Uploaded by gabriel-bradford
Prerequisites
- Implement and enforce an internal security policy
- Determine risk
- Place the server in an appropriate physical location
Server OS
This presentation will concentrate on Linux servers. There are several documents available at www.microsoft.com describing hardening of Windows XP and 2003.
OS Hardening Basics
- Install the bare necessities
- Keep all system software up to date
- Delete/disable unnecessary user accounts
- Do not grant shell access unless needed
- Run public services in chrooted file systems
- Remove SUID bits
OS Hardening Basics cont…
- Configure logging and review the logs regularly
- Every host should be its own firewall
- Check systems with security scanners
- Document configurations for later use
Before Installation
- Set a BIOS password
- Plan the partitioning scheme: place /var, /opt and /usr/local on separate partitions
OS Installation
- If possible, do not connect to the internet to install.
- Do a very basic install. Do not install the X Window System or any desktop managers unless absolutely necessary.
- Install the latest versions if possible; if not, upgrade.
Post Install
- Set a boot loader password

/etc/lilo.conf:
    image=/boot/2.2.14-vmlinuz    # Kernel location
        label=Linux               # Arbitrary kernel label
        read-only
        password=hackme           # Sets password
        restricted                # Ask for it only when boot parameters are typed at the prompt

/boot/grub/menu.lst:
    timeout 3
    password hackme               # Sets password (stored in clear text; GRUB legacy also accepts password --md5 <hash>)
Post Install cont…
- Remove the root prompt on the kernel (the linuxrc delay that lets a user interrupt the boot)

/etc/mkinitrd/mkinitrd.conf:
    # DELAY  The number of seconds the linuxrc script should wait
    #        to allow the user to interrupt it before the system is brought up
    DELAY=0

- Regenerate your ramdisk image:
    cd /boot
    mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7
Kernel Download
- Download the latest kernel source from www.kernel.org or another mirror
- Many distributions make the kernel source available through their package managers, e.g. rpm, apt-get, emerge
Extract Kernel Source
- Move the kernel source to an appropriate directory, e.g. /usr/src
- Extract the kernel source:
    For tar.gz files:   tar -zxvf kernel-source-file.tar.gz
    For tar.bz2 files:  tar -jxvf kernel-source-file.tar.bz2
Configure Kernel Source
    cd /usr/src/kernel-source-dir/
    make config        (or: make menuconfig)
- Select only the most basic options needed to run the server. Do not enable sound, USB, serial or parallel port drivers if they are not needed for server functionality.
Compile Kernel and Modules
Generic:
    su
    make dep
    make clean
    make bzImage modules modules_install
    make bzlilo        (if using the lilo boot loader)

Debian:
    su
    make-kpkg clean
    make-kpkg --append-to-version=.<date> kernel_image modules_image
    dpkg -i ../kernel-image.<date>.deb

- Edit /etc/lilo.conf or /boot/grub/menu.lst to boot the new kernel
Common Unneeded Services
- rpc services: nfsd, nfsclient
- r-services: rsh, rlogin, rcp
- inetd
- linuxconfd
- sendmail
- telnet, FTP, POP
Identify Unneeded Services
- What's running?
    ps aux | less
- What ports are open?
    nmap localhost
    netstat -pn -l -A inet
    /usr/sbin/lsof -i | grep LISTEN
- What is started on boot?
    ls -la /etc/rc#.d/        (anything starting with "S")
    chkconfig --list          (RedHat)
- What is inetd running?
    grep -v "^#" /etc/inetd.conf | sort -u
Remove Unneeded Services
    chkconfig --level 2 linuxconf off
    rm /etc/rc#.d/S20ssh
- Comment out services in /etc/inetd.conf on Debian systems
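The two slides above boil down to "list what is enabled, then compare it with the list of commonly unneeded services". The script below is an added example (not part of the original deck) that does that comparison over constructed inetd.conf and netstat output; the UNNEEDED_PORTS table and the sample inputs are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original slides: cross-check the deck's list of
# commonly unneeded services against inetd.conf and netstat -pn -l -A inet output.
# Both inputs below are constructed samples, not captured from a real host.

SAMPLE_INETD='# /etc/inetd.conf: see inetd(8) for further information.
#echo   stream  tcp  nowait  root  internal
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.rshd
pop3    stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.pop3d'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN  412/sshd
tcp        0      0 0.0.0.0:23      0.0.0.0:*        LISTEN  398/inetd
tcp        0      0 0.0.0.0:25      0.0.0.0:*        LISTEN  455/sendmail
tcp        0      0 0.0.0.0:111     0.0.0.0:*        LISTEN  250/portmap
udp        0      0 0.0.0.0:111     0.0.0.0:*                250/portmap'

# Well-known ports of the services the deck calls commonly unneeded.
UNNEEDED_PORTS='21:ftp 23:telnet 25:sendmail 110:pop3 111:rpc 513:rlogin 514:rsh'

# Enabled (uncommented) inetd service names from a config on stdin, sorted and
# de-duplicated: the deck's grep -v "^#" /etc/inetd.conf | sort -u step.
enabled_inetd_services() {
    grep -v '^#' | awk 'NF { print $1 }' | sort -u
}

# "proto port program" for each listening socket in netstat output on stdin.
# UDP lines have no State column, so their program name is field 6, not 7.
listening_sockets() {
    awk '$1 ~ /^(tcp|udp)/ { sub(/.*:/, "", $4)
                             prog = ($1 ~ /^udp/) ? $6 : $7
                             sub(/^[0-9]*\//, "", prog)
                             print $1, $4, prog }'
}

# Listening ports that belong to an unneeded service, as "port service program".
flag_unneeded_ports() {
    listening_sockets | while read -r proto port prog; do
        for entry in $UNNEEDED_PORTS; do
            [ "${entry%%:*}" = "$port" ] && echo "$port ${entry#*:} $prog"
        done
    done | sort -u
}

printf '%s\n' "$SAMPLE_INETD" | enabled_inetd_services
printf '%s\n' "$SAMPLE_NETSTAT" | flag_unneeded_ports
```

On a real host, replace the two printf lines with `enabled_inetd_services < /etc/inetd.conf` and `netstat -pn -l -A inet | flag_unneeded_ports`.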
Automated Hardening
- Bastille Linux
    - originally going to be a secure distribution; instead became a set of scripts for hardening existing distributions
    - packages for multiple platforms: RedHat/Mandrake, Debian, Mac OS X, HP-UX
Keeping Software Updated
- Subscribe to distribution-specific security lists
- Automated updates:
    Red Hat:  up2date
    Debian:   apt-get update; apt-get upgrade
Delete Unnecessary User Accounts
- Directly read /etc/passwd to identify unnecessary accounts
- Use find to locate the user's files:
    find / -user username -print
Minimize Use of SUID=root
- Use find to locate violating files:
    find / -perm +4000 -user root -type f -print
    find / -perm +2000 -group root -type f -print
  (Current GNU find deprecates the +mode form; for a single bit, -perm -4000 and -perm -2000 are the portable equivalents.)
- Change permissions on the violating files:
    chmod u-s /full/path/to/filename
    chmod g-s /full/path/to/filename
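Finding the files once is only half the job; the deck also asks you to document configurations for later use. The script below is an added example (not from the original slides) that records the expected set-uid/set-gid files in a baseline and reports, and optionally strips, anything that appears later. The temporary tree, file names and baseline it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original slides: audit set-uid/set-gid files
# under a directory tree against a documented baseline, so that later runs show
# only files that gained a bit since the system was hardened.
# -perm -4000 / -perm -2000 is the POSIX form; GNU find's +4000 form is deprecated.

# One "suid PATH" or "sgid PATH" line per matching regular file under $1.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
        while read -r f; do
            if [ -u "$f" ]; then echo "suid $f"; else echo "sgid $f"; fi
        done
}

# Entries under tree $1 that are not already recorded in baseline file $2.
new_since_baseline() {
    list_suid_sgid "$1" | grep -v -x -F -f "$2"
}

# Strip the offending bit from every entry on stdin (the deck's chmod u-s / g-s step).
strip_bits() {
    while read -r kind path; do
        case $kind in
            suid) chmod u-s "$path" ;;
            sgid) chmod g-s "$path" ;;
        esac
    done
}

# Demo on a constructed tree in a temporary directory, not a real root file system.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin"
    : > "$root/bin/su";         chmod 4755 "$root/bin/su"
    : > "$root/usr/bin/passwd"; chmod 4755 "$root/usr/bin/passwd"
    : > "$root/usr/bin/wall";   chmod 2755 "$root/usr/bin/wall"
    : > "$root/usr/bin/ls";     chmod 0755 "$root/usr/bin/ls"
    # Baseline written when the system was hardened: su and passwd are expected.
    printf 'suid %s/bin/su\nsuid %s/usr/bin/passwd\n' "$root" "$root" > "$root/baseline"
    new_since_baseline "$root" "$root/baseline" | tee "$root/new"
    strip_bits < "$root/new"
    remaining=$(new_since_baseline "$root" "$root/baseline" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "remaining after strip: $remaining"
}
demo
```

On a real system, run `list_suid_sgid / > /root/suid-baseline` right after hardening and `new_since_baseline / /root/suid-baseline` from cron; review the report before feeding anything to strip_bits, since some binaries (su, passwd) need their bit.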
Run Services In chrooted File System
- chrooted file systems prevent hijacked daemons from accessing the entire file system.
- Move the service's file structure to an isolated directory.
- Change ownership from root to an arbitrary owner and group (e.g. named).
- Change file permissions.
Normal File Structure
Example of a normal BIND install:
    /
    /etc
    /usr
    /usr/bin
    /var
    /var/run
    /var/named
chrooted File Structure
    /chroot
    /chroot/named
    /chroot/named/dev
    /chroot/named/etc
    /chroot/named/etc/namedb
    /chroot/named/etc/namedb/slave
    /chroot/named/var/
    /chroot/named/var/run
Individual Host Firewalls
- Use ipchains on 2.2 and earlier kernels
- Use iptables on 2.4 and later kernels
- Kernel options to be selected: Connection Tracking, FTP Protocol Support, IP Tables Support, IRC Protocol Support, any other desired modules
Using iptables
- Create a new chain (-N).
- Delete an empty chain (-X).
- Change the policy for a built-in chain (-P).
- List the rules in a chain (-L).
- Flush the rules out of a chain (-F).
- Zero the packet and byte counters on all rules in a chain (-Z).

Manipulate Rules Inside Chains
- Append a new rule to a chain (-A).
- Insert a new rule at some position in a chain (-I).
- Replace a rule at some position in a chain (-R).
- Delete a rule at some position in a chain, or the first that matches (-D).
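The chain and rule operations above are the building blocks of the "every host is its own firewall" rule from the basics slide. The script below is an added example (not part of the original deck) that assembles them into a default-deny policy for a server exposing only SSH; IPT, SSH_PORT and the LOGDROP chain name are assumptions made for the example, and by default it only prints the rules it would load.

```shell
#!/bin/sh
# Added example, not part of the original slides: a minimal per-host iptables
# policy built from the chain operations the deck lists (-F, -X, -Z, -P, -N, -A).
# IPT defaults to a dry-run printer so the rule set can be reviewed first; run as
# root with IPT=iptables to load it. SSH_PORT is an assumed parameter, not from the deck.
SSH_PORT=${SSH_PORT:-22}
IPT=${IPT:-print_rule}

print_rule() { echo "iptables $*"; }

build_host_firewall() {
    # Start clean: flush all rules, delete user-defined chains, zero counters.
    $IPT -F
    $IPT -X
    $IPT -Z
    # Default-deny inbound and forwarded traffic; this host may originate its own outbound.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # A user chain that logs (rate-limited) and then drops, so denials show up in syslog.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    $IPT -A LOGDROP -j DROP
    # Loopback, and replies to connections this host started (needs connection tracking).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only exposed service is SSH; everything else is logged and dropped.
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j LOGDROP
}

# Number of -A rules the policy installs; a quick sanity check before applying.
rule_count() { build_host_firewall | grep -c ' -A '; }

build_host_firewall
```

Apply it from a console session rather than over SSH the first time, and check the result with `iptables -L -n -v` (the -L operation from the slide).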
System Loggers
- klogd: does kernel logging
- syslogd: does system logging
    /etc/syslog.conf
    facility.priority    /var/log/logfile      (a selector, then the action, separated by tabs)
- syslog-ng ("syslog new generation"): more advanced than syslogd
    /etc/syslog-ng.conf
Log Maintenance/Monitoring
- logrotate: automatically rotates specified log files
- swatch: configured to alert the system admin through e-mail or an echo with the system bell