Securing Debian GNU/Linux HOWTO
By Alexander Reelsen, ar@rhwd.net
v1.0.0, 8th April 2000
This document is about securing the default Debian
installation in as
many ways as possible. (THIS IS A PRE ALPHA PRE DRAFT!!!)
______________________________________________________________________
Table of Contents
1. Introduction
1.1 Knowledge required
1.2 Purpose
1.3 What this document is about
1.4 Feedback
1.5 Revision history & TODO
1.6 Copyright/Distribution
1.7 Credits
2. During installation
2.1 Choose a BIOS password
2.2 Choose an intelligent partition scheme
2.3 Choose a secure boot order
2.4 Set a root password
2.5 Activate shadow passwords
2.6 No overbloating
3. After installation
3.1 Set a LILO password
3.2 Disallow floppy booting
3.3 PAM - Pluggable authentication modules
3.4 Edit /etc/limits
3.5 Edit /etc/inetd.conf
3.6 Edit /etc/login.defs
3.7 Edit /etc/ftpusers
3.8 Using tcp wrappers
3.9 Using ssh
3.10 Using su
3.11 Using sudo
3.12 Realize the insecurity of X over network
3.13 Using chroot
3.14 Configuring some kernel features
3.15 Do not use software depending on svgalib
3.16 The lpd and lprng issue
3.17 Using mail appropiate in security context
3.18 Secure file transfers
3.19 Using a loghost
3.20 Using quotas
3.21 Audit CGI scripts
3.22 Logfile permissions
3.23 chattr/lsattr
3.24 Your file integrity
3.25 Securing BIND
4. After you have been compromised
4.1 General behaviour
5. Software, useful for making Debian more secure
5.1 Follow the debian security updates
5.2 Exchange software
5.3 Useful kernel patches
5.4 Useful other software
5.5 Genius/Paranoia Ideas, what you could do
______________________________________________________________________
1. Introduction
1.1 Knowledge required
The installation of Debian GNU/Linux is not very difficult and
you should
have been able to install it. If you already have some knowledge
about
Linux or other Unices, it will be easier to understand this
HOWTO.
1.2 Purpose
The purpose of this HOWTO is to increase the security of your
current
Debian GNU/Linux Installation. It is impossible to reach an
absolute
security, but you can at least increase it.
Especially today, security is becoming a very important topic.
Some people,
called crackers, are trying to attack firewalls, routers or other
machines
on the internet, which includes even workstations behind dialup
connections.
What will happen if somebody has stolen important data from your
employer?
What if somebody breaks into your servers and destroys all data
on them?
Even on a LAN, where you know all of your colleagues you cannot
be sure,
that this will not happen.
1.3 What this document is about
One of the hardest things about writing security documents is
that
every case is unique. Two things you have to be concerned about
are the
threat environment and the security needs of the individual
site/machine.
For instance, the security needs of a home user are completely
different
from a network in a bank. While the primary threat of the home
user is
mainly the script kiddie type of cracker, the bank network must
worry
about directed attacks. And the bank has to protect their
customer's
data with arithmetic precision. In short, every user has to
weigh
himself between usability and security/paranoia.
As a very important note I am going to tell you now, that this
HOWTO
only covers software topics. It is completely your problem how
you
physically secure your computer. You can place it under your
workdesk,
or you can place it in a nuclearproofed bunker with an army in
front of
it. Nevertheless the workdesk computer can be much more secure
(from the
software point of view) than the other one. As this HOWTO is only
covering
the software side you also should think about the other side.
In
addition this document just gives a brief overview what you can
do to
increase the security of your Debian GNU/Linux installation.
Many parts of this HOWTO can be transferred to other
distributions as well.
1.4 Feedback
I am always glad to hear some feedback about this document. Of
course it
is not perfect (though you are allowed to write me this), but I
hope it
can help you a little. Proposals for improvements in this
document are
always welcome. As new software appears every day, this HOWTO may
not be
state-of-the-art at the time you read it. If it should be
hopelessy out
of date, I will give over this HOWTO to someone who is willing to
keep it
up to date. Maybe you?
1.5 Revision history & TODO
V1.0
Initial Version
TODO: - suidmanager
- nosuid mount flag
- lpr and lprng
- Switching off the gnome IP things
- LKM, linux kernel modules
1.6 Copyright/Distribution
This document is Copyright (c) 2000 by Alexander Reelsen.
