Ok, last time I posted a note I asked you ppl to post remarks, SW, idea's or comments. To those who did: thanks. Appreciate it.
To all who read this thread:
please chip in!
Ok, let's munch into removing packages, cleaning out services and configs and adding restrictions.
What packages you remove depends foremost on what
purpose the box has.
This leads leads to a list of packages which can be used as a basis for an installation script like RH's Kickstart[1].
OTOH if the box was prepped using an image (and in any case just to make sure) please look at the "UNIX Security Checklist"[2].
It should have precluded my pt1 as in "The process of hardening Linux"[3].
For configuration look at the "UNIX Security Checklist"[2] as well as at the "The Twenty Most Critical Internet Security Vulnerabilities"[4].
I'll tag on any notes I think necessary walking tru [2] here, please add yours.
In general:
Beware of default settings.
The second note is your mantra:
that what is not explicitly allowed is denied.
Just broadcast a Mental Arp during configuring: who-has access? If you're surprised who responds, reconfigure :-]
Section II. The Basic Operating System: 2.0 Network Services
2.1 /etc/inetd.conf.
Hardening, Xinetd Sensors:
http://www.gate.net/~ddata/xinetd-sensors.html
How to Build, Install, Secure & Optimize Xinetd:
http://www.openna.com/documentations...netd/index.php
2.2 tcp_wrappers
Linux Security HOWTO, 8.6.1. Detecting Port Scans:
http://www.tldp.org/HOWTO/Security-H...-security.html
TCP Wrappers Misconceptions:
http://www.bhodisoft.com/bswopes/nhf...osts.deny.html
IP-spoofing Demystified (Trust-Relationship Exploitation) by daemon9/route/infinity, Phrack Magazine.
2.8 /etc/services
Replace with file from Nmap.
2.10 /etc/login.access
//mental note: wasn't this deprecated on PAM'ified systems?
2.12 /etc/login.defs
Illuminating shadow passwords (configuring, extra checks, halfway down the page):
http://www.linuxworld.com/linuxworld...passwords.html
2.13 PAM (Pluggable Authentication Modules)
PAM is definately a PITA in some situations but good in others. Please note there are several modules available.
Openwall, Pluggable password strength checking (pam_passwdqc):
http://www.openwall.com/passwdqc/
Also note /etc/security contains the stuff for groups, time, ulimits etc etc.
Simple "deterrants" example one:
Add to your /etc/pam.d/<service>: auth required /lib/security/pam_listfile.so item=user sense=allow file=/path/<service>.allow onerr=fail
The "/path/<service>.allow" file contains the local usernames you want to grant access for <service> to.
Simple "deterrants" example two, from vsftp:
echo -e "<user>\n<pass>\n<user>\n<pass>" > /path/fname.txt
db_load -T -t hash -f /path/fname.txt /path/fname.db
Add to your /etc/pam.d/<service>: auth required /lib/security/pam_listfile.so sense=allow file=/path/<fname> onerr=fail
2.14 cron
Cron allows for having restrictions in /etc/cron.(allow|deny)
Section II. The Basic Operating System: 3.0 Networking Administration
3.1 Packet Filtering
Please refer to the LQ Netfilter references as posted before.
Also for routers it's imperative to do
both ingress and egress filtering, see 3.2 below
3.2 Denial of Service Attacks
SANS - Consensus Roadmap for Defeating Distributed Denial of Service Attacks:
http://www.sans.org/ddos_roadmap.htm
SANS - Spoofed IP Address Distributed Denial of Service Attacks: Defense-in-Depth:
http://rr.sans.org/threats/spoofed.php
SANS - Understanding DDOS Attack, Tools and Free Anti-tools with Recommendation:
http://rr.sans.org/threats/understan...nding_ddos.php
Section II. The Basic Operating System: 4.0 File system security
4.1 General
Also note deleting a file doesn't mean traces of it aren't retrievable. If in doubt use shred.
Point five. Make sure "noexec" on ${TMP} disks/partitions doesn't break functionality or make sure you for instance don't use UPX-compressed binaries. Also note "noexec" can be covered using GRSecurity's [5] Trusted Path Execution (TPE)
Point six. Try "/usr/sbin/repquota -sua" for starters.
4.2 Startup and Shutdown Scripts
On a personal note IMO runlevels are grossly underestimated fun.
