Title: The Problem
1 The Problem
- Seclab computers get attacked
- This is expected; there is no way to prevent it
- Attacker breaks in, compromises our systems
- Dangerous to us, because it compromises research programs, data, papers, and results
- Embarrassing to us, as we're supposed to prevent this. We're a research lab!
2 Goal of Talk
- Show you how to install and strip down a Linux box so it's more secure than most systems
3 Key Principles
- Least Privilege
  - If you don't need it, don't run it or allow it
  - If you do need it, confine it as much as possible
- Fail-Safe Defaults
  - Disable or deny everything, then make exceptions to enable servers or allow access
  - Do not hook up to the Internet until your system is locked down
  - May not be possible with Windows
4 Practical OS Lockdown, or How I Learned to Stop Worrying and Love the Internet
- Jeff Rowe
- Seclab Seminar
- Oct. 1, 2003
5 Typical Seclab Experience
- Start with
  - A computer
  - OS installation CDs
  - A network connection and IP address
- That's it
- Result: Seclab computers are hacked once every few months.
6 RedHat Linux Lockdown
- Start with
  - A computer
  - Three RH9 CDs
  - A network connection and IP address
  - A plan
- Rule 1: Plug in the network cable last
7 Basic Lockdown Plan
- The Problem: The standard installation will allow attackers to hack your machine immediately
  - Unnecessary services are installed
  - Unnecessary services are started at boot time
  - Packages on the CDs contain root level vulnerabilities
- The Plan
  - A security aware install
  - A reasonably secure configuration after the install
  - A strict personal firewall
  - An efficient update and patch regimen
8 RedHat 9 Installation
9 RedHat 9 Installation
- Choose whatever suits you
10 RedHat 9 Installation
- Choose a new Red Hat Linux installation
11 RedHat 9 Installation
- Rule 2: Never, never, never choose a packaged installation
12 RedHat 9 Installation
- Partition the disks. Whatever.
13 RedHat 9 Installation
- Boot loader password? I choose No.
14 RedHat 9 Installation
- Set up the network addresses. No cables yet!
- Even better: choose "Configure using DHCP" and connect to Support's protected network
15 DHCP Network Hubs in the Wild
16 RedHat 9 Installation
- Rule 3: Use the personal firewall
  - Security level: High
  - Customize rules
  - Allow only SSH
- iptables will block all incoming packets to ports 1-1024, sending back an ICMP unreachable. More on iptables firewall rules later...
17 RedHat 9 Installation
- Set a reasonable root password; use the default shadow password and authentication policy.
18 RedHat 9 Installation
- Now the hard part: package configuration
19 RedHat 9 Installation
- Rule 4: Unless you are sure you need it, turn it off
- Add: nmap, nmapfe, emacs/xemacs, ethereal
- Get rid of: IM, IRC chat, network services (FTP, HTTP, DNS, etc.), scanner front-ends, CD labelers, graphics tools, TV support...
- They can always be added later
20 RedHat 9 Installation
21 RedHat 9 Installation Notes
- RedHat Linux's installation procedure is called anaconda.
- /root/anaconda-cfg contains a configuration file that was used in the install. I can supply you with a sample configuration showing which packages are reasonable to remove or include.
- Don't plug in the network cable yet!
22 Configuring RedHat 9
- Even with a security aware installation there are plenty of services started by default during boot.
- Scan the loopback address (127.0.0.1) with nmapfe to see what is on.
- The firewall rules are configured to pass all traffic to the loopback address.
23 Configuring RedHat 9
- Scan the external routable IP address with nmapfe to see what will get past the firewall.
24 Configuring RedHat 9
- To see what is started at boot time use
  chkconfig --list | grep on

  # chkconfig --list | grep on
  kudzu        0:off  1:off  2:off  3:on   4:on   5:on   6:off
  syslog       0:off  1:off  2:on   3:on   4:on   5:on   6:off
  netfs        0:off  1:off  2:off  3:on   4:on   5:on   6:off
  network      0:off  1:off  2:on   3:on   4:on   5:on   6:off
  random       0:off  1:off  2:on   3:on   4:on   5:on   6:off
  rawdevices   0:off  1:off  2:off  3:on   4:on   5:on   6:off
  pcmcia       0:off  1:off  2:on   3:on   4:on   5:on   6:off
  keytable     0:off  1:on   2:on   3:on   4:on   5:on   6:off
  apmd         0:off  1:off  2:on   3:on   4:on   5:on   6:off
  atd          0:off  1:off  2:off  3:on   4:on   5:on   6:off
  gpm          0:off  1:off  2:on   3:on   4:on   5:on   6:off
  autofs       0:off  1:off  2:off  3:on   4:on   5:on   6:off
  iptables     0:off  1:off  2:on   3:on   4:on   5:on   6:off
  isdn         0:off  1:off  2:on   3:on   4:on   5:on   6:off
  sshd         0:off  1:off  2:on   3:on   4:on   5:on   6:off
  portmap      0:off  1:off  2:off  3:on   4:on   5:on   6:off
  nfslock      0:off  1:off  2:off  3:on   4:on   5:on   6:off
  sendmail     0:off  1:off  2:on   3:on   4:on   5:on   6:off
  rhnsd        0:off  1:off  2:off  3:on   4:on   5:on   6:off
  crond        0:off  1:off  2:on   3:on   4:on   5:on   6:off
  anacron      0:off  1:off  2:on   3:on   4:on   5:on   6:off
  xfs          0:off  1:off  2:on   3:on   4:on   5:on   6:off
  xinetd       0:off  1:off  2:off  3:on   4:on   5:on   6:off
  cups         0:off  1:off  2:on   3:on   4:on   5:on   6:off
  canna        0:off  1:off  2:on   3:on   4:on   5:on   6:off
        sgi_fam:     on
25 Configuring RedHat 9
- Rule 5: Turn off everything you don't need, especially network services (e.g. sendmail)
  - Step 1: Remove them from the startup procedure. chkconfig modifies all appropriate /etc/rc.d configuration files.
  - Step 2: Stop the currently running server.

  # chkconfig portmap --levels 345 off
  # chkconfig --list portmap
  portmap      0:off  1:off  2:off  3:off  4:off  5:off  6:off
  # /etc/init.d/portmap stop
  Stopping portmapper:                 [ OK ]
26 Configuring RedHat 9
- Check the services again to see that only the essential services remain.
  chkconfig --list | grep on

  # chkconfig --list | grep on
  syslog       0:off  1:off  2:on   3:on   4:on   5:on   6:off
  network      0:off  1:off  2:on   3:on   4:on   5:on   6:off
  random       0:off  1:off  2:on   3:on   4:on   5:on   6:off
  keytable     0:off  1:on   2:on   3:on   4:on   5:on   6:off
  apmd         0:off  1:off  2:on   3:on   4:on   5:on   6:off
  atd          0:off  1:off  2:off  3:on   4:on   5:on   6:off
  gpm          0:off  1:off  2:on   3:on   4:on   5:on   6:off
  autofs       0:off  1:off  2:off  3:on   4:on   5:on   6:off
  iptables     0:off  1:off  2:on   3:on   4:on   5:on   6:off
  sshd         0:off  1:off  2:on   3:on   4:on   5:on   6:off
  rhnsd        0:off  1:off  2:off  3:on   4:on   5:on   6:off
  crond        0:off  1:off  2:on   3:on   4:on   5:on   6:off
  anacron      0:off  1:off  2:on   3:on   4:on   5:on   6:off
  cups         0:off  1:off  2:on   3:on   4:on   5:on   6:off
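Slides 24 to 26 are a manual loop: list what is on, decide what stays, turn the rest off, list again. The script below is an added example, not from the talk, that does the same audit against a captured "chkconfig --list" output and prints the chkconfig and init-script commands the talk uses for every service not on an allow-list, so the plan can be reviewed before anything is changed. It assumes the allow-list in KEEP (taken from the services left on slide 26; yours will differ), and uses chkconfig's documented "--level" option where the slide's listing writes "--levels". The sample listing embedded in SAMPLE_LIST is constructed from the talk's own output, trimmed to a few services.

```shell
#!/bin/sh
# Added example (not from the talk): audit "chkconfig --list" output against an
# allow-list and emit the commands that would disable everything else. Nothing
# here runs chkconfig; it works on captured text so the plan can be checked first.

# Services to leave on (assumption: the set remaining on slide 26; edit to taste).
KEEP="syslog network random keytable apmd atd gpm autofs iptables sshd rhnsd crond anacron cups"

# Constructed sample of "chkconfig --list" output, trimmed from the talk's listing.
SAMPLE_LIST='kudzu          0:off   1:off   2:off   3:on    4:on    5:on    6:off
syslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
network        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap        0:off   1:off   2:off   3:on    4:on    5:on    6:off
nfslock        0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail       0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd         0:off   1:off   2:off   3:on    4:on    5:on    6:off'

# enabled_services LISTING: print the services that are on in any of runlevels
# 3, 4 or 5 (the multi-user levels a networked box actually runs in).
enabled_services() {
    printf '%s\n' "$1" | awk '/[345]:on/ { print $1 }'
}

# unwanted_services LISTING: the enabled services that are not on the allow-list.
unwanted_services() {
    enabled_services "$1" | while read -r svc; do
        case " $KEEP " in
            *" $svc "*) ;;              # on the allow-list, keep it
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

# disable_commands LISTING: for each unwanted service, the talk's two steps:
# remove it from the boot sequence at levels 3,4,5 and stop the running copy.
disable_commands() {
    unwanted_services "$1" | while read -r svc; do
        printf 'chkconfig %s --level 345 off\n' "$svc"
        printf '/etc/init.d/%s stop\n' "$svc"
    done
}

# Run with --show to print the plan for the embedded sample. On a real box,
# feed "chkconfig --list" into disable_commands, read the output, then pipe
# it through sh as root.
if [ "${1:-}" = "--show" ]; then
    disable_commands "$SAMPLE_LIST"
fi
```

Reviewing the generated commands before running them is the point: the allow-list is a policy decision, and the one service you forgot to list (sshd, in this setup) is the one you cannot afford to stop on a box you reach over the network.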
27 Configuring RedHat 9
- Scan the external routable IP address again after turning off most services to see how attackers will see your computer over the network.
- Don't plug in the network cable yet!
28 Iptables Firewall Rules
- RedHat 9 uses iptables for its personal firewall.
- The iptables firewall is configured using rule chains.
- The firewall configuration uses three standard chains:
  - INPUT, governing acceptance of incoming packets
  - OUTPUT, governing acceptance of outgoing packets
  - FORWARD, for passing packets from one interface to another.
29 Iptables Firewall Rules
- Check the firewall rules with
  iptables --list

  Chain INPUT (policy ACCEPT)
  target                prot opt source               destination
  RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

  Chain FORWARD (policy ACCEPT)
  target                prot opt source               destination
  RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

  Chain OUTPUT (policy ACCEPT)
  target                prot opt source               destination

  Chain RH-Lokkit-0-50-INPUT (2 references)
  target  prot opt source                   destination
  ACCEPT  udp  --  regnant7.cs.ucdavis.edu  anywhere     udp spt:domain dpts:1025:65535
  ACCEPT  tcp  --  anywhere                 anywhere     tcp dpt:ssh flags:SYN,RST,ACK/SYN
  ACCEPT  all  --  anywhere                 anywhere
  REJECT  tcp  --  anywhere                 anywhere     tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
  REJECT  tcp  --  anywhere                 anywhere     tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
  REJECT  udp  --  anywhere                 anywhere     udp dpts:0:1023 reject-with icmp-port-unreachable
  REJECT  udp  --  anywhere                 anywhere     udp dpt:nfs reject-with icmp-port-unreachable
  REJECT  tcp  --  anywhere                 anywhere     tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
  REJECT  tcp  --  anywhere                 anywhere     tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
30 Iptables Firewall Rules
- Modify the current iptables ruleset to block everything except ssh. Rules 4 and 6 of the Lokkit chain are replaced so that they reject TCP and UDP on all ports (0:65535) instead of only 0:1023.
- Important! The modifications must be saved to take effect even after reboot.

  iptables -R RH-Lokkit-0-50-INPUT 4 -p tcp -m tcp --dport 0:65535 --syn -j REJECT
  iptables -R RH-Lokkit-0-50-INPUT 6 -p udp -m udp --dport 0:65535 -j REJECT
  /sbin/service iptables save
31 Iptables Firewall Rules
- Check the firewall rules with
  iptables --list

  Chain INPUT (policy ACCEPT)
  target                prot opt source               destination
  RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

  Chain FORWARD (policy ACCEPT)
  target                prot opt source               destination
  RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

  Chain OUTPUT (policy ACCEPT)
  target                prot opt source               destination

  Chain RH-Lokkit-0-50-INPUT (2 references)
  target  prot opt source                   destination
  ACCEPT  udp  --  regnant7.cs.ucdavis.edu  anywhere     udp spt:domain dpts:1025:65535
  ACCEPT  tcp  --  anywhere                 anywhere     tcp dpt:ssh flags:SYN,RST,ACK/SYN
  ACCEPT  all  --  anywhere                 anywhere
  REJECT  tcp  --  anywhere                 anywhere     tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
  REJECT  tcp  --  anywhere                 anywhere     tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
  REJECT  udp  --  anywhere                 anywhere     udp reject-with icmp-port-unreachable
  REJECT  udp  --  anywhere                 anywhere     udp dpt:nfs reject-with icmp-port-unreachable
  REJECT  tcp  --  anywhere                 anywhere     tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
  REJECT  tcp  --  anywhere                 anywhere     tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
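Slides 28 to 31 edit the Lokkit chain in place, which leaves the chain's own ordering and the INPUT policy of ACCEPT as things to keep in your head. As an added example, not from the talk, the script below generates the same policy (loopback open, SSH open, everything else answered with ICMP port unreachable) as a complete ruleset in iptables-restore format with the fail-safe default the talk's principles call for: a DROP policy on INPUT and FORWARD, so a rule that is accidentally deleted closes a port rather than opens one. It goes one step past the talk by admitting replies to the machine's own connections through connection tracking instead of a per-host DNS rule. It assumes the allowed inbound TCP ports are passed as arguments and that iptables-restore and "/sbin/service iptables save" exist as on Red Hat 9; the script only prints rules, it never loads them.

```shell
#!/bin/sh
# Added example (not from the talk): emit a default-deny iptables ruleset in
# iptables-restore format that opens only loopback, reply traffic and the
# given inbound TCP ports, rejecting the rest with ICMP port unreachable.

# gen_rules PORT...: print the ruleset for the given inbound TCP service ports.
gen_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'          # fail-safe default: deny unless a rule allows
    echo ':FORWARD DROP [0:0]'        # a workstation does not route for anyone
    echo ':OUTPUT ACCEPT [0:0]'       # the talk leaves outbound traffic alone
    echo '-A INPUT -i lo -j ACCEPT'   # loopback passes, as in the talk's scans
    # replies to connections this machine started (DNS answers, web pages, ...)
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # If the box gets its address by DHCP (as the talk suggests) and the client
    # stops receiving leases, also allow: -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
    for port in "$@"; do
        # new connections (SYN) to an allowed service port, e.g. 22 for ssh
        echo "-A INPUT -p tcp --dport $port --syn -j ACCEPT"
    done
    # everything else gets the same answer Lokkit gives: port unreachable
    echo '-A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable'
    echo '-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable'
    echo 'COMMIT'
}

# count_accept_ports RULESET: number of inbound service ports the ruleset
# opens; a sanity check before loading it (should equal the ports you asked for).
count_accept_ports() {
    printf '%s\n' "$1" | grep -c -- '--dport .* -j ACCEPT' || true
}

# Print the ruleset for the ports given on the command line, e.g.
#   sh lockdown-rules.sh --print 22
# To load it on the box (as root) and keep it across reboots, as on slide 30:
#   sh lockdown-rules.sh --print 22 | iptables-restore && /sbin/service iptables save
if [ "${1:-}" = "--print" ]; then
    shift
    gen_rules "$@"
fi
```

Loading with iptables-restore replaces the whole filter table atomically, so there is no window with a half-edited chain, and "iptables --list" afterwards should show exactly one ACCEPT per port you passed plus the loopback and state rules. Run the check from another host, as slide 32 says, before trusting it.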
32 Test the Configuration
- Finally you can plug in the network cable.
- Open the web browser and connect to a web site to verify that networking is available.
- Check your configuration from another host.
33 Patch
- We still aren't done; patches need to be applied.
- ssh remains open and available to anyone on the Internet. Two weeks ago 3 vulnerabilities were found in OpenSSH within the course of two days.
- Red Hat Network provides free updating for one machine per person; 65/year for each additional machine.
34 Patching with up2date
- In RedHat 9 the up2date tool provides distributed patches:
  up2date --register
35 Patching with up2date
- Register with username, password, email
36 Patching with up2date
- Send them your system profile and package set
37 Patching with up2date
- Subscribe to a patch channel
38 Patching with up2date
- Every time you run up2date you get the latest patches
39 Windows Lockdown
- The Problem
  - Windows is designed to give you limited control.
  - The inside may be as worrisome as the outside.
- The Plan
  - Make your computer a strict client
  - Keep it up to date and patched
  - Run a personal firewall
  - Put it on the unroutable DHCP network
40 DHCP Network Hubs in the Wild
41 Windows Lockdown
- A Windows Strict Client "Don't Install" list
  - IIS Web Server
  - Windows Messenger (hard to turn off)
  - Chat
- Turn off file sharing
- Use and love Windows Update
- The department now scans for vulnerable machines. Don't make them track you down.
42 Windows Personal Firewall
- Use free ZoneAlarm: www.zonelabs.com
- The free download of ZoneAlarm basic is here on ZoneLabs' main web page.
43 Windows Personal Firewall
- ZoneAlarm intercepts
  - Application bindings to local sockets. Blocks remote connections to the local machine.
  - Local connections to remote sockets. Your own applications can be prevented from connecting out without your knowledge or permission.
- Shows a histogram of active in and out connections on the taskbar
44 Windows Personal Firewall
- ZoneAlarm is configured interactively; no preconfiguration is needed.
- Check this box and you'll never be bothered again.
45 Windows Personal Firewall
- Fine grained control is obtained using the tray icon.