Lines 51-58
Link Here
|
51 |
at all.</para> |
51 |
at all.</para> |
52 |
|
52 |
|
53 |
<para>System security also pertains to dealing with various forms of |
53 |
<para>System security also pertains to dealing with various forms of |
54 |
attack, including attacks that attempt to crash or otherwise make a |
54 |
attack, including attacks that attempt to crash, or otherwise make a |
55 |
system unusable but do not attempt to break root. Security concerns |
55 |
system unusable, but do not attempt to break root. Security concerns |
56 |
can be split up into several categories:</para> |
56 |
can be split up into several categories:</para> |
57 |
|
57 |
|
58 |
<orderedlist> |
58 |
<orderedlist> |
Lines 92-104
Link Here
|
92 |
machine of needed resources. Typically, D.O.S. attacks are |
92 |
machine of needed resources. Typically, D.O.S. attacks are |
93 |
brute-force mechanisms that attempt to crash or otherwise make a |
93 |
brute-force mechanisms that attempt to crash or otherwise make a |
94 |
machine unusable by overwhelming its servers or network stack. Some |
94 |
machine unusable by overwhelming its servers or network stack. Some |
95 |
D.O.S. attacks try to take advantages of bugs in the networking |
95 |
D.O.S. attacks try to take advantage of bugs in the networking |
96 |
stack to crash a machine with a single packet. The latter can only |
96 |
stack to crash a machine with a single packet. The latter can only |
97 |
be fixed by applying a bug fix to the kernel. Attacks on servers |
97 |
be fixed by applying a bug fix to the kernel. Attacks on servers |
98 |
can often be fixed by properly specifying options to limit the load |
98 |
can often be fixed by properly specifying options to limit the load |
99 |
the servers incur on the system under adverse conditions. |
99 |
the servers incur on the system under adverse conditions. |
100 |
Brute-force network attacks are harder to deal with. A |
100 |
Brute-force network attacks are harder to deal with. A |
101 |
spoofed-packet attack, for example, is nearly impossible to stop |
101 |
spoofed-packet attack, for example, is nearly impossible to stop, |
102 |
short of cutting your system off from the Internet. It may not be |
102 |
short of cutting your system off from the Internet. It may not be |
103 |
able to take your machine down, but it can saturate your |
103 |
able to take your machine down, but it can saturate your |
104 |
Internet connection.</para> |
104 |
Internet connection.</para> |
Lines 125-131
Link Here
|
125 |
account does not necessarily give the attacker access to root. The |
125 |
account does not necessarily give the attacker access to root. The |
126 |
distinction is important because without access to root the attacker |
126 |
distinction is important because without access to root the attacker |
127 |
cannot generally hide his tracks and may, at best, be able to do |
127 |
cannot generally hide his tracks and may, at best, be able to do |
128 |
nothing more than mess with the user's files or crash the machine. |
128 |
nothing more than mess with the user's files, or crash the machine. |
129 |
User account compromises are very common because users tend not to |
129 |
User account compromises are very common because users tend not to |
130 |
take the precautions that sysadmins take.</para> |
130 |
take the precautions that sysadmins take.</para> |
131 |
|
131 |
|
Lines 145-155
Link Here
|
145 |
to install a backdoor. Many of the root holes |
145 |
to install a backdoor. Many of the root holes |
146 |
found and closed to date involve a considerable amount of work |
146 |
found and closed to date involve a considerable amount of work |
147 |
by the attacker to cleanup after himself, so most attackers install |
147 |
by the attacker to cleanup after himself, so most attackers install |
148 |
backdoors. Backdoors provide the attacker with a way to easily |
148 |
backdoors. A backdoor provides the attacker with a way to easily |
149 |
regain root access to the system, but it also gives the smart |
149 |
regain root access to the system, but it also gives the smart |
150 |
system administrator a convenient way to detect the intrusion. |
150 |
system administrator a convenient way to detect the intrusion. |
151 |
Making it impossible for an attacker to install a backdoor may |
151 |
Making it impossible for an attacker to install a backdoor may |
152 |
actually be detrimental to your security because it will not |
152 |
actually be detrimental to your security, because it will not |
153 |
close off the hole the attacker found to break in the first |
153 |
close off the hole the attacker found to break in the first |
154 |
place.</para> |
154 |
place.</para> |
155 |
|
155 |
|
Lines 294-300
Link Here
|
294 |
guarantees that staff members can only login through secure |
294 |
guarantees that staff members can only login through secure |
295 |
access methods that you have setup. This forces all staff |
295 |
access methods that you have setup. This forces all staff |
296 |
members to use secure, encrypted connections for all of their |
296 |
members to use secure, encrypted connections for all of their |
297 |
sessions which closes an important hole used by many |
297 |
sessions, which closes an important hole used by many |
298 |
intruders: That of sniffing the network from an unrelated, |
298 |
intruders: That of sniffing the network from an unrelated, |
299 |
less secure machine.</para> |
299 |
less secure machine.</para> |
300 |
|
300 |
|
Lines 307-322
Link Here
|
307 |
you should run a password-protected screen blanker. Of course, |
307 |
you should run a password-protected screen blanker. Of course, |
308 |
given physical access to a workstation an attacker can break any |
308 |
given physical access to a workstation an attacker can break any |
309 |
sort of security you put on it. This is definitely a problem that |
309 |
sort of security you put on it. This is definitely a problem that |
