xref: /freebsd/share/man/man7/security.7 (revision 52fc88b53bb0bc102cf93806c67fc236c1228b0b)
15ecb12e3SWarner Losh.\" Copyright (C) 1998 Matthew Dillon. All rights reserved.
25ecb12e3SWarner Losh.\"
35ecb12e3SWarner Losh.\" Redistribution and use in source and binary forms, with or without
45ecb12e3SWarner Losh.\" modification, are permitted provided that the following conditions
55ecb12e3SWarner Losh.\" are met:
65ecb12e3SWarner Losh.\" 1. Redistributions of source code must retain the above copyright
75ecb12e3SWarner Losh.\"    notice, this list of conditions and the following disclaimer.
85ecb12e3SWarner Losh.\" 2. Redistributions in binary form must reproduce the above copyright
95ecb12e3SWarner Losh.\"    notice, this list of conditions and the following disclaimer in the
105ecb12e3SWarner Losh.\"    documentation and/or other materials provided with the distribution.
115ecb12e3SWarner Losh.\"
125ecb12e3SWarner Losh.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
135ecb12e3SWarner Losh.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
145ecb12e3SWarner Losh.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
155ecb12e3SWarner Losh.\" ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
165ecb12e3SWarner Losh.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
175ecb12e3SWarner Losh.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
185ecb12e3SWarner Losh.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
195ecb12e3SWarner Losh.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
205ecb12e3SWarner Losh.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
215ecb12e3SWarner Losh.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
225ecb12e3SWarner Losh.\" SUCH DAMAGE.
23f063d76aSMatthew Dillon.\"
247f3dea24SPeter Wemm.\" $FreeBSD$
25f063d76aSMatthew Dillon.\"
26e354922cSRuslan Ermilov.Dd November 29, 2004
27f063d76aSMatthew Dillon.Dt SECURITY 7
283d45e180SRuslan Ermilov.Os
29f063d76aSMatthew Dillon.Sh NAME
30f063d76aSMatthew Dillon.Nm security
3152fc88b5SGiorgos Keramidas.Nd introduction to security under FreeBSD
32f063d76aSMatthew Dillon.Sh DESCRIPTION
33f063d76aSMatthew DillonSecurity is a function that begins and ends with the system administrator.
34f063d76aSMatthew DillonWhile all
35f063d76aSMatthew Dillon.Bx
36d93b26d6SMatthew Dillonmulti-user systems have some inherent security, the job of building and
37992e4638SRobert Watsonmaintaining additional security mechanisms to keep users
38454ba768SRuslan Ermilov.Dq honest
39568e4cbbSGuy Helmeris probably
40454ba768SRuslan Ermilovone of the single largest undertakings of the sysadmin.
41454ba768SRuslan ErmilovMachines are
42f063d76aSMatthew Dillononly as secure as you make them, and security concerns are ever competing
43568e4cbbSGuy Helmerwith the human necessity for convenience.
44568e4cbbSGuy Helmer.Ux
45568e4cbbSGuy Helmersystems,
466ac7e896SDavid E. O'Brienin general, are capable of running a huge number of simultaneous processes
47454ba768SRuslan Ermilovand many of these processes operate as servers \(em meaning that external
48454ba768SRuslan Ermiloventities can connect and talk to them.
49454ba768SRuslan ErmilovAs yesterday's mini-computers and mainframes
50f063d76aSMatthew Dillonbecome today's desktops, and as computers become networked and internetworked,
51f063d76aSMatthew Dillonsecurity becomes an ever bigger issue.
52f063d76aSMatthew Dillon.Pp
53454ba768SRuslan ErmilovSecurity is best implemented through a layered onion approach.
54454ba768SRuslan ErmilovIn a nutshell,
55d93b26d6SMatthew Dillonwhat you want to do is to create as many layers of security as are convenient
56454ba768SRuslan Ermilovand then carefully monitor the system for intrusions.
57454ba768SRuslan ErmilovYou do not want to
587c86a74bSMike Pritchardoverbuild your security or you will interfere with the detection side, and
59d93b26d6SMatthew Dillondetection is one of the single most important aspects of any security
60454ba768SRuslan Ermilovmechanism.
61454ba768SRuslan ErmilovFor example, it makes little sense to set the
62454ba768SRuslan Ermilov.Cm schg
63d93b26d6SMatthew Dillonflags
64c4d9468eSRuslan Ermilov(see
65c4d9468eSRuslan Ermilov.Xr chflags 1 )
66d93b26d6SMatthew Dillonon every system binary because while this may temporarily protect the
6747afd1f8SDaniel Harrisbinaries, it prevents an attacker who has broken in from making an
68d93b26d6SMatthew Dilloneasily detectable change that may result in your security mechanisms not
6947afd1f8SDaniel Harrisdetecting the attacker at all.
70d93b26d6SMatthew Dillon.Pp
71454ba768SRuslan ErmilovSystem security also pertains to dealing with various forms of attacks,
72d93b26d6SMatthew Dillonincluding attacks that attempt to crash or otherwise make a system unusable
73454ba768SRuslan Ermilovbut do not attempt to break root.
74454ba768SRuslan ErmilovSecurity concerns can be split up into
75d93b26d6SMatthew Dillonseveral categories:
76f063d76aSMatthew Dillon.Bl -enum -offset indent
77f063d76aSMatthew Dillon.It
78454ba768SRuslan ErmilovDenial of Service attacks (DoS)
79f063d76aSMatthew Dillon.It
80f063d76aSMatthew DillonUser account compromises
81f063d76aSMatthew Dillon.It
826ac7e896SDavid E. O'BrienRoot compromise through accessible servers
83f063d76aSMatthew Dillon.It
846ac7e896SDavid E. O'BrienRoot compromise via user accounts
85d93b26d6SMatthew Dillon.It
86d93b26d6SMatthew DillonBackdoor creation
87f063d76aSMatthew Dillon.El
88f063d76aSMatthew Dillon.Pp
89f063d76aSMatthew DillonA denial of service attack is an action that deprives the machine of needed
90454ba768SRuslan Ermilovresources.
91454ba768SRuslan ErmilovTypically, DoS attacks are brute-force mechanisms that attempt
92f063d76aSMatthew Dillonto crash or otherwise make a machine unusable by overwhelming its servers or
93454ba768SRuslan Ermilovnetwork stack.
