Free Essay

It302 4.1 Research Assignment

In: Computers and Technology

Submitted By ferb1234
Words 1350
Pages 6
Linux Security Technologies There are many ways to have internet access these days. Coffee shops, libraries, airports and even public buses have free wireless access. With all these free accesses to the World Wide Web, there is also many potential ways for hackers to potentially get your personal information and use it for their gain. There are many ways to combat this situation by using several security measures with Linux programming, which the majority of the software is free. Some of those security technologies are SELinux, TCP Wrappers, IPtables and Chroot Jail to name a few. SELinux is a security enhancement to Linux which allows users and administrators more control over access control. Access can be constrained on such variables as which users and applications can access which resources. Was developed by the NSA in December of 2000. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.
SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink, append only, move a file and so on. SELinux allows you to specify access to many resources other than files as well, such as network resources and interprocess communication (IPC). SELinux is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication.
SELinux can help protect you from bugs in applications. Most people treat applications as user surrogates (e.g., "I go to google.com" not "I tell my browser to go to google.com and it does so on my behalf"). However applications, especially the desktop applications we all use, come in at millions of lines of code. Without knowing what those millions of lines of code do there is no way to know if an application will really do what you tell it or if it becomes malicious because of vulnerabilities. With SELinux you can treat the applications you run differently from yourself thereby limiting what an exploited application can do.
Almost all BSD / UNIX / Linux like operating systems are compiled with TCP Wrappers support. For e.g. Solaris 9, various Linux / *BSD distributions, and Mac OS X have TCP Wrappers configured to run out-of-the-box. It is a library which provides simple access control and standardized logging for supported applications which accept connections over a network.
TCP Wrapper is a host-based Networking ACL system, used to filter network access to Internet. TCP wrappers was originally written to monitor and stop cracking activities on the UNIX workstation in 90s. It was best solution in 90s to protect the UNIX workstations over the Internet. However it has few disadvantages:
All UNIX apps must be compiled with the libwrap library.
The wrappers do not work with RPC services over TCP.
The user name lookup feature of TCP Wrappers uses identd to identify the username of the remote host. By default, this feature is disabled, as identd may appear hung when there are large number of TCP connections.
However, it has one strong advantage over firewall. It works on the application layer. It can filter requests when encryption is used. Basically, you need to use both host based and network based security. Common services such as pop3, ftp, sshd, telnet, r-services are supported by TCP Wrappers.

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.
Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving it such improvements as:
Better integration with the Linux kernel with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.
Filtering packets based on a MAC address and the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks in spite of their IP addresses.
System logging that provides the option of adjusting the level of detail of the reporting.
Better network address translation.
Support for transparent integration with such Web proxy programs as Squid.
A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.
Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under RedHat and Fedora Linux.
On Unix-like operating systems, such as Linux, a chroot jail is the common expression used to describe a section of a filesystem that is sectioned off for a particular user. On a web server, it is particularly useful for the security of shared hosting accounts.
Without a chroot jail, a user with limited file permissions would still be able to navigate to top-level directories. As an example, suppose the user’s directory is /home/user. Without chroot, nothing would prevent the user from navigating up to /home to see other users’ directories or even navigating up to / where they can see /etc, /usr, /var, /lib, and other system-critical directories. Although the user would not have the permissions to edit them, they would be able to see the files and target specific ones to try to exploit.
You could respond to this by saying, “Well, I trust my users.” Unfortunately, it is not just a matter of trust. By allowing your user access, you also allow anyone who can hack their account access. That just creates one more weak link in your security fence.
Many control panels that reconfigure web servers for shared hosting will automatically create chroot directories for user accounts. There is also software that can help you more easily create chroot jails. One such software suite is called Jailkit, which is available for free.
Another important use for chroot is for virtualization. With a virtual private server (vps), the user has a complete operating system installed within a chroot directory. As a result, even though the user has root privileges for his or her own account, the user cannot access higher directories and would not even be aware that they exist (on a technical level). In other words, if the user is in /var/chroot/vhosts/user/, there is no way to move up beyond that /user directory. It will appear to the user as the default root directory, which is /.
Chroot is very useful for basic preventative security, but it is not designed to prevent deliberate attempts to gain root access and attack a server. For that there are other security measures you can take. Nevertheless, chroot helps tremendously to at least make it more difficult to exploit your dedicated server.
In summary, in today technological world we need to have a security program in place. Whether it TCPWrappers, SELinux, chroot jail or Iptables, it’s a must that you have at one of these program running at all times.