310 |
you should consider but you should also consider the fact that the |
310 |
you should consider, but you should also consider the fact that the |
311 |
vast majority of break-ins occur remotely, over a network, from |
311 |
vast majority of break-ins occur remotely, over a network, from |
312 |
people who do not have physical access to your workstation or |
312 |
people who do not have physical access to your workstation or |
313 |
servers.</para> |
313 |
servers.</para> |
314 |
<indexterm><primary>Kerberos</primary></indexterm> |
314 |
<indexterm><primary>Kerberos</primary></indexterm> |
315 |
|
315 |
|
316 |
<para>Using something like kerberos also gives you the ability to |
316 |
<para>Using something like kerberos also gives you the ability to |
317 |
disable or change the password for a staff account in one place |
317 |
disable or change the password for a staff account in one place, |
318 |
and have it immediately effect all the machine the staff member |
318 |
and have it immediately effect all the machines on which the staff |
319 |
may have an account on. If a staff member's account gets |
319 |
member may have an account. If a staff member's account gets |
320 |
compromised, the ability to instantly change his password on all |
320 |
compromised, the ability to instantly change his password on all |
321 |
machines should not be underrated. With discrete passwords, |
321 |
machines should not be underrated. With discrete passwords, |
322 |
changing a password on N machines can be a mess. You can also |
322 |
changing a password on N machines can be a mess. You can also |
Lines 363-369
Link Here
|
363 |
example, the <application>ntalk</application>, |
363 |
example, the <application>ntalk</application>, |
364 |
<application>comsat</application>, and |
364 |
<application>comsat</application>, and |
365 |
<application>finger</application> daemons can be run in special |
365 |
<application>finger</application> daemons can be run in special |
366 |
user <literal>sandboxes</literal>. A sandbox isn't perfect unless |
366 |
user <literal>sandboxes</literal>. A sandbox is not perfect, unless |
367 |
you go to a large amount of trouble, but the onion approach to |
367 |
you go to a large amount of trouble, but the onion approach to |
368 |
security still stands: If someone is able to break in through |
368 |
security still stands: If someone is able to break in through |
369 |
a server running in a sandbox, they still have to break out of the |
369 |
a server running in a sandbox, they still have to break out of the |
Lines 403-409
Link Here
|
403 |
run these servers as root and rely on other mechanisms to detect |
403 |
run these servers as root and rely on other mechanisms to detect |
404 |
break-ins that might occur through them.</para> |
404 |
break-ins that might occur through them.</para> |
405 |
|
405 |
|
406 |
<para>The other big potential root hole in a system are the |
406 |
<para>The other big potential root holes in a system are the |
407 |
suid-root and sgid binaries installed on the system. Most of |
407 |
suid-root and sgid binaries installed on the system. Most of |
408 |
these binaries, such as <application>rlogin</application>, reside |
408 |
these binaries, such as <application>rlogin</application>, reside |
409 |
in <filename>/bin</filename>, <filename>/sbin</filename>, |
409 |
in <filename>/bin</filename>, <filename>/sbin</filename>, |
Lines 414-425
Link Here
|
414 |
<literal>Xlib</literal> in 1998 that made |
414 |
<literal>Xlib</literal> in 1998 that made |
415 |
<application>xterm</application> (which is typically suid) |
415 |
<application>xterm</application> (which is typically suid) |
416 |
vulnerable. It is better to be safe than sorry and the prudent |
416 |
vulnerable. It is better to be safe than sorry and the prudent |
417 |
sysadmin will restrict suid binaries that only staff should run to |
417 |
sysadmin will restrict suid binaries, that only staff should run, |
418 |
a special group that only staff can access, and get rid of |
418 |
to a special group that only staff can access, and get rid of |
419 |
(<command>chmod 000</command>) any suid binaries that nobody uses. |
419 |
(<command>chmod 000</command>) any suid binaries that nobody uses. |
420 |
A server with no display generally does not need an |
420 |
A server with no display generally does not need an |
421 |
<application>xterm</application> binary. Sgid binaries can be |
421 |
<application>xterm</application> binary. Sgid binaries can be |
422 |
almost as dangerous. If an intruder can break an sgid-kmem binary |
422 |
almost as dangerous. If an intruder can break an sgid-kmem binary, |
423 |
the intruder might be able to read <filename>/dev/kmem</filename> |
423 |
the intruder might be able to read <filename>/dev/kmem</filename> |
424 |
and thus read the crypted password file, potentially compromising |
424 |
and thus read the crypted password file, potentially compromising |
425 |
any passworded account. Alternatively an intruder who breaks |
425 |
any passworded account. Alternatively an intruder who breaks |
Lines 439-449
Link Here
|
439 |
you can impose Draconian access restrictions on your staff and |
439 |
you can impose Draconian access restrictions on your staff and |
440 |
<literal>*</literal> out their passwords, you may not be able to |
440 |
<literal>*</literal> out their passwords, you may not be able to |
441 |
do so with any general user accounts you might have. If you do |
441 |
do so with any general user accounts you might have. If you do |
442 |
have sufficient control then you may win out and be able to secure |
442 |
have sufficient control, then you may win out and be able to secure |
443 |
the user accounts properly. If not, you simply have to be more |
443 |
the user accounts properly. If not, you simply have to be more |
444 |
vigilant in your monitoring of those accounts. Use of |
444 |