94454ba768SRuslan ErmilovSome DoS attacks try to take advantages of bugs in the
95454ba768SRuslan Ermilovnetworking stack to crash a machine with a single packet.
96454ba768SRuslan ErmilovThe latter can
97454ba768SRuslan Ermilovonly be fixed by applying a bug fix to the kernel.
98454ba768SRuslan ErmilovAttacks on servers can
99d93b26d6SMatthew Dillonoften be fixed by properly specifying options to limit the load the servers
100454ba768SRuslan Ermilovincur on the system under adverse conditions.
101454ba768SRuslan ErmilovBrute-force network attacks are harder to deal with.
102454ba768SRuslan ErmilovA spoofed-packet attack, for example, is
1037c86a74bSMike Pritchardnearly impossible to stop short of cutting your system off from the Internet.
1047c86a74bSMike PritchardIt may not be able to take your machine down, but it can fill up Internet
105d93b26d6SMatthew Dillonpipe.
106f063d76aSMatthew Dillon.Pp
107454ba768SRuslan ErmilovA user account compromise is even more common than a DoS attack.
108454ba768SRuslan ErmilovMany
109454ba768SRuslan Ermilovsysadmins still run standard
110454ba768SRuslan Ermilov.Xr telnetd 8 ,
111454ba768SRuslan Ermilov.Xr rlogind 8 ,
112454ba768SRuslan Ermilov.Xr rshd 8 ,
113454ba768SRuslan Ermilovand
114454ba768SRuslan Ermilov.Xr ftpd 8
115454ba768SRuslan Ermilovservers on their machines.
116454ba768SRuslan ErmilovThese servers, by default, do not operate over encrypted
117454ba768SRuslan Ermilovconnections.
118454ba768SRuslan ErmilovThe result is that if you have any moderate-sized user base,
119f063d76aSMatthew Dillonone or more of your users logging into your system from a remote location
120c4d9468eSRuslan Ermilov(which is the most common and convenient way to log in to a system)
121454ba768SRuslan Ermilovwill have his or her password sniffed.
122454ba768SRuslan ErmilovThe attentive system administrator will analyze
123d93b26d6SMatthew Dillonhis remote access logs looking for suspicious source addresses
124f063d76aSMatthew Dilloneven for successful logins.
125f063d76aSMatthew Dillon.Pp
126f063d76aSMatthew DillonOne must always assume that once an attacker has access to a user account,
127454ba768SRuslan Ermilovthe attacker can break root.
128454ba768SRuslan ErmilovHowever, the reality is that in a well secured
129f063d76aSMatthew Dillonand maintained system, access to a user account does not necessarily give the
130454ba768SRuslan Ermilovattacker access to root.
131454ba768SRuslan ErmilovThe distinction is important because without access
132f063d76aSMatthew Dillonto root the attacker cannot generally hide his tracks and may, at best, be
133b94231daSDima Dorfmanable to do nothing more than mess with the user's files or crash the machine.
134d93b26d6SMatthew DillonUser account compromises are very common because users tend not to take the
1357c86a74bSMike Pritchardprecautions that sysadmins take.
136f063d76aSMatthew Dillon.Pp
137d93b26d6SMatthew DillonSystem administrators must keep in mind that there are potentially many ways
138454ba768SRuslan Ermilovto break root on a machine.
139454ba768SRuslan ErmilovThe attacker may know the root password,
140d93b26d6SMatthew Dillonthe attacker
141f063d76aSMatthew Dillonmay find a bug in a root-run server and be able to break root over a network
142454ba768SRuslan Ermilovconnection to that server, or the attacker may know of a bug in an SUID-root
143f063d76aSMatthew Dillonprogram that allows the attacker to break root once he has broken into a
144454ba768SRuslan Ermilovuser's account.
145454ba768SRuslan ErmilovIf an attacker has found a way to break root on a machine,
146f167d7fbSSheldon Hearnthe attacker may not have a need to install a backdoor.
147d93b26d6SMatthew DillonMany of the root holes found and closed to date involve a considerable amount
14847afd1f8SDaniel Harrisof work by the attacker to clean up after himself, so most attackers do install
149454ba768SRuslan Ermilovbackdoors.
150454ba768SRuslan ErmilovThis gives you a convenient way to detect the attacker.
151454ba768SRuslan ErmilovMaking
15247afd1f8SDaniel Harrisit impossible for an attacker to install a backdoor may actually be detrimental
1534c0d8029SDaniel Harristo your security because it will not close off the hole the attacker used to
1544c0d8029SDaniel Harrisbreak in in the first place.
155f063d76aSMatthew Dillon.Pp
156d93b26d6SMatthew DillonSecurity remedies should always be implemented with a multi-layered
157454ba768SRuslan Ermilov.Dq onion peel
158f063d76aSMatthew Dillonapproach and can be categorized as follows:
159f063d76aSMatthew Dillon.Bl -enum -offset indent
160f063d76aSMatthew Dillon.It
161f063d76aSMatthew DillonSecuring root and staff accounts
162f063d76aSMatthew Dillon.It
163454ba768SRuslan ErmilovSecuring root \(em root-run servers and SUID/SGID binaries
164f063d76aSMatthew Dillon.It
165f063d76aSMatthew DillonSecuring user accounts
166f063d76aSMatthew Dillon.It
167f063d76aSMatthew DillonSecuring the password file
168f063d76aSMatthew Dillon.It
169f063d76aSMatthew DillonSecuring the kernel core, raw devices, and file systems
170f063d76aSMatthew Dillon.It
171d93b26d6SMatthew DillonQuick detection of inappropriate changes made to the system
172f063d76aSMatthew Dillon.It
173f063d76aSMatthew DillonParanoia
174f063d76aSMatthew Dillon.El
175f063d76aSMatthew Dillon.Sh SECURING THE ROOT ACCOUNT AND SECURING STAFF ACCOUNTS
176454ba768SRuslan ErmilovDo not bother securing staff accounts if you have not secured the root
177454ba768SRuslan Ermilovaccount.
178454ba768SRuslan ErmilovMost systems have a password assigned to the root account.
179454ba768SRuslan ErmilovThe
180568e4cbbSGuy Helmerfirst thing you do is assume that the password is
181454ba768SRuslan Ermilov.Em always
182454ba768SRuslan Ermilovcompromised.
183454ba768SRuslan ErmilovThis does not mean that you should remove the password.