However, you are allowed and encouraged to redistribute it in
any form
without permission of the author. I would be happy if you inform
me
when you are planning to translate this document. If you take
excerpts
from this document be so kind and place a pointer to the full
document.
Thanks.
In short, this is from the community for the community.
1.7 Credits
- Robert van der Meulen with the quota paragraphas and many
good ideas
- Ethan Benson corrected the PAM paragraph and had some good
ideas
- People who encouraged me to write this HOWTO
- The Debian project of course :)
2. Before/During Installation
2.1 Choose a BIOS password
Before you install any operating system on your computer,
setting up a
BIOS password is essential to ensure basic security as well as
changing
your boot sequence to disable floppy booting. Otherwise the
cracker just
needs to bring a bootdisk with him. Disable booting without a
password
would be the best, if noone should touch that system. This can be
very
effective if you run a server, because usually it does not get
rebooted
often.
2.2 Choose an intelligent partition scheme
An intelligent partition scheme depends on the operational
area of the
machine. Rule of thumb is to be fairly liberal with your
partitions and
to pay attention to the following factors.
1. Any partition a user has write permissions to, should be a
seperate
partition, e.g. /home and /tmp. This reduces the risk of a user
DoS
by filling up your "/" mount point.
2. Any partition which can fluctuate, e.g. /var (especially
/var/log).
In Debian context you should create /var a little bit bigger
than
normal because the downloaded packages aka the apt cache is
stored in
/var/apt/cache/archives.
3. Any partition where you want to install non-distribution
software.
According to the file hierarchy standard now preferrably /opt
or
/usr/local. If you keep this seperate partitions, you do not need
to
remove them, even if you reinstall.
2.3 Choose a secure boot order
As already mentioned above you should set a secure boot order,
that noone
is able to penetrate your system with a bootdisk, what basically
means to
choose the harddisk to boot from. CDROM booting should be
disabled as well.
2.4 Set a root password
Setting a good root password is a basic requirement for having
a secure
system.
2.5 Activate shadow passwords
After the installation, you will be asked if the shadow
passwords should
be enabled. You should say yes to this question, because then the
passwords
will be kept in the file /etc/shadow. And only the user root and
the group
shadow will have read access to this file. So any user will not
be able to
grab a copy of this file and run a password cracker against it.
Optionally,
you can switch from shadow passwords and normal passwords by
using
'shadowconfig' (what normally should not be necessary).
2.6 No overbloating
You should not install services on your machine, which are not
needed.
Every installed service introduces new, perhaps not obvious,
but
existant security holes to your machine. If you still want to
have some
services but you use these rarely, use the update-commands,
eg
'update-inetd' for removing them from the startup process.
3. After Installation
3.1 Set a LILO or GRUB password
Anybody can easily get a root-shell and change your passwords
by entering
"<replace-with-name-of-your-bootimage> init=/bin/sh". After
changing the
passwords and rebooting the system, the person has unlimited
root-access to
it and can do anything with it, which includes changing sensitive
data.
After this procedure you will not have access to your system
anymore, as
you do not know the passwords.
To make sure that this will not happen, you should set
password even for
that. You can choose between a global password or a password for
a certain
image. For LILO you need to follow this steps. You need edit the
file
/etc/lilo.conf.
Add this line to your lilo.conf and rerun lilo:
image=/boot/2.2.14-vmlinuz
label=Linux
read-only
password=hackme
restricted
If you leave out the "restricted" above, you will always be
prompted to
enter a password, regardless if you passed parameters to LILO.
Well,
when adding a password you should make sure, that only root can
read the
lilo config file, so make proper permission changes.
If you use GRUB instead of LILO, edit the file
/boot/grub/menu.lst and add
the following to lines at the top of it. This will set a
boot-password and
also boot the default entry after waiting 3 seconds:
timeout 3
password hackme
3.2 Disallow floppy booting
This paragraph refers to a BIG flamewar in the debian-devel
mailing list
(I think I will get flamed as well because I described something
wrong :)).
But back to the topic. The default MBR in Debian GNU/Linux does
not act
as an usual master boot record. Here is the way howto get into
your
system, even if you changed the BIOS boot sequence AND gave LILO
a
password:
- Press shift at boot time, and Debian's MBR will give you a
prompt
- Then press F, and your system will boot from floppy disk, and
you will
get full root access to the hard disk
Make yourself clear, that this is a DEFAULT master boot record
of
debian, so you really should change this, simply by entering:
lilo -b /dev/hda
Now LILO is put into the MBR. This goal can also be achieved
by writing
"boot=/dev/hda" into lilo.conf But there is as well another
solution where
you can disable mbr prompt at all:
install-mbr -i n
On the other hand, this "backdoor", of which many people are
just not
aware, may save your skin as well if you run into deep trouble
with your
installation out of whatever reasons.
