ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Securing the Linux operating system This lesson contains the following topics: "Installing and Patching" "Minimizing the Installation" "Disabling System Services" "Verifying Integrity" "Securing the Console and Front Panel" "Configuring the File System" "Managing Accounts" "Monitoring System Activity" "References and Related Resources" "About the Authors" "Ordering Sun Documents" "Accessing Sun Documentation Online" This lesson is the first part of a two-part series that provides recommendations for securing the Linux operating system. This part provides recommendations for securing local access and file systems. Part II provides recommendations for securing network access and services. The information in this lesson applies to most Red Hat/RPN and Sun based Linux distributions, although most techniques and recommendations should apply to other Linux distributions. It is important to address security for local access and file systems. Often, administrators are solely concerned with protecting a system from remote threats. We recommend that you have equal concern for local, authorized users who can exercise a weak configuration, either inadvertently or maliciously, and gain unauthorized privileges on a system. We highly recommend a layered approach to security where protection is implemented for both local and remote threats, resulting in a more robust security configuration. Sun Linux is based on the Red Hat Linux distribution and is a flexible, general purpose operating system. To secure a Sun Linux system against unauthorized access and modification requires changes to its default configuration. Although these changes are in most cases relatively minor, we strongly recommend that you make these changes to improve the security posture of a system. The changes and recommendations in both lessons address the majority of methods that intruders use to gain unauthorized or privileged access to Sun Linux systems. You should implement these changes immediately after system installation. As with most security strategies, you must achieve a balance between system manageability and security. Some recommendations in this lesson might not apply to your environment and might negatively impact your ability to manage a system. You must know your system and security requirements before starting. Implementing the changes recommended in this lesson requires planning, testing, and documentation. Securing the Linux OS Page 1 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Installing and Patching All Linux operating systems need several updates and patches. These updates typically include security improvements as well as enhancements related to reliability, performance, and manageability. When building a Linux system, be sure to use the latest software updates and patches to take advantage of these improvements. Install the System Securely To prevent attackers from modifying a system or creating backdoors, do not attach the system to a public network until you have installed security patches and completed security modifications. Attackers do not need much time to exploit an unpatched out-of-the-box system. Most Linux software distributions automates nearly every facet of the installation process. This benefit makes each installation repeatable and less prone to error. A side effect of this process is that you may not be able to select packages or clusters for installation or removal. However, after the installation is completed, you can manually add or remove packages. Apply Patches Immediately after installing a Linux system, update it with all of the available security patches to help prevent the exploit of known attacks. You can download the software updates and security patches for Linux even if you do not have a service contract. To identify which version of Sun Linux your system has, enter the following command. # cat /etc/sun-release Security patches are available in two forms: Product Updates – Download these from http://sunsolve.sun.com/patches/linux. These updates are clusters of patches that address issues related to reliability, availability, security, and system management. These updates are typically downloaded and installed as a complete group. Individual Security Patches – Download these from http://sunsolve.sun.com/patches/linux/security.html. These patches address security issues in a product, tool, or function. You can download these patches in either the Red Hat package management (RPM) or Source RPM (SRPM) format. SRPMs are RPM files that contain the source code for a program instead of its compiled code (stored in the RPM). In addition, an MD5 signature is on the site for each patch, so that you can verify the integrity of downloaded files. We recommend this step to ensure that patches applied are only those provided by Sun. NOTE: Apply only patches that are developed and released by Sun Microsystems, Inc. Although the distribution is based on the Red Hat Linux distribution, patches released by Red Hat should never be applied. Doing so might render the system unsupportable by Sun. Securing the Linux OS Page 2 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris To verify that a patch was applied, use the rpm command. For example, to verify that the xinetd-2.3.7- 4.7x.i386.rpm package, available from the security patch web site, is installed, use the following command. # rpm -q -a | grep xinetd xinetd-2.3.7-4.7x If the rpm command does not return a match with the correct version, then download the patch from Sun, and install it on the system as soon as possible. If the command returns no value, then the related software package is not installed on the system and, therefore, the patch is unnecessary. In addition to the Sun Linux security web site, Sun offers a security bulletin mailing list. This list is for administrators who want to receive security bulletins directly from the Sun Security Coordination Team. For more information on joining this list, email the Sun Security Coordination Team or submit a security alert to the following Web site: http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec Receiving and acting upon these notifications in a timely manner is essential to sustaining a strong security posture. At this time, Sun does not provide an automated mechanism to ensure that a system is currently using the most recent patches, security or otherwise. This process must be done manually to ensure that all available and applicable patches are installed. NOTE: You can use the Sun Cobalt Control Station to monitor and manage large deployments of Sun LX50 systems. For example, you can use it to apply software updates. Using this product might help simplify the patch management process for these sites. For more information, refer to http://www.sun.com/hardware/serverappliances/controlstation. As with any changes made to a system's configuration, always review the impact of the resulting changes to ensure that the security posture of a system is not diminished. Ensure that previously disabled services remain disabled after patches are applied. In addition, if possible, apply patches to non-production systems first to identify the impact of the changes before implementing them on production systems. Minimizing the Installation It is important to reduce the Sun Linux installation down to the minimum number of packages necessary to support the applications being hosted. This reduction in services, libraries, and applications helps increase security by reducing the number of subsystems that must be disabled, patched, and maintained. Sun Linux uses RPM to install, upgrade, and delete packages. Each package maintains a description, file list, change log, checksum, and dependency information. Use this information to maintain and validate Securing the Linux OS Page 3 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris system integrity when adding, upgrading, or removing packages. To a limited degree, you can use the information to validate a package, before or after you install it on a system. To remove an RPM package that is no longer needed, use the -e option with the rpm command, as in the following example: # rpm -e minicom-2.00.0-3 # rpm -e glibc-2.2.5-42 error: removing these packages would break dependencies: glibc-common = 2.2.5-42 is needed by glibc-2.2.5-42 In the example, the first package minicom-2.00.0-3 is successfully removed. The second package glibc- common-2.2.5-42 is not removed, due to an unresolved package dependency. CAUTION: When manipulating packages, take care to ensure that the RPM dependency tree is not inadvertently corrupted. We strongly recommend that you avoid using the options --force, --replacepkgs, --replacefiles and --oldpackage. Improper use of these options can cause the RPM dependency database to reflect an inaccurate state of a system. Disabling System Services System services are started by the init system. Disable services that are not necessary to system operation. For example, some services might allow a system to be compromised, due to incorrect configuration. System services under the Sun Linux OS are controlled using the chkconfig command, which you can use to list services available, then disable or enable them. NOTE: The chkconfig command does not start or stop system service; it only enables or disables it from running at boot time. If you disable a system service with chkconfig and do not reboot the system, then you must stop the system service using the script in the /etc/rc.d/init.d directory. To list existing services and their states, use the following command: # /sbin/chkconfig –list To disable a system service, use the following command: # /sbin/chkconfig --level 0123456 <service> off To enable a system service, use the following command: # /sbin/chkconfig --level 0123456 <service> on Securing the Linux OS Page 4 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris The previous example enables service for each of the system's seven run levels. Use only the number or numbers corresponding to the run levels at which the service should run. For example, to enable a service only for run level 5, then modify the --level option to include only the number 5. For security purposes, only enable required services. The fewer services that are enabled, the less likely it is that attackers can discover ways to exploit systems. The packages installed determine what services are enabled by default. Removing unnecessary packages disables some extraneous services. Examine the remaining services to determine their relevance to the system and the hosted applications. NOTE: Be aware that installing patches and/or software packages might restore or add new entries for init to start. We recommend that you regularly review the services started by init. In particular, check for new services or changes in the status of existing services after patches or new software are installed on a system. Verifying Integrity After you install or upgrade a system, we strongly recommend that you verify the integrity of the Sun Linux image. You can perform this task using the commands described in the previous section, but to provide a higher degree of assurance, compare the packages on the system against a trusted source such as the Sun Linux CD-ROM distribution. It is possible to verify whether the files installed by RPM were modified after the installation by comparing them with the original .rpm file. The following command compares the installed files with the original xinetd package. # rpm --verify -p xinetd-2.3.7-4.7x.i386.rpm You can use a simple shell script to validate and report on the integrity of all of the RPM packages installed on a system. This result is achieved by comparing the installed packages with their counterparts from the installation or update media. The following shell script is an example of how to generate a usable report. # !/bin/sh INSTALLED_RPMS="'rpm --query --all' | sort -u" for pkg in 'ls /mnt/cdrom/RedHat/RPMS/*.rpm | sort -u'; do short_pkg="'basename ${pkg} | sed 's/_386_pm//g''" if [ 'echo ${INSTALLED_RPMS} | grep -wc ${short_pkg}' != 0 ]; then rpm --quiet --verify --package ${pkg} Securing the Linux OS Page 5 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris if [ $? = 0 ]; then result="SUCCESS" else result="FAILED" fi printf "Package Check: %-35s RESULT: %s\n" \ ${short_pkg} ${result} fi done NOTE: This verification method is most effective on newly installed or upgraded systems. For systems or packages that have been patched, this method only works if the packages signatures are tested against a patched, trusted copy of the package. The following example illustrates how to verify packages against the package information stored in a system's local RPM database. This check is similar to the pkgchk(1M) command in the Solaris OE. # rpm -verify filesystem-2.1.6-2 # rpm -verify apache-1.3.23-11 S.5....T c /etc/rc.d/init.d/httpd In the example, the integrity of the first package, filesystem-2.1.6-2, was successfully verified. The check failed for the second package, apache-1.3.23-11, when the /etc/rc.d/init.d/httpd was found to have been modified. To verify all packages on a system, use the -a option in place of the package name. # rpm -verify –a This capability is not a substitute for functionality such as Tripwire. This information is used only by the RPM framework to ensure that packages are completely installed, upgraded, or removed, and that all package dependencies are properly met. After you validate the integrity of a system, use products such as Tripwire to establish a baseline database for detecting file integrity violations. The Sun Linux distribution includes the Tripwire Open Source, Linux Edition, product originally developed by Tripwire, Inc. This tool provides data integrity assurance through the collection and management of file signatures and related data. If configured properly, this tool identifies when file system objects are changed. We recommend you consider products such as Tripwire as part of an organization's overall platform security strategy. NOTE: For more information on the Tripwire Open Source, Linux Edition product, refer to the Web site http://www.tripwire.org/. Securing the Linux OS Page 6 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Other methods can provide a higher degree of assurance, but those methods are outside the scope of this lesson. At this time, Sun does not provide a Sun Linux equivalent to the Solaris Fingerprint Database software. Securing the Console and Front Panel The next task is to consider restricting access to a system's console. This task is useful if the server is located in a common area of a network operations center. NOTE: These tasks do not prevent attackers with physical access from compromising systems. These methods provide incremental security, but caution must always be exercised when physical access to a system and related hardware is permitted. This section contains the following topics: "Access and Modify BIOS Configuration" "Restrict Access to BIOS" "Limit Front Panel, Keyboard, and Video Access" "Restrict Alternate Boot Devices" "Restrict Access to the LILO Boot Loader" "Disable Control-Alt-Delete Reboot Key Sequence" "Require Single-User Mode Password" "Disable the Magic SysRq Key" "Restrict Root Access to Devices" Access and Modify BIOS Configuration The Sun Linux operating system is provided on the Sun LX50 system. The Sun LX50 system uses the American Megatrends, Inc. (AMI) Basic Input and Output System (BIOS). The BIOS provides security features that prevent unauthorized or accidental access to a system. When security measures are enabled, administrators and users can access the system only when they enter correct passwords. You can implement the following security measures: Enable an administrator password, which is used to access and configure BIOS security options Enable a user password, which can be granted full or limited access to BIOS Enable secure mode, which prevents keyboard input, front panel reset access, and power switch access. Enable a keyboard lockout timer, which after a time-out period, requires a password to reactivate keyboard input. Disable booting to alternative devices, such as diskettes and CD-ROMs Securing the Linux OS Page 7 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris A system's BIOS performs power-on self-tests (POST), provides an interface to the hardware components on a system, and facilitates loading an operating system by locating and accessing a boot loader. In addition, the BIOS provides basic security features. To access the BIOS configuration, press the F2 key while the initial boot screen is displayed on a console. To maneuver the BIOS menu system, follow the instructions located at the bottom of the screen. NOTE: If a BIOS administrative password is defined for the system, this password must first be correctly entered before access to the BIOS configuration is granted. If you change any of the BIOS configuration parameters, you must reboot the system for the changes to take effect. Restrict Access to BIOS You can set a user password, an administrator password, or both. The passwords are limited to seven alpha numeric, case-sensitive characters. By default, the passwords are not defined, and unrestricted access is granted to the BIOS for any user with physical access to a console. Setting a user or an administrator password requires: Entering the password to enter BIOS setup. Entering the password to boot the server if "Password on Boot" is enabled. Entering the password to exit "Secure Mode." Setting both passwords requires: Entering the password to enter BIOS setup. o If entering a user password, the user may not be able to change some of the BIOS options, depending upon privilege level granted. o If entering an administrator password, the administrator is able to enter BIOS setup and access all options. Entering either password to exit "Secure Mode." CAUTION: With physical access to a system, BIOS passwords can be reset by changing a jumper on the motherboard. To Set an Administrator Password 1. Enter the BIOS menu by pressing the F2 key while the system's initial boot screen is displayed. 2. Select the Security menu tab to display the security configuration menu. 3. Select the Set Administrative Password option. Securing the Linux OS Page 8 of 47 ITSY243-Intrusion Detection Systems 4. Enter the new administrative password. 5. Re-enter the new administrative password to confirm the new password. 6. Select the Exit menu tab, then select the Exit and Save option. Prof. Michael P. Harris Once set, the Administrative Password parameter changes from Disabled to Enabled. Now the Administrative Password must be entered to access the BIOS configuration. To Set a User Password 1. Enter the BIOS menu by pressing the F2 key while the system's initial boot screen is displayed. 2. Select the Security menu tab to display the security configuration menu. 3. Select the Set User Password option. 4. Enter the new user password. 5. Re-enter the new user password to confirm the new password. 6. Select the privilege level granted to the user: o No Access – Prevents a user from accessing the BIOS configuration. If a user is assigned to this level, the user password is used only to unlock the system when it is operating in "Secure Mode." o Limited – Allows a user to access the BIOS and to change a limited number of noncritical fields. o View Only – Allows a user to access the BIOS but in read-only mode. The user is not permitted to change any of the BIOS parameters. o Full – Allows a user to access the BIOS and change all parameters, except for the Administrator Password. 7. Select the Exit menu tab, then select the Exit and Save option. Limit Front Panel, Keyboard, and Video Access After setting the administrator password, limit access to the front panel, keyboard, and video. The following additional options appear on the BIOS Security menu: Secure Mode Timer – This timer is the period of inactivity in minutes before "Secure Mode" is activated and the system's keyboard and mouse are locked. Secure Mode Hot Key – This keyboard sequence places the system in "Secure Mode." By default, the sequence is Control-Alt-[L], which is performed by holding down the Control and Alt keys and simultaneously pressing the L key. Secure Mode Boot – This setting configures the BIOS to prevent the system from starting the boot process until a user or administrator password is entered. A password is required to boot from removable media such as a diskette or CD-ROM. Video Blanking – This setting disables the use of a video monitor when a system is in "Secure Mode." When video blanking is off, the system displays information on the monitor even in "Secure Mode." If a monitor is disabled in addition to the keyboard and mouse when in "Secure Mode," video blanking should be enabled. Securing the Linux OS Page 9 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Disable Power Button – This setting configures the BIOS to ignore the use of the front-panel power button. When enabled, this setting prevents a running system from being powered off using the front-panel power button. To Set Access Options 1. Enter the BIOS menu by pressing the F2 key while the initial boot screen is displayed. 2. Select the Security menu tab to display the security configuration menu. 3. Select the appropriate option, and enable or disable it. 4. Select the Exit menu tab, then select the Exit and Save option. Restrict Alternate Boot Devices You can use the Sun Linux BIOS configuration to specify the order in which devices are polled when locating an operating system. This boot device priority selects the order in which hard-drives, CD-ROM drives, and disk drives are accessed during boot processes. It is recommended that the system be configured to boot first from the local hard drive before other media. This approach can prevent a system from being compromised through a boot diskette or CD-ROM inserted during the boot process. To Set Boot Device Priority 1. Enter the BIOS menu by pressing the F2 key while the initial boot screen is displayed. 2. Select the Server tab to display the server configuration menu. 3. Select the Boot Priority menu to change the default boot priority. 4. Select the hard drive as the first boot device. 5. Disable any boot devices that are not required. 6. Select the Exit menu tab, then select the Exit and Save option. Restrict Access to the LILO Boot Loader Sun Linux uses the LILO boot loader to load the Linux kernel. LILO allows users to pass parameters to the kernel, several of which can be used to gain unrestricted access to a system (such as single for single-user mode). You can configure LILO to require a password before allowing access. To Configure LILO to Require a Password for Access Add the following lines (see bold lines) to the /etc/lilo.conf file. image=/boot/vmlinuz-2.4.9-31enterprise password=<password> restricted label=linux initrd=/boot/initrd-2.4.9-31enterprise.img append="console=ttyS1,9600 console=tty0" Securing the Linux OS Page 10 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris read-only root=/dev/sda3 In this example, the password and restriction options are added to the kernel 2.4.9-31enterprise. In practice, there exist multiple kernel definitions or image entries in the /etc/lilo.conf, often as a result of kernel upgrades. We recommend that you define these options for each of the kernels listed in your /etc/lilo.conf file. NOTE: The version number 2.4.9-31enterprise changes based on the version of the kernel running on the system. Using the restricted directive in LILO allows booting of the default kernel without password verification, but requires a password if any additional arguments are added (such as single to boot into single-user mode) or if a kernel image other than the default is selected. Access to the /etc/lilo.conf file should be restricted to only the root user, because the password contained in that file is in clear-text. Set this restriction by executing the following command. # chmod go-rwx /etc/lilo.conf After any modifications, you must run the command /sbin/lilo to propagate any changes to LILO. The following command is usually sufficient. # /sbin/lilo Disable Control-Alt-Delete Reboot Key Sequence By default, a Sun Linux system reboots when the key combination Control-Alt-Delete is entered. To Disable the Control-Alt-Delete Key Sequence 1. Comment out the following line in the /etc/inittab file: 2. # Trap CTRL-ALT-DELETE # ca::ctrlaltdel:/sbin/shutdown -t3 -r now 3. Reload the inittab by either rebooting the system or by entering /sbin/telinit q. Require Single-User Mode Password You can configure the system to prompt for a password when booted into single-user mode. Add the following line to the /etc/inittab file. ~~:S:wait:/sbin/sulogin Securing the Linux OS Page 11 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris CAUTION: It is highly recommended that you add a password to the LILO configuration file instead of setting a password for single-user mode. Users can circumvent single-user password restrictions using the command linux init=/bin/bash instead of the linux single command at the LILO boot prompt. Disable the Magic SysRq Key If enabled, the SysRq key can be used for activities such as rebooting systems, inspecting