linux hardening - nullhyd

HARDENING LINUX SERVER: A SECURE APPROACH

Upload: nu-the-open-security-community

Post on 17-Mar-2018


TRANSCRIPT

Page 1: Linux Hardening - nullhyd

HARDENING LINUX SERVER: A SECURE APPROACH

Page 2

Kaleem

Technical consultant / Operations engineer

CipherCloud

Email : [email protected]

Page 3

BENCHMARKS

• CIS Security Benchmarks for Linux

• NSA Security Configuration Guides for Linux

Page 4

CHOOSE A FLAVOUR?

For better or worse, there is no one "Linux". Instead, there are loads of Linux distributions that all run the Linux kernel.

"Server distributions differ from desktop versions and security distros both in packages and in support."

Page 5

DIVISION OF LABOUR

The basic idea behind protecting a Linux server is that the system administrator controls everything the server runs and installs only the packages that are necessary for the planned services.

• BASIC

• SERVER (WEB, DNS, MAIL)

• DESKTOP

Page 6

KEEP IT SEPARATED (FILE SYSTEM PARTITIONING)

Keep partitions separate for easier administration and better security: a separate partition can carry its own mount options, and a runaway log or upload directory cannot fill the root filesystem.
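
As an added example (not part of the slides), a shell check of the mount layout: it reads an fstab-style table and reports separate partitions that lack the nodev/nosuid/noexec options, and mount points that are not separate at all. The list of mount points and options is an assumed policy in the CIS style, and the sample fstab is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: audit an fstab-style mount table for
# separate partitions that lack the restrictive mount options a hardened server
# would give them, and for mount points that are not separate at all.
# The policy (which mount points, which options) is an assumption in the
# spirit of the CIS benchmark, not something the deck specifies.

# Constructed sample fstab for the demonstration. A real run would feed in
# /etc/fstab or /proc/mounts instead.
SAMPLE_FSTAB='
UUID=aaaa-1111 /         ext4  defaults                       1 1
UUID=bbbb-2222 /tmp      ext4  defaults                       1 2
UUID=cccc-3333 /var      ext4  defaults                       1 2
UUID=dddd-4444 /var/log  ext4  defaults,nodev,nosuid,noexec   1 2
UUID=eeee-5555 /home     ext4  defaults,nodev                 1 2
tmpfs          /dev/shm  tmpfs defaults,nodev,nosuid,noexec   0 0
'

# Options each mount point is expected to carry (assumed policy).
wanted_opts() {
    case "$1" in
        /tmp|/var/tmp|/dev/shm) echo "nodev nosuid noexec" ;;
        /home)                  echo "nodev nosuid" ;;
        /var|/var/log)          echo "nodev" ;;
        *)                      echo "" ;;
    esac
}

# Read fstab text on stdin; print "<mountpoint> missing <option>" per gap.
# Always returns 0 so it is safe to call under "set -e".
check_fstab() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac      # blanks and comments
        for want in $(wanted_opts "$mnt"); do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "$mnt missing $want" ;;
            esac
        done
    done
    return 0
}

# Read fstab text on stdin; print mount points that the layout expects to be
# separate partitions but which do not appear in the table.
check_separate() {
    have=$(awk '$1 !~ /^#/ && NF >= 2 { print $2 }' | tr '\n' ' ')
    for mnt in /tmp /var /var/log /home; do
        case " $have " in
            *" $mnt "*) ;;
            *) echo "$mnt not on its own partition" ;;
        esac
    done
    return 0
}

printf '%s\n' "$SAMPLE_FSTAB" | check_fstab
printf '%s\n' "$SAMPLE_FSTAB" | check_separate
```

On a live system pipe in /proc/mounts rather than /etc/fstab, since what is actually mounted (and with which options) is what matters; remounting with the missing options is `mount -o remount,nodev,nosuid,noexec /tmp`.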

Page 7

ENCRYPTING THE FILESYSTEM

Page 8

ENCRYPTING THE RUNNING SERVER

To encrypt a partition using dm-crypt + LUKS on Linux (luksFormat destroys whatever is on the partition, so do this on an empty or backed-up device):

$ sudo yum install cryptsetup

$ sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1

$ sudo cryptsetup luksDump /dev/sdb1

$ sudo cryptsetup luksOpen /dev/sdb1 sdb1

luksOpen exposes the decrypted device as /dev/mapper/sdb1; create the filesystem there and mount it (the filesystem never touches /dev/sdb1 directly).

Follow FIPS 140: install the dracut-fips package and recreate the initramfs image, then add fips=1 to the kernel command line so the FIPS self-tests run at boot:

# yum install dracut-fips

# dracut -f

Page 9

SECURE THE BOOT

Require the root password to enter run level 1 (single-user mode) and disable the Ctrl-Alt-Del reboot. These lines are for SysV init as on RHEL/CentOS 6; systemd already runs sulogin for rescue.target, and the reboot shortcut is disabled with systemctl mask ctrl-alt-del.target.

echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab

perl -npe 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /etc/inittab

Password-protecting GRUB (legacy GRUB 0.9x):

/sbin/grub-md5-crypt

password --md5 <password-hash>

Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.

The next time the system boots, the GRUB menu prevents access to the editor or command interface without first pressing p followed by the GRUB password. GRUB 2 uses grub2-mkpasswd-pbkdf2 and a "set superusers" entry in its configuration instead of the --md5 line.

Page 10

IPFILTERS & TCP WRAPPERS

iptables has the following 4 built-in tables:

• FILTER table - INPUT, OUTPUT, FORWARD chains

• NAT table - PREROUTING, POSTROUTING, OUTPUT chains

• MANGLE table - PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING chains

• RAW table - PREROUTING, OUTPUT chains

TCP wrappers for a restrictive network. Only daemons linked against libwrap honour these files (OpenSSH upstream dropped libwrap support in 6.7, so check your distribution's build); a firewall rule is the reliable control.

• /etc/hosts.allow

• /etc/hosts.deny

Page 11

EGRESS FILTERING FOR A HEALTHIER INTERNET

When your server is compromised you are no longer the innocent party trying to defend yourself; to other machines you have become the attacker. Egress filtering limits what a compromised host can reach and makes its outbound attempts visible in the logs.

Outbound rules are written like the inbound ones with the roles swapped: what was matched with -s / --sport (source address / source port) on the INPUT chain is matched with -d / --dport (destination address / destination port) on the OUTPUT chain.

Page 12

JUST A SAMPLE FIREWALL RULE
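
The slide's own rule set was an image that did not survive the transcript. As an added example, not the deck's rules, the following shell function generates a complete default-deny ruleset in iptables-restore format for a host that exposes only HTTPS and needs only outbound DNS, NTP and HTTPS; the interface name, the ports and the TEST-NET addresses used for the DNS and NTP servers are assumptions.

```shell
#!/bin/sh
# Added example (not the deck's own rule set, which was an image): build a
# default-deny ruleset in iptables-restore format with egress filtering, for a
# host that only serves HTTPS and only needs outbound DNS, NTP and HTTPS.
# Interface name, ports and the DNS/NTP server addresses are assumptions.

WAN_IF=eth0
DNS_SERVER=192.0.2.53      # constructed (TEST-NET-1) address
NTP_SERVER=192.0.2.123     # constructed address
INBOUND_TCP="443"          # services this host exposes
OUTBOUND_TCP="443"         # services this host may reach out to

# Emit the ruleset on stdout. Apply with:  gen_rules | iptables-restore
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections we already know about
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop obviously invalid packets early
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # ingress: new connections to the services this host exposes
    for p in $INBOUND_TCP; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # egress: the same pattern on the OUTPUT chain, matching destination
    # address and port instead of source
    echo "-A OUTPUT -o $WAN_IF -p udp -d $DNS_SERVER --dport 53 -j ACCEPT"
    echo "-A OUTPUT -o $WAN_IF -p udp -d $NTP_SERVER --dport 123 -j ACCEPT"
    for p in $OUTBOUND_TCP; do
        echo "-A OUTPUT -o $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# log what a compromised host tries to reach before dropping it
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DROP: "
-A OUTPUT -j DROP
COMMIT
EOF
}

gen_rules
```

Run `gen_rules | iptables-restore --test` first (it parses without committing), then apply for real from a console session rather than over SSH in case a rule is wrong. The LOG line before the final DROP is what turns a compromised host's outbound attempts into evidence in the system log.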

Page 13

THE "RIGHTS"

Restrict root:

No one other than root should be allowed in root's home directory. The default settings are close to this, but not quite paranoid enough. /etc/securetty lists the terminals on which root may log in directly; reducing it to the console means root access from anywhere else has to go through a normal account and su or sudo.

echo "tty1" > /etc/securetty

chmod 700 /root

USE SUDO:

sudo allows granular control over privileged actions. This way an administrator can start, stop and otherwise manage the web server without being able to affect other services.

Page 14

PERMISSIONS & PASSWORDS

• Narrow down rights for system files and folders that only root needs (admin scripts, cron jobs, sensitive configuration). Do not apply this blindly to every root-owned file: users and services still need to read the binaries, libraries and shared configuration they depend on.

chmod 700 <file> ( files only root should use )

chown root:root <file> ( files owned by root )

Set a cron job to check the permissions periodically (world-writable files, unexpected setuid/setgid binaries, files no longer owned by root).

• Upgrade the password hashing algorithm to SHA-512 (RHEL/CentOS 6 and 7; on Debian-based systems set the sha512 option on the pam_unix line in /etc/pam.d/common-password). Existing hashes are only upgraded when each user next changes their password.

# authconfig --passalgo=sha512 --update
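
As an added example (not from the slides), the periodic permission check as a cron job: it reports world-writable and setuid/setgid files under a directory and, using a baseline file, only what changed since the previous run, so known-good binaries such as /usr/bin/passwd are reported once and then silenced. The directory tree it builds for the demonstration is constructed; the baseline path and the cron location are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: the periodic permission check the slide
# asks for, written so it can run from cron and only report changes since the
# previous run. Findings are world-writable files and setuid/setgid files under
# a directory; a baseline file turns the report into "what is new".
# Paths used in the comments are assumptions.

# Usage: permcheck DIR -> one "kind: path" line per finding; always returns 0.
permcheck() {
    dir=$1
    # world-writable regular files (sticky directories such as /tmp are fine)
    find "$dir" -xdev -type f -perm -0002 -print 2>/dev/null |
        sed 's/^/world-writable: /'
    # anything carrying the setuid or setgid bit
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        sed 's/^/setuid-setgid: /'
    return 0
}

# Usage: permdiff DIR BASELINE -> prints only findings not in BASELINE, then
# replaces BASELINE with the current findings. Run daily, e.g. from
# /etc/cron.daily, with DIR=/ and BASELINE=/var/lib/permcheck.baseline.
permdiff() {
    dir=$1 base=$2
    [ -f "$base" ] || : > "$base"
    permcheck "$dir" | sort > "$base.new"
    comm -13 "$base" "$base.new"        # lines only in the new report
    mv "$base.new" "$base"
    return 0
}

# Build a constructed directory tree with one finding of each kind and print
# its path. Used for the demonstration below.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/tmp"
    printf '#!/bin/sh\n' > "$t/bin/helper"; chmod 4755 "$t/bin/helper"   # setuid
    : > "$t/tmp/scratch";                  chmod 0666 "$t/tmp/scratch"   # world-writable
    : > "$t/bin/ok";                       chmod 0755 "$t/bin/ok"        # clean
    echo "$t"
}

demo=$(make_demo_tree)
permcheck "$demo"
rm -rf "$demo"
```

The first run against the real root fills the baseline with every legitimate setuid binary; review that list once, and from then on the daily mail from cron contains only additions, which is the signal a dropped setuid shell or a chmod 777 on a config file produces.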

Page 15

PASSWORD POLICIES

Set password ageing in /etc/login.defs and password creation requirements with pam_cracklib (or pam_pwquality on newer systems) in /etc/pam.d/system-auth.

Recommended values:

PASS_MAX_DAYS 90

PASS_MIN_DAYS 6

PASS_MIN_LEN 14

PASS_WARN_AGE 7

# sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' /etc/login.defs

# sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 14/' /etc/login.defs

# sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 6/' /etc/login.defs

# sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 7/' /etc/login.defs

Caveats: on PAM-based systems PASS_MIN_LEN in login.defs is ignored, so the length requirement must go in the minlen option of pam_cracklib/pam_pwquality; these sed commands only change a line that is already present and add nothing when the key is missing; and the login.defs values apply to accounts created afterwards, so use chage on existing accounts.
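
As an added example (not the deck's one-liners), a set-or-append helper for /etc/login.defs that also handles a missing or commented-out key, applied to a constructed copy of the file rather than the real one.

```shell
#!/bin/sh
# Added example, not from the slides: set-or-append a key in /etc/login.defs,
# which the slide's sed one-liners cannot do when the key is absent or only
# present as a comment. Works on any file path so it can be tried on a copy.

# Usage: set_login_def FILE KEY VALUE
set_login_def() {
    file=$1 key=$2 val=$3
    awk -v k="$key" -v v="$val" '
        # an active (uncommented) line for this key: rewrite it in place
        $1 == k { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }   # key absent: append it
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Usage: get_login_def FILE KEY -> prints the active value, or nothing if unset
get_login_def() {
    awk -v k="$2" '$1 == k { print $2 }' "$1"
}

# Apply the deck's ageing values. PASS_MIN_LEN is deliberately left out:
# PAM-based systems ignore it, and minlen belongs to pam_cracklib/pam_pwquality.
apply_password_policy() {
    f=$1
    set_login_def "$f" PASS_MAX_DAYS 90
    set_login_def "$f" PASS_MIN_DAYS 6
    set_login_def "$f" PASS_WARN_AGE 7
}

# Constructed sample login.defs: one key active with a weak value, one
# commented out, one already correct. Prints the path of the temp file.
make_sample_login_defs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Password aging controls (constructed sample, not a real /etc/login.defs)
PASS_MAX_DAYS 99999
#PASS_MIN_DAYS 0
PASS_WARN_AGE 7
EOF
    echo "$f"
}

sample=$(make_sample_login_defs)
apply_password_policy "$sample"
cat "$sample"
rm -f "$sample"
```

After the real file is changed, apply the ageing to accounts that already exist with `chage -M 90 -m 6 -W 7 <user>`; login.defs alone only affects accounts created from then on.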

Page 16

CLEANUP !

Delete unused user accounts (first check that no files or services on the box belong to them)

# userdel <account>   e.g. shutdown, halt, games, operator, gopher

Disable unnecessary services (SysV; on systemd use systemctl disable --now <service>)

# for i in rpcbind restorecond nfslock lldpad fcoe rpcidmapd; do service $i stop; chkconfig $i off; done

Remove unnecessary packages

# yum groupremove <group name>

# yum remove <package name>

# sudo apt-get remove pino

Make sure no non-root accounts have UID 0

# awk -F: '($3 == "0") {print}' /etc/passwd

Page 17

BASH HARDENING

• Define read-only environment variables so users cannot override them (declare -r HISTFILE=~/.bash_history) and make the history file append-only (chattr +a ~/.bash_history) so entries can be added but not deleted. Use +a together with shopt -s histappend, since bash otherwise rewrites the whole file at exit; +i would make the file immutable and stop history being written at all.

• HISTFILESIZE -> maximum number of lines kept in the history file

• HISTSIZE -> maximum number of commands kept in memory

• HISTTIMEFORMAT -> date/time format stored with each command

• Force a write to HISTFILE after every command instead of at logout -> readonly PROMPT_COMMAND="history -a" (or declare -r PROMPT_COMMAND="history -a")

• Limit idle session time -> declare -r TMOUT=120
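
As an added example (not from the slides), the settings above as a /etc/profile.d fragment, together with a check that spawns bash, sources the fragment and verifies that the usual ways of disabling history (reassigning or unsetting HISTFILE, zeroing TMOUT, emptying PROMPT_COMMAND) are refused. The file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the slides: a /etc/profile.d fragment that makes the
# history settings and TMOUT read-only, plus a check that a user shell really
# cannot override them. The install path is an assumption.

# The fragment as it would be installed at /etc/profile.d/history-hardening.sh.
HARDENING_SNIPPET='
# keep every command, with a timestamp, and flush after each one
declare -r HISTFILE="$HOME/.bash_history"
declare -r HISTSIZE=10000
declare -r HISTFILESIZE=10000
declare -r HISTTIMEFORMAT="%F %T "
declare -r HISTCONTROL=""          # no ignorespace/ignoredups escape hatch
declare -r PROMPT_COMMAND="history -a"
shopt -s histappend                # append at exit; required with chattr +a
declare -r TMOUT=120               # idle shells exit after 120 s
'

# Write the fragment to FILE (default: a temp file) and print the path.
install_snippet() {
    f=${1:-$(mktemp)}
    printf '%s\n' "$HARDENING_SNIPPET" > "$f"
    echo "$f"
}

# Simulate a user trying to disable history after the fragment is sourced.
# Each attempt runs in a subshell so a failed assignment cannot abort the
# check. Prints "blocked" if every override fails, "overridden" otherwise.
check_readonly() {
    bash -c '
        source "$1"
        fails=0
        ( HISTFILE=/dev/null )   2>/dev/null || fails=$((fails+1))
        ( unset HISTFILE )       2>/dev/null || fails=$((fails+1))
        ( TMOUT=0 )              2>/dev/null || fails=$((fails+1))
        ( PROMPT_COMMAND="" )    2>/dev/null || fails=$((fails+1))
        if [ "$fails" -eq 4 ]; then echo blocked; else echo overridden; fi
    ' _ "$1"
}

f=$(install_snippet)
check_readonly "$f"
rm -f "$f"
```

This raises the bar rather than settling the matter: a user can still start a shell that is not bash, or run `bash --norc --noprofile`, so the history is a convenience record and auditd (slide 26) remains the authoritative log.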

Page 18

AVOID THE FORK BOMBS

• ulimit and sysctl limit resource use, per process tree and system-wide respectively. This helps a lot in system administration, e.g. when a user starts too many processes and makes the system unresponsive for everyone else.

• ulimit -u applies to the current shell and its children; set it persistently per user or group with the nproc item in /etc/security/limits.conf. The value 30 is only an illustration, a real login session often needs more.

# ulimit -u 30

# ulimit -a

max user processes (-u) 30

• sysctl -a lists every kernel tunable and sysctl key=value sets one at runtime (persist it in /etc/sysctl.conf). vm.swappiness is shown only as an example of reading and setting a value; it does not limit processes.

# sysctl -a

vm.swappiness = 60

# sysctl vm.swappiness=0

vm.swappiness = 0

• A user who hits the process limit sees "fork: resource temporarily unavailable" (EAGAIN) while the rest of the system keeps running.

Page 19

STRIPPING DOWN LINUX (REMOVE THE UNNECESSARY PACKAGES)

• One of the simplest ways to hinder an intruder is to remove unnecessary system binaries. On a typical Linux server there are many unneeded tools which become useful to an attacker once they have gained entry:

• Unnecessary binaries

• Network utilities

• Compilers and interpreters

Page 20

SECURE REMOTE ADMINISTRATION

• Remove the legacy, insecure tools.

• Keep the crypto libraries updated (patch them).

• Avoid installing an SSH client on servers that do not need one; it is a ready-made pivoting tool for an attacker.

• Harden SSH.

• Use jump hosts or a VPN to connect.

• Avoid passwords; use key-based authentication.

• Remove the cleartext (non-SSL/TLS) services:

# yum erase xinetd tftp-server ypserv telnet-server rsh-server

Page 21

SSH HARDENING PARAMETERS
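
The parameter table on this slide was an image that is not in the transcript. As an added example, not the deck's list, a shell audit of sshd_config against a hardening policy: the keywords are genuine sshd_config keywords, the expected values are assumptions in the CIS style, and the weak configuration it is run against is constructed. Protocol 2 is omitted because OpenSSH 7.4 and later speak only version 2; on older servers add it to the policy.

```shell
#!/bin/sh
# Added example, not from the slides (whose parameter table was an image): an
# audit of sshd_config against a set of hardening expectations. Expected values
# are assumptions in the spirit of CIS; the keywords are real sshd_config ones.
# Only the global section is checked (everything before the first "Match").

# "Keyword expected" pairs, one per line.
SSHD_POLICY='
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
MaxAuthTries 4
ClientAliveInterval 300
ClientAliveCountMax 0
LogLevel VERBOSE
'

# Effective global value of a keyword: sshd uses the first occurrence and
# matches keywords case-insensitively. Prints nothing if the keyword is unset.
sshd_get() {
    awk -v k="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }            # end of the global section
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# Usage: sshd_audit FILE -> one "Keyword: expected X, got Y" line per deviation;
# a missing keyword reports "got (unset)". Always returns 0.
sshd_audit() {
    f=$1
    printf '%s\n' "$SSHD_POLICY" | while read -r key want; do
        [ -n "$key" ] || continue
        got=$(sshd_get "$f" "$key")
        [ "$got" = "$want" ] || echo "$key: expected $want, got ${got:-(unset)}"
    done
    return 0
}

# Constructed sample: a near-default config with two explicit weak settings.
# The second PermitRootLogin line shows why "first occurrence wins" matters.
make_weak_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sshd_config sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# ignored by sshd: an earlier PermitRootLogin line already set the value
PermitRootLogin no
X11Forwarding no
Match User backup
    PasswordAuthentication no
EOF
    echo "$f"
}

# The policy lines are themselves valid sshd_config lines.
make_hardened_sshd_config() {
    f=$(mktemp)
    printf '%s\n' "$SSHD_POLICY" | grep -v '^$' > "$f"
    echo "$f"
}

weak=$(make_weak_sshd_config)
sshd_audit "$weak"
rm -f "$weak"
```

Before restarting sshd after changes, run `sshd -t` to syntax-check the file and keep the current session open until a second login succeeds; a typo in sshd_config on a remote box is a lock-out.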

Page 22

KEY BASED AUTHENTICATION

$ ssh-keygen

Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:2e:2a:5e:33:3e:a9:de:4e:77:11:58:b6:90:26 username@remote_host
The key's randomart image is:
+--[ RSA 2048]----+
|  ..o            |
|   E o= .        |
|    o. o         |
|      ..         |
|     ..S         |
|    o o.         |
|   =o.+.         |
|. =++..          |
|o=++.            |
+-----------------+

Give the private key a passphrase (with an empty one, anyone who copies the file can use it), install the public key on the server with ssh-copy-id, confirm the key login works, and only then set PasswordAuthentication no in sshd_config.

Page 23

KERNEL HARDENING: DISABLE AND BLACKLIST LINUX MODULES

• The Linux kernel is modular, which makes it more flexible than a monolithic kernel: new functionality can be added to a running kernel by loading the related module. The same mechanism loads modules an attacker can abuse (the FireWire example below is a DMA attack vector) or outright malicious ones. One option to disallow loading modules is to blacklist them.

# modinfo <module>

# modprobe --showconfig | grep blacklist

Blacklist entries live in /etc/modprobe.d/, e.g. /etc/modprobe.d/blacklist-firewire.conf

# modprobe --showconfig | grep "^install" | grep "/bin"

A blacklist line only stops the module being loaded automatically through an alias; an explicit modprobe still works. To block that as well, redirect the load to a no-op with "install <module> /bin/true" in the same file, which is what the last command lists.

By setting the kernel parameter kernel.modules_disabled to 1 we can make sure things are really tightened: even root can no longer load any module. The setting is one-way (it cannot be reverted until reboot), so apply it only after every module the server needs, including the netfilter modules for the firewall, has been loaded.

Page 24

TUNING KERNEL FOR BETTER SECURITY

Set these in /etc/sysctl.conf (or a file under /etc/sysctl.d/) and apply with sysctl -p; mirror the ipv4.conf.all settings in ipv4.conf.default so interfaces added later inherit them.

• Enable TCP SYN cookie protection - net.ipv4.tcp_syncookies = 1

• Disable IP source routing - net.ipv4.conf.all.accept_source_route = 0

• Disable ICMP redirect acceptance - net.ipv4.conf.all.accept_redirects = 0

• Enable IP spoofing protection (reverse-path filtering) - net.ipv4.conf.all.rp_filter = 1

• Ignore ICMP echo requests - net.ipv4.icmp_echo_ignore_all = 1 (this also stops your own monitoring from pinging the host; many sites leave it at 0)

• Ignore broadcast echo requests - net.ipv4.icmp_echo_ignore_broadcasts = 1

• Log spoofed, source-routed and redirect packets - net.ipv4.conf.all.log_martians = 1
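
As an added example covering both this slide and the module blacklist slide before it (not code from the deck): generate the modprobe.d fragment that blocks both automatic and explicit loading of a module, emit the sysctl settings as a sysctl.d file, and check live values against the policy. The module names and file names are assumptions, the /proc/sys tree used for the demonstration is constructed, and icmp_echo_ignore_all is left out of the policy because it is a site decision.

```shell
#!/bin/sh
# Added example, not from the slides: generate the modprobe.d and sysctl.d
# fragments for the two kernel-hardening slides, and check live sysctl values
# against the intended ones. File names and the module list are assumptions.

# Emit a modprobe.d fragment that both blacklists a module (no auto-load by
# alias) and redirects explicit loads to /bin/true (no manual load either).
# Usage: modprobe_disable_conf MODULE... > /etc/modprobe.d/hardening.conf
modprobe_disable_conf() {
    for m in "$@"; do
        echo "blacklist $m"
        echo "install $m /bin/true"
    done
}

# Desired sysctl values from the deck, as "key value" lines.
SYSCTL_POLICY='
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.log_martians 1
kernel.modules_disabled 1
'

# Emit the policy as an /etc/sysctl.d/*.conf file. modules_disabled is kept
# out of it on purpose: sysctl.d is applied early in boot, before the firewall
# has loaded its netfilter modules, and the switch cannot be undone.
sysctl_conf() {
    printf '%s\n' "$SYSCTL_POLICY" | awk '
        NF != 2 { next }
        $1 == "kernel.modules_disabled" { next }
        { print $1 " = " $2 }'
    echo "# kernel.modules_disabled = 1 is set separately at the end of boot (e.g. rc.local),"
    echo "# after every needed module is loaded; it cannot be cleared without a reboot."
}

# Compare the policy with values under ROOT (default /proc/sys). Each sysctl key
# maps to ROOT/<key with dots replaced by slashes>. Prints "key: want X, have Y"
# per mismatch and "key: missing" when the file is absent; always returns 0.
sysctl_check() {
    root=${1:-/proc/sys}
    printf '%s\n' "$SYSCTL_POLICY" | while read -r key want; do
        [ -n "$key" ] || continue
        path="$root/$(printf %s "$key" | tr '.' '/')"
        if [ ! -r "$path" ]; then
            echo "$key: missing"
        else
            have=$(tr -d '[:space:]' < "$path")
            [ "$have" = "$want" ] || echo "$key: want $want, have $have"
        fi
    done
    return 0
}

# Constructed /proc/sys-like tree for the demonstration (not a real kernel);
# three values deliberately deviate from the policy. Prints its path.
make_fake_proc_sys() {
    d=$(mktemp -d)
    mkdir -p "$d/net/ipv4/conf/all" "$d/kernel"
    echo 1 > "$d/net/ipv4/tcp_syncookies"
    echo 0 > "$d/net/ipv4/conf/all/accept_source_route"
    echo 1 > "$d/net/ipv4/conf/all/accept_redirects"      # deviates
    echo 1 > "$d/net/ipv4/conf/all/rp_filter"
    echo 1 > "$d/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 0 > "$d/net/ipv4/conf/all/log_martians"          # deviates
    echo 0 > "$d/kernel/modules_disabled"                 # deviates
    echo "$d"
}

modprobe_disable_conf firewire-core firewire-ohci
sysctl_conf
demo=$(make_fake_proc_sys)
sysctl_check "$demo"
rm -rf "$demo"
```

Run `sysctl_check` with no argument on the real host to compare /proc/sys with the policy after `sysctl -p`; a "missing" result usually means the module or address family behind that key is not loaded at all.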

Page 25

CRITICAL, UNKNOWN AND THIRD PARTY

• SELinux (Security-Enhanced Linux) is a Linux kernel feature that provides mandatory access control through loadable security policies: labels on processes and files decide what is allowed, regardless of the ordinary file permissions.

• AppArmor (Application Armor) is another mandatory access control system for Linux, originally released by Novell under the GPL and now maintained by Canonical. AppArmor was created as an alternative to SELinux and confines programs by file path rather than by label.

• grsecurity is a set of patches for the Linux kernel with an emphasis on enhancing security. It utilises a multi-layered detection, prevention and containment model. Public releases stopped in 2017, so the patches are now only available to grsecurity's customers.

Page 26

AUDIT, LOG, INTEGRITY CHECK

Record events that modify date and time information, the system's network environment and the system's mandatory access controls, and record unsuccessful unauthorised access attempts to files.

Install AIDE and implement periodic execution of the file integrity check. Initialise the AIDE database while the system is still known-good and keep a copy of it off the host, otherwise an attacker who gains root simply re-initialises it.

(Tripwire, AIDE, auditd, Logwatch)

Page 27

QUESTIONS & SUGGESTIONS