|
Lines 559-565
Link Here
|
| 559 |
<title>Securing User Accounts</title> |
559 |
<title>Securing User Accounts</title> |
| 560 |
|
560 |
|
| 561 |
<para>User accounts are usually the most difficult to secure. While |
561 |
<para>User accounts are usually the most difficult to secure. While |
| 562 |
you can impose Draconian access restrictions on your staff and |
562 |
you can impose draconian access restrictions on your staff and |
| 563 |
<quote>star</quote> out their passwords, you may not be able to |
563 |
<quote>star</quote> out their passwords, you may not be able to |
| 564 |
do so with any general user accounts you might have. If you do |
564 |
do so with any general user accounts you might have. If you do |
| 565 |
have sufficient control, then you may win out and be able to secure |
565 |
have sufficient control, then you may win out and be able to secure |
|
Lines 568-580
Link Here
|
| 568 |
ssh and Kerberos for user accounts is |
568 |
ssh and Kerberos for user accounts is |
| 569 |
more problematic, due to the extra administration and technical |
569 |
more problematic, due to the extra administration and technical |
| 570 |
support required, but still a very good solution compared to a |
570 |
support required, but still a very good solution compared to a |
| 571 |
crypted password file.</para> |
571 |
encrypted password file.</para> |
| 572 |
</sect2> |
572 |
</sect2> |
| 573 |
|
573 |
|
| 574 |
<sect2> |
574 |
<sect2> |
| 575 |
<title>Securing the Password File</title> |
575 |
<title>Securing the Password File</title> |
| 576 |
|
576 |
|
| 577 |
<para>The only sure fire way is to <literal>*</literal> out as many |
577 |
<para>The only sure fire way is to star out as many |
| 578 |
passwords as you can and use ssh or |
578 |
passwords as you can and use ssh or |
| 579 |
Kerberos for access to those accounts. Even though the encrypted |
579 |
Kerberos for access to those accounts. Even though the encrypted |
| 580 |
password file (<filename>/etc/spwd.db</filename>) can only be read |
580 |
password file (<filename>/etc/spwd.db</filename>) can only be read |
|
Lines 631-637
Link Here
|
| 631 |
<literal>schg</literal> flag for every system file and directory |
631 |
<literal>schg</literal> flag for every system file and directory |
| 632 |
under the sun. Another possibility is to simply mount |
632 |
under the sun. Another possibility is to simply mount |
| 633 |
<filename>/</filename> and <filename>/usr</filename> read-only. |
633 |
<filename>/</filename> and <filename>/usr</filename> read-only. |
| 634 |
It should be noted that being too Draconian in what you attempt to |
634 |
It should be noted that being too draconian in what you attempt to |
| 635 |
protect may prevent the all-important detection of an |
635 |
protect may prevent the all-important detection of an |
| 636 |
intrusion.</para> |
636 |
intrusion.</para> |
| 637 |
</sect2> |
637 |
</sect2> |
|
Lines 650-661
Link Here
|
| 650 |
The last layer of your security onion is perhaps the most |
650 |
The last layer of your security onion is perhaps the most |
| 651 |
important — detection. The rest of your security is pretty |
651 |
important — detection. The rest of your security is pretty |
| 652 |
much useless (or, worse, presents you with a false sense of |
652 |
much useless (or, worse, presents you with a false sense of |
| 653 |
safety) if you cannot detect potential incursions. Half the job |
653 |
security) if you cannot detect potential intrusions. Half the job |
| 654 |
of the onion is to slow down the attacker, rather than stop him, in |
654 |
of the onion is to slow down the attacker, rather than stop him, in |
| 655 |
order to give the detection side of the equation a chance to catch |
655 |
order to be able to catch him in the act.</para> |
| 656 |
him in the act.</para> |
|
|
| 657 |
|
656 |
|
| 658 |
<para>The best way to detect an incursion is to look for modified, |
657 |
<para>The best way to detect an intrusion is to look for modified, |
| 659 |
missing, or unexpected files. The best way to look for modified |
658 |
missing, or unexpected files. The best way to look for modified |
| 660 |
files is from another (often centralized) limited-access system. |
659 |
files is from another (often centralized) limited-access system. |
| 661 |
Writing your security scripts on the extra-secure limited-access |
660 |
Writing your security scripts on the extra-secure limited-access |
|
Lines 678-684
Link Here
|
| 678 |
the audit-trail tracks that ssh |
677 |
the audit-trail tracks that ssh |
| 679 |
lays.</para> |
678 |
lays.</para> |
| 680 |
|
679 |
|
| 681 |
<para>Once you give a limited-access box, at least read access to the |
680 |
<para>Once you have given a limited-access box at least read access to the |
| 682 |
client systems it is supposed to monitor, you must write scripts |
681 |
client systems it is supposed to monitor, you must write scripts |
| 683 |
to do the actual monitoring. Given an NFS mount, you can write |
682 |
to do the actual monitoring. Given an NFS mount, you can write |
| 684 |