vigilant in your monitoring of those accounts. Use of |
445 |
<application>ssh</application> and kerberos for user accounts is |
445 |
<application>ssh</application> and kerberos for user accounts is |
446 |
more problematic due to the extra administration and technical |
446 |
more problematic, due to the extra administration and technical |
447 |
support required, but still a very good solution compared to a |
447 |
support required, but still a very good solution compared to a |
448 |
crypted password file.</para> |
448 |
crypted password file.</para> |
449 |
</sect2> |
449 |
</sect2> |
Lines 485-492
Link Here
|
485 |
to worry about. For that matter, the intruder can still write to |
485 |
to worry about. For that matter, the intruder can still write to |
486 |
raw disk devices. Also, there is another kernel feature called |
486 |
raw disk devices. Also, there is another kernel feature called |
487 |
the module loader, &man.kldload.8;. An enterprising intruder can |
487 |
the module loader, &man.kldload.8;. An enterprising intruder can |
488 |
use a KLD module to install his own bpf device or other sniffing |
488 |
use a KLD module to install his own bpf device, or other sniffing |
489 |
device on a running kernel. To avoid these problems you have to |
489 |
device, on a running kernel. To avoid these problems you have to |
490 |
run the kernel at a higher secure level, at least securelevel 1. |
490 |
run the kernel at a higher secure level, at least securelevel 1. |
491 |
The securelevel can be set with a <command>sysctl</command> on |
491 |
The securelevel can be set with a <command>sysctl</command> on |
492 |
the <literal>kern.securelevel</literal> variable. Once you have |
492 |
the <literal>kern.securelevel</literal> variable. Once you have |
Lines 516-528
Link Here
|
516 |
convenience factor rears its ugly head. For example, using |
516 |
convenience factor rears its ugly head. For example, using |
517 |
<command>chflags</command> to set the <literal>schg</literal> bit |
517 |
<command>chflags</command> to set the <literal>schg</literal> bit |
518 |
on most of the files in <filename>/</filename> and |
518 |
on most of the files in <filename>/</filename> and |
519 |
<filename>/usr</filename> is probably counterproductive because |
519 |
<filename>/usr</filename> is probably counterproductive, because |
520 |
while it may protect the files, it also closes a detection window. |
520 |
while it may protect the files, it also closes a detection window. |
521 |
The last layer of your security onion is perhaps the most |
521 |
The last layer of your security onion is perhaps the most |
522 |
important – detection. The rest of your security is pretty |
522 |
important – detection. The rest of your security is pretty |
523 |
much useless (or, worse, presents you with a false sense of |
523 |
much useless (or, worse, presents you with a false sense of |
524 |
safety) if you cannot detect potential incursions. Half the job |
524 |
safety) if you cannot detect potential incursions. Half the job |
525 |
of the onion is to slow down the attacker rather than stop him in |
525 |
of the onion is to slow down the attacker, rather than stop him, in |
526 |
order to give the detection side of the equation a chance to catch |
526 |
order to give the detection side of the equation a chance to catch |
527 |
him in the act.</para> |
527 |
him in the act.</para> |
528 |
|
528 |
|
Lines 536-563
Link Here
|
536 |
other machines in the business, usually either by doing a |
536 |
other machines in the business, usually either by doing a |
537 |
read-only NFS export of the other machines to the limited-access |
537 |
read-only NFS export of the other machines to the limited-access |
538 |
box, or by setting up <application>ssh</application> key-pairs to |
538 |
box, or by setting up <application>ssh</application> key-pairs to |
539 |
allow the limit-access box to <application>ssh</application> to |
539 |
allow the limited-access box to <application>ssh</application> to |
540 |
the other machines. Except for its network traffic, NFS is the |
540 |
the other machines. Except for its network traffic, NFS is the |
541 |
least visible method – allowing you to monitor the |
541 |
least visible method – allowing you to monitor the |
542 |
filesystems on each client box virtually undetected. If your |
542 |
filesystems on each client box virtually undetected. If your |
543 |
limited-access server is connected to the client boxes through a |
543 |
limited-access server is connected to the client boxes through a |
544 |
switch, the NFS method is often the better choice. If your |
544 |
switch, the NFS method is often the better choice. If your |
545 |
limited-access server is connected to the client boxes through a |
545 |
limited-access server is connected to the client boxes through a |
546 |
hub or through several layers of routing, the NFS method may be |
546 |
hub, or through several layers of routing, the NFS method may be |
547 |
too insecure (network-wise) and using |
547 |
too insecure (network-wise) and using |
548 |
<application>ssh</application> may be the better choice even with |
548 |
<application>ssh</application> may be the better choice even with |
549 |
the audit-trail tracks that <application>ssh</application> |
549 |
the audit-trail tracks that <application>ssh</application> |
550 |
lays.</para> |
550 |
lays.</para> |
551 |
|
551 |
|
552 |
<para>Once you give a limit-access box at least read access to the |
552 |
<para>Once you give a limited-access box, at least read access to the |
553 |
client systems it is supposed to monitor, you must write scripts |
553 |
client systems it is supposed to monitor, you must write scripts |
554 |
to do the actual monitoring. Given an NFS mount, you can write |
554 |
to do the actual monitoring. Given an NFS mount, you can write |
555 |
scripts out of simple system utilities such as &man.find.1; and |
555 |
