DerbyCon 2012 - Intro to Linux System Hardening

Too sad that this talk is only from System Administrator to System Administrator but not for Information Security (InfoSec) guys. The speaker, Chris Jenks (rattis), is in the view of System Administrator to harden Linux system instead of an InfoSec view. However, it is an InfoSec Conference. Strange.



In general, a System Administrator has no knowledge of about how malicious hackers thinking and doing. Their knowledge about InfoSec is limited. They just guessing what they done can prevent from being attack.



Description of the Talk (Written by the speaker) :



This introductory level talk is designed for people that know a little bit about Linux and a how to run Backtrack. The main target audience would have a junior level administration experience, who also knows about Bactrack.



It looks at how to do basic system hardening on CentOS and Ubuntu, using systems with default installs. It then looks at using those same tactics to systems running Backtrack. Along the way, I discuss why I don’t like using virtual machines, multiboot, liveCD or USB to run Bactrack in the field, and why I think it should be ran on a dedicated machine.



BIO of Speaker :



Experience includes fifteen years of network engineering and thirteen years system administration. He is currently studying Information Assurance at Eastern Michigan University. That degree will supplement his degrees in Computer Information Systems and Anthropology. Certifications include Security+ and Offensive Security Wireless Professional. Involved in Michigan’s Locksport scene, and a regular at Arbsec and MiSec. He’s the ”rat” in the Rats and Rouges InfoSec Podcast.







My Own Opinion :



Basically, BackTrack Linux is a Linux distribution for Penetration Testing. That mean, it is a tool for attackers (you can think like this in order to make your mind clear). Just like Thai boxers who will not wear any protective equipment to protect themselve during the fight. It is because those protective equipment may causing obstruction to their performance in the fight.



However, the speaker of the talk advised users of BackTrack to enable firewall (iptables) and configure the Apache web server to listen to the localhost (127.0.0.1). He also suggests to re-configure the SSH to not allow root login and create a sudoer account. More tools, such as denyhosts, fail2ban, tripwire and logcheck, are also advised to be installed in BackTrack.



If firewall is enabled and other tools (such as denyhosts, fail2ban, tripwire) to be installed in BackTrack, it is something like shooting on our foot when using it to do the pentesting. Meanwhile, the speaker do not know the function of the Apache web server at the BackTrack as he do not know why she is there. Moreover, SSH in BackTrack is for attack purpose instead of administration function. Almost all the tools in BackTrack requires root privilege to run, therefore, the sudoer account is not required.



BackTrack is not a normal Linux distribution for general users to use daily and casually. It is a special designed distribution for Penetration Testing; it is designed for attackers (you can think that Penetration Tester is an attacker but he is not a bad guy). It is designed to attack but not to defence.



Weird enough that the speaker has some qualifications of InfoSec. Overall, this talk is misleading in the view of a BackTrack user. Not recommended.



UPDATED on November 10, 2012 :



I find out that he had another 2 more talks on the same topic and spreading the same wrong information to the listeners. Too sad.



I am doubt that if the SysAdmin hack back (if any), what can he get? What can he do? As he said, shut down the attacker's box? The attacker is just using a BackTrack and if the root password has been changed, there is no chance for a SysAdmin doing something evil to the attacker. It is really doubt, in my opinion.



He even don't know the difference between 127.0.0.1 and 0.0.0.0 as he suggest to turn off CUPS as it is running as root. However, CUPS is listening to localhost and the user account running is already root. So, what does he want?



By the way, he use Denyhosts to block the unwanted SSH access, that mean he do not know how to use SSH to perform an attack.



He also suggest to disable the mail function. However, how can we (attacker) to perform an attack via mail?



I am doubt that he do not know how to use BackTrack. Not kidding!



Finally, one thing that I do agree with him is to change the root password to something else and may be changing the hostname too.



Anyway, he is just a System Administrator only but not an Information Security guy.