From: J C Lawrence
Date: Sun, 24 Sep 2000 10:23:50 -0700
To: lsec@mail.linux-consulting.com
cc: svlug@svlug.org
Subject: Re: [lsec] svlug stuff

I'm interested in what people do to harden their boxes. The basic pattern for me, written off the top of my head and in the order I thought of them (I really should document this and checklist this all):

-- Remove everything from /etc/inet.d. Nothing should ever run from inet in my world if possible. Note: I have no problem with inet daemons -- it's just that my current preferred set of daemons prefer running standalone (eg exim, muddleftpd), and I like the fact that I can use `ps` to check on possibly running daemons.
-- If the system will be sourcing publicly received mail, add back in identd.
-- If the system must run POP3/IMAP, choose which daemons to run very carefully and then TCP Wrap tightly.
-- Carefully work thru every single package you have installed on your system and remove every one you don't ABSOLUTELY need. If possible, make sure you remove the compilers and all development libraries as well.
-- Ensure that all network daemons (eg MTA, FTPd, etc) are built against libwrap (TCP Wrappers).
-- Put TCP Wrappers into paranoid mode by adding "ALL:PARANOID" to /etc/hosts.deny.
-- Carefully edit the TCP Wrappers setup on the system so that network services may only be accessed from where I want them to be (I usually only allow access from localhost, thus requiring remote users to use an SSH port forward or stunnel SSL wrap).
-- If possible, remove all user logins except for yourself and root.
-- If there are going to be multiple people with root access to the box, create user accounts for them and individual root accounts as well (I use the naming pattern of their normal userID suffixed with a capital 'R', eg "clawR" for me). To create these accounts, just create them as per normal with adduser, and then change their UID and GID to 0 so they're really root (/etc/passwd and /etc/groups).
-- If you do this, never tell anyone the actual root password.
-- Install tripwire, suitably configure, gen a database for it, and if possible, stick the DB on a CD. More typically I stick the databases on a local partition (saves CD effort) which is mounted RO. I then have a cron job or tiny daemon that checks that the partition is really mounted RO, and if not sends alerts.
-- Install and configure portsentry.
-- Install and configure iplogger.
-- Install and configure logcheck.
-- Install and configure XNTP3 and point at at least two stratum 1 servers and a couple stratum 2 and 3s.
-- Install and configure snort (if you don't have one running on the local net already).
-- If possible remove Apache. If not possible, replace Apache with thttpd (ie if you are doing static content only). If still not possible, remove all the images etc from your Apache confs and put under thttpd. Why? Simpler traffic shaping and prevention of certain (small) classes of DoS attacks.
-- Note: You can probably substitute kernel httpd for thttpd above, but I haven't checked into this.
-- If you run a daemon that supports CGIs, remove and if not possible, audit all CGIs.
-- If you are running Debian, ensure that all your documentation is not exported to the Internet via http://.../doc/. Either configure it for localhost, or remove entirely.
-- Remove your FTPD daemon. Replace with either Marcus Ranum's AFTPD or MuddleFTPd (I like and use the latter for purely historical reasons).
-- If you go for muddleftpd, configure for anonymous logins only.
-- Aside: I run muddleftpd in a chroot jail atop an FTP tree which is copied from wu-ftpd's but is filled with trojan binaries. ie it looks like wu-ftpd, but when or if they ever get run they send alerts to me that someone tried to run them. Reason: muddleftpd doesn't run external binaries for the 'ls' command etc.
-- If you're going to run chroot jails, a good idea in general, use Wietse Venema's chroot tools from: ftp://ftp.porcupine.org/pub/security/index.html.
-- Rebuild the kernel and remove everything you don't absolutely need.
-- Especially remove all SMBFS and NFS supports. (If you don't have 'em you can't use 'em and you can't open holes with 'em.)
-- Install SSH.
-- Ensure it disallows root logins.
-- Set logging to fascist.
-- Disallow rsh logins (you should have removed all RSH-style supports above).
-- If you are running a multi-user box, install some form of password checker. There's a PAM module for this.
-- If at all possible, remove all user logins from the box.
-- If you have to have some level of user logins (eg for terminating SSH port forwards), bolt them down (if SSHv2, set their shell to /bin/false, remove all write permissions to their home directory, etc).
-- Install and configure an SNMP daemon (I usually set to only allowing sets from localhost, queries from remote connections, and then further limit to only allowing queries from specific IPs). Note: I like the UCD SNMP daemon.
-- Configure your SNMP daemon to export specifics about all your filesystems and critical processes (eg number of running instances of server daemons, free space, etc).
-- On a different box, install and configure cricket and point it at this box to collect and graph your SNMP data.
-- Example: http://www.kanga.nu/stats/cricket/grapher.cgi
-- Note: I don't recommend exposing the collected data as I have. Those interested however can find my cricket configs here: ftp://ftp.kanga.nu/pub/Kanga.Nu/cricket/kanga.nu.cricket.config.tar.gz
-- Install and configure an SNMP monitor on a remote box ala Mon to watch your system values and send alerts if things vary outside of tolerance.
-- Configure your daemons to help prevent DoS attacks (eg max number of running instances (Exim/Apache), bandwidth profiling (thttpd), etc).
-- Make sure /tmp is on its own partition, and is large (I typically use 500Meg, often on its own disk).
-- Point /usr/tmp and /var/tmp at /tmp.
-- Install and configure tmpwatcher.
-- Make sure /var/log is on its own partition and is large (I typically allocate at least a couple Gig).
-- Check and fix/configure how your logs are rotated. Except for extremely spammy logs (eg MySQL reply logs) I generally like to keep at least a year's history for logfiles.
-- If possible, run a separate box as a loghost for all your systems (in addition to having local logs).
-- Edit /etc/syslog.conf to ALSO send all logged data to your loghost (should be on same network) as well as to local disk.
-- Your loghost should have only one open port (syslog) with all system access only occurring thru the console. If not possible, add one extra open port for SSH, and then use something like OPIE for one-time-password logins.
-- Remove BIND.
-- If you need a local caching nameserver, install DJB's dnscache.
-- Remove sendmail. I prefer Exim tho Postfix is also a good solution as is QMail.
-- Make sure you remove lpd/lprng/cups. Daemonised printing supports have no business on 'net connected systems.
-- Run nmap against your box and list and account for EVERY open TCP and UDP port. Work hard to make the total number of open ports zero. You won't make it as the whole reason for the box is to offer some sort of services, but you can get close.
-- Make sure you do this after a fresh reboot.
-- Make sure you have and are running an suidmanager.
-- Audit your system (`find` is your friend) and make sure that all SUID files are registered with your suidmanager.

...and a bunch more things I can't think of right now.
--
J C Lawrence                                 Home: claw@kanga.nu
---------(*)                                Other: coder@kanga.nu
http://www.kanga.nu/~claw/               Keys etc: finger claw@kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
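One way to implement the "check that the tripwire partition is really still mounted RO, alert if not" cron job mentioned in the list above, as an added example that is not the poster's own code; the mount point /var/lib/tripwire and the /proc/mounts-style table are constructed assumptions:

```sh
#!/bin/sh
# Added example, not code from the original post. Implements the cron
# check described above: is the partition holding the tripwire database
# really still mounted read-only? Mount point /var/lib/tripwire and the
# sample mount table are constructed for this example; on a live system
# pass "$(cat /proc/mounts)" instead of SAMPLE_MOUNTS.

SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/hda1 / ext2 rw,errors=remount-ro 0 0
/dev/hda5 /var/lib/tripwire ext2 ro,nosuid,nodev 0 0
/dev/hda6 /tmp ext2 rw,nosuid,nodev 0 0'

# is_mounted_ro MOUNTPOINT MOUNTS_TABLE
# Returns 0 if MOUNTPOINT is mounted with "ro" among its options,
# 1 if it is mounted read-write, 2 if it is not mounted at all.
is_mounted_ro() {
    mp="$1"
    # Last matching entry wins, as a later mount shadows an earlier one.
    opts=$(printf '%s\n' "$2" | awk -v mp="$mp" '$2 == mp { o=$4 } END { print o }')
    [ -n "$opts" ] || return 2
    # Wrap in commas so "ro" matches only as a whole option, not as the
    # tail of something like errors=remount-ro.
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_tripwire_db MOUNTPOINT MOUNTS_TABLE
# Prints one status line; the ALERT text plus a non-zero exit is what a
# cron job mails out. Exit code mirrors is_mounted_ro.
check_tripwire_db() {
    if is_mounted_ro "$1" "$2"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "OK: $1 is mounted read-only" ;;
        1) echo "ALERT: $1 is mounted read-write; tripwire DB is writable" ;;
        *) echo "ALERT: $1 is not mounted; tripwire DB unavailable" ;;
    esac
    return $rc
}

# Demonstration on the constructed table: the DB partition passes,
# /tmp (mounted rw) trips the alert. "|| :" keeps the script going.
check_tripwire_db /var/lib/tripwire "$SAMPLE_MOUNTS"
check_tripwire_db /tmp "$SAMPLE_MOUNTS" || :
```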