INFO: The current bootdisks do NOT install the mbr, but only
LILO by
default, so you do not have any hassle anymore.
3.3 PAM - Pluggable Authentication Modules
PAM is an abbrevation for Pluggable Authentication Modules.
PAM is useful
for a kind of "dynamical configuration of authentication". If you
want
to use PAM, you should make sure, that the application uses PAM.
Most
of the applications that are shipped with Debian 2.2 have this
support
compiled in. Note, that PAM did not exist in earlier Debian
versions than
potato For each application there is a seperate configuration
file in
/etc/pam.d/.
PAM offers you the possibiblity to go through several
authentication
steps once, without the user's knowledge. You could authenticate
against
a berkeley database and the passwd and the user only logs in if
he
authenticates correct twice. You can restrict a lot with, as well
as you
can open your system doors very wide. So be careful. A
typical
configuration line has a control field as its third element.
Generally
it should be set to "requisite", what returns a login failure, if
one
module fails. (However, if you know what you do, you can play
around a
lot).
The first thing I like to do, is to add MD5 support to my
PAM
applications, since this protects you against dictionary cracks a
little
bit more. These two lines should be in all the files like 'login'
or
'ssh' in /etc/pam.d/.
password required pam_cracklib.so retry=3 minlen=12
difok=3
password required pam_unix.so use_authtok nullok md5
So, what does this myth do? The first line loads the cracklib
PAM
module, which provides password-strength checking and prompt for
a
new password with 3 retries, a minimum length of 12 characters
and a
difference of at least 3 characters to the old password. The
second line
introducs the standard authentication module with md5 passwords
and a
zero password is ok. The use_authtok directive is necessary to
hand over
the password from the module before.
To make sure, that the user root can only log into the system
from some local
Terminals, the following line should be enabled in
/etc/pam.d/login. Then you
should add the Terminals from which the user root can log into
the system into
the file /etc/securetty:
auth requisite pam_securetty.so
And last but not least the following line should be enabled if
you want to
set up some user limits. This allows the users only to use
certain resources
of the system, as for example a maximum number of logins.
session required pam_limits.so
Now edit the file /etc/pam.d/passwd and change the first line.
You should
add the option "md5" to use md5 passwords and change the minimum
lenght of
password from 4 to 6 and set a maximum length if you desire. Then
the line
should look like this one:
password required pam_unix.so nullok obscure min=6 max=11 md5
If we want to protect su, so that only some people can use it
to become root
on your system, we need to add a new group "wheel" to your system
(at least
that is the cleaner way, since no file has such a group
permission yet).
Add root and the other users that should be able to "su" to the
user root
to this group. Then create the following line in
/etc/pam.d/su:
auth requisite pam_wheel.so group=wheel debug
This makes sure that only people from the group wheel can use
to su to
become root. Other users will not be able to become root. In fact
they
will get a denied message if they enter su.
And edit /etc/pam.d/other and add the following lines:
auth required pam_securetty.so
auth required pam_unix_auth.so
auth required pam_warn.so
auth required pam_deny.so
account required pam_unix_acct.so
account required pam_warn.so
account required pam_deny.so
password required pam_unix_passwd.so
password required pam_warn.so
password required pam_deny.so
session required pam_unix_session.so
sesion required pam_warn.so
session required pam_deny.so
This lines will provide with a good default configuration for
all
applications that support PAM.
3.4 Edit /etc/limits
You should really take a serious look into this file. Here you
can
define the user resource limits. If you use PAM, this file is
invalid.
Use /etc/security/limits.conf instead.
3.5 Edit /etc/inetd.conf
You should stop all services on your system, like echo.
charges,
discard, daytime, time, talk, ntalk and the HIGHLY insecure
considered
r-services. After disabling those, you again should check if you
really
need the inetd daemon. Some persons, including the author, prefer
to use
daemons instead of calling them via inetd, because in past some
Denial
of Service attacked against inetd were found, which increases
the
machine's load rapidly. If you still want to run some kind of
inetd
service, use a more configurable inet daemon like xinetd or
rlinetd.
3.6 Edit /etc/login.defs
The next step is to edit the definitions for the login.