scripts out of simple system utilities such as &man.find.1; and |
556 |
&man.md5.1;. It is best to physically md5 the client-box files |
556 |
&man.md5.1;. It is best to physically md5 the client-box files |
557 |
boxes at least once a day, and to test control files such as those |
557 |
at least once a day, and to test control files such as those |
558 |
found in <filename>/etc</filename> and |
558 |
found in <filename>/etc</filename> and |
559 |
<filename>/usr/local/etc</filename> even more often. When |
559 |
<filename>/usr/local/etc</filename> even more often. When |
560 |
mismatches are found relative to the base md5 information the |
560 |
mismatches are found, relative to the base md5 information the |
561 |
limited-access machine knows is valid, it should scream at a |
561 |
limited-access machine knows is valid, it should scream at a |
562 |
sysadmin to go check it out. A good security script will also |
562 |
sysadmin to go check it out. A good security script will also |
563 |
check for inappropriate suid binaries and for new or deleted files |
563 |
check for inappropriate suid binaries and for new or deleted files |
Lines 572-578
Link Here
|
572 |
scripts use. The <application>ssh</application> daemon on the |
572 |
scripts use. The <application>ssh</application> daemon on the |
573 |
client box may already be compromised. All in all, using |
573 |
client box may already be compromised. All in all, using |
574 |
<application>ssh</application> may be necessary when running over |
574 |
<application>ssh</application> may be necessary when running over |
575 |
unsecure links, but it's also a lot harder to deal with.</para> |
575 |
unsecure links, but it is also a lot harder to deal with.</para> |
576 |
|
576 |
|
577 |
<para>A good security script will also check for changes to user and |
577 |
<para>A good security script will also check for changes to user and |
578 |
staff members access configuration files: |
578 |
staff members access configuration files: |
Lines 581-592
Link Here
|
581 |
files that might fall outside the purview of the |
581 |
files that might fall outside the purview of the |
582 |
<literal>MD5</literal> check.</para> |
582 |
<literal>MD5</literal> check.</para> |
583 |
|
583 |
|
584 |
<para>If you have a huge amount of user disk space it may take too |
584 |
<para>If you have a huge amount of user disk space, it may take too |
585 |
long to run through every file on those partitions. In this case, |
585 |
long to run through every file on those partitions. In this case, |
586 |
setting mount flags to disallow suid binaries and devices on those |
586 |
setting mount flags to disallow suid binaries and devices on those |
587 |
partitions is a good idea. The <literal>nodev</literal> and |
587 |
partitions is a good idea. The <literal>nodev</literal> and |
588 |
<literal>nosuid</literal> options (see &man.mount.8;) are what you |
588 |
<literal>nosuid</literal> options (see &man.mount.8;) are what you |
589 |
want to look into. You should probably scan them anyway at least |
589 |
want to look into. You should probably scan them anyway, at least |
590 |
once a week, since the object of this layer is to detect a break-in |
590 |
once a week, since the object of this layer is to detect a break-in |
591 |
whether or not the break-in is effective.</para> |
591 |
whether or not the break-in is effective.</para> |
592 |
|
592 |
|
Lines 597-603
Link Here
|
597 |
a system, assuming the file is still intact after the break-in |
597 |
a system, assuming the file is still intact after the break-in |
598 |
occurs.</para> |
598 |
occurs.</para> |
599 |
|
599 |
|
600 |
<para>Finally, security scripts should process the log files and the |
600 |
<para>Finally, security scripts should process the log files, and the |
601 |
logs themselves should be generated in as secure a manner as |
601 |
logs themselves should be generated in as secure a manner as |
602 |
possible – remote syslog can be very useful. An intruder |
602 |
possible – remote syslog can be very useful. An intruder |
603 |
tries to cover his tracks, and log files are critical to the |
603 |
tries to cover his tracks, and log files are critical to the |
Lines 612-624
Link Here
|
612 |
<title>Paranoia</title> |
612 |
<title>Paranoia</title> |
613 |
|
613 |
|
614 |
<para>A little paranoia never hurts. As a rule, a sysadmin can add |
614 |
<para>A little paranoia never hurts. As a rule, a sysadmin can add |
615 |
any number of security features as long as they do not effect |
615 |
any number of security features, as long as they do not effect |
616 |
convenience, and can add security features that do effect |
616 |
convenience, and can add security features that |
617 |
convenience with some added thought. Even more importantly, a |
617 |
<emphasis>do</emphasis> effect convenience with some added thought. |
618 |
security administrator should mix it up a bit – if you use |
618 |
Even more importantly, a security administrator should mix it up a |
619 |
recommendations such as those given by this document verbatim, you |
619 |
bit – if you use recommendations such as those given by this |
620 |
give away your methodologies to the prospective attacker who also |
620 |
document verbatim, you give away your methodologies to the |
621 |
has access to this document.</para> |
621 |
prospective attacker who also has access to this document.</para> |
622 |
</sect2> |
622 |
</sect2> |
623 |
|
623 |
|
624 |
<sect2> |
624 |
<sect2> |
Lines 647-656
Link Here
|
647 |
</orderedlist> |
647 |
</orderedlist> |
648 |
|
648 |
|
649 |
<para>A common DoS attack is against a forking server that attempts |
649 |
<para>A common DoS attack is against a forking server that attempts |
650 |
to cause the server to eat processes, file descriptors, and memory |
650 |
to cause the server to eat processes, file descriptors, and memory, |
651 |
until the machine dies. Inetd (see &man.inetd.8;) has several |
