
SYSTEM ADMINISTRATION
Biky Chouhan
Managing Linux Security
IDENTITY AND ACCESS MANAGEMENT
❑Identity and access management (IAM) is a security process that provides identity,
authentication, and authorization mechanisms for users, computers, and other entities to work
with organizational assets like networks, operating systems, and applications.

❑IAM enables you to define the attributes that comprise an entity's identity, such as its purpose,
function, security clearance, and more.

❑These attributes subsequently enable access management systems to make informed decisions
about whether to grant or deny an entity access, and if granted, decide what the entity has
authorization to do.
SSH AUTHENTICATION
❑The default authentication method for SSH access is a password, typically the same password
the local user would enter to sign in. However, this type of authentication is vulnerable to various
password attacks. An attacker can simply guess a weak password, such as one based on a common
word, or automate the attack with a brute-force or dictionary attack that tries many combinations
of characters until the password is cracked.
SSH AUTHENTICATION FILES IN LINUX
❑~/.ssh/ —A directory in the user's home directory that contains files related to SSH keys.

❑id_rsa —Contains the user's private key.

❑id_rsa.pub —Contains the user's public key.

❑authorized_keys —The server uses this file to authenticate the client.

❑known_hosts —The client uses this file to authenticate servers.

❑config —A file on the client that you can use to configure SSH connection settings, such as
using an IdentityFile directive to associate multiple keys with specific servers.
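The files above only protect the key pair if their permissions are right: OpenSSH refuses a private key that other users can read and, with StrictModes, ignores an authorized_keys or config file that other users can write. The following audit is an added example written for these notes, not a tool from the slides or from OpenSSH; it assumes the OpenSSH expectations just described (directory 700, private keys 600, shared files not group/world writable) and builds a constructed ~/.ssh in a temporary directory with id_rsa deliberately left too open.

```python
import stat
import tempfile
from pathlib import Path

# Assumed rules (OpenSSH StrictModes behaviour): private keys must not be readable
# by group/others; the directory, authorized_keys, known_hosts and config must not
# be writable by group/others. Public keys (*.pub) may be world-readable.
GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
SHARED_FILES = {"authorized_keys", "known_hosts", "config"}


def audit_ssh_dir(ssh_dir):
    """Return a list of findings; an empty list means the directory is sound."""
    ssh_dir = Path(ssh_dir)
    findings = []
    mode = ssh_dir.stat().st_mode
    if mode & GROUP_OTHER_ANY:
        findings.append(f"{ssh_dir}: directory is {stat.filemode(mode)}, expected drwx------")
    for entry in sorted(ssh_dir.iterdir()):
        if not entry.is_file():
            continue
        mode = entry.stat().st_mode
        if entry.suffix == ".pub" or entry.name in SHARED_FILES:
            # public keys and shared files may be readable, but never writable by others
            if mode & GROUP_OTHER_WRITE:
                findings.append(f"{entry}: {stat.filemode(mode)} is writable by group/others")
        elif mode & GROUP_OTHER_ANY:
            # anything else in ~/.ssh is treated as a private key (id_rsa, id_ed25519, ...)
            findings.append(f"{entry}: private key is {stat.filemode(mode)}, expected -rw-------")
    return findings


def fix_ssh_dir(ssh_dir):
    """Apply the expected modes and return the paths that were changed."""
    ssh_dir = Path(ssh_dir)
    changed = []
    if ssh_dir.stat().st_mode & GROUP_OTHER_ANY:
        ssh_dir.chmod(0o700)
        changed.append(ssh_dir)
    for entry in sorted(ssh_dir.iterdir()):
        if not entry.is_file():
            continue
        mode = stat.S_IMODE(entry.stat().st_mode)
        if entry.suffix == ".pub" or entry.name in SHARED_FILES:
            if mode & GROUP_OTHER_WRITE:          # only clear the write bits
                entry.chmod(mode & ~GROUP_OTHER_WRITE)
                changed.append(entry)
        elif mode & GROUP_OTHER_ANY:
            entry.chmod(0o600)
            changed.append(entry)
    return changed


def build_demo_dir():
    """Constructed ~/.ssh in a temp directory; id_rsa is deliberately mode 644."""
    ssh_dir = Path(tempfile.mkdtemp()) / ".ssh"
    ssh_dir.mkdir()
    ssh_dir.chmod(0o700)
    for name, content, mode in (
        ("id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n", 0o644),
        ("id_rsa.pub", "ssh-rsa AAAA(constructed placeholder) user@client\n", 0o644),
        ("authorized_keys", "ssh-rsa AAAA(constructed placeholder) user@client\n", 0o600),
        ("known_hosts", "server ssh-ed25519 AAAA(constructed placeholder)\n", 0o644),
    ):
        path = ssh_dir / name
        path.write_text(content)
        path.chmod(mode)
    return ssh_dir


if __name__ == "__main__":
    demo = build_demo_dir()
    for finding in audit_ssh_dir(demo):
        print("FINDING:", finding)
    print("fixed:", [p.name for p in fix_ssh_dir(demo)])
    print("remaining findings:", audit_ssh_dir(demo))
```

Run it against a real account by calling audit_ssh_dir(Path.home() / ".ssh"); the fix function deliberately leaves a 600 authorized_keys alone, since sshd only objects to write access by other users, not to a stricter mode.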
SSH KEY COMMANDS
❑ssh-keygen: Generate a public/private key pair using a specified asymmetric encryption
algorithm.

❑ssh-copy-id: Append the user's public keys to the remote server's authorized_keys file so that
the server can authenticate the user's private key. The public key is sent over SSH and typically
requires password authentication to be enabled.

❑ssh-add: Add private key identities to the SSH key agent. If the key is protected by a password,
the user only needs to enter the password once, and the agent will automatically authenticate the
user for later connections.
PAM
❑It provides a common mechanism for many different authentication services and applications.

❑Authentication can therefore be streamlined within that single framework, rather than be different for
each application and service.

❑The streamlining of authentication also benefits administrators, as PAM makes it easier for them to
configure authentication policies across all applications and services on the system, as opposed to
configuring policies in different formats depending on the service.

❑Developers can also write their own PAM modules in order to support specific authentication and
authorization functions within an app.
Lab : find any file in ssh dir
Lab : install putty
PuTTY
❑PuTTY is a free and open-source terminal emulator, serial console, and network file transfer
application. It supports several network protocols, including SSH and Telnet. It is widely used on
Windows operating systems for remote access to servers and networking devices.

❑PuTTY is commonly used for remote access to servers and networking devices because it
provides a secure and reliable way to connect to them. Its SSH support encrypts the data being
transmitted, making it more secure than protocols like Telnet, which sends everything in clear text.

❑PuTTY also includes features like session logging, which can be useful for debugging and
troubleshooting network issues. Additionally, it is a lightweight and easy-to-use application that
can be installed and configured quickly.
Lab : Generate pub/private key pair
Lab : after key generation
Lab : check inside rsa.pub key
Lab : find ip
Lab : connection with root server
Lab : copy key pair in root server
Lab : inside root server without root pwd
Lab : check inside authorized_keys
Lab : conn to root server using putty
Lab : conn root server with root pwd
Lab : generate pub key using puttygenkey
Lab : copy the pub key and save in document folder
Lab : gen private key and save it in document folder
Lab : open putty again and conn to root server with pwd
Lab : copy pub key into authorized_key(nano/vi)
Lab : conn root server without root pwd
PKI
❑A public key infrastructure (PKI) is a system that is composed of certificate authorities,
certificates, software, services, and other cryptographic components, for the purpose of enabling
authenticity and validation of data and entities.

❑The PKI can be implemented in various hierarchical structures and can be publicly available or
maintained privately by an organization. As its name implies, a PKI implements asymmetric
cryptography for the encryption and decryption of network data, including transactions over the
Internet.
PKI Components
❑Digital signature : A digital signature is a message digest that has been encrypted with a user's private
key. Asymmetric encryption algorithms can be used with hashing algorithms to create digital signatures.
The sender creates a hashed version of the message text, and then encrypts the hash itself with the
sender's private key. The encrypted hash is attached to the message as the digital signature.
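The hash-then-sign flow described above, carried through in working code as an added example for these notes (not code from the slides or from any PKI product). It assumes a textbook RSA key pair built from two well-known Mersenne primes so that the result is deterministic and runs offline; the digest is "encrypted" with the private exponent, exactly as the slide puts it, and the receiver reverses that with the public exponent and compares against a fresh hash. Real keys come from ssh-keygen or openssl and real signatures add padding (PSS or PKCS#1 v1.5), which this illustration omits.

```python
import hashlib

# Assumed demo key: two Mersenne primes, so n is large enough to hold a 256-bit
# digest and the example is reproducible. Never use fixed primes for a real key.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537                              # public exponent (gcd with (P-1)(Q-1) is 1)
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+ modular inverse)


def message_digest(message: bytes) -> int:
    """Step 1 (sender and receiver): hash the message and read the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key=(D, N)) -> int:
    """Step 2 (sender only): transform the digest with the private key; this is the signature."""
    d, n = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=(E, N)) -> bool:
    """Receiver: undo the signature with the public key and compare with a fresh digest."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message)


if __name__ == "__main__":
    msg = b"transfer 100 to alice"
    sig = sign(msg)
    print("signature (hex, truncated):", hex(sig)[:40], "...")
    print("valid on original message:", verify(msg, sig))
    print("valid on altered message:", verify(b"transfer 900 to alice", sig))
    # Someone who knows only the hash cannot produce the signature:
    print("digest passed off as signature:", verify(msg, message_digest(msg)))
```

The third check is the point of the construction: the digest is public knowledge (anyone can hash the message), so the private-key step is what binds the signature to the sender; the public key can only confirm, never create, a signature.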

❑Digital certificate : Digital certificates are the most fundamental component of a PKI, and the main task
of a PKI is to manage digital certificates in a variety of ways. A digital certificate is an electronic
document that associates credentials with a public key. Both users and devices can hold certificates. The
certificate validates the certificate holder's identity through a digital signature and is also a way to
distribute the holder's public key. In addition, a certificate contains information about the holder's
identity.
PKI Components
❑Certificate authority (CA) : A CA is a server that issues digital certificates for entities and maintains the
associated private/public key pair. CAs sign digital certificates so that clients can validate the
authenticity of certificates owned by entities. A certificate can instead be self-signed, that is, signed with
the holder's own private key rather than a CA's. In other words, the certificate does not recognize any
authority, and is essentially certifying itself. Self-signed certificates require the client to trust the entity
directly.

❑Certificate signing request (CSR) : A CSR is a message sent to a CA in which an entity applies for a
certificate. It typically includes information that should go into the entity's certificate, like its public key,
digital signature, and other identifying information.
OpenSSL
❑OpenSSL is an open source implementation of the SSL/TLS protocol for securing data in transit using
cryptography. On Linux, the openssl command is an interface into accessing a variety of OpenSSL features. It is
also one of the most common tools for generating and managing components of a PKI. The syntax of the openssl
command is openssl [subcommand] [options]

❑Using openssl, you can:

✓ Generate public and private keys.

✓ Generate self-signed digital certificates in various formats.

✓ Generate digital certificates for other entities based on CSRs.

✓ Calculate hash values using various functions.

✓ Encrypt and decrypt data using various algorithms.

✓ Manage keys and certificates in a CA.


CBP & MAC
❑Context-based permissions describe multiple types of information about processes and files that are
used in combination to make decisions related to access control.

❑In Linux, there are two main context-based permission schemes available: SELinux and AppArmor.

❑Mandatory access control (MAC) is a model in which access is controlled by comparing an object's
security designation and a subject's security clearance. Objects such as files and other resources are
assigned security labels of varying levels, depending on the object's sensitivity. Subjects are
assigned a security level or clearance, and when they try to access an object, their clearance level must
correspond to the object's security level. If there is a match, the subject can access the object; if there is
no match, the subject is denied access.
SELinux & AppArmor
❑Both SELinux and AppArmor provide security tools that isolate applications and limit what an
attacker who has compromised one part of the system can reach.

❑AppArmor works by granting access first, then applying restrictions. SELinux, however, restricts access
to all applications by default and grants access only to users that present the proper certifications.

❑The AppArmor module allows developers to restrict applications from using specific files.

❑SELinux (Security Enhanced Linux) is a Linux security module built into the Linux kernel. The system
gives sysadmins more control over who has access to the resources. It assigns labels to the system's files,
processes, and ports.
SELinux
AppArmor
Configure SELinux
❑ This temporarily enables SELinux until the next system reboot. The “getenforce” command confirms the
current SELinux mode:

❑ If SELinux is currently set to “Enforcing” or “Permissive”, enter the following command to switch it to
“Disabled”:
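The slides distinguish a runtime change (in effect until the next reboot) from the mode SELinux will start in, which lives in /etc/selinux/config as SELINUX=enforcing|permissive|disabled. The check below is an added example for these notes, not a tool from the slides: it parses a constructed copy of that file and compares it with the string getenforce prints, so a temporary setenforce change, or a disabled setting that will only take effect at boot, shows up as drift.

```python
import re

# Constructed sample in the format of /etc/selinux/config (not copied from a real host).
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

CONFIG_MODES = ("enforcing", "permissive", "disabled")


def parse_selinux_config(text):
    """Return the SELINUX= value from config-file text, or None if absent or invalid."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments explain the values but set nothing
        match = re.match(r"SELINUX\s*=\s*(\w+)", line)
        if match:
            mode = match.group(1).lower()
            return mode if mode in CONFIG_MODES else None
    return None


def selinux_status(runtime_mode, config_text):
    """Compare the running mode (what getenforce prints) with the boot configuration."""
    boot_mode = parse_selinux_config(config_text)
    running = runtime_mode.strip().lower()
    return {
        "running": running,
        "at_boot": boot_mode,
        # setenforce 0/1 can flip enforcing <-> permissive without a reboot ...
        "matches_boot_config": running == boot_mode,
        # ... but entering or leaving the disabled state only happens at boot
        "needs_reboot": (running == "disabled") != (boot_mode == "disabled"),
    }


if __name__ == "__main__":
    # On a real host: runtime = subprocess.run(["getenforce"], ...).stdout
    #                 config_text = open("/etc/selinux/config").read()
    print(selinux_status("Permissive", SAMPLE_CONFIG))
```

A "matches_boot_config": False result with "needs_reboot": False is the signature of a runtime setenforce change; it is worth alerting on, because an attacker or a careless admin can drop the system to permissive without touching the config file.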
Implementing Simple Scripts
Configure Firewalls
❑Linux is an open-source operating system, like Windows and macOS. It is not limited to one kind of
machine: nowadays it is used as a platform to run desktops, servers, and embedded systems. Because it is
open source and has a modular design, it is available in many distributions and variations. The kernel is
the core part of the Linux system.

❑The Linux system manages services such as process scheduling, application scheduling, basic
peripheral devices, the file system, and more.
Configuring Network Security
Firewall
❑What is Firewall ?

➢A firewall is a software program or a hardware device that protects a system or a network from
unauthorized access by blocking unwanted traffic.

➢It can allow or deny incoming and outgoing traffic based on a set of rules that are either explicitly
configured by an administrator or which are active by default.

➢Firewalls also provide logging features and alerts that track security problems and report them to the
administrator.

➢There are two tools for managing the firewall in most Linux distributions:

✓iptables

✓firewalld
Generations of Firewall
➢Packet filters (first generation): These firewalls make decisions based on rules that correspond to one or
more network packet attributes. These rules appear in the form of an access control list (ACL). Packet
filtering firewalls are also called stateless firewalls because they can only inspect a packet in isolation,
and cannot determine what has come before that packet that might provide valuable context.

➢Stateful firewalls (second generation): Stateful firewalls can identify past traffic that is related to a
packet. This means that a stateful firewall can view the entire conversation of a transmission, such as the
three-way TCP/IP handshake. Stateful firewalls can therefore make more informed decisions about what
traffic to deny and what to allow.

➢Application-layer firewalls (third generation): These firewalls can inspect the contents of application-
layer traffic (e.g., protocols like HTTP and FTP) and make decisions based on these contents.
ACL FEATURES
❑A stateless firewall's ACL can allow or deny packets based on various factors.

➢Those factors are:

✓Source IP address

✓Destination IP address

✓Source TCP or UDP port

✓Destination TCP or UDP port

✓TCP or UDP protocol used


THE iptables TOOL
❑The function of the iptables tool is packet filtering.

❑The packet filtering mechanism is organized into three different kinds of structures: tables, chains and
targets.

❑Tables = A table groups rules that process packets in a specific way. There are 5 different
types of tables: filter, mangle, nat, raw and security.

✓filter —The default table used for typical packet filtering functionality.

✓nat — Used to implement Network Address Translation (NAT) rules.

✓mangle — Used to alter packets' TCP/IP headers.

✓raw — Used to configure exceptions for packets involved in connection tracking.

✓security — Used to mark packets with SELinux security contexts.


THE iptables TOOL
❑Chains = Chains are attached to tables and let you inspect traffic at various points. You filter
traffic by adding rules to a chain. There are 3 chains used in iptables:

➢INPUT: incoming traffic

➢FORWARD: traffic passing through the host as a router, from one device to another

➢OUTPUT: outgoing traffic

❑Targets = A target decides the fate of a packet, such as allowing or rejecting it. There are 3 different
types of targets.

➢ACCEPT: connection accepted

➢REJECT: send reject response

➢DROP: drop connection without sending any response
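To tie the pieces together (the ACL factors, the stateless/stateful distinction from the firewall generations, and the chains and targets just listed), here is a small working model of the filter table, added for these notes and not part of the slides or of iptables itself. Rules match on source/destination network, protocol and destination port like -s/-d/-p/--dport, an optional state match stands in for -m conntrack --ctstate, and each chain falls back to a policy when no rule matches. The packets and addresses are constructed (RFC 5737 documentation ranges), and the Firewall, Rule and Packet names are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP or REJECT
    src: str = "0.0.0.0/0"          # like -s
    dst: str = "0.0.0.0/0"          # like -d
    proto: Optional[str] = None     # like -p tcp
    dport: Optional[int] = None     # like --dport 22
    state: Optional[str] = None     # like --ctstate NEW / ESTABLISHED (None = stateless)

    def matches(self, pkt: Packet, state: str) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.state is None or self.state == state))


class Firewall:
    """INPUT and OUTPUT chains sharing one connection-tracking table."""

    def __init__(self, stateful: bool = True):
        self.stateful = stateful
        self.chains = {"INPUT": [], "OUTPUT": []}
        self.policy = {"INPUT": "DROP", "OUTPUT": "ACCEPT"}   # like iptables -P
        self.conntrack = set()                                 # accepted 5-tuples

    def append(self, chain: str, rule: Rule) -> None:          # like iptables -A
        self.chains[chain].append(rule)

    def _state(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        return "ESTABLISHED" if (fwd in self.conntrack or rev in self.conntrack) else "NEW"

    def evaluate(self, chain: str, pkt: Packet) -> str:
        # A stateless (first-generation) filter sees each packet in isolation,
        # so it has no memory of earlier packets and everything looks NEW.
        state = self._state(pkt) if self.stateful else "NEW"
        verdict = self.policy[chain]                 # used when nothing matches
        for rule in self.chains[chain]:              # first matching rule wins
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        if verdict == "ACCEPT" and self.stateful:
            self.conntrack.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        return verdict


def build_ruleset(stateful: bool) -> Firewall:
    """Small server ruleset: replies to our own connections, SSH from the internal net, HTTP."""
    fw = Firewall(stateful)
    if stateful:
        fw.append("INPUT", Rule("ACCEPT", state="ESTABLISHED"))
    fw.append("INPUT", Rule("ACCEPT", src="10.0.0.0/8", proto="tcp", dport=22))
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", dport=80))
    fw.append("INPUT", Rule("REJECT"))          # explicit reject response for everything else
    return fw


def demo(stateful: bool) -> dict:
    """Constructed packets run through the ruleset; returns the verdict per scenario."""
    fw = build_ruleset(stateful)
    host = "10.1.1.10"
    return {
        "ssh_external": fw.evaluate("INPUT", Packet("203.0.113.5", host, "tcp", 40000, 22)),
        "ssh_internal": fw.evaluate("INPUT", Packet("10.1.2.3", host, "tcp", 40001, 22)),
        # the host opens an HTTPS connection outwards, then the reply comes back to port 50000
        "outbound_https": fw.evaluate("OUTPUT", Packet(host, "198.51.100.7", "tcp", 50000, 443)),
        "https_reply": fw.evaluate("INPUT", Packet("198.51.100.7", host, "tcp", 443, 50000)),
        # an unrelated packet aimed at the same ephemeral port
        "unsolicited": fw.evaluate("INPUT", Packet("198.51.100.9", host, "tcp", 443, 50000)),
    }


if __name__ == "__main__":
    print("stateful :", demo(True))
    print("stateless:", demo(False))
```

The only difference between the two runs is the https_reply packet: the stateful chain accepts it because the OUTPUT chain recorded the connection, while the stateless chain has no way to tell the legitimate reply from the unsolicited packet that follows it, so it must either reject both or open the whole ephemeral port range.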


THE iptables TOOL
❑Before working with iptables, make sure firewalld is not running and disable it.

✓systemctl stop firewalld = stop the service

✓systemctl disable firewalld = prevent it from starting at boot time

✓systemctl mask firewalld = prevent other programs from starting it

❑Check that the iptables-services package is installed:

✓rpm -qa | grep iptables-services (check whether it is installed)

✓systemctl status firewalld

✓yum install iptables-services (install it if it is not present)


THE iptables TOOL
❑Start the services using below commands :

✓systemctl start iptables

✓systemctl enable iptables

❑iptables -L = list the iptables rules

❑iptables -F = flush (delete) all iptables rules



UFW
❑The Uncomplicated Firewall (UFW) is a firewall management tool that makes it easier to
configure the iptables service.

❑The ufw command enables you to work with the command-line interface. For example, the
following commands set up an allow rule for HTTP, turn on logging, and enable the firewall.
This automatically creates a default deny configuration for incoming traffic. The syntax of the
ufw command is ufw [options] {action}


THE firewalld SERVICE
❑The firewall daemon (firewalld) is used to dynamically manage a firewall without requiring the
firewall to restart upon modification. It is an alternative to iptables and uses zones and services
rather than chains and rules. Firewall zones are the rule sets that can apply to specific network
resources, like a network interface.

❑There are various default zones, each with different levels of trust. For example, the zone with
the lowest level of trust is called drop and it immediately drops all incoming connections.
Firewall services are the rules that apply to specific services that operate within a zone. For
example, you can add a service like HTTP to the dmz zone to allow incoming connections from
untrusted networks like the Internet, while denying outgoing access to the rest of the network.
THE firewall-cmd COMMAND
❑The firewall-cmd command enables you to configure firewalld by querying, adding, modifying, and
deleting zones and services as desired. firewalld is the default firewall service for many Linux
distributions.

❑The command includes options to identify which zone and which interface you want to configure, as
well as the ability to permit services by name or by port number. The syntax of the firewall-cmd
command is firewall-cmd [options]
NETFILTER
❑Netfilter is a Linux kernel framework that handles packets that traverse a network interface.
Some of the major services it provides are packet filtering, NAT, and connection tracking.
Netfilter supports the configuration of these services by providing hooks into the kernel's
network stack. Every packet that traverses the network interface will be "caught" by these
hooks.

❑The iptables tool is closely integrated with Netfilter. It is able to allow, drop, and perform other
firewall actions because it can interact with packets that are on Netfilter hooks.
IP FORWARDING & IP SETS
❑IP forwarding is the Linux kernel implementation of network routing functionality. It enables incoming
traffic on one network interface to be forwarded to another network interface.

❑IP sets are stored collections of IP addresses, network ranges, MAC addresses, port numbers, and
network interface names. The iptables tool can leverage IP sets for more efficient rule matching.

❑The ipset command enables you to create and modify IP sets. First you need to set a name, storage
method, and data type for your set. The syntax of the ipset command is ipset [options] {command}
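Why a set matches more efficiently than a list of rules is easiest to see in code. The model below is an added example for these notes, not the ipset tool: it imitates a set of type hash:net (what ipset create blocklist hash:net would create) and the membership test an iptables rule makes with -m set --match-set blocklist src. The assumption behind it is the real one, that entries are hashed by network, so one packet costs one probe per distinct prefix length in the set rather than one comparison per entry. The NetSet name and the blocklist contents (RFC 5737 documentation ranges) are constructed for the example.

```python
from ipaddress import ip_address, ip_network


class NetSet:
    """Set of networks keyed by prefix length, like an ipset of type hash:net."""

    def __init__(self, name):
        self.name = name
        self._by_prefix = {}               # prefix length -> set of IPv4Network

    def add(self, cidr):                   # like `ipset add NAME cidr`
        net = ip_network(cidr, strict=False)   # "198.51.100.42" becomes a /32
        self._by_prefix.setdefault(net.prefixlen, set()).add(net)

    def __contains__(self, addr):          # like `-m set --match-set NAME src`
        a = ip_address(addr)
        for plen, nets in self._by_prefix.items():
            # mask the address to this prefix length and probe the hash once
            if ip_network(f"{a}/{plen}", strict=False) in nets:
                return True
        return False

    def __len__(self):
        return sum(len(nets) for nets in self._by_prefix.values())

    def probes_per_lookup(self):
        """Worst-case work for one packet: one probe per distinct prefix length,
        however many entries the set holds (a rule list would cost one per entry)."""
        return len(self._by_prefix)


def build_blocklist():
    """Constructed blocklist: a /24, a single host and a /26."""
    blocklist = NetSet("blocklist")
    for cidr in ("203.0.113.0/24", "198.51.100.42", "192.0.2.0/26"):
        blocklist.add(cidr)
    return blocklist


def filter_sources(sources, blocklist):
    """Verdict per source address, as `-m set --match-set blocklist src -j DROP`
    followed by a catch-all ACCEPT would decide it."""
    return {src: ("DROP" if src in blocklist else "ACCEPT") for src in sources}


if __name__ == "__main__":
    bl = build_blocklist()
    print(f"{len(bl)} entries, {bl.probes_per_lookup()} probes per lookup")
    print(filter_sources(["203.0.113.77", "198.51.100.43", "192.0.2.10", "192.0.2.70"], bl))
```

Adding another thousand /24 networks leaves probes_per_lookup() unchanged, which is the operational reason to put a large blocklist into an IP set and reference it from one rule instead of appending one iptables rule per address.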
Lab
