Essential Linux Security
Heartbleed, Shellshock, POODLE, GHOST, FREAK… With severe security vulnerabilities on the rise, how can we ensure our systems are adequately protected? This talk discusses the following essential Linux security topics:
* unattended upgrades
* automated TLS certificate provisioning
* strict transport security, content security policy, OCSP stapling
* file system encryption via LUKS / EncFS
* rootkit detection
* automatic ban after X authentication failures
Attending to these essentials can significantly reduce the attack surface of the systems we administer.
Unattended package upgrades are a good first line of defense, but only if they are properly set up and monitored. For security updates that require a reboot in order to fully address vulnerabilities, should reboots also be automatic? For users who prefer to reboot manually, how does one tell when a reboot is required?
Some of the related challenges include:
* many popular virtual private server (VPS) providers do not install or enable automatic security updates in their Linux images
* <pre>apt-get install unattended-upgrades</pre> on Debian-based systems installs automatic security updates but does not actually <em>enable</em> them, potentially putting unsuspecting Linux users at risk
* some security updates (e.g., kernel-level) require a server reboot to take effect, and yet users often don't realize this until the next time they log in, resulting in a system that is vulnerable in the interim
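To make those three points concrete, here is an added example for Debian-based systems that is not part of the talk: a POSIX shell script that writes the apt periodic settings that actually switch unattended-upgrades on (the same two settings that <code>dpkg-reconfigure unattended-upgrades</code> writes), optionally lets it reboot the host at a fixed time, and reports a pending reboot so that administrators who reboot by hand can see it before their next login. The file name 51automatic-reboot, the 02:00 reboot time and the directory/flag-file parameters (present so the functions can be exercised against a scratch directory without root) are my choices, not the talk's.

```shell
#!/bin/sh
# Added example: enable unattended security upgrades on Debian/Ubuntu, let
# them reboot the host when needed, and detect a pending reboot.
# DIR/FLAG parameters default to the real apt paths; pass a scratch
# directory to dry-run the functions without root.
set -eu

# Installing unattended-upgrades only ships its configuration. These two
# settings are what make apt's daily job refresh the package lists and run
# unattended-upgrades (dpkg-reconfigure unattended-upgrades writes the same file).
write_auto_upgrades_conf() {
    dir=${1:-/etc/apt/apt.conf.d}
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Allow unattended-upgrades to reboot at the given time when an upgraded
# package (e.g. the kernel) asks for it. The file name 51automatic-reboot is
# our own choice; apt reads apt.conf.d in lexical order, so it overrides the
# commented-out defaults in 50unattended-upgrades.
enable_automatic_reboot() {
    dir=${1:-/etc/apt/apt.conf.d}
    when=${2:-02:00}
    cat > "$dir/51automatic-reboot" <<EOF
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "$when";
EOF
}

# Exit 0 when a reboot is pending, listing the packages that asked for it if
# that list exists. The flag is created by the package hooks that Ubuntu's
# update-notifier-common and the unattended-upgrades package install. For
# manual reboots, this check belongs in a login banner or a monitoring probe.
reboot_required() {
    flag=${1:-/var/run/reboot-required}
    [ -e "$flag" ] || return 1
    echo "reboot required"
    [ -r "$flag.pkgs" ] && sed 's/^/  /' "$flag.pkgs"
    return 0
}

case "${1:-}" in
    apply) write_auto_upgrades_conf; enable_automatic_reboot ;;
    check) reboot_required || echo "no reboot pending" ;;
esac
```

Run it as <code>sh upgrades.sh apply</code> (as root) once, and <code>sh upgrades.sh check</code> from a login script or cron job; with no argument it only defines the functions.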
Given the ubiquitous nature of the web, it’s critical that we do everything we can to hasten the switchover to a TLS-everywhere world. What was previously an expensive and tedious task has become much easier thanks to the Let’s Encrypt project, which automates TLS certificate provisioning and reduces the cost to zero. We’ll talk about the project and cover how it can be put to practical use.
Web security starts with TLS, but TLS itself needs careful configuration before it delivers its full benefit. Forward secrecy, strict transport security, content security policy, OCSP stapling... these are just a few of the most important web security configuration options that we’ll cover.
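As an added example (not from the talk), the following POSIX shell script audits the two headers just mentioned as a site actually sends them, checks OCSP stapling with openssl, and carries the nginx directives that make a server pass. The thresholds are my assumptions: an HSTS max-age of at least one year with includeSubDomains (the HSTS preload requirements) and a CSP whose script sources permit neither inline scripts nor wildcard hosts. The sample responses are constructed, and the certificate path and host names in the nginx snippet are placeholders.

```shell
#!/bin/sh
# Added example: audit HSTS and CSP headers, check OCSP stapling, and show
# the nginx directives that produce a passing result. Thresholds are our
# assumptions (one-year HSTS with includeSubDomains; no inline/wildcard
# script sources), not the talk's.
set -eu

HSTS_MIN_AGE=31536000

# Print the first value of header $1 from raw response headers on stdin.
header_value() {
    grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

hsts_ok() {
    value=$(printf '%s\n' "$1" | header_value Strict-Transport-Security)
    [ -n "$value" ] || { echo "HSTS: missing"; return 1; }
    lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
    max_age=$(printf '%s' "$lower" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$max_age" ] || { echo "HSTS: no max-age"; return 1; }
    [ "$max_age" -ge "$HSTS_MIN_AGE" ] ||
        { echo "HSTS: max-age $max_age below $HSTS_MIN_AGE"; return 1; }
    case "$lower" in
        *includesubdomains*) echo "HSTS: ok" ;;
        *) echo "HSTS: includeSubDomains missing"; return 1 ;;
    esac
}

csp_ok() {
    value=$(printf '%s\n' "$1" | header_value Content-Security-Policy)
    [ -n "$value" ] || { echo "CSP: missing"; return 1; }
    # script-src governs script execution; default-src is the fallback.
    sources=$(printf '%s' "$value" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*script-src[[:space:]]\(.*\)/\1/p' | head -n 1)
    [ -n "$sources" ] || sources=$(printf '%s' "$value" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*default-src[[:space:]]\(.*\)/\1/p' | head -n 1)
    [ -n "$sources" ] || { echo "CSP: neither script-src nor default-src"; return 1; }
    set -f   # no globbing while iterating over tokens such as *
    for src in $sources; do
        case "$src" in
            "'unsafe-inline'"|'*'|'http:'|'https:'|'data:')
                set +f; echo "CSP: script sources allow $src"; return 1 ;;
        esac
    done
    set +f
    echo "CSP: ok"
}

# Live check (needs network): request a stapled response and look for a
# successful OCSP status in openssl's output.
ocsp_stapled() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null |
        grep -q 'OCSP Response Status: successful'
}

# nginx directives satisfying the checks above: TLS 1.2+ with ECDHE-only
# suites (forward secrecy), stapling with chain verification, and HSTS/CSP
# sent on every response including errors ("always"). Paths are placeholders.
nginx_tls_snippet() {
    cat <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
EOF
}

# Constructed sample responses (not captured from any real site).
GOOD_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' https://static.example.com; object-src 'none'
EOF
)
WEAK_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'
EOF
)

# Run both header checks; non-zero if either fails.
audit_headers() {
    status=0
    hsts_ok "$1" || status=1
    csp_ok "$1" || status=1
    return $status
}

case "${1:-}" in
    demo) audit_headers "$GOOD_HEADERS" || true; audit_headers "$WEAK_HEADERS" || true ;;
    live) audit_headers "$(curl -sI "https://$2/")" || true
          ocsp_stapled "$2" && echo "OCSP: stapled" || echo "OCSP: not stapled" ;;
    nginx) nginx_tls_snippet ;;
esac
```

<code>sh tlsaudit.sh live example.com</code> audits a real host; <code>demo</code> runs the checks over the two constructed responses, and <code>nginx</code> prints the directives. The CSP check deliberately inspects script-src (falling back to default-src) rather than merely testing for the header's presence, since a policy that allows 'unsafe-inline' scripts offers little XSS protection.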
If someone walks off with a hard drive, file system encryption is one of the few ways to protect the data it contains. We’ll talk about use cases and discuss when tools like LUKS and EncFS are a good fit.
Last but not least, rootkit detection and automatic login bans are important tools in the fight for better security. By automatically banning IP addresses after multiple authentication failures, we reduce load on our systems and the risk of brute-force attacks.
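The counting logic behind such a ban, as an added example that is not part of the talk: a POSIX shell script that tallies failed sshd authentications per source address over constructed log lines in the format Debian writes to /var/log/auth.log, bans the offenders with iptables, and shows the fail2ban jail that expresses the same policy. The threshold of three failures, the one-hour ban, and the plain iptables rule (no expiry) are my choices; fail2ban adds expiry and log-rotation handling on top of exactly this idea.

```shell
#!/bin/sh
# Added example: the detection behind "ban after X failures", run over
# constructed sshd lines, plus the firewall rule a ban installs and the
# equivalent fail2ban jail. Thresholds and addresses are our own choices.
set -eu

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG=$(cat <<'EOF'
Mar  5 10:01:11 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  5 10:01:13 vps sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  5 10:01:15 vps sshd[2103]: Invalid user admin from 203.0.113.7 port 51240
Mar  5 10:01:15 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  5 10:01:20 vps sshd[2105]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Mar  5 10:01:25 vps sshd[2105]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2
Mar  5 10:02:02 vps sshd[2110]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
EOF
)

# Print "count ip" for every source with at least $2 failed authentications
# in the log text $1, busiest first. Only "Failed password" lines count: the
# "Invalid user" line belongs to the same attempt and would double count.
offenders() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' | sort -rn
}

# Roughly what fail2ban's iptables actions install, minus expiry; needs root.
ban_ip() {
    iptables -I INPUT -s "$1" -j DROP
}

# Minimal fail2ban jail.local expressing the same policy: three failures
# within ten minutes earn a one-hour ban.
fail2ban_jail() {
    cat <<'EOF'
[sshd]
enabled  = true
maxretry = 3
findtime = 10m
bantime  = 1h
EOF
}

case "${1:-}" in
    demo) offenders "$SAMPLE_LOG" 3 ;;
    ban)  offenders "$(cat /var/log/auth.log)" "${2:-3}" |
              while read -r count ip; do ban_ip "$ip"; done ;;
    jail) fail2ban_jail ;;
esac
```

<code>sh sshban.sh demo</code> lists 203.0.113.7 with four failures and leaves alice's single typo alone; <code>ban</code> applies the rule to the live log (as root). Running this from cron rather than a log-tailing daemon means bans lag the attack by up to the cron interval, one of the reasons to prefer fail2ban for anything beyond a demonstration.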