
Bastille Linux: Past, Present and Future. Jay Beale, Lead Developer, Bastille Linux


Presentation Transcript


  1. Bastille Linux: Past, Present and Future. Jay Beale, Lead Developer, Bastille Linux; President, JJB Security Consulting.

  2. Bastille Linux: a security hardening script for Linux and Unix. Red Hat 7.3; Mandrake 8.2; Turbo 7.0; SuSE 7.2; Debian current; HP-UX 11.x.

  3. Bastille Linux, more operating systems: Solaris; OpenBSD (SSH worm, anyone?); FreeBSD?

  4. Sample Screen.

  5. What Does Bastille Do? 1/3: Firewall; Set-UID and permissions audit.

  6. What Does Bastille Do? 2/3: Deactivate unnecessary stuff; tighten configurations of the remaining stuff.

  7. What Does Bastille Do? 3/3: Educate users and admins (they have guns pointed at their boots).

  8. Why Do I Need It? Shipped defaults are not optimized for security. Users need ease-of-use, programmers want convenience, and neither groks security.

  9. But Why Do I Need Security? 1/4: You're targeted by clueful hackers (even if you're not interesting) because you're one hop on the way to the real target.

  10. But Why Do I Need Security? 2/4: You're targeted by script kiddies... because you have an IP address! (That got picked up as vulnerable by their vulnerability scanners.)

  11. But Why Do I Need Security? 3/4: You're targeted by worms... Slightly smarter than script kiddies, but fully automated. Easy to defeat, with hardening!

  12. But Why Do I Need Security? 4/4: Script kiddies choose your box at random to: run their IRC bots; run their IRC server; serve as an exchange point for files, filez...; attack other machines with DoS/DDoS programs; brag about how many random machines they 0wn; <your use here>.

  13. How Does It Work? 1/2: Minimize points of entry: network daemons; user-accessible programs.

  14. How Does It Work? 2/2: Prevent privilege escalation: set-UID programs let me turn my user "nobody" access into root!

  15. But Does It Work? Bastille was written before most of the security vulnerabilities in Red Hat 6.0 were discovered. It could stop or contain almost all of them.

  16. Vulnerabilities Stopped - Red Hat 6.0: BIND - remote root; wu-ftpd - remote root; userhelper - local root; lpd + sendmail - remote root; dump/restore - local root; gpm - console local root.

  17. Vulnerabilities Not Stopped - RH 6.0: nmh - local root?; man - whatever user runs it.

  18. So Who's Using It? You tell me! MandrakeSoft had it in their distribution. Red Hat has talked about integrating it. SGI sold appliances with it loaded. Guardent/foo uses it in some appliance. Estimated around 75,000-150,000 people?

  19. Capabilities: 2.0 release. Intelligence - "requires" tags. X or Curses configuration. Reusable config file, with consistency checking.

  20. Where We're Going Soon: More content (this talk will demonstrate). Growing to run on more platforms: Solaris first. Enterprise features.

  21. Firewall: Configure a default-deny firewall for a masquerading network, or for a single machine.

  22. Firewall: Firewall off daemons, but also harden/remove them. Why both?

  23. Defense in Depth: Protect each service or possible vulnerability through multiple means, so that if one fails, the remaining methods keep your machine from being compromised.

  24. File Permissions: File permissions audit. Want to do something more comprehensive! Educate newbies about groups?

  25. SUID Audit: Blocking all paths to root! Real example: UserRooter (userhelper).

  26. SUID Audit 1/2: mount/umount*; ping; traceroute; dump/restore*; cardctl. (* = has been vulnerable in the past 3 years)

  27. SUID Audit 2/2: at; dosemu; inn tools; lpr/lp*; r-tools*; usernetctl.
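The audit the two SUID slides describe, as an added shell example rather than Bastille's own code: it lists set-UID binaries that are not on an allow-list (the list of names to keep is an assumption) so that programs such as those named above surface for review before the bit is removed.

```sh
#!/bin/sh
# Added example, not Bastille's code: enumerate set-UID binaries under a tree
# and report those not on an allow-list, so the programs the slides name
# (mount/umount, ping, traceroute, dump/restore, cardctl, at, lpr, r-tools, ...)
# surface for review. Removing the bit is the admin's call: chmod u-s <path>.

# Basenames that normally must keep set-UID (assumed list; tune per site).
SUID_ALLOW="su passwd sudo"

# Is $1 on the allow-list? Returns 0 if yes, 1 otherwise.
suid_allowed() {
    for ok in $SUID_ALLOW; do
        if [ "$1" = "$ok" ]; then
            return 0
        fi
    done
    return 1
}

# Print the path of every set-UID file below $1 that is not allow-listed.
# In production add "-user root" to the find, since only root-owned set-UID
# binaries are paths to root; the constructed test data is not root-owned.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while read -r path; do
        if ! suid_allowed "$(basename "$path")"; then
            echo "$path"
        fi
    done
}

# Number of flagged binaries, usable as a hardening metric or alert condition.
audit_suid_count() {
    audit_suid "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh suid_audit.sh /bin /sbin /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    for d in "$@"; do
        audit_suid "$d"
    done
fi
```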

  28. Account Security: Protect the users' accounts. Enforce good policies to prevent privilege escalation.

  29. Account Security: Protect rhosts via PAM; password aging; restrict cron; umask; root TTY logins.

  30. Boot Security: Password protect LILO; password protect runlevel 1.

  31. Secure Inetd: Deactivate Telnet; deactivate FTP; ...

  32. Applied Minimalism: Since crackers may discover an exploitable vulnerability in any service running with privilege, minimize both the number of these services and their levels of privilege.

  33. Miscellaneous PAM: Mandatory system resource limits: prevent core dumps; limit the number of processes per user; filesize limit 100mb.

  34. Logging: Lots of extra logging; remote logging host; process accounting.

  35. Killing Daemons 1/2: apmd; nfs/portmapper*; samba; atd; pcmcia; dhcp server (*?).

  36. Killing Daemons 2/2: gpm*; news server*; routing daemons; NIS; SNMPd*.

  37. Sendmail: Reduce the attacker's access to Sendmail. Remove recon. commands. Run sendmail as a non-root process via inetd/xinetd.

  38. Postfix? Sendmail's security vulnerability history is rich! Why? Consider Postfix, by Wietse Venema, author of TCP Wrappers. Modular, safer design!

  39. DNS - BIND: Secure BIND. Historical note: we secured BIND before the remote root exploits were released. Philosophy: harden it now, before the bugs are discovered!

  40. Hardening BIND 1/2, CONTAINMENT: chroot; run as user/group dns.

  41. Hardening BIND 2/2: Restrict queries to a set of hosts; restrict zone transfers to a set of hosts; choose a random version string; offer to configure views in BIND 9.
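The items on the two BIND slides as a named.conf fragment; this is an added example, not the configuration Bastille generates. The chroot path, the user name dns, the address ranges, the zone name and the file names are assumptions.

```conf
// Added example, not Bastille output. Containment (slide 40) is done on the
// command line rather than here: named -u dns -t /home/dns
// (the group follows the user's primary group; chroot path assumed).

acl "trusted"     { 127.0.0.1; 192.168.1.0/24; };  // hosts allowed to query
acl "secondaries" { 192.168.1.53; };               // hosts allowed zone transfers

options {
    directory "/var/named";       // relative to the chroot
    version "not available";      // Bastille picks a random string; any
                                  // value that is not the real version works
    allow-query    { trusted; };  // restrict queries to a set of hosts
    allow-transfer { secondaries; }; // restrict zone transfers likewise
};

// BIND 9 views: internal clients get the full zone plus recursion,
// everyone else gets a minimal zone and no recursion.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    zone "example.com" { type master; file "internal/example.com.db"; };
};

view "external" {
    match-clients { any; };
    allow-query { any; };
    recursion no;
    zone "example.com" { type master; file "external/example.com.db"; };
};
```

With views in use, every zone (including the root hints) must live inside a view; the fragment omits the hints zone for brevity.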

  42. Hardening Apache 1/3: Deactivate Apache? Bind Apache to localhost?

  43. Hardening Apache 2/3: Symlinks; Server Side Includes; CGI scripts; indices.

  44. Hardening Apache 3/3: Removing modules; removing handlers; restricting .htaccess overrides.
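The three Apache slides as an httpd.conf fragment; an added example, not the edits Bastille makes. The document root, the shared directory and the module names are assumptions.

```apacheconf
# Added example, not Bastille's own edits.

# Slide 42: if the server is only needed locally, bind it to the loopback
# interface so it is not reachable from the network at all.
Listen 127.0.0.1:80

# Slide 43: for the document root (path assumed) turn off symlink following,
# server-side includes, CGI execution and directory listings.
<Directory "/var/www/html">
    Options -FollowSymLinks -Includes -ExecCGI -Indexes
    # Slide 44: per-directory .htaccess files may not re-enable any of these.
    AllowOverride None
</Directory>

# Where symlinks are genuinely needed, allow only those whose target has the
# same owner as the link, which blocks a user linking to files they do not own.
<Directory "/var/www/html/shared">
    Options +SymLinksIfOwnerMatch
</Directory>

# Slide 44: modules and handlers that are not needed stay unloaded (names are
# the stock module names; comment them out rather than loading them).
# LoadModule cgi_module     modules/mod_cgi.so
# LoadModule include_module modules/mod_include.so
# AddHandler cgi-script .cgi
```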

  45. FTP: FTP is Really Bad(tm)! Unauthenticated data transfer channel (file theft); bad authentication on the command channel; takeover issues (cleartext session). Try to replace it: HTTP for downloads? SFTP for password-ed user uploads?

  46. Hardening FTP 1/2: Deactivate anonymous mode; deactivate normal user mode.

  47. Hardening FTP 2/2: Apply path filters to all filenames used; deactivate compression/tar-ing (external programs); choose the version string randomly; chroot normal users via 'guest' accounts; require RFC 822-compliant e-mail addresses; disable all dynamic 'message file' parsing/delivery; create a less useful upload area; log transfers, commands and security violations.

  48. Speaker Bio: Jay Beale is the Lead Developer of Bastille Linux and an independent security consultant/trainer. Mandrake. He's currently working on a book on Locking Down Linux for Addison Wesley. Read more of his articles on: http://www.bastille-linux.org/jay