memory, synchronizing disks, and killing processes. It is mainly useful to kernel developers, because it allows them to diagnose and recover a system state after problems. However, be aware that it can be used to gain unauthorized root access. t To Disable the Magic SysReq Key 1. Enter the following in the /etc/sysctl.conf file: kernel.sysrq = 0 2. Reboot the system to implement this configuration change. Restrict Root Access to Devices The Sun Linux operating system provides the ability to restrict from where a remote user can log into a system as root user. This restriction is an important capability to help promote accountability on a system. Typically, we recommend that administrators do not log into systems directly using a root account; instead they should log into systems using their unique account and assume root privileges as needed. Often this recommendation is combined with role-based access control capabilities such as sudo to further restrict what may be done with elevated privileges. By following this recommendation, actions can be better associated with specific individuals. The login command is part of the authentication process to access a local Sun Linux account. Except for a root user, any user can log in to any valid device on a system, serial or virtual. A root user is not permitted to log in to any device unless the device is listed in the /etc/securetty file. If a root user attempts to log in to a device not listed, then the attempt fails and a failure notice is logged to the syslog facility. If you need to configure the system to permit direct root login over the primary serial interface, then add the following line to the /etc/securetty file. /dev/ttyS0 NOTE: Be sure to review the contents of the /etc/securetty file, removing any entries that are not required. Be careful not to remove root accounts, which would inadvertently lock root users out of the system. Securing the Linux OS Page 12 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Configuring the File System The default file permissions on some files might not be adequate in all situations; therefore, configure the Sun Linux file system to provide additional protection. Also, several mount options are available to increase security, when used effectively. Sun Linux systems need some adjustment to prevent attackers from gaining superuser privileges. This section contains the following topics: "Review set-user-ID and set-group-ID Files" "Review World-Writable File System Objects" "Review Unowned File System Objects" Review set-user-ID and set-group-ID Files The set-user-ID and set-group-ID bits (often referred to as SUID and SGID bits) on an executable file indicate to a system that the executable should operate with the privileges of the file's owner or group. For example, the effective user ID of the running program becomes that of the executable's owner, in the set-user-ID instance. Similarly, a set-group-ID file sets the running program's effective group ID to the executable's group. If the command with the set-user-ID and/or set-group-ID bit set is written correctly with security in mind, it can be a useful method for solving some tricky operational challenges. These operational challenges can often be solved using forms of role-based access control, such as sudo. For more information on sudo, see "Limit Root Access" on page 25." Many set-user-ID and set-group-ID commands have had flaws. Attackers have used these flaws to successfully exploit systems. When security problems are reported, Sun fixes them and provides a patch. Attackers might use the set-user-ID or set-group-ID commands to create backdoors. One way they do this is by copying a system shell to a hidden location and adding the set-user-ID bit. This technique allows attackers to execute shells to gain elevated privileges (most often superuser). To Find All set-user-ID and set-group-ID Files 1. To find all the set-user-ID and set-group-ID files on a server, use the following command: # find / -type f \( -perm -u+s -o -perm -g+s \) –ls 2. Store the output to a file on another system. 3. Compare the output against the current file system from time to time, especially after applying patches, to find any unwanted additions. Securing the Linux OS Page 13 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Review World-Writable File System Objects A world-writable object is one that has the world-write permission bit set. World-writable objects are problematic because any user can modify the object. An attacker might use a world-writable file to perform a disk space-based denial of service attack on a system, or an attacker might modify the object, violating its integrity. We recommend that all world-writable objects be catalogued and tracked over a system's lifecycle. Objects that do not require this setting should have their permissions reset to a stronger value. To Find World-Writable File System Objects To find all of the world-writable files and directories on a system, use the following command. # find / \(-type f -o -type d \)-perm -0002 –ls NOTE: All world-writable directories should be configured with the "sticky" bit to prevent users from deleting files owned by other users. For more information on this capability, refer to the chmod(1) manual page. Review Unowned File System Objects Typically, file system objects stored on a system can be directly attributed to a user and group that exists either on the system or in a naming service (for example, LDAP) used by the system. It is possible for a user or group to be removed from a system, leaving file system objects in an unowned state. That is, the files and directories are now owned by a user or group that no longer exists on the system. This situation can also occur when extracting archives (for example, tar) built on a different system. These programs can be configured to preserve the original object's ownership and permissions of the archived objects. These programs restore the settings without regard to whether the user or group assigned to the object actually exists on the new system. To Find Unowned File System Objects 1. To find all file system objects that are not owned by a valid user on a system, use the command: # find / -nouser –ls 2. To find all file system objects that are not owned by a valid group on a system, use the following command: # find / -nogroup –ls Securing the Linux OS Page 14 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris NOTE: In general, all file system objects on a system should be assigned to a valid user and group. Be sure to assign a valid user or group to any files found using the previous commands. Managing Accounts Managing user and system accounts is an important aspect of Linux security. Some system accounts might need to be deleted or modified. The time-based command execution system tools cron and at might need to be configured to restrict user access. This section contains the following topics: "Delete and Modify System Accounts" "Restrict at, cron, and batch Command Access" "Limit Root Access" "Use the Pluggable Authentication Module (PAM)" Delete and Modify System Accounts A default Sun Linux installation contains several accounts that either need to be deleted or modified to strengthen security. Some accounts are not necessary for normal system operation. These accounts include games, gopher, and news and uucp. To Delete Accounts To delete accounts in /etc/passwd and /etc/shadow entries, use the userdel command, similar to the following example: # /usr/sbin/userdel games This example removes the /etc/passwd and /etc/shadow entries for user games. Except for the root account, modify any remaining system accounts for added security by locking them, setting account expiration, or setting their login shells to a restricted value. To Lock Accounts To lock unused accounts that are not locked by default, use the passwd -1 option. For example, if the uucp account is not used, then lock it using the following command. # passwd -l <username> The password of the account is changed to a string that can never be a valid encrypted password. Securing the Linux OS Page 15 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris To Expire an Account To schedule a user account to expire, use the following command: # /usr/sbin/usermod -e YYYY-MM-DD <username> An expired account has similar characteristics to those of an account where the password is locked. The account can still be accessed by root via superuser, daemons can be started, and files and directories can be owned by the account. As with locked accounts, expired accounts cannot be used to login to a system or to access any of the services where authentication is required, such as Telnet, FTP, or IMAP. To disable interactive access to a user account, use the following command. # usermod -s /bin/false <username> An account with a disabled shell (one that is not listed in /etc/shells and does not permit access to the system) only impacts applications that check for valid shells, such as Telnet, FTP, and Secure Shell. This method does not impact other applications such as IMAP and POP that by default do not check this setting. A better alternative to using /bin/false as a disabled shell is to use a program that not only prevents access to the system but also logs the attempted access. The following shell script could be used to implement such functionality. This example is based on the file /sbin/noshell program available from the Solaris™ Security Toolkit software. For more information on the Solaris Security Toolkit software, refer to http://www.sun.com/security/jass. #!/bin/sh # trap "" 1 2 3 4 5 6 7 8 9 10 12 15 19 PATH=/bin:/usr/bin export PATH HNAME="'uname -n'" UNAME="'id | awk '{ print $1 }''" logger -i -p auth.crit "Unauthorized access attempt on ${HNAME} by ${UNAME}" wait exit To change default account parameters used during new account creation (via useradd), change the following values in either the /etc/login.defs or the /etc/default/useradd file. TABLE 1 describes the parameters in the /etc/login.defs file. Securing the Linux OS Page 16 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris TABLE 1 /etc/login.defs File Parameters Parameter Description PASS_MIN_DAYS Minimum days allowed between password changes PASS_MIN_LEN Minimum acceptable password length PASS_WARN_AGE Days warning given before a password expires PASS_MAX_DAYS Maximum days a password may be used TABLE 2 describes the parameters in the /etc/default/useradd file. TABLE 2 /etc/default/useradd File Parameters Parameter Description GROUP Default group HOME Default user home location EXPIRE Expiration date of an account in the format YYYY-MM-DD INACTIVE Maximum days after an unchanged and expired password that the account is locked out and can only be accessed by root SHELL Default shell Restrict at, cron, and batch Command Access The at, cron, and batch commands execute processes (events) at a specified future time. Access control files are stored in the /etc directory. The cron.deny and cron.allow files manage access to the cron command. The at.deny and at.allow files manage the access to the at and batch commands. The allow files are checked first to determine if an account is explicitly allowed to use these facilities. Attackers can use these commands to implement logic bombs (triggered by a system condition, logic that causes damage to data processing systems) or other programmed attacks that begin in the future. Unless administrators examine every at, batch, and cron event, tracking usage and abuse can be difficult. Therefore, we recommend that you restrict access to the at, batch, and cron commands to prevent attacks and abuse. Securing the Linux OS Page 17 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris By default, Sun Linux includes scheduled cron events for the root account. Do not include the root account in the deny files, because any scheduled jobs will be prevented from running. Add to the deny files any additional system or software-specific accounts that do not require cron, batch, or at access. You might want to restrict user access to these commands as well. List individual user accounts in the deny files. To restrict all user account access, create an empty allow file, then add only the accounts that need access. Limit Root Access The sudo program implements a form of role based access control (RBAC). It is a commonly used tool for limiting access to privileged commands and accounts. Using sudo has the following benefits: sudo is configured by default to ask for a user's password Fewer users need to log in as privileged users and know the password Access to privileged commands is determined by a policy; users are given access only to the commands they need Access to privileged commands can be logged Common uses for sudo are allowing system operators to make backups and create user accounts without giving operators full root access. To create a new account, an operator enters: # sudo useradd newuser It is very important to ensure that mail to root is checked or forwarded. Unauthorized use of sudo generates an email to the root user and creates an entry in the system log /var/log/messages file. May 4 18:25:14 scl1 sudo(pam_unix)[28769]: authentication failure; logname=attackerid uid=0 euid=0 tty=pts/2 ruser= rhost= user=attackerid To review valid uses of sudo, refer to /var/log/secure. In the following example, the sudo command was used by the user joe to access the /bin/bash command as root. May 4 18:25:28 scl1 sudo: sudoerid: TTY=pts/2 ; PWD=/home/sudoerid/joe ; USER=root ; COMMAND=/bin/bash The sudo command consults the /etc/sudoers configuration file to determine if a command is allowed. This configuration file contains access control lists (ACLs) as in the following example. <user> <hostname> = '(' <account> ')' <command> [',' <command>] Securing the Linux OS Page 18 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris A rule of this form allows user logged in to hostname to run command as user account. By including the hostname in the rule, it is possible to share a single /etc/sudoers file between multiple machines. For more information about the format of these ACLs, refer to the sudoers manual page. Use the visudo command to edit the /etc/sudoers file. This command checks the syntax of edited contents before overwriting /etc/sudoers. If the /etc/sudoers syntax is incorrect, sudo does not work. To keep the description concise, you can define aliases for sets of users, hostnames, and commands. You can use the alias ALL in any field. In the following example, we allow a group of operators to make backups and restore them. # provide access to dump and restore for backup operators User_Alias OPERATORS = tom, dick, harriet Cmnd_Alias BACKUPCMD = /sbin/dump, /sbin/restore OPERATORS ALL = (root) BACKUPCMD Be aware that with a little creativity, any user who can make backups and restore them can gain root access, so this example is not a completely secure setup. In general, we advise that you create scripts or programs that wrap commands executed with privilege to limit the options available to its users. In addition, these scripts can sanitize the execution environment by checking or resetting variables such as a user's path to help ensure sane settings. This way, the use of privileged commands can be better controlled. You can configure sudo to allow only certain parameters to be passed to privileged commands. Verify that operators cannot pass any arguments to privileged commands that have unintended consequences. The following rule allows operators to change passwords for all users except for root. # User alias specification User_Alias OPERATORS = tom, dick, harriet # Cmnd alias specification Cmnd_Alias PASSWDCMD = /usr/bin/passwd, !/usr/bin/passwd root # Defaults specification OPERATORS ALL = (root) PASSWDCMD The previous example prevents execution of the sudo passwd root command. However, it does allow execution of the sudo passwd --stdin root command. In this case, you can fix the problem by changing the definition of PASSWDCMD slightly, as in the next example. The following example allows two classes of users (web masters and operators) to manage a system. Web masters can stop and start a web server. Operators can change forgotten user passwords (except for root passwords), start system backups, and perform web master duties. Securing the Linux OS Page 19 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris # User alias specification User_Alias OPERATORS = tom, dick, harriet User_Alias WEBMASTERS = josephine, OPERATORS # Cmnd alias specification Cmnd_Alias PASSWDCMD = /usr/bin/passwd [!-]*, !/usr/bin/passwd root Cmnd_Alias BACKUPCMD = /usr/sbin/backup_script Cmnd_Alias HTTPDCTL = /etc/rc.d/init.d/httpd # Defaults specification Defaults authenticate, timestamp_timeout = 60 # User privilege specification root ALL=(ALL) NOPASSWD: ALL OPERATORS ALL = (root) PASSWDCMD OPERATORS ALL = (root) BACKUPCMD WEBMASTERS ALL = (root) HTTPDCTL Use the Pluggable Authentication Module (PAM) The Pluggable Authentication Module (PAM) architecture allows administrators to control and replace the methods used for authentication. In concept, while this is similar to the PAM functionality that is available in the Solaris OE, note that there are differences. For more information on the Solaris OE implementation of PAM, refer to the Sun BluePrints OnLine twopart lesson titled "Extending Authentication in the Solaris 9 OE Using Pluggable Authentication Modules (PAM)." Part I: http://www.sun.com/blueprints/0902/816-7669-10.pdf Part II: http://www.sun.com/blueprints/1002/816-7670-10.pdf Although PAM makes authentication operations more robust, it requires that system authentication information be maintained in more places than just /etc/passwd and /etc/shadow. PAM can be expanded to support Kerberos, LDAP, OPIE, S/Key, RSA SecureID, RADIUS, TACACS+, and others. Understanding how the PAM system functions is essential for maintaining the security of a system. All primary applications such as login, su, ssh, and sudo are PAM aware. Each application that uses PAM does so through a common API that references the general configuration file /etc/pam.conf or the application-specific file in the directory /etc/pam.d/, if it exists. Securing the Linux OS Page 20 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris NOTE: If the directory /etc/pam.d/ exists, the file /etc/pam.conf is ignored. The directory /etc/pam.d/ is part of the standard Sun Linux installation. CAUTION Before editing PAM configuration files, make a backup of the files. Errors made in configuration files can prevent PAM or the service you modified from operating correctly, and might prevent privileged users from logging in. Also, you could inadvertently disable authentication and expose the system. Do not change the default ownership or file permissions of the /etc/pam.d/ directory or its contents. Within the PAM configuration file, define methods for authentication. Enter one line per method using the following format. [service] [type] [control] <module-path> <module-arguments> TABLE 3 lists the values for entering authentication methods. TABLE 3 PAM Configuration Values Field/Value Description service This field exists only if the /etc/pam.conf file is used and is the name of the service defined, such as login or su. If the file is in /etc/pam.d/ and is specific to the application, then it is not used. type This field is the management group and can be one of the following: control account - Verify that the account is valid. For example: has the account expired? authentication - Verify the user's identity by using a password, smart card, or biometric device. password - Maintain the authentication method. For example: if the password has expired, prompt for a new one. session - Provide methods that are performed before the session is started and after the session is ended, such as setting up and reclaiming resources the user requires. This field specifies what to do when a module fails its task: Securing the Linux OS requisite - Immediate termination of the authentication process; do not call additional modules. required - If this module fails, then allow other modules to be called, but ultimately fail the authentication attempt. Each required module must succeed for the authentication to succeed. sufficient - Success of the module is enough to succeed in Page 21 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris authentication. optional - Success or failure of this module is important if it is the only module in the stack associated with this service and type. More complex control syntax can be used; refer to the pam(8) manual page. module-path This path is the full file name of the authentication module called with the default location /lib/security/. A special module used by many configuration files is pam_stack. This module lets you call a service from inside the stack. This feature allows multiple services to include a system-wide configuration, so that it only needs to be maintained in one place. The most common use for this feature is the configuration file /etc/pam.d/system-auth. modulearguments Valid arguments are space-separated lists of tokens that modify behavior of the module called. They are module specific. For additional information on PAM, refer to the Linux PAM site at http://www.kernel.org/pub/linux/libs/pam/, the pam(8) manual pages, and the PAM documentation in /usr/share/doc/pam. After editing the configuration file, test the changes and make any necessary adjustments. NOTE: If you lock yourself out of a system, reboot into single-user mode, then restore the configuration file from the backup. Disabling Null Passwords A null password allows users to log onto a system without having to first supply a valid password string. When users have null passwords, they can press the Enter key when prompted for a password and gain access to systems without a password. Obviously, this poses a significant security risk to the system and to the accountability of actions performed by users. To Disable Null Passwords Make a backup of the /etc/pam.d/system-auth file, then modify the original by removing nullok from the line, resulting in the following: auth sufficient /lib/security/pam_unix.so likeauth Checking Passwords Against a Dictionary Sun Linux can be configured to verify that passwords cannot be guessed easily. On Sun Linux, this check is performed by the module /lib/security/pam_cracklib.so. It checks to ensure that passwords are a minimum length and verifies that a password does not occur in a dictionary. Securing the Linux OS Page 22 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris The dictionary used by this module is located in /usr/lib and is in cracklib format. By default, each of the dictionary files is prefixed with the file name cracklib_dict. For more information on cracklib including how to add new words to the dictionary, refer to http://www.crypticide.org/users/alecm/. This module has a number of parameters, the most useful of which are as follows. TABLE 4 pam_cracklib Parameters Parameter Description minlen Specifies the minimum password length allowed for an account difok Specifies the minimum number of characters that have to differ from the previous password To Check Passwords Add the following parameters to an entry in /etc/pam.d/system-auth, resulting in the following single line: password required /lib/security/pam_cracklib.so retry=3 type= minlen=8 difok=3 Preventing Reuse of Old Passwords The PAM module pam_unix.so can be configured to maintain a list of old passwords for every user, to prohibit the reuse of old passwords. The list /etc/security/opasswd is not maintained as plain text, but should be protected the same as shadow password files. This capability is often referred to as password history. To Retain a List of Passwords To remember the last 15 passwords, add the following line in /etc/pam.d/system-auth file: password sufficient /lib/security/pam_unix.so use_authtok md5 shadow remember=15 Preventing Password Guessing The module pam_tally keeps track of unsuccessful login attempts, and disables user accounts (not user IDs) when a preset limit is reached. This capability is often referred to as account lockout. Securing the Linux OS Page 23 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris To Prevent Password Guessing Add two entries in the /etc/pam.d/system-auth file: auth required /lib/security/pam_tally.so onerr=fail no_magic_root account required /lib/security/pam_tally.so deny=5 no_magic_root reset Because the order of the lines in /etc/pam.d/system-auth is important, we list the complete file contents. auth required /lib/security/pam_env.so auth required /lib/security/pam_tally.so onerr=fail no_magic_root auth sufficient /lib/security/pam_unix.so likeauth auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so account required /lib/security/pam_tally.so deny=5 no_magic_root reset password required /lib/security/pam_cracklib.so retry=3 type= minlen=8 difok=3 password sufficient /lib/security/pam_unix.so use_authtok md5 shadow remember=15 password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so Monitoring System Activity Examine all of the log files regularly for errors, warnings, and signs of an attack. This task can be automated by using log analysis tools or a simple grep