FAIL_DELAY 10
This variable should be set to a higher value to make it
harder using the
terminal to log in. If a wrong password is typed in, he has to
wait for 10
seconds to get a new login prompt, what is quite time consuming
when you
test password. Pay attention to the fact, that this setting is
useless
if using another program than getty, mingetty for example.
FAILLOG_ENAB yes
If you enable this variable, failed logins will be logged. It
is important
to know them to see if someone tries a brute force attack to get
login
information.
LOG_UNKFAIL_ENAB yes
If you set yes to the variable "FAILLOG_ENAB", then you should
also set yes
to the variable "LOG_UNKFAIL_ENAB". This will record unkown
usernames if the
login failed. If you do this, make sure, the logs are set to the
right
permissions (640 I prefer, with appropriate group settings like
adm
group), because if a user incidentally enters his password as
username,
it gets logged and could be read by any other user.
SYSLOG_SU_ENAB yes
This one enables logging 'su' tries to syslog. Quite important
on
serious machines, but note that this can vulnerate privacy issues
as
well.
SYSLOG_SG_ENAB yes
And to see if someone change the group before executing a
command, you should
set this variable to yes.
MD5_CRYPT_ENAB yes
As stated above, md5 sum passwords greatly reduce the problem
of
dictionary attacks, because it is really complicate to perform a
crack
against MD5 hashed passwords, at least it is hard to perform a
successful
crack. But before enable this option, READ the docs about MD5.
This
option only applies to slink users, otherwise you set this in
PAM.
PASS_MAX_LEN 50
If you activated as suggested above md5 passwords in your PAM
configuration,
then you should set this variable to the same value as you used
in your
PAM configuration.
3.7 Editing /etc/ftpusers
This file contains a list of users, who are not allowed to log
into
this host using ftp. Use this file, if you really want to allow
ftp
(which is not recommended by the author, because it uses
cleartext
passwords.)
3.8 Using tcp wrappers
TCP wrappers have been implemented, when there was no packet
filter
available and you needed a sort of access control. The TCP
wrappers
allow you to allow or deny a service for a host or a domain and
define
a default allow or deny rule. This should fit the needs of most
people.
If you want more informations look into the manpage
hosts_access(5).
Now, here comes a small trick and probably the smallest
intrusion
detection system available. In general you should have a decent
firewall
policy as a first line and tcp wrappers as the second line of
defense.
One little trick is to set up a spawn command in /etc/hosts.deny
that
sends mail to root whenever a denied service triggers
wrappers:
ALL: ALL: spawn ( \
echo -e "\n\
TCP Wrappers\: Connection refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s "Connection to %d blocked" root)
3.9 Using ssh
If you are still running telnet and not ssh, you should stop
reading
this manual now and change this. You should not use the telnet
for remote
logins and instead use ssh. Especially today, where it is easy to
sniff
traffic in the internet and get cleartext passwords, you should
use a
secure way which is based on cryptography. Encourage all the
other users
on your system to use ssh instead of telnet. Also you should try
to avoid
logging into the system using ssh as root, and use alternative
methods to
become root instead, like su or sudo. The sshd_config file
(placed in
/etc/ssh) should be corrected a little bit as well.
PermitRootLogin No
Try not to permit Root Login wherever possible. If anyone
wants to
become root via ssh, now two logins are needed.
Listen 666
Change the listen port, so the intruder cannot be completely
sure that a
sshd daemon runs.
PermitEmptyPasswords no
Empty passwords are as ugly as hell out of the security view.
AllowUsers alex ref
Allow only certain users to have access via ssh to this machine.
AllowGroups wheel admin
Allow only certain group members to have access via ssh to
this machine.
Both, AllowGroups and AllowUsers have equivalent directives for
denying
access to a machine. Suprisingly they were called "DenyUsers"
and
"DenyGroups".
PasswordAuthentication yes
Here it is completely your choice what you want to do. It is
more secure
only to allow access to machine from users with ssh-keys placed
in the
~/.ssh/authorized_keys file. If you want so, set this one to
"no".
As a final note be aware, that these directives are from a
OpenSSH
configuration file. Right now, there are three types of common
used SSH
daemons, ssh1, ssh2 and OpenSSH by the OpenBSD people (hey, quite
a cool
logo, I still need to buy a t-shirt). ssh1 was the first ssh
daemon
available and it is the one, which is mainly used right now (I
heard
rumors it even exists an windows port). ssh2 has many advantages
over
ssh1 (that is why they called '2' I guess) except the bad
non-opensource
license, what kicks this daemon for Debian. OpenSSH is completely
free ssh
daemon, which is based on an old free ssh1, but then many
improvements and
extensions were made and the most important thing, the non-free
code was
removed, so that this is Debian's No. 1 choice right now.