651 |
until the machine dies. Inetd (see &man.inetd.8;) has several |
652 |
options to limit this sort of attack. It should be noted that |
652 |
options to limit this sort of attack. It should be noted that |
653 |
while it is possible to prevent a machine from going down it is |
653 |
while it is possible to prevent a machine from going down, it is |
654 |
not generally possible to prevent a service from being disrupted |
654 |
not generally possible to prevent a service from being disrupted |
655 |
by the attack. Read the inetd manual page carefully and pay |
655 |
by the attack. Read the inetd manual page carefully and pay |
656 |
specific attention to the <option>-c</option>, <option>-C</option>, |
656 |
specific attention to the <option>-c</option>, <option>-C</option>, |
Lines 660-671
Link Here
|
660 |
servers have self-fork-limitation parameters.</para> |
660 |
servers have self-fork-limitation parameters.</para> |
661 |
|
661 |
|
662 |
<para><application>Sendmail</application> has its |
662 |
<para><application>Sendmail</application> has its |
663 |
<option>-OMaxDaemonChildren</option> option which tends to work |
663 |
<option>-OMaxDaemonChildren</option> option, which tends to work |
664 |
much better than trying to use sendmail's load limiting options |
664 |
much better than trying to use sendmail's load limiting options |
665 |
due to the load lag. You should specify a |
665 |
due to the load lag. You should specify a |
666 |
<literal>MaxDaemonChildren</literal> parameter when you start |
666 |
<literal>MaxDaemonChildren</literal> parameter, when you start |
667 |
<application>sendmail</application> high enough to handle your |
667 |
<application>sendmail</application>, high enough to handle your |
668 |
expected load but no so high that the computer cannot handle that |
668 |
expected load, but not so high that the computer cannot handle that |
669 |
number of <application>sendmails</application> without falling on |
669 |
number of <application>sendmails</application> without falling on |
670 |
its face. It is also prudent to run sendmail in queued mode |
670 |
its face. It is also prudent to run sendmail in queued mode |
671 |
(<option>-ODeliveryMode=queued</option>) and to run the daemon |
671 |
(<option>-ODeliveryMode=queued</option>) and to run the daemon |
Lines 673-680
Link Here
|
673 |
(<command>sendmail -q15m</command>). If you still want real-time |
673 |
(<command>sendmail -q15m</command>). If you still want real-time |
674 |
delivery you can run the queue at a much lower interval, such as |
674 |
delivery you can run the queue at a much lower interval, such as |
675 |
<option>-q1m</option>, but be sure to specify a reasonable |
675 |
<option>-q1m</option>, but be sure to specify a reasonable |
676 |
<literal>MaxDaemonChildren</literal> option for that sendmail to |
676 |
<literal>MaxDaemonChildren</literal> option for |
677 |
prevent cascade failures.</para> |
677 |
<emphasis>that</emphasis> sendmail to prevent cascade failures. |
|
|
678 |
</para> |
678 |
|
679 |
|
679 |
<para><application>Syslogd</application> can be attacked directly |
680 |
<para><application>Syslogd</application> can be attacked directly |
680 |
and it is strongly recommended that you use the <option>-s</option> |
681 |
and it is strongly recommended that you use the <option>-s</option> |
Lines 701-717
Link Here
|
701 |
services. If you try to configure the firewall the other way |
702 |
services. If you try to configure the firewall the other way |
702 |
– as an inclusive or permissive firewall, there is a good |
703 |
– as an inclusive or permissive firewall, there is a good |
703 |
chance that you will forget to <quote>close</quote> a couple of |
704 |
chance that you will forget to <quote>close</quote> a couple of |
704 |
services or that you will add a new internal service and forget |
705 |
services, or that you will add a new internal service and forget |
705 |
to update the firewall. You can still open up the high-numbered |
706 |
to update the firewall. You can still open up the high-numbered |
706 |
port range on the firewall to allow permissive-like operation |
707 |
port range on the firewall, to allow permissive-like operation, |
707 |
without compromising your low ports. Also take note that FreeBSD |
708 |
without compromising your low ports. Also take note that FreeBSD |
708 |
allows you to control the range of port numbers used for dynamic |
709 |
allows you to control the range of port numbers used for dynamic |
709 |
binding via the various <literal>net.inet.ip.portrange</literal> |
710 |
binding, via the various <literal>net.inet.ip.portrange</literal> |
710 |
<command>sysctl</command>'s (<command>sysctl -a | fgrep |
711 |
<command>sysctl</command>'s (<command>sysctl -a | fgrep |
711 |
portrange</command>), which can also ease the complexity of your |
712 |
portrange</command>), which can also ease the complexity of your |
712 |
firewall's configuration. For example, you might use a normal |
713 |
firewall's configuration. For example, you might use a normal |
713 |
first/last range of 4000 to 5000, and a hiport range of 49152 to |
714 |
first/last range of 4000 to 5000, and a hiport range of 49152 to |
714 |
65535, then block everything under 4000 off in your firewall |
715 |
65535, then block off everything under 4000 in your firewall |
715 |
(except for certain specific Internet-accessible ports, of |
716 |
(except for certain specific Internet-accessible ports, of |
716 |
course).</para> |
717 |
course).</para> |
717 |
|
718 |
|
Lines 776-785
Link Here
|
776 |
</orderedlist> |
777 |
</orderedlist> |
777 |
|
778 |
|
778 |
<para>If your servers are connected to the Internet via a T3 or |
779 |
<para>If your servers are connected to the Internet via a T3 or |
779 |
better it may be prudent to manually override both |
780 |
better, it may be prudent to manually override both |
780 |
