
Cyber Patriot Lecture Series: How to Secure Ubuntu 16 From Outside Threats

Discussion Topics

1. Brief overview of file system layout
2. Brief overview of log files
3. General security settings overview
4. Built-in commands to know
5. Q&A

File System

 / – root, top of the file system
 /dev, /devices – contains the files used to talk to system devices
 /usr – primarily OS directory, read-only
 /bin, /usr/bin, /usr/local, /opt – executable program directories
 /home, /export/home – user home directories/files
 /var – log files, temp queues for system services
 /tmp – temp file space
 /swap – secondary memory location
 /mnt – temporary mount points for CD, USB, others

Log Files and Uses: /var/log

utmp*: complete user login picture
wtmp*: historical data of utmp
btmp: failed login attempts
dmesg: display or driver messages
messages: global system messages including mail, cron, etc. (syslog on some systems)
maillog: mail server logs
auth: authentication-related events such as ssh logins, failed passwords, invalid account attempts (secure log on some systems)
kern:
cron:

* Only readable with the who, last or utmpdump commands

General Security Considerations

 Encrypt hard drives
 Update
 Clean out old versions and packages
 Only install the applications/services required
 Protect shared memory and ASLR
 Use strong passwords and passphrases
 Enforce requirements: strength, aging, reuse, etc.
 Use a firewall, AV and rootkit detection
 Prevent IP spoofing
 Do not allow root login; use sudo
 Use least privilege
 Use BIOS passwords
 Secure the browser

Encrypt File System During Install

Update Operating System

Address Space Layout Randomization (ASLR)

ldd /bin/bash – show the memory addresses the shared libraries are loaded at
sudo sysctl -ar random – view the kernel settings whose name contains "random"
sudo sysctl -w kernel.randomize_va_space=0 – disable ASLR to show the difference

Enforcing Password Complexity Rules
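An added example, not from the lecture, that turns the three commands above into a check: it names the ASLR mode from the kernel.randomize_va_space value and runs ldd twice on a binary to show whether libc actually lands at a different address each time (it assumes a Linux host with /proc and ldd; the function names are mine):

```shell
#!/bin/sh
# Added example (not from the lecture). Assumes Linux with /proc and ldd.

# Map a kernel.randomize_va_space value to what it randomises.
aslr_mode_name() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "stack, vdso and mmap base randomised (brk heap fixed)" ;;
    2) echo "full: stack, vdso, mmap base and brk heap randomised" ;;
    *) echo "unknown value: $1"; return 1 ;;
  esac
}

# Print the address libc was mapped at for one run of ldd on a dynamic binary.
libc_addr_of() {
  ldd "$1" 2>/dev/null | awk '/libc\.so/ { gsub(/[()]/, "", $NF); print $NF }'
}

# Run ldd twice on the same binary: with ASLR on, libc lands at a different
# address each time. Returns 0 if randomised, 1 if static, 2 if no libc found.
aslr_check_binary() {
  a=$(libc_addr_of "$1")
  b=$(libc_addr_of "$1")
  if [ -z "$a" ]; then echo "no libc mapping found for $1"; return 2; fi
  if [ "$a" != "$b" ]; then echo "randomised: $a vs $b"; return 0; fi
  echo "static: $a both times"; return 1
}

# Demo when run on a Linux host; the slide's sysctl -w toggles what you see here.
if [ -r /proc/sys/kernel/randomize_va_space ]; then
  mode=$(cat /proc/sys/kernel/randomize_va_space)
  echo "kernel.randomize_va_space=$mode: $(aslr_mode_name "$mode")"
  aslr_check_binary /bin/bash
fi
```

Re-run the script after `sudo sysctl -w kernel.randomize_va_space=0` and the libc address stops moving; set it back to 2 afterwards.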

> sudo apt-get -y install libpam-pwquality cracklib-runtime
> sudo vi /etc/pam.d/common-password

password requisite pam_pwquality.so retry=3 minlen=10 maxrepeat=3 ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2 difok=3 gecoscheck=1 maxsequence=3 reject_username enforce_for_root
password requisite pam_pwhistory.so remember=10

> sudo vi /etc/pam.d/common-auth

auth required pam_tally2.so onerr=fail per_user deny=5 unlock_time=1800 no_magic_root reset

Meaning of each parameter:
retry=3: prompt the user 3 times before returning with an error.
minlen=10: the password length cannot be less than this value.
maxrepeat=3: allow a maximum of 3 repeated characters.
ucredit=-2: require at least two uppercase characters.
lcredit=-2: require at least two lowercase characters.
dcredit=-2: require at least two digits.
ocredit=-2: require at least two other characters.
difok=3: the number of characters in the new password that must not have been present in the old password.
gecoscheck=1: words in the GECOS field of the user's passwd entry must not be contained in the new password.
reject_username: reject the password if it contains the name of the user in either straight or reversed form.
enforce_for_root: enforce the password policy for the root user.
remember=10: store a history of the last 10 passwords.
onerr=fail: what to do when the maximum deny count is reached (fail = lock).
deny=5: 5 attempts before locking.
unlock_time=1800: auto-unlock after this time (in seconds).
no_magic_root: do not lock out root; prevents a DoS on root.

Example Screenshot

Additional Password Settings

1. Log sudo use.
2. Log successful and unknown attempts.
3. Password aging and time between changes.
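Items 1 and 2 only help if someone reads the log. This added script (mine, not from the lecture) pulls those events out of /var/log/auth.log-style lines: sudo use, accepted ssh logins, and failed or unknown-user attempts grouped by source address. The sample lines are constructed in Ubuntu 16.04 auth.log format and the function names are my own; each function reads log lines on stdin.

```shell
#!/bin/sh
# Added example (not from the lecture): pull the events the slide asks to log
# out of /var/log/auth.log-style lines. Every function reads log lines on stdin.

# Constructed sample lines in Ubuntu 16.04 auth.log format (not real traffic).
SAMPLE_AUTH_LOG='Mar  3 09:12:01 ubuntu sshd[2210]: Accepted password for alice from 192.0.2.10 port 51022 ssh2
Mar  3 09:12:40 ubuntu sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 09:15:07 ubuntu sshd[2250]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 09:15:09 ubuntu sshd[2250]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar  3 09:15:12 ubuntu sshd[2253]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 09:16:00 ubuntu sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/pam.d/common-password'

# Count lines containing the fixed string $1 (prints 0 when none; never fails).
count_events() { grep -c -F -- "$1" || true; }

# Successful ssh logins as "user source-ip".
accepted_logins() { awk '/sshd.*Accepted/ { print $9, $11 }'; }

# Failed ssh attempts per source IP, most frequent first: the quickest way to
# spot a password-guessing source before pam_tally2 locks the targeted account.
failed_by_ip() {
  awk '/sshd.*Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# sudo invocations as "user command", taken from the COMMAND= field.
sudo_commands() {
  awk '/ sudo: / { sub(/.*sudo: +/, ""); u = $1; sub(/.*COMMAND=/, ""); print u, $0 }'
}

# Demo on the sample; the same functions work on: cat /var/log/auth.log | ...
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | accepted_logins
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_commands
echo "failed attempts: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | count_events 'Failed password')"
```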

Install Anti-Virus

> sudo apt-get -y install clamav clamtk

Install Rootkit detection

> sudo apt-get -y install

Security Configuration/Hardening Tools

 SELinux
 AppArmor
 Grsecurity
 Bastille
 Lynis

File Integrity Monitoring/HIDS Tools

 OSSEC – Open Source HIDS SECurity
 AIDE – Advanced Intrusion Detection Environment, an open-source Tripwire
 samhain

Vulnerability Scanners

 Nessus Essentials (formerly Nessus Home)
 OpenVAS
 Zenmap
 Nexpose

Built-in Commands and Tools

 pwd – present working directory
 ps – list current processes
 ls – list directory contents
 stat – display file status
 file – determine file type
 netstat – network statistics: connections, interfaces, tables
 ifconfig – show interface information
 uname – system information
 dig – DNS lookup utility
 top – display detailed process information
 last – show last login information
 whoami, who, id – show information on the current user
 man – reference manual (help pages) for commands
 lsof – list open files

Server and Other Considerations

 SSH configurations
 NTP configurations
 DNS configurations
 Web server configurations

Questions?

Additional Resources and References

https://www.comparitech.com/blog/information-security/linux-security-guide/
https://sensorstechforum.com/10-best-methods-improve-linux-security/
https://wiki.ubuntu.com/BasicSecurity
https://computingforgeeks.com/enforce-strong-user-password-policy-ubuntu-debian/
http://www.deer-run.com/~hal/linux_passwords_pam.html
https://poweruphosting.com/blog/ubuntu-security/
https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1604-lts-server-part-1-basics
https://linux-audit.com/ubuntu-server-hardening-guide-quick-and-secure/
http://bhami.com/rosetta.html
https://www.tecmint.com/photorec-recover-deleted-lost-files-in-linux/