Kurt Seifried, [email protected]
This was a presentation I used to do on securing Linux; it takes about a day to go through. The formatting got a bit mangled (lost some indentation, oh well) but it should make sense.
By Kurt Seifried
http://seifried.org/security/
Copyright / Trademarks
Copyright Kurt Seifried 2002, all rights reserved.
All trademarks (Red Hat, etc) are property of their respective owner
Kurt Seifried accepts no liabilities whatsoever for this documentation
Overview
Introduction
Basic security
Basic software and network security
Remote and local administration tools
Specific service security
Firewalls and VPNs
Hardening scripts and other resources
Limiting users
Advanced security
Introduction overview
What is Linux?
Swiss army knife analogy
What is Linux?
Linux is a UNIX like operating system
Linux can do many things - SMTP, POP, IMAP, DNS, NNTP, LDAP, SSH, HTTP, HTTPS, FTP, X, etc.
Linux is the kernel, surrounding this is software like command shells, server software, etc. The complete package is called a distribution.
Swiss Army knife analogy
Use the right tool for the job
If you need a can opener, buy one
If you need a cork screw, don't buy a Swiss army knife
Basic security overview
Physical
Boot time
Console issues
Filesystem
Basic security - Physical overview
Potential attacks
Local security
Potential attacks
Unplug, or simply steal the machine
Pour a can of soda into the machine
Remove battery, flush the BIOS
Copy harddrives with special tools (well not really special)
Console access (more later)
Local security
Place the machine in a locked room or cage
Control physical access to the room with the server
Beware of hung ceilings
Beware of raised floors
Beware of large ventilation ducts
Consider CCTV
Basic security - Boot time overview
BIOS / OpenBoot security
Master Boot Record
Lilo security
Boot up programs
BIOS Security
Enable the BIOS password for modifying the BIOS settings
Consider enabling the BIOS boot up password if it has one
Do not allow boots from removable media (floppy, CD-ROM, etc.)
Boot from the harddrive only
When booting from SCSI use an internal disk if possible
OpenBoot Security
Sparc
password S0m3password
setenv security-mode none|command|full
Apple
command-option-O-F to access
command-option-P-R to wipe
setenv auto-boot? false
no way to truly secure boot process
Master Boot Record
Some distributions offer interactive boots via the MBR
Debian for example:
"install-mbr" should be run with "--interrupt n" to prevent interruption of the boot sequence
Lilo security
use the "restricted" and "password" settings on lilo and all images
have a minimum of bootable kernels set up
make labels clear, use "message" if needed
consider disabling unattended booting
boot parameters such as "single" or "init=/bin/sh" otherwise give a root shell without a login; the "restricted" setting above makes lilo ask for the password whenever a parameter is given
Boot up programs
Remove or disable any software that allow an interactive boot
Red Hat for example:
"kudzu" should be removed or disabled
Consider disabling network services, and instead bringing them up manually
Bring up firewalling before network services
Basic security - Console issues
Prevent reboots by disabling ctrl-alt-del in /etc/inittab, and possibly point it to a script that generates an alert via pager/etc.
Consider using serial console with a terminal server and disabling the keyboard / monitor completely
Use case locking mechanisms
Login screens
Login screens
Warn against unauthorized use, do not use the word welcome
Try to give as little information as possible
Do not put OS type or version
Consider putting enough line feeds in so that it clears the screen from previous use
Basic security - filesystem overview
Filesystem layout
Filesystem links
Finding world writeable files and directories
Permissions of files / directories
Ownership of files / directories
Special attributes for files
Ensuring file integrity
Backups
Filesystem - layout overview
User writeable directories
/tmp and /var/tmp directory
User writeable directories
/tmp
/var/tmp
/home (user home directories)
/var (email, print queues, squid cache, etc.)
/tmp and /var/tmp directory
Anyone and everyone can write to them completely
Race conditions can occur when tmp files are created incorrectly (especially by privileged programs)
You might want to monitor the directories with l0pht-watch
/tmp and /var/tmp directory (cont.)
Mount with restrictive options:
"nosuid" - no setuid or setgid files
"noexec" - files cannot be executed
"nodev" - no device files
Use software like tmpwatch to keep it relatively clean
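A check for the mount options listed above, as an added example that is not part of the original slides. It reads the same field layout as /proc/mounts, so it can be run against a constructed sample or the live system.

```shell
#!/bin/sh
# Added example (not from the original slides): verify that /tmp and /var/tmp
# carry the nosuid, noexec and nodev options, reading the same
# "device mountpoint fstype options ..." lines that /proc/mounts provides.
# An fstab line that gives /tmp these options looks like:
#   /dev/sda5  /tmp  ext3  defaults,nosuid,noexec,nodev  0 2
# Caveat: noexec on /tmp breaks installers and package scripts that unpack
# and run helpers there; test upgrades before relying on it.

REQUIRED_OPTS="nosuid noexec nodev"

# check_mount_opts MOUNTS_FILE MOUNTPOINT
# Return 0 and print nothing when every required option is present,
# return 1 and print the missing options when some are absent,
# return 2 when MOUNTPOINT is not a separate mount at all (so it shares
# the root filesystem and its options).
check_mount_opts() {
    mounts="$1"; mp="$2"
    # field 2 is the mountpoint, field 4 the comma separated option list;
    # the last matching line wins, as with overmounts
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts" | tail -n 1)
    [ -n "$opts" ] || return 2
    missing=""
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;                  # option present
            *) missing="$missing $o" ;;
        esac
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed /proc/mounts sample: /tmp is missing noexec, /var/tmp is fine,
# /home is not a separate mount.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,nosuid,nodev 0 0
/dev/sda6 /var/tmp ext3 rw,nosuid,noexec,nodev 0 0
EOF
}

# report MOUNTS_FILE LABEL -> one line per directory checked
report() {
    for mp in /tmp /var/tmp /home; do
        rc=0; missing=$(check_mount_opts "$1" "$mp") || rc=$?
        case $rc in
            0) echo "$2 $mp: restricted" ;;
            1) echo "$2 $mp: missing $missing" ;;
            *) echo "$2 $mp: not a separate mount" ;;
        esac
    done
}

# Stand-alone run: the constructed sample first, then the live system.
sample=$(mktemp)
write_sample_mounts "$sample"
report "$sample" "sample"
rm -f "$sample"
[ -r /proc/mounts ] && report /proc/mounts "live"
```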
Filesystem - links overview
Notes on hardlinks
Notes on symbolic links
Notes on hardlinks
hard links point directly to the inode of the file
permissions on the directories "below" the target file (its parent directories) will not stop a user who has already hard-linked the file, so create the directory, protect it, and only then create the files in it
this is one reason why user writeable filesystems should be on separate partitions (hard links cannot cross filesystems)
Notes on symbolic links
symbolic links point to a file or directory by path; file permissions on the target apply AND
permissions on the directories "below" the target (its parent directories) will stop a user who has already linked to the file
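The inode difference described above, shown in a short script. This is an added example, not part of the original slides; it needs GNU stat and creates its files in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original slides): a hard link is a second
# directory entry for the same inode, so it keeps working after the original
# name is removed (or after the directory holding the original is locked
# down); a symlink only stores a path and breaks as soon as that path stops
# resolving.

# inode_of FILE / nlink_of FILE: inode number and link count (GNU stat)
inode_of() { stat -c %i "$1"; }
nlink_of() { stat -c %h "$1"; }

# link_demo WORKDIR
# Creates WORKDIR/target, a hard link and a symlink to it, then removes the
# original name. Prints key=value lines describing what happened.
link_demo() {
    d="$1"
    echo "secret data" > "$d/target"
    ln    "$d/target" "$d/hard"      # second name for the same inode
    ln -s "$d/target" "$d/sym"       # just the string "$d/target"
    if [ "$(inode_of "$d/target")" = "$(inode_of "$d/hard")" ]; then
        echo "same_inode=yes"
    else
        echo "same_inode=no"
    fi
    echo "links_before_rm=$(nlink_of "$d/target")"
    rm "$d/target"                   # the data stays while any name remains
    echo "links_after_rm=$(nlink_of "$d/hard")"
    if cat "$d/hard" >/dev/null 2>&1; then echo "hard_readable=yes"; else echo "hard_readable=no"; fi
    if cat "$d/sym"  >/dev/null 2>&1; then echo "sym_readable=yes";  else echo "sym_readable=no";  fi
}

# Cross-filesystem hard links are refused (EXDEV), which is why the slide
# recommends separate partitions for user-writeable areas: a user cannot keep
# a hard link to a privileged file from / inside /tmp when /tmp is its own
# filesystem.

work=$(mktemp -d)
link_demo "$work"
rm -rf "$work"
```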
Finding world writeable files and directories
"find / -perm -002 -type d" (or "-type f" for files)
there will be many world writeable files such as symbolic links which can be mostly ignored
the /dev directory will have many world writeable devices, create a file listing after install and use it to find any future problems (permissions should not change much)
File permissions
"ls" tells all
"chmod" to change permissions
Generally "other" is the biggest concern; "chmod o-rwx file" will block all access for others
There are ACL projects for Linux, but most are quite simplistic and limited (SGI is working on a more complete implementation)
File ownership
"ls" tells all
"chown" to change the owner (user and group)
Watch out for files owned by numbers, this indicates the group or user account was deleted
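A baseline-and-diff script for the two checks above (world writeable entries, and files owned by a numeric id because the account is gone), as an added example that is not from the original slides. It needs GNU find.

```shell
#!/bin/sh
# Added example (not from the original slides): take a baseline of
# world-writeable and ownerless entries under a tree and diff later snapshots
# against it, the approach the slides suggest for /dev. Needs GNU find.
# Usage: ww_snapshot /dev > /mnt/floppy/dev-baseline   (store it read-only)
#        ww_compare /mnt/floppy/dev-baseline /dev

# ww_snapshot ROOT
# One sorted line per regular file or directory that is world writeable
# (-perm -002) or has no matching passwd/group entry (-nouser/-nogroup).
# %u/%g print the bare number when the account has been deleted, which is
# the "files owned by numbers" case from the slides. Symlinks are skipped
# since their 777 mode is meaningless.
ww_snapshot() {
    find "$1" \( -type f -o -type d \) \
         \( -perm -002 -o -nouser -o -nogroup \) \
         -printf '%y %m %u %g %p\n' 2>/dev/null | LC_ALL=C sort
}

# ww_compare BASELINE ROOT
# Prints entries that appeared since the baseline as "+ ..." and entries that
# vanished as "- ...". Returns 0 when nothing changed, 1 otherwise.
# Sticky world-writeable directories such as /tmp are expected in the
# baseline; what matters is the diff.
ww_compare() {
    base="$1"; root="$2"
    cur=$(mktemp)
    ww_snapshot "$root" > "$cur"
    # comm -3: lines only in BASELINE (no tab) or only in the snapshot (tab)
    changes=$(LC_ALL=C comm -3 "$base" "$cur" |
        awk '/^\t/ { sub(/^\t/, ""); print "+ " $0; next } { print "- " $0 }')
    rm -f "$cur"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Stand-alone run on a constructed tree: one world-writeable directory,
# then a file that becomes world-writeable after the baseline was taken.
work=$(mktemp -d)
mkdir "$work/pub"; chmod 777 "$work/pub"
touch "$work/secret"; chmod 600 "$work/secret"
base=$(mktemp)
ww_snapshot "$work" > "$base"
chmod 666 "$work/secret"
ww_compare "$base" "$work" || echo "(changes found, as expected)"
rm -rf "$work" "$base"
```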
Special attributes
"lsattr" tells all
"chattr" to modify them
a (append only, set with "chattr +a"), useful for log files and preventing accidental deletion
i (immutable, set with "chattr +i"), good for preventing accidental damage to files
it won't keep attackers with root access from modifying files (root can clear the attribute again)
Ensuring file integrity
Attackers will modify files, so to detect attacks, and clean up the mess you need to know which files were modified
Attackers can easily reset the last accessed times on files, and using size as a check is not secure
File integrity software is needed
File Integrity software
Use cryptographic hash (checksum) algorithms such as MD5 or SHA1
Ability to store the database elsewhere (removable media such as a floppy)
To truly check the integrity you should boot off of read only removable media and run the tool from the same media against a known good database of file information
File integrity software (cont.)
Commercial packages such as Tripwire run on many platforms, good speed, ease of use and good reports, included with some Linux distributions.
Many good free packages such as SuSE auditdisk
http://www.tripwire.com/
http://www.tripwire.org/
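A minimal integrity checker in the spirit of the requirements above, as an added example (not from the slides and not Tripwire). It records a SHA-1 digest plus mode, owner, group and size and never relies on timestamps, so a change that keeps the file size is still caught.

```shell
#!/bin/sh
# Added example (not from the original slides, and not Tripwire): a minimal
# file integrity checker. The baseline records a SHA-1 digest plus mode,
# owner, group and size for every regular file, so a change that keeps the
# size (or resets timestamps) is still caught; atime/mtime are never used.
# Write the baseline to read-only media and run the check from a clean boot
# as the slides recommend. Needs GNU find and sha1sum.
# Usage: sh fim.sh baseline /etc > /mnt/floppy/etc.db
#        sh fim.sh verify /mnt/floppy/etc.db /etc

# fim_baseline ROOT -> lines of: sha1 mode owner group size path
fim_baseline() {
    find "$1" -type f -printf '%m %u %g %s %p\n' 2>/dev/null | LC_ALL=C sort -k5 |
    while IFS=' ' read -r mode owner group size path; do
        sum=$(sha1sum "$path" | cut -d' ' -f1)
        printf '%s %s %s %s %s %s\n' "$sum" "$mode" "$owner" "$group" "$size" "$path"
    done
}

# fim_verify BASELINE ROOT
# Prints "CHANGED path", "ADDED path" and "REMOVED path" lines, sorted.
# Returns 0 if the tree still matches the baseline, 1 otherwise.
fim_verify() {
    base="$1"; root="$2"
    cur=$(mktemp)
    fim_baseline "$root" > "$cur"
    result=$(awk '
        # path is everything after the five fixed fields (it may contain spaces)
        function pathof(l,   i) { for (i = 1; i <= 5; i++) sub(/^[^ ]+ /, "", l); return l }
        FILENAME == ARGV[1] { base[pathof($0)] = $0; next }
        {
            p = pathof($0); seen[p] = 1
            if (!(p in base))          print "ADDED   " p
            else if (base[p] != $0)    print "CHANGED " p
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$result" ] && return 0
    printf '%s\n' "$result"
    return 1
}

# command line front end; does nothing when sourced without arguments
case "${1:-}" in
    baseline) fim_baseline "$2" ;;
    verify)   fim_verify "$2" "$3" ;;
esac
```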
Backups
Always have backups, scheduling will depend on how often the data changes and how critical it is (I backup my working data once an hour, I don't backup the OS at all)
Offsite backups in a secured facility (bank deposit box) are critical
Verify that backups work, preferably on another machine
Backups (cont.)
There are many commercial and free backup programs for Linux that work on multiple platforms (see resource list)
My personal favorite for quick, automated, backups is tar, gzip and rsync (see resource section for code examples).
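The resource section with the code examples is not part of this page, so here is an added example (not the author's own script) of the tar+gzip part together with the verification step asked for above: list the archive, restore it into a scratch directory, and diff it against the source. The offsite hostname in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original slides): the tar+gzip half of a quick
# backup, with verification: the archive is listed, restored into a scratch
# directory and compared against the source tree. Ship the archive offsite
# afterwards, e.g. rsync -az "$archive" backup@offsite:/backups/
# (hostname is a placeholder).

# backup_tree SRC ARCHIVE  -> create ARCHIVE (.tar.gz) from directory SRC
backup_tree() {
    src="$1"; archive="$2"
    # -C keeps the stored paths relative, -p preserves permissions
    tar -C "$(dirname "$src")" -czpf "$archive" "$(basename "$src")"
}

# verify_backup SRC ARCHIVE
# 1. list the archive (a truncated or corrupt gzip fails here),
# 2. restore it into a fresh scratch directory,
# 3. diff the restored tree against SRC.
# Returns 0 only if all three succeed; prints the reason otherwise.
verify_backup() {
    src="$1"; archive="$2"
    scratch=$(mktemp -d)
    rc=1
    if ! tar -tzf "$archive" >/dev/null 2>&1; then
        echo "unreadable archive: $archive"
    elif ! tar -C "$scratch" -xzpf "$archive" 2>/dev/null; then
        echo "restore failed: $archive"
    elif ! diff -r "$src" "$scratch/$(basename "$src")" >/dev/null; then
        echo "restored tree differs from $src"
    else
        rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# hourly_backup SRC DESTDIR -> timestamped archive, removed again if it does
# not verify (a backup that will not restore only gives a false sense of
# safety). Prints the archive path on success. Run it from cron.
hourly_backup() {
    src="$1"; dest="$2"
    archive="$dest/$(basename "$src")-$(date +%Y%m%d-%H%M).tar.gz"
    if backup_tree "$src" "$archive" && verify_backup "$src" "$archive"; then
        echo "$archive"
        return 0
    fi
    rm -f "$archive"
    return 1
}
```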
Basic software security overview
Using package managers
Updating software
Basic software - using package managers overview
RPM - Red Hat Package Manager
dpkg - Debian Package
apt - front end for dpkg and now RPM
alien - conversion utility
Using Package managers - RPM overview
Querying packages
Installing packages
Updating packages
Removing packages
Building RPMS
Querying packages (RPM)
"-q package" to query the database of installed software
"-qp package.rpm" to query a package
"-qf /path/to/some/file" to query a file
Installing packages (RPM)
"-i package.rpm" to install
"--nodeps" to ignore dependencies
"--force" to force it
"--replacepkgs" install package even if already installed
"--oldpackage" install an older package over a new one (when upgrades go wrong for example)
Updating packages (RPM)
"-U" to update the package (will install new packages as well)
"-F" to freshen the packages (will not install new packages)
For example download all the updates and then run "rpm -F *.rpm" and wait.
Removing packages (RPM)
"-e" to erase (remove) the package
"--nodeps" to ignore the breaking of dependencies
Some packages have circular dependencies (like ghostscript and ghostscript-fonts), simply use "--nodeps"
Building packages (RPM)
get the source rpm (.src.rpm)
install the source rpm
"cd /usr/src/redhat/SPECS" and "rpm -ba packagename.spec"
To update the source code in the package simply drop a new tarball into /usr/src/redhat/SOURCES and tweak the spec file
Software - dpkg overview
Querying, installing and removing packages
Using dselect
Using apt-get
Building packages
Querying, installing and removing packages (dpkg)
"dpkg -i package.deb" - Install package.deb
"dpkg -I package.deb" - Lists info about package.deb (rpm -qpi)
"dpkg -c package.deb" - Lists all files in package.deb (rpm -qpl)
"dpkg -l" - Shows all installed packages
"dpkg -r package-name" - Removes 'package-name' from the system (as listed by dpkg -l)
Using dselect
text based front end, uses arrow keys to move
+/- to add or remove packages
handles dependencies, uses apt to install
interface takes a bit getting used to (demo)
Using apt-get
apt-get install package-name
apt-get dist-upgrade
apt-get update
apt-get upgrade
Building packages (dpkg)
http://www.debian.org/doc/packaging-manuals/packaging.html/index.html
files needed to build a package usually:
foo.diff.gz
foo.dsc
foo.orig.tar.gz
dpkg-repack will rebuild a debian package you have installed, including any changes (config files, patched binaries, etc.). Useful for creating updates and roll outs.
alien
converts package formats, not always correctly but is quite good, useful for getting at documentation in a package.
"-d file" convert the file to a debian package
"-r file" convert the file to an RPM package
"-t file" convert the file to a tarball
files stored in /var/cache/apt/archives
Basic software - updating software
Software updates should be automated as much as possible
Most network intrusions occur through old software with known holes (the DDoS attacks of February 2000 on major sites for example)
Updating RPMs
Updating debian packages
Software - vendor tools
Red Hat update agent - up2date, Red Hat network
http://www.redhat.com/support/manuals/RHNetwork/ref-guide/
Caldera Volution
Mandrake
SuSE
Software - updating RPMs
AutoRPM and Rhlupdate require Perl and the Net::FTP module, best to use with an internal FTP server (quicker too)
On internal networks you might also choose to "push" updates by executing commands remotely (via SSH or NSH) such as "rpm -Uvh ftp://your.server/package.rpm", or via nfs mounts
Software - updating debian packages
with dpkg and apt simply have a script run that executes:
"apt-get update"
"apt-get upgrade"
On internal networks you might also choose to "push" updates by executing commands remotely (via SSH or NSH) and provide the files via nfs mounts
Basic network security
Minimize privilege and access
Network services
Minimize privilege and access
Most network daemons will run as a non root user
Most network daemons can run in a chrooted environment
Tools like subdomain will allow for fine grained access control.
Basic network security - services overview
Find out what is installed with rpm or dpkg and remove unnecessary components
Find out what is running
Disabling services in inetd
Disabling services in xinetd
Disabling stand alone daemons
Find out what is running
"ps -xau" will list all processes, look for names of network services like "named" or "dhcpd"
"netstat -at" gives a nice listing of all tcp services running (run with -n to get numbers instead of names)
"netstat -a" lists everything, including udp services
"lsof" lists all open files, use "lsof | egrep '(tcp|udp)'" (depending on lsof version tcp and udp may be capitalized, so "egrep -i" is safer)
Disabling services in inetd
/etc/inetd.conf controls services run via inetd (the superserver)
Simply comment out lines to disable the service
restart inetd with a "killall -HUP inetd" to make it reread its config file or the appropriate rc script
Disabling services in xinetd
typically /etc/xinetd.d/ holds service files
delete the file, or set the "disable" attribute in the service entry to "yes"
restart xinetd with a "killall -HUP xinetd" to make it reread its config file or the appropriate rc script
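The inetd and xinetd steps above as a script, an added example that is not from the original slides. The functions work on whatever file paths they are given, so they can be tried on copies; the sample inetd.conf and xinetd entry are constructed.

```shell
#!/bin/sh
# Added example (not from the original slides): disable a service in an
# inetd.conf (comment the line out) and in an xinetd service file
# (disable = yes), then signal the superserver to reread its configuration.

# inetd_disable CONF SERVICE -> comment out every active line for SERVICE
inetd_disable() {
    conf="$1"; svc="$2"
    tmp=$(mktemp)
    # only lines whose first field is the service name; comments untouched.
    # writing back with cat keeps the file's owner and mode.
    awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# xinetd_disable FILE -> "disable = yes" inside the service block, replacing
# an existing disable line or adding one before the closing brace
xinetd_disable() {
    f="$1"
    tmp=$(mktemp)
    awk '
        /^[[:space:]]*disable[[:space:]]*=/ { print "    disable = yes"; done = 1; next }
        /^[[:space:]]*}/ && !done           { print "    disable = yes"; done = 1 }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# xinetd_is_disabled FILE -> 0 if the service is disabled
xinetd_is_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# inetd_is_active CONF SERVICE -> 0 if an uncommented line still starts it
inetd_is_active() {
    awk -v svc="$2" '$1 == svc { found = 1 } END { exit !found }' "$1"
}

# reload_superserver NAME -> the slides' "killall -HUP inetd|xinetd"
reload_superserver() {
    killall -HUP "$1" 2>/dev/null || echo "$1 is not running, nothing to reload"
}

# Constructed sample files for a stand-alone run.
write_samples() {
    cat > "$1" <<'EOF'
# inetd.conf sample (constructed)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
EOF
    cat > "$2" <<'EOF'
service telnet
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    disable     = no
}
EOF
}

ic=$(mktemp); xs=$(mktemp)
write_samples "$ic" "$xs"
inetd_disable "$ic" telnet
xinetd_disable "$xs"
echo "--- inetd.conf after:"; cat "$ic"
echo "--- xinetd entry after:"; cat "$xs"
rm -f "$ic" "$xs"
```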
Disabling stand alone daemons
stand alone daemons are run from /etc/rc.d/ typically
in Red Hat you can use chkconfig to stop and start services at boot time, or you can manually edit the symbolic links that control things
Other hiding places might be in rc.local, or exist as cron entries
Remote and local administration tools
Local administrative tools
Remote administrative tools
Remote shell access
Secure root access
Secure root access - sudo
Administration - local tools
These are useful for small environments, larger environments tend to need network based tools
YaST for SuSE, text based, relatively friendly, has a GUI
Linuxconf, text and X interfaces
Administration - remote tools
Linuxconf, has a web based interface but this must be configured from the GUI, ships with most distributions - http://www.solucorp.qc.ca/linuxconf/
Webmin, supports SSL easily, many modules available - http://www.webmin.org/
Pikt is a network based administrative tool with its own control language - http://pikt.uchicago.edu/pikt/
Administration - remote shell access
OpenSSH is free and easy to use, ships with most distributions now - http://www.openssh.com/
NSH is a commercial product, runs on UNIX and NT, very easy to use, has a Perl module to make scripting easy. Authentication and sessions are encrypted, authentication can be done via keys (to help automate things).
Secure root access
su is a bad idea since you need to give out root's password
sudo allows for control of who can access it, what they can access, and from where, ships with most distributions
super also allows for easy control of access and ships with Debian
runas supports a nice logging feature and you can disable command line options
Secure root access - sudo
/etc/sudoers should be mode 440
bob ALL=(ALL) ALL
Host_Alias STATIONS=localhost, station1, station2
User_Alias HALTUSERS=bob, mary, jane
Cmnd_Alias HALT=halt, reboot, sync
Runas_Alias RBTUSER=admin
HALTUSERS STATIONS=(RBTUSER) HALT
Break for questions
Specific protocol security
DNS
DHCP
SMTP
POP/IMAP
SSL
HTTP/HTTPS
FTP
Protocols - DNS overview
Basics
Server types
Data
names to numbers - public / internal
numbers to name - public / internal
Bind
DNS basics
Domain name system, critical part of Internet infrastructure
If it is compromised, an attacker can reroute e-mail and most other services to hosts under their control
DNS also serves as a phone directory of your hosts and is useful for initial security probes
DNS servers are critical and should run no other services
DNS server types
Two main server types:
servers that provide DNS information to the Internet
servers that provide DNS lookups for internal hosts
You can easily have a server do both, but this makes it more vulnerable to attacks
Majority of DNS servers run BIND
DNS data
Names to numbers
"Public" zones such as *.seifried.org
"Internal" zones such as *.secret.seifried.org
Numbers to names
"Public" zones such as 1.2.3.*
"Internal" zones such as 10.0.0.*
DNS names to numbers - public zones
Anyone can query usually
Restricted access to zone transfers
Updates (i.e. dynamic DNS) usually not allowed
Attackers will try to transfer the zone, log this action, and attackers may try brute force queries, if you have sufficient disk space consider logging all queries
DNS names to numbers - internal zones
Restricted to internal hosts for querying
Heavily restricted zone transfers
Updates (i.e. dynamic DNS) might be allowed
Attackers will definitely try to transfer or query these, log all failed attempts
DNS numbers to names - public zones
Anyone can query usually
Restricted access to zone transfers
Updates (i.e. dynamic DNS) usually not allowed
Attackers will try to transfer the zone, log this action, and attackers may try brute force queries, if you have sufficient disk space consider logging all queries
DNS numbers to names - internal zones
Restricted to internal hosts for querying
Heavily restricted zone transfers
Updates (i.e. dynamic DNS) might be allowed
Attackers will definitely try to transfer or query these, log all failed attempts
DNS - Bind overview
Software security
Server version
named.conf - intro / ACLs / views
Bind 9 - DNSSEC
BIND software security
Run the latest Bind software
Run as a non root user / group
"-u username"
"-g groupname"
Run chrooted "-t /directory/to/chroot/to"
Modify the named start script to add these options (/etc/rc.d/init.d/named)
Bind server version
Clients can query the Bind software version remotely; this matters because several holes in older versions of Bind allow root access.
Create a chaos zone called "bind", restrict access to it to the local machine and log all attempts to query it, or use the "version" statement in the options section:
version "0.0.1";
Bind named.conf - intro
Configuration file for Bind version 8
You control all aspects of Bind from this file (memory usage, file placement, etc.)
Each domain can be handled separately
You can use include statements (handy if you have multiple admins)
/usr/doc/bind-8.x.x/html/config.html
Bind named.conf - ACLs
You can create one or multiple ACL lists, they must go at the top of the file (otherwise Bind might complain that they do not exist)
You can apply ACLs to all types of access:
allow-query (ask for specific records)
allow-update (actually modify zone data)
allow-transfer (ask for the entire zone)
Bind named.conf - ACLs (cont.)
ACLs can be applied on a server wide basis by putting them in the "options" declaration
ACLs can be applied to specific zones and override the server wide ones
ACLs can have hostnames, IPs, network addresses, and there are several built in ones (localhost, localnets, etc.)
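A named.conf that applies the points above (ACLs declared first, a server-wide no-transfer default overridden per zone, the version answer, logging of refused requests, transfers and queries), as an added example that is not from the original slides. Addresses and zone names are placeholders; named_conf_check uses named-checkconf when BIND 9 is installed and otherwise only checks that the braces balance.

```shell
#!/bin/sh
# Added example (not from the original slides): a named.conf for a server
# that hosts one public and one internal zone. Addresses and zone names are
# placeholders. BIND 8 users can put the same "version" and ACL statements
# in their file; the chaos-zone trick from the slides is the alternative.

# write_named_conf FILE
write_named_conf() {
    cat > "$1" <<'EOF'
// ACLs first: they must exist before any options or zone refers to them
acl "internal"    { 127.0.0.1; 10.0.0.0/8; };
acl "secondaries" { 192.0.2.2; };     // placeholder secondary server

options {
    directory "/var/named";
    version "0.0.1";                  // what version.bind queries will see
    allow-query     { any; };
    allow-transfer  { none; };        // server-wide default, zones override
    allow-recursion { internal; };    // outsiders only get our own zones
};

logging {
    channel sec_log { file "security.log" versions 5 size 10m; severity info; print-time yes; };
    channel qry_log { file "queries.log" versions 5 size 50m; severity info; print-time yes; };
    category security { sec_log; };   // refused queries and transfers
    category xfer-out { sec_log; };   // who pulled a zone
    category queries  { qry_log; };   // everything, only if disk space allows
};

// public zone: anyone may query, only our secondaries may transfer
zone "example.org" {
    type master;
    file "example.org.zone";
    allow-transfer { secondaries; };
    allow-update   { none; };
};

// internal zone: only internal hosts may even query it
zone "secret.example.org" {
    type master;
    file "secret.example.org.zone";
    allow-query    { internal; };
    allow-transfer { none; };
    allow-update   { internal; };     // dynamic DNS from inside only, if needed
};
EOF
}

# braces_balanced FILE -> 0 if every { outside a // comment has a matching }
braces_balanced() {
    awk '
        { sub(/\/\/.*/, "") }                                  # strip // comments
        { depth += split($0, a, "{") - split($0, b, "}") }
        depth < 0 { bad = 1 }
        END { exit (bad || depth != 0) }
    ' "$1"
}

# named_conf_check FILE -> full syntax check with BIND 9 when available,
# otherwise the brace check only
named_conf_check() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        braces_balanced "$1"
    fi
}

# Stand-alone run: write the sample to a temp file and check it.
conf=$(mktemp)
write_named_conf "$conf"
if named_conf_check "$conf"; then echo "named.conf OK"; else echo "named.conf FAILED"; fi
rm -f "$conf"
```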
Bind 9 - DNSSEC
drawbacks: CPU overhead, space requirements rise enormously, all servers must be secure
generate keys with dnssec-keygen
generate request with dnssec-makekeyset
sign keys with dnssec-signkey
sign zones with dnssec-signzone
ultimately used to secure DNS and provide public key infrastructure, please store signing keys offline!
Protocols - DHCP overview
Allows for easy control of client machines
Client issues
Server issues
DHCP client
Client runs as root, no easy way to change, it must modify network settings, /etc/resolv.conf, etc.
Can be a choke-point, consider having multiple servers in case one fails
No authentication of server data currently
Rogue servers can also be a problem, imagine if one set the DNS servers to those controlled by an attacker and rerouted email for example, check log files on clients and servers
ISC dhcpcd and pump are your main choices
DHCP server
Firewall at all network access points (forwarding DHCP requests across the Internet would be slow and unreliable in any case)
Rogue clients can exhaust the address pool space (sometimes unintentionally, such as NT RAS server), consider using static mappings for clients instead of pools
dhcp+paranoia patch http://users.phri.nyu.edu/~edelkind/custom/public/patches/dhcp-2.0+paranoia.patch
Protocols - SMTP overview
Basics
Server design
Sendmail
Postfix
SMTP basics
Transfers mail from client to server and server to other servers
No authentication or encryption by default on most systems
Most common problem is other people using your mail server to relay email (typically bulk SPAM)
Sendmail is the most popular MTA, Postfix is growing
Server design
Users deliver mail to server via SMTP
Servers can accept mail for local delivery (users access via POP/IMAP) or deliver to other servers via SMTP
You may want separate server(s) for each function, since each configuration can then be tightened significantly
SMTP - Sendmail overview
basics
new security
relaying
access
http://www.sendmail.org/
http://www.sendmail.net/
http://www.sendmail.com/
Sendmail basics
Current release is 8.11.x
Commercial versions available from sendmail.com with support and a GUI
Default MTA (Mail Transfer Agent) for many Linux distributions
Runs as root, and is difficult to chroot and run as a non root user
Pre-compiled packages have most needed features
Sendmail - new security
Allows users to authenticate to the server securely and then use it to send email
Uses Cyrus SASL, most mail clients supported
content management API
interact with data, virus scanners, block objectionable content, encrypt outgoing mail, etc.
Sendmail - relaying
You can control the domains you will relay email to, and the hosts that can connect and relay email through your server
To control access for relaying to domains find the line starting with "FR-o" in /etc/sendmail.cf, followed by a blank or a filename:
"FR-o /etc/mail/relay-domains"
put domains you wish to relay to in this file
Sendmail - access
This function is useful for stopping spammers
You can control access to the mail server based on hostnames, IP addresses, domains and email addresses (README.cf):
10.0.0 RELAY
10.2.0.1 OK
[email protected] REJECT
mail.example.org DISCARD
Sendmail - access (cont.)
Look for a line in sendmail.cf starting with Kaccess
Kaccess hash -o /etc/mail/access
Then create a text file with your rules and turn it into a db file (of the hash type):
"makemap hash access.db < access"
restart sendmail
SMTP - Postfix overview
basics
relaying
access
http://www.postfix.org/
Postfix basics
Written by Wietse Venema (author of TCP_WRAPPERS)
Designed to be secure and fast
Supports databases for configuration files
Runs mostly as a non root user, easy to chroot
Primary configuration file about 20-26 lines
Postfix relaying
You can control the domains you will relay email to, and the hosts that can connect and relay email through your server
in /etc/postfix/main.cf look for the line starting with "relay_domains"
"relay_domains = /etc/postfix/relaydomains"
put domains you wish to relay to in this file
Postfix access
This function is useful for stopping spammers
You can control access to the mail server based on hostnames, IP addresses, domains and email addresses (access.5.html):
10.0.0 OK
10.2.0.1 OK
baduser@ REJECT
mail.example.org REJECT
Postfix access (cont.)
The access table can be used for several checks (and you can use multiple access tables)
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/access
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access
You can also chain the checks (separate with commas)
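The relaying and access settings above as files, plus a small offline model of the access(5) lookup order so the table can be tried without a running Postfix. This is an added example, not Postfix's own code or the slides'; the table entries are the constructed ones from the slides. One edge case it addresses: Postfix keeps only the last assignment of a parameter, so the two checks must be chained on a single smtpd_recipient_restrictions line, and reject_unauth_destination must be in that chain or the server relays for anyone.

```shell
#!/bin/sh
# Added example (not from the original slides, and not Postfix's own code).
# relay_domains and smtpd_recipient_restrictions are main.cf parameters.

write_postfix_access() {
    cat > "$1" <<'EOF'
# client IP/network, hostname/domain, or user@, domain or user@domain
# (constructed sample). Run "postmap hash:/etc/postfix/access" after editing.
10.0.0            OK
10.2.0.1          OK
baduser@          REJECT
mail.example.org  REJECT
EOF
}

write_postfix_main() {
    cat > "$1" <<'EOF'
relay_domains = /etc/postfix/relaydomains
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/access,
    check_recipient_access hash:/etc/postfix/access,
    reject_unauth_destination
EOF
}

# access_lookup TABLE KEY -> prints the action for KEY, or DUNNO if nothing
# matches. KEY is user@domain, an IPv4 address or a hostname; candidates are
# tried in the order access(5) describes: the full key, then the domain and
# its parent domains (or shorter network prefixes), then "user@".
access_lookup() {
    awk -v key="$2" '
        !/^[[:space:]]*(#|$)/ { act[$1] = $2 }        # "pattern action" lines
        function add_parents(d) {                      # d, then its parent domains
            while (d != "") {
                cand[++n] = d
                if (index(d, ".") == 0) break
                d = substr(d, index(d, ".") + 1)
            }
        }
        function add_prefixes(a,   i) {               # a, then shorter net prefixes
            while (a != "") {
                cand[++n] = a
                i = match(a, /\.[0-9]+$/)
                if (i == 0) break
                a = substr(a, 1, i - 1)
            }
        }
        END {
            n = 0
            if (key ~ /@/) {
                split(key, kp, "@")
                cand[++n] = key
                add_parents(kp[2])
                cand[++n] = kp[1] "@"
            } else if (key ~ /^[0-9.]+$/) {
                add_prefixes(key)
            } else {
                add_parents(key)
            }
            for (i = 1; i <= n; i++) if (cand[i] in act) { print act[cand[i]]; exit }
            print "DUNNO"
        }' "$1"
}

# Stand-alone run against the constructed table.
t=$(mktemp)
write_postfix_access "$t"
for k in 10.0.0.5 relay.mail.example.org baduser@anywhere.net gooduser@anywhere.net; do
    echo "$k -> $(access_lookup "$t" "$k")"
done
rm -f "$t"
```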
Protocols - POP/IMAP overview
basics
POP
IMAP
security
SSL wrapping
POP/IMAP basics
Post Office Protocol (relatively simple)
good for a single user and easier on the server
Internet Message Access Protocol (relatively complicated)
good for users checking email from multiple locations, stores mail on server
Both allow users to retrieve and delete email messages; IMAP additionally lets them manage their mailboxes on the server
POP
You can login, LIST, RETR and DELE messages (basically).
Inbox is stored on server, all other mail is stored on the clients machine
User does not require a directory or write access to any directories on the server
IMAP
You can login, list messages, retrieve the headers, retrieve the bodies, delete them, move them to folders, upload messages to folders, and more
Inbox and other folders are stored on server
User requires a directory with write access on the server (some IMAP servers store it in a database)
POP/IMAP - security
POP/IMAP generally start as root and then switch to the user id logging in
POP/IMAP are generally difficult to chroot
By default usernames and passwords are passed in cleartext
By default email is passed around in cleartext
POP/IMAP - SSL wrapping
Install OpenSSL
Install stunnel, create certificate, reconfigure inetd.conf and restart inetd
On the client end choose "requires an SSL connection" (note: Netscape does not support SSL POP, only IMAP)
Consider disabling normal POP/IMAP
Server CPU usage will rise dramatically
Protocols - SSL overview
Installing OpenSSL
Install stunnel
Caveats
SSL - Installing OpenSSL
Source code available, and precompiled packages.
Use RSAREF in the US, however you cannot use it for any revenue generating activities (Universities charge, indirectly, for network access which restricts them for example).
RSAREF is slow and key size is limited
http://www.openssl.org/
SSL - Installing stunnel
Source code available, and precompiled packages
Create a server certificate
create a working stunnel.cnf
create a self signed certificate as /usr/certs/stunnel.pem
edit inetd.conf and restart it
http://www.stunnel.org/
SSL - Caveats
All connections will appear from localhost since stunnel handles the actual connection and acts as a tunnel
stunnel will log the connection, however the associated login to IMAP will have to be inferred by time, process number, etc.
CPU usage will increase a lot (you may want to restrict access to remote users/etc)
Protocols - HTTP/HTTPS overview
basics
Apache
Not Apache
HTTPS considerations
CGI considerations
HTTP/HTTPS basics
Two main families of HTTP/HTTPS servers:
Apache based
Not Apache based (i.e. Roxen, Zeus, Netscape)
Most security problems are not with the www server software, but usually with CGI scripts and user supplied data
Most www servers run as a non root user, and can be chrooted easily
Apache
Runs as user "nobody" by default
Several Apache-SSL servers available, and several add on SSL packages
CGIs can be run as an arbitrary user (suEXEC)
Precompiled packages ship with almost all distributions
http://www.apache.org/
Not Apache
Zeus - many security features, not free
Roxen - OpenSource and free, feature complete
Netscape - ease of use, very fine control, not free
Zeus and Roxen both respond quickly to problems
HTTPS considerations
SSL allows the server to prove its identity to the client, and optionally the client can prove its identity to the server
Server key is stored in memory, and it is possible for an attacker with local administrative access to extract it
Attackers can register a similar domain name and easily trick users into using it
One IP per SSL site required
http://www.apache-ssl.org/
CGI considerations
Don't trust input, sanitize and validate it
Give CGIs minimal permissions and access (see SubDomain and chroot)
Audit CGI scripts for problems and holes
Use Perl taint and strict
Use access controls on your database, many recent exploits involved improper database permissions
Protocols - FTP overview
basics
Wu-FTPD
ProFTPD
FTP basics
difficult to firewall properly
cleartext authentication usually
SSL versions of FTP and services available, but few clients support them
Rsync recommended over ftp for synchronizing servers
SCP (from SSH) recommended for user access
Wu-FTPD
Numerous security flaws, not recommended
Relatively easy to configure for simple setups, complicated setups are difficult (if not impossible)
Security is achieved by chrooting, previous versions had numerous problems, make sure you are up to date
Pro-FTPD
Slightly more resource intensive than Wu-FTPD, but used by many large sites (Debian, SourceForge, etc.)
Easier configuration than Wu-FTPD, uses an Apache style configuration file
Supports virtual ftp servers
Easy to chroot users, does not require /etc, /lib, /bin directories replicated into each sub area
Pro-FTPD (cont.)
Allows controlled access to directories:
AllowOverwrite
Read, Write, etc
You do not need to rely on file permissions to secure directories
Users can have their own configuration files in directories
Numerous security related configuration directives
Firewalls and VPNs overview
IPCHAINS
Netfilter
Firewall-1
IPSec
SSH + PPP
Firewalling - IPCHAINS
Currently in kernel release 2.2.x
Not stateful, firewalling protocols like DNS and FTP can be tricky
Supports NAT, IPSec
Upgrade to 2.4 and NETFILTER if possible
Firewalling - Netfilter
Currently in kernel release 2.4.x
Stateful, easier to firewall protocols like DNS and FTP
Supports NAT, IPSec, MAC filtering, limiting
http://netfilter.kernelnotes.org/
logging
interesting options
Logging
--log-level
--log-prefix
--log-tcp-sequence [caution]
--log-tcp-options
--log-ip-options
Interesting options
-i (in interface)
-o (out interface)
--mac-source 00:00:00:00:00:00
-m limit --limit 5/hour (limit to 5 matches per hour)
-m state --state NEW
-f (packet fragments)
unclean (mangled packets)
--set-tos (set type of service)
Firewalling FW-1
Stateful filtering, good anti-attack features
Has add-on VPN software
Configuration tool only available for Windows currently
Good authentication mechanism
Supports NAT, IPSec
http://checkpoint.com/products/firewall-1/
VPN - FreeS/WAN IPSec
Supports 3DES, does not officially support DES
Interoperability with most other IPSec products (Cisco, PGP, etc.)
GPL licensed (free as in free beer and free speech)
Still in development, suitable for static networks, has management issues
Linux does not support many crypto accelerators (unlike OpenBSD)
http://freeswan.org/
VPN - SSH + PPP
OpenSSH, PPP tools are all free
Useful for tunneling through firewalls
Relatively system independent
Tools to ease setup and maintenance exist
Not recommended for heavy VPN requirements / usage
http://linuxdoc.org/HOWTO/VPN-HOWTO.html
Hardening scripts overview
Vendor specific scripts
SuSE's "harden SuSE"
Bastille Linux
Supports Red Hat, several other RPM based distributions
Provides quick fixes for some common problems, but is not a solution
Be careful, check that the system is hardened
http://bastille-linux.org/
Limiting users overview
General notes
PAM
Bash
Tcsh
Pdksh
Zsh
General notes
Make sure you do not accidentally limit the root account, or other administrative and system accounts, too heavily (you may end up "locked out")
Most limits can be worked around by a savvy attacker; their main value is preventing normal / honest users from making mistakes
PAM
Typically most effective way of limiting user login sessions
require "pam_limits.so" for sshd, etc.
edit /etc/security/limits.conf
define by user, group, or default
soft and hard limits
core files, memory usage, stack size, cpu usage, maximum number of logins, etc.
sysadminmag.com/archive/0909/feature.shtml
BASH
Only effective if user cannot change login shell
use ulimit, typically in /etc/profile to apply to all users
soft and hard limits
core files, files, cpu usage, memory usage, etc.
use ulimit in ~/.bash_profile and set the file immutable (chattr +i) as root
Tcsh
Only effective if user cannot change login shell
use limit, typically in /etc/csh.login
hard limits
core files, memory usage, cpu usage, etc.
use limit in ~/.tcshrc and set the file immutable (chattr +i) as root
Pdksh
Only effective if user cannot change login shell
use ulimit, typically in /etc/profile to apply to all users
soft and hard limits
core files, files, cpu usage, memory usage, etc.
use ulimit in ~/.profile and set the file immutable (chattr +i) as root
Zsh
Only effective if user cannot change login shell
use limit, typically in /etc/zprofile
soft and hard limits
core files, memory usage, cpu usage, etc.
use limit in ~/.zprofile and set the file immutable (chattr +i) as root
Advanced security overview
Openwall kernel patch (Solar Designer's patch)
StackGuard
FormatGuard
SubDomain
Chroot techniques / tools
Fuzz
ITS4
Openwall kernel patch (Solar Designer's patch)
Non-executable user stack area
Restricted links and FIFOs in /tmp
Restricted /proc
Special handling of fd 0, 1, and 2
http://www.openwall.com/linux/
StackGuard
Compiler patch to create libraries/programs that are resistant (or immune) to buffer overflow attacks
Available for most versions of gcc
Most useful for programs invoked by untrusted entities (users, web based applications, etc.)
http://immunix.org/stackguard.html
FormatGuard
Patches library for certain system calls
Prevents format string attacks (discovered last summer, Wu-FTPD, syslog, etc.)
Publicly available
http://immunix.org/formatguard.html
SubDomain
Lets you restrict access to files on a process by process basis
Check signatures of files and can be used to minimize the chances of trojan code (like a real time Tripwire)
mediates via system calls, should be difficult for attackers to circumvent
http://immunix.org/subdomain.html
Chroot techniques / tools
Chroot restricts access to the filesystem
If software is running as root it can break out of a chrooted environment
ldd is useful for finding required libraries
rpm and dpkg installs can be relocated, making populating the chroot environment easier
Fuzz
Black box testing tool
Fuzz tests for buffer overflows by pounding a program with random input to see if it dies
Useful for testing third party, proprietary software
Automated tool, easy to scan all the binaries on a system (time consuming however)
http://fuzz.sourceforge.net/
ITS4
White box testing tool (clear box?)
Scans C and C++ code for buffer overflows and other nasty problems
Can be used in UNIX or Windows (requires CygWin which is free)
http://www.cigital.com/its4/
NSA Security Enhanced Linux
GPL licensed, freely available, steep learning curve
provides security policies, type enforcement, etc.
http://www.nsa.gov/selinux/
Summary
Safe computing practices:
Keep software up to date
Do not run foreign code
Make backups, keep a set off site, this includes OS installation media
Security in depth
Have systems fail close instead of open
Summary (cont.)
Have a written security policy and abide by it, make sure people can get a copy to read
Involve users in security, teach them why it matters, listen to them
Subscribe to mailing lists, the bad guys do
Keep things in perspective
Dont panic
Reference URLs
Recommended books
Running Linux
Linux Network Administrators Guide
Process of network security
Secrets and lies
Last updated 3/24/2002
Copyright Kurt Seifried 2002