3.10 Using su
If you really need to become the super user on your system, eg
for
installing packages or adding users, you can use the command su
to change
your identity. You should try to avoid any login as user root and
instead
use the command su. The best solution is to remove su and switch
to sudo
in the author's opinion.
3.11 Using sudo
sudo allows the user to execute commands under another users
identity,
even as root. If the user is added in /etc/sudoers and
authenticate
himself with his password, he is able to run commands, which
have
been defined in /etc/sudoers, as user root.
3.12 Realize the insecurity of X over network
Today X-Terminals becoming more and more interesting for
companies, where
one server is needed for a lot of workstations. But this is
dangerous,
because you need to allow the server to connect to the the other
X server
(it is a client, because X switches the definitions of client and
server).
If you follow the suggestion from many docs, you do a "xhost +".
This allows
every X client to connect to your system. So it is recommend to
use the
command "xhost +hostname" instead for certain hosts, that should
be able to
connect to your X serer. Or directly use ssh with X and encrypt
the whole
session.
In addition, if you do not need X over the wires, then you can
switch
off the binding on tcp port 6000 simply by typing:
startx -- -nolisten tcp
3.13 Using chroot
chroot is one of the most powerful possibilities to restrict a
daemon or
a user or another service. Just imagine a jail around your
target, where
the target cannot escape from (except you are root, but that
creates other
security issues). If you do not trust a user, you can create a
changed root
enviroment for him (if you have enough free space, because you
need to copy
the libraries as well or compile everything statically, both eats
up some
space, but security is not without any cutback). If now the user
does
something malicious, he will not be very harmful anymore. A good
example
for this case is, that you do not authenticate against
/etc/passwd but LDAP
or MySQL instead. So your ftp-daemon needs a binary and perhaps a
few
libraries. So a chrooted environment would be an execellent
security
improvement, if a new exploit is known for this ftp-daemon. It is
then only
possible to exploit the UID of the ftp-daemon-user and nothing
else. Of
course, this complies with lots of other daemons as well.
As an additional note, the Debian default BIND (the name-service)
is not
shipped chrooted per default, in fact no daemons comes
chrooted.
3.14 Configuring some kernel features
## FIXME - Content missing ##
You can configure a lot of kernel settings during runtime by
echo'ing
something into the procfile system or by using sysctl. By
entering
'sysctl -A' you can see what you can configure and how it is
configured
right now. Only in rare cases you really need to edit something
here,
but you can increase security that way as well.
net/ipv4/icmp_echo_ignore_broadcasts = 0
This is a 'windows emulator', because it acts like windows on
broadcast
ping, if this one is set to 1. It just does nothing.
net/ipv4/icmp_echo_ignore_all = 0
If you don't want to block ICMP on your firewall, just enable
this.
3.15 Do not use software depending on svgalib
SVGAlib is very nice for console lovers like me, but in the
past it has
been proven several times, that it is very insecure. Exploits
against
zgv were released, and it was simple to become root. Try to
prevent using
SVGAlib programs whereever possible.
3.16 The lpd and lprng issue
Imagine, you are coming to work, and the printer spits out
endless
amounts of paper, because someone is DoS'ing your line
printer
daemon. Nasty, isn't it? So, keep your printer servers specially
secure.
### FIXME. Content missing. (No lpr experience) ###
3.17 Using mail appropiate in security context
Reading/receiving mail is the most common cleartext protocol.
If you
either use POP3 or IMAP to get your mail you send your
password
cleartext across the wires, so almost everyone can read your
mails from
now on. So use SSL (Secure Socket Layer) to receive your
mails.
The other alternative is ssh, if you have a shell account on your
box.
Look at this basic fetchmailrc:
poll my-imap-mailserver.org via "localhost"
with proto IMAP port 1236
user "ref" there with password "hackme" is alex here warnings
3600
folders
.Mail/debian
preconnect 'ssh -f -P -C -L 1236:my-imap-mailserver.org:143 -l
ref
my-imap-mailserver.org sleep 15 </dev/null > /dev/null'
The important line is the preconnect line. It fires up a ssh
session
and creates the necessary tunnel, which automatically
forwards
connections to localhost port 1236 to the imap mail server,
but
encrypted now.
