Server Hardening by Shad Rich ISQS 6342 Spring 2004.


Prerequisites
- Implement and enforce an internal security policy
- Determine the risk the server faces
- Place the server in an appropriate physical location

Server OS
- This presentation concentrates on Linux servers.
- Several documents at www.microsoft.com describe hardening of Windows XP and Windows Server 2003.

OS Hardening Basics
- Install only the bare necessities
- Keep all system software up to date
- Delete or disable unnecessary user accounts
- Do not grant shell access unless it is needed
- Run public services in chrooted file systems
- Remove SUID bits that are not required

OS Hardening Basics (cont.)
- Configure logging and review the logs regularly
- Every host should be its own firewall
- Check systems with security scanners
- Document configurations for later use

Before Installation
- Set a BIOS password
- Plan the partitioning scheme: place /var, /opt and /usr/local on separate partitions, so that runaway logs or spooled mail cannot fill the root file system and so each partition can be mounted with restrictive options (for example nosuid or nodev)

OS Installation
- If possible, do not connect to the Internet to install; an unpatched system is exposed from the moment it is online.
- Do a very basic install.
- Do not install the X Window System or any desktop managers unless absolutely necessary.
- Install the latest versions if possible; if not, upgrade immediately after installation.

Post Install
- Set a boot loader password, so that someone at the console cannot hand the kernel options such as init=/bin/sh.

/etc/lilo.conf:
    image=/boot/2.2.14-vmlinuz    # Kernel location
        label=Linux               # Arbitrary kernel label
        read-only
        password=hackme           # Sets password (hackme is a placeholder; use a real passphrase)
        restricted                # Password is only demanded when boot options are typed

/boot/grub/menu.lst:
    timeout 3
    password hackme               # Sets password

- The password sits in clear text in both files, so chmod 600 them. GRUB can store an MD5 hash instead (password --md5 <hash>, generated with grub-md5-crypt).
- Re-run /sbin/lilo after editing lilo.conf; LILO only reads the file when the boot map is written.

Post Install (cont.)
- Remove the root prompt from the initial ramdisk: on Debian the linuxrc script waits DELAY seconds for the user to interrupt it, and interrupting it gives a root shell before the real system is up.

/etc/mkinitrd/mkinitrd.conf:
    # DELAY  The number of seconds the linuxrc script should wait
    #        to allow the user to interrupt it before the system is brought up
    DELAY=0

- Regenerate the ramdisk image:
    cd /boot
    mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7

Kernel Download
- Download the latest kernel source from www.kernel.org or another mirror
- Many distributions make the kernel source available through their package managers, e.g. rpm, apt-get, emerge

Extract Kernel Source
- Move the kernel source to an appropriate directory, e.g. /usr/src
- kernel.org publishes a detached GPG signature (.sign) for each tarball; verify it with gpg before unpacking, especially if the tarball came from a mirror
- Extract the kernel source:
    For .tar.gz files:   tar -zxvf kernel-source-file.tar.gz
    For .tar.bz2 files:  tar -jxvf kernel-source-file.tar.bz2

Configure Kernel Source
    cd /usr/src/kernel-source-dir/
    make config   (or make menuconfig)
- Select only the most basic options needed to run the server.
- Do not enable sound, USB, serial or parallel port drivers if they are not needed for server functionality.

Compile Kernel and Modules
Generic (2.4 kernels; make dep is not needed on 2.6):
    su
    make dep
    make clean
    make bzImage modules modules_install
    make bzlilo          # if using the LILO boot loader

Debian:
    su
    make-kpkg clean
    make-kpkg --append-to-version=.<date> kernel_image modules_image
    dpkg -i ../kernel-image.<date>.deb
- Edit /etc/lilo.conf or /boot/grub/menu.lst to boot the new kernel

Common Unneeded Services
- rpc services: nfsd, nfs client
- r-services: rsh, rlogin, rcp (clear-text, host-trust based authentication)
- inetd
- linuxconfd
- sendmail
- telnet, FTP, POP (passwords cross the network in clear text)

Identify Unneeded Services
What's running?
    ps aux | less
What ports are open?
    nmap localhost
    netstat -pn -l -A inet
    /usr/sbin/lsof -i | grep LISTEN
What is started on boot?
    ls -la /etc/rc#.d/        (anything starting with "S")
    chkconfig --list          (Red Hat)
What is inetd running?
    grep -v "^#" /etc/inetd.conf | sort -u
- nmap localhost only shows what is reachable over the loopback interface; scan the server from another host as well. netstat and lsof need root to show the owning program.

Remove Unneeded Services
    chkconfig --level 2 linuxconf off     (Red Hat)
    rm /etc/rc#.d/S20ssh                  (or rename the S link to K so the init script is kept but not started)
- On Debian, use update-rc.d <service> remove for boot-time services.
- For inetd services, comment out the service's line in /etc/inetd.conf (Debian: update-inetd --disable <service>) and send inetd a SIGHUP.
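As an added example (not part of the original slides), the POSIX shell script below audits an inetd.conf the way the grep above does, then writes a hardened copy in which every service not on an allow-list is commented out. The inetd.conf contents are a constructed sample, and the allow-list and the marker string are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original slides: audit /etc/inetd.conf and
# produce a copy with every service that is not explicitly allowed disabled.
# Assumes the classic inetd.conf layout:
#   service  socktype  proto  wait|nowait  user  server  [args]
# and that comment lines start with '#'.

# Print the enabled (uncommented) service names in FILE, one per line.
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 { print $1 }' | sort -u
}

# Write FILE to OUT with every enabled service not in the space-separated
# KEEP list commented out. A marker is prepended so the change is auditable
# and reversible.
disable_inetd_services() {
    awk -v keep="$3" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[[:space:]]*#/ || NF < 6 { print; next }   # comments and blank lines
        ($1 in allow)              { print; next }   # explicitly kept
        { print "#disabled-by-hardening# " $0 }      # everything else
    ' "$1" > "$2"
}

# --- Constructed sample inetd.conf (not a real host's configuration) ---
SAMPLE=$(mktemp)
HARDENED=$(mktemp)
trap 'rm -f "$SAMPLE" "$HARDENED"' EXIT
cat > "$SAMPLE" <<'EOF'
# /etc/inetd.conf (constructed sample)
#echo   stream  tcp  nowait  root   internal
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd   in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd   in.telnetd
shell   stream  tcp  nowait  root   /usr/sbin/tcpd   in.rshd
login   stream  tcp  nowait  root   /usr/sbin/tcpd   in.rlogind
pop-3   stream  tcp  nowait  root   /usr/sbin/tcpd   ipop3d
ident   stream  tcp  nowait  nobody /usr/sbin/identd identd -i
EOF

echo "enabled before hardening:"
enabled_inetd_services "$SAMPLE"

# Keep only ident; the allow-list is an assumption for this demo.
disable_inetd_services "$SAMPLE" "$HARDENED" "ident"

echo "enabled after hardening:"
enabled_inetd_services "$HARDENED"
echo "review $HARDENED, then copy it over /etc/inetd.conf and send inetd a SIGHUP"
```

The marker makes a later `grep '^#disabled-by-hardening#'` show exactly what the hardening pass changed, which is the kind of record the "document configurations" item above asks for.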

Automated Hardening: Bastille Linux
- Originally planned as a secure distribution; instead became a set of scripts for hardening existing distributions
- Packages for multiple platforms: Red Hat/Mandrake, Debian, Mac OS X, HP-UX

[Bastille screenshot]

Keeping Software Updated
- Subscribe to distribution-specific security lists
- Automated updates:
    Red Hat:  up2date
    Debian:   apt-get update; apt-get upgrade

Delete Unnecessary User Accounts
- Read /etc/passwd directly to identify unnecessary accounts
- Use find to locate a user's files before removing the account:
    find / -user username -print

Minimize Use of SUID=root
- Use find to locate set-uid and set-gid files owned by root:
    find / -perm +4000 -user root -type f -print
    find / -perm +2000 -group root -type f -print
  (recent GNU find no longer accepts the +4000 form; -perm -4000 / -perm -2000 works everywhere and -perm /4000 is the modern replacement)
- Change permissions on the files that do not need the bit:
    chmod u-s /full/path/to/filename
    chmod g-s /full/path/to/filename
- Leave the bit on programs that legitimately need it (su, sudo, passwd, ping); stripping it breaks them. Keep the list of remaining set-id files so later scans can be compared against it.
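The audit the two find commands start is, as an added example that is not part of the original slides, carried through below: list the set-id files under a tree, compare them with an allow-list of programs known to need the bit, and strip the bit from the rest. The demo tree, its file names and the allow-list are constructed so the script runs unprivileged; point it at / for a real scan.

```shell
#!/bin/sh
# Added example, not from the original slides: find set-uid/set-gid files,
# compare them with an allow-list of programs that legitimately need the
# bit, and strip the bit from the rest. The demo tree and allow-list below
# are constructed so the script runs unprivileged; use / for a real audit.
#
# -perm -4000 tests "set-uid bit present" and works on old and new GNU find
# alike; the slides' -perm +4000 form has since been dropped by GNU find
# (-perm /4000 is its replacement).

# Print every set-uid or set-gid regular file below ROOT, one per line,
# without crossing into other file systems (network mounts are not ours).
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print the set-id files below ROOT that are not listed in ALLOWFILE
# (one absolute path per line). Returns 1 when something unexpected exists,
# so the function can gate a cron job or a post-install check.
audit_setid_files() {
    unexpected=$(find_setid_files "$1" | grep -v -x -F -f "$2" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Clear the set-uid and set-gid bits on each path read from stdin.
strip_setid_bits() {
    while IFS= read -r path; do
        chmod u-s,g-s "$path"
    done
}

# --- Constructed demo tree standing in for / ---
DEMO=$(mktemp -d)
ALLOW=$DEMO/allowlist
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/bin" "$DEMO/usr/local/bin"
: > "$DEMO/bin/su"
: > "$DEMO/bin/ping"
: > "$DEMO/usr/local/bin/backup_helper"
chmod 4755 "$DEMO/bin/su" "$DEMO/bin/ping"           # legitimate set-uid
chmod 2755 "$DEMO/usr/local/bin/backup_helper"       # unexpected set-gid
printf '%s\n' "$DEMO/bin/su" "$DEMO/bin/ping" > "$ALLOW"

echo "set-id files under $DEMO:"
find_setid_files "$DEMO"
echo "not on the allow-list:"
audit_setid_files "$DEMO" "$ALLOW" ||
    echo "(review the above, then: audit_setid_files ROOT ALLOWLIST | strip_setid_bits)"
```

Piping the audit output straight into `strip_setid_bits` is deliberate: the bit is only removed from files the allow-list does not vouch for, so su and friends keep working.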

Run Services in a chrooted File System
- chrooted file systems prevent hijacked daemons from accessing the entire file system.
- Move the service's file structure to an isolated directory.
- Change ownership from root to a dedicated, unprivileged owner and group (e.g. named).
- Change file permissions so the daemon can write only where it must (pid file, slave zone files).
- A chroot is only a barrier for a process that has given up root; the daemon must also drop privileges (e.g. named -u named), since a root process can break out of a chroot.

Normal File Structure
Example of a normal BIND install:
    /
    /etc
    /usr
    /usr/bin
    /var
    /var/run
    /var/named

chrooted File Structure
    /chroot
    /chroot/named
    /chroot/named/dev
    /chroot/named/etc
    /chroot/named/etc/namedb
    /chroot/named/etc/namedb/slave
    /chroot/named/var/
    /chroot/named/var/run
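As an added example (not part of the original slides), the script below builds the chrooted tree shown above for BIND, applies the ownership and permission changes the preceding slide describes, and prints the command that starts named inside the jail. The jail path, the account name named, and the device nodes are assumptions; the -t and -u options are real named options.

```shell
#!/bin/sh
# Added example, not from the original slides: build the chroot tree shown
# above for BIND and set ownership and permissions so that the unprivileged
# named account can write only the pid file and slave zones. The jail path,
# the account name 'named' and the device nodes are assumptions; adjust
# them to the distribution.

CHROOT=${CHROOT:-/chroot/named}
NAMED_USER=${NAMED_USER:-named}

# Create the directory skeleton below BASE. Configuration stays root-owned
# and read-only for named; var/run and etc/namedb/slave are group-writable.
make_named_chroot() {
    base=$1
    for d in dev etc etc/namedb etc/namedb/slave var var/run; do
        mkdir -p "$base/$d"
    done
    chmod 755 "$base" "$base/dev" "$base/etc" "$base/etc/namedb" "$base/var"
    chmod 770 "$base/etc/namedb/slave" "$base/var/run"
    # Ownership and device nodes need root and an existing named account.
    if [ "$(id -u)" -eq 0 ] && id "$NAMED_USER" >/dev/null 2>&1; then
        chown root:"$NAMED_USER" "$base/etc/namedb/slave" "$base/var/run"
        # named needs /dev/null and /dev/random inside the jail (Linux major/minor numbers).
        [ -c "$base/dev/null" ]   || mknod -m 666 "$base/dev/null" c 1 3
        [ -c "$base/dev/random" ] || mknod -m 644 "$base/dev/random" c 1 8
    fi
}

# Copy a configuration or zone file into the jail, readable but not
# writable by named.
install_named_file() {
    cp "$1" "$2"
    chmod 644 "$2"
}

# The command that starts BIND 9 chrooted into BASE and running as the
# named account (-t and -u are real named options). The path given with
# -c is relative to the jail.
named_start_command() {
    printf 'named -u %s -t %s -c /etc/named.conf\n' "$NAMED_USER" "$1"
}

# Run as root with an argument to build the real jail:  sh mkchroot.sh create
if [ "${1:-}" = "create" ]; then
    make_named_chroot "$CHROOT"
    if [ -f /etc/named.conf ]; then
        install_named_file /etc/named.conf "$CHROOT/etc/named.conf"
    fi
    echo "start with: $(named_start_command "$CHROOT")"
fi
```

Group-writable var/run and slave directories are what let named, once it has dropped root with -u, write its pid file and zone transfers without owning its own configuration.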

Individual Host Firewalls
- Use ipchains on 2.2 and earlier kernels
- Use iptables on 2.4 and later kernels; unlike ipchains it can track connection state, so replies to the host's own connections can be admitted without opening ports
- Kernel options to be selected: Connection Tracking, FTP Protocol Support, IP Tables Support, IRC Protocol Support, and any other desired modules

Using iptables
Operations on whole chains:
- Create a new chain (-N)
- Delete an empty chain (-X)
- Change the policy for a built-in chain (-P)
- List the rules in a chain (-L)
- Flush the rules out of a chain (-F)
- Zero the packet and byte counters on all rules in a chain (-Z)

Manipulate Rules Inside Chains
- Append a new rule to a chain (-A)
- Insert a new rule at some position in a chain (-I)
- Replace a rule at some position in a chain (-R)
- Delete a rule at some position in a chain, or the first that matches (-D)

Example Firewall Script
    http://www.faqs.org/docs/iptables/examplecode.html
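As an added example (not the faqs.org script linked above and not part of the original slides), here is a minimal default-deny host firewall built from the chain and rule operations just listed, using the connection-tracking option the kernel slide asks for. The SSH port and the list of published TCP ports are assumptions; IPTABLES=echo previews the rules without touching the running kernel.

```shell
#!/bin/sh
# Added example, not the faqs.org script linked above: a minimal default-deny
# host firewall for a 2.4 kernel using iptables with connection tracking.
# Only loopback, replies to the host's own connections, SSH and the TCP
# ports listed in TCP_SERVICES are accepted. The SSH port and the service
# list are assumptions. Set IPTABLES=echo to preview the rules without
# touching the running kernel; applying them requires root.

IPTABLES=${IPTABLES:-iptables}
SSH_PORT=${SSH_PORT:-22}
TCP_SERVICES=${TCP_SERVICES:-}     # e.g. "25 53 80"

apply_host_firewall() {
    # Clean slate: flush all rules, delete user-defined chains, zero counters.
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    # Default-deny inbound and forwarded traffic; a server is not a router.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    # Loopback is trusted; 127/8 sources arriving on any other interface are spoofed.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # Connection tracking: admit replies to connections this host opened.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    # Administrative access.
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Published services, one rule per port.
    for port in $TCP_SERVICES; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Answer pings, but rate-limited.
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # Log the remainder (rate-limited so an attacker cannot flood syslog), then drop.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPTABLES -A INPUT -j DROP
}

case "${1:-}" in
    apply)   apply_host_firewall ;;
    preview) IPTABLES=echo; apply_host_firewall ;;
esac
```

The -m state matches depend on the ip_conntrack module (the Connection Tracking kernel option); FTP data connections only count as RELATED when ip_conntrack_ftp (FTP Protocol Support) is loaded as well. Run `sh fw.sh preview` first, then `sh fw.sh apply` as root from the console rather than over SSH, so a mistake in SSH_PORT cannot lock you out.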

System Loggers
- klogd does kernel logging; syslogd does system logging
- Lines in /etc/syslog.conf have the form
    facility.priority    /var/log/logfile
  where the priority selects that level and everything more severe. A destination can also be a remote loghost (written as @host), so that an intruder who gains root cannot simply erase the evidence.
- syslog-ng ("syslog new generation") is more advanced than syslogd; it is configured in /etc/syslog-ng.conf

Log Maintenance/Monitoring
- logrotate automatically rotates the specified log files
- swatch is configured to alert the system admin through e-mail or by echoing with the system bell
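As an added example (not part of the original slides), the script below does the kind of check swatch would be configured to run, written so it can also be called from cron: it scans an auth log for failed logins, counts them per source address, and reports every source at or above a threshold. The log lines are constructed samples in the syslog format of the period, and the threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original slides: the check a swatch rule or a
# cron job would run over the auth log. Counts failed password attempts per
# source address and raises an alert above a threshold. The log lines below
# are constructed samples; the threshold is an assumption.

# Print "count address" for every source with failed password attempts in
# LOGFILE, most frequent first.
failed_logins_by_source() {
    grep 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9.]*\) .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print "ALERT <address> <count> failed logins" for each source at or above
# THRESHOLD (default 5). Returns 1 when an alert was raised, so the caller
# (cron, or swatch's exec action) can decide to mail the output.
alert_brute_force() {
    threshold=${2:-5}
    alerts=$(failed_logins_by_source "$1" \
        | awk -v t="$threshold" '$1 >= t { print "ALERT " $2 " " $1 " failed logins" }')
    [ -z "$alerts" ] && return 0
    printf '%s\n' "$alerts"
    return 1
}

# --- Constructed sample auth log (not from a real host) ---
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  2 03:14:07 web1 sshd[2188]: Failed password for root from 10.0.0.9 port 4113 ssh2
Mar  2 03:14:09 web1 sshd[2188]: Failed password for root from 10.0.0.9 port 4113 ssh2
Mar  2 03:14:12 web1 sshd[2190]: Failed password for invalid user admin from 10.0.0.9 port 4120 ssh2
Mar  2 03:14:15 web1 sshd[2190]: Failed password for invalid user admin from 10.0.0.9 port 4120 ssh2
Mar  2 03:14:18 web1 sshd[2191]: Failed password for root from 10.0.0.9 port 4131 ssh2
Mar  2 03:20:41 web1 sshd[2201]: Accepted publickey for shad from 192.168.1.5 port 51022 ssh2
Mar  2 03:25:03 web1 sshd[2210]: Failed password for shad from 192.168.1.5 port 51030 ssh2
Mar  2 03:25:10 web1 sshd[2210]: Accepted password for shad from 192.168.1.5 port 51030 ssh2
EOF

echo "failed logins per source:"
failed_logins_by_source "$LOG"
alert_brute_force "$LOG" 5 || echo "(this output is what swatch or cron would mail to the admin)"
```

Because the script exits non-zero only when it has something to say, a crontab entry such as `*/10 * * * * /usr/local/sbin/check_auth.sh /var/log/auth.log || mail -s 'ssh brute force' root` (paths assumed) produces mail only on an alert, which is the behaviour the swatch bullet above describes.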

Security Scanning
- To be done later in the semester.
