Chapter 5

Systems Security
Application Security and Login Security
Application Security (AppSec)
• application security as a shield protecting your software's entire
lifecycle.
• It's a set of practices, tools, and processes designed to keep
applications secure from various cyber threats. This includes:
• Protecting data and code: AppSec aims to prevent theft,
unauthorized access, or manipulation of data and the application's
code itself.
 Application Security (AppSec)
• Secure development lifecycle (SDLC): Security considerations are
integrated throughout the entire development process, from
design to deployment.
• Identifying vulnerabilities: AppSec involves finding weaknesses in
applications that attackers could exploit.
• Fixing and preventing vulnerabilities: Once vulnerabilities are
identified, they are patched or addressed to prevent future attacks.
 Login Security
• Login security is a specific aspect of application security that focuses on
protecting the login process.
• It ensures that only authorized users can access an application or
account. Here are some key aspects of login security:
• Authentication: This verifies a user's identity through methods like
usernames and passwords, multi-factor authentication (MFA), or
biometrics (fingerprint scan).
• Authorization: Even after successful authentication, users are only
granted access to the specific features or data they are authorized for.
Login Security
• Strong passwords and password management: Encouraging strong
passwords and secure storage practices helps prevent unauthorized
access.
• Account lockout after failed attempts: Limiting login attempts after a
certain number of failures thwarts brute-force attacks.
Boot Loader Security (LILO and GRUB)
• Boot loaders like LILO (Linux Loader) and GRUB (Grand Unified
Bootloader) are crucial programs that initiate the boot process on
your system.
• They load the operating system kernel into memory and prepare the
environment for it to run.
• However, securing your bootloader is important to prevent
unauthorized access to your system.
LILO (Less Common):
• Simpler Security: LILO is a simpler bootloader compared to GRUB.
• It doesn't offer a command interface, so there's no risk of an attacker
gaining interactive access before the kernel loads.
• Limited Protection: However, LILO's security features are limited.
LILO (Less Common):
• It allows password protection, preventing someone from booting a
specific operating system or entering single-user mode without the
password.
• Outdated Technology: LILO is considered an older technology and is
not actively developed anymore.
• Modern systems typically use GRUB.
GRUB (More Common):
• More Features, More Complexity: GRUB offers a wider range of
features than LILO, including a command interface.
• This complexity also introduces potential security risks if not
configured properly.
• Password Protection: Similar to LILO, GRUB allows password
protection for entries in the boot menu.
GRUB (More Common):
• This prevents unauthorized users from selecting a specific operating
system to boot.
• Secure Boot: Modern systems with UEFI firmware often utilize Secure
Boot, a feature that restricts the operating systems that can be
booted.
• GRUB can be configured to work with Secure Boot for added security
Cont..
• GRUB Configuration Security:
• The security of your GRUB configuration file (/boot/grub/grub.cfg) is
crucial.
• Ensure it has proper permissions (owned by root and read-only for
others) to prevent unauthorized modification.
Here are some general boot loader security practices:

• Enable password protection: Use a strong password for your boot loader
to prevent unauthorized access to different boot options.
• Keep software updated: Ensure your boot loader is updated with the
latest security patches for known vulnerabilities.
• Secure boot configuration file: Maintain proper permissions on your
boot loader configuration file to prevent tampering.
• Physical security: Consider physical security measures like locking your
computer case to prevent unauthorized tampering with the boot process.
Cont..
• boot loader security is just one aspect of overall system
security.
• It's important to maintain
• strong passwords,
• keep your operating system and applications updated,
• be on alert about potential threats.
TCP Wrappers Configuration
• TCP Wrappers is a legacy host-based access control system for
restricting access to network services on Unix-like systems.
• It works by allowing administrators to define rules in configuration
files that specify which hosts can access specific services.
Configuration Files:
• /etc/hosts.allow: This file defines rules that permit access to services.
The rules are processed first.
• /etc/hosts.deny: This file defines rules that deny access to services.
Rules are processed only if no matching rule is found in
/etc/hosts.allow.
Cont…
Rule Format:
Each line in the configuration files follows a specific format:
<service_name>: <client_spec>[: <option1>[:<option2>...]]

•<service_name>: This specifies the service being controlled (e.g., sshd, ftp).
•<client_spec>: This defines which hosts are allowed or denied access. It can be:

•IP address (e.g., 192.168.1.10)

•Hostname (e.g., [invalid URL removed])
•Network subnet (e.g., 192.168.1.0/24)
•Wildcards:
•ALL:Matches all clients.
•LOCAL: Matches localhost.

•KNOWN: Matches known hosts.

•UNKNOWN: Matches unknown hosts.

•[:<option1>[:<option2>...]]: These are optional settings that can further control access, such as logging level
• (e.g., :severity=warn).
Cont…
Example Rules:
•Allow access to SSH from all hosts in the 192.168.1.0/24
network:
• sshd: 192.168.1.0/24
•Deny access to FTP from all unknown hosts:
• ftp: UNKNOWN

•Allow access to Telnet only from localhost and log all

connections:
• telnet: LOCAL :ALL :severity=info
 Important Considerations:
•Order matters: Rules are processed sequentially in each file.
•The first matching rule is applied.
•Default Deny: If no matching rules are found in either file, access is
typically denied.
•Consider creating a default deny rule in /etc/hosts.deny for extra security
(e.g., ALL: ALL).

•Limited Functionality: While TCP Wrappers offer basic access

control, they have limitations.
• They don't offer features like user authentication or advanced
access control based on user accounts.
Modern Alternatives:
• TCP Wrappers are considered a legacy tool.
• Many modern systems rely on firewall software or access control
features within the services themselves for more granular control.
• Firewalls offer a broader range of security features and can manage
rules for various protocols and ports.
• NB. Improperly configured rules can inadvertently lock you out of
your own services.
• It's recommended to consult your specific system's documentation
before making changes.
Iptables Firewalling: Preliminaries
• Iptables is a powerful built-in firewall tool in most Linux
distributions.
• It allows you to define rules that control incoming, outgoing,
and forwarded network traffic on your system.
Firewall Basics:
Key concept :
• What it does: A firewall acts as a security barrier, filtering incoming
and outgoing network traffic based on predefined rules.
• It allows authorized traffic and blocks suspicious or unwanted
connections.
• Packet Filtering: Iptables works by filtering individual data packets
traveling across the network.
Firewall Basics:
• Each packet contains information about the source and destination IP
addresses, ports, and protocols involved in the communication.
• Default Policy: By default, iptables typically drops all incoming traffic
(unless explicitly allowed by a rule).
• This ensures a secure starting point.
 Iptables Components:
•Tables: Iptables organizes rules into tables.
• The most common table is the filter table, which controls incoming, outgoing, and forwarded
traffic.
•Chains: Each table is further divided into chains, which are sets of rules that process
packets in a specific order.
•The INPUT, OUTPUT, and FORWARD chains are commonly used for traffic entering, leaving, and being
routed by your system, respectively.
•Rules: Rules within a chain specify the conditions for allowing or dropping traffic.
• Each rule consists of criteria like source/destination IP, port number, protocol (TCP,
UDP, etc.), and an action (ACCEPT, DROP, REJECT, etc.).
Iptables Commands:
• iptables-list (-L, -v): Lists the current firewall rules.
• iptables-new (-N): Creates a new chain.
• iptables-append (-A): Appends a new rule to the end of a chain.
• iptables-insert (-I): Inserts a new rule at a specific position in a chain.
• iptables-delete (-D): Deletes an existing rule.
• iptables-flush (-F): Flushes all rules from a chain.
 Security Best Practices

•Start with a DROP policy: Begin with a default DROP policy for the INPUT chain to ensure a
secure starting point.
•Explicitly allow desired traffic: Define specific rules to allow only the necessary incoming
and outgoing traffic based on your system's purpose.
•Restrict access: Use granular rules to restrict access to specific IP addresses, ports, and
protocols.
•Log suspicious traffic: Consider logging dropped packets for monitoring and
troubleshooting purposes.
•Test and verify: Always test your rules carefully to avoid accidentally blocking legitimate
traffic.
 Iptables Scenarios: Packet Filtering, Port Forwarding, and NAT

• Iptables can be used for various network traffic control scenarios. Here's
an overview of three common ones:
1. Packet Filtering:
• Packet filtering is the core functionality of iptables.
• It allows you to define rules based on criteria like source/destination IP
addresses, ports, and protocols to control which traffic flows through your
system.
 Cont..
• Scenario: You want to allow SSH access to your server only from
specific IP addresses for enhanced security. Here's a sample rule:
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

This configuration:
•Allows SSH (tcp protocol, destination port 22) connections only from the
•IP address 192.168.1.10 using the ACCEPT action.
•The second rule drops any other incoming SSH connections using the
DROP action.
Cont..
2. Port Forwarding/Redirection:
• Port forwarding allows you to redirect incoming traffic on a specific
port to a different port on your local machine or another machine on
your network.
• This is useful for directing incoming requests to specific services.
 Cont..
• Scenario: You have a web server running on port 8080 on your
machine, but you want users to access it using the standard web port
80. Here's a sample rule:
• iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
127.0.0.1:8080
This configuration:
•Uses the nat table, specifically the PREROUTING chain, to intercept
traffic before it reaches the local machine.
•The rule redirects (DNAT) any incoming traffic on port 80 (tcp protocol) to your
local machine (127.0.0.1) on port 8080.
Cont…
3. Network Address Translation (NAT)/IP Masquerading:
• NAT allows you to translate the source IP address of outgoing traffic
from your private network to a public IP address.
• This is typically used when your network has a single public IP address
shared by multiple devices.
Cont…
• Scenario: You have multiple devices on your private network behind a
router with a single public IP address.
• You want all outgoing traffic from these devices to appear to originate
from the router's public IP. Here's a configuration snippet:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This configuration:
•Uses the POSTROUTING chain in the nat table to manipulate outgoing traffic (-o eth0
specifies the outgoing interface).
•The MASQUERADE target automatically translates the source IP address of outgoing
packets to the public IP address of the router interface.
Packet-Processing Model

