Bastille Linux - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
  • Bastille Linux
  • Past, Present and Future
  • Jay Beale
  • Lead Developer, Bastille Linux
  • President, JJB Security Consulting

2
Bastille Linux
  • A security hardening script for Linux and Unix
  • Red Hat 7.3
  • Mandrake 8.2
  • Turbo 7.0
  • SuSE 7.2
  • Debian current
  • HP-UX 11.x

3
Bastille Linux
  • More operating systems
  • Solaris
  • OpenBSD (SSH worm anyone?)
  • FreeBSD?

4
Sample Screen

5
What Does Bastille Do? 1/3
  • Firewall
  • Set-UID and Permissions Audit

6
What Does Bastille Do? 2/3
  • Deactivate unnecessary stuff
  • Tighten configurations of remaining stuff

7
What Does Bastille Do? 3/3
  • Educate Users and Admins
  • (They have guns pointed at their boots)

8
Why Do I Need It?
  • Shipped defaults are not optimized for security
  • Users need ease-of-use
  • Programmers want convenience
  • and
  • Neither groks security

9
But Why Do I Need Security? 1/4
  • You're targeted by clueful hackers
  • (even if you're not interesting)
  • because you're one hop on the way to the real
    target.

10
But Why Do I Need Security? 2/4
  • You're targeted by script kiddies...
  • because you have an IP address!
  • (That got picked up as vulnerable by their
    vulnerability scanners.)

11
But Why Do I Need Security? 3/4
  • You're targeted by worms...
  • Slightly smarter than script kiddies, but fully
    automated.
  • Easy to defeat, with hardening!

12
But Why Do I Need Security? 4/4
  • Script kiddies choose your box at random to
  • Run their IRC bots
  • Run their IRC server
  • Serve as an exchange point for files, filez...
  • Attack other machines with DoS/DDoS programs
  • Brag about how many random machines they 0wn.
  • <your use here>

13
How Does It Work? 1/2
  • Minimize Points of Entry
  • Network Daemons
  • User-accessible programs

14
How Does It Work? 2/2
  • Prevent Privilege Escalation
  • Set-UID programs let me turn my user nobody
    access into root!

15
But Does It Work?
  • Bastille was written before most of the security
    vulnerabilities in Red Hat 6.0 were discovered.
  • It could stop or contain almost all of them.

16
Vulnerabilities Stopped - Red Hat 6.0
  • BIND - remote root
  • wu-ftpd - remote root
  • userhelper - local root
  • lpd, sendmail - remote root
  • dump/restore - local root
  • gpm - console local root

17
Vulnerabilities Not Stopped - RH 6.0
  • nmh - local root?
  • man - whatever user runs it

18
So Who's Using it?
  • You tell me!
  • MandrakeSoft had it in their distribution.
  • Red Hat has talked about integrating it.
  • SGI sold appliances with it loaded.
  • Guardent/foo uses it in some appliance.
  • Estimated around 75,000-150,000 people?

19
Capabilities
  • 2.0 Release
  • Intelligence - "requires" tags
  • X or Curses configuration
  • Reusable config file, with consistency checking

20
Where We're Going Soon
  • More content (this talk will demonstrate it)
  • Growing to run on more platforms: Solaris first.
  • Enterprise features

21
Firewall
  • Configure a default-deny firewall for either
  • a masquerading network, or
  • a single machine

22
Firewall
  • Firewall off daemons, but also harden/remove
    them.
  • Why both?

23
Defense in Depth
  • Protect each service or possible vulnerability through multiple
    means, so that if one fails, the remaining methods keep your
    machine from being compromised.
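
A default-deny filter of the kind the firewall slides describe, written here as an added shell example (it is not Bastille's own code and does not come from the talk): INPUT and FORWARD default to DROP, only the listed ports are opened, dropped packets are logged at a bounded rate, and a second function adds the masquerading rules for the NAT case. The interface name eth0, port 22, the sysctl call and the 192.168.1.0/24 network used in the usage note are assumptions. Set IPT=echo and SYSCTL=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Default-deny packet filter (example, not Bastille's own code).
# IPT=echo SYSCTL=echo gives a dry run that prints the rules.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# TCP ports to accept from the network. Assumed default: ssh only.
# Anything not listed is dropped, which is the point of default-deny:
# a daemon you forgot about is unreachable even while it is running.
ALLOWED_TCP="${ALLOWED_TCP:-22}"
PUBLIC_IFACE="${PUBLIC_IFACE:-eth0}"

firewall_single_host() {
    # Start from a clean slate.
    $IPT -F
    $IPT -X

    # Default-deny: nothing in, nothing forwarded, unless explicitly allowed.
    # Outbound traffic from this host is left open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is trusted; X, syslog and the resolver all need it.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Spoofed loopback addresses arriving on the public interface.
    $IPT -A INPUT -i "$PUBLIC_IFACE" -s 127.0.0.0/8 -j DROP

    # Only the listed services may receive new connections.
    for port in $ALLOWED_TCP; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Keep the box pingable, but rate-limited.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log what we drop, bounded so an attacker cannot fill the disk, then drop.
    $IPT -A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A INPUT -j DROP
}

# Masquerading variant: $1 is the internal interface, $2 the internal network.
firewall_masquerade() {
    int_if="$1"; int_net="$2"
    firewall_single_host

    # Rewrite internal sources to our public address on the way out.
    $IPT -t nat -A POSTROUTING -o "$PUBLIC_IFACE" -s "$int_net" -j MASQUERADE

    # Forward only: inside -> outside for our own net, and replies back in.
    $IPT -A FORWARD -i "$int_if" -s "$int_net" -o "$PUBLIC_IFACE" -j ACCEPT
    $IPT -A FORWARD -i "$PUBLIC_IFACE" -o "$int_if" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Routing between interfaces is off by default; turn it on last.
    $SYSCTL -w net.ipv4.ip_forward=1
}
```

Run as root, e.g. `firewall_single_host` or `firewall_masquerade eth1 192.168.1.0/24`. Rule order matters: the ESTABLISHED rule goes before the port rules so replies are cheap, and the LOG rule sits immediately before the final DROP so it sees only what the earlier rules did not accept. This is one layer of the defense in depth the slides describe; the daemons behind it still get removed or hardened, because a firewall rule can be flushed by a mistyped restart while a daemon that is not running has nothing to exploit.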

24
File Permissions
  • File Permissions Audit
  • Want to do something more comprehensive!
  • Educate newbies about groups?

25
SUID Audit
  • SUID Audit
  • Blocking all paths to root!
  • Real example: UserRooter (the userhelper exploit)

26
SUID Audit 1/2
  • mount/umount
  • ping
  • traceroute
  • dump/restore
  • cardctl
  • (all of these have been vulnerable in the past 3 years)

27
SUID Audit 2/2
  • at
  • dosemu
  • inn tools
  • lpr/lp
  • r-tools
  • usernetctl
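
What the SUID audit on slides 25-27 amounts to, as an added shell example (not Bastille's own code): enumerate every set-uid and set-gid file on a filesystem, then strip the bit from the programs on a deny list. The deny list is assembled from the two slides above and is an assumption for your site; the point is that every entry removed is one less path from an unprivileged account to root.

```shell
#!/bin/sh
# Set-UID / Set-GID audit (example, not Bastille's own code).

# Programs whose set-uid bit ordinary users rarely need. Assumed list drawn
# from the slides; passwd, su and sudo are deliberately absent.
SUID_DENYLIST="${SUID_DENYLIST:-mount umount ping traceroute dump restore cardctl at dosemu lpr lp rcp rlogin rsh usernetctl}"

# Print every set-uid or set-gid regular file under $1, one per line.
# -xdev keeps the walk on one filesystem (no /proc, no NFS mounts).
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Count set-id files under $1: the before/after number for an audit report.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Strip set-uid and set-gid bits from denylisted programs under $1 and
# print the path of each file changed. Matching is on basename only, so
# a copy of ping parked elsewhere is caught too.
strip_setid() {
    list_setid "$1" | while IFS= read -r f; do
        name=${f##*/}
        for bad in $SUID_DENYLIST; do
            if [ "$name" = "$bad" ]; then
                chmod ug-s "$f"
                echo "$f"
                break
            fi
        done
    done
}
```

Typical use is `count_setid /` before and after `strip_setid /`, with the list of changed paths kept so the bits can be restored for the one program a site actually needs (mount for laptop users, for example). Re-run `list_setid /` after every package upgrade: vendor packages reinstall their set-uid bits.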

28
Account Security
  • Protect the users' accounts
  • Enforce good policies to prevent privilege
    escalation

29
Account Security
  • Protect rhosts via PAM
  • Password Aging
  • Restrict Cron
  • Umask
  • Root TTY Logins

30
Boot Security
  • Password protect LILO
  • Password protect runlevel 1

31
Secure Inetd
  • Deactivate Telnet
  • Deactivate FTP
  • ...

32
Applied Minimalism
  • Since crackers may discover an exploitable vulnerability in any
    service running with privilege, minimize both the number of these
    services and their levels of privilege.

33
Miscellaneous PAM
  • Mandatory System Resource Limits
  • prevent core dumps
  • limit number of processes per user
  • file size limit 100 MB
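
The three PAM limits on this slide live in /etc/security/limits.conf, one `<domain> <type> <item> <value>` line each. The shell example below is added here and is not Bastille's code: it reads the effective hard limit for each item (last matching line wins, as pam_limits reads it), reports anything missing or looser than the target, and appends the missing lines. The values 0, 150 and 100000 (fsize is in KB, so about 100 MB) are taken from the slide and are assumptions for your site.

```shell
#!/bin/sh
# Audit and harden /etc/security/limits.conf (example, not Bastille's code).
# Each required item is "item:ceiling". core 0 stops core dumps (which can
# leak secrets and have been used in setuid tricks), nproc caps processes per
# user (fork-bomb containment), fsize caps file size in KB (disk-filling DoS).
REQUIRED_LIMITS="core:0 nproc:150 fsize:100000"

# Effective '* hard <item>' value in file $1, or nothing if unset.
# Comments and short lines are skipped; the last matching line wins.
limit_value() {
    awk -v item="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $1 == "*" && $2 == "hard" && $3 == item { v = $4 }
        END { if (v != "") print v }' "$1"
}

# Report missing or loose limits in $1, one line each. Exit 0 if all good.
audit_limits() {
    rc=0
    for spec in $REQUIRED_LIMITS; do
        item=${spec%%:*}; want=${spec#*:}
        have=$(limit_value "$1" "$item")
        if [ -z "$have" ]; then
            echo "$item: not set (want hard $want)"; rc=1
        elif [ "$have" != "unlimited" ] && [ "$have" -le "$want" ]; then
            :   # at or below the ceiling: fine
        else
            echo "$item: $have is looser than $want"; rc=1
        fi
    done
    return $rc
}

# Append the missing hardened lines to $1 (idempotent: set items are kept).
harden_limits() {
    for spec in $REQUIRED_LIMITS; do
        item=${spec%%:*}; want=${spec#*:}
        [ -n "$(limit_value "$1" "$item")" ] && continue
        printf '*\thard\t%s\t%s\n' "$item" "$want" >> "$1"
    done
}
```

Two caveats a practitioner will hit: pam_limits only enforces these lines for services whose PAM stack includes it (login, sshd, su), so check /etc/pam.d as well, and the `*` domain does not apply to root, which is what you want for nproc but means root's own core dumps need `ulimit -c 0` in the init scripts.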

34
Logging
  • Lots of extra logging
  • Remote Logging Host
  • Process Accounting

35
Killing Daemons 1/2
  • apmd
  • nfs/portmapper
  • samba
  • atd
  • pcmcia
  • dhcp server (?)

36
Killing Daemons 2/2
  • gpm
  • news server
  • routing daemons
  • NIS
  • SNMPd

37
Sendmail
  • Reduce attacker's access to Sendmail
  • Remove reconnaissance commands (VRFY, EXPN)
  • Run sendmail as a non-root process via
    inetd/xinetd

38
Postfix?
  • Sendmail's security vulnerability history is
    rich!
  • Why?
  • Consider Postfix, by Wietse Venema, author of TCP Wrappers
  • Modular, safer design!

39
DNS - BIND
  • Secure BIND
  • Historical note: we secured BIND before the remote root exploits
    were released.
  • Philosophy: harden it now, before the bugs are discovered!

40
Hardening BIND 1/2
  • Chroot
  • Run as user/group dns
  • CONTAINMENT

41
Hardening BIND 2/2
  • Restrict queries to set of hosts
  • Restrict zone transfers to set of hosts
  • Choose a random version string
  • Offer to configure views in BIND 9
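
The two BIND slides above translate into a small named.conf fragment plus a start-up command line. The shell example below is added here and is not Bastille's code: it generates the `acl` and `options` blocks with query, recursion and transfer restricted to named address lists and a freshly randomised version string, and the usage note gives the containment half (unprivileged user plus chroot). The directory, chroot path, user name and the address lists in the test are assumptions.

```shell
#!/bin/sh
# Hardened BIND options generator (example, not Bastille's own code).

# 16 hex characters from /dev/urandom. A scanner that asks for
# "version.bind" learns nothing, and every install gets a different value.
random_version() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# $1: address list allowed to query and recurse; $2: secondaries allowed
# zone transfers. Elements are separated by ';' as in BIND address lists.
bind_options() {
    trusted="$1"; secondaries="$2"
    cat <<EOF
acl "trusted"     { $trusted; };
acl "secondaries" { $secondaries; };

options {
    directory "/var/named";            // relative to the chroot, if any
    version "$(random_version)";       // hide the real version
    allow-query     { trusted; };      // who may ask us anything
    allow-recursion { trusted; };      // never an open resolver
    allow-transfer  { secondaries; };  // zone data only to our own slaves
};
EOF
}
```

Write the output into the chroot's named.conf and start the server as `named -u named -t /var/named/chroot`: with `-u` a remote root in named becomes a compromise of the `named` account, and with `-t` that account sees only the jail. Check the result from an untrusted address with `dig @server version.bind txt chaos` (should return the random string) and `dig @server example.org axfr` (should be refused).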

42
Hardening Apache 1/3
  • Deactivate Apache?
  • Bind Apache to localhost?

43
Hardening Apache 2/3
  • Symlinks
  • Server Side Includes
  • CGI Scripts
  • Indices

44
Hardening Apache 3/3
  • Removing Modules
  • Removing handlers
  • Restricting .htaccess overrides

45
FTP
  • FTP is Really Bad(tm)!
  • Unauthenticated data transfer channel (file
    theft)
  • Bad authentication on command channel
  • Takeover issues (cleartext session)
  • Try to replace it
  • HTTP for downloads?
  • SFTP for password-authenticated user uploads?

46
Hardening FTP 1/2
  • Deactivate anonymous mode
  • Deactivate normal user mode

47
Hardening FTP 2/2
  • Apply path filters to all filenames used
  • Deactivate compression/tar-ing (external progs)
  • Choose version string randomly
  • Chroot normal users via 'guest' accounts
  • Require RFC 822-compliant e-mail addresses
  • Disable all dynamic 'message file'
    parsing/delivery
  • Create less useful upload area
  • Log transfers, commands and security violations

48
Speaker Bio
  • Jay Beale is the Lead Developer of Bastille Linux
    and an independent security consultant/trainer.
    Mandrake. He's currently working on a book on
    Locking Down Linux for Addison Wesley. Read more
    of his articles on
  • http://www.bastille-linux.org/jay