Manage Security Flashcards
access firewall through GUI
System -> Administration -> Firewall (system-config-firewall)
Any change saved with this utility rewrites the rules file it manages, /etc/sysconfig/iptables, so manual edits to that file are lost.
/etc/services
The /etc/services file lists well-known service names with the port number and protocol (tcp/udp) assigned to each; tools such as iptables resolve service names (e.g. --dport ssh) through this file.
netfilter
Netfilter is the packet-filtering framework built into the Linux kernel; the iptables command is the userspace tool used to load and inspect its rules.
files where firewall rules are stored
Saved firewall rules live in /etc/sysconfig/iptables (IPv6 rules in /etc/sysconfig/ip6tables); the iptables service loads this file at boot.
IPtables rules
The filter table has three built-in chains:
INPUT: packets destined for the system itself
FORWARD: packets routed through the system to another host
OUTPUT: packets that originate from the system
Example (iptables-save format, as in /etc/sysconfig/iptables):
:INPUT ACCEPT [0:0] -> the default policy of the INPUT chain is ACCEPT (packet/byte counters start at zero)
-A INPUT -i lo -j ACCEPT -> allow all input arriving on the loopback interface
Rules in a chain are processed from top to bottom: the first rule that matches and has a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate, and the rules below it are never evaluated for that packet. If no rule matches, the chain policy applies.
IPtables command
# service iptables restart -> restart the iptables service (reloads /etc/sysconfig/iptables into the kernel)
# iptables -L -n -v -> list the rules currently loaded in the kernel (-n: no DNS lookups, -v: show counters and interfaces)
# iptables -F -> flush (delete) all rules from the loaded chains; chain policies are left unchanged
Modifying firewall rules
When adding a rule with the iptables command, prefer -I (insert) over -A (append). -A puts the rule at the end of the chain, after the final REJECT rule, where it can never match; -I with no position number puts it at the top of the chain, before the REJECT rule.
# iptables -I INPUT -p tcp --dport 21 -j ACCEPT
Changes made with the iptables command live only in the kernel and are lost when the machine reboots or the iptables service restarts. To make them permanent, write the running rules back to /etc/sysconfig/iptables:
# service iptables save
# service iptables restart
To remove a rule, give -D the same rule specification, then save again:
# iptables -D INPUT -p tcp --dport 21 -j ACCEPT
# service iptables save
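The top-to-bottom processing and the -I versus -A difference are easier to see on a ruleset than to memorise. The Python below is an added example, not code from the flashcards: it replays -A/-I lines the way iptables applies them and reports rules that sit below a catch-all REJECT/DROP/ACCEPT and therefore never fire. The ruleset is constructed (the usual RHEL default set with an FTP rule appended after the final REJECT); the -I form is accepted here only to show where an insert lands, iptables-save itself emits only -A lines.

```python
"""Replay iptables -A/-I rule lines and find rules that can never match.
Added example (not from the original flashcards); rulesets are constructed."""
import shlex
from collections import OrderedDict

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

# Constructed iptables-save style ruleset, as found in /etc/sysconfig/iptables,
# with the FTP rule appended (-A) after the catch-all REJECT.
BROKEN_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Same ruleset, but the FTP rule is added the way the card recommends:
# inserted (-I) at the top of the chain instead of appended.
FIXED_RULESET = BROKEN_RULESET.replace(
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT\n", ""
).replace(":OUTPUT ACCEPT [0:0]\n",
          ":OUTPUT ACCEPT [0:0]\n-I INPUT -p tcp --dport 21 -j ACCEPT\n")


def parse_rule(line):
    """Split '-A CHAIN rule-spec -j TARGET [target opts]' or
    '-I CHAIN [num] rule-spec -j TARGET' into
    (op, chain, position, match_tokens, target); position is None for -A."""
    tok = shlex.split(line)
    op, chain, rest = tok[0], tok[1], tok[2:]
    pos = None
    if op == "-I":
        pos = 1                                # iptables -I defaults to the top
        if rest and rest[0].isdigit():
            pos, rest = int(rest[0]), rest[1:]
    j = rest.index("-j")
    return op, chain, pos, rest[:j], rest[j + 1]


def build_chains(ruleset):
    """Replay the rule lines in order, as iptables would apply them:
    -A appends to the end of the chain, -I inserts at a 1-based position
    (default 1). Returns {chain: [(match_tokens, target, line), ...]}."""
    chains = OrderedDict()
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith(":"):               # ':INPUT ACCEPT [0:0]' policy header
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith(("-A ", "-I ")):
            op, chain, pos, match, target = parse_rule(line)
            rules = chains.setdefault(chain, [])
            entry = (match, target, line)
            if op == "-A":
                rules.append(entry)
            else:
                rules.insert(pos - 1, entry)
    return chains


def shadowed_rules(chains):
    """Rules that sit below a catch-all terminating rule (no match criteria,
    target ACCEPT/DROP/REJECT) in the same chain. A chain is walked top to
    bottom and the first terminating match wins, so these never fire."""
    dead = []
    for chain, rules in chains.items():
        blocked = False
        for match, target, line in rules:
            if blocked:
                dead.append((chain, line))
            elif not match and target in TERMINAL_TARGETS:
                blocked = True
    return dead


if __name__ == "__main__":
    for name, rs in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET)):
        print(name, "->", shadowed_rules(build_chains(rs)) or "no shadowed rules")
```

On a live host the same check is easiest to run against the output of `iptables-save`, whose packet counters (`iptables -L -n -v`) also reveal a dead rule: it never counts a packet. Non-terminating targets such as LOG are deliberately not treated as blocking here.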
Configure SSH key-based authentication
Instead of authenticating to a remote host with a username and password, SSH lets you use key-based authentication. To set it up, you need two physical or virtual servers, called server1 and server2 here. On server1, create a user user01 with password user01:
# useradd user01
# passwd user01
On server2, create the same user with the same password:
# useradd user01
# passwd user01
On server1, switch to this new user:
# su - user01
Generate a private/public key pair for key-based authentication (here an RSA key of 2048 bits; press Enter at the passphrase prompt to leave it empty, as the card does, although a passphrase is recommended for keys used interactively):
[user01@server1 ~]$ ssh-keygen -b 2048 -t rsa
Still on server1, copy the public key to server2. This step logs in with user01's password to install the key in ~user01/.ssh/authorized_keys, so it must happen before password authentication is disabled on server2:
[user01@server1 ~]$ ssh-copy-id -i .ssh/id_rsa.pub user01@server2.example.com
On the server2, edit the /etc/ssh/sshd_config file and set the following options:
PasswordAuthentication no
PubkeyAuthentication yes
Note: Set up virtual console access to server2 before restarting sshd: if the key login fails once PasswordAuthentication is disabled, the console is the way back in without reinstalling the server. Restart the sshd service (on a system without systemd: service sshd restart):
# systemctl restart sshd
On server1 as user01, connect to server2:
[user01@server1 ~]$ ssh server2.example.com
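The two sshd_config options above only take effect if nothing earlier in the file sets them differently: sshd keeps the first value it reads for a keyword, and a Match block near the end can re-enable passwords for some clients. The Python below is an added example, not part of the flashcards, that audits a config text for exactly that; both config texts are constructed.

```python
"""Audit an sshd_config for the key-only settings from the card.
Added example, not from the original flashcards. sshd keeps the FIRST
value it reads for a keyword, so appending 'PasswordAuthentication no'
below an earlier 'PasswordAuthentication yes' changes nothing, and a Match
block can re-enable passwords for matching clients. Configs are constructed."""

# Constructed: the card's two lines were appended at the bottom, but an
# earlier line already sets PasswordAuthentication, and a Match block follows.
APPENDED_SSHD_CONFIG = """\
Port 22
Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# added after installing the key:
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

# Constructed: the same file with the duplicate and the Match block removed.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Settings the card requires, and the value sshd assumes when one is absent.
REQUIRED = {"passwordauthentication": "no", "pubkeyauthentication": "yes"}
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks, ignored).
    Keywords are case-insensitive and '#' starts a comment. In the global
    section only the first value of a keyword is kept (sshd's rule); later
    duplicates are collected in `ignored`. Each Match block is
    (criteria, {keyword: value}) and applies only to matching connections."""
    global_cfg, matches, ignored = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = (value, {})
            matches.append(current)
        elif current is not None:
            current[1].setdefault(key, value)
        elif key in global_cfg:
            ignored.append((key, value))
        else:
            global_cfg[key] = value
    return global_cfg, matches, ignored


def audit(text):
    """Findings (list of strings) for the key-only setup; an empty list means
    the file enforces it globally and no Match block re-enables passwords."""
    global_cfg, matches, ignored = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = global_cfg.get(key, DEFAULTS[key])
        if got.lower() != want:
            findings.append(f"{key}: effective value is '{got}', want '{want}'")
    for key, value in ignored:
        findings.append(f"{key} {value}: ignored, sshd keeps the earlier value "
                        f"'{global_cfg[key]}'")
    for criteria, block in matches:
        if block.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {criteria}: re-enables PasswordAuthentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("appended", APPENDED_SSHD_CONFIG),
                      ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "->", audit(cfg) or ["ok"])
```

On the real server, `sshd -T` (run as root) prints the effective configuration after all of these rules have been applied, which is the authoritative check before you close the console session. Note too that with UsePAM yes and ChallengeResponseAuthentication yes, PAM can still prompt for a password through keyboard-interactive authentication, so that keyword deserves the same scrutiny.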
Packages to install to troubleshoot SELinux
# yum install policycoreutils-gui setroubleshoot
Then run system-config-selinux, or open it from the GUI: System -> Administration -> SELinux Management
get and change SELinux modes
In the GUI, under the Status category, you can change the current mode.
# getenforce -> show the current SELinux mode (Enforcing, Permissive or Disabled)
# setenforce Permissive -> switch to permissive mode (denials are logged but not blocked)
# setenforce 0 -> the same, using the numeric form
-> 0 = Permissive
-> 1 = Enforcing
# setenforce Enforcing -> switch back to enforcing mode
setenforce changes the running mode only and does not survive a reboot. To change the mode permanently, edit the SELINUX= line in /etc/selinux/config; switching between disabled and enforcing takes effect at the next reboot, and going from disabled to enforcing requires a relabel of the filesystem.
You can also get the current SELinux status, loaded policy and mode with:
# sestatus
List and identify SELinux file and process context
To see the SELinux context of files: # ls -Z
To see the SELinux context of processes: # ps -eZ
A context has the form user:role:type:level (e.g. system_u:system_r:sshd_t:s0 for a process, system_u:object_r:etc_t:s0 for a file); under the targeted policy the type is the part the rules act on. Processes running in the unconfined_t domain are not confined by SELinux.
change security context on a file
To change the security context of a file to match another file:
# chcon --reference /root/anaconda-ks.cfg_backup /etc/ssh/sshd_config
This copies the context of the anaconda file onto sshd_config. Because the reference file lives under /root, sshd_config ends up with a type the sshd domain is not allowed to read, so this breaks the sshd service: starting it fails and an AVC denial is logged in /var/log/audit/audit.log.
Parsing SELinux AVC messages
Use the sealert command (from setroubleshoot) to parse the AVC messages in the audit log and get a plain-language explanation with suggested fixes:
# sealert -a /var/log/audit/audit.log
To see the raw AVC records only: # ausearch -m avc
restore SELinux file context
Use the restorecon command to reset a file to the context defined in the policy's file context database (this is the fix for the broken sshd_config above; -R recurses into directories, -v prints each change):
# restorecon -R -v /etc/ssh/sshd_config
To set the security context of a file by hand (not mandatory for sshd_config, whose policy default is already etc_t; the semanage step matters for paths the policy does not already cover)
# chcon -t etc_t /etc/ssh/sshd_config -> changes the label on disk only; the next restorecon or full relabel resets it to the policy default
# semanage fcontext -a -t etc_t "/etc/ssh/sshd_config" -> records the rule in the policy's file context database (permanent)
# restorecon -R -v /etc/ssh/sshd_config -> applies the recorded rule to the file; also needed for the change to take effect
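The triage loop on these cards (read the AVC denial, identify the source domain and the target type, reset the label with restorecon) can be scripted. The Python below is an added example, not code from the flashcards: it parses AVC records in audit.log format, merges the records of one audit event, and suggests a restorecon on the denied path, since a mislabelled target is the most common cause. The audit lines are constructed to mirror the broken-sshd_config scenario above and are not from a real host.

```python
"""Parse SELinux AVC denial records (audit.log format) and suggest the
first fix to try. Added example, not from the original flashcards; the
audit lines below are constructed."""
import re
from collections import OrderedDict

# Constructed audit.log excerpt: sshd (sshd_t) denied read/open on a
# sshd_config that carries a /root-style label instead of etc_t.
SAMPLE_AUDIT_LOG = """\
type=SERVICE_START msg=audit(1364475353.000:2147): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1364475353.808:2148): avc:  denied  { read } for  pid=1234 comm="sshd" name="sshd_config" dev="dm-0" ino=262372 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1364475353.808:2148): avc:  denied  { open } for  pid=1234 comm="sshd" path="/etc/ssh/sshd_config" dev="dm-0" ino=262372 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1364475353.808:2148): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare


def parse_avc(text):
    """One dict per AVC record: ts, serial, result, perms (list) and the
    key=value fields with quotes stripped. Non-AVC records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: q if q else u for k, q, u in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "ts": m.group("ts"), "serial": m.group("serial"),
            "result": m.group("result"),
            "perms": m.group("perms").split(), "fields": fields,
        })
    return records


def type_of(context):
    """user:role:type[:level] -> type, the part the policy rules key on."""
    return context.split(":")[2]


def summarize(text):
    """Merge the denied AVC records of each audit event (same serial) into a
    triage entry and suggest a first fix: restorecon on the denied path when
    one is known, otherwise fall back to sealert for the full explanation."""
    events = OrderedDict()
    for r in parse_avc(text):
        if r["result"] != "denied":
            continue
        f = r["fields"]
        ev = events.setdefault(r["serial"], {
            "serial": r["serial"], "source_type": type_of(f["scontext"]),
            "target_type": type_of(f["tcontext"]), "tclass": f.get("tclass"),
            "perms": [], "path": None,
        })
        for p in r["perms"]:
            if p not in ev["perms"]:
                ev["perms"].append(p)
        if f.get("path", "").startswith("/"):     # full path beats a bare name
            ev["path"] = f["path"]
        elif ev["path"] is None and f.get("name"):
            ev["path"] = f["name"]
    for ev in events.values():
        if ev["path"] and ev["path"].startswith("/"):
            ev["fix"] = f"restorecon -v {ev['path']}"
        else:
            ev["fix"] = "sealert -a /var/log/audit/audit.log"
    return list(events.values())


if __name__ == "__main__":
    for ev in summarize(SAMPLE_AUDIT_LOG):
        print(f"event {ev['serial']}: {ev['source_type']} denied "
              f"{','.join(ev['perms'])} on {ev['tclass']} {ev['path']} "
              f"({ev['target_type']}) -> try: {ev['fix']}")
```

Whether restorecon is the right fix follows from comparing the target type with what the policy expects for that path (`matchpathcon /etc/ssh/sshd_config` prints the expected context); when the two already agree, the denial is a genuine policy gap rather than a mislabel, and sealert's output is the next stop.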