Bastille Linux Past, Present and Future Jay Beale Lead Developer, Bastille Linux President, JJB Security Consulting

Page 1

Bastille Linux Past, Present and Future

Jay Beale, Lead Developer, Bastille Linux

President, JJB Security Consulting

Page 2

Bastille Linux

A security hardening script for Linux and Unix

● Red Hat 7.3
● Mandrake 8.2
● Turbo 7.0
● SuSE 7.2
● Debian current
● HP-UX 11.x

Page 3

Bastille Linux

More operating systems:

● Solaris
● OpenBSD (SSH worm anyone?)
● FreeBSD?

Page 4

Sample Screen

Page 5

What Does Bastille Do? 1/3

Firewall

Set-UID and Permissions Audit

Page 6

What Does Bastille Do? 2/3

Deactivate unnecessary stuff

Tighten configurations of remaining stuff

Page 7

What Does Bastille Do? 3/3

Educate Users and Admins

(They have guns pointed at their boots)

Page 8

Why Do I Need It?

Shipped defaults are not optimized for security

Users need ease-of-use and programmers want convenience

Neither groks security

Page 9

But Why Do I Need Security? 1/4

You're targeted by clueful hackers (even if you're not interesting)

because you're one hop on the way to the real target.

Page 10

But Why Do I Need Security? 2/4

You're targeted by script kiddies...

because you have an IP address!

(That got picked up as vulnerable by their vulnerability scanners.)

Page 11

But Why Do I Need Security? 3/4

You're targeted by worms...

Slightly smarter than script kiddies, but fully automated.

Easy to defeat, with hardening!

Page 12

But Why Do I Need Security? 4/4

Script kiddies choose your box at random to:

● Run their IRC bots
● Run their IRC server
● Serve as an exchange point for files, filez...
● Attack other machines with DoS/DDoS programs
● Brag about how many random machines they 0wn.
● <your use here>

Page 13

How Does It Work? 1/2

Minimize Points of Entry

● Network Daemons
● User-accessible programs

Page 14

How Does It Work? 2/2

Prevent Privilege Escalation

Set-UID programs let me turn my user nobody access into root!

Page 15

But Does It Work?

Bastille was written before most of the security vulnerabilities in Red Hat 6.0 were discovered.

It could stop or contain almost all of them.

Page 16

Vulnerabilities Stopped - Red Hat 6.0

● BIND - remote root
● wu-ftpd - remote root
● userhelper - local root
● lpd + sendmail - remote root
● dump/restore - local root
● gpm - console local root

Page 17

Vulnerabilities Not Stopped - RH 6.0

nmh - local root?

man - whatever user runs it

Page 18

So Who's Using it?

You tell me!

MandrakeSoft had it in their distribution.

Red Hat has talked about integrating it.

SGI sold appliances with it loaded.

Guardent/foo uses it in some appliance.

Estimated around 75,000-150,000 people?

Page 19

Capabilities

2.0 Release

● Intelligence - "requires" tags
● X or Curses configuration
● Reusable config file, with consistency checking

Page 20

Where We're Going Soon

More content: this talk will demonstrate

Growing to run on more platforms: Solaris first.

Enterprise features

Page 21

Firewall

Configure a default-deny firewall for a masquerading network, or a single machine
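The two firewall shapes this slide names, as an added example that is not Bastille's own code: a generator that prints a default-deny iptables ruleset for a masquerading gateway and one for a single machine, so the rules can be reviewed before they are applied. Interface and network arguments (eth0, eth1, 192.168.1.0/24) are assumptions.

```shell
# Added example, not Bastille's own code: print a default-deny iptables
# ruleset. Interface and network arguments are assumptions; review the
# output, then apply it as root, e.g.  gen_fw_rules eth0 eth1 10.0.0.0/24 | sh

# gen_fw_rules EXT_IF LAN_IF LAN_NET: gateway that masquerades LAN_NET.
gen_fw_rules() {
    ext_if=$1; lan_if=$2; lan_net=$3

    # Flush, then default-deny on INPUT and FORWARD (the box may still talk out).
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # Loopback and replies to connections we opened are always fine.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Only the LAN may open connections to the gateway or through it; the
    # Internet side gets no new connections, so firewalled daemons stay hidden.
    echo "iptables -A INPUT -i $lan_if -s $lan_net -j ACCEPT"
    echo "iptables -A FORWARD -i $lan_if -o $ext_if -s $lan_net -j ACCEPT"

    # Masquerade LAN traffic as it leaves on the external interface.
    echo "iptables -t nat -A POSTROUTING -o $ext_if -s $lan_net -j MASQUERADE"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"

    # Log what default-deny drops, so the logging slides have data to work with.
    echo "iptables -A INPUT -j LOG --log-prefix 'FW-DROP: '"
}

# gen_host_rules: single-machine variant with no forwarding and no NAT.
gen_host_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -j LOG --log-prefix 'FW-DROP: '"
}
```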

Page 22

Firewall

Firewall off daemons, but also harden/remove them.

Why both?

Page 23

Defense in Depth

Protect each service or possible vulnerability through multiple means, so that if one fails, the remaining methods keep your machine from being compromised.

Page 24

File Permissions

File Permissions Audit

Want to do something more comprehensive!

Educate newbies about groups?

Page 25

SUID Audit

SUID Audit: Blocking all paths to root!

Real Example: UserRooter (userhelper)

Page 26

SUID Audit 1/2

● mount/umount*
● ping
● traceroute
● dump/restore*
● cardctl

( * = has been vulnerable in past 3 years)

Page 27

SUID Audit 2/2

● at
● dosemu
● inn tools
● lpr/lp*
● r-tools*
● usernetctl
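The audit the two SUID slides describe, as an added example that is not Bastille's own code: find every set-UID/set-GID program under a tree, flag the ones on the slides' list, and strip the bit from those. The list takes "r-tools" as rsh/rlogin/rcp and leaves out the inn tools (assumptions); Bastille asks per program before changing anything, this version does not.

```shell
# Added example, not Bastille's own code: audit set-UID/set-GID programs
# under a directory tree and flag those the SUID Audit slides list.

# Names from the slides; r-tools taken as rsh/rlogin/rcp, inn tools omitted
# (both assumptions).
RISKY_SUID="mount umount ping traceroute dump restore cardctl at dosemu lpr lp rsh rlogin rcp usernetctl"

# suid_audit DIR: print every regular file with the setuid or setgid bit set.
suid_audit() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# flag_risky DIR: print only the audit hits whose basename is on the list.
flag_risky() {
    suid_audit "$1" | while read -r path; do
        case " $RISKY_SUID " in
            *" $(basename "$path") "*) echo "$path" ;;
        esac
    done
}

# drop_suid DIR: remove setuid/setgid bits from every flagged file, closing
# that path to root while leaving the program usable by root itself.
drop_suid() {
    flag_risky "$1" | while read -r path; do
        chmod u-s,g-s "$path" && echo "stripped: $path"
    done
}
```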

Page 28

Account Security

Protect the users' accounts

Enforce good policies to prevent privilege escalation

Page 29

Account Security

● Protect rhosts via PAM
● Password Aging
● Restrict Cron
● Umask
● Root TTY Logins

Page 30

Boot Security

● Password protect LILO
● Password protect runlevel 1

Page 31

Secure Inetd

● Deactivate Telnet
● Deactivate FTP

...

Page 32

Applied Minimalism

Since crackers may discover an exploitable vulnerability in any service running with privilege, minimize both the number of these services and their levels of privilege.

Page 33

Miscellaneous PAM

Mandatory System Resource Limits

● prevent core dumps
● limit number of processes per user
● filesize limit 100 MB

Page 34

Logging

Lots of extra logging

Remote Logging Host

Process Accounting

Page 35

Killing Daemons 1/2

● apmd
● nfs/portmapper*
● samba
● atd
● pcmcia
● dhcp server (*?)

Page 36

Killing Daemons 2/2

● gpm*
● news server*
● routing daemons
● NIS
● SNMPd*

Page 37

Sendmail

Reduce attacker's access to Sendmail

Remove reconnaissance commands.

Run sendmail as a non-root process via inetd/xinetd

Page 38

Postfix?

Sendmail's security vulnerability history is rich!

Why? Consider Postfix, by Wietse Venema, author of TCP Wrappers.

Modular, safer design!

Page 39

DNS - BIND

Secure BIND

Historical note: We secured BIND before the remote root exploits were released.

Philosophy: Harden it now, before the bugs are discovered!

Page 40

Hardening BIND 1/2

Chroot

Run as user/group dns

CONTAINMENT

Page 41

Hardening BIND 2/2

Restrict queries to set of hosts

Restrict zone transfers to set of hosts

Choose a random version string

Offer to configure views in BIND 9

Page 42

Hardening Apache 1/3

Deactivate Apache?

Bind Apache to localhost?

Page 43

Hardening Apache 2/3

Symlinks

Server Side Includes

CGI Scripts

Indices

Page 44

Hardening Apache 3/3

Removing Modules

Removing handlers

Restricting .htaccess overrides
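A check for the Apache settings these two slides cover (symlinks, server side includes, CGI, indices, executing handlers, .htaccess overrides), as an added example that is not Bastille's own code: an awk-based audit of an httpd.conf that reports each Directory block still permitting them, run here over a constructed weak config and its hardened counterpart. Paths and directive values in the samples are constructed.

```shell
# Added example, not Bastille's own code: audit an Apache httpd.conf for the
# settings the slides harden and print one line per risky directive found.

# apache_audit [FILE]: read httpd.conf from FILE (or stdin) and report findings.
apache_audit() {
    awk '
        BEGIN { dir = "(global)" }
        # Drop comments and leading whitespace so directives match reliably.
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }
        /^<Directory/   { dir = $2; sub(/>.*/, "", dir) }
        /^<\/Directory/ { dir = "(global)" }
        # Options: only enabling tokens are risky; "-Indexes" etc. are the fix.
        /^Options/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^\+?(Indexes|Includes|ExecCGI|FollowSymLinks|All)$/)
                    printf "%s: Options %s\n", dir, $i
        }
        # Anything but None lets a .htaccess re-enable what was just turned off.
        /^AllowOverride/ && $2 != "None" { printf "%s: AllowOverride %s\n", dir, $2 }
        # Handlers that execute content (CGI scripts, server-parsed SSI).
        /^AddHandler[ \t]+(cgi-script|server-parsed)/ { printf "%s: AddHandler %s\n", dir, $2 }
    ' "${1:--}"
}

# Constructed "before" config in the weak shape the audit should catch.
sample_weak_conf() {
    cat <<'EOF'
# constructed sample, not a real server config
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
</Directory>
AddHandler cgi-script .cgi
EOF
}

# The hardened form of the same block: nothing for the audit to report.
sample_hard_conf() {
    cat <<'EOF'
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -Includes -ExecCGI
    AllowOverride None
</Directory>
EOF
}
```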

Page 45

FTP

FTP is Really Bad(tm)!

● Unauthenticated data transfer channel (file theft)
● Bad authentication on command channel
● Takeover issues (cleartext session)

Try to replace it:

● HTTP for downloads?
● SFTP for password-ed user uploads?

Page 46

Hardening FTP 1/2

● Deactivate anonymous mode
● Deactivate normal user mode

Page 47

Hardening FTP 2/2

● Apply path filters to all filenames used
● Deactivate compression/tar-ing (external progs)
● Choose version string randomly
● Chroot normal users via 'guest' accounts
● Require RFC 822-compliant e-mail addresses
● Disable all dynamic 'message file' parsing/delivery
● Create less useful upload area
● Log: transfers, commands and security violations

Page 48

Speaker Bio

Jay Beale is the Lead Developer of Bastille Linux and an independent security consultant/trainer.

Mandrake. He's currently working on a book on Locking Down Linux for Addison Wesley. Read more of his articles on:

http://www.bastille-linux.org/jay