scripts out of simple system utilities such as &man.find.1; and |
683 |
scripts out of simple system utilities such as &man.find.1; and |
|
Lines 707-713
Link Here
|
| 707 |
<para>A good security script will also check for changes to user and |
706 |
<para>A good security script will also check for changes to user and |
| 708 |
staff members access configuration files: |
707 |
staff members access configuration files: |
| 709 |
<filename>.rhosts</filename>, <filename>.shosts</filename>, |
708 |
<filename>.rhosts</filename>, <filename>.shosts</filename>, |
| 710 |
<filename>.ssh/authorized_keys</filename> and so forth… |
709 |
<filename>.ssh/authorized_keys</filename> and so forth, |
| 711 |
files that might fall outside the purview of the |
710 |
files that might fall outside the purview of the |
| 712 |
<literal>MD5</literal> check.</para> |
711 |
<literal>MD5</literal> check.</para> |
| 713 |
|
712 |
|
|
Lines 718-741
Link Here
|
| 718 |
<literal>nosuid</literal> options (see &man.mount.8;) are what you |
717 |
<literal>nosuid</literal> options (see &man.mount.8;) are what you |
| 719 |
want to look into. You should probably scan them anyway, at least |
718 |
want to look into. You should probably scan them anyway, at least |
| 720 |
once a week, since the object of this layer is to detect a break-in |
719 |
once a week, since the object of this layer is to detect a break-in |
| 721 |
whether or not the break-in is effective.</para> |
720 |
attempt, whether or not the attempt succeds.</para> |
| 722 |
|
721 |
|
| 723 |
<para>Process accounting (see &man.accton.8;) is a relatively |
722 |
<para>Process accounting (see &man.accton.8;) is a relatively |
| 724 |
low-overhead feature of the operating system which might help |
723 |
low-overhead feature of the operating system which might help |
| 725 |
as a post-break-in evaluation mechanism. It is especially |
724 |
as a post-break-in evaluation mechanism. It is especially |
| 726 |
useful in tracking down how an intruder has actually broken into |
725 |
useful in tracking down how an intruder has actually broken into |
| 727 |
a system, assuming the file is still intact after the break-in |
726 |
a system, assuming the file is still intact after the break-in has |
| 728 |
occurs.</para> |
727 |
occured.</para> |
| 729 |
|
728 |
|
| 730 |
<para>Finally, security scripts should process the log files, and the |
729 |
<para>Finally, security scripts should process the log files, and the |
| 731 |
logs themselves should be generated in as secure a manner as |
730 |
logs themselves should be generated in as secure a manner as |
| 732 |
possible — remote syslog can be very useful. An intruder |
731 |
possible — remote syslog can be very useful. An intruder |
| 733 |
tries to cover his tracks, and log files are critical to the |
732 |
will try to cover his tracks, and log files are critical to the |
| 734 |
sysadmin trying to track down the time and method of the initial |
733 |
sysadmin trying to track down the time and method of the initial |
| 735 |
break-in. One way to keep a permanent record of the log files is |
734 |
break-in. One way to keep a permanent record of the log files is |
| 736 |
to run the system console to a serial port and collect the |
735 |
to run the system console to a serial port and collect the |
| 737 |
information on a continuing basis through a secure machine |
736 |
information to a secure machine monitoring the consoles.</para> |
| 738 |
monitoring the consoles.</para> |
|
|
| 739 |
</sect2> |
737 |
</sect2> |
| 740 |
|
738 |
|
| 741 |
<sect2> |
739 |
<sect2> |
|
Lines 759-765
Link Here
|
| 759 |
is typically a packet attack. While there is not much you can do |
757 |
is typically a packet attack. While there is not much you can do |
| 760 |
about modern spoofed packet attacks that saturate your network, |
758 |
about modern spoofed packet attacks that saturate your network, |
| 761 |
you can generally limit the damage by ensuring that the attacks |
759 |
you can generally limit the damage by ensuring that the attacks |
| 762 |
cannot take down your servers.</para> |
760 |
cannot take down your servers by:</para> |
| 763 |
|
761 |
|
| 764 |
<orderedlist> |
762 |
<orderedlist> |
| 765 |
<listitem> |
763 |
<listitem> |
|
Lines 772-784
Link Here
|
| 772 |
</listitem> |
770 |
</listitem> |
| 773 |
|
771 |
|
| 774 |
<listitem> |
772 |
<listitem> |
| 775 |
<para>Kernel Route Cache.</para> |
773 |
<para>Overloading the Kernel Route Cache.</para> |
| 776 |
</listitem> |
774 |
</listitem> |
| 777 |
</orderedlist> |
775 |
</orderedlist> |
| 778 |
|
776 |
|
| 779 |
<para>A common DoS attack is against a forking server that attempts |
777 |
<para>A common DoS attack scenario is attacking a forking server and |
| 780 |
to cause the server to eat processes, file descriptors, and memory, |
778 |
making it spawning so many child processes that the host system |
| 781 |
until the machine dies. <application>inetd</application> |
779 |
eventually runs out of memory, file descriptors, etc. and then |
|
|
780 |
grinds to a halt. <application>inetd</application> |
| 782 |
(see &man.inetd.8;) has several |
781 |
(see &man.inetd.8;) has several |
| 783 |
options to limit this sort of attack. It should be noted that |
782 |
options to limit this sort of attack. It should be noted that |
| 784 |
while it is possible to prevent a machine from going down, it is |
783 |
while it is possible to prevent a machine from going down, it is |
|
Lines 857-863
Link Here
|
| 857 |
The attacker spoofs ping packets sent to your LAN's broadcast |
856 |
The attacker spoofs ping packets sent to your LAN's broadcast |
| 858 |
address with the source IP address set to the actual machine they |
857 |
address with the source IP address set to the actual machine they |
| 859 |
wish to attack. If your border routers are not configured to |
858 |
wish to attack. If your border routers are not configured to |
| 860 |
stomp on ping's to broadcast addresses, your LAN winds up |
859 |
stomp on ping packets to broadcast addresses, your LAN winds up |
| 861 |
generating sufficient responses to the spoofed source address to |
860 |
generating sufficient responses to the spoofed source address to |
| 862 |
saturate the victim, especially when the attacker uses the same |
861 |
saturate the victim, especially when the attacker uses the same |
| 863 |
trick on several dozen broadcast addresses over several dozen |
862 |
trick on several dozen broadcast addresses over several dozen |
|
Lines 868-874
Link Here
|
| 868 |
attacker can saturate a server's incoming network and cause the |
867 |
attacker can saturate a server's incoming network and cause the |
| 869 |
server to saturate its outgoing network with ICMP responses. This |
868 |
server to saturate its outgoing network with ICMP responses. This |
| 870 |
type of attack can also crash the server by running it out of |
869 |
type of attack can also crash the server by running it out of |
| 871 |
mbuf's, especially if the server cannot drain the ICMP responses |
870 |
memory, especially if the server cannot drain the ICMP responses |
| 872 |
it generates fast enough. |
871 |
it generates fast enough. |
| 873 |
Use the <application>sysctl</application> |
872 |
Use the <application>sysctl</application> |
| 874 |
variable <literal>net.inet.icmp.icmplim</literal> to limit these attacks. |
873 |
variable <literal>net.inet.icmp.icmplim</literal> to limit these attacks. |
|
Lines 927-933
Link Here
|
| 927 |
|
926 |
|
| 928 |
<para>There are a few issues with both Kerberos and |
927 |
<para>There are a few issues with both Kerberos and |
| 929 |
ssh that need to be addressed if |
928 |
ssh that need to be addressed if |
| 930 |
you intend to use them. Kerberos V is an excellent |
929 |
you intend to use them. Kerberos 5 is an excellent |
| 931 |
authentication protocol, but there are bugs in the kerberized |
930 |
authentication protocol, but there are bugs in the kerberized |
| 932 |
<application>telnet</application> and |
931 |
<application>telnet</application> and |
| 933 |
<application>rlogin</application> applications that make them |
932 |
<application>rlogin</application> applications that make them |
|
Lines 936-942
Link Here
|
| 936 |
<option>-x</option> option. <application>ssh</application> |
935 |
<option>-x</option> option. <application>ssh</application> |
| 937 |
encrypts everything by default.</para> |
936 |
encrypts everything by default.</para> |
| 938 |
|
937 |
|
| 939 |
<para>ssh works quite well in every |
938 |
<para>Ssh works quite well in every |
| 940 |
respect except that it forwards encryption keys by default. What |
939 |
respect except that it forwards encryption keys by default. What |
| 941 |
this means is that if you have a secure workstation holding keys |
940 |
this means is that if you have a secure workstation holding keys |
| 942 |
that give you access to the rest of the system, and you |
941 |
that give you access to the rest of the system, and you |
|
Lines 950-959
Link Here
|
| 950 |
|
949 |
|
| 951 |
<para>We recommend that you use ssh in |
950 |
<para>We recommend that you use ssh in |
| 952 |
combination with Kerberos whenever possible for staff logins. |
951 |
combination with Kerberos whenever possible for staff logins. |
| 953 |
<application>ssh</application> can be compiled with Kerberos |
952 |
<application>Ssh</application> can be compiled with Kerberos |
| 954 |
support. This reduces your reliance on potentially exposed |
953 |
support. This reduces your reliance on potentially exposed |
| 955 |
ssh keys while at the same time |
954 |
ssh keys while at the same time |
| 956 |
protecting passwords via Kerberos. ssh |
955 |
protecting passwords via Kerberos. Ssh |
| 957 |
keys should only be used for automated tasks from secure machines |
956 |
keys should only be used for automated tasks from secure machines |
| 958 |
(something that Kerberos is unsuited to do). We also recommend that |
957 |
(something that Kerberos is unsuited to do). We also recommend that |
| 959 |
you either turn off key-forwarding in the |
958 |
you either turn off key-forwarding in the |