Similar Documents

Free Essay

It302 Research Assignment 4.1

...Free and Open Source Software (FOSS), by 2006, had allegedly violated 235 patents that Microsoft was in possession of, including the Linux Kernal, Samba, OpenOffice.org, and others. Three contracts were struck up between Novell and Microsoft, most notably, a patent agreement that stated, “Don’t sue us and we won’t sue you.” When this happened, some dire consequences were predicted for FOSS, however, it hasn’t exactly gone as predicted. FOSS has blossomed since then. It is my opinion, that in entering these contracts, Microsoft put more of a light on Open Source, which then attracted the attention of other programmers, and in general, people who like free things. There is a very strong market for Linux going right now with GUI enabled operating systems including Red Hat/Fedora, and Ubuntu. They are having great success and continue getting updates, and users, on a growing basis as people experience, and learn how to use the command line. It doesn’t seem like much impact has been made, other than most companies have started using Open Source as a way to make their product better and more efficient. A few years back both MySpace and Facebook open sourced Qizmt and Tornado, respectively, not to garner any love from the people, but to try and make them better, and more efficient (Asay Sept. 16, 2009). More than anything, I would say Microsoft is feeling the hurt, they are losing money with so many people looking toward the Free and Open Source Software markets. Who would want...

Words: 644 - Pages: 3

Premium Essay

It255

...ITT Technical Institute IT255 Introduction to Information Systems Security Onsite Course SYLLABUS Credit hours: 4 Contact/Instructional hours: 50 (30 Theory Hours, 20 Lab Hours) Prerequisite(s) and/or Corequisite(s): Prerequisites: IT220 Network Standards and Protocols, IT221 Microsoft Network Operating System I, IT250 Linux Operating System Course Description: This course provides an overview of security challenges and strategies of counter measures in the information systems environment. Topics include definition of terms, concepts, elements, and goals incorporating industry standards and practices with a focus on availability, vulnerability, integrity and confidentiality aspects of information systems. Introduction to Information Systems Security Syllabus Where Does This Course Belong? This course is required for the Bachelor of Science in Information Systems Security program. This program covers the following core areas:    Foundational Courses Technical Courses BSISS Project The following diagram demonstrates how this course fits in the program: IS427 Information Systems Security Capstone Project 400 Level IS404 Access Control, Authentication & KPI IS411 Security Policies & Implementation Issues IS415 System Forensics Investigation & Response IS416 Securing Windows Platforms & Applications IS418 Securing Linux Platforms & Applications IS421 Legal & Security Issues IS423 Securing Windows Platforms & Applications ...

Words: 4114 - Pages: 17

Premium Essay

Seeking Help

...IT255 Introduction to Information Systems Security [Onsite] Course Description: This course provides an overview of security challenges and strategies of counter measures in the information systems environment. Topics include definition of terms, concepts, elements, and goals incorporating industry standards and practices with a focus on availability, vulnerability, integrity and confidentiality aspects of information systems. Prerequisite(s) and/or Corequisite(s): Prerequisites: IT220 Network Standards and Protocols, IT221 Microsoft Network Operating System I, IT250 Linux Operating System Credit hours: 4 Contact hours: 50 (30 Theory Hours, 20 Lab Hours) Introduction to Information Systems Security Syllabus Where Does This Course Belong? This course is required for the Bachelor of Science in Information Systems Security program. This program covers the following core areas:    Foundational Courses Technical Courses BSISS Project The following diagram demonstrates how this course fits in the program: IS427 Information Systems Security 400 Level Capstone Project IS418 IS404 Access Control, Authentication & KPI IS421 Legal & Security Issues IS423 Securing Windows Platforms & Applications IS411 Security Policies & Implementation Issues IS415 System Forensics Investigation & Response IS416 Securing Windows Platforms & Applications Securing Linux Platforms & Applications 300 Level IS305 Managing Risk in Information Systems ...

Words: 4296 - Pages: 18