Locking Down Your FreeBSD Install Black Hat 6 Rich Murphey
Post on 06-Jan-2016

Page 1: Locking Down Your FreeBSD Install

Locking Down Your FreeBSD Install

Black Hat 6, Rich Murphey

Black Hat 6 slide 2

Locking Down Your FreeBSD Install

Black Hat 6 slide 3

Locking Down Your FreeBSD Install

Establish a Security Policy

Black Hat 6 slide 4

Security Management

(Cycle diagram, centred on Policy.)

Policy

Plan

Act: Harden, Access Control

React: Monitor, Audit

Black Hat 6 slide 5

Security Policy

A high-level overall plan embracing the general goals and acceptable procedures.

Black Hat 6 slide 6

Formulating Policy

What are the goals?

What are the procedures?

What is the impact?

Black Hat 6 slide 7

Formulating Policy

What are the goals? What, why, who.

What are the procedures? Roles and responsibilities.

What is the impact? Network, applications, users.

Black Hat 6 slide 8

Policy Example

How does one define a firewall policy…

Black Hat 6 slide 9

Policy Example

"Don't talk to strangers."

"In God we trust. All else we monitor."

Black Hat 6 slide 10

Policy Example

"Don't talk to strangers." Authenticate everything.

"In God we trust. All else we monitor." Log all exceptions.

Black Hat 6 slide 11

Policy Example

How do we lock down FreeBSD?

Default Deny

Authenticate Everything

Log All Exceptions

Black Hat 6 slide 12

Default Deny

Block non-routable (RFC 1918 and other reserved) source addresses, spoofed packets that claim an inside source address on the outside interface, and source-routed IP.

Allow TCP only from specific subnets to specific ports; everything else is denied, and the denials are logged.

Black Hat 6 slide 13

Authenticate Everything

Narrow anonymous services: TFTP, FTP, HTTP.

Disable clear-text authentication: telnet, FTP, HTTP.

Enforce strong authentication: SSH, HTTP over SSL.

Audit (log) all authentication.

Black Hat 6 slide 14

Log All Exceptions

Spoofing

Denied access

Plus, run Snort.

Black Hat 6 slide 15

Elements of Security Policy

Act: Harden, Control access.

React: Assess, Monitor.

Black Hat 6 slide 16

Hardening the Network

IP Stack

Firewall rules

Inetd/TCP Wrappers

Control access

Black Hat 6 slide 17

IP Stack

Log connection attempts to ports with no listener:

# sysctl -w net.inet.tcp.log_in_vain=1

# sysctl -w net.inet.udp.log_in_vain=1

To keep the setting across reboots put net.inet.tcp.log_in_vain=1 and net.inet.udp.log_in_vain=1 in /etc/sysctl.conf. Every attempt becomes a kernel syslog line, so a port scan produces a lot of log volume; have log rotation and log monitoring in place before turning this on.

Black Hat 6 slide 18

IPFW Firewall

In /etc/rc.conf:

firewall_enable="YES"

firewall_type="SIMPLE"

firewall_logging="YES"

firewall_type selects one of the rulesets in /etc/rc.firewall (open, client, simple, closed) or names a file of ipfw rules; the simple ruleset has interface and network variables at the top of its section that must be edited for your site first. firewall_logging turns on net.inet.ip.fw.verbose, without which the log keyword in a rule does nothing. Load a new ruleset from the console: with a default-deny kernel (options IPFIREWALL without IPFIREWALL_DEFAULT_TO_ACCEPT) a mistake in the rules locks you out of a remote machine.
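The default-deny policy of slide 12 (block non-routable, spoofed and source-routed packets; allow TCP only from specific subnets to specific ports) written as an ipfw ruleset in the style of /etc/rc.firewall. This is an added example, not code from the deck: the interface name fxp0, the addresses (documentation ranges) and the allowed subnet/port list are assumptions. By default it prints the ipfw commands instead of loading them; set fwcmd=/sbin/ipfw to apply it, or point firewall_script at it in rc.conf.

```shell
#!/bin/sh
# Added example, not from the slides: a default-deny ipfw ruleset in the
# style of /etc/rc.firewall.  Interface and addresses are assumptions
# (documentation ranges), as is the allowed subnet/port list.

oif="${oif:-fxp0}"                # outside interface (assumed name)
myip="${myip:-198.51.100.10}"     # this host's address on $oif
inet="${inet:-198.51.100.0/24}"   # our own network: a packet with this
                                  # source arriving on $oif is a spoof
# Subnets that may open TCP connections, one "subnet port" pair per line.
allowed='203.0.113.0/24 22
198.51.100.0/24 80'
# Non-routable or reserved source addresses that never legitimately
# arrive from outside.
bogons="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4"

# Dry run by default: the ipfw commands are printed, not loaded.  Set
# fwcmd=/sbin/ipfw to apply them, from the console rather than over ssh.
fwcmd="${fwcmd:-echo ipfw}"

build_ruleset() {
    $fwcmd -f flush
    # Loopback traffic is fine; 127/8 on a real interface never is.
    $fwcmd add 100 allow all from any to any via lo0
    $fwcmd add 110 deny log all from any to 127.0.0.0/8
    $fwcmd add 120 deny log all from 127.0.0.0/8 to any
    # Source-routed IP: one rule per option, because an ipoptions list
    # matches only when every listed option is present.
    for opt in ssrr lsrr; do
        $fwcmd add 200 deny log all from any to any ipoptions $opt
    done
    # Spoofs: our own address space claimed by a packet coming in from outside.
    $fwcmd add 300 deny log all from $inet to any in via $oif
    # Non-routable sources coming in, and anything leaking out towards them.
    for net in $bogons; do
        $fwcmd add 310 deny log all from $net to any in via $oif
        $fwcmd add 320 deny log all from any to $net out via $oif
    done
    # Packets of TCP connections already set up (ACK or RST set) pass.
    $fwcmd add 400 allow tcp from any to any established
    # New inbound connections (SYN only) solely from the listed subnets
    # to the listed ports on this host.
    printf '%s\n' "$allowed" | while read -r net port; do
        if [ -n "$net" ]; then
            $fwcmd add 500 allow tcp from $net to $myip $port in via $oif setup
        fi
    done
    # This host may start its own outbound connections.
    $fwcmd add 510 allow tcp from $myip to any out via $oif setup
    # Every other connection attempt is logged, then the default: deny all.
    $fwcmd add 600 deny log tcp from any to any setup
    $fwcmd add 65000 deny log all from any to any
}

build_ruleset
```

Two things to keep in mind. The established rule is stateless: any packet with ACK or RST set passes it, which is exactly what an ACK scan sends to map a firewall; ipfw's keep-state/check-state dynamic rules are the stateful alternative. And the policy really is TCP-only, as on slide 12: DNS or NTP over UDP needs explicit rules, or the replies are dropped by rule 65000.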

Black Hat 6 slide 19

inetd

inetd is linked with TCP Wrappers and wraps its services by default (inetd_flags in rc.conf: -w for external services, -W for the internal ones).

IPsec policy in inetd.conf: a line beginning with #@ is handed to ipsec_set_policy(3) and applies to the service entries that follow it; a bare #@ line resets the policy.

#@ in ipsec ah/transport//require

#@ out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use

Black Hat 6 slide 20

inetd and TCP Wrappers

/etc/hosts.deny:

ALL: ALL

/etc/hosts.allow:

ALL: LOCAL @some_netgroup

ALL: .foobar.edu EXCEPT terminalserver.foobar.edu

hosts.allow is consulted first, so with ALL: ALL in hosts.deny every service that is not explicitly allowed is refused. Hostname patterns such as .foobar.edu depend on reverse DNS, which the remote side may control; prefer numeric patterns (address/mask) where you can.

% tcpdchk -v    to verify the rules; tcpdmatch daemon client simulates a single request against them.

Black Hat 6 slide 21

IPSec

Key distribution

Authentication

Black Hat 6 slide 22

Hardening FreeBSD

Hardening the Host

Black Hat 6 slide 23

Hardening the Host

Known Vulnerabilities

Install Options

Configuration

Black Hat 6 slide 24

Known Vulnerabilities

zlib – decompress crash

Squid – DNS response crash

mod_frontpage – fpexec overflow

Netscape – JavaScript in GIF

OpenSSH – root buffer overflow

Black Hat 6 slide 25

Fixing Known Vulnerabilities

pkg_add the latest version (pkg_add -r name fetches it; PACKAGESITE overrides the default location):

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable

Caveat: zlib and OpenSSH are part of the base system, not ports, so for those the fix is the patch from the security advisory or a rebuild from source, not pkg_add.

Black Hat 6 slide 26

Secure Level

Can be raised but not lowered, even by root. In /etc/rc.conf:

kern_securelevel_enable="YES"

kern_securelevel="3"

If kern.securelevel > 0, not even root, inside a jail or outside it, can clear the system immutable and append-only file flags.

Only a reboot lowers it. Dropping to single-user mode doesn't.

Black Hat 6 slide 27

Secure Level 1

Cannot remove the system immutable and append-only flags.

Cannot mount file systems.

Cannot write to /dev/mem or /dev/kmem (breaks XFree86!).

Cannot load or unload kernel modules.

Black Hat 6 slide 28

Secure Level 2 (in addition to level 1)

Only mount(8) may open disks for writing.

Time changes are limited to one second.

Secure Level 3 (in addition to level 2)

ipfw and dummynet configuration are fixed.

Black Hat 6 slide 29

Caveats

One must still harden the boot process (loader, autoconfig) because securelevel is set late in the boot process.

Black Hat 6 slide 30

Harden User Land

Protect against free-space exhaustion with disk quotas. In /etc/rc.conf:

check_quotas="YES"

(The kernel needs options QUOTA, and the file system needs the userquota or groupquota mount option.)

Protect against set-uid files in /home and /var by mounting them nosuid. In /etc/fstab:

/dev/ad…  /home  ufs  rw,nosuid,userquota  2  2

Black Hat 6 slide 31

Hardening User Land

Block broadcast/multicast pings. In /etc/sysctl.conf:

net.inet.icmp.bmcastecho=0

Hide logs: keep the authentication log readable by root only. In /etc/newsyslog.conf:

/var/log/authlog  root:wheel  600  3  100  *  Z

(mode 600, keep 3 old copies, rotate at 100 KB, no time-based rotation, compress the rotated copies)

Black Hat 6 slide 32

Harden the executables

chflags schg /kernel

chflags -R schg /bin /sbin

With kern.securelevel at 1 or higher the system-immutable flag cannot be cleared, even by root. The flip side: installing a new kernel or a fresh /bin and /sbin (make installkernel renames /kernel to /kernel.old, which schg forbids) first requires booting to single-user mode, before securelevel is raised, and running chflags noschg.

Black Hat 6 slide 33

Hardening Services

DNS – restrict zone transfers

HTTP – disable CGI

Samba – IP address ACLs

Email – spam, filtering

telnet, FTP, finger – don’t

Black Hat 6 slide 34

SSH - Secure Shell

hosts.allow (sshd is built with TCP Wrappers, so the same hosts.allow/hosts.deny rules apply to it)

RSA (key-based) authentication; turn password authentication off in sshd_config (PasswordAuthentication no)

Listen on a non-standard port (Port in sshd_config). This only cuts scanner noise; the access list and the key requirement are what actually protect the service.

Black Hat 6 slide 35

Auditing

Authentication for:

HTTP

FTP

Samba

telnet and rlogin (via TCP Wrappers)

Black Hat 6 slide 36

Log Monitoring

Use regexp to match 'interesting' log entries and email a periodic report to an administrator.

'Systems Under Siege', Chris Boyd, SANS

Black Hat 6 slide 37

Log Monitoring

Syslog-ng with regex filters

Swatch (Perl)

LogSurfer

LogSentry: tail logfile | grep | mail
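The periodic report described on slides 36 and 37, run over the kinds of entries the deck asks for: the log_in_vain lines from slide 17, TCP Wrappers refusals, sshd failures and ipfw deny-log hits. This is an added example, not code from the deck or from any of the tools listed above. The log lines it is run on are constructed to mimic the FreeBSD 4 message formats; the host name and addresses in them are invented.

```shell
#!/bin/sh
# Added example, not from the slides: a periodic "systems under siege" report
# in the spirit of the tail | grep | mail tools on slide 37.  It reads syslog
# lines on stdin, counts interesting events per source address and prints one
# line per host, busiest first.

# Constructed sample input mimicking FreeBSD 4 formats (host name and
# addresses are invented; 198.51.100.10 plays the protected host):
#   - kernel log_in_vain lines (slide 17)
#   - TCP Wrappers refusals, as logged by sshd (libwrap) and by inetd -w
#   - an sshd authentication failure
#   - an ipfw "deny log" hit
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 02:14:07 bastion /kernel: Connection attempt to TCP 198.51.100.10:23 from 203.0.113.77:4123 flags:0x2
Mar  3 02:14:08 bastion /kernel: Connection attempt to UDP 198.51.100.10:69 from 203.0.113.77:4124
Mar  3 02:15:30 bastion sshd[512]: refused connect from 203.0.113.77
Mar  3 02:16:01 bastion sshd[513]: Failed password for root from 203.0.113.77 port 4200 ssh2
Mar  3 02:16:40 bastion sshd[520]: Accepted publickey for rich from 198.51.100.20 port 51000 ssh2
Mar  3 02:17:02 bastion /kernel: ipfw: 65000 Deny TCP 203.0.113.77:4300 198.51.100.10:111 in via fxp0
Mar  3 02:18:15 bastion inetd[530]: refused connection from 192.0.2.9, service ftp (tcp)
EOF
)

# siege_report [min_events]  < logfile
# Hosts with fewer than min_events (default 1) matching lines are dropped,
# which is how a single stray probe is kept out of the daily mail.
siege_report() {
    min="${1:-1}"
    awk -v min="$min" '
    # Return the dotted quad that follows "key" on this line, or "" if none.
    function ip_after(key,    m, cnt, parts) {
        if (match($0, key " +[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+")) {
            m = substr($0, RSTART, RLENGTH)
            cnt = split(m, parts, " ")
            return parts[cnt]
        }
        return ""
    }
    function note(kind, h) { if (h != "") { ev[kind, h]++; tot[h]++ } }
    /Connection attempt to (TCP|UDP) / { note("in_vain", ip_after("from")); next }
    /refused connect(ion)? from/       { note("wrapper", ip_after("from")); next }
    /sshd\[[0-9]+\]: Failed /          { note("sshfail", ip_after("from")); next }
    /ipfw: [0-9]+ Deny /               { note("fwdeny", ip_after("Deny [A-Z]+")); next }
    END {
        for (h in tot)
            if (tot[h] >= min)
                printf "%d %s in_vain=%d wrapper=%d sshfail=%d fwdeny=%d\n",
                    tot[h], h, ev["in_vain", h] + 0, ev["wrapper", h] + 0,
                    ev["sshfail", h] + 0, ev["fwdeny", h] + 0
    }' | sort -rn
}

# Report on the constructed sample; an optional threshold filters it.
sample_report() {
    printf '%s\n' "$SAMPLE_LOG" | siege_report "$@"
}

sample_report
```

From cron this becomes the slide's e-mailed report, for instance siege_report 3 < /var/log/messages | mail -s "siege report" root, with /var/log/authlog from slide 45 as a second input for the sshd lines. The per-host totals are what make the output readable under a scan: one line per source instead of one per probe.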

Black Hat 6 slide 38

Host-Based Intrusion Detection

Tripwire/AIDE

Systrace

Black Hat 6 slide 39

Tripwire/AIDE

Detect file adds, deletes and modifications by recording, for each file:

File permissions

Inode number, number of links

User ID of owner, group ID of owner

File type, file size

Device number that stores the inode

Device number that the inode points to

Number of blocks allocated

Modification timestamp

Inode creation/modification timestamp

Access timestamp

Black Hat 6 slide 40

Systrace: a Black Hat zero-day tool!

Like TCP Wrappers, but for system calls.

Filters on:

specific routines: open(), fork(), exec(), etc.

specific arguments: filename, file mode, etc.

FreeBSD version on the conference CD-ROM!

More details in the Defcon talks:

"FreeBSD Exploits and Remedies"

"Intrusion Prevention with Systrace for FreeBSD"

Black Hat 6 slide 41

Systrace

A policy for ftpd. Policies live in ~/.systrace or /etc/systrace, in a file named after the binary's path with each / replaced by _ (here usr_libexec_ftpd):

Policy: /usr/libexec/ftpd, Emulation: native
    native-open: filename eq "$HOME" and oflags sub "ro" then permit
    native-open: filename eq "/etc" then deny[eperm], if group != wheel
    native-fchdir: permit
    native-stat: permit

With -a (automatic policy enforcement) systrace does not prompt; a system call the policy does not cover is denied.

Black Hat 6 slide 42

Network-Based Intrusion Detection

Snort

ACID (Analysis Console for Intrusion Databases), a web front end for Snort alerts

Black Hat 6 slide 43

Honeypots

Use inetd.conf to provide honeypot services.

Use hosts.allow to log each connection to them.

Black Hat 6 slide 44

Countermeasures

Trace route back to the source.

Firewall rules to shut it out.

A booby trap in /etc/hosts.deny (the classic hosts_access(5) example; on FreeBSD mail lives in /usr/bin rather than /usr/ucb):

in.tftpd: ALL: (finger -l @%h | /usr/ucb/mail -s %d-%h root) &

Caveats: the line must come before ALL: ALL in hosts.deny, since the first matching line wins; and the finger-back tells a watchful attacker they were noticed and returns data they control.

Black Hat 6 slide 45

Monitoring

In /etc/syslog.conf (selector and action separated by a tab):

auth.*;authpriv.*	/var/log/authlog

Black Hat 6 slide 46

Keeping Abreast of Vulnerabilities

CERT announcements: subscribe to the security notifications list:

echo "subscribe freebsd-security-notifications" | mail [email protected]

(the list server address is obfuscated in this transcript)

Archive of announcements: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories

Black Hat 6 slide 47

Future

ACLs - finer grained access controls.

Robert Watson’s ACLs for VFS, still need UFS support.