Dns Hardening Linux Os


Hardening a Linux Red Hat DNS Server and similar services

Transcript of Dns Hardening Linux Os

Page 1: Dns Hardening   Linux Os

DNS Server Security / Hardening

Linux OS - Fedora 14 / RHEL

Copyright Erwin L. Carrow This work is the intellectual property of the author. Permission is granted for this material to be shared for

non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is

given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires

written permission from the author. Videos and specific graphics presented are not for public distribution.

9/3/2011 1 Cyber Defense Security Presentation

Page 2: Dns Hardening   Linux Os

Session Guide Erwin Carrow IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP,

CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc.

Board of Regents, University System of Georgia; Office of Internal Audit and Compliance

270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334

(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax

Email: [email protected] [email protected] [email protected]

http://www.linkedin.com/in/ecarrow

http://twitter.com/ecarrow

Skype: erwin.louis.carrow


Page 3: Dns Hardening   Linux Os

Session Agenda

DNS Server Security & Hardening: “Down and Dirty” (4 slides)

Other DNS information included for your review (not elaborated on):

Internet threats & associated risks (2 slides)

DNS Service (3 slides): connecting hosts to services: protocols, transmission, network topology, & service request resolution

Controls to mitigate DNS service disruption (3 slides)

DNS “How-to” (7 slides): installation & configuration; DNS hardening - local file system, application, managing access control; network topology, architecture, & exchange

Helpful Hints (4 slides)

Page 4: Dns Hardening   Linux Os

Key Takeaways

Understand what “high-level” requirements are needed to secure a DNS server and access to the service (the lecture's focus)

Slides for individual review (not elaborated on, but a “how-to” is provided):

Recognize common DNS service threats

Recognize the basic components & network topology for the implementation of a secure DNS service

Understand how to install, configure, secure, & administer a DNS service

Helpful hints that apply to any network service implementation

Page 5: Dns Hardening   Linux Os

DNS Security & Hardening – Local System (1 of 4)

Define, Discuss, Demonstrate, & Do

Configuring the service:
Partitioning, quotas, & ACLs
chroot / jail the application
tcpwrappers
PAM (Pluggable Authentication Modules)
SELinux http://fedoraproject.org/wiki/SELinux
IPTables (local firewall)

Key setup, exchange, & management
Local user account management
Limit remote service admin access
File permissions / mitigate escalation
Limit service access
Manage interdependent services, e.g., at & cron
Patch management
Manage DNS service logs
Audit system activity

Page 6: Dns Hardening   Linux Os

DNS Security & Hardening - Network (2 of 4)

Define, Discuss, Demonstrate, & Do

Manage user identity & access control
Limit “other” services
NIC / routing: edit /etc/sysctl.conf
Run-levels / interactive boot
Uninstall or disable all services not needed
Configure & secure NTP exchanges
Define the server's “role & responsibility” within the network topology
DNS zone & records management: deployment, queries, & replication
In-band versus out-of-band
Manage key exchange: TSIG – update exchanges; DNSSEC – validate sites & SOA
Network proxy, firewall, & IDS / IPS
Manage service(s) logs

Page 7: Dns Hardening   Linux Os

DNS Security & Hardening: Network Topology (3 of 4) Define, Discuss, Demonstrate, & Do


Page 8: Dns Hardening   Linux Os

Summary: DNS Security & Hardening (4 of 4)

Define, Discuss, Demonstrate, & Do

Local system configuration: fence in the DNS playground; limit ownership & access; monitor activity

Network deployment & topology security: threat gateway (firewall, proxy, IDS / IPS, etc.); limit services & access, and disable routing functions; manage requests & responses (internal & external – server to client)

Threats: zone or record corruption; IP spoofing; cache poisoning; buffer overflow – patch; data interception / impersonation

Track & manage the bouncing bits & bytes! Vulnerability matrix & security advisories: https://www.isc.org/software/bind/security/matrix https://www.isc.org/advisories

Page 9: Dns Hardening   Linux Os

Thank You for Your Patience & Participation - Any Questions?

Gain a basic understanding of the requirements for securing and hardening a DNS server


Page 10: Dns Hardening   Linux Os

Helpful Resources


Linux Server Security by Michael D. Bauer; O’Reilly

DNS and BIND by Paul Albitz & Cricket Liu; O’Reilly

Understanding Data Communications by Gilbert Held; Addison-Wesley

Local Area Network by David A Stamper; Prentice Hall

Troubleshooting TCP/IP by Mark A. Miller; M&T Books

TCP/IP – Running a Successful Network by Kevin Washburn & Jim Evans; Addison-Wesley

ISC BIND page on DNSSEC - http://www.isc.org/software/bind/dnssec

DNSSEC deployment at the root zone - http://www.root-dnssec.org/

DNSSEC information for .org - http://www.pir.org/dnssec/

ENISA Good Practices Guide for Deploying DNSSEC - http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec

Page 11: Dns Hardening   Linux Os

Appendix: Other Useful Information for Review

Security Threat (2 slides)

DNS Services (3 slides)

Security and tools for hardening DNS (3 slides)

Network Topology and Services DNS Server (8 slides)

Installation Setup / Configuration Security & Administration

Helpful Hints (4 slides)


Page 12: Dns Hardening   Linux Os

Security Threat (1 of 2)

Define, Discuss, Demonstrate, & Do

Functional characteristic: secure, monitor, & mitigate malicious attempts to malign or disrupt network services

There are four general categories of security threats to the network: unstructured threats, structured threats, external threats, & internal threats http://ptgmedia.pearsoncmg.com/images/1587131625/samplechapter/1587131625content.pdf

Classes of attacks: reconnaissance attacks, access attacks, denial of service attacks, & worms, viruses, and Trojan horses

All of the following can be used to compromise your system: packet sniffers, IP weaknesses, password attacks, DoS or DDoS, man-in-the-middle attacks, application layer attacks, trust exploitation, port redirection, viruses, Trojan horses, operator error, & worms

Page 13: Dns Hardening   Linux Os

Security Threat - Attack vs. Knowledge (2 of 2)

Define, Discuss, Demonstrate, & Do

[Figure: “Tool Capabilities and Ease of Use” (high to low) plotted against “Intruder Knowledge” (skill) on a 1980–2010 timeline. Attacks placed along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, session hijacking, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, DoS, web attacks, “stealth” / advanced scanning, spoofing, network attacks against DNS, SNMP, etc., worms, viruses, browser attacks, distributed DoS, anti-forensics, Trojans, crimeware / SSL-evading malware, command & control, APT.]

Page 14: Dns Hardening   Linux Os

DNS Services: Protocols, Topology, & Resolution (1 of 3)

Define, Discuss, Demonstrate, & Do

Domain Name Service (DNS) provides IP address and Fully Qualified Domain Name (FQDN) request information to hosts

Type/role: authoritative or recursive; master (auth.), slave (auth., load balancing & redundancy), caching (no auth. – name to IP resolution), forwarding (no auth.)

DHCP can dynamically populate DNS host records

Dynamic Host Configuration Protocol (DHCP) provides the IP address, default router gateway, DNS, WINS, and other service information requested by a host to enable connectivity to various internal and external resources
Typically applied and configured to support an organization's intranet
Can be implemented locally to a specific broadcast domain, or the request is forwarded through a relay agent
The host broadcasts a request & responds to the 1st DHCP server response received
The host leases the information & requires a periodic renewal
The renewal request is sent to the initial DHCP server via unicast; if there is no response, the host broadcasts the service request

Page 15: Dns Hardening   Linux Os

DNS Services: Protocols, Topology, & Resolution (2 of 3)

Define, Discuss, Demonstrate, & Do

Topology structure: nodes & zones

Root domains, delegation of authority, & Start of Authority: authority is delegated to lower levels in the hierarchy; each layer in the hierarchy may delegate authoritative control to the next lower level

Domains (SOA): Start of Authority for an FQDN, e.g., redhat.com, where one or more DNS server IP addresses are registered with the Internet Corporation for Assigned Names and Numbers (ICANN)

Sub-domains – internally controlled DNS servers that segment organization resources

Naming convention (FQDN)

Transmission methodology
Host request / resolver: /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts
Server types & role: primary-master; secondary-slave; & caching-only/forwarders

DNS resolution service
Iterative queries: send the FQDN and request either the IP address of the domain or the FQDN of an authoritative DNS server (typically the host's resolver to the primary DNS server, and then DNS server to server exchanges until resolution or invalid)
Recursive queries: send the FQDN to a DNS server and ask for the IP address of the domain (similar to above)
Process: query, cache, & response; FQDN → IP address; IP address → FQDN (reverse lookup domains); creates dynamic entries in DNS tables
Static entries: DNS records for domain services
DHCP can be dynamically linked to local DNS for internal hostname resolution

Page 16: Dns Hardening   Linux Os

DNS Services: Protocols, Topology, & Resolution (3 of 3)

Define, Discuss, Demonstrate, & Do

Answer the question: “How will a server fit into the big picture for the network?”

DNS server service role & types of exchanges
Master: (SOA) authoritative
Slave: (SOA?) authoritative (replicates the master) or non-authoritative (partitioned out or partial load-balancing)
Caching: non-authoritative; static or dynamic updates
Forwarding: non-authoritative

Network topology location: query response service support for external (Internet), DMZ, internal (intranet), host based (caching)
http://www.dnsbl.info/dnsbl-list.php

Content management: zones are created to distinguish domains and catalogue host records

DB file / record characteristics:
Name
TTL – time to live (how long the record is cached)
Class - IN (Internet), the only record class supported in DNS
Type – per the listing below
Data - content specific to the record type

Record types:
Start of Authority (SOA) - information that identifies the top of the zone and other general properties
Address (A or AAAA) - IPv4/IPv6
Canonical name (CNAME) - alias
Host information (HINFO)
Mail exchange (MX) - mail server
Name server (NS) – DNS servers
Pointer (PTR) - reverse lookup, IP to FQDN
Text (TXT)
Well-known services (WKS)

Page 17: Dns Hardening   Linux Os

DNS Service: Security Considerations (1 of 3)

Define, Discuss, Demonstrate, & Do

Where will the application physically reside on the local OS? Partition type, quotas, & ACLs
Manage space allocation
Prevent hard links to setuid programs; facilitate precise control over mount options; limit user access or influence
Allow minimal privileges via mount options

Chroot / jail the DNS application
If the service is compromised, limits user rights & privilege escalation; if a local user is compromised, limits influence on the application
Function? Runs a process with a root directory other than /
$ /usr/sbin/chroot /home/user_name/existing_directory
The challenge is to include the interdependent binaries / library files in the “jail” environment
Once set up, change to the location and start the service or application

How will you manage DNS's local functional influence? You must manage the application's ability to influence overall system functionality!
SELinux (alt. AppArmor)
http://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-selinux.html
http://www.nsa.gov/research/selinux/index.shtml
http://hackinglinux.blogspot.com/2007/05/selinux-tutorial.html
PAM – Pluggable Authentication Modules (access control) http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html

How will you manage access to the service?
TCPWrappers: /etc/hosts.allow & /etc/hosts.deny; rule syntax daemon_list : client_list [: command]
Firewall local and remote settings: IPTables
Disable all unneeded services!
Enable application auditing
Log management – monitor activity and event types!

Page 18: Dns Hardening   Linux Os

DNS Service: Security Considerations (2 of 3)

Define, Discuss, Demonstrate, & Do

DNS service access control
Sample exploit: http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
Access Control Lists (ACLs)
TSIG transactions – shared hashed key
DNSSEC: relies on public/private key authentication. The DNSSEC specifications (RFC 4033, RFC 4034 and RFC 4035, augmented with others) answer three questions:
Authentication - the DNS responding really is the DNS that the request was sent to.
Integrity - the response is complete and nothing is missing or changed.
Proof of non-existence - if the DNS returns a status that the name does not exist (NXDOMAIN), this response can be proven to have come from the authoritative server.

RHEL: # dns-keygen, then edit /etc/rndc.key [insert key]; or RHEL/Fedora: # rndc-confgen > /etc/rndc.conf; rndc status

Use DNSSEC to verify recursive DNS results. Default DNS BIND configuration in RHEL 6:

options { dnssec-enable yes; dnssec-validation yes; };

In /etc/named.conf this sets a “trust anchor” to trust the root DNSKEY:

managed-keys { /* not the real root key */ "." initial-key 257 3 5 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEf K3clRbGaTwSJxrGkxJWoZu6I7PzJu/E9 gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9 mZhkdUpd1Vso/HAdjNe8L"; };

Testing the validating recursive DNS server: # dig www.example.com +dnssec

Page 19: Dns Hardening   Linux Os

DNS Service: Security Considerations (3 of 3)

Define, Discuss, Demonstrate, & Do

Authoritative server: configuration overview
(1) Create a normal DNS zone file
(2) Generate the zone-signing key and key-signing key
(3) Add DNSKEY records for both keys to the zone file
(4) Sign the zone (creates RRSIG and NSEC/NSEC3)
(5) Point /etc/named.conf at the signed zone file
(6) Reload the zone
(7) Provide the DS record for the zone's KSK to your parent zone

(1) Set up DNSSEC with each signed zone having its own directory, and the zone file having the same name as the zone: /var/named/example.com/example.com would be the zone file for the zone example.com. The directory and zone file need to be readable by group named and have the SELinux type named_zone_t.

(2) Generating the ZSK and KSK: change to the zone file's directory in /var/named
# cd /var/named/example.com/
Create the zone-signing key (ZSK): # dnssec-keygen example.com
Create the key-signing key (KSK): # dnssec-keygen -fk example.com
Both dnssec-keygen commands should add the -3 option if you want to use NSEC3 records

(3) Add the keys to the zone file. Each command results in two key pair files:
Kexample.com+005+00000.{key,private}
Add the public key files to the zone file: # cat *.key >> /var/named/example.com/example.com

(4) Manually sign the zone file:
# dnssec-signzone example.com
Add the -3 option if you want NSEC3 records. Active keys in the zone are automatically used. Creates the example.com.signed file. BIND 9.7 has a number of new features to support automatic signing on dynamic update, key rotation management, and so on; see the documentation in /usr/share/doc/bind-9.7*/arm/

(5) Update the zone directive and reload the zone. The zone directive in /etc/named.conf needs to be pointed at the signed file:
zone "example.com" IN { type master; file "example.com/example.com.signed"; };

(6) Reload the zone to make the changes take effect: # service named reload (or rndc reload)

(7) Provide the DS record to the parent zone operator. If the parent zone is DNSSEC signed and ready, provide your zone's DS record to your registrar. You can generate it from your zone file if necessary:
# cd /var/named/example.com/
# dnssec-dsfromkey -f example.com
Creates the dsset-example.com. file containing the DS records

http://www.redhat.com/promo/summit/2010/presentations/taste_of_training/Summit_2010_DNSSEC.pdf
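Steps (1) through (7) above, collected into one script. This is an added example; it is not from the slides or from the Red Hat summit deck cited above. It assumes the slide's layout of /var/named/<zone>/<zone> (ZONE_ROOT is an assumption introduced here so the script can be pointed at a test directory), the BIND 9 tools dnssec-keygen, dnssec-signzone and dnssec-dsfromkey on PATH, and that steps (5) and (6), the named.conf zone directive and the reload, are still done by hand. It checks its preconditions before generating any key so a typo in the zone name cannot leave stray key files behind.

```shell
#!/bin/sh
# Added example: sign an authoritative zone the way the slide describes.
# ZONE_ROOT is an assumption (defaults to the slide's /var/named).
ZONE_ROOT="${ZONE_ROOT:-/var/named}"

# Return 0 if every BIND tool this script needs is on PATH; otherwise list
# the missing ones on stderr and return 2.
dnssec_tools_present() {
    missing=""
    for t in dnssec-keygen dnssec-signzone dnssec-dsfromkey; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    [ -z "$missing" ] && return 0
    echo "missing tools:$missing" >&2
    return 2
}

# sign_zone ZONE [nsec3]
#   Generates a ZSK and a KSK, appends their DNSKEY records to the zone file,
#   signs the zone (producing ZONE.signed) and prints the DS records for the
#   parent. Returns 1 if the zone file is not at $ZONE_ROOT/ZONE/ZONE,
#   2 if the tools are missing, otherwise the signer's exit status.
sign_zone() {
    zone="$1"; nsec3="${2:-}"
    dir="$ZONE_ROOT/$zone"
    zonefile="$dir/$zone"
    if [ ! -f "$zonefile" ]; then
        echo "zone file $zonefile not found (slide layout: /var/named/<zone>/<zone>)" >&2
        return 1
    fi
    dnssec_tools_present || return 2

    keyopt=""; signopt=""
    if [ "$nsec3" = "nsec3" ]; then
        keyopt="-3"       # dnssec-keygen: pick an NSEC3-capable algorithm
        signopt="-3 -"    # dnssec-signzone: NSEC3 chain, "-" = no salt
    fi

    (
        cd "$dir" || exit 1
        # (2) ZSK first, then the KSK; the KSK is what the parent's DS points at.
        dnssec-keygen $keyopt "$zone" >/dev/null || exit 1
        dnssec-keygen $keyopt -f KSK "$zone" >/dev/null || exit 1
        # (3) Append only this zone's public keys; the .private files stay out.
        cat K"$zone".+*.key >> "$zonefile" || exit 1
        # (4) Sign; active keys whose .private files are in this directory are used.
        dnssec-signzone $signopt -o "$zone" "$zone" || exit 1
        # (7) DS records for the registrar, derived from the DNSKEYs now in the zone.
        dnssec-dsfromkey -f "$zonefile" "$zone" || exit 1
        echo "now point named.conf at $zone/$zone.signed and run: rndc reload $zone" >&2
    )
}

# Usage: ZONE_ROOT=/var/named sh sign_zone.sh example.com [nsec3]
if [ -n "${1:-}" ]; then
    sign_zone "$@"
fi
```

The NSEC3 switch is passed to both tools because, as the slide notes, dnssec-keygen's -3 only selects an algorithm, while dnssec-signzone's -3 (which takes a salt argument) is what actually builds the NSEC3 chain.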

Page 20: Dns Hardening   Linux Os

Network Services: Protocols, Topology, & Resolution Define, Discuss, Demonstrate, & Do


Page 21: Dns Hardening   Linux Os

DNS Server – Install, Setup, & Administration (1 of 7)

Define, Discuss, Demonstrate, & Do

Client / server: resolver settings. How will queries be made? Resolution priority & precedence search method - edit the local system files /etc/nsswitch.conf; /etc/hosts; /etc/resolv.conf

Consider who the DNS server will support (internal/external). Only serve DNS for those types. Segregate support requirements – don't do both in one server instance. Do not arbitrarily allow zone transfers or do recursion.

Partition and ACL setup:
Install & configure ACL: # yum install acl
Edit /etc/fstab: “/dev/hdc1 /var/named ext4 defaults,acl 1 2”
# mount -t ext4 -o acl,remount /dev/hdc1 /var/named
Apply security via getfacl & setfacl: # setfacl -m u:named:rwx /var/named

Prevent hard links to setuid programs; specify precise control over mount options; allow minimal privileges via mount options
Modify /etc/fstab: noexec on everything possible; nodev everywhere except / and chroot partitions; nosuid everywhere except /
Consider making /var/tmp a link to /tmp, or maybe use the mount --bind option

GUI management utility - http://www.webmin.com/

Page 22: Dns Hardening   Linux Os

DNS Server – Install, Setup, & Administration (2 of 7)

Define, Discuss, Demonstrate, & Do

Identify the type of server and its location: master, slave, caching, or forwarding

Server setup: install – bind, bind-utils, bind-chroot [jail application], caching-nameserver [RHEL - install for the cache server function], system-config-bind

Network interface configuration:
Define & apply a static IP address to the interface
Modify /etc/sysconfig/network-scripts/ifcfg-ethX; PEERDNS=no
Modify /etc/hosts; place host name to IP address entries for resources used in DNS lookups [optional]
Modify /etc/resolv.conf; insert at the beginning of the file: nameserver 127.0.0.1

Security considerations: chroot / jail the application due to ever changing & challenging security issues
# yum install bind-chroot
The configuration file is then /var/named/chroot/etc/named.conf
Copy dependent binaries & libraries into the chroot directory and manage links
Modify the /etc/sysconfig/named file and set the ROOTDIR shell variable to /var/named/chroot, e.g., ROOTDIR="/var/named/chroot"

Test - do an inode comparison:
# ls /var/named/chroot/var/named
# ls -ldi /var/named/chroot/var/named
# ls -ldi /var/named
# service named start
# ls -ldi /var/named/chroot/var/named [should now reflect the /var/named inode]
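The inode comparison at the end of this slide as a repeatable check, added here as an example (not code from the slides). same_inode compares device number and inode together, since an inode number alone repeats across file systems; check_named_chroot wraps it with the verdict an operator wants after "service named start". The two paths are parameters whose defaults are the slide's layout; a bind mount needs root, so the self-test below stands in with a symlink, which stat -L resolves to the same directory.

```shell
#!/bin/sh
# Added example: verify that the chroot's /var/named is the real /var/named.

# inode_of PATH: print "device:inode" for PATH, following symlinks.
# GNU stat uses -c, BSD/macOS stat uses -f; try both.
inode_of() {
    stat -L -c '%d:%i' "$1" 2>/dev/null || stat -L -f '%d:%i' "$1"
}

# same_inode [HOST_DIR] [JAIL_DIR]
#   0 if both paths are the same directory (same device and inode),
#   1 if they differ, 2 if either path does not exist.
same_inode() {
    a="${1:-/var/named}"
    b="${2:-/var/named/chroot/var/named}"
    [ -e "$a" ] && [ -e "$b" ] || return 2
    ia=$(inode_of "$a") || return 2
    ib=$(inode_of "$b") || return 2
    [ "$ia" = "$ib" ]
}

# check_named_chroot [HOST_DIR] [JAIL_DIR]: human-readable verdict; returns
# 0 when the jail sees the host's zone directory, 1 otherwise.
check_named_chroot() {
    host="${1:-/var/named}"
    jail="${2:-/var/named/chroot/var/named}"
    if same_inode "$host" "$jail"; then
        echo "ok: $jail is the same directory as $host"
    else
        echo "warning: $jail is not $host; named inside the chroot will not see the host's zone files"
        return 1
    fi
}

# Usage after "service named start": sh check_chroot.sh
if [ -z "${1:-}" ] && [ -d /var/named/chroot ]; then
    check_named_chroot
fi
```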

Page 23: Dns Hardening   Linux Os

DNS Server – Install, Setup, & Administration (3 of 7)

Define, Discuss, Demonstrate, & Do

More security considerations http://www.puschitz.com/SecuringLinux.shtml
Modify / edit firewall & SELinux settings: allow TCP & UDP port 53
Secure transaction exchange: TSIG signatures – hashed key exchange to support secure record exchange / replication. Time synchronization is critical – if a TSIG exchange fails, check the time.
Split horizon server / proxy server placed in the DMZ; internal versus external name resolution can be served as two different query types from one server, but this is not recommended

Logs: /var/log/messages [assume DNS chroot]
# mkdir -p /var/named/chroot/var/log/bind
# chmod 744 /var/named/chroot/var/log/bind
# chown named /var/named/chroot/var/log/bind
# ls -ld /var/named/chroot/var/log/bind

NTP time services must be properly configured and secured

Page 24: Dns Hardening   Linux Os

DNS Server – Install, Setup, & Administration (4 of 7)

Define, Discuss, Demonstrate, & Do

Server service
Init & start – # chkconfig named on; service named start
Service modification – # service network [stop | start | restart]
RHEL configuration test - # service named configtest
Documentation – http://www.zytrax.com/books/dns/ file:///usr/share/doc/bind-9.7.2/arm/Bv9ARM.html

Server configuration: edit /etc/named.conf
See /usr/share/doc/bind*/sample/ for example named configuration files
RHEL and Fedora have distinctions [see page 786 for details]
Determine the type/role of the DNS server(s) per topology design or requirements: master, slave, or caching
Modify settings
Create zones: root domains, local global domains, & reverse lookup domain
Configure security – exchange methods & keys
Populate domains with the appropriate static records, e.g., name server (NS), mail server (MX), host records (A/AAAA), service records (IP and service port specific), reverse lookup records (PTR), etc.
Restart services
Zone information is located in /var/named

Page 25: Dns Hardening   Linux Os

DNS: Server – Install, Setup, & Administration (5 of 7)

Define, Discuss, Demonstrate, & Do

Only common references below, e.g., change the file system locations below to the jailed DNS file locations

Caching-only server: # yum install -y caching-nameserver; cp /etc/named.caching-nameserver.conf /etc/named.conf

Slave zone files: # ls /var/named/slaves
Manually pull the master file to the slave: # dig -t axfr zone_name.com @servername
RHEL6: /var/named is not writable; place zone modifications in /var/named/dynamic and then update /etc/named.conf

Local system security settings

ACL: define an ACL directive acl "local-net" { 127.0.0.1; 192.168.1.0/24; }; and place in named.conf allow-transfer { local-net; }; allow-query { local-net; };

User access: DNS files owned by the application “named” user and not root! # chown root:named /etc/named/*; chown root:named /var/named/*

IPTables – firewall security settings – general settings provided
# iptables -I INPUT 5 -p udp -m udp --dport 53 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 53 -j ACCEPT
# iptables -I INPUT 5 -p tcp -m tcp --dport 953 -j ACCEPT [rndc key exchange; rndc uses TCP]
# service iptables save; service iptables restart

SELinux
# getsebool -a | grep named_dis
# setsebool -P named_disable_trans=1
# chcon -t named_conf_t /etc/named.conf
# ls -Z /etc | grep named.conf
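The ACL directive on this slide and the earlier rule “do not arbitrarily allow zone transfers or do recursion” can be checked mechanically before named is restarted. The audit below is an added example, not code from the slides, and assumes a named.conf in the flat one-statement-per-line style the slide uses (it reads the file with sed and grep, not a real BIND parser, so a directive split oddly across lines could be missed). It flags a missing allow-transfer, because BIND's default is to serve AXFR to anyone, and recursion that is enabled (explicitly or by default) without an allow-recursion ACL.

```shell
#!/bin/sh
# Added example: flag open zone transfers and open recursion in a named.conf.

# audit_named_conf FILE
#   Prints one finding per line. Returns 0 when nothing was flagged,
#   1 when at least one finding was printed, 2 if FILE is unreadable.
audit_named_conf() {
    conf="$1"
    [ -r "$conf" ] || return 2
    # Drop // and # comments so a commented-out directive is not taken as live.
    clean=$(sed -e 's|//.*$||' -e 's|#.*$||' "$conf")
    flagged=0

    # Zone transfers: with no allow-transfer at all, BIND answers AXFR for anyone.
    if ! printf '%s\n' "$clean" | grep -q 'allow-transfer'; then
        echo "no allow-transfer directive: BIND serves zone transfers to anyone by default"
        flagged=1
    elif printf '%s\n' "$clean" | grep 'allow-transfer' | grep -q '{ *any *;'; then
        echo "allow-transfer { any; }: the whole zone is readable by anyone"
        flagged=1
    fi

    # Recursion: BIND's default is "recursion yes". An authoritative-only
    # server should say "recursion no"; a resolver must pair recursion with
    # an allow-recursion ACL such as the slide's "local-net".
    if ! printf '%s\n' "$clean" | grep -q 'recursion *no'; then
        if ! printf '%s\n' "$clean" | grep -q 'allow-recursion'; then
            echo "recursion enabled without allow-recursion: open resolver"
            flagged=1
        elif printf '%s\n' "$clean" | grep 'allow-recursion' | grep -q '{ *any *;'; then
            echo "allow-recursion { any; }: open resolver"
            flagged=1
        fi
    fi
    return $flagged
}

# Usage: sh audit_named.sh /var/named/chroot/etc/named.conf
if [ -n "${1:-}" ]; then
    audit_named_conf "$1"
fi
```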

Page 26: Dns Hardening   Linux Os

DNS: Server Key Exchange Setup (6 of 7)

Define, Discuss, Demonstrate, & Do [RHEL]

Only common references below, e.g., change the file system locations below to the jailed DNS file locations

Modify named.conf and insert: include "/etc/rndc.key";
Create the key: # dns-keygen
[Fedora: $ /usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -n HOST keyname ] then $ cat Kkeyname.+157+14321.private – similar to below, see page 803
Create the key file: # vi /etc/rndc.key
key "rndckey" { algorithm hmac-md5; secret "aresrntynratbYjhjdslo863eWEDvOVCmdvfvb"; /* not a real key */ };

Create the config file: # rndc-confgen > /etc/rndc.conf
Edit /etc/rndc.conf and paste in the key content listed above
Edit named.conf & add: controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; }; }; include "/etc/rndc.key"; (the keys entry names the key statement, "rndckey", not the file)
Change ownership of the files: # chown root:named /etc/rndc.*; chmod 640 /etc/rndc.* (group-readable so named can load the included key; 400 would lock named out)
# service named configtest; service named restart; rndc status
# chcon -t named_conf_t rndc.key rndc.conf

Logs: /var/log/bind; /var/log/messages

Page 27: Dns Hardening   Linux Os


DNS Service Security: Topology ACLs / Key Exchange (7 of 7)

Define, Discuss, Demonstrate, & Do

Page 28: Dns Hardening   Linux Os

DNS Server – Helpful Hints for Setup & Administration (1 of 4)

Define, Discuss, Demonstrate, & Do

GUI - system-config-network; system-config-network-tui

CLI query resolver: $ dig fully_qualified_domain_hostname; dig -x ip_address; dig -t MX fully_qualified_domain_hostname
$ host ip_address; hostname; nslookup FQDN or IP_ADD; ping FQDN or IP_ADD; whois domain_name (lookup info for a hostname or IP address)

CLI configure interface & routes: $ ifconfig interface up|down
Check out $ ethtool eth0 (must be installed)
Server: static configuration per node w/ host FQDN, host IP, subnet mask, default gateway, & DNS server IP
$ ip
# ip addr add 1.2.3.4/24 brd + dev eth0 (add or delete IP & subnet mask)
# ip route add default via 1.2.3.254 (add or delete the default gateway – change default to a network address to create a static route)
# ip link set dev eth0 up (bring the interface up or down)
# ip addr show; ip -s link; ip route show; hostname -i
ip or route commands: # route add default gw 192.168.1.1 [destination address] eth0 [interface on the same network as the destination gateway address]
Edit related files: /etc/sysconfig/network-scripts; http://lartc.org/howto/lartc.rpdb.multiple-links.html http://www.itsyourip.com/Linux/howto-add-a-persistent-static-route-in-redhat-enterprise-linux/

CLI configure service & status
# service --status-all (state of services on the system)
# service service_name [stop | start | restart | status]
# chkconfig service_name [on | off]
# service service_name configtest
# netstat -tupl (internet services on a system); netstat -tup (active connections to/from the system); netstat -tanp | grep LISTEN

Troubleshooting methodology: start with the local host, then the remote host or service
Check the local interface (hostname, ifconfig, iwconfig, ping, netstat)
Check the local gateway, route or shout? (ping, route, traceroute)
Check local services: ACLs, firewall, proxy, DNS, file share, etc. (netstat, dig, hosts, nslookup)
Check remote host services or resources (ping, finger, jwhois, lynx, nmap, mtr, browsers)
Key file locations: /sbin; /etc/sysconfig/network; /etc/sysconfig/network-scripts; /etc/init.d/network “start, restart, or stop”

Page 29: Dns Hardening   Linux Os

Disabling unnecessary daemons that are “listening”
Locate the pid in the netstat output
cat /proc/<pid>/cmdline
If it is not a full path, run which or locate to find the utility
rpm -qf full_path_of_daemon
rpm -e package_name
If difficult to remove due to dependencies: chkconfig <service> off

tcp_wrappers
Even if iptables is in use, configure this just in case
Set /etc/hosts.deny to ALL: ALL
Many daemons are compiled with support; find them by using: egrep libwrap /usr/bin/* /usr/sbin/* | sort
For each program found, use its base name to set the expected access rights (if there are any). Example: smbd: 192.168.1.
http://linuxhelp.blogspot.com/2005/10/using-tcp-wrappers-to-secure-linux.html

init
Disable interactive boot by editing /etc/sysconfig/init: set PROMPT=no to disable it
Also add a password to single user mode: edit /etc/inittab and add the following: ~~:S:wait:/sbin/sulogin
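A small evaluator for the hosts.allow / hosts.deny rules described above (and on the earlier “daemon_list : client_list [: command]” slide), so a policy such as ALL: ALL in hosts.deny plus smbd: 192.168.1. in hosts.allow can be checked against a daemon and client before the service is restarted. It is an added example, not code from the slides or from libwrap. Assumptions: one rule per line, comma-separated daemon and client lists, ALL as the only wildcard, and a client pattern ending in “.” as a prefix match; hostnames, netmask forms and EXCEPT clauses, which real tcp_wrappers also accepts, are not modelled. The file locations are parameters so the check can run against copies.

```shell
#!/bin/sh
# Added example: decide allow/deny the way libwrap does, hosts.allow first,
# then hosts.deny, and allow when neither file matches.

# match_list LIST TOKEN: 0 if TOKEN matches one comma-separated entry of LIST.
# ALL matches anything; an entry ending in "." is a prefix (192.168.1.).
match_list() {
    list="$1"; token="$2"
    oldifs="$IFS"; IFS=','
    set -- $list
    IFS="$oldifs"
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$entry" in
            ALL)      return 0 ;;
            *.)       case "$token" in "$entry"*) return 0 ;; esac ;;
            "$token") return 0 ;;
        esac
    done
    return 1
}

# file_permits FILE DAEMON CLIENT: 0 if some rule line in FILE matches both.
# A missing file simply has no rules.
file_permits() {
    file="$1"; daemon="$2"; client="$3"
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # drop comments
        case "$line" in *:*) ;; *) continue ;; esac    # not a rule line
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                            # ignore an optional ": command"
        if match_list "$daemons" "$daemon" && match_list "$clients" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# wrappers_decide DAEMON CLIENT [ALLOW_FILE] [DENY_FILE]
#   Prints "allow" or "deny"; returns 0 for allow, 1 for deny.
wrappers_decide() {
    daemon="$1"; client="$2"
    allow="${3:-/etc/hosts.allow}"; deny="${4:-/etc/hosts.deny}"
    if file_permits "$allow" "$daemon" "$client"; then echo allow; return 0; fi
    if file_permits "$deny" "$daemon" "$client";  then echo deny;  return 1; fi
    echo allow   # libwrap's default when no rule matches
    return 0
}

# Usage: sh wrappers_check.sh smbd 192.168.1.25 [/etc/hosts.allow /etc/hosts.deny]
if [ $# -ge 2 ]; then
    wrappers_decide "$@"
fi
```

Note that the slide's "Set /etc/hosts.deny to ALL: ALL" is what turns the evaluation into a default-deny policy: without it, a daemon missing from hosts.allow is reachable from anywhere.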

DNS Server – Helpful Hints for Network Settings (2 of 4)

Define, Discuss, Demonstrate, & Do

Edit /etc/sysctl.conf settings:

Don't reply to broadcasts. Prevents joining a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

Enable syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

Log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

Don't allow source routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

Don't allow outsiders to alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

Don't pass traffic between networks or act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
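A compliance check for the sysctl settings listed above, added here as an example (not code from the slides). EXPECTED is constructed from the slide's list; the file to audit is a parameter so the check can run against /etc/sysctl.conf, a copy, or a dump of the running values. It honours sysctl's own rule that the last assignment of a key wins and ignores commented-out lines, which is the case that usually hides a missing setting.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf against the hardening values on the slide.

# Constructed from the slide: key=value pairs, one per line.
EXPECTED='
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
'

# config_value FILE KEY: print the last value assigned to KEY in FILE
# (sysctl applies the last occurrence); comments and whitespace are ignored.
# Prints nothing if KEY is absent or only present in a comment.
config_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                      # strip comments first
        /=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[1]); gsub(/[[:space:]]/, "", kv[2])
            if (kv[1] == key) val = kv[2]
        }
        END { if (val != "") print val }
    ' "$1"
}

# audit_sysctl FILE: print one line per key that is missing or wrong and
# return the number of such keys (0 means fully compliant; 255 = unreadable).
audit_sysctl() {
    file="$1"; bad=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 255; }
    for pair in $EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(config_value "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"; bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "WRONG    $key = $have (want $want)"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Usage: sh audit_sysctl.sh /etc/sysctl.conf
#        sysctl -a 2>/dev/null > /tmp/running.conf && sh audit_sysctl.sh /tmp/running.conf
if [ -n "${1:-}" ]; then
    audit_sysctl "$1"
fi
```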

Page 30: Dns Hardening   Linux Os

DNS Server – Helpful Hints for Network Settings (3 of 4)

Define, Discuss, Demonstrate, & Do

at & cron: only allow root and people with a verified need to run cron jobs. Set up cron.allow and cron.deny. Set up the equivalents if you have 'at' installed.

sshd: enable only the ssh2 protocol. If multi-homed, consider whether it needs to listen on all addresses or just one. Do not allow root logins. Consider adding a group permission for logins: AllowGroups wheel

MySQL: if the database is used internally to the machine, make it listen on localhost. Change passwords.

Apache: remove all unneeded modules. Use mod_security to weed out injection attacks. Set the correct SELinux booleans to maintain functionality and protection.

SELinux
Leave it enabled and in enforcing mode
Does not affect daemons it doesn't know about, unless they are started in a confined domain (note the earlier suggestions for chroot changes)
Provides a behavioral model that known applications should be following
Can stop attacks before they become complete system breaches
Use the targeted policy; strict and MLS should be used only if you need that kind of protection
Do a boolean lockdown: review all booleans and set them appropriately: getsebool -a
Generally, to secure the machine, look at things that are set to “on” and change them to “off” if they do not apply

Page 31: Dns Hardening   Linux Os

DNS Server – Helpful Hints for Network Settings (4 of 4)

Define, Discuss, Demonstrate, & Do

SELinux boolean lockdown: # getsebool -a | grep ' on'
allow_daemons_dump_core --> on
allow_daemons_use_tty --> on
allow_execmem --> on
allow_execstack --> on
allow_gadmin_exec_content --> on
allow_gssd_read_tmp --> on
allow_kerberos --> on
allow_mounton_anydir --> on
allow_postfix_local_write_mail_spool --> on
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_unconfined_exec_content --> on
allow_unlabeled_packets --> on
allow_user_exec_content --> on
allow_xserver_execmem --> on
allow_zebra_write_config --> on
browser_confine_xguest --> on
httpd_builtin_scripting --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_tty_comm --> on
httpd_unified --> on
read_default_t --> on
spamd_enable_home_dirs --> on
user_ping --> on

Access control
Do not allow root logins: this messes up the audit system since root is a shared account. sshd and gdm have settings to disallow root login.
pam_tally2: used to lock out an account after consecutive failed login attempts
pam_access: used to forbid logins from certain locations, consoles, and accounts; /etc/security/access.conf controls its config
pam_time: used to forbid logins during non-business hours; /etc/security/time.conf controls its config
pam_limits: used to limit maximum concurrent sessions and other user restrictions; /etc/security/limits.conf controls its config
pam_loginuid: used for all entry point daemons to set the task's loginuid and session identifier. loginuid and session ID are inherited by all processes at fork.
Limit access to the su command: edit /etc/pam.d/su and uncomment the line requiring wheel to allow a uid change: “auth required pam_wheel.so use_uid”

http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf