Reasonably Secure Installs
George Mason University Linux Users Group
9 December, 1999
© 1999, Bradley Alexander
Background: Security
System security affects each person who has a networked computer. Whether on an isolated private network or connected to the Internet, the possibility exists for unauthorized users to break in to a machine or cause the machine to become unusable through a denial of service attack. They may also use the network to perform insertion (also known as man in the middle) attacks.
Even home computer users must, in this day and age, protect themselves by securing their systems.
Background: Security (cont.)
Security will, in my opinion become the next Y2K-esque "buzzword." With Sony and Sun Microsystems working to put PCs into refrigerators and other appliances, home firewalls will become the next big deal, after the Y2K concerns are overcome by reality.
This does not, however, reduce the need for security. If they start putting household appliances online, security will become more and more crucial. It's bad enough if a scriptkiddie wipes your hard drive, but if, for example, one burns your house down by getting root access to your stove, thats something else completely.
Security Myths
Before continuing, we need to dispel a few myths:
"I don't have anything a cracker would want." This is just plain wrong. You have a system on the Internet. You have a system that is unexplored territory. Many times, a cracker is after the experience. They may be practicing for larger targets, or even merely for bragging rights. Some- times, they are merely curious or break in simply because the host is vulnerable. Some even have an agenda, like breaking Windows machines because they run Windows. In addition, do you have your Quicken database on the computer? It goes online each time you do.
Security Myths (cont.)
"I'm not listed in a DNS, I'm safe, right?" Many people think that since there are so many hosts on the Internet, they are safely anonymous. This phenomenon is called Security through Obscurity, and is completely false. You may not be "advertised" in a DNS server, but you still have an IP address when you are connected. Today's cracking tools give anyone the ability to automatically scan an entire Class B network (65,536 hosts) by IP address and display vulnerabilities for each host in a few hours. Once one of your machines is compromised, it is fairly easy to break other machines you connect to.
Risks Posed by Crackers
Your system is at risk of not only compromise, but also destruction. Once the cracker has root access, he literally owns your system. Some crackers are just plain mean- spirited and want to cause damage. Some damage is caused by a cracker who feels as if he is about to be caught, and he destroys the system or parts of it to cover his escape. Many damage or destroy systems through ignorance. They are not truly technical, and they don't know their tools. A good backup plan, while not directly security-related, is crucial to recovering from an attack.
Risks Posed by Crackers (cont.)
And what are system crackers after? Aside from the previously-listed examples:
A jumping-off point for SPAM.
A safe haven for launching other attacks.
Specific files on the current machine.
The bottom line is this:
Crackers unauthorized users who, for whatever reason has taken an interest in your system, network or data. They do not belong there. Do not make it easy for them.
Views on Security
The following few slides will cover my personal views on security. There are four layers or levels of system and network security.
Views on Security
The following few slides will cover my personal views on security. There are four layers or levels of system and network security.
Internal Security - Tripwire, FCheck, TCP_Wrappers, etc.
Views on Security
The following few slides will cover my personal views on security. There are four layers or levels of system and network security.
Internal Security - Tripwire, Fcheck, TCP_Wrappers, etc.
Intrusion Detection - Programs that watch ports or network
Views on Security
The following few slides will cover my personal views on security. There are four layers or levels of system and network security.
Internal Security - Tripwire, FCheck, TCP_Wrappers, etc.
Intrusion Detection - Programs that watch ports or network
Perimeter Defense - Access control, firewalls, etc.
Views on Security
The following few slides will cover my personal views on security. There are four layers or levels of system and network security.
Internal Security - Tripwire, FCheck, TCP_Wrappers, etc.
Intrusion Detection - Programs that watch ports or network
Perimeter Defense - Access control, firewalls, etc.
Personal Awareness - Watching logs, knowing the host, security auditing.
Personal Awareness
Of these four layers, awareness is the most important of all. Awareness of the system goes beyond mere security auditing. Awareness allows you to note changes, and helps you to find the evidence of intruders before too much damage is done. This includes watching your logs, updating your Tripwire databases, noticing changes (e.g. the ethernet interface suddenly going into promiscuous mode) and just being familiar with the system or network. This is crucial to seeing changes that could indicate malicious activity. Awareness also involves staying informed on security issues (e.g. vulnerabilities, etc.)
Intrusion Detection
Intrusion Detection is the second most important layer. Intrusion Detection is the set of tools to find cracking activities, things such as portscanners, repeated attempts to log in to nonexistent accounts, repeated wrong passwords on a valid account or malicious packets traversing the network. There are two types of Intrusion Detection Systems (IDS): host-based and network IDS. Host-based IDS live on individual hosts. Network-based IDS use dedicated sensor machines placed around the network to watch for malicious activities.
Perimeter Defenses
Perimeter Defenses include firewalls and screening routers, as well as access control mechanisms, such as Secure Shell (ssh), Kerberos and S/Key one-time encryption algorithms. The goal of perimeter defenses is to keep the bad guys out. Disabling or limiting unneeded or dangerous services (NFS, NETBIOS, RPC, etc)
For network security, this would also include inter-host communications, and trust models.
Internal Security
The goal of internal security is to safeguard critical files against corruption in the even that the black hat is already in. One of the methods used by crackers is to replace critical files such as ps, ls, find, locate with versions that will hide the activities of the cracker (a rootkit attack). Programs such as Tripwire or FCheck will authenticate these files, so their replacement will be noticed. It is extremely important to store copies of these databases offline, since if someone does get into the machine, he cannot access media that is not online from a remote location.
What are you security needs?
I have covered quite a bit of (probably) pretty scary stuff here. Do you need to defend against everything? Probably not. While security is a good thing, it is possible to be too paranoid. A good rule of thumb is that security times convenience is a constant. I have said before, "The only truly secure computer is one that has been unplugged from the network, powered off, packed in concrete and fired into the Sun. But then, it ain't very usable, is it?" Each adminstrator needs to determine what level of security they need, then tailor their defenses to the threat. This is an administrator decision, since the user will nearly always err on the side of convenience.
What are you security needs?
This is probably the most important question you will consider this entire process. The question can be broken into two parts:
Who are you defending against?
What are you protecting?
These two questions will help you to determine your entire security posture.
Who are you defending against?
There are a number of types of persons that are considered threats. A few examples of these would be:
"Scriptkiddies" - Amateur crackers that are searching the Net for machines that can be easily exploited, generally using automated tools. They are dangerous because they are so common and the toolkits they use are rather powerful. They break systems because they are there, and possibly for bragging rights. They are generally looking for the "easy kill." Scriptkiddies' attacks are usually quite noisy, and they can crash your machines.
Who are you defending against?
Professional - Not generally a threat to the home user. These crackers are after something specific, with a specific purpose in mind. They generally have some motivation, be it money, patriotism, religion or something else. Their purpose may be industrial espionage, terrorism, or some other task. The professional is extremely stealthy. If they are after information on your system, they go in, get it, and you never know they were there. If their goal is to take you down, you will not know of their presence until the attack is launched.
Who are you defending against?
Insider - 70-80% of all security violations are caused by "inside jobs." Whether due to malice, such as a disgruntled employee, or due to ignorance, such as taping passwords to the monitor or using guessable passwords, the user is the cause of the bulk of the security incidents in a corporate environment. One of the most common methods of exploiting this is called social engineering. An example of this is the cracker calling a secretary and saying "This is Joe from Network. We're having mail problems and I need your password so I can test it."
Who are you defending against?
- Consider the following real-world analogy:
- The pro can be compared to a professional thief. Their attacks are well-planned, they have a goal in mind and are efficiently pursuing that goal.
- The scriptkiddie is the teenager that breaks into your house by kicking in your back door.
- The insider can be compared to a roommate who leaves the door unlocked, or leaves the a smoldering cigarette and starts a fire, or decides to ransack your CD collection and move out.
What are you protecting?
Are your systems physically secure?
Access Control to the physical box, CMOS and LILO password.
Is your data important or irreplacable?
For instance, financial records, classified data, etc?
Is your machine on the Internet?
You are vulnerable to scriptkiddies.
Static IP addresses are more vulnerable than dynamic. Cablemodems are worse yet. There is no security.
Basic Security
I use a six step process for basic system security:
1. Planning
2. Installation
3. Patching/Initial Security Steps
4. Perimeter and Internal Measures
5. Intrusion Detection
6. Testing/Attacking
Security Planning
Security planning is to a secure system as a solid foundation is to a solid house. If you proceed from a flawed or nonexistent security plan, expect trouble at a later date. Even for a home network, you should define your security policy, make your users aware of it, then enforce it.
Security Planning
You need to determine, in broad terms, your security posture.
Consider the purpose of the machine. A public ftp server will generally have looser security than a firewall.
In broad terms, this posture will fall into one of two categories:
Everything not specifically denied is implicitly allowed.
Everything not specifically allowed is implicitly denied.
I prefer the latter option, as it is more secure.
Security Planning
Starting with your posture statement, begin to develop your policy.
Your security requirements will determine how you tailor your defenses. Consider the two questions I asked earlier:
Who am I defending against?
What do I need to protect?
The answers, along with the broad posture, will form the basis of your security policy..
Security Planning
Two excellent references for the planning stage:
RFC 2196, Site Security Handbook
RFC 2504, Users' Security Handbook
Use these two documents to write a security policy. Note that this policy will cover non-security items such as backups and sites which are restricted. You should also grow it to the point that it covers things like power failure procedures and the like.
Security Planning
Another side of security planning is called incident response. As the name implies, it is what you, the administrator will do if you are cracked. Will you ignore it and continue to march? Reformat and reinstall from backups? Rebuild your entire Oracle db from scratch?
Who will you alert? NoVALUG SecSIG? USA Today? CERT? DARPA? Not tell anyone and just suffer in silence?
You should also consider the term "incident" and tailor your responses. A scan does not warrant the same response someone gaining root on your system.
Hardware Planning
Once your security policy begins to take shape, you should consider your hardware. Are you running a single machine on a dialup or a network connected by OC12? Cablemodem, DSL or T3? Secure facility (a whole other ball of wax) or University computer lab? These should factor into your planning. You should also take time to inventory the hardware in your machines. Get makes, models, serial numbers, MAC addresses, etc. Put it on paper and file it away.
Hardware Planning
Match the mission of the machine to its physical hardware and the OS. (No Win95 firewalls here...)
Determine whether the machine is to be a multi function host or a bastion host.
I personally prefer a bastion host configuration, where each host has a specific function, however, many home setups do not make this possible.
Hardware Planning
A bastion host is a machine which serves a single purpose. It can be dangerous to have one machine as the web server, name server, firewall, ftp server and so forth. If the host is compromised through, say, a cgi exploit on the webserver, it would be trivial to compromise all of the network services on this host, and expose your other hosts to compromise. The more you can separate critical services, the harder it is to compromise them.
Filesystem planning
Note that at this point, we have not even touched the machine. This is normal, as the more you plan in advance, the easier it will be to execute. Next you should determine how you need to partition your disks. Beginners can use one large partition, though from a security standpoint, especially on multiuser systems, it is not sufficient.
Multiuser systems should be protected from users actions, both malicious and accidental.
Historically, Unix systems crashed if the root partition fills. Modern Unix filesystems reserves 5-10% against this eventuality. For large drives allocate around 1-2%.
Filesystem Planning (cont.)
My rules for disk partitioning:
Separate partition for filesystems which users can write to: /home and /tmp.
Separate partition for filesystems which have files that you might want to keep if you upgrade: /usr/local, /opt.
Separate partition for filesystems that are dynamic or change frequently: /var.
If necessary, separate / and /usr. I generally keep these two partitions together, though if using multiple OSes, you can also build /boot in cyl < 1023.
Filesystem Planning (cont.)
A few thoughts on partition sizing:
/ + /usr requires about 1.5-2GB for a RedHat custom with a fairly comfortable workstation load and KDE or Gnome.
/var should be as large as possible, since it contains print queues, mail spools and logs. (Depends on machine use.)
/opt and /usr/local are for non-distribution software. Both are optional, and I use /opt for packages (e.g. StarOffice), and /usr/local for system software (e.g. Secure Shell and gnupg).
Partition sizes should fit the available drives. (Duh!)
Installation
Install the distribution of your choice. This is beyond the scope of this presentation, however install according to the distro's install instructions.
You should take your time and select the individual packages which you want to install. Install as few packages as you can. The more packages you install, the greater the number of possible exploits.
Installation (cont.)
Until your defenses are in place, do not expose this host to the open network. If you are on a closed, controlled network, this is acceptable, however, avoid situations where the machine can be compromised. If it is compromised during the next two steps, it will be difficult to detect. Note that machines have been broken in the first 15 minutes after being put online.
Always remember:
It is impossible to prove that any machine has not been compromised. It can only be proven that the machine has been compromised.
Patching the system
Install the most current updates for the distribution you installed. These will eliminate the most obvious and readily available exploits.
Set up a "dual homed" machine to talk to the host you are building and to the net to keep the new host from exposure, otherwise, transfer via removable media.
Patching the system (cont.)
Install security programs which will help you in later steps, such as SecureShell, pgp, gnupg.
A few basic changes to the system:
Make sure /tmp has the sticky bit set:
chmod 1777 /tmp
This sets a flag so files in the dir can only be deleted by owner.
Make sure shadow passwords and md5 encryption are enabled. (This should be selected in RH6.x install options.)
Change the mode of swap devices to 0600.
Patching the System (cont.)
Delete extraneous users (like uucp) from /etc/passwd. Inactive users should have a * in field 2 of /etc/passwd and the shell set to /bin/false.
Install Pretty Good Privacy (pgp) and/or GNU Privacy Guard (gpg), since many of the security packages are signed. Make sure you get the detached sig file and keys.
Set up Secure Shell.
This will give you secure access to the rest of the network.
Compile with tcp-wrappers support and without rsh.
Patching the System (cont.)
Set up inetd.conf. Comment out or remove all unnecessary services then restart inetd.
My inetd.conf only has telnet and ftp. (The firewall does not.)
Change the login banners to remove all of the OS info.
Disable all unnecessary services in the startup scripts in /etc/rc.d/rc*.d.
Check your message logging in /etc/syslog.conf
Remove unnecessary suid and sgid bits from files.
Armoring the System
At this point, we can continue putting the defenses in place. We should have already got ssh up and running and keys generated, inetd tightened. We should proceed to set up internal defenses, perimeter defenses and logging helps. There are a growing number of security-related applications for Linux. In the next few slides, I will give a number of apps which I use or have used in the past.
Application Links
- System Security
- Tripwire - This app traverses the filesystem and creates checksums for files and directories. The checksum will change if the file is changed in any way. Version 1.3 is free, 2.0 is payware, though you may be able to get a freeware version of 2.0 for Linux.
- http://www.tripwiresecurity.com
- FCheck - Much like Tripwire, this is a GPL perl script. It is easier to set up and seems to work well.
- http://sites.netscape.net/fcheck
- Make copies of the databases on floppy diskette.
Application Links (cont.)
- System Security (cont.)
- Sentinel - Along the same lines as Tripwire and FCheck.
- TCP_Wrappers - Written by Weise Venema, wrappers is a staple of modern Unix. The concept is that each service in inetd.conf is "wrapped" by an access control layer. Two files, hosts.allow and hosts.deny control access to the file. TCP wrappers should be installed by default with most distros.
Application Links (cont.)
- Intrusion Detection
- Psionic Portsentry - A host-based IDS, it watches for, and optionally responds to portscans. If it detects a portscan against the machine, it can optionally block that host through tcp_wrappers, blocked routes and firewall rules. Care should be taken in using firewall rules and blocked routes, since most scanners can spoof up to about a dozen sites, setting up a denial of service situation.
Application Links (cont.)
- Intrusion Detection (cont.)
- Shadow - Distributed by the Naval Surface Warfare Center, Shadow is a Network IDS. Shadow uses a number of "sensors" placed around the network. These sensors collect traffic and ship it off at intervals to an analysis station. The analysis station then checks for malicious patterns which indicate attacks.
- http://www.nswc.navy.mil/step.htm
Application Links (cont.)
- Intrusion Detection (cont.)
- Network Flight Recorder - Another NIDS, Network Flight Recorder is a payware application much in the same way as Shadow. NFR uses attack "modules" or profiles to detect nefarious activity. Many of these modules were written by L0pht, the (in)famous hacker organization.
- http://www.nfr.net/download/
- http://www.l0pht.com
- http://www.nwsc.navy.mil/ISSEC/CID/nfr_id.tar.gz
Application Links (cont.)
- Intrusion Detection (cont.)
- RealSecure - ISS Inc.'s network IDS. This is payware.
- Note: No IDS is perfect, nor will it catch everything. If the situation warrants, a site could run more than one IDS, for instance a NIDS and a host-based IDS or multiple NIDS. An extra set of eyes never hurt...
Application Links (cont.)
- Perimeter Defense
- Secure Shell - A replacement for the insecure r-commands, for telnet and for ftp. Unlike telnet, which sends information (including passwords) in clear text, which can be easily picked off of the wire by a sniffer. SSH encrypts all traffic between two hosts using strong cryptography, including passwords.
- SSH-1 http://www.cs.hut.fi/ssh
- Do not use RSAREF with ssh-1.2.27. It has a buffer overflow exploit.
- SSH-2 http://www.ssh.fi
- OpenSSH http://www.openssh.net
Application Links (cont.)
- Perimeter Defense (cont.)
- Firewalling - There are three major types of firewalls:
- Packet Filtering - This type takes traffic and accepts or denies it based on the address and port of the source and destination machines. Packets never traverse the firewall between the "inside" and "outside" networks.
- Stateful Inspection - Each packet is inspected and more information can be flagged e.g. Type Of Service (TOS).
- Application Proxying - Similar to packet filtering, but on an application level. Each app talks directly to a proxy or wrapper that filters the information based on rules.
Application Links (cont.)
- Perimeter Defense (cont.)
- Firewalling (cont.)
- Linux IPMasq is configured in userspace using ipfwadm for 2.0.x kernels, and ipchains for kernel 2.2.x. 2.4.x kernels will use an improved ipchains called netfilter.
- Linux has but one Stateful Inspection firewall called SINUS, however, Checkpoint is slated to release Firewall-1 in 1Q 2000.
- The most common Linux application proxy firewall is Trusted Information Systems' Firewall Toolkit (TIS FWTK).
Application Links (cont.)
- Perimeter Defense (cont.)
- Firewalling (cont.)
- Linux supports packet filtering out of the box, and can be easily configured to use Network Address Translation (a.k.a. IP Masquerading).
- While firewalling is not as important as Intrusion detection, you should always have filtering up on all untrusted interfaces.
Application Links (cont.)
- Awareness
- This is the human part of system security. Automated tools are not perfect. Watch the watchers. This is known as security auditing.
- Keep an eye on your internal system monitors. Update your tripwire or fcheck databases regularly to reflect authorized changes. It is easier to find bad changes if you keep updated.
- Watch your logs. Set up additional logging for forensics purposes. Watching logs is tedious, yet necessary.
- Deploy an ip logger to catch strange datagrams. Syslogd and klogd will not report half open (SYN) scans.
- Use a log checker like logcheck or logsurfer to manage your messages. Logs must still be checked, but these will give a snapshot.
Final Testing
- Before placing the machine on the Net for the first time, you should check your defenses. The best way to check your security is by trying to break into it. Attack the system and see if there are obvious holes or deficiencies you have missed.
- Use the very tools that the cracker would use, and attack from within and without.
Final Testing (cont.)
- Attack first from within. Use portscanners, such as nmap, sscan, mscan etc. to identify listening ports, then decide whether or not they are needed.
- Use vulnerability scanners (e.g. Nessus, ISS' System Scanner, and Internet Scanner, and ARC's TARA and SARA). Again, find, identify and correct any vulnerabilities the scanner detects.
- Scan from inside and from all interfaces. If a firewall, make sure to scan from outside of the firewall interface.
- When looking for holes, you may have to disable your defenses. Don't forget to reenable them.
Conclusion
As stated earlier, there is no such thing as a truly secure machine that is usable. Taking the steps above will give you a reasonably secure machine. Watching your logs and responding to the system's prompts will give you a reasonable chance of success against all but the most determined cracker. Stay aware, watch the security alerts pages, stay up to date on patches and new security software.
Remember, security is not any specific action, it's a way of life.
Links
SecurityFocus:
http://www.securityfocus.com
SecurityPortal:
http://www.securityportal.com
Linux Administrators Security Guide:
http://www.securityportal.com/lasg
TrinityOS:
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
SANS Institute
http://www.sans.org