Consider having a LILO append line looks like "nogcc nosvc_S"
If you add a check like this:
no_gcc_tgt="/usr/bin/gcc"
case "$(grep /proc/cmdline -qe "nogcc")" in
0) for t in ${no_gcc_tgt}; do chattr -iu ${t}; chmod 0100 ${t}; chattr +iu ${t}; done;;
1) /bin/false;; esac
Of course you can do this depending on runlevel, access whatever else.
Same goes for "sealing" the kernel using /proc values or using it to take away global LINUX_CAPABILITIES (using lcap).
The Linux kernel capabilities FAQ:
http://www.kernel.org/pub/linux/libs...capfaq-0.2.txt
4.4 File Permissions
For tools look at Cops, Tiger and Lsat for example.
Point ten. See also "fixperms" for instance at:
http://www.stanford.edu/group/itss-c...x/fixperms.sh.
Have a look at
http://online.securityfocus.com/arch...6/2002-12-12/0 for a nice seteuid/setuid example.
Point eleven. Umask can be set using a simple script. Example in /etc/profile (which is run on a user's login using Bash shell):
case $(id -u) in 666) MASK="027";; *) MASK="022";; esac; export MASK
Point twelve. On a PAM'ified system, also look in /etc/security for the perms file.
Point thirteen/fourteen. Another example where mount options and GRSecurity can help. Tara Tiger also recognizes device files outside /dev.
4.9 The Coroner's Toolkit
Please note using TCT, TASK etc, etc requires you to
practice beforehand. If you're not about to invest some serious time, skip this, else read up first:
Docs:
Forensics Basic Steps:
http://staff.washington.edu/dittrich/misc/forensics/
Forensics presentation by Weld Pond and Tan:
http://www.cs.neu.edu/groups/acm/lectures/Forensics_NU/
OSSTM: Institute for Security and Open Methodologies (formerly ideahamster.org):
http://www.isecom.org/projects/osstmm.htm
Honeypot project (hone your skills! :
http://project.honeynet.org/scans/
Section II. The Basic Operating System: 5.0 Account Security
Policies, Site Security Handbook:
http://www.faqs.org/rfcs/rfc2196.html
5.1 Policy
Point six. Last time I used John on a remote passwd file I had 10 accounts in under 30mins, at least use pam_passwdqc.
5.2 Administration
Again, auditing a system look at Cops, Tiger and Lsat for example.
Logwatch, logsentry etc etc. Freshmeat.
GRSecurity has several options for logging user activity, there are also LKM's out there that will log for the exec family.
There's also a Bash patch that can log keystrokes to syslog or remote.
5.3 Special Accounts
Not interested? Look at the Default Password List:
http://www.phenoelit.de/dpl/dpl.html :-]
Point six. There are no-access shells out there that can log an attempt to syslog.
5.4 root Account
Also watch out for LD_SO_PRELOAD.
Section II. The Basic Operating System: 6.0 System Monitoring //I'll have no notes for this.
Section III. Major Services //I'll have no notes for this, move on to Section V. Appendixes.
Section V. Appendixes
Chkwtmp and chklastlog are included in chkrootkit.
*Chkrootkit has (AFAIK) a problem with recognizing promiscuous device in linux-2.4x due to device driver flag handling.
Haven't seen a resolve for this.
PLEASE CORRECT ME IF I'M WRONG!
In addition to the tools listing, maybe look here as well:
Top 50 tools:
http://www.insecure.org/tools.html
CERIAS, huge archive:
http://www.cerias.purdue.edu/coast/a...ory_index.html
CERT:
http://www.cert.org/other_sources/tool_sources.html
OSSTM Tools listing:
http://www.isecom.org/projects/operationaltools.htm
CERT: Other Sources of Security Books and Articles:
http://www.cert.org/other_sources/books.html
References:
[1] RedHat Linux KickStart HOWTO:
http://www.redhat.com/mirrors/LDP/HO...art-HOWTO.html
[2] UNIX Security Checklist v2.0:
http://www.cert.org/tech_tips/unix_s...cklist2.0.html
[3] The process of hardening Linux:
http://www.sans.org/rr/linux/hardening.php
[4] The Twenty Most Critical Internet Security Vulnerabilities:
http://www.sans.org/top20/
[5] GRSecurity:
http://www.grsecurity.net
===
Ok. This concludes my contribution to the 2nd part: configuring.
Hope you enjoy it and
please add your tools, procedures and comments.
//and please keep this thread
on topic.