3.18 Secure file transfers
Copying files in a secure manner from a host to another can be
achieved
by using 'scp' which is included in the ssh packages. It works
like rcp
but is encrypted completely, so the bad guys cannot even find out
WHAT you
copy, what is not bad in some situations.
3.19 Using a loghost
A loghost is a host which collects the syslog data remote over
the
network. If one of your machines is cracked the intruder is not
able to
blur his spoors, except he hacks that loghost as well. So, spend
your
loghost an extra amount of paranoia. Making your machine a
loghost is
really simple. Just start the syslogd with 'syslogd -r' and a
new
loghost is born. Now you have to configure your other machines to
send
the data to the loghost. Add an entry like this one:
facility.level @your_loghost
facility should be one of authpriv, cron, daemon, kern, lpr,
mail, news,
syslog, user, uucp and local1 up to local7. level should be
alert, crit,
err, warning, notice, info debug. If you want to log everything
remote,
just write:
*.* @your_loghost
into your syslog.conf. Logging remote as well as local would
be the best
solution (the attacker could presume not to be found after
deletion of
local log files, an often used method to mask an intrusion). See
the
syslog(3), syslogd(8) and syslog.conf(5) manpage for some
additional
information.
3.20 Using quotas
Having a good quota policy is important, as it keeps your
users from
filling up your disk(s).
You can use two different quota systems - user quota and group
quota.
As you probably figured out, user quota limits the amount of
space a user
can take up, group quota does the equivalent for groups. Keep
this in mind
when you're working out quota sizes.
There are a few important points to think about in setting up
a quota
system:
- Keep the quotas small enough, so users do not eat up your disk
space
- Keep the quotas big enough, so users do not complain or their
mail
quota keeps them from accepting mail over a longer period
- Use quotas on all user-writable areas, on /home as well as on
/tmp to
restrict the user as good as possible.
Every partition/directory users have full write access should
be quota
enabled. So find out those partitions and directories and
calculate a
valuable quota size, which concatenates usability and
security.
So, now you want to use quotas. First of all you need to check
whether
you enabled quota support in your kernel. If not, you will need
to
recompile it. After this, control whether the package 'quota'
is
installed. If not you will need this one as well.
Enabling quota for the respective filesystems is as easy as
modifying
the 'defaults' setting to 'defaults,usrquota' in your /etc/fstab
file. If
you need group quota, substitute 'usrquota' to 'grpquota'. You
can also
use them both.
Then create empty quota.user and quota.group files in the roots
of the
filesystems you want to use quotas on (e.g. 'touch
/home/quota.user',
'touch /home/quota.group' for a /home filesystem).
Restart quota by doing '/etc/init.d/quota
stop;/etc/init.d/quota
start'. Now quota should be running, and quota sizes can be
set.
Editing quotas for a specific user (say 'ref') can be done
by
'edquota -u ref'. Group quotas can be modified with edquota
-g
<group>.
Then set the soft and hard quota and/or inode quotas as
needed.
For more information about quotas, read the quota man page,
and the
quota mini-howto.
3.21 Audit CGI scripts
If you do not trust your users (what you generally should not,
this is a
hard world), take a closer look at their scripts they run,
especially
CGI scripts, since those can be accessed by nearly everyone. You
only
need to know the right URL and you have some kind of shell
running as
the uid of the webserver. Think twice, whether you want to allow
CGI
script execution for your users.
### FIXME - security webserver stuff, config examples ###
3.22 Logfile permissions
Some logfile permissions are not perfect after the
installation. First
/var/log/lastlog and /var/log/faillog need not to be readable for
the
normal users. In the lastlog file you can see the who logged in
the
lasttime and in the faillog you see a summary of the failed
logins. The
author recommends chmod'ing both to 660 both files. Take a brief
log
over your logfiles and decide very carefully which logfiles you
make
read/writeable for a user with another UID than 0 and a group
other
named than 'adm' or 'root'.
I want to emphasize that the apache logfile permissions are
really
screwed due to the fact, that the apache user owns the apache log
files.
When you get a shell as such user with a apache backdoor, you
easily can
remove the logfiles and blur your spoors.
3.23 chattr/lsattr
These two commands are very useful, but they only work for the
ext2
filesystem. With 'lsattr' you can list the attributes of a file
and with
'chattr' you can change them. Note that attributes do not equal
to
permissions. In fact, they are completely different. Here are
only
listed the most important attributes for increasing your security
listed,
but there are other as well.