184454ba768SRuslan ErmilovThe
185d93b26d6SMatthew Dillonpassword is almost always necessary for console access to the machine.
186d93b26d6SMatthew DillonWhat it does mean is that you should not make it possible to use the password
187d93b26d6SMatthew Dillonoutside of the console or possibly even with a
188d93b26d6SMatthew Dillon.Xr su 1
189454ba768SRuslan Ermilovutility.
190454ba768SRuslan ErmilovFor example, make sure that your PTYs are specified as being
191454ba768SRuslan Ermilov.Dq Li unsecure
192d93b26d6SMatthew Dillonin the
193454ba768SRuslan Ermilov.Pa /etc/ttys
194d93b26d6SMatthew Dillonfile
195454ba768SRuslan Ermilovso that direct root logins via
196454ba768SRuslan Ermilov.Xr telnet 1
197454ba768SRuslan Ermilovor
198454ba768SRuslan Ermilov.Xr rlogin 1
199454ba768SRuslan Ermilovare disallowed.
200454ba768SRuslan ErmilovIf using
201454ba768SRuslan Ermilovother login services such as
202454ba768SRuslan Ermilov.Xr sshd 8 ,
203454ba768SRuslan Ermilovmake sure that direct root logins are
204454ba768SRuslan Ermilovdisabled there as well.
205454ba768SRuslan ErmilovConsider every access method \(em services such as
206454ba768SRuslan Ermilov.Xr ftp 1
207454ba768SRuslan Ermilovoften fall through the cracks.
208454ba768SRuslan ErmilovDirect root logins should only be allowed
209d93b26d6SMatthew Dillonvia the system console.
210f063d76aSMatthew Dillon.Pp
2117626ae52SMatthew DillonOf course, as a sysadmin you have to be able to get to root, so we open up
212454ba768SRuslan Ermilova few holes.
213454ba768SRuslan ErmilovBut we make sure these holes require additional password
214454ba768SRuslan Ermilovverification to operate.
215454ba768SRuslan ErmilovOne way to make root accessible is to add appropriate
216454ba768SRuslan Ermilovstaff accounts to the
217454ba768SRuslan Ermilov.Dq Li wheel
218454ba768SRuslan Ermilovgroup (in
219c4d9468eSRuslan Ermilov.Pa /etc/group ) .
220454ba768SRuslan ErmilovThe staff members placed in the
221454ba768SRuslan Ermilov.Li wheel
222454ba768SRuslan Ermilovgroup are allowed to
223454ba768SRuslan Ermilov.Xr su 1
224454ba768SRuslan Ermilovto root.
225454ba768SRuslan ErmilovYou should never give staff
226454ba768SRuslan Ermilovmembers native
227454ba768SRuslan Ermilov.Li wheel
228454ba768SRuslan Ermilovaccess by putting them in the
229454ba768SRuslan Ermilov.Li wheel
230454ba768SRuslan Ermilovgroup in their password entry.
231454ba768SRuslan ErmilovStaff accounts should be placed in a
232454ba768SRuslan Ermilov.Dq Li staff
233454ba768SRuslan Ermilovgroup, and then added to the
234454ba768SRuslan Ermilov.Li wheel
235454ba768SRuslan Ermilovgroup via the
236454ba768SRuslan Ermilov.Pa /etc/group
237454ba768SRuslan Ermilovfile.
238454ba768SRuslan ErmilovOnly those staff members who actually need to have root access
239454ba768SRuslan Ermilovshould be placed in the
240454ba768SRuslan Ermilov.Li wheel
241454ba768SRuslan Ermilovgroup.
242454ba768SRuslan ErmilovIt is also possible, when using an
243454ba768SRuslan Ermilovauthentication method such as Kerberos, to use Kerberos's
244454ba768SRuslan Ermilov.Pa .k5login
245d93b26d6SMatthew Dillonfile in the root account to allow a
246d93b26d6SMatthew Dillon.Xr ksu 1
247454ba768SRuslan Ermilovto root without having to place anyone at all in the
248454ba768SRuslan Ermilov.Li wheel
249454ba768SRuslan Ermilovgroup.
250454ba768SRuslan ErmilovThis
251454ba768SRuslan Ermilovmay be the better solution since the
252454ba768SRuslan Ermilov.Li wheel
253454ba768SRuslan Ermilovmechanism still allows an
254d93b26d6SMatthew Dillonintruder to break root if the intruder has gotten hold of your password
255454ba768SRuslan Ermilovfile and can break into a staff account.
256454ba768SRuslan ErmilovWhile having the
257454ba768SRuslan Ermilov.Li wheel
258454ba768SRuslan Ermilovmechanism
259454ba768SRuslan Ermilovis better than having nothing at all, it is not necessarily the safest
260d93b26d6SMatthew Dillonoption.
261f063d76aSMatthew Dillon.Pp
262f063d76aSMatthew DillonAn indirect way to secure the root account is to secure your staff accounts
263f063d76aSMatthew Dillonby using an alternative login access method and *'ing out the crypted password
264454ba768SRuslan Ermilovfor the staff accounts.
265454ba768SRuslan ErmilovThis way an intruder may be able to steal the password
26647afd1f8SDaniel Harrisfile but will not be able to break into any staff accounts or root, even if
26747afd1f8SDaniel Harrisroot has a crypted password associated with it (assuming, of course, that
268454ba768SRuslan Ermilovyou have limited root access to the console).
269454ba768SRuslan ErmilovStaff members
270f063d76aSMatthew Dillonget into their staff accounts through a secure login mechanism such as
271a3f9c9fcSRuslan Ermilov.Xr kerberos 8
272568e4cbbSGuy Helmeror
273568e4cbbSGuy Helmer.Xr ssh 1
274568e4cbbSGuy Helmerusing a private/public
275454ba768SRuslan Ermilovkey pair.
276454ba768SRuslan ErmilovWhen you use something like Kerberos you generally must secure
277454ba768SRuslan Ermilovthe machines which run the Kerberos servers and your desktop workstation.
278454ba768SRuslan ErmilovWhen you use a public/private key pair with SSH, you must generally secure
279454ba768SRuslan Ermilovthe machine you are logging in
280454ba768SRuslan Ermilov.Em from
281c4d9468eSRuslan Ermilov(typically your workstation),
282568e4cbbSGuy Helmerbut you can
283f063d76aSMatthew Dillonalso add an additional layer of protection to the key pair by password
284568e4cbbSGuy Helmerprotecting the keypair when you create it with
285568e4cbbSGuy Helmer.Xr ssh-keygen 1 .