<literal>rtexpire</literal> and <literal>rtminexpire</literal> |
781 |
<literal>rtexpire</literal> and <literal>rtminexpire</literal> |
781 |
via &man.sysctl.8;. Never set either parameter to zero (unless |
782 |
via &man.sysctl.8;. Never set either parameter to zero (unless |
782 |
you want to crash the machine. Setting both |
783 |
you want to crash the machine). Setting both |
783 |
parameters to 2 seconds should be sufficient to protect the route |
784 |
parameters to 2 seconds should be sufficient to protect the route |
784 |
table from attack.</para> |
785 |
table from attack.</para> |
785 |
</sect2> |
786 |
</sect2> |
Lines 792-798
Link Here
|
792 |
<para>There are a few issues with both kerberos and |
793 |
<para>There are a few issues with both kerberos and |
793 |
<application>ssh</application> that need to be addressed if |
794 |
<application>ssh</application> that need to be addressed if |
794 |
you intend to use them. Kerberos V is an excellent |
795 |
you intend to use them. Kerberos V is an excellent |
795 |
authentication protocol but there are bugs in the kerberized |
796 |
authentication protocol, but there are bugs in the kerberized |
796 |
<application>telnet</application> and |
797 |
<application>telnet</application> and |
797 |
<application>rlogin</application> applications that make them |
798 |
<application>rlogin</application> applications that make them |
798 |
unsuitable for dealing with binary streams. Also, by default |
799 |
unsuitable for dealing with binary streams. Also, by default |
Lines 807-813
Link Here
|
807 |
<application>ssh</application> to an unsecure machine, your keys |
808 |
<application>ssh</application> to an unsecure machine, your keys |
808 |
becomes exposed. The actual keys themselves are not exposed, but |
809 |
becomes exposed. The actual keys themselves are not exposed, but |
809 |
<application>ssh</application> installs a forwarding port for the |
810 |
<application>ssh</application> installs a forwarding port for the |
810 |
duration of your login and if a attacker has broken root on the |
811 |
duration of your login, and if an attacker has broken root on the |
811 |
unsecure machine he can utilize that port to use your keys to gain |
812 |
unsecure machine he can utilize that port to use your keys to gain |
812 |
access to any other machine that your keys unlock.</para> |
813 |
access to any other machine that your keys unlock.</para> |
813 |
|
814 |
|
Lines 857-867
Link Here
|
857 |
|
858 |
|
858 |
<para>Unfortunately the only secure way to encrypt passwords when |
859 |
<para>Unfortunately the only secure way to encrypt passwords when |
859 |
Unix came into being was based on DES, the Data Encryption |
860 |
Unix came into being was based on DES, the Data Encryption |
860 |
Standard. This is not such a problem for users that live in |
861 |
Standard. This was not such a problem for users resident in |
861 |
the US, but since the source code for DES could not be exported |
862 |
the US, but since the source code for DES could not be exported |
862 |
outside the US, FreeBSD had to find a way to both comply with |
863 |
outside the US, FreeBSD had to find a way to both comply with |
863 |
US law and retain compatibility with all the other Unix |
864 |
US law and retain compatibility with all the other Unix |
864 |
variants that still use DES.</para> |
865 |
variants that still used DES.</para> |
865 |
|
866 |
|
866 |
<para>The solution was to divide up the encryption libraries |
867 |
<para>The solution was to divide up the encryption libraries |
867 |
so that US users could install the DES libraries and use |
868 |
so that US users could install the DES libraries and use |
Lines 877-883
Link Here
|
877 |
<para>It is pretty easy to identify which encryption method |
878 |
<para>It is pretty easy to identify which encryption method |
878 |
FreeBSD is set up to use. Examining the encrypted passwords in |
879 |
FreeBSD is set up to use. Examining the encrypted passwords in |
879 |
the <filename>/etc/master.passwd</filename> file is one way. |
880 |
the <filename>/etc/master.passwd</filename> file is one way. |
880 |
Passwords encrypted with the MD5 hash are longer than those with |
881 |
Passwords encrypted with the MD5 hash are longer than those |
881 |
encrypted with the DES hash and also begin with the characters |
882 |
encrypted with the DES hash and also begin with the characters |
882 |
<literal>$1$</literal>. DES password strings do not |
883 |
<literal>$1$</literal>. DES password strings do not |
883 |
have any particular identifying characteristics, but they are |
884 |
have any particular identifying characteristics, but they are |
Lines 896-902
Link Here
|
896 |
|
897 |
|
897 |
<para>Identifying which library is being used by the programs on |
898 |
<para>Identifying which library is being used by the programs on |
898 |
your system is easy as well. Any program that uses crypt is linked |
899 |
your system is easy as well. Any program that uses crypt is linked |
899 |
against libcrypt which for each type of library is a symbolic link |
900 |
against libcrypt, which for each type of library is a symbolic link |
900 |
to the appropriate implementation. For example, on a system using |
901 |
to the appropriate implementation. For example, on a system using |
901 |
the DES versions:</para> |
902 |
the DES versions:</para> |
902 |
|
903 |
|
Lines 980-986
Link Here
|
980 |
will discuss below. The <command>key</command> program accepts an |
981 |
will discuss below. The <command>key</command> program accepts an |
981 |
iteration count, a seed, and a secret password, and generates a |
982 |
iteration count, a seed, and a secret password, and generates a |
982 |
one-time password. The <command>keyinit</command> program is used |
983 |
one-time password. The <command>keyinit</command> program is used |
983 |
to initialized S/Key, and to change passwords, iteration counts, or |
984 |