There are two flags which can only be set by the superuser. Those
are
tho most important ones.
First there is the 'a' flag. If set on a file, this file can only
be
opened for appending. This attribute is useful for some of the
files in
/var/log/, though you should consider they get moved sometimes
due to the
log rotation scripts.
The second flag is the 'i' flag, short for immutable. If set on a
file,
this file can neither be modified nor deleted nor renamed and no
link be
created to this file. If you do not want you users to look into
your
config files you could set this flag and remove readability.
Furthermore
it might give you a little bit security against intruders,
because the
cracker might confused of not being able to remove a file.
Although you
should never assume that the cracker is blind, he got into your
system,
so he defeated your security policy.
3.24 Your file integrity
Are you sure /bin/login on your harddrive is still the binary
you
installed there some months ago? What if it is a hacked version,
which
stores the entered password in a hidden file or mails it in
cleartext
version all over the internet?
The only method to have some kind of protection is to check your
files
every day/hour/month (I prefer daily) by comparing the actual and
the
old md5sum of this file. Two files cannot have the same md5sum,
so
you're on the secure site here, except someone hacked the
algorithm to
create md5sums on that machine, what is, well sticky. You really
should
consider this auditing of your binaries as very important, since
it is
an easy way to recognize changes at your binaries. Common tools
used for
this are sXid, AIDE (Advanced Intrusion Detection Environment)
and
TripWire (non-free).
Furthermore you can exchange your locate package with
'slocate' tool.
slocate is a security enhanced version of the GNU locate.
When
performing a locate, the user only sees the files he really has
access
to. In addition you can exclude any files or directoriey you want
to
exclude.
3.25 Securing BIND
On a standard Debian installation, the name service daemon,
BIND, runs
as user root and group root. It is possible and quite easy to
achieve to
run BIND under another's UID. However, running BIND not as root
prevents
it from detecting and using interfaces automatically, for example
if you
stick a PCMCIA card into your laptop (anyway, I don't think BIND
runs on
a laptop per default). Check the README.Debian file in your
named
documentation directory for more.
Anyway, noone can deny the existing security problems, which
occured in
the last months concerning BIND, so switchting the user is useful
where
it is possible. First you should create a seperate user and group
for it
(don't use either nobody or nogroup for every service not running
as
root or another user). In this case I will use user and group
'named'.
Now edit /etc/init.d/bind with your favourite editor and
change the line
beginning with 'start-stop-daemon --start' to
start-stop-daemon --start --quiet --exec /usr/sbin/named -- -g named -u named
All you need to do now is to restart bind via
'/etc/init.d/bind
restart', and then check your syslog for two entries like
this:
Sep 4 15:11:08 nexus named[13439]: group = named
Sep 4 15:11:08 nexus named[13439]: user = named
Voila! Your named now does not run as root. To achieve maximum
BIND
security, now build a chroot jail (See 3.13) around your
daemon.
### FIXME - Add chrooting bind help with /var/chroot ###
4. After you have been compromised
4.1 General behaviour
If you really want to clean up residual wastes, you should
remove the
compromised host out of your network and install a new OS from
scratch
on. This might not take any effect if you do not know how the
intruder
got root. So just check everything, firewall/file
integration/loghost
logfiles and so on.
5. Exchange other software
5.1 Follow the debian security updates
As soon as new security bugs are revealed in packages,
debian
maintainers and upstream authors try to patch them within days or
even
hours. After the bug is fixed, a new package is provided on
http://security.debian.org
Put the following line in your sources.list and you will get the
security
updates as well.
deb http://security.debian.org/debian-security
potato/updates main
contrib non-free
And for most people (unless you live in a country which
prohibits importing
or using strong cryptography) this one as well:
deb http://security.debian.org/debian-non-US
potato/non-US main contrib
non-free
If you want, you can add the deb-src lines to apt as well, see
the manpage
for further details.
5.2 Exchange software
FTP/Telnet/NIS/RPC:
You should try to avoid every network service which sends and
receives
passwords in cleartext over a net. The author recommends the use
of ssh
instead of telnet and ftp to everybody.
Also you should stop using NIS -the network information
service- , if
it is possible, because it allows password sharing. This can be
highly
insecure, if your setup is broken.
Last, but of sure not least, disable RPC whereever possible.
Lots of
security holes are known and can be exploited. On the other hand
NFS
services are quite important in some networks, so find a balance
of
security and usability in a network. Most of the DDOS
(distributed
denial of service) attacks use rpc exploits to get into the
system and
act as a so called agent/handler.
