DNS Server Security / Hardening
Linux OS - Fedora 14 / RHEL
Copyright Erwin L. Carrow This work is the intellectual property of the author. Permission is granted for this material to be shared for
non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is
given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires
written permission from the author. Videos and specific graphics presented are not for public distribution.
9/3/2011 1 Cyber Defense Security Presentation
Session Guide Erwin Carrow IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP,
CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc.
Board of Regents, University System of Georgia; Office of Internal Audit and Compliance
270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
http://www.linkedin.com/in/ecarrow
http://twitter.com/ecarrow
Skype: erwin.louis.carrow
Session Agenda
- DNS Server Security & Hardening: "Down and Dirty" (4 slides)
- Other DNS information included for your review (not elaborated on):
  - Internet threats & associated risks (2 slides)
  - DNS Service (3 slides): connecting hosts to services: protocols, transmission, network topology, & service request resolution
  - Controls to mitigate DNS service disruption (3 slides)
  - DNS "How-to" (7 slides): installation & configuration; DNS hardening - local file system, application, managing access control; network topology, architecture, & exchange
  - Helpful Hints (4 slides)

Key Takeaways
- Understand what "high-level" requirements are needed to secure a DNS server and access to the service (lecture focus)
- Slides for individual review (not elaborated on, but "how-to" provided):
  - Recognize common DNS service threats
  - Recognize the basic components & network topology for the implementation of a secure DNS service
  - Understand how to install, configure, secure, & administer a DNS service
  - Helpful hints that apply to any network service implementation
DNS Security & Hardening – Local System (1 of 4)
Define, Discuss, Demonstrate, & Do
- Configuring service partitioning, quotas, & ACLs
- chroot / jail the application
- tcpwrappers
- PAM (Pluggable Authentication Modules)
- SELinux: http://fedoraproject.org/wiki/SELinux
- IPTables (local firewall)
- Key setup, exchange, & management
- Local user account management
- Limit remote service admin access
- File permissions / mitigate escalation
- Limit service access
- Manage interdependent services, e.g., at & cron
- Patch management
- Manage DNS service logs
- Audit system activity
DNS Security & Hardening - Network (2 of 4)
Define, Discuss, Demonstrate, & Do
- Manage user identity & access control
- Limit "other" services: NIC / routing (edit /etc/sysctl.conf); run-levels / interactive boot; uninstall or disable all services not needed
- Configure & secure NTP exchanges
- Define the server's "role & responsibility" within the network topology
- DNS zone & records management: deployment, queries, & replication; in-band versus out-of-band
- Manage key exchange: TSIG for update exchanges; DNSSEC to validate sites & SOA
- Network proxy, firewall, & IDS / IPS
- Manage service(s) logs
DNS Security & Hardening: Network Topology (3 of 4)
Define, Discuss, Demonstrate, & Do
- Local system configuration: fence in the DNS playground; limit ownership & access; monitor activity
- Network deployment & topology: security threat gateway (firewall, proxy, IDS / IPS, etc.); limit services & access, and disable routing functions
- Manage requests & responses (internal & external, server to client): zone or record corruption; IP spoofing; cache poisoning; buffer overflow (patch!); data interception / impersonation
- Track & manage the bouncing bits & bytes! Vulnerability matrix & security advisories: https://www.isc.org/software/bind/security/matrix https://www.isc.org/advisories
Summary: DNS Security & Hardening (4 of 4)
Define, Discuss, Demonstrate, & Do
- Gain a basic understanding of the requirements for securing and hardening a DNS server
Thank You for Your Patience & Participation - Any Questions?

Helpful Resources
Linux Server Security by Michael D. Bauer; O’Reilly
DNS and BIND by Paul Albitz & Cricket Liu; O’Reilly
Understanding Data Communications by Gilbert Held; Addison-Wesley
Local Area Network by David A Stamper; Prentice Hall
Troubleshooting TCP/IP by Mark A. Miller; M&T Books
TCP/IP – Running a Successful Network by Kevin Washburn & Jim Evans; Addison-Wesley
ISC BIND page on DNSSEC - http://www.isc.org/software/bind/dnssec
DNSSEC deployment at the root zone - http://www.root-dnssec.org/
DNSSEC information for .org - http://www.pir.org/dnssec/
ENISA Good Practices Guide for Deploying DNSSEC - http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec
Appendix: Other Useful Information for Review
- Security Threat (2 slides)
- DNS Services (3 slides)
- Security and tools for hardening DNS (3 slides)
- Network Topology and Services, DNS Server (8 slides): installation, setup / configuration, security & administration
- Helpful Hints (4 slides)
Security Threat (1 of 2)
Define, Discuss, Demonstrate, & Do
- Functional characteristic: secure, monitor, & mitigate malicious attempts to malign or disrupt network services
- There are four general categories of security threats to the network: unstructured threats, structured threats, external threats, & internal threats (http://ptgmedia.pearsoncmg.com/images/1587131625/samplechapter/1587131625content.pdf)
- Classes of attacks: reconnaissance attacks, access attacks, denial of service attacks, & worms, viruses, and Trojan horses
- All of the following can be used to compromise your system: packet sniffers, IP weaknesses, password attacks, DoS or DDoS, man-in-the-middle attacks, application layer attacks, trust exploitation, port redirection, viruses, Trojan horses, operator error, & worms
Security Threat - Attack vs. Knowledge (2 of 2)
Define, Discuss, Demonstrate, & Do
[Figure: attack tool sophistication versus intruder knowledge, 1980-2010. Vertical axis: tool capabilities and ease of use (Low to High); the intruder skill needed falls over the same period. Attacks in timeline order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, session hijacking, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, DoS, web attacks, "stealth" / advanced scanning, spoofing, network attacks against DNS, SNMP, etc., distributed DoS, worms, viruses, browser attacks, anti-forensics, Trojans, command & control, crimeware / SSL-evading malware, APT.]
DNS Services: Protocols, Topology, & Resolution (1 of 3)
Define, Discuss, Demonstrate, & Do
- Domain Name Service (DNS) provides IP address and Fully Qualified Domain Name (FQDN) request information to hosts
- Type / role: authoritative or recursive; master (authoritative), slave (authoritative; load balancing & redundancy), caching (not authoritative; name-to-IP resolution), forwarding (not authoritative)
- DHCP can dynamically populate DNS host records
- Dynamic Host Configuration Protocol (DHCP) provides the IP address, default router gateway, DNS, WINS, and other service information a host requests to reach internal and external resources
  - Typically applied and configured to support the organization's intranet
  - Can be implemented locally in a specific broadcast domain, or requests can be forwarded through a relay agent
  - The host broadcasts a request & takes the first DHCP server response it receives
  - The host leases the information & must renew it periodically; the renewal request goes to the initial DHCP server via unicast, and if there is no response the host broadcasts the service request again
- Topology structure: nodes & zones
  - Root domains, delegation of authority, & Start of Authority: authority is delegated to lower levels in the hierarchy, and each layer may delegate authoritative control to the next lower level
  - Domains (SOA): Start of Authority for an FQDN, e.g., redhat.com, where one or more DNS server IP addresses are registered with the Internet Corporation for Assigned Names and Numbers (ICANN)
  - Sub-domains: internally controlled DNS servers that segment organization resources
  - Naming convention (FQDN)
- Transmission methodology
  - Host request / resolver: /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts
  - Server types & roles: primary-master; secondary-slave; & caching-only / forwarders
  - DNS resolution service:
    - Iterative queries: send the FQDN and request either the IP address of the domain or the FQDN of the authoritative DNS server (typically the host's resolver to the primary DNS server, then DNS server to server exchanges until resolution or an invalid result)
    - Recursive queries: send the FQDN to a DNS server and ask for the IP address of the domain (similar to above)
  - Process: query, cache, & response; FQDN to IP address; IP address to FQDN (reverse lookup domains); creates dynamic entries in DNS tables
  - Static entries: DNS records for domain services; DHCP can be dynamically linked to local DNS for internal hostname resolution
DNS Services: Protocols, Topology, & Resolution (2 of 3)
Define, Discuss, Demonstrate, & Do
- Answer the question: "How will a server fit into the big picture for the network?"
- DNS server service role & types of exchanges:
  - Master: (SOA) authoritative
  - Slave: (SOA?) authoritative (replicates the master) or non-authoritative (partitioned out or partial load-balancing)
  - Caching: non-authoritative; static or dynamic updates
  - Forwarding: non-authoritative
- Network topology location: service query / response support for external (Internet), DMZ, internal (intranet), host-based (caching)
- http://www.dnsbl.info/dnsbl-list.php
DNS Services: Protocols, Topology, & Resolution (3 of 3)
Define, Discuss, Demonstrate, &amp; Do
- Content management: zones are created to distinguish domains and catalogue host records
- DB file / record characteristics: Name; TTL (time to live: how long the record is cached); Class (IN for Internet, the only record class supported in DNS); Type (per the listing below); Data (content specific to the record type)
- Record types:
  - Start of Authority (SOA): information that identifies the top of the zone and other general properties
  - Address (A or AAAA): IPv4 / IPv6
  - Canonical name (CNAME): alias
  - Host information (HINFO)
  - Mail exchange (MX): mail server
  - Name server (NS): DNS servers
  - Pointer (PTR): reverse lookup, IP to FQDN
  - Text (TXT)
  - Well-known services (WKS)
- Where will the application physically reside on the local OS? Partition type, quotas, & ACLs
  - Manage space allocation; prevent hard links to programs; facilitate precise control over mount options to limit user access or influence; allow minimal privileges via mount options
- Chroot / jail the DNS application: if the service is compromised, this limits user rights & privilege escalation; if a local user is compromised, it limits their influence on the application
  - Function: runs a process with a root directory other than /: # /usr/sbin/chroot /home/user_name/existing_directory
  - The challenge is to include the interdependent binaries / library files in the "jail" environment; once set up, change to the location and start the service or application
- How will you manage DNS's local functional influence? You must manage the application's ability to influence overall system functionality!
  - SELinux (alternative: AppArmor): http://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-selinux.html http://www.nsa.gov/research/selinux/index.shtml http://hackinglinux.blogspot.com/2007/05/selinux-tutorial.html
  - PAM, Pluggable Authentication Modules (access control): http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html
- How will you manage access to the service?
  - TCP Wrappers: /etc/hosts.allow & /etc/hosts.deny; entry format daemon_list : client_list [: command]
  - Firewall, local and remote settings: IPTables
  - Disable all unneeded services! Enable application auditing; log management: monitor activity and event types!
DNS Service: Security Considerations (1 of 3)
Define, Discuss, Demonstrate, & Do
- DNS service access control. Sample exploit: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
  - Access Control Lists (ACLs)
  - TSIG transactions: shared hashed key
  - DNSSEC: relies on public/private key authentication. The DNSSEC specifications (RFC 4033, RFC 4034 and RFC 4035, augmented with others) answer three questions:
    - Authentication: the DNS server responding really is the one the request was sent to
    - Integrity: the response is complete and nothing is missing or changed
    - Proof of non-existence: if the DNS server returns a status that the name does not exist (NXDOMAIN), this response can be proven to have come from the authoritative server
  - RHEL: # dns-keygen, then edit /etc/rndc.key and insert the key; or RHEL/Fedora: # rndc-confgen > /etc/rndc.conf; rndc status
- Use DNSSEC to verify recursive DNS results. Default BIND configuration in RHEL 6:
  options { dnssec-enable yes; dnssec-validation yes; };
- In /etc/named.conf, set a "trust anchor" to trust the root DNSKEY:
  managed-keys { /* not the real root key */ "." initial-key 257 3 5 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEf K3clRbGaTwSJxrGkxJWoZu6I7PzJu/E9 gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9 mZhkdUpd1Vso/HAdjNe8L"; };
- Testing the validating recursive DNS server: # dig www.example.com +dnssec
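The dig +dnssec test only tells you something if you read the header flags: a resolver that validated the answer sets the AD (authenticated data) flag, returns NOERROR, and the answer carries RRSIG records next to the data. The script below is an added example, not part of the slides; it makes that check explicit so it can be scripted. The two embedded dig outputs are constructed samples, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the slides): decide from `dig <name> +dnssec` output
# whether the recursive resolver actually validated the answer. A validating
# resolver sets the AD ("authenticated data") flag in the header flags line,
# the status is NOERROR, and the answer carries RRSIG records alongside the
# data. Any one of those missing means "not validated".
# Usage on a real server:  dig www.example.com +dnssec | dnssec_validated

dnssec_validated() {
    out=$(cat)                                        # dig output from stdin
    # header looks like: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case " $flags " in
        *" ad "*) ;;
        *) echo "no AD flag: answer was not validated by the resolver" >&2; return 1 ;;
    esac
    printf '%s\n' "$out" | grep -q 'status: NOERROR' \
        || { echo "status is not NOERROR" >&2; return 1; }
    printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]][[:space:]]*RRSIG[[:space:]]' \
        || { echo "no RRSIG in the answer" >&2; return 1; }
    echo "validated"
}

# Constructed, trimmed samples (not real dig output). The first is what a
# validating resolver returns; the second has the same records but no AD flag,
# as a resolver without dnssec-validation would return.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20110930000000 20110901000000 12345 example.com. ZmFrZXNpZw=='

SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20110930000000 20110901000000 12345 example.com. ZmFrZXNpZw=='

# Runs the check on a sample and prints "validated" or "not validated".
check_sample() {
    if printf '%s\n' "$1" | dnssec_validated 2>/dev/null; then :; else echo "not validated"; fi
}

check_sample "$SAMPLE_OK"
check_sample "$SAMPLE_NOAD"
```

A resolver that answers with records but without AD either has dnssec-validation off or has no trust anchor for the zone; a SERVFAIL for a signed name, by contrast, is what a validating resolver returns when the signatures do not check out.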
DNS Service: Security Considerations (2 of 3)
Define, Discuss, Demonstrate, & Do
Authoritative server: configuration overview
(1) Create a normal DNS zone file
(2) Generate the zone-signing key and key-signing key
(3) Add DNSKEY records for both keys to the zone file
(4) Sign the zone (creates RRSIG and NSEC/NSEC3 records)
(5) Point /etc/named.conf at the signed zone file
(6) Reload the zone
(7) Provide the DS record for the zone's KSK to your parent zone

(1) Set up DNSSEC with each signed zone in its own directory, with the zone file named the same as the zone: /var/named/example.com/example.com is the zone file for the zone example.com. The directory and zone file need to be readable by group named and have the SELinux type named_zone_t.
(2) Generating the ZSK and KSK: change to the zone file's directory in /var/named
  # cd /var/named/example.com/
  Create the zone-signing key (ZSK): # dnssec-keygen example.com
  Create the key-signing key (KSK): # dnssec-keygen -fk example.com
  Add the -3 option to both dnssec-keygen commands if you want to use NSEC3 records
(3) Add the keys to the zone file. Each command results in a key pair of two files:
  Kexample.com.+005+00000.{key,private}
  Append the public key files to the zone file: # cat *.key >> /var/named/example.com/example.com
DNS Service: Security Considerations (3 of 3)
Define, Discuss, Demonstrate, & Do
(4) Manually sign the zone file: # dnssec-signzone example.com
  Add the -3 option if you want NSEC3 records. Active keys in the zone are used automatically. Creates the example.com.signed file.
  BIND 9.7 has a number of new features to support automatic signing on dynamic update, key rotation management, and so on; see the documentation in /usr/share/doc/bind-9.7*/arm/
(5) Update the zone directive and reload the zone. The zone directive in /etc/named.conf needs to point at the signed file:
  zone "example.com" IN { type master; file "example.com/example.com.signed"; };
(6) Reload the zone to make the changes take effect: # service named reload (or # rndc reload)
(7) Provide the DS record to the parent zone operator. If the parent zone is DNSSEC-signed and ready, provide your zone's DS record to your registrar. You can generate it from your zone file if necessary:
  # cd /var/named/example.com/
  # dnssec-dsfromkey -f example.com
  Creates the dsset-example.com. file containing the DS records.
Source: http://www.redhat.com/promo/summit/2010/presentations/taste_of_training/Summit_2010_DNSSEC.pdf
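Before step (5) points named.conf at the signed file it is worth confirming that steps (1) to (4) actually left the directory in the expected state: both key types present, the public keys appended to the zone, and a signed file that is newer than the zone and carries signatures and an NSEC chain. The script below is an added example, not part of the slides or of the Red Hat deck they cite. It is pure shell, so it also runs where the BIND tools are not installed (for instance on a checkout of a configuration repository). The example.com zone, the DNSKEY lines and the fake_sign function are constructed stand-ins for what dnssec-keygen and dnssec-signzone produce; they contain no real key material.

```shell
#!/bin/sh
# Added example, not from the slides or Red Hat: pre-flight check for a zone
# directory laid out as in steps (1)-(4) above (/var/named/<zone>/<zone>,
# K<zone>.+*.key appended to the zone file, <zone>.signed from dnssec-signzone)
# before step (5) points named.conf at the signed file.
# Usage:  dnssec_zone_preflight /var/named/example.com example.com

dnssec_zone_preflight() {
    dir=$1; zone=$2; zf="$dir/$zone"; signed="$zf.signed"; rc=0
    [ -f "$zf" ] || { echo "FAIL: zone file $zf missing"; return 1; }
    ls "$dir"/K"$zone"*.key >/dev/null 2>&1 \
        || { echo "FAIL: no K$zone*.key files in $dir (run dnssec-keygen)"; return 1; }
    ksk=0; zsk=0
    for k in "$dir"/K"$zone"*.key; do
        rr=$(grep -v '^;' "$k" | grep 'DNSKEY' || true)    # the public-key RR line
        [ -n "$rr" ] || { echo "FAIL: no DNSKEY record in $k"; rc=1; continue; }
        # the flags field follows the DNSKEY type: 257 = KSK, 256 = ZSK
        fl=$(printf '%s\n' "$rr" | awk '{for (i = 1; i < NF; i++) if ($i == "DNSKEY") print $(i+1)}')
        case "$fl" in 257) ksk=$((ksk + 1)) ;; 256) zsk=$((zsk + 1)) ;; esac
        # step (3): the public key must have been appended to the zone file
        grep -qF -- "$rr" "$zf" || { echo "FAIL: $(basename "$k") not in $zf (cat *.key >> zone)"; rc=1; }
    done
    [ "$ksk" -ge 1 ] || { echo "FAIL: no key-signing key (flags 257)"; rc=1; }
    [ "$zsk" -ge 1 ] || { echo "FAIL: no zone-signing key (flags 256)"; rc=1; }
    [ -f "$signed" ] || { echo "FAIL: $signed missing (run dnssec-signzone)"; return 1; }
    [ "$zf" -nt "$signed" ] && { echo "FAIL: $zf edited after signing; re-sign"; rc=1; }
    grep -q 'RRSIG' "$signed" || { echo "FAIL: no RRSIG records in $signed"; rc=1; }
    grep -q 'NSEC' "$signed" || { echo "FAIL: no NSEC/NSEC3 chain in $signed"; rc=1; }
    [ "$rc" -eq 0 ] && printf 'OK: zone "%s" IN { type master; file "%s/%s.signed"; };\n' "$zone" "$zone" "$zone"
    return "$rc"
}

# Constructed fixture: a tiny example.com zone with fake keys (not real key
# material) laid out the way the procedure leaves it.
make_fixture() {            # $1 = directory, $2 = zone
    mkdir -p "$1"
    cat > "$1/$2" <<EOF
\$TTL 3600
$2. IN SOA ns1.$2. hostmaster.$2. ( 2011090301 3600 900 604800 300 )
$2. IN NS ns1.$2.
ns1.$2. IN A 192.0.2.53
EOF
    printf '; zone-signing key, keyid 11111, for %s.\n%s. IN DNSKEY 256 3 8 AwEAAfakeZSKkey==\n' "$2" "$2" > "$1/K$2.+008+11111.key"
    printf '; key-signing key, keyid 22222, for %s.\n%s. IN DNSKEY 257 3 8 AwEAAfakeKSKkey==\n' "$2" "$2" > "$1/K$2.+008+22222.key"
}

# Stand-in for dnssec-signzone: writes <zone>.signed with one RRSIG and one NSEC.
fake_sign() {               # $1 = directory, $2 = zone
    { cat "$1/$2"
      echo "$2. 3600 IN RRSIG SOA 8 2 3600 20111001000000 20110901000000 11111 $2. c2lnbmF0dXJl"
      echo "$2. 3600 IN NSEC ns1.$2. A NS SOA RRSIG NSEC DNSKEY"
    } > "$1/$2.signed"
}

demo_complete() {           # all steps done: prints "ok"
    d=$(mktemp -d); make_fixture "$d" example.com
    cat "$d"/Kexample.com*.key >> "$d/example.com"     # step (3)
    fake_sign "$d" example.com                          # step (4)
    if dnssec_zone_preflight "$d" example.com >/dev/null; then echo ok; else echo fail; fi
    rm -rf "$d"
}

demo_keys_not_appended() {  # step (3) skipped: prints "fail"
    d=$(mktemp -d); make_fixture "$d" example.com
    fake_sign "$d" example.com
    if dnssec_zone_preflight "$d" example.com >/dev/null; then echo ok; else echo fail; fi
    rm -rf "$d"
}

demo_complete
demo_keys_not_appended
```

On a real server run the check from the zone directory after dnssec-signzone and paste the OK line it prints into /etc/named.conf; if the zone file is edited later, the "edited after signing" failure is the reminder to re-sign before reloading, since named would otherwise serve stale signatures.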
Network Services: Protocols, Topology, & Resolution
Define, Discuss, Demonstrate, & Do
- Client / server resolver settings. How will queries be made? Resolution priority & precedence (search method): edit the local system files /etc/nsswitch.conf; /etc/hosts; /etc/resolv.conf
- Consider who the DNS server will support (internal / external) and only serve DNS for those types. Segregate support requirements: don't do both in one server instance. Do not arbitrarily allow zone transfers or recursion.
- Partition and ACL setup:
  - Install & configure ACL support: # yum install acl
  - Edit /etc/fstab: /dev/hdc1 /var/named ext4 defaults,acl 1 2
  - # mount -t ext4 -o acl,remount /dev/hdc1 /var/named
  - Apply security via getfacl & setfacl: # setfacl -m u:named:rwx /var/named
- Prevent hard links to setuid programs; specify precise control over mount options; allow minimal privileges via mount options
  - Modify /etc/fstab: noexec on everything possible; nodev everywhere except / and chroot partitions; nosuid everywhere except /
  - Consider making /var/tmp a link to /tmp, or use the mount --bind option
- GUI management utility: http://www.webmin.com/
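The mount-option policy above (noexec where possible, nodev everywhere except / and the chroot partition, nosuid everywhere except /, plus acl on /var/named so that setfacl works) is easy to state and easy to let drift. The script below is an added example, not from the slides: it reads an fstab and prints one line per mount that deviates from that policy. The set of mount points that cannot be noexec and the chroot path are assumptions for the example; the fstab it audits is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the slides): audit an fstab against the mount-option
# policy above: noexec wherever possible, nodev everywhere except / and the
# chroot partition, nosuid everywhere except /, and acl on /var/named so that
# setfacl works there. Prints one line per deviation; prints nothing if clean.
# EXEC_OK and CHROOT are assumptions for the example: adjust to the host.
EXEC_OK="/ /usr /var/named/chroot"      # mount points that cannot be noexec
CHROOT="/var/named/chroot"

has_opt() {                # $1 = comma-separated option list, $2 = option
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

fstab_audit() {            # $1 = path to an fstab file
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r dev mnt fstype opts dump pass; do
        case "$fstype" in swap|proc|sysfs|devpts) continue ;; esac
        exec_ok=0; for m in $EXEC_OK; do [ "$m" = "$mnt" ] && exec_ok=1; done
        [ "$mnt" = / ] || [ "$mnt" = "$CHROOT" ] || has_opt "$opts" nodev || echo "$mnt: missing nodev"
        [ "$mnt" = / ] || has_opt "$opts" nosuid || echo "$mnt: missing nosuid"
        [ "$exec_ok" -eq 1 ] || has_opt "$opts" noexec || echo "$mnt: missing noexec"
        [ "$mnt" != /var/named ] || has_opt "$opts" acl || echo "$mnt: missing acl (setfacl needs it)"
    done
}

# Constructed fstab for the demo (not a real system's): /tmp lacks noexec.
demo_fstab_findings() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# device      mount point   type  options                              dump pass
/dev/sda1     /             ext4  defaults                             1 1
/dev/sda2     /home         ext4  defaults,nodev,nosuid,noexec         1 2
/dev/sda3     /tmp          ext4  defaults,nodev,nosuid                1 2
/dev/hdc1     /var/named    ext4  defaults,acl,nodev,nosuid,noexec     1 2
/dev/sda5     swap          swap  defaults                             0 0
EOF
    fstab_audit "$f"
    rm -f "$f"
}

demo_fstab_findings
```

Run it as `fstab_audit /etc/fstab` on the server; an empty result means every mount carries the options the policy asks for. The audit reads only fstab, so a partition that was remounted by hand with different options (the `mount -o remount` step above) will not be seen until the change is also written to fstab.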
DNS Server – Install, Setup, & Administration (1 of 7)
Define, Discuss, Demonstrate, & Do
- Identify the type of server and its location: master, slave, caching, or forwarding
- Server setup: install bind, bind-utils, bind-chroot [jail the application], caching-nameserver [RHEL: install for the cache server function], system-config-bind
- Network interface configuration:
  - Define & apply a static IP address to the interface: modify /etc/sysconfig/network-scripts/ifcfg-ethX; set PEERDNS=no
  - Modify /etc/hosts: map host names to the IP addresses of resources for DNS lookups [optional]
  - Modify /etc/resolv.conf: insert at the beginning of the file: nameserver 127.0.0.1
- Security considerations: chroot / jail the application due to ever-changing & challenging security issues
  - # yum install bind-chroot (the configuration then lives in /var/named/chroot/etc/named.conf)
  - Copy dependent binaries & libraries into the chroot directory and manage links
  - Modify /etc/sysconfig/named and set the ROOTDIR shell variable to /var/named/chroot, e.g., ROOTDIR="/var/named/chroot"
  - Test: do an inode comparison
    # ls /var/named/chroot/var/named
    # ls -ldi /var/named/chroot/var/named
    # ls -ldi /var/named
    # service named start
    # ls -ldi /var/named/chroot/var/named [should now reflect the /var/named inode]
DNS Server – Install, Setup, & Administration (2 of 7)
Define, Discuss, Demonstrate, & Do
- More security considerations: http://www.puschitz.com/SecuringLinux.shtml
- Modify / edit firewall & SELinux settings: allow TCP & UDP port 53
- Secure transaction exchange: TSIG signatures, a hashed-key exchange to support secure record exchange / replication. Time synchronization is critical: if a TSIG exchange fails, check the time.
- Split-horizon server / proxy server placed in the DMZ: internal versus external name resolution can support two different query types, but this is not recommended
- Logs: /var/log/messages. [Assuming the DNS chroot:]
  # mkdir -p /var/named/chroot/var/log/bind
  # chmod 744 /var/named/chroot/var/log/bind
  # chown named /var/named/chroot/var/log/bind
  # ls -ld /var/named/chroot/var/log/bind
- NTP time services must be properly configured and secured
DNS Server – Install, Setup, & Administration (3 of 7)
Define, Discuss, Demonstrate, & Do
- Server service init & start: # chkconfig named on; service named start
- Service modification: # service network [stop | start | restart]
- RHEL configuration test: # service named configtest
- Documentation: http://www.zytrax.com/books/dns/ and file:///usr/share/doc/bind-9.7.2/arm/Bv9ARM.html
- Server configuration: edit /etc/named.conf
  - See /usr/share/doc/bind*/sample/ for example named configuration files
  - RHEL and Fedora have distinctions [see page 786 for details]
  - Determine the type / role of the DNS server(s) per the topology design or requirements: master, slave, or caching
  - Modify settings
  - Create zones: root domains, local global domains, & reverse lookup domains
  - Configure security: exchange methods & keys
  - Populate domains with the appropriate static records, e.g., name server (NS), mail server (MX), host records (A/AAAA), service records (IP and service port specific), reverse lookup records (PTR), etc.
  - Restart services
  - Zone information is located in /var/named
DNS Server – Install, Setup, & Administration (4 of 7)
Define, Discuss, Demonstrate, & Do
- Only common references below; change the file system locations below to the jailed DNS file locations
- Caching-only server: # yum install -y caching-nameserver; # cp /etc/named.caching-nameserver.conf /etc/named.conf
- Slave zone files: # ls /var/named/slaves. Manually pull the master file to the slave: # dig -t axfr zone_name.com @servername. On RHEL 6 /var/named is not writable; put zones that receive modifications in /var/named/dynamic and then update /etc/named.conf
- Local system security settings:
  - ACL: define an ACL directive: acl "local-net" { 127.0.0.1; 192.168.1.0/24; }; and place in named.conf: allow-transfer { local-net; }; allow-query { local-net; };
  - User access: DNS files owned by the application's "named" user and not root! # chown root:named /etc/named/*; chown root:named /var/named/*
  - IPTables firewall security settings (general settings provided):
    # iptables -I INPUT 5 -p udp -m udp --dport 53 -j ACCEPT
    # iptables -I INPUT 5 -p tcp -m tcp --dport 53 -j ACCEPT
    # iptables -I INPUT 5 -p tcp -m tcp --dport 953 -j ACCEPT [rndc control channel]
    # service iptables save; service iptables restart
  - SELinux: # getsebool -a | grep named_dis; # setsebool -P named_disable_trans=1; # chcon -t named_conf_t /etc/named.conf; # ls -Z /etc | grep named.conf
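The two settings the slides single out, "do not arbitrarily allow zone transfers or recursion" and the allow-transfer / allow-query ACL above, are the ones most often left at their defaults. The script below is an added example, not from the slides: it flags a named.conf that leaves transfers or recursion open or advertises the BIND version, and shows a weak configuration beside a hardened one that follows the ACL advice and restricts transfers to a TSIG key. The key name, the placeholder secret and the ACL contents are assumptions for the example; both configs are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): flag the named.conf settings that leave
# a BIND server open as a transfer source or an open resolver, and show a weak
# and a hardened configuration side by side. The key name, secret placeholder
# and ACL contents are assumptions for the example.

named_conf_audit() {       # $1 = path to named.conf; one finding per line
    # drop // and # comments and single-line /* */ comments, flatten whitespace
    c=$(sed 's:/\*.*\*/::; s://.*$::; s:#.*$::' "$1" | tr '\n\t' '  ' | tr -s ' ')
    if ! printf '%s' "$c" | grep -q 'allow-transfer *{'; then
        echo "allow-transfer not set: BIND 9.7 allows zone transfers to anyone by default"
    elif printf '%s' "$c" | grep -q 'allow-transfer *{ *any;'; then
        echo "allow-transfer { any; }: zone contents readable by anyone"
    fi
    if printf '%s' "$c" | grep -q 'recursion yes;'; then
        if ! printf '%s' "$c" | grep -q 'allow-recursion *{'; then
            echo "recursion yes without allow-recursion: open resolver for every allowed querier"
        elif printf '%s' "$c" | grep -q 'allow-recursion *{ *any;'; then
            echo "allow-recursion { any; }: open resolver"
        fi
    fi
    printf '%s' "$c" | grep -q 'version *"' || echo "version not overridden: add version \"none\"; to options"
}

named_conf_findings() { named_conf_audit "$1" | wc -l | tr -d ' '; }   # number of findings

# Constructed configs for the demo. "weak" is a common default-ish setup;
# "hardened" follows the slides' ACL advice and restricts transfers to a TSIG key.
write_weak_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
};
zone "example.com" IN { type master; file "example.com/example.com"; };
EOF
}
write_hardened_conf() {
    cat > "$1" <<'EOF'
acl "local-net" { 127.0.0.1; 192.168.1.0/24; };
// TSIG key shared with the slave; the secret is a placeholder, generate a real one
key "xfer-key" { algorithm hmac-sha256; secret "REPLACE-WITH-BASE64-SECRET"; };
options {
    directory "/var/named";
    version "none";          /* do not advertise the BIND version */
    recursion no;            // authoritative-only: no recursion for anyone
    allow-query { any; };    // the world may ask for our zones
    allow-transfer { key xfer-key; };   // only a TSIG-signed slave gets AXFR
};
zone "example.com" IN { type master; file "example.com/example.com.signed"; };
EOF
}

demo_counts() {           # echoes "<weak findings> <hardened findings>"
    w=$(mktemp); h=$(mktemp)
    write_weak_conf "$w"; write_hardened_conf "$h"
    echo "$(named_conf_findings "$w") $(named_conf_findings "$h")"
    rm -f "$w" "$h"
}
demo_counts               # prints: 3 0
```

The slides' allow-query { local-net; } is right for an internal server; on an Internet-facing authoritative server allow-query has to stay open while recursion is turned off, which is what the hardened sample does. The audit is a line-oriented approximation (multi-line /* */ comments are not stripped), so treat a finding as a prompt to read the options block, and run named-checkconf on the file as well.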
DNS: Server – Install, Setup, & Administration (5 of 7)
Define, Discuss, Demonstrate, & Do
- Only common references below; change the file system locations below to the jailed DNS file locations
- Modify named.conf and insert: include "/etc/rndc.key";
- Create the key: # dns-keygen [Fedora: $ /usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -n HOST keyname; then $ cat Kkeyname.+243+14321.private, similar to the key below; see page 803]
- Create the key file: # vi /etc/rndc.key
  key "rndckey" { algorithm hmac-md5; secret "aresrntynratbYjhjdslo863eWEDvOVCmdvfvb"; };  [not a real key]
- Create the config file: # rndc-confgen > /etc/rndc.conf; edit /etc/rndc.conf and paste in the key content listed above
- Edit named.conf & add: controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; }; }; include "/etc/rndc.key";
- Change ownership of the files: # chown root:named /etc/rndc.*; # chmod 400 /etc/rndc.*; service named configtest; service named restart; rndc status; # chcon -t named_conf_t rndc.key rndc.conf
- Logs: /var/log/bind; /var/log/messages

DNS: Server Key Exchange Setup (6 of 7)
Define, Discuss, Demonstrate, & Do [RHEL]
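The rndc key setup above hides the two things that matter in rndc-confgen: the secret is random data, and the file holding it must not be readable by anyone but root and the named process. The script below is an added example, not the slides' own commands: it produces the key file and the matching controls stanza in plain shell so each step is visible. Assumptions for the example: hmac-sha256 rather than the slides' hmac-md5 (BIND has supported HMAC-SHA256 since 9.5), the key name rndc-key, and that after creation the file is given to root:named with mode 640 so that named, which runs as user named, can read it.

```shell
#!/bin/sh
# Added example (not the slides' own commands): generate an rndc/TSIG key the
# way rndc-confgen does, but in plain shell so each step is visible: a random
# 256-bit base64 secret, a key file created without group/world access, and
# the matching controls stanza for named.conf. Assumptions for the example:
# hmac-sha256 (supported since BIND 9.5) instead of the slides' hmac-md5, the
# key name "rndc-key", and that the caller runs chown root:named and chmod 640
# on the file afterwards so that named (running as user named) can read it.
# Usage (as root):  make_rndc_key /etc/rndc.key rndc-key >> /etc/named.conf

make_rndc_key() {           # $1 = key file to create, $2 = key name
    keyfile=$1; name=$2
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')   # 32 random bytes
    ( umask 077                                                # file mode 0600
      cat > "$keyfile" <<EOF
key "$name" {
    algorithm hmac-sha256;
    secret "$secret";
};
EOF
    )
    # controls stanza: rndc accepted only over loopback and only with this key
    cat <<EOF
include "$keyfile";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "$name"; };
};
EOF
}

# Checks on a generated key file: decoded secret length and file mode.
rndc_secret_bytes() {       # $1 = key file; prints decoded secret length
    sed -n 's/.*secret "\(.*\)";.*/\1/p' "$1" | base64 -d | wc -c | tr -d ' '
}
rndc_key_mode() {           # $1 = key file; prints e.g. -rw-------
    ls -l "$1" | cut -c1-10
}

demo() {                    # constructed run in a temp dir; prints the named.conf lines
    d=$(mktemp -d)
    make_rndc_key "$d/rndc.key" rndc-key
    echo "secret bytes: $(rndc_secret_bytes "$d/rndc.key"), mode: $(rndc_key_mode "$d/rndc.key")"
    rm -rf "$d"
}
demo
```

The same key statement, copied verbatim, is what a slave needs in its named.conf for TSIG-signed zone transfers; the transfer fails if the two copies differ or if the clocks are more than a few minutes apart, which is the time-synchronization point the slides make.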
DNS Service Security: Topology ACLs / Key Exchange (7 of 7)
Define, Discuss, Demonstrate, & Do
- GUI: system-config-network; system-config-network-tui
- CLI query / resolver: $ dig fully_qualified_domain_hostname; dig -x ip_address; dig -t MX fully_qualified_domain_hostname
  $ host ip_address; hostname; nslookup FQDN or IP_ADD; ping FQDN or IP_ADD; whois domain_name (look up info for a hostname or IP address)
- CLI configure interface & routes: # ifconfig interface up|down
  - Check out # ethtool eth0 (ethtool must be installed)
  - Server: static configuration per node with host FQDN, host IP, subnet mask, default gateway, & DNS server IP
  - ip commands:
    # ip addr add 1.2.3.4/24 brd + dev eth0 (add or delete IP & subnet mask)
    # ip route add default via 1.2.3.254 (add or delete the default gateway; change "default" to a network address to create a static route)
    # ip link set dev eth0 up (bring the interface up or down)
    # ip addr show; ip -s link; ip route show; hostname -i
  - ip or route commands: # route add default gw 192.168.1.1 [gateway address] eth0 [interface on the same network as the gateway address]
- Edit related files: /etc/sysconfig/network-scripts; http://lartc.org/howto/lartc.rpdb.multiple-links.html http://www.itsyourip.com/Linux/howto-add-a-persistent-static-route-in-redhat-enterprise-linux/
DNS Server – Helpful Hints for Setup & Administration (1 of 4)
Define, Discuss, Demonstrate, & Do
- CLI: configure service & status
  # service --status-all (state of every service on the system)
  # service service_name [stop | start | restart | status]
  # chkconfig service_name [on | off]
  # service service_name configtest
  # netstat -tupl (internet services listening on the system); netstat -tup (active connections to/from the system); netstat -tanp | grep LISTEN
- Troubleshooting methodology: start with the local host, then the remote host or service
  - Check the local interface (hostname, ifconfig, iwconfig, ping, netstat)
  - Check the local gateway and route (ping, route, traceroute)
  - Check local services: ACLs, firewall, proxy, DNS, file share, etc. (netstat, dig, host, nslookup)
  - Check remote host services or resources (ping, finger, jwhois, lynx, nmap, mtr, browsers)
- Key file locations: /sbin; /etc/sysconfig/network; /etc/sysconfig/network-scripts; /etc/init.d/network "start, restart, or stop"
- Disabling unnecessary daemons that are "listening": locate the PID in the netstat output; cat /proc/<pid>/cmdline; if it is not a full path, run which or locate to find the utility; rpm -qf full_path_of_daemon; rpm -e package_name; if it is difficult to remove due to dependencies: chkconfig <service> off
- tcp_wrappers: even if iptables is in use, configure this just in case. Set /etc/hosts.deny to ALL: ALL. Many daemons are compiled with support; find them with: grep -l libwrap /usr/bin/* /usr/sbin/* | sort. For each program found, use its base name in /etc/hosts.allow to set the expected access rights (if there are any), e.g.: smbd: 192.168.1.
  http://linuxhelp.blogspot.com/2005/10/using-tcp-wrappers-to-secure-linux.html
- init: disable interactive boot by editing /etc/sysconfig/init and setting PROMPT=no. Also add a password to single-user mode: edit /etc/inittab and add ~~:S:wait:/sbin/sulogin
DNS Server – Helpful Hints for Network Settings (2 of 4)
Define, Discuss, Demonstrate, & Do
- Edit /etc/sysctl.conf settings:
  # Don't reply to broadcasts; prevents joining a smurf attack
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  # Enable protection for bad ICMP error messages
  net.ipv4.icmp_ignore_bogus_error_responses = 1
  # Enable SYN cookies for SYN flood attack protection
  net.ipv4.tcp_syncookies = 1
  # Log spoofed, source-routed, and redirect packets
  net.ipv4.conf.all.log_martians = 1
  net.ipv4.conf.default.log_martians = 1
  # Don't allow source-routed packets
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.default.accept_source_route = 0
  # Turn on reverse path filtering
  net.ipv4.conf.all.rp_filter = 1
  net.ipv4.conf.default.rp_filter = 1
  # Don't allow outsiders to alter the routing tables
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv4.conf.all.secure_redirects = 0
  net.ipv4.conf.default.secure_redirects = 0
  # Don't pass traffic between networks or act as a router
  net.ipv4.ip_forward = 0
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
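The sysctl list above is a baseline that is easy to verify mechanically. The script below is an added example, not from the slides: it compares a sysctl.conf against exactly those settings and reports each key that is missing or set to another value, following sysctl's rule that the last assignment of a key wins; a second function applies the same list to the running kernel. The sysctl.conf it audits is a constructed sample with one wrong value and one missing key.

```shell
#!/bin/sh
# Added example (not from the slides): compare a sysctl.conf against the
# settings listed above and report every key that is missing or has a
# different value. The last assignment of a key wins, as it does for sysctl.
# Usage:  sysctl_conf_audit /etc/sysctl.conf

EXPECTED='net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0'

sysctl_conf_audit() {      # $1 = sysctl.conf path; one finding per line
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        re=$(printf '%s' "$key" | sed 's/\./\\./g')          # escape dots for sed
        have=$(sed -n "s/^[[:space:]]*$re[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1)
        if [ -z "$have" ]; then
            echo "$key: want $want, not set (kernel default applies)"
        elif [ "$have" != "$want" ]; then
            echo "$key: want $want, have $have"
        fi
    done
}

# Same check against the running kernel (Linux only); reads each key with sysctl -n.
sysctl_live_audit() {
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        have=$(sysctl -n "$key" 2>/dev/null)
        [ "$have" = "$want" ] || echo "$key: want $want, have ${have:-unreadable}"
    done
}

# Constructed sysctl.conf for the demo: ip_forward wrong, bogus_error_responses missing.
demo_sysctl_findings() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Kernel sysctl configuration (constructed sample)
net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
    sysctl_conf_audit "$f"
    rm -f "$f"
}
demo_sysctl_findings
```

A clean sysctl.conf and a clean live audit are two different things: the file is applied at boot, so a value changed by hand or by another package's drop-in file shows up only in the live check.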
- at & cron: only allow root and people with a verified need to run cron jobs. Set up cron.allow and cron.deny; set up the equivalents if you have at installed
- sshd: enable only the SSH2 protocol. If multi-homed, consider whether it needs to listen on all addresses or just one. Do not allow root logins. Consider adding a group permission for logins: AllowGroups wheel
- MySQL: if the database is used internally to the machine, make it listen on localhost. Change passwords
- Apache: remove all unneeded modules. Use mod_security to weed out injection attacks. Set the correct SELinux booleans to maintain functionality and protection
DNS Server – Helpful Hints for Network Settings (3 of 4)
Define, Discuss, Demonstrate, & Do
- SELinux
  - Leave it enabled and in enforcing mode
  - Does not affect daemons it doesn't know about, unless they are started in a confined domain (note the earlier suggestions for chroot changes)
  - Provides a behavioral model that known applications should be following
  - Can stop attacks before they become complete system breaches
  - Use the targeted policy; strict and MLS should be used only if you need that kind of protection
  - Do a boolean lockdown: review all booleans and set them appropriately (getsebool -a). Generally, to secure the machine, look at things that are set to "on" and change them to "off" if they do not apply
- SELinux boolean lockdown: # getsebool -a | grep ' on'
  allow_daemons_dump_core --> on
  allow_daemons_use_tty --> on
  allow_execmem --> on
  allow_execstack --> on
  allow_gadmin_exec_content --> on
  allow_gssd_read_tmp --> on
  allow_kerberos --> on
  allow_mounton_anydir --> on
  allow_postfix_local_write_mail_spool --> on
  allow_staff_exec_content --> on
  allow_sysadm_exec_content --> on
  allow_unconfined_exec_content --> on
  allow_unlabeled_packets --> on
  allow_user_exec_content --> on
  allow_xserver_execmem --> on
  allow_zebra_write_config --> on
  browser_confine_xguest --> on
  httpd_builtin_scripting --> on
  httpd_enable_cgi --> on
  httpd_enable_homedirs --> on
  httpd_tty_comm --> on
  httpd_unified --> on
  read_default_t --> on
  spamd_enable_home_dirs --> on
  user_ping --> on
DNS Server – Helpful Hints for Network Settings (4 of 4)
Define, Discuss, Demonstrate, & Do
- Access control
  - Do not allow root logins: this messes up the audit system since root is a shared account. sshd and gdm have settings to disallow root login
  - pam_tally2: used to lock out an account after consecutive failed login attempts
  - pam_access: used to forbid logins from certain locations, consoles, and accounts; /etc/security/access.conf controls its configuration
  - pam_time: used to forbid logins during non-business hours; /etc/security/time.conf controls its configuration
  - pam_limits: used to limit maximum concurrent sessions and other user restrictions; /etc/security/limits.conf controls its configuration
  - pam_loginuid: used by all entry-point daemons to set the task's loginuid and session identifier; the loginuid and session ID are inherited by all processes at fork
  - Limit access to the su command: edit /etc/pam.d/su and uncomment the line that requires wheel membership to allow a uid change: auth required pam_wheel.so use_uid
- http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
- http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf