In this paper I will go over three Linux security technologies: SELinux, chroot jails, and iptables. These technologies aid in the prevention of identity theft. I will help you understand what they are, who designed them, and what they are good for. In the next paragraphs you will learn more about how these technologies are used and be able to decide which one is best suited for you.
SELinux was released under the GPL in late 2000 by the National Security Agency's Office of Information Assurance. More recently it has been developed by the open source community with the help of the NSA. SELinux currently ships as a part of Fedora Core, and it is supported by Red Hat. Packages also exist for Debian, SuSE, and Gentoo, although at this time these were unsupported by anyone. SELinux is based on the concept of Mandatory Access Control (MAC). Under MAC, administrators control every interaction on the software of the system.
A least-privilege concept is used: by default, applications and users have no rights, and all rights have to be granted by an administrator through the system's security policy. Under Discretionary Access Control (DAC), by contrast, files are owned by a user, and that user has full control over them.
If an attacker penetrates that user's account, they can do whatever they want with the files owned by that user. Standard UNIX permissions are still present on an SELinux system, and they are consulted before the SELinux policy during access attempts. If the standard permissions deny access, access is denied and SELinux is not involved. When the standard file permissions do allow access, the SELinux policy is consulted, and access is either granted or denied based on the security contexts of the source process and the targeted object.
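The check order described above, as a simplified Python model (an added example, not code from SELinux or from the original paper). The policy table, process and file objects are constructed for illustration, the type names are used only as labels, and root or capability overrides are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset
    domain: str      # SELinux type of the source process

@dataclass(frozen=True)
class File:
    owner: int
    group: int
    mode: int        # UNIX permission bits, e.g. 0o644
    setype: str      # SELinux type of the target object

PERM_BITS = {"read": 4, "write": 2, "execute": 1}

def dac_allows(p, f, perm):
    # Standard UNIX check: use owner, group or other bits, in that order.
    if p.uid == f.owner:
        shift = 6
    elif f.group in p.gids:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & PERM_BITS[perm])

def mac_allows(policy, p, f, perm):
    # Least privilege: no matching allow rule means no access.
    return perm in policy.get((p.domain, f.setype), set())

def check_access(policy, p, f, perm):
    if not dac_allows(p, f, perm):
        return "denied by DAC (SELinux not consulted)"
    if not mac_allows(policy, p, f, perm):
        return "denied by SELinux policy"
    return "granted"

# Constructed sample data: one allow rule, one process, three files.
POLICY = {("httpd_t", "httpd_sys_content_t"): {"read"}}
web = Process(uid=48, gids=frozenset({48}), domain="httpd_t")
page = File(owner=48, group=48, mode=0o644, setype="httpd_sys_content_t")
home = File(owner=48, group=48, mode=0o644, setype="user_home_t")
secret = File(owner=0, group=0, mode=0o600, setype="httpd_sys_content_t")

if __name__ == "__main__":
    for name, f in (("page", page), ("home", home), ("secret", secret)):
        print(name, "->", check_access(POLICY, web, f, "read"))
```

The `home` case is the one that matters for a compromised account: the process owns the file and the UNIX mode allows the read, yet the request is refused because no policy rule covers that pair of contexts.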
The chroot system call was introduced during the development of Version 7 Unix in 1979. Bill Joy added it to BSD on 18 March 1982, one and a half years before 4.2BSD was released, in order to test its installation and build system. On UNIX-based operating systems such as Linux, "chroot jail" is a common expression used to describe a section of a file system that is sectioned off for a specific user. On a web server, it is very useful for the security of shared hosting accounts. Without a chroot jail, a user with limited file permissions can navigate to the top-level directories. Although that user does not have permission to change anything, they can look through the files, target specific ones, and get the information they want.
Another important use for a chroot jail is virtualization with a Virtual Private Server (VPS), where the user has a complete operating system installed within a chroot directory. Even with root privileges for their own account, that user can't access higher directories and would be unaware that they exist. Chroot is useful for basic preventative security, although it isn't designed to prevent deliberate attempts to gain root access or attack the server. For that you need the other security measures that are available. Still, a chroot jail goes a long way toward at least making it difficult for an attacker to exploit your dedicated server.
Paul “Rusty” Russell was the initial author of and head behind netfilter/iptables. Later, when he was joined by other people, they built the Netfilter core team and now maintain the netfilter/iptables project together as a team effort. Harald Welte was leader until 2007, and Patrick McHardy is the current head of the netfilter core team. But with the numerous contributions by independent software developers, who will we