bh-us-02-murphey-freebsd
Locking Down Your FreeBSD Install
Black Hat 6
Rich Murphey
Black Hat 6 slide 2
Establish a Security Policy
Security Management
Policy
Harden
Access Control
Monitor
Audit
React
Act
Plan
Security Policy
A high-level overall plan embracing the general goals and acceptable procedures.
Formulating Policy
What are the goals?
What are the procedures?
What is the impact?
Formulating Policy
What are the goals? What, why, who.
What are the procedures? Roles and responsibilities.
What is the impact? Network, applications, users.
Policy Example
How does one define a firewall policy…
Policy Example
"Don't talk to strangers."
"In God we trust. All else we monitor."
Policy Example
"Don't talk to strangers." Authenticate everything.
"In God we trust. All else we monitor." Log all exceptions.
Policy Example
How do we lock down FreeBSD?
Default Deny
Authenticate Everything
Log All Exceptions
Default Deny
Block non-routable addresses, spoofed source addresses and source-routed IP.
Allow TCP only from specific subnets to specific ports.
Authenticate Everything
Narrow anonymous services: TFTP, FTP, HTTP.
Disable clear-text authentication: Telnet, FTP, HTTP.
Enforce strong authentication: SSH, SSL/HTTP.
Audit (Log) all authentication.
Log All Exceptions
Spoofing
Denied Access
plus, run Snort.
Elements of Security Policy
Act:
Harden
Control access
React: Assess
Monitor
Hardening the Network
IP Stack
Firewall rules
Inetd/TCP Wrappers
Control access
IP Stack
Log connection attempts to nonexistent servers:
# sysctl -w net.inet.tcp.log_in_vain=1
# sysctl -w net.inet.udp.log_in_vain=1
IPFW Firewall
In /etc/rc.conf:
firewall_enable="YES"
firewall_type="SIMPLE"
firewall_logging="YES"
inetd
inetd uses TCP Wrappers by default.
IPSec policy in inetd.conf:
#@in ipsec ah/transport//require
#@out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
inetd
/etc/hosts.deny:
ALL: ALL
/etc/hosts.allow:
ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
To verify the rules:
% tcpdchk -v
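The allow/deny decision above, worked as an added Python example that is not from the slides: it re-implements tcpd's matching for the tokens the slide uses (ALL, LOCAL, @netgroup, .domain, EXCEPT) so you can see which client names the two files admit. The netgroup contents are a constructed stand-in for NIS; tcpdchk remains the real check on a live host.

```python
import re

# Constructed stand-in for the NIS netgroup (tcpd would call innetgr(3)).
NETGROUPS = {"some_netgroup": {"ws1.foobar.edu", "ws2.foobar.edu"}}
HOSTS_ALLOW = """
ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
"""
HOSTS_DENY = "ALL: ALL\n"

def token_matches(token, host):
    """One client token: ALL, LOCAL (name without a dot), @netgroup, .suffix or exact name."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in host
    if token.startswith("@"):
        return host in NETGROUPS.get(token[1:], set())
    if token.startswith("."):
        return host.endswith(token)
    return token == host

def list_matches(spec, host):
    """'a b EXCEPT c': match any token on the left and none on the right."""
    parts = re.split(r"\s+EXCEPT\s+", spec.strip(), maxsplit=1)
    hit = any(token_matches(t, host) for t in parts[0].split())
    exc = len(parts) > 1 and any(token_matches(t, host) for t in parts[1].split())
    return hit and not exc

def file_matches(text, daemon, host):
    """First 'daemons: clients[: shell command]' line matching both fields wins."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = [f.strip() for f in line.split(":", 2)[:2]]
        if list_matches(daemons, daemon) and list_matches(clients, host):
            return True
    return False

def access(daemon, host, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: a hosts.allow match grants, then a hosts.deny match refuses, else grant."""
    if file_matches(allow, daemon, host):
        return "permit"
    if file_matches(deny, daemon, host):
        return "deny"
    return "permit"
```

With the slide's files, `access("ftpd", "terminalserver.foobar.edu")` returns "deny" because the EXCEPT clause removes it from the allow line and `ALL: ALL` then catches it.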
IPSec
Key distribution
Authentication
Hardening FreeBSD
Hardening the Host
Known Vulnerabilities
Install Options
Configuration
Known Vulnerabilities
zlib – decompress crash
Squid - DNS response crash
mod_frontpage - fpexec overflow
Netscape - JavaScript in GIF
OpenSSH - root buffer overflow
Fixing Known Vulnerabilities
pkg_add the latest version
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable
Secure Level
Can be raised but not lowered, even by root. In /etc/rc.conf:
kern_securelevel_enable="YES"
kern_securelevel="3"
If kern.securelevel > 0, even root within a jail cannot set file flags.
Only rebooting lowers it. Dropping to single user mode doesn’t.
Secure Level 1
Cannot remove immutable and append-only flags.
Cannot mount file systems
Cannot write to /dev/mem or /dev/kmem. Breaks XFree86!
Cannot load kernel modules.
Secure Level 2
Only `mount' may open disks for writing.
Time changes are limited to one second.
Level 3:
ipfw and dummynet configuration are fixed.
Caveats
One must still harden the boot process (loader, autoconfig) because securelevel is set late in the boot process.
Harden User Land
Protect against free space exhaustion in rc.conf:
check_quotas="YES"
Protect against set-uid files in /home and /var with the mount options in /etc/fstab:
/dev/ad… /home ufs rw,nosuid,userquota
Hardening User Land
Block broadcast/multicast pings, in /etc/sysctl.conf (the full MIB name is required for the setting to take effect):
net.inet.icmp.bmcastecho=0
Hide logs, in /etc/newsyslog.conf:
/var/log/authlog root:wheel 600 3 100 * Z
Harden the executables
chflags schg /kernel
chflags -R schg /bin /sbin
(chflags(1) has no -F option; -R applies the system-immutable flag recursively to the directory trees.)
Hardening Services
DNS – restrict zone transfers
HTTP – disable CGI
Samba – IP address ACLs
Email – spam, filtering
telnet, FTP, finger – don’t
SSH - Secure Shell
hosts.allow
RSA authentication
Listen on a non-standard port
Auditing
Authentication for:
HTTP
FTP
Samba
Telnet, Rlogin wrappers
Log Monitoring
Use regexp to match 'interesting' log entries and email a periodic report to an administrator.
'Systems Under Siege', Chris Boyd, SANS
Log Monitoring
Syslog-ng w/regex
Swatch - perl
LogSurfer
LogSentry - tail logfile | grep | mail
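One concrete form of the regexp-and-report approach, as an added Python example that is not from the slides or from any of the tools listed: it classifies the exception events earlier slides asked to log (log_in_vain connection attempts, ipfw denies, failed SSH logins) over constructed sample syslog lines and builds the per-source report an administrator would receive by mail. Successful logins deliberately match nothing.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (FreeBSD 4.x format) from log_in_vain, ipfw
# logging and sshd; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jul 30 02:11:07 gw /kernel: Connection attempt to TCP 10.0.0.5:23 from 192.0.2.44:33211
Jul 30 02:11:09 gw /kernel: Connection attempt to UDP 10.0.0.5:161 from 192.0.2.44:33212
Jul 30 02:12:40 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:4444 10.0.0.5:139 in via fxp0
Jul 30 02:13:02 gw sshd[412]: Failed password for root from 198.51.100.9 port 50122 ssh2
Jul 30 02:13:05 gw sshd[412]: Failed password for root from 198.51.100.9 port 50123 ssh2
Jul 30 02:14:11 gw sshd[420]: Accepted publickey for rich from 10.0.0.7 port 1022 ssh2
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# 'Interesting' patterns; group 1 of each is the source address. Successful
# logins have no pattern on purpose: only the exceptions are reported.
PATTERNS = [
    ("in_vain", re.compile(r"Connection attempt to (?:TCP|UDP) \S+ from " + IP)),
    ("ipfw_deny", re.compile(r"ipfw: \d+ Deny \S+ " + IP + r"(?::\d+)? ")),
    ("auth_fail", re.compile(r"Failed \S+ for \S+ from " + IP)),
]

def classify(line):
    """Return (event_class, source_ip) for an interesting line, else None."""
    for name, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return name, m.group(1)
    return None

def summarize(text):
    """Count events per source address: {ip: Counter({class: n})}."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            per_ip[hit[1]][hit[0]] += 1
    return per_ip

def report(per_ip, fail_threshold=2):
    """Render the periodic report (piped to mail(1) from cron in practice);
    sources with fail_threshold or more failed logins are flagged."""
    out = []
    for ip, counts in sorted(per_ip.items(), key=lambda kv: -sum(kv[1].values())):
        flag = "  <-- repeated auth failures" if counts["auth_fail"] >= fail_threshold else ""
        out.append(f"{ip:<16}" + " ".join(f"{k}={v}" for k, v in sorted(counts.items())) + flag)
    return "\n".join(out)
```

Run over the sample, `report(summarize(SAMPLE_LOG))` lists 198.51.100.9 first (one ipfw deny plus two failed logins, flagged) and 192.0.2.44 second (two log_in_vain hits); the accepted login from 10.0.0.7 does not appear.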
Host-Based Intrusion Detection
Tripwire/AIDE
Systrace
Tripwire/AIDE
File adds, deletes, modifications
File permissions
Inode number, number of links
User id of owner,group id of owner
File type, file size
Device number that stores the inode.
Device number that the inode points to.
Number of blocks allocated
Modification timestamp
Inode creation/modification timestamp
Access timestamp
SysTrace
A Black Hat Zero Day Tool!
Like tcpwrappers but for syscalls.
Filters:
specific routines: open(), fork(), exec(), etc.
specific arguments: filename, file mode, etc.
FreeBSD version on the conference CDROM!
More details at Defcon Talks:
"FreeBSD Exploits and Remedies"
"Intrusion Prevention with SysTrace for FreeBSD"
SysTrace
Policy: /usr/libexec/ftpd, Emulation: native
native-open: filename eq "$HOME" and oflags sub "ro" then permit
native-open: filename eq "/etc" then deny[eperm], if group != wheel
native-fchdir: permit
native-stat: permit
Network-Based Intrusion Detection
Snort
ACID
Honeypots
Use inetd.conf to provide honeypot services.
Use hosts.allow to log each connection to them.
Countermeasures
Trace route
Firewall rules
/etc/hosts.deny:
in.tftpd: ALL: (finger -l @%h | /usr/ucb/mail -s %d-%h root) &
Monitoring
In /etc/syslog.conf:
auth.*;authpriv.*	/var/log/authlog
(syslog.conf separates selectors with ';' and the selector from the action with a tab.)
Keeping Abreast of Vulnerabilities
CERT announcements:
echo "subscribe freebsd-security-notifications" | mail [email protected]
Archive of announcements: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories
Future
ACLs - finer grained access controls.
Robert Watson’s ACLs for VFS, still need UFS support.