command. Sun Linux includes an automatic log analysis and reporting tool named logwatch. This tool sends nightly email reports to a root user. The email address can be changed by editing the /etc/log.d/conf/logwatch.conf file. Logwatch is of limited use from a security perspective, because it does not constantly monitor for unusual activity. The syslog daemon receives log messages from several sources and directs them to the appropriate location based on the configured facility and priority. The programmer interface syslog() and system command logger are available for creating log messages. The facility or application type and the priority Securing the Linux OS Page 24 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris are configured in the /etc/syslog.conf file to forward log messages to specified locations. The location can be a log file, network host, selected users, or all users. By default, Sun Linux defines several log files in the /etc/syslog.conf file: The /var/log/messages log file contains a majority of the system messages. The /var/log/maillog file contains mail system messages. The /var/log/secure log file contains a majority of the security messages from sudo and ssh. If you change the /etc/syslog.conf file, the syslog daemon must be restarted. Use the following command. # killall -HUP syslogd In addition to logging syslog events locally on each client system, Sun recommends that syslog events be sent to a centralized log server where logs can be more safely stored and analyzed. As an added benefit, by logging events to a central location, logs may be more readily preserved in the event that the client system is compromised. Note that syslog monitoring is just a single process. Sun recommends that users protect their environments through architectures that implement defense-in-depth through mutually reinforcing, complementary security controls. The methodology for determining which controls are most appropriate to your environment and where they should be positioned in your architecture is outside the scope of this lesson. Additional layered monitoring methods such as periodic-vulnerability assessments, file system integrity monitoring, and host-based intrusion detection mechanisms can greatly improve your ability to detect attempted or actual breaches of security whereas a single method might be more easily subverted. References and Related Resources Publications "Extending Authentication in the Solaris 9 OE Using Pluggable Authentication Modules (PAM)." Part I: http://www.sun.com/blueprints/0902/816-7669-10.pdf Part II: http://www.sun.com/blueprints/1002/816-7670-10.pdf Hatch, Brian, and Osborne, James Lee. Hacking Linux Exposed, Second Edition McGraw-Hill, ISBN: 0072225645, November 2002. Nemeth, Evi, Snyder, Garth, Seebass, Scott, and Hein, Trent R. UNIX System Administration Handbook, 3rd Edition, Prentice Hall PTR, ISBN: 0130206016, August 2000. Securing the Linux OS Page 25 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Noordergraaf, Alex. "Solaris Operating Environment Network Settings for Security: Updated for Solaris 9 Operating Environment," Sun BluePrints OnLine, June 2003, http://www.sun.com/solutions/blueprints/0603/816-5240.html. Noordergraaf, Alex and Watson, Keith. "Solaris Operating Environment Security: Updated for the Solaris 9 Operating Environment," Sun BluePrints OnLine, December 2002, http://www.sun.com/solutions/blueprints/1202/816-5242.pdf. Reid, Jason. "Building OpenSSH - Tools and Tradeoffs," Sun BluePrints OnLine, January 2003, http://www.sun.com/blueprints/0103/817-1307.pdf. Reid, Jason. "Configuring the Secure Shell Software," Sun BluePrints OnLine, April 2003, http://www.sun.com/blueprints/0403/817-2485.pdf. Reid, Jason. "Integrating the Secure Shell Software," Sun BluePrints OnLine, May 2003, http://www.sun.com/blueprints/0503/817-2821.pdf. Red Hat Linux 9: Red Hat Linux Security Guide, Red Hat Inc., 2002. Stevens, Richard W. TCP/IP Illustrated, Volume 1, 1st Edition, Addison-Wesley Publishing Company, ISBN: 0201633469, January 1994. Web Sites NOTE: Sun is not responsible for the availability of third-party Web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Sun will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources. Center for Internet Security - Linux Benchmark http://www.cisecurity.org/ OpenSSH tool: http://www.openssh.com/ Sendmail Consortium: sendmail configuration information, http://www.sendmail.org/ SSH Communications Security, Secure Shell (SSH) tool: http://www.ssh.com/ Sun BluePrints: http://www.sun.com/blueprints TCP Wrappers tool, Wietse Venema: ftp://ftp.porcupine.org/pub/security/index.html Ordering Sun Documents The SunDocsSM program provides more than 250 manuals from Sun Microsystems, Inc. If you live in the United States, Canada, Europe, or Japan, you can purchase documentation sets or individual manuals through this program. Accessing Sun Documentation Online The docs.sun.com web site enables you to access Sun technical documentation online. You can browse the docs.sun.com archive or search for a specific book title or subject. The URL is http://docs.sun.com/ Securing the Linux OS Page 26 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris To reference Sun BluePrints OnLine lessons, visit the Sun BluePrints OnLine Web site at: http://www.sun.com/blueprints/online.html Part II This lesson is the second part of a two-part lesson that provides recommendations for securing the Linux operating system. This part provides recommendations for network security. Part I provides recommendations for securing local access and file systems. The information in this lesson applies only to the Sun Linux distribution, although some techniques or recommendations might apply to other Linux distributions. Sun Linux is based on the Red Hat Linux Distribution and is a flexible, general purpose operating system. To secure a Sun Linux system against unauthorized access and modification requires changes to its default configuration. Although these changes are, in most cases, relatively minor, we strongly recommend that you make these changes to improve the security posture of a system. The changes and recommendations in this lesson address the majority of methods that intruders use to gain unauthorized or privileged access to Sun Linux systems. You can implement many of the changes during or immediately after system installation. As with most security strategies, a balance must be achieved between system manageability and security. Some recommendations in this lesson might not apply to your environment. Removing some services as recommended in this lesson might negatively impact your ability to manage a system. You must know your system and security requirements before starting. Implementing the changes recommended in this lesson requires planning, testing, and documentation. This lesson contains the following topics: "Securing Network Services" "Turning Kernel Network Parameters" "References and Related Resources" "About the Authors" "Ordering Sun Documents" "Accessing Sun Documentation Online" Securing Network Services Secure network services and configure network parameters for better security. The network services a system provides are entry points that can be attacked and exploited to gain access. It is important to understand the default configuration of Sun Linux, including its services and the methods used to disable or protect them. Often, organizations need to use protocols or services that are not secure. Where possible, we provide recommendations for improving the security of those services. Securing the Linux OS Page 27 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Network services enable distributed computers and their users to communicate, access remote systems and information, transfer files, send electronic mail, print on network printers, and manage remote systems. Multi-user operating systems such as Sun Linux typically provide many network services. These services are either necessary for the operation and management of an application or are essential to the service an application provides. By default, Sun Linux only runs the portmap, rpc.statd, and sshd services. This default improves the overall security posture of a system by limiting the number of unnecessary services that are started on a system. In general, all network services that are not required to meet a business requirement should be disabled. Protect services that are offered by a system by using as many layers as feasible. The most secure systems are not necessarily those with the most layers. The layers added must support the practice of defense-indepth by implementing complementary and mutually reinforcing security controls. The layers must adhere to the principle of proportionality, whereby the costs of the controls are weighed against the value of the assets being protected. In this lesson, we describe layers at the network level, such as filtering and logging options, available in both xinetd and TCP Wrappers. Network services can be attacked in many ways. These services might contain programming flaws, use weak or no authentication, transfer sensitive data in unencrypted format, or allow connections from any network host. These weaknesses allow attackers to access entry points and potentially exploit weaknesses in the installation or configuration. Some simple methods are available to reduce the risk of attacks against systems. In addition to disabling unneeded services and applying all security patches, use security features (for example, encryption, strong authentication, etc.) with network services whenever possible. You can deploy firewalls like iptables on servers and desktops alike where IP forwarding is not required, but network service protection is. Massive deployments and management of firewalls on many systems can be burdensome, so plan appropriately. Additionally, there are well-regarded open source and commercial tools that add protection. These tools address security concerns by providing the following protection: access control, logging, strong authentication, and privacy through encryption. The open source toolkit OpenSSH is a suite of tools to replace UNIX® network commands such as telnet, ftp, rlogin, rsh, and rcp. OpenSSH provides strong authentication and privacy through the use of publickey authentication and support of PAM. Also, OpenSSH provides the capability to securely tunnel X Window network communications over an encrypted channel. When built with the TCP Wrappers library, as is the case in Sun Linux, it provides additional access control. It is a very valuable tool because of the unsafe commands it replaces. After deploying OpenSSH, disable the replaced network services in favor of OpenSSH services. The OpenSSH tool is very powerful and highly configurable. As a result, it is essential that the tool be configured to be as secure as possible. For recommendations on OpenSSH configuration and tuning, refer Securing the Linux OS Page 28 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris to the Sun BluePrint Online lessons titled "Configuring the Secure Shell Software" and "Integrating the Secure Shell Software." To secure network services, perform the following tasks: "Enable and Disable Network Services" "Limit Access to Services Managed by xinetd" "Enable TCP Wrappers" "Enable Packet Filtering" "Secure Telnet Connections" "Secure Remote Access Connections" "Secure FTP" "Secure the Remote Procedure Call (RPC) Services" "Disable or Secure automount Services" "Secure the NFS Services" "Secure the sendmail Services" "Configure Name Service Caching" "Secure Print Services" "Display Access Warnings" Enable and Disable Network Services Network services are generally started either at boot time by /sbin/init or on demand by the xinetd daemon. Sun Linux provides the general purpose command chkconfig to enable and disable services that are started by init and xinetd. Using chkconfig is easier and less error prone than editing configuration files. To enable or disable a service started by init, use the following command. # chkconfig --level <runlevels> <service> [on | off] To enable the Apache Web Server to run on levels 3, 4, and 5, use the following command. # chkconfig --level 345 httpd on This command configures the httpd service to start at boot time for run levels 3, 4, and 5 only. This command only enables or prevents a service from starting; it does not actually start the service itself. To start the service manually, use the following command. # /etc/rc.d/init.d/httpd start Securing the Linux OS Page 29 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Services started from xinetd are managed in a similar way. The exception is that the run level should not be specified, as it is irrelevant to services managed by xinetd. By default, the xinetd service is automatically started at run levels 4 and 5. To enable Telnet, use the following command. # chkconfig telnet on This command enables Telnet and reloads the xinetd daemon, which makes Telnet available immediately. Limit Access to Services Managed by xinetd Sun Linux uses the xinetd daemon to control availability to minor network services. All network services are disabled by default. Services that are required to support a business requirement should be enabled as appropriate. Use the /sbin/chkconfig command to control xinetd services. The format and operations are the same for init services. When listing services using chkconfig, the init services are listed first followed by the services controlled by xinetd. An ideally secured server often does not run xinetd, because the daemons started in the /etc/xinetd.conf are frequently not needed. The xinetd daemon provides a number of facilities that are useful for limiting and monitoring access to the services it manages. Access can be limited by network address, time, and other parameters. To Change a Managed Service 1. Edit the /etc/xinetd.d/<service> file, where <service> is the name of the network service to be customized. 2. Use the chkconfig command to switch the service on. This command sends a USR2 signal to the xinetd process to reread its configuration files. Note that the signal differs from the signal used to reconfigure inetd. Address-based access control is provided through two configuration parameters: only_from and no_access. Both parameters specify an access list, which can contain IP addresses and ranges, host names, domain names, and other parameters. Refer to the xinetd.conf(5) manual page for details. Of the daemons started from the /etc/xinetd.d directory, the Telnet, FTP, and standard r* commands are described in the following sections. In Sun Linux, these services are disabled by default. For restricted access servers, all connections to services managed by xinetd should be logged. Logging is enabled by default in Sun Linux. Securing the Linux OS Page 30 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Sun recommends that you review and consider the use of the xinetd options listed in TABLE 1. You can use them to enforce additional policies such as limiting access times. Also, they allow for binding sockets to individual network interfaces. TABLE 1 xinetd Options Option Description only_from Specifies a list of host names, IP addresses, and/or IP address ranges that are allowed access to this service. Packets originating from one of the permitted addresses or address ranges are permitted, while all others are denied access to this service. Note that, especially in the case of UDP services, a packet with a spoofed source address is permitted to access the service. The xinetd daemon filters UDP services as well as TCP services, unlike TCP Wrappers, which only filter the first packet to a UDP server. However, xinetd runs a separate process that acts as filter, which is a relatively inefficient process and should be limited to low-traffic services. no_access Specifies a list of host names, IP addresses, and/or IP address ranges that are not allowed access to a service. If a source address matches an entry on both only_from and no_access lists, the most-specific entry takes precedence. banner_fail References a file containing contents sent over a TCP data connection that does not meet the access criteria. The connection is closed immediately after the data is sent. bind Listens only for connections on a specified interface address. We strongly recommend that you use this capability to configure services to listen only on those interfaces where the service is required. If a service is not required to run on a specific network, do not make it available. For example, consider binding management services to listen for connections only on management networks. The following example shows a possible configuration for the Telnet service. # default: on # description: The telnet server serves telnet sessions; it uses # unencrypted username/password pairs for authentication. service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = no Securing the Linux OS Page 31 of 47 ITSY243-Intrusion Detection Systems only_from bind Prof. Michael P. Harris = 192.168.1.0/24 = 192.168.1.50 banner_fail = /etc/telnet_banner } In this example, the Telnet service is configured to bind to the system's IP address 192.168.1.50 and to accept connection requests only from systems on the same network, 192.168.1.0/24. In addition, the banner message defined in /etc/telnet_banner is displayed to any user attempting to connect to this service from an IP address not on the 192.168.1.0/24 network. Enable TCP Wrappers The TCP Wrappers tool is an open source tool, developed by Wietse Venema, that provides a flexible configuration mechanism for controlling incoming connections based on pattern matching for hostnames, DNS domains, and network addresses. With Sun Linux, this functionality is integrated into the OS and provides protection for most network services, even those started by xinetd. The tool provides a good logging capability and detects DNS hostname discrepancies that can indicate an attack. TCP Wrappers are enabled by default on Sun Linux. TCP Wrappers are configured into a number of services, which include ssh, portmap, and every service managed by xinetd. A simple TCP Wrapper configuration could have the following configuration in its /etc/hosts.allow and /etc/hosts.deny files. # cat /etc/hosts.allow ALL: LOCAL 10.8.10.0/255.255.255.0 10.8.11.0/255.255.255.0 portmap: 10.8.31.100 sshd: 10.0.0.0/255.0.0.0 192.168.0.0/255.255.0.0 # cat /etc/hosts.deny ALL: ALL This sample configuration restricts access to all services using TCP Wrappers to the local subnet and two class C IP ranges (10.8.10.0 and 10.8.11.0). In addition, ssh and portmap allow other IP addresses to connect. For more information about TCP Wrapper capabilities, refer to the tcpd(8) manual page. Sun Linux uses xinetd as a replacement for the venerable inetd managed network services daemon. The xinetd provides facilities that are similar to TCP Wrappers, and is generally much more flexible than inetd. Unlike TCP Wrappers, xinetd can provide protection for UDP services by intercepting all packets and matching them with access control lists before passing them on. Also, xinetd can perform rate limiting and provides many logging options. On Sun Linux, xinetd has support built in for TCP Wrappers. It is not necessary to use the tcpd binary. Enable Packet Filtering Linux kernels based on version 2.4 and newer, such as Sun Linux 5.0, come equipped with a built-in packet filter called netfilter, that is also referred to by the name of the command that controls it: Securing the Linux OS Page 32 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris iptables. Netfilter supports all the features commonly found in modern IP packet filters, including stateful inspection filtering. A stateful inspection filter such as netfilter uses knowledge of packets that were previously seen as a factor in its filtering decisions. It is no longer necessary to pass all TCP packets that have the ACK flag set; DNS responses can be matched to requests. It is only necessary to add rules for the initial packet of a session, then the stateful inspection mechanism takes care of the remaining traffic. Rule sets become more concise, and there is less interference between rules for different protocols, which is a common problem with static packet filters. Netfilter also supports application level gateways (ALGs). These are rules that handle problem protocols such as FTP that negotiate additional connections, which have to be passed by the filter. The ALGs inspect the contents of packets to determine which additional connections to expect. Only a few protocols are supported at this time, however. Netfilter is an excellent tool for constructing host-based firewalls to protect against attacks from other hosts, not just those outside a perimeter firewall. They provide an additional layer of defense to protect against unneeded services being enabled by mistake, or when other security tools fail and are circumvented. Always practice defense in depth where possible. More information on the netfilter tool including source code, how-to documents, and tutorials are available at: http://www.netfilter.org/. An exhaustive list of netfilter and iptables related material is available at: http://www.linuxguruz.com/iptables/. Secure Telnet Connections Telnet is a user-interactive service for accessing remote systems on a network. Unfortunately, this service provides little in the way of security. By default, the only authentication information required is user name and password. Neither of these items are encrypted while in transit, and are, therefore, vulnerable to a variety of attacks including: man in the middle attack, session hijacking, and network sniffing. Tools implementing the Secure Shell protocol can serve as an effective replacement and are strongly recommended. By default, the Telnet service is disabled in Sun Linux. If this service must be used, then consider using strong authentication mechanisms such as Kerberos, One-time passwords, tokens, or other methods. In addition, consider restricting access to the Telnet service using xinetd filtering, TCP Wrappers, or hostbased firewalls. That way, the risks associated with running a nonsecure service are reduced by limiting who can access it. Host-based firewalls and TCP Wrappers limit the hosts that may connect to a system. By restricting access to services based on IP addresses, a system can limit its exposure to network attacks. Note that firewalls do not prevent sniffing of Telnet connections. Securing the Linux OS Page 33 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris CAUTION: One-time passwords and filtering access do not protect the contents of a session from being disclosed through network sniffing. In addition, be aware that these alternatives typically do not protect a session against being hijacked by a malicious user. The malicious user, in effect, can take over a session from an authorized user. Secure Remote Access Connections Access control and accountability are critical to the security of a system. Access control should involve strong authentication for system access, while accountability information should provide tracking data relative to system changes. The standard r* commands (rsh, rlogin, and rcp) break both of these recommendations, because most implementations of r* commands involve zones of trust. Within a zone of trust, all systems are trusted and no additional authentication is required. Hence, an intruder need only gain access to one server to gain access to all servers. The default authentication mechanism of the r* commands uses the hostname or IP address of a system and a user ID for authentication. No additional authentication is required. Considering the ease with which an IP address and user ID can be stolen or misused, this default is clearly not a secure mechanism. We recommend that you do not use the r* commands in this manner, and that you do not allow servers to offer a service in this manner. Where possible, the use of the r* commands should be replaced with a more secure alternative such as Secure Shell. There might be times when this is not possible. In those cases, it is recommended that the host-based authentication mechanism used by the rlogin command be disabled. To Disable Host-Based Authentication Comment out the pam_rhosts_auth.so entry in /etc/pam.d/rlogin file as follows: #%PAM-1.0 # For root login to succeed here with pam_securetty, "rlogin" must be # listed in /etc/securetty. auth required /lib/security/pam_nologin.so auth required /lib/security/pam_securetty.so auth required /lib/security/pam_env.so #auth auth account required /lib/security/pam_stack.so service=system-auth sufficient /lib/security/pam_rhosts_auth.so required /lib/security/pam_stack.so service=system-auth password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth Securing the Linux OS Page 34 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Shown in bold text, this change forces rlogin to prompt for a password. The rsh protocol does not allow for password authentication, and should therefore always be disabled. Note that the pound sign (#) is added to the line. Secure FTP The ftp daemon has many of the same security issues as the telnet daemon. By default, all authentication information transmitted over a network is in clear-text, in much the same fashion as the Telnet protocol. This exposes the FTP protocol to many of the same attack scenarios as Telnet, including man in the middle, session hijacking, and network sniffing. For these reasons, consider alternatives to FTP when FTP transport functionality is required. OpenSSH provides a secure alternative to FTP, providing most of the functionality of command-line based FTP access. The Washington University FTP (wu-ftp) service is provided in Sun Linux. This implementation of the FTP service supports several security enhancements not commonly found in its predecessors. In particular, the wu-ftp service supports: Enhanced access control using the /etc/ftpaccess file. Use this file to restrict access to specific users and restrict access based on group membership, source address or network, and user classes. Extended logging capabilities that permit you to log connection events, individual FTP commands, individual file transfers, upload or download, and security rule violations as defined by the FTP configuration. Explicit definition of the control and data ports used by the FTP server. This capability is very useful for controlling FTP access in firewall environments. Containment using the chroot(1M) facility. This facility allows a service to be configured to run in a contained area, such as a user's home directory, thereby limiting the file system objects a user can access. For more information on these capabilities and other configuration options provided by this service, refer to ftpaccess(5). Sun Linux includes a fully configured set of directories for anonymous access. A default /etc/ftpusers file is included as well. In this file, specify all accounts not allowed to use the incoming FTP service. At a minimum, include all system accounts (for example, games, news, uucp, and so forth) in addition to the root account. Frequently, intruders use FTP with these accounts to gain unauthorized access. Commonly, root access to a server over Telnet or Secure Shell is disabled while root FTP access is not. This configuration provides a backdoor for intruders who might modify a system's configuration by uploading modified configuration files, thereby accessing a system remotely. Securing the Linux OS Page 35 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris The second security feature of the in.ftpd daemon is the ability of the daemon to log IP addresses of all connections and commands issued to the ftp daemon through the syslog service. Logging is enabled with the -l option. Commands issued to the ftp daemon are logged when the -d option is used. By logging FTP connection requests and commands to a log server for parsing, you can track and resolve unauthorized access attempts. CAUTION: Using the -d option has the potential for logging passwords that are erroneously entered at the login prompt. It is important that the log files be sufficiently protected to prevent the disclosure of this sensitive information. The wu-ftp daemon can change the banner message shown before login. Use this daemon to hide from potential attackers the version of the FTP server used. To Change Banner Messages for Incoming FTP Connections 1. Review the /etc/ftpaccess file to determine if the following entry is present: banner=/etc/ftpd/banner.msg 2. If the entry is not present, add it. 3. Replace the contents of the /etc/banner.msg file with a line similar to the following, as appropriate for your environment: Authorized Use Only Secure the Remote Procedure Call (RPC) Services The Remote Procedure Call (RPC) mechanism provides a way for network services to communicate and make procedure calls on remote systems. When a new RPC service is started, it registers with portmap, the central RPC service agent. The portmap maintains a table of RPC services (listed by program number) and the network addresses on which they listen for clients to connect. A client first communicates with the portmap service to determine the network address it must use to contact an RPC service. You can list current RPC services by using the rpcinfo command, which communicates with the portmap service. CAUTION: Typically, the RPC services available in most Linux distributions are not secure. This situation is not true of other operating systems, such as the Solaris OE, that implement protocols such as AUTH_DH and RPCSEC_GSS and have the ability to restrict RPC usage to a local system using RPC that is implemented over TLI. For more information on AUTH_DH, RPCSEC_GSS, and TLI, refer to the Solaris documentation available at http://docs.sun.com/. Given that the Sun Linux operating system does not support these capabilities, unless RPCbased services are required to support a business function, such as accessing or sharing files via NFS, then disable them. Securing the Linux OS Page 36 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris To Disable the RPC portmap Service Use the following commands together: # /sbin/chkconfig -level 0123456 portmap off # /etc/rc.d/init.d/portmap stop The first command prevents the RPC portmap service from starting at boot time and the second command stops any currently running instances of the portmap service. The second command illustrates how you can disable a service without the need for a reboot. You could omit the second command, but then a system reboot would be required to completely disable the service. NOTE: This approach to disabling services applies to any services managed by the chkconfig command. Use this command to either allow or prevent a service from starting at boot time. It does not start or stop services on a running system. CAUTION: Be aware that stopping the portmap service does not directly prevent RPC services from running on a system. In particular, if an RPC service is configured to listen on a fixed port, such as through xinetd, then it can still be accessed. Be sure to review the contents of the /etc/xinetd.d directory for services with type parameters that include RPC. For these services, disable or restrict access to them. Disable or Secure automount Services The automount service automates the process of mounting file systems and devices without requiring that users have administrative privileges on a system. This process is accomplished using the kernel level autofs service with the automountd system daemon. File systems mounted by this service are automatically unmounted after a predefined period of inactivity. In Sun Linux, the automount service is capable of mounting not only NFS shares but also removable media such as CD-ROMs and diskettes. Typically, the automount service is used heavily in environments that use naming services such as NIS or LDAP, because remote file system information used by this service can be easily stored in these directories. It can be used on a standalone system as well, where there might be a requirement for automatically mounting local removable media. As with any service, if the automount service is not required to support business functions, it should be disabled or removed. To Disable autofs Use the following command: # /sbin/chkconfig -levels 0123456 autofs off Securing the Linux OS Page 37 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris To Remove autofs Use the following command: # rpm -e autofs If the automount service is required, then take steps to ensure that its configuration is as secure as possible. First, ensure that the automount service is configured to obtain its information from the correct naming service (for example, files, NIS, LDAP, etc.). Next, ensure that the file systems listed in the automount configuration are mounted appropriately. For example, the /etc/auto.misc file can be configured to mount various forms of removable media. If this file is configured improperly, a user could mount a diskette, formatted as a Linux (ext2) file system, that contains set-user-ID binaries. These binaries could then be run, giving the user added privileges and possibly allowing the entire system to be breached. To prevent this situation, ensure that only valid devices are listed and that mount options are added, where appropriate, to the automount service configuration files such as /etc/auto.master and /etc/auto.misc. In the next example, the keywords nosuid and nodev are added to the /etc/auto.misc file for the cd and floppy resources. This action instructs the system to ignore set-user-ID or set-group-ID bits set on any files mounted on the devices, and to not interpret any character or block special devices stored on them as well. This change is made because the Sun Linux NFS implementation does not currently support NFSSEC. Consequently, the NFS services are not able to use strong authentication or encryption such as is provided by Kerberos. cd -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom floppy -fstype=auto,nosuid,nodev :/dev/fd0 NOTE: These options are part of the standard configuration provided by Sun Linux. For other mount options, refer to the mount(8) manual page. CAUTION: Some mount options are specific to certainly file system types. Always be sure to use the correct options for the file systems that you are using. Secure the NFS Services A Sun Linux system can be an NFS server, an NFS client, both, or neither. From a security perspective, the best option is to neither provide NFS services nor accept them from any other systems as long as they are not required. If both NFS server and client services are not required, they can be uninstalled by removing the nfs-utils package as follows: Securing the Linux OS Page 38 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris # rpm -e nfs-utils If either the NFS client or server services are needed, then this package should not be disabled because both the client and server software is contained in the same package. By default, the NFS client service is enabled, whereas the server service is disabled. To Disable the NFS Client Service Use the following commands: # chkconfig --level 0123456 nfslock off # /etc/rc.d/init.d/nfslock stop The first command prevents the NFS client service from starting at boot time. The second command stops the NFS client service if it is already running on a system. Frequently, business requirements require an NFS server. If this is the case, ensure that the NFS server configuration is as secure as possible. To Improve Security of the NFS Server Configuration 1. Explicitly list hosts allowed access to NFS server directories. 2. Do not open access to all systems. 3. Export only the lowest directory necessary. 4. Never share more data than is needed to meet the business requirement. 5. Export read-only wherever possible. In addition, consider the use of other flags such as secure and root_squash. For more information on these options, refer to the exports(5) and mount(8) manual pages. The NFS server and various mechanisms available to secure it encompass more material than can be covered here. Secure the sendmail Services The sendmail daemon forwards and receives mail from other systems. You should use centralized mail servers to receive mail instead of using local servers. However, allow local systems to generate outgoing mail and forward it to other servers. Ideally, a more secure Mail Transport Agent (MTA) should be used instead of the MTA bundled with Sun Linux. The sendmail daemon bundled with Sun Linux has been subject to denial of service, buffer overflow, and misconfiguration attacks. Alternative MTAs with smaller and more robust code are available. These other MTAs are more security conscious and if configured properly, compromise the security of the server less than sendmail. Securing the Linux OS Page 39 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris If sendmail must be used as the Mail Transfer Agent (MTA), then refer to recommendations made at SendMail Consortium, in the Sendmail O'Reilly publications, and through the SunSolve OnLine SM service. There are a wide variety of sendmail versions in use, and there are differences in the associated sendmail.cf configuration files. Because of this, a sample sendmail.cf file is not included with this lesson. If sendmail is not required or only outgoing sendmail is required, we recommend that you remove, disable, or enable only outgoing sendmail. The following sections provide instructions and recommendations. To Remove or Disable sendmail If no sendmail functionality is required to support a business need, remove or disable it. Base your decision on the need to provide outgoing mail from a system. If this capability is needed, then do not remove the sendmail software. To remove the sendmail software, use the following command: # rpm -e sendmail sendmail-cf sendmail-doc To disable the sendmail service, use the following commands: # chkconfig --level 0123456 sendmail off # /etc/rc.d/init.d/sendmail stop The first command prevents the sendmail service from starting at boot time. The second command stops the sendmail service if it is already running on a system. To Allow Only Outgoing sendmail The sendmail daemon is not needed for email delivery to other systems. All messages that can be are immediately delivered. Messages that cannot be immediately delivered are queued for future delivery. The sendmail daemon, if running, retries to deliver these messages again. To enable only outgoing sendmail, use a cron job to start sendmail every hour to process undelivered messages. The following cron entry starts sendmail every hour to flush the mail queue: 0 * * * * /usr/lib/sendmail –q Configure Name Service Caching The name service cache daemon nscd provides caching for name service requests. It exists to provide a performance boost to pending requests and to reduce name service network traffic. By default, the nscd Securing the Linux OS Page 40 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris package is installed, but the nscd daemon is disabled. This section applies only if you need to enable the nscd daemon. The nscd daemon maintains cache entries for databases such as passwd, group, and hosts. For security reasons, it does not cache the shadow password file. All name service requests made through system library calls are routed to nscd. Because caching name service data makes spoofing attacks easier, we recommend that you modify the configuration of nscd to cache as little data as possible. This task is accomplished by setting the positive ttl to zero in the /etc/nscd.conf file for the name service requests deemed vulnerable to spoofing attacks. In particular, modify the configuration so that passwd and group have positive and negative ttl values of zero. NOTE: There might be a performance impact on systems that use name services intensively. Use the nscd -g option to view the current nscd configuration on a server. This option is a helpful resource when tuning nscd. Secure Print Services When a Sun Linux system is installed, the line printing package is installed, but needs to be configured. By default, the lpd daemon is not started. To Secure Print Services 1. To ensure that line printer services are not started, disable the package at startup by using the following command. # /sbin/chkconfig --level 0123456 lpd off 2. If printing services are not required for the system, remove the package by using the following command: # rpm -e LPRng Display Access Warnings Displaying access warnings allows companies to pursue full legal recourse if a system is accessed or compromised by unauthorized users. These warnings contain messages about inappropriate and unauthorized use of a system. They generally warn users that their sessions and accounts might be monitored for illegal or inappropriate use. Consult your legal counsel for requirements and verbiage. Securing the Linux OS Page 41 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris The contents of the /etc/issue file are displayed for local and serial access. The contents of /etc/issue.network are displayed for incoming Telnet connections. Also, you can use the message of the day /etc/motd file. The following is an example warning. This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials. If sendmail service must be configured to run on a system, then consider modifying the banner message that is displayed to clients connecting to a service on TCP port 25. By default, the banner includes host name and version information that might be used by attackers and automated vulnerability scanners. Changing the banner text does not impact the ability of the service to function. To Change the Banner Message 1. Add the following line to the /etc/mail/sendmail.mc file and rebuild the configuration file: define(´confSMTP_LOGIN_MSG', ´´Mail Server Ready'')dnl 2. Place the line after the include directive in this file, and before any FEATURE lines. If you modify the contents in /etc/sendmail.cf file, which is generated from the /etc/mail/sendmail.mc file, all changes are lost at the next generation cycle. 3. To generate the /etc/sendmail.cf from the /etc/mail/sendmail.mc file, do the following: # m4 /etc/mail/sendmail.mc > /tmp/sendmail.cf Securing the Linux OS Page 42 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Turning Kernel Network Parameters Configure kernel variables to improve network security. Some changes might cause a system to not strictly comply with relevant RFCs and might require testing before being placed on production systems. Configure kernel variables by performing the following tasks: "Configure IP Forwarding" "Disable Source Routing" "Ignore Broadcast ICMP ECHO Packets" "Log Invalid Addresses" "Configure ICMP Redirect Messages" "Use Source Route Verification" "Disable Protocol Stacks" Configure IP Forwarding During startup, the /etc/sysctl.conf file is read by the sysctl command. This file contains settings for kernel parameters. You can disable or enable IP Forwarding by assigning net.ipv4.ip_forward to the kernel parameter. Assigning a 0 disables and assigning a 1 enables forwarding. Be aware of the following: Assigning a 0 resets all IPv4-related variables to conform with RFC 1122 (requirements for Internet hosts–communication layers). Assigning a 1 resets all variables to conform with RFC 1812 (requirements for IP version 4 routers). NOTE: It is important to set this kernel parameter first, before changing any other related parameters. To Disable or Enable IP Forwarding To disable IP forwarding, set the parameter in the /etc/sysctl.conf file as follows: net.ipv4.ip_forward = 0 To enable IP Forwarding, set the parameter in the /etc/sysctl.conf file as follows. net.ipv4.ip_forward = 1 Securing the Linux OS Page 43 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Disable Source Routing Source routing has been used in attacks, and legitimate uses of source routing are few. It is a good idea to discard all packets that use source routing, unless you have a specific need for them. To Disable Source Routing Add the following lines to the /etc/sysctl.conf file: net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_source_route = 0 The first line disables source routing on all current interfaces. The second line provides a default for any new interfaces that might be configured later. Ignore Broadcast ICMP ECHO Packets Many operating systems respond to ICMP ECHO (ping) packets that are sent to the network broadcast address. This behavior has been used to mount denial-of-service attacks by causing all hosts on a network segment to send ICMP REPLY packets to a host under attack. Our advice is to disable this behavior. To Disable Echo Broadcasts Add the following line to the /etc/sysctl.conf file: net.ipv4.icmp_echo_ignore_broadcasts = 1 Log Invalid Addresses When a kernel receives packets with obviously invalid addresses, they are discarded. To Log Invalid Addresses Add the following two lines to the /etc/sysctl.conf file. net.ipv4.conf.default.log_martians = 1 net.ipv4.conf.all.log_martians = 1 Configure ICMP Redirect Messages ICMP redirect messages are used by network gateways to inform a host sending data to forward packets to a different gateway. If a Sun Linux system is not configured to act as a gateway, that is the net.ipv4.ip_forward parameter is set to 0, then the system should never need to send ICMP redirect messages. Securing the Linux OS Page 44 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris To configure the system to never send ICMP redirect messages, add the following line to the /etc/sysctl.conf file. net.ipv4.send_redirects = 0 Similarly, if you only have one gateway on the network to which the host is attached, then it is safe to ignore any incoming ICMP redirect messages. These messages could not be generated in such a case, because there is only one path out of the network. An attacker can forge redirect messages to install bogus routes. This action might initiate a denial of service attack if a newly specified router is not a router at all. Similarly, this technique could be used to force network packets to be routed through an attacker's machine, where the packets could be inspected, captured, or modified. Although there are rules governing valid ICMP redirect messages, all of them can be easily spoofed. If possible, configure the system to ignore ICMP redirect messages by adding the following line to the /etc/sysctl.conf file. net.ipv4.accept_redirects = 0" Use Source Route Verification The Sun Linux source route verification mechanism verifies that a packet comes in on an expected network interface. The routing table is consulted for each incoming packet. The interface the packet comes in on must match the interface that would be used to reach the source of the packet. If these interfaces do not match, the packet is discarded. This feature is enabled by default. Source route verification adds overhead to packet processing and might not work in environments where asymmetric routing occurs. Source route verification is controlled by the following parameters. net.ipv4.conf.default.rp_filter net.ipv4.conf.all.rp_filter Our recommendation is to leave it enabled unless it causes performance or routing problems. To Disable Source Route Verification Add the following lines to the /etc/sysctl.conf file: net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.rp_filter = 0 Securing the Linux OS Page 45 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Protocol Stacks The kernel supports on-demand loading of kernel modules. Many components of the kernel such as file systems, protocol stacks, and device drivers are loaded the first time they are needed. The process of loading a required kernel module is quite simple: the kernel creates a new user process and runs the program /sbin/modprobe, which loads the required module. This simple and effective mechanism has one drawback: protocol stacks other than TCP/IP might be loaded inadvertently. When a network socket is created for protocol family N, the kernel executes the following command. # /sbin/modprobe -s net-pf-N The protocol stack is loaded. We recommend that you disable all unnecessary protocol stacks. To Disable All Unnecessary Protocol Stacks Modify the following lines to the /etc/modules.conf file: alias net-pf-4 off # IPX alias net-pf-5 off # Appletalk alias net-pf-10 off # IPv6 alias net-pf-12 off # Decnet References and Related Resources Publications Hatch, Brian, and Osborne, James Lee. Hacking Linux Exposed, Second Edition McGraw-Hill, ISBN: 0072225645, November 2002. Nemeth, Evi, Snyder, Garth, Seebass, Scott, and Hein, Trent R. UNIX System Administration Handbook, 3rd Edition, Prentice Hall PTR, ISBN: 0130206016, August 2000. Noordergraaf, Alex. "Solaris Operating Environment Network Settings for Security: Updated for Solaris 9 Operating Environment," Sun BluePrints OnLine, June 2003, http://www.sun.com/solutions/blueprints/0603/816-5240.html. Noordergraaf, Alex and Watson, Keith. "Solaris Operating Environment Security: Updated for the Solaris 9 Operating Environment," Sun BluePrints OnLine, December 2002, http://www.sun.com/solutions/blueprints/1202/816-5242.pdf. Red Hat Linux 9: Red Hat Linux Security Guide, Red Hat Inc., 2002. Reid, Jason. "Building OpenSSH - Tools and Tradeoffs," Sun BluePrints OnLine, January 2003, http://www.sun.com/blueprints/0103/817-1307.pdf. Reid, Jason. "Configuring the Secure Shell Software," Sun BluePrints OnLine, April 2003, http://www.sun.com/blueprints/0403/817-2485.pdf. Securing the Linux OS Page 46 of 47 ITSY243-Intrusion Detection Systems Prof. Michael P. Harris Reid, Jason. "Integrating the Secure Shell Software," Sun BluePrints OnLine, May 2003, http://www.sun.com/blueprints/0503/817-2821.pdf. Stevens, Richard W. TCP/IP Illustrated, Volume 1, 1st Edition, Addison-Wesley Publishing Company, ISBN: 0201633469, January 1994. Web Sites NOTE: Sun is not responsible for the availability of third-party Web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. Sun will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources. Center for Internet Security - Linux Benchmark http://www.cisecurity.org/ OpenSSH tool: http://www.openssh.com/ Sendmail Consortium: sendmail configuration information, http://www.sendmail.org/ SSH Communications Security, Secure Shell (SSH) tool: http://www.ssh.com/ Sun BluePrints: http://www.sun.com/blueprints TCP Wrappers tool, Wietse Venema: ftp://ftp.porcupine.org/pub/security/index.html Securing the Linux OS Page 47 of 47