to initialize S/Key, and to change passwords, iteration counts, or |
984 |
seeds; it takes either a secret password, or an iteration count, |
985 |
seeds; it takes either a secret password, or an iteration count, |
985 |
seed, and one-time password. The <command>keyinfo</command> program |
986 |
seed, and one-time password. The <command>keyinfo</command> program |
986 |
examines the <filename>/etc/skeykeys</filename> file and prints out |
987 |
examines the <filename>/etc/skeykeys</filename> file and prints out |
Lines 1261-1267
Link Here
|
1261 |
<para>If any additional files (such as <filename>principal.*</filename> |
1262 |
<para>If any additional files (such as <filename>principal.*</filename> |
1262 |
or <filename>master_key</filename>) exist, then use the |
1263 |
or <filename>master_key</filename>) exist, then use the |
1263 |
<command>kdb_destroy</command> command to destroy the old Kerberos |
1264 |
<command>kdb_destroy</command> command to destroy the old Kerberos |
1264 |
database, of if Kerberos is not running, simply delete the extra |
1265 |
database, or if Kerberos is not running, simply delete the extra |
1265 |
files.</para> |
1266 |
files.</para> |
1266 |
|
1267 |
|
1267 |
<para>You should now edit the <filename>krb.conf</filename> and |
1268 |
<para>You should now edit the <filename>krb.conf</filename> and |
Lines 1429-1435
Link Here
|
1429 |
Generating 'grunt-new-srvtab'....</screen> |
1430 |
Generating 'grunt-new-srvtab'....</screen> |
1430 |
|
1431 |
|
1431 |
<para>Now, this command only generates a temporary file which must be |
1432 |
<para>Now, this command only generates a temporary file which must be |
1432 |
renamed to <filename>srvtab</filename> so that all the server can pick |
1433 |
renamed to <filename>srvtab</filename> so that all the servers can pick |
1433 |
it up. Use the <command>mv</command> command to move it into place on |
1434 |
it up. Use the <command>mv</command> command to move it into place on |
1434 |
the original system:</para> |
1435 |
the original system:</para> |
1435 |
|
1436 |
|
Lines 1955-1961
Link Here
|
1955 |
separate firewall and accounting entries. The present version |
1956 |
separate firewall and accounting entries. The present version |
1956 |
provides packet accounting with each firewall entry.</para> |
1957 |
provides packet accounting with each firewall entry.</para> |
1957 |
|
1958 |
|
1958 |
<para>If an <emphasis>index</emphasis> value is supplied, it used to |
1959 |
<para>If an <emphasis>index</emphasis> value is supplied, it is used to |
1959 |
place the entry at a specific point in the chain. Otherwise, the |
1960 |
place the entry at a specific point in the chain. Otherwise, the |
1960 |
entry is placed at the end of the chain at an index 100 greater than |
1961 |
entry is placed at the end of the chain at an index 100 greater than |
1961 |
the last chain entry (this does not include the default policy, rule |
1962 |
the last chain entry (this does not include the default policy, rule |
Lines 2169-2175
Link Here
|
2169 |
|
2170 |
|
2170 |
<listitem> |
2171 |
<listitem> |
2171 |
<para>Matches if the packet is an attempt to establish a TCP |
2172 |
<para>Matches if the packet is an attempt to establish a TCP |
2172 |
connection (the SYN bit set is set but the ACK bit is |
2173 |
connection (the SYN bit is set but the ACK bit is |
2173 |
not).</para> |
2174 |
not).</para> |
2174 |
</listitem> |
2175 |
</listitem> |
2175 |
</varlistentry> |
2176 |
</varlistentry> |
Lines 2348-2354
Link Here
|
2348 |
through the firewall, so large FTP/http transfers, etc, will really |
2349 |
through the firewall, so large FTP/http transfers, etc, will really |
2349 |
slow the system down. It also increases the latencies on those |
2350 |
slow the system down. It also increases the latencies on those |
2350 |
packets as it requires more work to be done by the kernel before the |
2351 |
packets as it requires more work to be done by the kernel before the |
2351 |
packet can be passed on. syslogd with also start using up a lot |
2352 |
packet can be passed on. syslogd will also start using up a lot |
2352 |
more processor time as it logs all the extra data to disk, and it |
2353 |
more processor time as it logs all the extra data to disk, and it |
2353 |
could quite easily fill the partition <filename>/var/log</filename> |
2354 |
could quite easily fill the partition <filename>/var/log</filename> |
2354 |
is located on.</para> |
2355 |
is located on.</para> |
Lines 2383-2394
Link Here
|
2383 |
<listitem> |
2384 |
<listitem> |
2384 |
<para>Block <emphasis>all</emphasis> incoming UDP traffic. There |
2385 |
<para>Block <emphasis>all</emphasis> incoming UDP traffic. There |
2385 |
are very few useful services that travel over UDP, and what useful |
2386 |
are very few useful services that travel over UDP, and what useful |
2386 |
traffic there is normally a security threat (e.g. Suns RPC and |
2387 |
traffic there is, is normally a security threat (e.g. Suns RPC and |
2387 |
NFS protocols). This has its disadvantages also, since UDP is a |
2388 |
NFS protocols). This has its disadvantages also, since UDP is a |
2388 |
connectionless protocol, denying incoming UDP traffic also blocks |
2389 |
connectionless protocol, denying incoming UDP traffic also blocks |
2389 |
the replies to outgoing UDP traffic. This can cause a problem for |
2390 |
the replies to outgoing UDP traffic. This can cause a problem for |
2390 |
people (on the inside) using external archie (prospero) servers. |
2391 |
people (on the inside) using external archie (prospero) servers. |
2391 |
If you want to allow access to archie, you'll have to allow |
2392 |
If you want to allow access to archie, you will have to allow |
2392 |
packets coming from ports 191 and 1525 to any internal UDP port |
2393 |
packets coming from ports 191 and 1525 to any internal UDP port |
2393 |
through the firewall. ntp is another service you may consider |
2394 |
