hardening *nix: msg#00069 user-groups.foss.nepal
Guys.... this was something I wrote/compiled a year ago. It was my attempt to write a walkthrough on hardening *nix systems, comparing it in parallel to Windows. Later some better things drew my attention instead (learning, more learning ;0) so.... I quit writing it in the middle. Here is the copy/paste of my scratch pad from then...... it's a random note and uncensored since then. Deal with it. But it should be a mine of information for many. Anyone with free time? Consider continuing it! (O:
__________________________________________________________________________________________
Default installation & software upgrades are not enough! The article is aimed at those people who have a fair knowledge of the technology. This article just aims to scratch the surface of everything............. maybe a quick flashback to your knowledge.
Let's start with the obvious... basics: """""""" # Obviously, the default installation doesn't come with a virus/spyware/Trojan scanner. If your PC isn't a single-user OS, there is even a likelihood of malware, Trojans, spyware running with user privileges... or worse, a rootkit.
<.../>
"""""""" # Regardless of the OS its always better to encrypt your sensitive files and "shear" (not: rm/del) temp files & clean it periodically. Many program create unsecure temp files so its better to create seprate temp folders for every users with file/disk quota limit set to them. You can specify unique temp folder location for every user on '/etc/profile.d' or with "SET" command in windows. Try:
Windows: cipher.exe /? *NIX: shred –-help
wipe free.slack space +defrag......
<.../>
--- # It's always better to run system backups of your documents and important files periodically. It's quick to append new files to your backup in a secure location "via a secure tunnel".
*nix: use a "cron job" to schedule a periodic backup and "tar" to archive the files. It's always advisable to run scheduled tasks at the time when there is the least system load. Windows: ntbackup.exe has all... you need.
<.../>
"""""""" # Set a Harden firewall rules... Depending on your server/OS. Set strict firewall rules to filter out all unnecessary inbound/outbound traffic. Make sure Port scan, Banner grabbing, OS fingerprinting (counter mearures: http://ippersonality.sourceforge.net) doesn't leak sensitive info. to the outer world. Though, this may not stop a willing intruder but... may* buy you some valuable time to spot an willing intruder or patch-up vulnerable service in time. Moreover, check for easy Connection hijack etc... in your LAN. Detect ARP Spoofing & Man in the middle attack when possible. Set your firewall( iptables) rules to map a ip to its MAC address and set firewall rules based on IP+SYSTEM MAC for local access in your trusted network and discard the rest. This will add an extra level of security. You may even want to disable the whole 'inetnum' of online services like www.netcraft.com
<.../>
"""""""" # There might be SYSTEM services, & software module that you may not be using. ONLY ENABLE THOSE SERVICES WHAT YOU USE. Disabling those will always reduce probability of a successful intrusion.
<.../>
"""""""" Does your WAP/ Bluetooth devices... wireless keyboard/mouse support authentication & encryption.? <.../>
"""""""" # Log system events. and don't fear to keep/monitor necessary noise. Its better to mirror "system log" in a remote location. Make sure you monitor and secure LOGS/events generated from softwares & daemons as well... in a clean manner.
*nix: /etc/syslog.conf /* set the parameters: *.* "Server's_ip" */
Windows: http://ntsyslog.sourceforge.net/ in windows secpol.msc <---to set sec. policy and manage... eventvwr.msc Make sure your system logs won't be disrupted in DoS and critical system errors... situation or be fussed away or you run out of disk space!
manage internal network & external network.... you don't want a external intruder jump in your network through internal/local proxy!
<.../>
"""""""" # Auth. network traffic (SSH tunnel, KEYBROS, one-time passwd etc... ) Remember IP based auth. can always be fooled. Use IDS: (Snort) Use Tripwire like tools. Monitor system file hashes, startup dir/scripts, software & security configuration files & sensative registry keys etc.
Regularly monitor/log system performance & look for any suspicious packets that come & leave your system. Compare the IDS log with both inside & outside your firewall. Monitor your system performance. perfmon.msc mrtg, snmp, ps -aux etc http://www.nagios.org. How about using load balancing/clustering as well.... Create a profile of your system/network activity… this will help you spot the unusual.
If you have to test a software, run third-party code etc...... its ALWAYS better, easy & FLEXIBLE to run it in "VIRTUAL MACHINE" (vmware?)
Its better to run only 1 listening service (network service) per computer.... Make sure you have "unique" passwords in every system. Make sure… disruption / compromise in one system won't propagate or affect... rest of the network. DECENTRALIZATION!?
<.../>
"""""""" In the internet jungle I'd say... only "unique systems survives longer" Check if you could be another victim of spam, bandwidth rape, DoS, misuse of your network resources etc... Use search engines, online directories, telephone index etc... & try monitor/check the information that's flowing outside.
Try reducing your probably of being attacked by buffer overflow. google: stack guard, lib safe, grsecurity.net, se-linux etc…
Make sure you won't be another victim of fork bombs, MEM & I/O exhaust attacks. Use QoS for system bandwidth.
*nix: 'ulimit -a' or use PAM modules.
<.../>
"""""""" Theory of least privilege always helps. You may not wanna run "system services" as root... instead create a seprate jail account each services when possible. Make sure these services don't queue a long list of jobs. You may wany to deny all connection attempts for [x]inetd, and TCP Wrappers services. Check... what, level of system resources/information that local users have access to. For un trusted users its always better to create a jail environment. It isn't stupid change default paths... disable the right to schedule tasks (CRON JOBS) for users... For users you may even wanna disable perl, gcc and many other... system executables that are unnecessary for users. You don't wanna see your machine get 0wn3d by a malicious user compiling a code locally via gcc, do you? Keep track of SUID/SGID programs... Make sure users have write access to only limited directories. Its better to statically compile the modules you need in your kernel and disable the further add of modules "in linux kernel" or via WINDOWS REGISTRY.... Did you ever consider about boot security, encypted file system, bios passwords, and disable autorun on removal medias? # Disable telnet and use only the ssh2 protocol to remotely logon to systems. # Disable direct root login. # Tranfer files via sftp or scp.
<.../>
"""""""" # Poor file permission may lead to leak of sensitive information. Executables could be overwritten by a malicious one. Only share what you have to... Even "r" permission to sensitive files could prove harmful. I suggest, at times its even better to change the file permission of all system executables to "r-only" (bye…bye virus… you gotta be little tricky now )
Windows: cacls.EXE *.(executable extension) /T /C /P Everyone:R
In Windows make sure unprivileged users don't have permission to write to system (variable) paths, like c:\, %windir% etc...
Threat?: if you/a program don't provide the absolute path to run programs... Internet Explorer, say: start > run > "C:\Program Files\Internet Explorer\iexplore.exe"; instead just try start > run > "~path\iexplore"; then first... the system tries searching for and executing 'program.exe' in c:\, then 'internet.exe' in C:\Program Files, and only then finds and executes "C:\Program Files\Internet Explorer\iexplore.exe". This is a design flaw... in Windows and could be misused. Try keeping an executable named "Program.exe" in c:\. You don't have to wait very long before it surprisingly gets automatically executed by other programs. System-wide vars. in order of priority from left to right: Path: %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem PATHEXT: .COM;.EXE;.BAT;.CMD ..................
It's always better to implement a software restriction policy (path rule)... (via: gpedit.msc) on "Temporary Internet Files", c:\*, "removable media" etc...
In *nix you can secure insecure mount points via (say): /dev/hdd1  /tmp  ext3  defaults,noexec,nosuid,nodev
Better... to do '/home', /var/tmp as well. Don't forget /dev/shm too, or wherever your OS happens to mount it......
<.../>
failover servers, disk..... clustering, load-balancing (HPC etc....)
If you have a high-traffic site, things like hosting pics & text & files on separate servers is brainy!
In the internal network... I prefer locking down all ports except the ones needed.... I use my internal GATEWAY as a hub for firewall/router... by sectioning the network (but make sure there is no bottleneck as all traffic goes through it). Use l7-filter for stateful packet analysis (not just barebones) but you must separately have another internal/external firewall........ this will just serve as first aid for some time if there is a local breach.
DEFENCE IN DEPTH etc....
Too many services in one system is harmful..... try chroot with a separate user for every service. Install rootkit hunter & chkrootkit,
install mod_security,
bandwidth management, resource allocation...... DoS, local adware, spyware, worm detection? Rootkit Hunter
IPS? SELinux
Turn off services you don't need & program features to the least possible.
You could also use some host-based IDS or log analysis tool to improve the detection capabilities there. I suggest OSSEC HIDS (www.ossec.net/hids/), because it does log analysis and integrity checking together (in addition to having a nice correlation engine and a nice notification tool), but I'm suspicious to talk about it :).
I also have AIDE and Snort setup on this machine.
As an attacker, there are other ways to try and subvert these protections. There is no reason an attacker cannot `find / -type d -perm -o=rwx` prior to downloading and executing their tool of choice.
You can try to install APF (Firewall) and BFD (Brute Force Detection) and also follow some of the steps outlined here:
http://www.webhostingresourcekit.com/109.html
APF and BFD are made by rfxnetworks.com. BFD will automatically block attackers if they fail to authenticate 5 times by using APF.
Try refer-guard as well!
---------- Does anyone have a best practices list or suggestions of what files are critical to monitor with integrity checking?
/etc/passwd
/etc/shadow
/etc/group
/etc/pam.d/*
/var/www/<static web pages>
/etc/ssh/sshd_config
???
etc.... They are imp. files! So always have an auto-compare etc.... with a previous backup -----------------
I recommend tuning php and disabling commands like system and passthru that may be used by an attacker but are probably not going to be used by you. I like to think that no webpage or script can be trusted even when I am the only person with access to a machine.
Many people have recommended mounting /tmp and /var/tmp noexec. This is a good idea but keep in mind that it is easy to execute commands even on a noexec filesystem (using the ld-linux library). So don't be surprised if some slightly clever attacker is running a binary from that location.
Use strong passwds.
----- Partially speaking, a good dent can be made by exhaustively culling through /etc; of course, *.cf and *.conf can help, source code if it applies to your site, all suid and sgid binaries (Modify:) in addition to a few site- and host-specific executions of 'find' with the '-anewer', '-cnewer' and '-newer' flags primarily. Clever (read: site-relevant) application of [elapsed] times can result in a couple of text files that contain well beyond the majority of what will need integrity monitoring to some degree. Just need to sit for a spell and give thorough consideration to each line entity, with a few follow-up finds as needed. The rest is just recollection, critical apps and filesystem awareness in general. Add them all together and that's a good dent in what will need monitoring...... 'best practice' and 'de facto' are too small of a scope versus host-wide, so thorough hardening and monitoring is almost always exhaustive and exhaustING..... at least in my experience where it is most critical that mishaps be held down to a minimum.....
---- Physical security?
------ Ever tried Tiger?
--- Introduction
Tiger is a security tool that can be used both as a security audit and intrusion detection system. It supports multiple UNIX platforms and it is free and provided under a GPL license. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell language.
& Bastille-like tools.....
------- I would suggest using a static kernel without loadable modules.
1) Install your servers with the bare minimum packages and see to it that only needed services are running.
2) Before you install a new package on your production system, check for known vulnerabilities for that package and if possible always get the latest package. Always verify the integrity of the package using md5sum.
3) With integrity checkers like tripwire, periodically check your essential binaries and configuration files for any modifications.
4) DO use log analyzers like logcheck and swatch to detect important events.
5) Periodically check your system for rootkits using rootkit hunter and chkrootkit.
6) Regularly back up your essential data to other machines or hard disks so that in case of failure the data can be recovered.
7) Get packages from authorized sites only.
8) Keep a watch for upcoming attacks and vulnerabilities for the software installed on your machine. Patch them and keep them up to date.
9) Check your system for possible viruses using an antivirus like ClamAV.
1) Harden your server with tight ACLs (SELinux or LIDS).
2) Use a good firewall.
3) Secure your web apps.
More and more, the web apps are becoming the preferred intrusion method. No need for port scans, and since there are so many languages they can be written in, it's hard to keep track of the vulnerabilities. Not to mention the fact that many of them don't have an announce list, so you have to subscribe to the general one. Then you have to wade through all the garbage just to watch for updates...
If you really want to harden Linux, by all means use PaX+Grsecurity+SSP. PaX is better and more mature than Redhat's execshield.. or OpenBSD's stackgap/w^x. But don't take my word for it <http://pax.grsecurity.net/docs/index.html>
Having an exact clone of your production machine & testing everything out there first... always helps
Anything in: bin boot dev etc lib opt sbin usr
although you can exclude stuff like documentation from /usr.
You can exclude most of: home mnt proc root tmp var
Although sometimes services live under /home (e.g. /home/httpd), in which case you might need to monitor such directories.
& create a list of cmds that users can execute...... nothing more than that!
Always create ACLs for everything..... & limit users
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-----------------MORE--------------------------------------------
Install & configure Tripwire http://sourceforge.net/projects/tripwire/
Install & configure Snort http://www.snort.org/
Install & configure Bastille http://www.bastille-linux.org/
Install & configure LIDS http://www.lids.org/
Install & configure modsecurity http://www.modsecurity.org/
Install & configure chkrootkit http://www.chkrootkit.org/
Install dansguardian http://www.dansguardian.org
Install squid http://www.squid-cache.org/
Install & configure DCC http://www.dcc-servers.net
Install & configure Pyzor http://pyzor.sourceforge.net
Install & configure Razor http://razor.sourceforge.net
Install & configure Clamav http://www.clamav.net
Install & configure MailScanner http://www.sng.ecs.soton.ac.uk/mailscanner/
Install & configure Ntop http://www.ntop.org/
Install & configure Spamassassin http://spamassassin.apache.org/
Install root access email command
Create a separate /tmp partition and mount noexec, nosuid
Configure Apache: configure for php safe mode; configure /internal web directory w/ access from private network only; configure /external web directory w/ password authentication
Configure SSH: respond on alternate port, only allow me to logon
Configure Firewall: only allow access to ssh from my domains
BETTER, RUN MOST SERVICES WRAPPED WITH SSH INSTEAD.
SECURITY is more a mindset and manner of operation than it is installing a whole lot of software (which it appears doubtful to me that you understand the scope and operation of the software that you list)
Having a perception of security, if devoid of reality (which you can only properly evaluate after careful consideration and a lot of experience), could be more dangerous than just leaving your system alone.
I will add these steps to the list:
- Only allow ssh V.2
- Deny root ssh logins
- Allow only ssh login with pub/priv keys and secure your priv key on an encrypted filesystem on a USB key
- Turn off all unneeded services
- Remove all unneeded binaries
- If you need to access the server from outside your private net use ipsec, openvpn or something related.
- If data integrity is of interest use a journaled filesystem for both metadata AND data (by default ext3 puts only metadata in the journal), LVM and RAID5, and pay attention to SMART
1. Disable all of your unnecessary services ((x)inetd, telnet, ftpd, etc.).
2. SSH should already be installed (you said FC4 right?), configure it with your public keys/trusted hosts, whatever you like.
3. Set up tcp_wrappers. (This is redundant with the firewall, but is nice to have, and easy to configure/maintain.)
4. Set up your firewall. I like firestarter (should come with FC4). Other people like shorewall. Ultimately, it's the same outcome.
5. Install/configure Bastille (this sort of overlaps some things, but can also affect installation of others, so it might be a good idea to do it early. SELinux might be better here, but I think SELinux depends on some of the kernel hooks and such. The two have really meshed over time, and I haven't followed it that closely.)
6. Install/configure (I/c) chkrootkit.
7. If you have another mail host for external mail (administrative messages and such), configure sendmail to only send mail internally (local system). You can configure spamassassin if you want, but unless you're actually transferring bulk mail, you don't really need it, nor the other 3 spam filters you listed.
8. Configure apache and modsecurity.
9. Now configure tripwire (or aide).
- Block pinging your server
- Use nessus for scanning your server
- Use nmap for scanning your server
- Keep things simple!
- Keep your servers updated (yum, up2date, apt or whatever works on your linux distribution).
- And keep your servers updated!! (this is simple and does magic).
- Remove the suid bit from any suids you don't need.
Constantly keep an eye on file permissions
Install LIDS, but it doesn't like BIND. There are things that SELinux does that LIDS doesn't
Try Spamassassin. Train it to block junk.
Tune the network stack a bit, something like this:
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
(and, if you use ipv6, the equivalents of course)
Create a separate /tmp partition and mount noexec, nosuid
Also consider a separate /var partition (/var/tmp is just as dangerous as /tmp). Use /boot, /, /var, /tmp and /usr. Consider which partitions can be mounted with the nodev, nosuid and noexec options (/tmp is one that should have all three; only / needs dev available AFAIK). If you use /boot, you need not have it mounted at all. You might get away with mounting /usr read-only.
Go over the files in /etc/security and see if anything might be beneficial for you (limits.conf might be worth checking out to set some limits on user apache, for instance).
1. Start with the latest stable distribution of your chosen flavor of Linux.
- Use this to do a clean install.
- Do not install all of the packages and certainly do not install X-Windows (aka KDE, Gnome or any other skin for X)
2. Download the latest stable releases as source of your www-accessible daemons (DNS, HTTP, SSH etc). Install these from source. If you do not know how to compile these correctly it is better you learn first, or at least make sure that you are getting the latest version !!!
** Do not trust the Linux vendor to provide you the latest stable versions by default **
While I am on this subject, make sure that the OpenSSL and Zlib libs are up to date. These pieces of software have a reputation and lots of stuff relies on them.
Only run what you need to run and use sensible settings.
- Only allowing unpriv users to SSH is a good idea.
- Running separate authoritative and caching NS is a good idea.
- Installing iptables is a good idea.
Running all sorts of crap is not a good idea.
Now on the subject of mindset, here are some good pointers:
1. Running games or IRC servers is like a magnet for trouble.
2. Hosting hate sites or anything attractive to troubled people is a bad idea.
3. Sex sites are also dumb.
And consider: is my server physically secure? Do I trust my employees (if applicable)? Do not talk about your systems or security measures with people unless they need to know AND you really trust them.
KEEP YOUR MACHINE UP TO DATE. Check at least once a day for updates.
Take the rest one step at a time, and remember: 1. your security is only as good as the weakest link; 2. threats come from many places. Be aware.
My major problem with SELinux was that it was so complex
A DB server might not need spamassassin installed, or a mail server would not require php-related things, and so on...
Use "mount -o data=journal /device /mountpoint" for mounting the device, or add data=journal in the fstab to do this.
===================================== Even still... You're not free of security problems, you just have different ones. (O;
FOSS Nepal mailing list http://groups.google.com/group/foss-nepal Community website: http://www.fossnepal.org/
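The baseline-and-compare that several posts in the thread ask for (the critical-file list, the "auto-compare with a previous backup", the `find -newer` sweep), as an added shell example that is not from the original post or any tool it names. It assumes `sha256sum` (or `shasum`), and builds a constructed look-alike of /etc under mktemp so it never touches the real one:

```shell
#!/bin/sh
# Added example (not from the post): hash a tree of critical files into a
# baseline, then report what was ADDED / CHANGED / REMOVED on a later run.
# The tree is constructed under mktemp; nothing here reads the real /etc.

hasher() {
    # sha256sum assumed; shasum is the fallback where only it exists
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# baseline <root> <out>: one "hash  path" line per regular file, sorted so
# two baselines of an unchanged tree are byte-identical (paths must not
# contain spaces for the awk compare below).
baseline() {
    find "$1" -type f | LC_ALL=C sort |
        while read -r f; do hasher "$f"; done > "$2"
}

# compare <old> <new>: ADDED / CHANGED / REMOVED per path, sorted.
compare() {
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         !($2 in old)        { print "ADDED " $2; next }
         old[$2] != $1       { print "CHANGED " $2 }
                             { delete old[$2] }
         END { for (p in old) print "REMOVED " p }' "$1" "$2" |
        LC_ALL=C sort
}

# changed_since <root> <baseline>: the find -newer sweep from the thread.
# Useful as quick triage, but mtime is trivially set, so hashes still rule.
changed_since() { find "$1" -type f -newer "$2"; }

# demo: constructed /etc look-alike, baselined, then drifted in the three
# ways a monitor must flag: edited sshd_config, new PAM file, removed file.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/etc/ssh" "$work/etc/pam.d"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$work/etc/passwd"
    printf 'Protocol 2\nPermitRootLogin no\n' > "$work/etc/ssh/sshd_config"
    printf 'auth required pam_unix.so\n' > "$work/etc/pam.d/sshd"
    baseline "$work/etc" "$work/base.sha256"
    # constructed drift (pam_extra.so is a made-up module name)
    printf 'Protocol 2\nPermitRootLogin yes\n' > "$work/etc/ssh/sshd_config"
    printf 'auth sufficient pam_extra.so\n' > "$work/etc/pam.d/su"
    rm "$work/etc/pam.d/sshd"
    baseline "$work/etc" "$work/now.sha256"
    compare "$work/base.sha256" "$work/now.sha256" | sed "s|$work||"
    rm -rf "$work"
}
```

On a real host the baseline file and the comparison run should live off-box (or on read-only media), since an intruder who can edit /etc can edit a baseline stored beside it just as easily.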
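An audit for the mount-option advice above (/tmp, /var/tmp and /dev/shm with noexec,nosuid,nodev; /home and /var with nosuid,nodev; /usr read-only), as an added shell example that is not from the original post. It reads a /proc/mounts-format listing, which here is a constructed sample; on a live box you would pass /proc/mounts. The thread's own caveat applies: noexec is a speed bump, not a control.

```shell
#!/bin/sh
# Added example (not from the post): check a /proc/mounts-style listing
# against the mount-option policy the thread recommends.  A target that is
# not its own mount point silently inherits its parent's options, which is
# exactly how /var/tmp ends up unprotected, so that case is reported too.

# Wanted options per mount point (policy assembled from the thread).
want_opts() {
    case $1 in
        /tmp|/var/tmp|/dev/shm) echo "noexec nosuid nodev" ;;
        /home|/var)             echo "nosuid nodev" ;;
        /usr)                   echo "ro nodev" ;;
    esac
}

# audit_mounts <file>: for each policy target find the mount backing it
# (itself, or the longest parent mount point) and print
#   INHERITED <target> <parent>   when the target is not its own mount
#   MISSING <target> <opt>        for each wanted option absent
#   NOTMOUNTED <target>           when nothing backs it at all
audit_mounts() {
    for mp in /tmp /var/tmp /dev/shm /home /var /usr; do
        # column 2 of /proc/mounts is the mount point, column 4 the options
        res=$(awk -v mp="$mp" '
            $2 == "/" || $2 == mp || index(mp, $2 "/") == 1 {
                if (length($2) > length(best)) { best = $2; o = $4 } }
            END { print best " " o }' "$1")
        parent=${res%% *}; opts=${res#* }
        [ -n "$parent" ] || { echo "NOTMOUNTED $mp"; continue; }
        [ "$parent" = "$mp" ] || echo "INHERITED $mp $parent"
        for o in $(want_opts "$mp"); do
            case ",$opts," in
                *",$o,"*) ;;
                *) echo "MISSING $mp $o" ;;
            esac
        done
    done
}

# Constructed sample: /tmp is right, /var/tmp is not its own mount,
# /dev/shm lacks noexec, /usr is mounted read-write.
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw,data=ordered 0 0
/dev/hdd1 /tmp ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/hda3 /usr ext3 rw,nodev 0 0
/dev/hda4 /home ext3 rw,nosuid,nodev 0 0
/dev/hda5 /var ext3 rw,nosuid,nodev 0 0
EOF
}

run_sample() {
    tmp=$(mktemp)
    sample_mounts > "$tmp"
    audit_mounts "$tmp"
    rm -f "$tmp"
}
```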
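The sysctl list above turned into a policy that can be both applied and audited, as an added shell example that is not from the original post. The two net.ipv6 keys are my reading of "the equivalents" for ipv6 (redirects and source routing); the check reads values from a /proc/sys tree, which in the sample is a constructed copy under mktemp rather than the live kernel:

```shell
#!/bin/sh
# Added example (not from the post): the thread's sysctl hardening as a
# key=value policy.  check_sysctl maps each key to its /proc/sys file
# (dots become slashes) and reports every deviation, so the same list
# serves as sysctl.conf content and as an audit of the running kernel.

policy() {
    cat <<'EOF'
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_source_route=0
EOF
}

# check_sysctl <procsys>: print "DIFF key want=X got=Y" for each key whose
# live value differs and "ABSENT key" where the kernel has no such knob
# (e.g. the ipv6 lines on a kernel built without ipv6).
check_sysctl() {
    root=$1
    policy | while IFS='=' read -r key want; do
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then echo "ABSENT $key"; continue; fi
        got=$(cat "$path")
        [ "$got" = "$want" ] || echo "DIFF $key want=$want got=$got"
    done
}

# Constructed fake /proc/sys: compliant except for two keys, with the ipv6
# subtree missing entirely to exercise the ABSENT path.
run_sample() {
    fake=$(mktemp -d)
    policy | while IFS='=' read -r key want; do
        case $key in net.ipv6.*) continue ;; esac
        p="$fake/$(printf '%s' "$key" | tr . /)"
        mkdir -p "$(dirname "$p")"
        printf '%s\n' "$want" > "$p"
    done
    printf '1\n' > "$fake/net/ipv4/conf/all/accept_redirects"
    printf '1024\n' > "$fake/net/ipv4/tcp_max_syn_backlog"
    check_sysctl "$fake"
    rm -rf "$fake"
}
```

On a real host, `policy > /etc/sysctl.conf` followed by `sysctl -p` applies the list, and `check_sysctl /proc/sys` afterwards confirms nothing was silently rejected or later reverted.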