• The packet-processing model refers to the set of steps and

components involved in routing data packets across a network.
• It's a crucial process for ensuring efficient and secure data
transmission.
1. Kernel-Based Packet Processing:
• This has been the traditional model for decades. In this approach:
• Network Interface Card (NIC): The NIC receives data packets from the
network cable or wireless connection.
• Operating System Kernel: The packets are copied from the NIC to the
computer's main memory, specifically the kernel space.
• Packet Processing: The kernel performs various tasks on the packet,
including:
1. Kernel-Based Packet Processing:
• Header analysis: Extracting information from the packet header,
such as source and destination IP addresses, port numbers, and
protocol type.
• Routing decision: Based on the header information, the kernel
determines the next hop (destination) for the packet within the
network.
• Security checks: The kernel might perform security checks, such as
firewall filtering, to ensure the packet is legitimate.
• Transmission: The kernel copies the processed packet back to the NIC
for transmission to the next hop.
1. Kernel-Based Packet Processing:
• Advantages:
• Granular control: The kernel has complete control over packet
processing, allowing for complex security measures and custom
filtering rules.
• Flexibility: The kernel-based approach can be adapted to various
network configurations and protocols.
1. Kernel-Based Packet Processing:
Disadvantages:
• Performance bottleneck: Copying packets between the NIC and
kernel memory can introduce overhead, impacting network
performance on high-traffic systems.
• Increased CPU usage: Packet processing within the kernel utilizes CPU
resources, which can be a bottleneck for heavily loaded systems.
2. User-Space Packet Processing:
• This is a more recent approach that aims to address the limitations of
kernel-based processing. Here's the key difference:
• User-Space Applications: Packet processing tasks are offloaded to
dedicated applications running in user space (outside the kernel) with
direct access to the network hardware.
• Reduced Kernel Overhead: By minimizing kernel involvement, user-
space processing reduces CPU usage and memory copies, leading to
potentially higher performance.
2. User-Space Packet Processing:
Advantages:
• Improved performance: Offloading processing to user-space
applications can significantly improve network throughput, especially
for high-traffic environments.
• Reduced CPU load: The kernel is freed from intensive packet
processing tasks, allowing it to focus on other system functions.
2. User-Space Packet Processing:
Disadvantages:
• Complexity: Developing and maintaining user-space packet
processing applications can be more complex compared to the kernel-
based approach.
• Security concerns: Granting user-space applications direct access to
network hardware requires careful security considerations to prevent
potential vulnerabilities.
To choose these models depends on various factors like:

• Network traffic volume: For high-traffic environments, user-space

processing can offer significant performance benefits.
• Security requirements: Kernel-based processing might be preferred
for applications demanding the highest security level.
• Hardware and software support: The specific network hardware and
operating system capabilities can influence the suitability of each
approach.
Additionally, some hybrid models combine aspects of both kernel-
based and user-space processing for a balance between performance
and control.
Intrusion Detection and Mandatory Access Control (MAC)
with LIDS
• LIDS (Linux Intrusion Detection System) is not directly related to
Mandatory Access Control (MAC)
• However, both LIDS and MAC are important security concepts for
Linux systems
 Intrusion Detection System (IDS):
• An IDS is a security tool that monitors network traffic and system activity
for malicious behavior.
• It can detect and alert administrators about potential security threats
such as:
• Unauthorized access attempts
• Suspicious network activity
• File system modifications
• Rootkit installations
 LIDS (Linux Intrusion Detection System):
• LIDS is an open-source host-based IDS specifically designed for Linux
systems.
• It monitors system calls, kernel logs, and file system changes to identify
suspicious activity.
• While not as widely used as some commercial IDS solutions, LIDS offers a
lightweight and customizable option for Linux intrusion detection.
Mandatory Access Control (MAC)
• MAC is a security model that enforces access control policies on a
system.
• Unlike Discretionary Access Control (DAC), where users control access
permissions, MAC enforces a set of pre-defined rules that govern how
processes and users can access resources.
Mandatory Access Control (MAC)
Benefits of MAC:
• Enhanced security: MAC can prevent unauthorized access attempts
even if a user gains elevated privileges (like root access).
• Reduced risk of human error: By removing user control over access
permissions, MAC minimizes the risk of accidental misconfigurations.
Cont..
Challenges of MAC:
• Complexity: Implementing and managing MAC policies can be
complex, requiring careful configuration.
• Potential restrictions: MAC policies might restrict user flexibility in
accessing resources compared to DAC.
 Cont…
How LIDS and MAC work together:
• LIDS can be used to detect attempts to bypass or exploit MAC controls.
• MAC can prevent unauthorized access attempts even if an attacker
manages to compromise an application or user account.
MAC implementations for Linux:
• SELinux (Security-Enhanced Linux): A widely used and robust MAC
implementation for Linux.
• AppArmor: Another popular MAC framework that offers more granular
control over application behavior.
summary
• LIDS and MAC are complementary security approaches for Linux
systems.
• LIDS helps detect intrusion attempts, while MAC enforces access
control policies to prevent unauthorized access.