286568e4cbbSGuy HelmerBeing able
2876ac7e896SDavid E. O'Briento *-out the passwords for staff accounts also guarantees that staff members
288454ba768SRuslan Ermilovcan only log in through secure access methods that you have set up.
289454ba768SRuslan ErmilovYou can
290f063d76aSMatthew Dillonthus force all staff members to use secure, encrypted connections for
291454ba768SRuslan Ermilovall their sessions which closes an important hole used by many intruders: that
292f063d76aSMatthew Dillonof sniffing the network from an unrelated, less secure machine.
293f063d76aSMatthew Dillon.Pp
294f063d76aSMatthew DillonThe more indirect security mechanisms also assume that you are logging in
295454ba768SRuslan Ermilovfrom a more restrictive server to a less restrictive server.
296454ba768SRuslan ErmilovFor example,
297454ba768SRuslan Ermilovif your main box is running all sorts of servers, your workstation should not
298454ba768SRuslan Ermilovbe running any.
299454ba768SRuslan ErmilovIn order for your workstation to be reasonably secure
300f063d76aSMatthew Dillonyou should run as few servers as possible, up to and including no servers
301f063d76aSMatthew Dillonat all, and you should run a password-protected screen blanker.
302f063d76aSMatthew DillonOf course, given physical access to
303454ba768SRuslan Ermilova workstation, an attacker can break any sort of security you put on it.
304f063d76aSMatthew DillonThis is definitely a problem that you should consider but you should also
3056ac7e896SDavid E. O'Brienconsider the fact that the vast majority of break-ins occur remotely, over
3067626ae52SMatthew Dillona network, from people who do not have physical access to your workstation or
307f063d76aSMatthew Dillonservers.
308f063d76aSMatthew Dillon.Pp
309454ba768SRuslan ErmilovUsing something like Kerberos also gives you the ability to disable or
310f063d76aSMatthew Dillonchange the password for a staff account in one place and have it immediately
311454ba768SRuslan Ermilovaffect all the machines the staff member may have an account on.
312454ba768SRuslan ErmilovIf a staff
313f063d76aSMatthew Dillonmember's account gets compromised, the ability to instantly change his
314454ba768SRuslan Ermilovpassword on all machines should not be underrated.
315454ba768SRuslan ErmilovWith discrete passwords, changing a password on N machines can be a mess.
316454ba768SRuslan ErmilovYou can also impose
317454ba768SRuslan Ermilovre-passwording restrictions with Kerberos: not only can a Kerberos ticket
318454ba768SRuslan Ermilovbe made to timeout after a while, but the Kerberos system can require that
319568e4cbbSGuy Helmerthe user choose a new password after a certain period of time
320c4d9468eSRuslan Ermilov(say, once a month).
32147afd1f8SDaniel Harris.Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES
322454ba768SRuslan ErmilovThe prudent sysadmin only runs the servers he needs to, no more, no less.
323454ba768SRuslan ErmilovBe aware that third party servers are often the most bug-prone.
324454ba768SRuslan ErmilovFor example,
325454ba768SRuslan Ermilovrunning an old version of
326454ba768SRuslan Ermilov.Xr imapd 8
327454ba768SRuslan Ermilovor
328f0ea72a0SChristian Brueffer.Xr popper 8 Pq Pa ports/mail/popper
329454ba768SRuslan Ermilovis like giving a universal root
330454ba768SRuslan Ermilovticket out to the entire world.
331454ba768SRuslan ErmilovNever run a server that you have not checked
332454ba768SRuslan Ermilovout carefully.
333454ba768SRuslan ErmilovMany servers do not need to be run as root.
334454ba768SRuslan ErmilovFor example,
335454ba768SRuslan Ermilovthe
336454ba768SRuslan Ermilov.Xr talkd 8 ,
337454ba768SRuslan Ermilov.Xr comsat 8 ,
338454ba768SRuslan Ermilovand
339454ba768SRuslan Ermilov.Xr fingerd 8
340454ba768SRuslan Ermilovdaemons can be run in special user
341454ba768SRuslan Ermilov.Dq sandboxes .
342454ba768SRuslan ErmilovA sandbox is not perfect unless you go to a large amount of trouble, but the
343454ba768SRuslan Ermilovonion approach to security still stands: if someone is able to break in
344f063d76aSMatthew Dillonthrough a server running in a sandbox, they still have to break out of the
345454ba768SRuslan Ermilovsandbox.
346454ba768SRuslan ErmilovThe more layers the attacker must break through, the lower the
347454ba768SRuslan Ermilovlikelihood of his success.
348454ba768SRuslan ErmilovRoot holes have historically been found in
349f063d76aSMatthew Dillonvirtually every server ever run as root, including basic system servers.
350454ba768SRuslan ErmilovIf you are running a machine through which people only log in via
351454ba768SRuslan Ermilov.Xr sshd 8
352454ba768SRuslan Ermilovand never log in via
353454ba768SRuslan Ermilov.Xr telnetd 8 ,
354454ba768SRuslan Ermilov.Xr rshd 8 ,
355454ba768SRuslan Ermilovor
356454ba768SRuslan Ermilov.Xr rlogind 8 ,
357454ba768SRuslan Ermilovthen turn off those services!
358f063d76aSMatthew Dillon.Pp
359f6f8f44dSAlexey Zelkin.Fx
360454ba768SRuslan Ermilovnow defaults to running
361454ba768SRuslan Ermilov.Xr talkd 8 ,
362454ba768SRuslan Ermilov.Xr comsat 8 ,
363454ba768SRuslan Ermilovand
364454ba768SRuslan Ermilov.Xr fingerd 8
365454ba768SRuslan Ermilovin a sandbox.
366f063d76aSMatthew DillonAnother program which may be a candidate for running in a sandbox is
367568e4cbbSGuy Helmer.Xr named 8 .
368454ba768SRuslan ErmilovThe default
369454ba768SRuslan Ermilov.Pa rc.conf
370454ba768SRuslan Ermilovincludes the arguments necessary to run
371454ba768SRuslan Ermilov.Xr named 8
372454ba768SRuslan Ermilovin a sandbox in a commented-out form.
373454ba768SRuslan ErmilovDepending on whether you
374f063d76aSMatthew Dillonare installing a new system or upgrading an existing system, the special
375454ba768SRuslan Ermilovuser accounts used by these sandboxes may not be installed.
