
Locking Down Your FreeBSD Install




  1. Locking Down Your FreeBSD Install. Black Hat 6, Rich Murphey

  2. Locking Down Your FreeBSD Install

  3. Locking Down Your FreeBSD Install Establish a Security Policy

  4. Security Management: Policy, Plan, Access Control, Audit, React, Act, Monitor, Harden.

  5. Security Policy A high-level overall plan embracing the general goals and acceptable procedures.

  6. Formulating Policy • What are the goals? • What are the procedures? • What is the impact?

  7. Formulating Policy • What are the goals? • What, Why, Who. • What are the procedures? • Roles and Responsibilities. • What is the impact? • Network, applications, users.

  8. Policy Example How does one define a firewall policy…

  9. Policy Example "Don't talk to strangers." "In God we trust. All else we monitor."

  10. Policy Example "Don't talk to strangers." Authenticate Everything. "In God we trust. All else we monitor." Log All Exceptions.

  11. Policy Example How do we lock down FreeBSD? • Default Deny • Authenticate Everything • Log All Exceptions

  12. Default Deny Block non-routable addresses, spoofed packets and source-routed IP. Allow TCP only from specific subnets to specific ports.

  13. Authenticate Everything • Narrow anonymous services • TFTP, FTP, HTTP. • Disable clear-text authentication • telnet, FTP, HTTP. • Enforce strong authentication • SSH, SSL/HTTP. • Audit (log) all authentication.

  14. Log All Exceptions • Spoofing • Denied Access • plus, run Snort.

  15. Elements of Security Policy • Act: • Harden • Control access • React: • Assess • Monitor

  16. Hardening the Network • IP Stack • Firewall rules • Inetd/TCP Wrappers • Control access

  17. IP Stack
      Log connection attempts to nonexistent servers:
        # sysctl -w net.inet.tcp.log_in_vain=1
        # sysctl -w net.inet.udp.log_in_vain=1

  18. IPFW Firewall
      In /etc/rc.conf:
        firewall_enable="YES"
        firewall_type="SIMPLE"
        firewall_logging="YES"

  19. inetd
      inetd uses TCP Wrappers by default. IPSec policy in inetd.conf:
        #@in ipsec ah/transport//require
        #@out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use

  20. inetd
      /etc/hosts.deny:
        ALL: ALL
      /etc/hosts.allow:
        ALL: LOCAL @some_netgroup
        ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
      To verify the rules:
        % tcpdchk -v

  21. IPSec Key distribution Authentication

  22. Hardening FreeBSD Hardening the Host

  23. Hardening the Host • Known Vulnerabilities • Install Options • Configuration

  24. Known Vulnerabilities • zlib – decompress crash • Squid - DNS response crash • mod_frontpage - fpexec overflow • Netscape - JavaScript in GIF • OpenSSH - root buffer overflow

  25. Fixing Known Vulnerabilities • pkg_add the latest version • ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable

  26. Secure Level
      • Can be raised but not lowered, even by root.
      • /etc/rc.conf:
        kern_securelevel_enable="YES"
        kern_securelevel="3"
      • If kern.securelevel > 0, even root within a jail cannot set file flags.
      • Only rebooting lowers it. Dropping to single-user mode doesn't.

  27. Secure Level 1 • Cannot remove immutable and append-only flags. • Cannot mount file systems. • Cannot write to /dev/mem or /dev/kmem. • Breaks XFree86!!! • Cannot load kernel modules.

  28. Secure Level 2
      • Only `mount' may open disks for writing.
      • Time changes are limited to one second.
      Secure Level 3:
      • ipfw and dummynet configuration are fixed.

  29. Caveats One must still harden the boot process (loader, autoconfig) because securelevel is set late in the boot process.

  30. Harden User Land
      • Protect against free space exhaustion, in /etc/rc.conf:
        check_quotas="YES"
      • Protect against set-uid files in /home and /var:
        /dev/ad… /home ufs rw,nosuid,userquota

  31. Hardening User Land
      • Block broadcast/multicast pings, in /etc/sysctl.conf:
        net.inet.icmp.bmcastecho=0
      • Hide logs, in /etc/newsyslog.conf:
        /var/log/authlog root:wheel 600 3 100 * Z

  32. Harden the executables (chflags takes -R for recursion, not -F):
      • chflags schg /kernel
      • chflags -R schg /bin /sbin
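As an added example (not from the slides), a small sh audit that reads an rc.conf and a sysctl.conf and reports which of the settings from slides 17, 18, 26, 30 and 31 are missing or weaker than recommended; the two sample config files are constructed, and the ping sysctl is written with its full name, net.inet.icmp.bmcastecho.

```shell
#!/bin/sh
# Added example (not from the slides): audit rc.conf and sysctl.conf against the
# settings recommended on slides 17, 18, 26, 30 and 31. The two sample files are
# constructed; on a live host pass /etc/rc.conf and /etc/sysctl.conf instead.
RC_WANT='firewall_enable=YES firewall_logging=YES kern_securelevel_enable=YES kern_securelevel=3 check_quotas=YES'
SYSCTL_WANT='net.inet.tcp.log_in_vain=1 net.inet.udp.log_in_vain=1 net.inet.icmp.bmcastecho=0'

# Constructed samples: a partly hardened host (securelevel too low, keys missing).
write_sample_configs() {
    cat > "$1" <<'EOF'
firewall_enable="YES"
firewall_type="SIMPLE"
kern_securelevel_enable="YES"
kern_securelevel="1"
EOF
    cat > "$2" <<'EOF'
net.inet.tcp.log_in_vain=1
# net.inet.udp.log_in_vain=1   (commented out, so not in effect)
net.inet.icmp.bmcastecho=0
EOF
}

# Print the value of key $2 in sh-style config file $1 (last setting wins,
# comments and quotes stripped); print nothing if the key is absent.
conf_value() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"' | tr -d "'"
}

# Compare file $1 with the space-separated key=value list $2: one line per
# problem, and the exit status is the number of problems (0 = compliant).
audit_conf() {
    problems=0
    for want in $2; do
        key=${want%%=*}; val=${want#*=}
        have=$(conf_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $val)"; problems=$((problems + 1))
        elif [ "$have" != "$val" ]; then
            echo "WEAK $key=$have (want $val)"; problems=$((problems + 1))
        fi
    done
    return $problems
}
# Demo run on the constructed samples (exit status deliberately ignored here).
RC=$(mktemp); SC=$(mktemp)
write_sample_configs "$RC" "$SC"
audit_conf "$RC" "$RC_WANT" || :; audit_conf "$SC" "$SYSCTL_WANT" || :
rm -f "$RC" "$SC"
```

From cron, the non-zero exit status of audit_conf is what should trigger the alert, since a setting silently dropped from rc.conf is exactly the drift the securelevel slides warn about.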

  33. Hardening Services
      • DNS – restrict zone transfers
      • HTTP – disable CGI
      • Samba – IP address ACLs
      • Email – spam filtering
      • telnet, FTP, finger – don't run them

  34. SSH - Secure Shell • hosts.allow • RSA authentication • Listen on a non-standard port

  35. Auditing • Authentication for: HTTP, FTP, Samba, telnet, rlogin • TCP Wrappers

  36. Log Monitoring Use regexp to match 'interesting' log entries and email a periodic report to an administrator. 'Systems Under Siege', Chris Boyd, SANS

  37. Log Monitoring
      • Syslog-ng with regex
      • Swatch (Perl)
      • LogSurfer
      • LogSentry: tail logfile | grep | mail
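As an added example (not from the slides), the "tail | grep | mail" pattern in sh: it filters a constructed syslog sample for the log_in_vain kernel messages from slide 17 and the "refused connect" lines TCP Wrappers logs for hosts.deny hits, then counts them per source address. The message formats are modelled on the FreeBSD kernel and tcpd ones; hostnames and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the slides): a LogSentry-style "grep | mail" report.
# The log below is constructed; on a real host point report() at /var/log/messages.

# Constructed sample in syslog format: two log_in_vain kernel messages for telnet,
# one for tftp, one TCP Wrappers refusal, plus noise that should be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
Jul 31 10:01:02 bsd kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40112
Jul 31 10:01:05 bsd sshd[812]: Accepted publickey for rich from 192.0.2.5 port 50322 ssh2
Jul 31 10:02:11 bsd kernel: Connection attempt to UDP 192.0.2.10:69 from 198.51.100.7:51000
Jul 31 10:03:40 bsd ftpd[901]: refused connect from 198.51.100.9
Jul 31 10:04:00 bsd cron[77]: (root) CMD (/usr/libexec/atrun)
Jul 31 10:05:13 bsd kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40113
EOF
}

# The "interesting" regexp: in-vain connection attempts and wrapper refusals.
interesting_lines() {
    grep -E 'Connection attempt to (TCP|UDP) |refused connect from ' "$1"
}

# One line per (source address, target), most frequent first; the ephemeral
# source port is dropped so repeated probes from one host are counted together.
report() {
    interesting_lines "$1" | awk '
        /Connection attempt/ { split($NF, src, ":"); n[src[1] " -> " $9 " " $10]++ }
        /refused connect/    { svc = $5; sub(/\[.*$/, "", svc); n[$NF " -> " svc]++ }
        END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Periodic job: mail the report to root (run from cron; nothing is sent here).
mail_report() {
    report "$1" | mail -s "suspicious connections on $(hostname)" root
}
```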

  38. Host-Based Intrusion Detection Tripwire/AIDE Systrace

  39. Tripwire/AIDE • File adds, deletes, modifications • File permissions • Inode number, number of links • User id of owner, group id of owner • File type, file size • Device number that stores the inode. • Device number that the inode points to. • Number of blocks allocated • Modification timestamp • Inode creation/modification timestamp • Access timestamp

  40. SysTrace • A BlackHat Zero Day Tool! • Like TCP Wrappers but for syscalls. • Filters: • specific routines: open(), fork(), exec(), etc. • specific arguments: filename, file mode, etc. • FreeBSD version on the conference CDROM! • More details at Defcon Talks: • "FreeBSD Exploits and Remedies" • "Intrusion Prevention with SysTrace for FreeBSD"

  41. SysTrace
      Policy: /usr/libexec/ftpd, Emulation: native
        native-open: filename eq "$HOME" and oflags sub "ro" then permit
        native-open: filename eq "/etc" then deny[eperm], if group != wheel
        native-fchdir: permit
        native-stat: permit

  42. Network-Based Intrusion Detection Snort ACID

  43. Honeypots • Use inetd.conf to provide honeypot services. • Use hosts.allow to log each connection to them.

  44. Countermeasures
      • Traceroute
      • Firewall rules
      • /etc/hosts.deny:
        in.tftpd: ALL: (finger -l @%h | /usr/ucb/mail -s %d-%h root) &

  45. Monitoring
      In /etc/syslog.conf:
        auth.*,authpriv.*    /var/log/authlog

  46. Keeping Abreast of Vulnerabilities
      • CERT announcements:
        echo "subscribe freebsd-security-notifications" | mail majordomo@FreeBSD.org
      • Archive of announcements:
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories

  47. Future • ACLs - finer grained access controls. • Robert Watson’s ACLs for VFS, still need UFS support.
