Guys.... this was something I wrote/compiled a year ago. It was my
attempt to write a walkthrough on hardening *nix systems, comparing it
in parallel to Windows. Later some better things drew my attention
instead (learning, more learning ;0) so.... I quit writing it in the
middle.
Here is the copy/paste of my scratch pad from then...... it's a random note
and uncensored since then. Deal with it, but it should be a mine of
information to many. Anyone with free time? Consider continuing it!
(O:
__________________________________________________________________________________________
Default installation & software upgrades are not enough!
This article is aimed at people who have a fair knowledge of the technology.
It just aims to scratch the surface of everything............. maybe
a quick flashback of your knowledge.
Let's start with the obvious... basics:
""""""""
#
Obviously, a default installation doesn't come with a virus/spyware/Trojan
scanner. If your PC isn't a single-user OS, there is even a likelihood
of malware, Trojans or spyware running with user privileges... or worse, a
rootkit.
<.../>
""""""""
#
Regardless of the OS, it's always better to encrypt your sensitive files and
to "shred" (not rm/del) temp files & clean them periodically. Many programs
create insecure temp files, so it's better to create separate temp folders for
every user, with a file/disk quota limit set on them. You can specify a unique
temp folder location for every user in '/etc/profile.d', or with the
"SET" command in Windows. Try:
Windows:
cipher.exe /?
*NIX:
shred --help
wipe
free/slack space + defrag......
<.../>
---
# It's always better to run system backups periodically of your
documents and important files. It's quick to append new files to your
backup in a secure location "via a secure tunnel".
*nix:
use a "cron job" to schedule a periodic backup and "tar" to
archive the files. It's always advisable to run scheduled tasks at the time when
there is the least system load.
Windows:
ntbackup.exe has all you need.
<.../>
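As an added example (not part of the original notes), here is the *nix side of the backup item as a small POSIX shell script: a dated tar archive that is verified before older copies are pruned, plus the crontab line that schedules it. The SRC/DEST paths, the retention count and the wrapper script path are assumptions; the archive can be pushed over scp afterwards.

```shell
#!/bin/sh
# Added example, not from the original notes: dated tar backup with
# verification and pruning. Paths are assumptions.

# backup_dir SRC DEST [KEEP]: archive SRC into DEST/backup-<timestamp>.tar,
# verify the archive lists cleanly, keep only the newest KEEP archives and
# print the archive path. Returns 1 (and leaves no half-written archive)
# if the archive could not be made or verified.
backup_dir() {
    src=$1; dest=$2; keep=${3:-7}
    mkdir -p "$dest" || return 1
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar"
    # -C: store paths relative to SRC instead of absolute ones
    tar -cf "$archive" -C "$src" . || { rm -f "$archive"; return 1; }
    # an archive that cannot be listed is not a backup; discard it
    tar -tf "$archive" >/dev/null 2>&1 || { rm -f "$archive"; return 1; }
    # prune: newest first (ls -t), drop everything past the KEEP-th entry
    ls -1t "$dest"/backup-*.tar 2>/dev/null | tail -n +"$((keep + 1))" |
        while read -r old; do rm -f "$old"; done
    printf '%s\n' "$archive"
}

# Crontab line to run a wrapper nightly at 02:30, when load is usually
# lowest (the wrapper path is an assumption):
#   30 2 * * * /usr/local/sbin/backup.sh >>/var/log/backup.log 2>&1
```

Call it as `backup_dir /home/me/docs /srv/backup 14`. The verification step (`tar -tf`) is the part worth keeping: a cron job that silently writes unreadable archives is worse than no cron job, because you only find out on restore day.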
""""""""
# Set hardened firewall rules... Depending on your server/OS, set strict firewall
rules to filter out all unnecessary inbound/outbound traffic. Make
sure port scans, banner grabbing and OS fingerprinting (countermeasures:
http://ippersonality.sourceforge.net) don't leak sensitive info to the outer
world. This may not stop a determined intruder, but it may* buy you some
valuable time to spot one or patch up a vulnerable service in
time.
Moreover, check for easy connection hijacking etc... in your LAN. Detect ARP
spoofing & man-in-the-middle attacks when possible. Set your firewall (iptables)
rules to map an IP to its MAC address and set firewall rules based on IP+system
MAC for local access in your trusted network, and discard the rest. This adds an
extra level of security. You may even want to block the whole 'inetnum' (the
registered address range) of online services like www.netcraft.com
<.../>
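The IP+MAC rule for the trusted LAN, written out as an added example (this is not the notes' own rule set): a POSIX shell function that reads a constructed trusted-host list, validates each entry and emits the iptables commands. The interface name `eth1`, the chain name `LAN_IN` and the host list are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: emit iptables rules that accept
# LAN traffic only from known IP+MAC pairs and drop the rest. Host list,
# interface and chain name are constructed assumptions. Review the output
# before loading it (e.g. via your own rules script or iptables-restore).

# Constructed trusted-host list, "<ipv4> <mac>" per line; '#' starts a comment.
# The last entry is deliberately malformed to show that it gets skipped.
TRUSTED_HOSTS='
# ip              mac
192.0.2.10        00:11:22:33:44:55
192.0.2.11        66:77:88:99:aa:bb
not-an-address    00:11:22:33:44:55
'

valid_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_mac()  { printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# lan_rules IFACE [CHAIN]: one ACCEPT per valid pair into CHAIN, a final DROP,
# and a jump from INPUT for packets arriving on IFACE. Malformed entries are
# reported on stderr and skipped, never turned into a broader rule.
lan_rules() {
    iface=$1; chain=${2:-LAN_IN}
    printf 'iptables -N %s\n' "$chain"
    printf '%s\n' "$TRUSTED_HOSTS" | while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_ipv4 "$ip" && valid_mac "$mac"; then
            printf 'iptables -A %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
                "$chain" "$ip" "$mac"
        else
            printf 'skipping malformed entry: %s %s\n' "$ip" "$mac" >&2
        fi
    done
    printf 'iptables -A %s -j DROP\n' "$chain"
    printf 'iptables -A INPUT -i %s -j %s\n' "$iface" "$chain"
}
```

Run `lan_rules eth1` and inspect the output before applying it. The `-m mac` match only sees the source MAC of frames on the directly attached segment, and a MAC can be cloned, so this pairing is the "extra level" the notes describe and not a substitute for the ARP-spoofing detection mentioned just above.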
""""""""
#
There might be system services & software modules that you aren't
using. ONLY ENABLE THOSE SERVICES YOU USE. Disabling the rest will always
reduce the probability of a successful intrusion.
<.../>
""""""""
Do your WAP/Bluetooth devices... wireless keyboard/mouse support authentication
& encryption?
<.../>
""""""""
#
Log system events, and don't fear to keep/monitor necessary noise. It's better
to mirror the "system log" to a remote location. Make sure you monitor
and secure logs/events generated by software & daemons as well... in a
clean manner.
*nix:
/etc/syslog.conf
/* set the parameter: *.* @<server_ip> (forward everything to the log host) */
Windows:
http://ntsyslog.sourceforge.net/
In Windows: secpol.msc <--- to set security policy; eventvwr.msc to manage/view events.
Make sure your system logs won't be disrupted in a DoS or critical system error
situation, be flushed away, or that you run out of disk space!
Manage internal network & external network.... you don't want an external intruder
jumping into your network through an internal/local proxy!
<.../>
""""""""
#
Authenticate network traffic (SSH tunnel, Kerberos, one-time passwords etc...). Remember
IP-based auth can always be fooled. Use an IDS (Snort). Use Tripwire-like tools.
Monitor system file hashes, startup dirs/scripts, software & security
configuration files & sensitive registry keys etc.
Regularly monitor/log system performance & look for any suspicious packets that come
& leave your system. Compare the IDS logs from both inside & outside
your firewall. Monitor your system performance:
perfmon.msc
mrtg, snmp, ps aux etc
http://www.nagios.org. How about using load
balancing/clustering as well....
Create a profile of your system/network activity… this will help you spot the unusual.
If you have to test software, run third-party code etc...... it's ALWAYS better,
easier & more FLEXIBLE to run it in a "VIRTUAL MACHINE" (vmware?)
It's better to run only one listening (network) service per computer.... Make
sure you have "unique" passwords on every system. Make sure…
a disruption/compromise in one system won't propagate or affect... the rest of the
network. DECENTRALIZATION!?
<.../>
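The "Tripwire-like" file hash monitoring above, as an added example in POSIX shell that is not the notes' own tooling: a baseline of sha256 hashes over a list of paths, and a compare step that reports changed, added and removed files and exits non-zero so a cron job can alert. It is meant for the kind of list given later in these notes (/etc/passwd, /etc/shadow, /etc/group, /etc/pam.d, /etc/ssh/sshd_config, the static web root); the list file and baseline location are assumptions, and paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example, not from the original notes: minimal baseline/compare
# integrity check using sha256sum. Paths are assumptions.

# integrity_baseline LISTFILE BASELINE: hash every regular file under the
# paths named in LISTFILE (one per line, missing ones skipped) into BASELINE.
# sha256sum writes "hash  path" per line; the list is sorted by path.
integrity_baseline() {
    list=$1; out=$2
    while read -r p; do
        [ -n "$p" ] && [ -e "$p" ] && find "$p" -type f
    done < "$list" | sort | while read -r f; do
        sha256sum "$f"
    done > "$out"
}

# integrity_compare LISTFILE BASELINE: re-hash now and print one line per
# difference: "changed <path>", "added <path>" or "removed <path>".
# Returns 1 if anything differs, 0 if the tree still matches the baseline.
integrity_compare() {
    list=$1; base=$2
    now=$(mktemp)
    integrity_baseline "$list" "$now"
    # first pass loads the baseline, second pass walks the fresh hashes
    diffs=$(
        awk 'NR == FNR { old[$2] = $1; next }
             {
               if (!($2 in old)) print "added " $2
               else {
                 if (old[$2] != $1) print "changed " $2
                 delete old[$2]
               }
             }
             END { for (p in old) print "removed " p }' "$base" "$now"
    )
    rm -f "$now"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}
```

Usage: `integrity_baseline /etc/integrity.list /var/lib/integrity.base` once, after a known-good install; then `integrity_compare /etc/integrity.list /var/lib/integrity.base` from cron. Keep the baseline somewhere the monitored host cannot silently rewrite it (read-only media or the remote log host the notes recommend), otherwise an intruder who can alter /etc/passwd can alter the baseline too.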
""""""""
In the internet jungle I'd say... only "unique systems survive longer".
Check if you could be another victim of spam, bandwidth theft, DoS, misuse of
your network resources etc... Use search engines, online directories, telephone
indexes etc... & try to monitor/check the information that's flowing outside.
Try reducing your probability of being attacked by buffer overflows.
google:
StackGuard, libsafe, grsecurity.net, SELinux etc…
Make sure you won't be another victim of fork bombs, memory & I/O exhaustion attacks.
Use QoS for system bandwidth.
*nix: 'ulimit -a' or use PAM modules.
<.../>
""""""""
The principle of least privilege always helps. You may not want to run "system
services" as root... instead create a separate jailed account for each service
when possible. Make sure these services don't queue a long list of jobs. You may want to deny all connection
attempts for [x]inetd and TCP Wrappers
services. Check what level of system resources/information local users
have access to. For untrusted users it's always better to create a jail
environment. It isn't stupid to change
default paths... disable the right to schedule tasks (CRON JOBS) for users...
For users you may even want to disable perl, gcc and many other... system
executables that are unnecessary for them. You don't want to see your machine get
0wn3d by a malicious user compiling code locally via gcc, do you? Keep track
of SUID/SGID programs... Make sure users have write access to only limited
directories. It's better to statically compile the modules you need into your
kernel and disable further loading of modules "in the Linux kernel", or
via the WINDOWS REGISTRY.... Did you ever consider boot security, encrypted
filesystems, BIOS passwords, and disabling autorun on removable media?
#
Disable telnet and use only the SSH2 protocol to remotely log on to systems.
#
Disable direct root login.
#
Transfer files via sftp or scp.
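"Keep track of SUID/SGID programs" and "write access to only limited directories" can be turned into a cron audit. The following is an added example, not a tool from the notes: it lists setuid/setgid files and world-writable directories that lack the sticky bit under a root, and reports setuid/setgid files that are not on a reviewed allowlist. The root path and allowlist file are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: SUID/SGID and world-writable
# directory audit with an allowlist. Paths are assumptions.

# list_suid ROOT: every setuid or setgid regular file under ROOT, one per
# line, staying on the same filesystem (-xdev) so /proc and NFS are skipped.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# list_world_writable ROOT: directories anyone can write to that lack the
# sticky bit, so one user can delete or replace another user's files there.
# (/tmp with mode 1777 is fine; mode 0777 is what this reports.)
list_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# audit_new ROOT ALLOWLIST: print setuid/setgid files not listed (exact
# path match) in ALLOWLIST. Returns 1 if any were found, so a cron wrapper
# can mail the output; 0 means nothing new since the allowlist was reviewed.
audit_new() {
    root=$1; allow=$2
    found=$(list_suid "$root" | grep -vxF -f "$allow" || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Build the allowlist once from `list_suid / > /etc/suid.allow` after reviewing each entry (and stripping the suid bit from anything you don't need, as the notes suggest); then `audit_new / /etc/suid.allow` from cron flags only what appeared since. The second function answers the same question from the defender's side that the `find / -type d -perm -o=rwx` remark later in these notes raises from the attacker's side.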
""""""""
#
Poor file permissions may lead to leaks of sensitive information. Executables
could be overwritten by malicious ones.
Only share what you have to... Even "r" permission on sensitive files
could prove harmful. I suggest, at times it's even better to change the file
permissions of all system executables to "r-only" (bye…bye virus… you
gotta be a little tricky now).
Windows:
cacls.exe *.(executable extension) /T /C /P Everyone:R
In Windows make sure unprivileged users don't have permission to write to
system (variable) paths, like c:\, %windir% etc...
threat?:
If you (or a program) don't provide an absolute path to run a program... say, for
Internet Explorer, instead of start > run >
"C:\Program Files\Internet Explorer\iexplore.exe" you just
try start > run > "~path\iexplore". Then the system first tries searching for and
executing 'Program.exe' in C:\, then 'Internet.exe' in C:\Program Files, and only
then finds and executes "C:\Program Files\Internet Explorer\iexplore.exe". This is
a design flaw in Windows and could be misused. Try keeping an executable named
"Program.exe" in C:\ ... you don't have to wait very long before it surprisingly
gets executed automatically by other programs.
System-wide variables, in order of priority from left to right:
Path:
%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
PATHEXT:
.COM;.EXE;.BAT;.CMD ..................
It's always better to implement a software restriction policy (path rule)... (via gpedit.msc)
on "Temporary Internet Files", c:\*, "removable media" etc...
In *nix you can secure insecure mount points via (say) this fstab line:
/dev/hdd1 /tmp ext3 defaults,noexec,nosuid,nodev
Better… to do '/home' and /var/tmp as well.
Don't forget /dev/shm too, or wherever your OS happens to mount it......
<.../>
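An added example (not from the notes) for the mount-option item: a POSIX shell check that reads an fstab and reports, for /tmp, /var/tmp, /dev/shm and /home, which of noexec, nosuid and nodev each is missing, or that the mount point is not in fstab at all (and so runs with whatever the kernel or init scripts chose). The sample fstab inside the script is constructed for the demo; on a real host point it at /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the original notes: audit fstab entries for the
# scratch filesystems the notes mention. The fstab text is constructed.

WANT_OPTS="noexec nosuid nodev"
CHECK_MOUNTS="/tmp /var/tmp /dev/shm /home"

# Constructed fstab: /tmp is done right, /var/tmp lacks noexec, /home has
# nothing, /dev/shm is absent from fstab entirely.
SAMPLE_FSTAB='# <device>    <mount>   <type>  <options>                     <dump> <pass>
/dev/sda1     /         ext3    defaults                      1 1
/dev/sda2     /tmp      ext3    defaults,noexec,nosuid,nodev  1 2
/dev/sda3     /var/tmp  ext3    defaults,nosuid,nodev         1 2
/dev/sda4     /home     ext3    defaults                      1 2
'

# has_opt OPTS NAME: true if the comma-separated OPTS contains NAME exactly
# ("noexec" must not be satisfied by "exec" or by a substring of "nodev").
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# fstab_audit FILE: one line per checked mount point:
#   "<mount> ok" | "<mount> missing <opts>" | "<mount> not-in-fstab"
# Returns 1 if anything is not ok, so it can fail a cron job or a build step.
fstab_audit() {
    file=$1; rc=0
    for mp in $CHECK_MOUNTS; do
        # 4th field is the option list; skip comment lines
        opts=$(awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }' "$file")
        if [ -z "$opts" ]; then
            printf '%s not-in-fstab\n' "$mp"; rc=1; continue
        fi
        missing=""
        for o in $WANT_OPTS; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        if [ -z "$missing" ]; then
            printf '%s ok\n' "$mp"
        else
            printf '%s missing%s\n' "$mp" "$missing"; rc=1
        fi
    done
    return $rc
}

# demo: run the audit over the constructed sample
demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_FSTAB" > "$f"
    fstab_audit "$f"
    rc=$?
    rm -f "$f"
    return $rc
}
```

Run `demo` to see the sample report, or `fstab_audit /etc/fstab` on a host. Whether /home should really be noexec is a site decision (the notes say yes; a developer box will disagree), so edit `CHECK_MOUNTS` rather than the logic. As a later reply in these notes points out, noexec is a speed bump and not a wall, so treat a clean report as one layer among several.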
failover servers, disks.....
clustering, load-balancing (HPC etc....)
If you have a high-traffic site, things like hosting pics & text & files
on separate servers is brainy!
In the internal network... I prefer locking down all ports except the ones needed....
I use my internal GATEWAY as a hub for firewall/router... by sectioning the
network (but make sure there is no bottleneck as all traffic goes through it).
Use l7-filter for stateful packet analysis (not just bare-bones), but you must
separately have another internal/external firewall........ this will just serve
as first aid for some time if there is a local breach.
DEFENCE IN DEPTH etc....
Too many services on one system is harmful..... try chroot with a separate user
for every service. Install rootkit hunter & chkrootkit,
install mod_security,
bandwidth management, resource allocation...... DoS, local adware, spyware, worm
detection? Rootkit Hunter
IPS?
SELinux
Turn off services you don't need & reduce program features to the least possible.
You could also use some host-based IDS or log analysis tool to improve the detection
capabilities there. I suggest OSSEC HIDS (www.ossec.net/hids/),
because it does log analysis and integrity checking together (in addition to having a
nice correlation engine and a nice notification tool),
but I'm suspicious to talk about it :).
I also have AIDE and Snort set up on this machine.
As an attacker, there are other ways to try and subvert these
protections. There is no reason an attacker cannot `find / -type d -perm -o=rwx`
prior to downloading and executing their tool of choice.
You can try to install APF (Firewall) and BFD (Brute Force Detection)
and also follow some of the steps outlined here:
http://www.webhostingresourcekit.com/109.html
APF and BFD are made by rfxnetworks.com. BFD will automatically block
attackers if they fail to authenticate 5 times, by using APF.
Try refer-guard as well!
----------
Does anyone have a best practices list or suggestions
of what files are critical to monitor with integrity checking?
/etc/passwd
/etc/shadow
/etc/group
/etc/pam.d/*
/var/www/<static web pages>
/etc/ssh/sshd_config
???
etc....
They are important files!
So always have an auto-compare etc.... with a previous backup.
-----------------
I recommend tuning php and disabling commands like system and passthru that
may be used by an attacker but are probably not going to be used by you. I
like to think that no webpage or script can be trusted even when I am the
only person with access to a machine.
Many people have recommended mounting /tmp and /var/tmp noexec. This is a good
idea, but keep in mind that it is easy to execute commands even on a noexec
filesystem (using the ld-linux library). So don't be surprised if some
slightly clever attacker is running a binary from that location.
Use strong passwords.
-----
Partially speaking, a good dent can be made by exhaustively culling
through /etc; of course, *.cf and *.conf can help, source code if it applies
to your site, all suid and sgid binaries (Modify:) in addition to a few
site- and host-specific executions of 'find' with the '-anewer',
'-cnewer' and '-newer' flags primarily. Clever (read: site relevant)
application of [elapsed] times can result in a couple of text files that
contain well beyond the majority of what will need integrity monitoring
to some degree. Just need to sit for a spell and give thorough
consideration to each line entity, with a few follow-up finds as needed.
The rest is just recollection, critical apps and filesystem awareness in
general.
Add them all together and that's a good dent in what will need
monitoring...... 'best practice' and 'de facto' are too small
of a scope versus host-wide, so thorough hardening and monitoring is almost
always exhaustive and exhaustING..... at least in my experience where it
is most critical that mishaps be held down to a minimum.....
----
Physical security?
------
Ever tried tiger?
http://www.nongnu.org/tiger/
---Introduction
Tiger is a security tool that can be used both as a security audit and
intrusion detection system. It supports multiple UNIX platforms and it
is free and provided under a GPL license. Unlike other tools, Tiger
needs only POSIX tools and is written entirely in shell language.
& Bastille-like tools.....
-------
I would suggest using a static kernel without loadable modules.
1) Install your servers with bare minimum packages and see to it
that only needed services are running.
2) Before you install a new package on your production system, check for
known vulnerabilities for that package and if possible always get the
latest package. Always verify the integrity of the package using
md5sum.
3) With integrity checkers like tripwire, periodically check your
essential binaries and configuration files for any modifications.
4) DO use log analyzers like logcheck and swatch to detect important events.
5) Periodically check your system for rootkits using rootkit hunter and
chkrootkit.
6) Regularly back up your essential data to other machines or hard disks
such that in case of failure the data can be recovered.
7) Get packages from authorized sites only.
8) Keep a watch for upcoming attacks and vulnerabilities for the
software installed on your machine. Patch them and keep them up to date.
9) Check your system for possible viruses using an antivirus like ClamAV.
1) Harden your server with tight ACLs (SELinux or LIDS).
2) Use a good firewall.
3) Secure your web apps.
More and more, web apps are becoming the preferred intrusion method.
No need for port scans, and since there are so many languages they can be
written in, it's hard to keep track of the vulnerabilities. Not to
mention the fact that many of them don't have an announce list, so you have
to subscribe to the general one. Then you have to wade through all the
garbage just to watch for updates...
If you really want to harden Linux, by all means use PaX+Grsecurity+SSP.
PaX is better and more mature than Redhat's execshield.. or OpenBSD's stackgap/W^X.
But don't take my word for it <http://pax.grsecurity.net/docs/index.html>
Having an exact clone of your production machine & testing everything out there
first... always helps.
Anything in: bin boot dev etc lib opt sbin usr
although you can exclude stuff like documentation from /usr.
You can exclude most of: home mnt proc root tmp var
Although sometimes services live under /home (e.g. /home/httpd), in
which case you might need to monitor such directories.
& create a list of cmds that users can execute...... nothing more than that!
Always create ACLs for everything..... & limit users
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-----------------MORE--------------------------------------------
Install & configure Tripwire
http://sourceforge.net/projects/tripwire/
Install & configure Snort
http://www.snort.org/
Install & configure Bastille
http://www.bastille-linux.org/
Install & configure LIDS
http://www.lids.org/
Install & configure modsecurity http://www.modsecurity.org/
Install & configure chkrootkit
http://www.chkrootkit.org/
install dansguardian
http://www.dansguardian.org
install squid
http://www.squid-cache.org/
Install & configure DCC
http://www.dcc-servers.net
Install & configure Pyzor
http://pyzor.sourceforge.net
Install & configure Razor
http://razor.sourceforge.net
install & configure Clamav
http://www.clamav.net
Install & configure MailScanner
http://www.sng.ecs.soton.ac.uk/mailscanner/
Install & configure Ntop
http://www.ntop.org/
Install & configure Spamassassin
http://spamassassin.apache.org/
install root access email command
create a separate /tmp partition and mount it noexec, nosuid
Configure Apache
configure for php safe mode
configure /internal web directory w/ access from private network only
configure /external web directory w/ password authentication
Configure SSH
respond on alternate port
only allow me to logon
Configure Firewall:
only allow access to ssh from my domains
BETTER, RUN MOST SERVICES WRAPPED WITH SSH INSTEAD.
SECURITY is more a mindset and manner of operation than it is
installing a whole lot of software (which it appears doubtful to me that you
understand the scope and operation of the software that you list).
Having a perception of security, if devoid of reality (which you
can only properly evaluate after careful consideration and a lot
of experience), could be more dangerous than just leaving your
system alone.
I will add these steps to the list:
- Only allow ssh v2
- Deny root ssh logins
- Allow only ssh login with pub/priv keys and secure your priv key
on an encrypted filesystem on a USB key
- Turn off all unneeded services
- Remove all unneeded binaries
- If you need to access the server from outside your private net, use
ipsec, openvpn or something related.
- If data integrity is of interest, use a journaled filesystem
for both metadata AND data (by default ext3 puts only metadata in the
journal), LVM and RAID5, and pay attention to SMART
1. Disable all of your unnecessary services ((x)inetd, telnet, ftpd, etc.).
2. SSH should already be installed (you said FC4 right?), configure
it with your public keys/trusted hosts, whatever you like.
3. Set up tcp_wrappers. (This is redundant with the firewall, but is
nice to have, and easy to configure/maintain.)
4. Set up your firewall. I like firestarter (should come with FC4).
Other people like shorewall. Ultimately, it's the same outcome.
5. Install/configure Bastille (this sort of overlaps some things,
but can also affect installation of others, so it might be a good
idea to do it early).
SELinux might be better here, but I think SELinux depends on some of the kernel
hooks and such. The two have really meshed over time, and I haven't followed it
that closely.
6. Install/configure (I/c) chkrootkit.
7. If you have another mail host for external mail (administrative
messages and such), configure sendmail to only send mail internally
(local system). You can configure SpamAssassin if you want, but
unless you're actually transferring bulk mail, you don't really need
it, nor the other 3 spam filters you listed.
8. Configure apache and modsecurity.
9. Now configure tripwire (or aide).
- Block pinging your server
- Use nessus for scanning your server
- Use nmap for scanning your server
- Keep things simple!
- Keep your servers updated (yum, up2date, apt or whatever works
on your Linux distribution).
- And keep your servers updated!! (this is simple and does magic).
- Remove the suid bit from any suids you don't need.
Constantly keep an eye on file permissions.
Install LIDS, but it doesn't like BIND. There are things that SELinux
does that LIDS doesn't.
Try SpamAssassin. Train it to block junk.
tune the network stack a bit, something like this:
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
(and, if you use ipv6, the equivalents of course)
Create a separate /tmp partition and mount it noexec, nosuid.
Also consider a separate /var partition (/var/tmp is just as dangerous as
/tmp). Use /boot, /, /var, /tmp and /usr. Consider which
partitions can be mounted with the nodev, nosuid and noexec
options (/tmp is one that should have all three; only / needs dev available AFAIK).
If you use /boot, you need not have it mounted at all. You might get away
with mounting /usr read-only.
Go over the files in /etc/security and see if anything might be
beneficial for you (limits.conf might be worth checking out to set some
limits on user apache, for instance).
1. Start with the latest stable distribution of your chosen flavor
of Linux.
- Use this to do a clean install.
- Do not install all of the packages and certainly do not install
X-Windows (aka KDE, Gnome or any other skin for X).
2. Download the latest stable releases as source of your www-accessible
daemons (DNS, HTTP, SSH etc). Install these from source. If you do not
know how to compile these correctly it is better you learn first, or at
least make sure that you are getting the latest version !!!
** Do not trust the Linux vendor to provide you the latest stable
versions by default **
While I am on this subject, make sure that OpenSSL and Zlib libs
are up to date. This software has a reputation and lots of stuff relies on
it.
Only run what you need to run and use sensible settings.
- Only allowing unprivileged users to SSH is a good idea.
- Running separate authoritative and caching NS is a good idea.
- Installing iptables is a good idea.
Running all sorts of crap is not a good idea.
Now on the subject of mindset, here are some good pointers:
1. Running games or IRC servers is like a magnet for trouble.
2. Hosting hate sites or anything attractive to troubled people is
a bad idea.
3. Sex sites are also dumb.
And consider: is my server physically secure? Do I trust my
employees (if applicable)? Do not talk about your systems or security measures
with people unless they need to know AND you really trust them.
KEEP YOUR MACHINE UP TO DATE. Check at least once a day for
updates.
Take the rest one step at a time, and remember 1. your security is
only as good as the weakest link 2. threats come from many places. Be
aware.
My major problem with SELinux was that it was so complex.
A DB server might not need spamassassin installed, or a mail
server would not require php-related things, and so
on...
Use "mount -o data="" /device /mountpoint" for mounting the
device, or add data="" in the fstab to do this.
=====================================
Even still... you're not free of security
problems, you just have different ones. (O;