376454ba768SRuslan ErmilovThe prudent
3777626ae52SMatthew Dillonsysadmin would research and implement sandboxes for servers whenever possible.
378f063d76aSMatthew Dillon.Pp
379f063d76aSMatthew DillonThere are a number of other servers that typically do not run in sandboxes:
380454ba768SRuslan Ermilov.Xr sendmail 8 ,
381454ba768SRuslan Ermilov.Xr popper 8 ,
382454ba768SRuslan Ermilov.Xr imapd 8 ,
383454ba768SRuslan Ermilov.Xr ftpd 8 ,
384454ba768SRuslan Ermilovand others.
385454ba768SRuslan ErmilovThere are alternatives to
3869518a247SJens Schweikhardtsome of these, but installing them may require more work than you are willing
387568e4cbbSGuy Helmerto put
388c4d9468eSRuslan Ermilov(the convenience factor strikes again).
389568e4cbbSGuy HelmerYou may have to run these
3906ac7e896SDavid E. O'Brienservers as root and rely on other mechanisms to detect break-ins that might
391f063d76aSMatthew Dillonoccur through them.
392f063d76aSMatthew Dillon.Pp
393454ba768SRuslan ErmilovThe other big potential root hole in a system are the SUID-root and SGID
394454ba768SRuslan Ermilovbinaries installed on the system.
395454ba768SRuslan ErmilovMost of these binaries, such as
396454ba768SRuslan Ermilov.Xr rlogin 1 ,
397568e4cbbSGuy Helmerreside in
398454ba768SRuslan Ermilov.Pa /bin , /sbin , /usr/bin ,
399568e4cbbSGuy Helmeror
400568e4cbbSGuy Helmer.Pa /usr/sbin .
401568e4cbbSGuy HelmerWhile nothing is 100% safe,
402454ba768SRuslan Ermilovthe system-default SUID and SGID binaries can be considered reasonably safe.
403454ba768SRuslan ErmilovStill, root holes are occasionally found in these binaries.
404454ba768SRuslan ErmilovA root hole
405454ba768SRuslan Ermilovwas found in Xlib in 1998 that made
406f0ea72a0SChristian Brueffer.Xr xterm 1 Pq Pa ports/x11/xterm
407454ba768SRuslan Ermilov(which is typically SUID)
408568e4cbbSGuy Helmervulnerable.
409454ba768SRuslan ErmilovIt is better to be safe than sorry and the prudent sysadmin will restrict SUID
410f063d76aSMatthew Dillonbinaries that only staff should run to a special group that only staff can
411568e4cbbSGuy Helmeraccess, and get rid of
412454ba768SRuslan Ermilov.Pq Dq Li "chmod 000"
413454ba768SRuslan Ermilovany SUID binaries that nobody uses.
414454ba768SRuslan ErmilovA server with no display generally does not need an
415454ba768SRuslan Ermilov.Xr xterm 1
416454ba768SRuslan Ermilovbinary.
417454ba768SRuslan ErmilovSGID binaries can be almost as dangerous.
418454ba768SRuslan ErmilovIf an intruder can break an SGID-kmem binary the
419568e4cbbSGuy Helmerintruder might be able to read
420568e4cbbSGuy Helmer.Pa /dev/kmem
421568e4cbbSGuy Helmerand thus read the crypted password
422454ba768SRuslan Ermilovfile, potentially compromising any passworded account.
423454ba768SRuslan ErmilovAlternatively an
424454ba768SRuslan Ermilovintruder who breaks group
425454ba768SRuslan Ermilov.Dq Li kmem
426454ba768SRuslan Ermilovcan monitor keystrokes sent through PTYs,
427454ba768SRuslan Ermilovincluding PTYs used by users who log in through secure methods.
428454ba768SRuslan ErmilovAn intruder
429454ba768SRuslan Ermilovthat breaks the
430454ba768SRuslan Ermilov.Dq Li tty
431454ba768SRuslan Ermilovgroup can write to almost any user's TTY.
432454ba768SRuslan ErmilovIf a user
433d93b26d6SMatthew Dillonis running a terminal
434d93b26d6SMatthew Dillonprogram or emulator with a keyboard-simulation feature, the intruder can
435d93b26d6SMatthew Dillonpotentially
436f063d76aSMatthew Dillongenerate a data stream that causes the user's terminal to echo a command, which
437f063d76aSMatthew Dillonis then run as that user.
438f063d76aSMatthew Dillon.Sh SECURING USER ACCOUNTS
439454ba768SRuslan ErmilovUser accounts are usually the most difficult to secure.
440454ba768SRuslan ErmilovWhile you can impose
441454ba768SRuslan Ermilovdraconian access restrictions on your staff and *-out their passwords, you
442454ba768SRuslan Ermilovmay not be able to do so with any general user accounts you might have.
443454ba768SRuslan ErmilovIf
444f063d76aSMatthew Dillonyou do have sufficient control then you may win out and be able to secure the
445454ba768SRuslan Ermilovuser accounts properly.
446454ba768SRuslan ErmilovIf not, you simply have to be more vigilant in your
447454ba768SRuslan Ermilovmonitoring of those accounts.
448454ba768SRuslan ErmilovUse of SSH and Kerberos for user accounts is
449d93b26d6SMatthew Dillonmore problematic due to the extra administration and technical support
450d93b26d6SMatthew Dillonrequired, but still a very good solution compared to a crypted password
451d93b26d6SMatthew Dillonfile.
452f063d76aSMatthew Dillon.Sh SECURING THE PASSWORD FILE
453f063d76aSMatthew DillonThe only sure fire way is to *-out as many passwords as you can and
454454ba768SRuslan Ermilovuse SSH or Kerberos for access to those accounts.
455454ba768SRuslan ErmilovEven though the
456568e4cbbSGuy Helmercrypted password file
457568e4cbbSGuy Helmer.Pq Pa /etc/spwd.db
458568e4cbbSGuy Helmercan only be read by root, it may
459568e4cbbSGuy Helmerbe possible for an intruder to obtain read access to that file even if the
460f063d76aSMatthew Dillonattacker cannot obtain root-write access.
461f063d76aSMatthew Dillon.Pp
462f063d76aSMatthew DillonYour security scripts should always check for and report changes to
463568e4cbbSGuy Helmerthe password file
464c4d9468eSRuslan Ermilov(see
465454ba768SRuslan Ermilov.Sx CHECKING FILE INTEGRITY
466c4d9468eSRuslan Ermilovbelow).