Disabling portmap is quite simple. There are different
methods. The
simplest one is to remove every symlink in /etc/rc${runlevel}.d/
(I mean
you should only remove the portmap symlinks, not the others!).
You could
as well chmod 644 /etc/init.d/portmap, but that gives you an
error
message. Or you could strip of the "start-stop-daemon" part in
the init.d
shell script. Follow the perl motto...
Keep in mind, that migrating from telnet to ssh, but using any
other
cleartext protocol does not increase your security in ANY way!
Best
would be to remove ftp, telnet, pop, imap, http and to supersede
them
with their respective crypted services.
Of course all these above listed hints apply to every Unix system.
5.3 Useful kernel patches
There do exist some kernel patches, which significant enhance
the system
security. Here are the one I know:
- OpenWall patch by Solar Designer
This is a useful set of kernel restrictions, like restricted
links,
FIFOs in /tmp, restricted /proc, special file descriptor
handling,
non-executable user stack area and some more.
Available under: http://www.openwall.com/linux/
- LIDS - Linux intrusion detection patch by Huagang Xie &
Philippe
Biondi
This patch should make the process of intrusion detection into
a
Linux system easier. It has a lot of features but is still
considered beta. It supports protection of ioports, disallows
accessing the raw disk, protection of whole files, so they
cannot
be changed even from root, bsd-alike append only mode for files
and
some more.
Available under: http://lids.org
- POSIX Access Control Lists (ACLs) for Linux
This patch adds some kind of access control lists, an
advanced
access method to files, to the linux kernel.
Available under: http://acl.bestbits.at/
- Linux trustees
This patch adds a decent advanced permissions system to your
Linux
kernel. All the objects are stored in the kernel memory, what
allows a real quick lookup of all these permissions.
Available under: http://www.braysystems.com/linux/trustees.html
- International kernel patch
This is a crypt-orientated kernel patch, therefore you have to
pay
attention to your local crypt policy. It basically adds use
of
encrypted file systems.
Available under: http://www.kerneli.org
- SubDomain
A kernel extension to create a more secure and easier to
setup
chroot environment. You can specify the files needed for the
chrooted service manually and do not have to compile the
services
statically. (Not yet completed at the time of writing this).
Available under: http://www.immunix.org
5.4 Useful other software
First of it all, use a firewall. Use a firewall you are able
to
administer and to control.
Then, use log analysis tools. Here are some tools (not only
log
analysis), of which some are included in Debian GNU/Linux potato,
others
not. The one which are included are prepended with a '+':
+ Nessus
+ sxid
+ syslog-ng
+ ippl
+ makepasswd
+ pwgen
+ logcheck
+ snort
+ nmap
+ cheops
+ ethereal
+ karpski
+ ntop
+ gnupg/pgp
+ lsof
+ ngrep
+ satan
+ LASG
+ gfcc
+ arpwatch
- saint
- sinus firewall
- portsentry
- john the ripper
- crack 5.0
- sentinel
5.5 Genius/Paranoia Ideas, what you could do
This is probably the most fluctuent and funny section, since I
hope that
some of the "duh. that sounds crazy"-ideas might be realized.
Following here you will find some - well, it depends on the point
of view
whether you say they are genius, paranoid, crazy or secure -
ideas to
increase your security rapidly but you will not come unscathed
out of
it.
- Playing around with PAM
As said in the phrack 56 PAM article the nice thing with PAM is
that
"You are limited only by what you can think of.". It is true.
Imagine root login only possible with fingerprint or eyescan
or
cryptocard (hm, why did I do an OR conjunction and not AND
here).
- Fascist Logging
I would say everything we talked about logging above is "soft
logging". If you want to perform real logging, get a printer
with
fanfold paper and log everything hard by printing on it.
Sounds
funny, but it's reliable and it cannot be removed.
- CD distribution
This idea is very easy to realize but the hell secure. Create
a
hardened debian distribution, a damned good firewall, make an ISO
of
it and burn it on CD. Make it bootable. Upshot of all this is a
ro
whole distribution with about 600 MB space for services and the
fact
to make it impossible for intruders to get read write access on
this
system. Just make sure every data which should get written,
gets
written over the wires. Anyway, the intruder cannot change
firewall
rules, routing entries or start own daemons.
- Switch module capability off
When you disable the usage of kernel modules at kernel compile
time,
many kernel based backdoors are impossible to implement, since
most
of them are based on kernel modules.