through the firewall. ntp is another service you may consider |
2394 |
allowing through, which comes from port 123.</para> |
2395 |
allowing through, which comes from port 123.</para> |
Lines 2475-2481
Link Here
|
2475 |
<para><emphasis>Contributed by &a.shin;, 5 March |
2476 |
<para><emphasis>Contributed by &a.shin;, 5 March |
2476 |
2000.</emphasis></para> |
2477 |
2000.</emphasis></para> |
2477 |
|
2478 |
|
2478 |
<para>The IPsec mechanism provides secure communication either for IP |
2479 |
<para>The IPsec mechanism provides secure communication for IP |
2479 |
layer and socket layer communication. This section should |
2480 |
layer and socket layer communication. This section should |
2480 |
explain how to use them. For implementation details, please |
2481 |
explain how to use them. For implementation details, please |
2481 |
refer to <ulink |
2482 |
refer to <ulink |
Lines 2496-2507
Link Here
|
2496 |
<sect2> |
2497 |
<sect2> |
2497 |
<title>Transport mode example with IPv4</title> |
2498 |
<title>Transport mode example with IPv4</title> |
2498 |
|
2499 |
|
2499 |
<para>Let's setup security association to deploy a secure channel |
2500 |
<para>Let us setup security association to deploy a secure channel |
2500 |
between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little |
2501 |
between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little |
2501 |
complicated example. From HOST A to HOST B, only old AH is used. |
2502 |
complicated example. From HOST A to HOST B, only old AH is used. |
2502 |
From HOST B to HOST A, new AH and new ESP are combined.</para> |
2503 |
From HOST B to HOST A, new AH and new ESP are combined.</para> |
2503 |
|
2504 |
|
2504 |
<para>Now we should choose algorithm to be used corresponding to |
2505 |
<para>Now we should choose an algorithm to be used corresponding to |
2505 |
"AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man |
2506 |
"AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man |
2506 |
page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 |
2507 |
page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 |
2507 |
for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para> |
2508 |
for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para> |
Lines 2511-2517
Link Here
|
2511 |
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", |
2512 |
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", |
2512 |
"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para> |
2513 |
"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para> |
2513 |
|
2514 |
|
2514 |
<para>OK, let's assign SPI (Security Parameter Index) for each protocol. |
2515 |
<para>OK, let us assign SPI (Security Parameter Index) for each protocol. |
2515 |
Please note that we need 3 SPIs for this secure channel since three |
2516 |
Please note that we need 3 SPIs for this secure channel since three |
2516 |
security headers are produced (one for from HOST A to HOST B, two for |
2517 |
security headers are produced (one for from HOST A to HOST B, two for |
2517 |
from HOST B to HOST A). Please also note that SPI MUST be greater |
2518 |
from HOST B to HOST A). Please also note that SPI MUST be greater |
Lines 2546-2552
Link Here
|
2546 |
SPI=3000 |
2547 |
SPI=3000 |
2547 |
</screen> |
2548 |
</screen> |
2548 |
|
2549 |
|
2549 |
<para>Now, let's setup security association. Execute &man.setkey.8; |
2550 |
<para>Now, let us setup security association. Execute &man.setkey.8; |
2550 |
on both HOST A and B:</para> |
2551 |
on both HOST A and B:</para> |
2551 |
|
2552 |
|
2552 |
<screen> |
2553 |
<screen> |
Lines 2557-2564
Link Here
|
2557 |
^D |
2558 |
^D |
2558 |
</screen> |
2559 |
</screen> |
2559 |
|
2560 |
|
2560 |
<para>Actually, IPsec communication doesn't process until security policy |
2561 |
<para>Actually, IPsec communication does not process until security policy |
2561 |
entries will be defined. In this case, you must setup each host.</para> |
2562 |
entries are defined. In this case, you must setup each host.</para> |
2562 |
|
2563 |
|
2563 |
<screen> |
2564 |
<screen> |
2564 |
At A: |
2565 |
At A: |
Lines 2675-2681
Link Here
|
2675 |
EOF |
2676 |
EOF |
2676 |
</screen> |
2677 |
</screen> |
2677 |
|
2678 |
|
2678 |
<para>If port number field is omitted such above then "[any]" is |
2679 |
<para>If the port number field is omitted such as above then "[any]" is |
2679 |
employed. `-m' specifies the mode of SA to be used. "-m any" means |
2680 |
employed. `-m' specifies the mode of SA to be used. "-m any" means |
2680 |
wild-card of mode of security protocol. You can use this SA for both |
2681 |
wild-card of mode of security protocol. You can use this SA for both |
2681 |
tunnel and transport mode.</para> |
2682 |
tunnel and transport mode.</para> |
Lines 2859-2866
Link Here
|
2859 |
<para>The login will continue just as it would have if a session was |
2860 |
<para>The login will continue just as it would have if a session was |
2860 |
created using rlogin or telnet. SSH utilizes a key fingerprint |
2861 |
created using rlogin or telnet. SSH utilizes a key fingerprint |
2861 |
system for verifying the authenticity of the server when the |
2862 |
system for verifying the authenticity of the server when the |
2862 |
client connects. The user is prompted to enter 'yes' only during |
2863 |
client connects. The user is prompted to enter 'yes' only when |
2863 |
the first time connecting. Future attempts to login are all |
2864 |
connecting for the first time. Future attempts to login are all |
2864 |
verified against the saved fingerprint key. The SSH client |
2865 |
verified against the saved fingerprint key. The SSH client |
2865 |
will alert you if the saved fingerprint differs from the |
2866 |
will alert you if the saved fingerprint differs from the |
2866 |
received fingerprint on future login attempts. The fingerprints |
2867 |
received fingerprint on future login attempts. The fingerprints |