467f063d76aSMatthew Dillon.Sh SECURING THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS
468f063d76aSMatthew DillonIf an attacker breaks root he can do just about anything, but there
469454ba768SRuslan Ermilovare certain conveniences.
470454ba768SRuslan ErmilovFor example, most modern kernels have a packet sniffing device driver built in.
471454ba768SRuslan ErmilovUnder
472f6f8f44dSAlexey Zelkin.Fx
473568e4cbbSGuy Helmerit is called
474568e4cbbSGuy Helmerthe
475454ba768SRuslan Ermilov.Xr bpf 4
476454ba768SRuslan Ermilovdevice.
477454ba768SRuslan ErmilovAn intruder will commonly attempt to run a packet sniffer
478454ba768SRuslan Ermilovon a compromised machine.
479454ba768SRuslan ErmilovYou do not need to give the intruder the
480454ba768SRuslan Ermilovcapability and most systems should not have the
481454ba768SRuslan Ermilov.Xr bpf 4
482454ba768SRuslan Ermilovdevice compiled in.
483f063d76aSMatthew Dillon.Pp
484454ba768SRuslan ErmilovBut even if you turn off the
485454ba768SRuslan Ermilov.Xr bpf 4
486454ba768SRuslan Ermilovdevice, you still have
487568e4cbbSGuy Helmer.Pa /dev/mem
488568e4cbbSGuy Helmerand
489568e4cbbSGuy Helmer.Pa /dev/kmem
490454ba768SRuslan Ermilovto worry about.
491454ba768SRuslan ErmilovFor that matter,
492d93b26d6SMatthew Dillonthe intruder can still write to raw disk devices.
493d93b26d6SMatthew DillonAlso, there is another kernel feature called the module loader,
494568e4cbbSGuy Helmer.Xr kldload 8 .
495568e4cbbSGuy HelmerAn enterprising intruder can use a KLD module to install
496454ba768SRuslan Ermilovhis own
497454ba768SRuslan Ermilov.Xr bpf 4
498454ba768SRuslan Ermilovdevice or other sniffing device on a running kernel.
499568e4cbbSGuy HelmerTo avoid these problems you have to run
500e17c0e32SGary W. Swearingenthe kernel at a higher security level, at least level 1.
501e17c0e32SGary W. SwearingenThe security level can be set with a
502454ba768SRuslan Ermilov.Xr sysctl 8
503454ba768SRuslan Ermilovon the
504454ba768SRuslan Ermilov.Va kern.securelevel
505454ba768SRuslan Ermilovvariable.
506454ba768SRuslan ErmilovOnce you have
507e17c0e32SGary W. Swearingenset the security level to 1, write access to raw devices will be denied and
508454ba768SRuslan Ermilovspecial
509454ba768SRuslan Ermilov.Xr chflags 1
510454ba768SRuslan Ermilovflags, such as
511454ba768SRuslan Ermilov.Cm schg ,
512454ba768SRuslan Ermilovwill be enforced.
513454ba768SRuslan ErmilovYou must also ensure
514568e4cbbSGuy Helmerthat the
515454ba768SRuslan Ermilov.Cm schg
516568e4cbbSGuy Helmerflag is set on critical startup binaries, directories, and
517e17c0e32SGary W. Swearingenscript files \(em everything that gets run
518e17c0e32SGary W. Swearingenup to the point where the security level is set.
519454ba768SRuslan ErmilovThis might be overdoing it, and upgrading the system is much more
520e17c0e32SGary W. Swearingendifficult when you operate at a higher security level.
521454ba768SRuslan ErmilovYou may compromise and
522e17c0e32SGary W. Swearingenrun the system at a higher security level but not set the
523454ba768SRuslan Ermilov.Cm schg
524454ba768SRuslan Ermilovflag for every
525454ba768SRuslan Ermilovsystem file and directory under the sun.
526454ba768SRuslan ErmilovAnother possibility is to simply
527454ba768SRuslan Ermilovmount
528454ba768SRuslan Ermilov.Pa /
529454ba768SRuslan Ermilovand
530454ba768SRuslan Ermilov.Pa /usr
531454ba768SRuslan Ermilovread-only.
532454ba768SRuslan ErmilovIt should be noted that being too draconian in
533d93b26d6SMatthew Dillonwhat you attempt to protect may prevent the all-important detection of an
534d93b26d6SMatthew Dillonintrusion.
535e17c0e32SGary W. Swearingen.Pp
536e17c0e32SGary W. SwearingenThe kernel runs with five different security levels.
537e17c0e32SGary W. SwearingenAny super-user process can raise the level, but no process
538e17c0e32SGary W. Swearingencan lower it.
539e17c0e32SGary W. SwearingenThe security levels are:
540e17c0e32SGary W. Swearingen.Bl -tag -width flag
541e17c0e32SGary W. Swearingen.It Ic -1
542e17c0e32SGary W. SwearingenPermanently insecure mode \- always run the system in insecure mode.
543e17c0e32SGary W. SwearingenThis is the default initial value.
544e17c0e32SGary W. Swearingen.It Ic 0
545e17c0e32SGary W. SwearingenInsecure mode \- immutable and append-only flags may be turned off.
546e17c0e32SGary W. SwearingenAll devices may be read or written subject to their permissions.
547e17c0e32SGary W. Swearingen.It Ic 1
548e17c0e32SGary W. SwearingenSecure mode \- the system immutable and system append-only flags may not
549e17c0e32SGary W. Swearingenbe turned off;
550e17c0e32SGary W. Swearingendisks for mounted file systems,
551e17c0e32SGary W. Swearingen.Pa /dev/mem ,
552e17c0e32SGary W. Swearingen.Pa /dev/kmem
553e17c0e32SGary W. Swearingenand
554e17c0e32SGary W. Swearingen.Pa /dev/io
555e17c0e32SGary W. Swearingen(if your platform has it) may not be opened for writing;
556e17c0e32SGary W. Swearingenkernel modules (see
557e17c0e32SGary W. Swearingen.Xr kld 4 )
558e17c0e32SGary W. Swearingenmay not be loaded or unloaded.
559e17c0e32SGary W. Swearingen.It Ic 2
560e17c0e32SGary W. SwearingenHighly secure mode \- same as secure mode, plus disks may not be
561e17c0e32SGary W. Swearingenopened for writing (except by
562e17c0e32SGary W. Swearingen.Xr mount 2 )
563e17c0e32SGary W. Swearingenwhether mounted or not.
564e17c0e32SGary W. SwearingenThis level precludes tampering with file systems by unmounting them,
565e17c0e32SGary W. Swearingenbut also inhibits running
566e17c0e32SGary W. Swearingen.Xr newfs 8
567e17c0e32SGary W. Swearingenwhile the system is multi-user.
568e17c0e32SGary W. Swearingen.Pp
569e17c0e32SGary W. SwearingenIn addition, kernel time changes are restricted to less than or equal to one
570e17c0e32SGary W. Swearingensecond.
571e17c0e32SGary W. SwearingenAttempts to change the time by more than this will log the message
572e17c0e32SGary W. Swearingen.Dq Time adjustment clamped to +1 second .
573e17c0e32SGary W. Swearingen.It Ic 3
574e17c0e32SGary W. SwearingenNetwork secure mode \- same as highly secure mode, plus
575e17c0e32SGary W. SwearingenIP packet filter rules (see
576e17c0e32SGary W. Swearingen.Xr ipfw 8 ,
577e17c0e32SGary W. Swearingen.Xr ipfirewall 4
578e17c0e32SGary W. Swearingenand
579e17c0e32SGary W. Swearingen.Xr pfctl 8 )
580e17c0e32SGary W. Swearingencannot be changed and
581e17c0e32SGary W. Swearingen.Xr dummynet 4
582e17c0e32SGary W. Swearingenor
583e17c0e32SGary W. Swearingen.Xr pf 4
584e17c0e32SGary W. Swearingenconfiguration cannot be adjusted.
585e17c0e32SGary W. Swearingen.El
586e17c0e32SGary W. Swearingen.Pp
5870ebb41beSCeri DaviesThe security level can be configured with variables documented in
588e17c0e32SGary W. Swearingen.Xr rc.conf 8 .
589f063d76aSMatthew Dillon.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC
590f063d76aSMatthew DillonWhen it comes right down to it, you can only protect your core system
591f063d76aSMatthew Dillonconfiguration and control files so much before the convenience factor
592454ba768SRuslan Ermilovrears its ugly head.
593454ba768SRuslan ErmilovFor example, using
594454ba768SRuslan Ermilov.Xr chflags 1
595454ba768SRuslan Ermilovto set the
596454ba768SRuslan Ermilov.Cm schg
597454ba768SRuslan Ermilovbit on most of the files in
598454ba768SRuslan Ermilov.Pa /
599454ba768SRuslan Ermilovand
600454ba768SRuslan Ermilov.Pa /usr
601454ba768SRuslan Ermilovis probably counterproductive because
602454ba768SRuslan Ermilovwhile it may protect the files, it also closes a detection window.
603454ba768SRuslan ErmilovThe
60447afd1f8SDaniel Harrislast layer of your security onion is perhaps the most important \(em detection.
605d93b26d6SMatthew DillonThe rest of your security is pretty much useless (or, worse, presents you with
606454ba768SRuslan Ermilova false sense of safety) if you cannot detect potential incursions.
607454ba768SRuslan ErmilovHalf
608074ad115SRuslan Ermilovthe job of the onion is to slow down the attacker rather than stop him
6094c0d8029SDaniel Harrisin order to give the detection layer a chance to catch him in
610d93b26d6SMatthew Dillonthe act.
611f063d76aSMatthew Dillon.Pp
612d93b26d6SMatthew DillonThe best way to detect an incursion is to look for modified, missing, or
613454ba768SRuslan Ermilovunexpected files.
614454ba768SRuslan ErmilovThe best
615d93b26d6SMatthew Dillonway to look for modified files is from another (often centralized)
616d93b26d6SMatthew Dillonlimited-access system.
617d93b26d6SMatthew DillonWriting your security scripts on the extra-secure limited-access system
61847afd1f8SDaniel Harrismakes them mostly invisible to potential attackers, and this is important.
619d93b26d6SMatthew DillonIn order to take maximum advantage you generally have to give the
620d93b26d6SMatthew Dillonlimited-access box significant access to the other machines in the business,
621d93b26d6SMatthew Dillonusually either by doing a read-only NFS export of the other machines to the
622454ba768SRuslan Ermilovlimited-access box, or by setting up SSH keypairs to allow the limit-access
623454ba768SRuslan Ermilovbox to SSH to the other machines.
624454ba768SRuslan ErmilovExcept for its network traffic, NFS is
62547afd1f8SDaniel Harristhe least visible method \(em allowing you to monitor the file systems on each
626454ba768SRuslan Ermilovclient box virtually undetected.
627454ba768SRuslan ErmilovIf your
628d93b26d6SMatthew Dillonlimited-access server is connected to the client boxes through a switch,
629454ba768SRuslan Ermilovthe NFS method is often the better choice.
630454ba768SRuslan ErmilovIf your limited-access server
631d93b26d6SMatthew Dillonis connected to the client boxes through a hub or through several layers
632454ba768SRuslan Ermilovof routing, the NFS method may be too insecure (network-wise) and using SSH
633454ba768SRuslan Ermilovmay be the better choice even with the audit-trail tracks that SSH lays.
634d93b26d6SMatthew Dillon.Pp
635d93b26d6SMatthew DillonOnce you give a limit-access box at least read access to the client systems
636d93b26d6SMatthew Dillonit is supposed to monitor, you must write scripts to do the actual
637454ba768SRuslan Ermilovmonitoring.
638454ba768SRuslan ErmilovGiven an NFS mount, you can write scripts out of simple system
639d93b26d6SMatthew Dillonutilities such as
640d93b26d6SMatthew Dillon.Xr find 1
641d93b26d6SMatthew Dillonand
642454ba768SRuslan Ermilov.Xr md5 1 .
643454ba768SRuslan ErmilovIt is best to physically
644d93b26d6SMatthew Dillon.Xr md5 1
645454ba768SRuslan Ermilovthe client-box files boxes at least once a
646ad27d066SMatthew Dillonday, and to test control files such as those found in
647ad27d066SMatthew Dillon.Pa /etc
648ad27d066SMatthew Dillonand
649ad27d066SMatthew Dillon.Pa /usr/local/etc
650454ba768SRuslan Ermiloveven more often.
651454ba768SRuslan ErmilovWhen mismatches are found relative to the base MD5
652d93b26d6SMatthew Dilloninformation the limited-access machine knows is valid, it should scream at
653454ba768SRuslan Ermilova sysadmin to go check it out.
654454ba768SRuslan ErmilovA good security script will also check for
655454ba768SRuslan Ermilovinappropriate SUID binaries and for new or deleted files on system partitions
656d93b26d6SMatthew Dillonsuch as
657d93b26d6SMatthew Dillon.Pa /
658568e4cbbSGuy Helmerand
659454ba768SRuslan Ermilov.Pa /usr .
660f063d76aSMatthew Dillon.Pp
661454ba768SRuslan ErmilovWhen using SSH rather than NFS, writing the security script is much more
662454ba768SRuslan Ermilovdifficult.
663454ba768SRuslan ErmilovYou essentially have to
664454ba768SRuslan Ermilov.Xr scp 1
665d93b26d6SMatthew Dillonthe scripts to the client box in order to run them, making them visible, and
666454ba768SRuslan Ermilovfor safety you also need to
667454ba768SRuslan Ermilov.Xr scp 1
668454ba768SRuslan Ermilovthe binaries (such as
669454ba768SRuslan Ermilov.Xr find 1 )
670454ba768SRuslan Ermilovthat those scripts use.
671454ba768SRuslan ErmilovThe
672454ba768SRuslan Ermilov.Xr sshd 8
673454ba768SRuslan Ermilovdaemon on the client box may already be compromised.
674454ba768SRuslan ErmilovAll in all,
675454ba768SRuslan Ermilovusing SSH may be necessary when running over unsecure links, but it is also a
676d93b26d6SMatthew Dillonlot harder to deal with.
677f063d76aSMatthew Dillon.Pp
678f063d76aSMatthew DillonA good security script will also check for changes to user and staff members
679ad27d066SMatthew Dillonaccess configuration files:
680454ba768SRuslan Ermilov.Pa .rhosts , .shosts , .ssh/authorized_keys
6815203edcdSRuslan Ermilovand so forth, files that might fall outside the purview of the MD5 check.
682f063d76aSMatthew Dillon.Pp
683d93b26d6SMatthew DillonIf you have a huge amount of user disk space it may take too long to run
684454ba768SRuslan Ermilovthrough every file on those partitions.
685454ba768SRuslan ErmilovIn this case, setting mount
686e354922cSRuslan Ermilovflags to disallow SUID binaries on those partitions is a good
687454ba768SRuslan Ermilovidea.
688454ba768SRuslan ErmilovThe
689454ba768SRuslan Ermilov.Cm nosuid
690e354922cSRuslan Ermilovoption
691c4d9468eSRuslan Ermilov(see
692c4d9468eSRuslan Ermilov.Xr mount 8 )
693e354922cSRuslan Ermilovis what you want to look into.
694454ba768SRuslan ErmilovI would scan them anyway at least once a
695d93b26d6SMatthew Dillonweek, since the object of this layer is to detect a break-in whether or
696a30de06bSCeri Daviesnot the break-in is effective.
697f063d76aSMatthew Dillon.Pp
698568e4cbbSGuy HelmerProcess accounting
699c4d9468eSRuslan Ermilov(see
700c4d9468eSRuslan Ermilov.Xr accton 8 )
701568e4cbbSGuy Helmeris a relatively low-overhead feature of
7026ac7e896SDavid E. O'Brienthe operating system which I recommend using as a post-break-in evaluation
703454ba768SRuslan Ermilovmechanism.
704454ba768SRuslan ErmilovIt is especially useful in tracking down how an intruder has
705d93b26d6SMatthew Dillonactually broken into a system, assuming the file is still intact after
7066ac7e896SDavid E. O'Brienthe break-in occurs.
707f063d76aSMatthew Dillon.Pp
708f063d76aSMatthew DillonFinally, security scripts should process the log files and the logs themselves
70947afd1f8SDaniel Harrisshould be generated in as secure a manner as possible \(em remote syslog can be
710454ba768SRuslan Ermilovvery useful.
711454ba768SRuslan ErmilovAn intruder tries to cover his tracks, and log files are critical
712d93b26d6SMatthew Dillonto the sysadmin trying to track down the time and method of the initial
713454ba768SRuslan Ermilovbreak-in.
714454ba768SRuslan ErmilovOne way to keep a permanent record of the log files is to run
715d93b26d6SMatthew Dillonthe system console to a serial port and collect the information on a
716d93b26d6SMatthew Dilloncontinuing basis through a secure machine monitoring the consoles.
717f063d76aSMatthew Dillon.Sh PARANOIA
718454ba768SRuslan ErmilovA little paranoia never hurts.
719454ba768SRuslan ErmilovAs a rule, a sysadmin can add any number
72047afd1f8SDaniel Harrisof security features as long as they do not affect convenience, and
72147afd1f8SDaniel Harriscan add security features that do affect convenience with some added
722454ba768SRuslan Ermilovthought.
723454ba768SRuslan ErmilovEven more importantly, a security administrator should mix it up
72447afd1f8SDaniel Harrisa bit \(em if you use recommendations such as those given by this manual
725d93b26d6SMatthew Dillonpage verbatim, you give away your methodologies to the prospective
72647afd1f8SDaniel Harrisattacker who also has access to this manual page.
727454ba768SRuslan Ermilov.Sh SPECIAL SECTION ON DoS ATTACKS
728454ba768SRuslan ErmilovThis section covers Denial of Service attacks.
729454ba768SRuslan ErmilovA DoS attack is typically a packet attack.
730454ba768SRuslan ErmilovWhile there is not much you can do about modern spoofed
731f063d76aSMatthew Dillonpacket attacks that saturate your network, you can generally limit the damage
732f063d76aSMatthew Dillonby ensuring that the attacks cannot take down your servers.
733f063d76aSMatthew Dillon.Bl -enum -offset indent
734f063d76aSMatthew Dillon.It
735f063d76aSMatthew DillonLimiting server forks
736f063d76aSMatthew Dillon.It
737454ba768SRuslan ErmilovLimiting springboard attacks (ICMP response attacks, ping broadcast, etc.)
738f063d76aSMatthew Dillon.It
739f063d76aSMatthew DillonKernel Route Cache
740f063d76aSMatthew Dillon.El
741f063d76aSMatthew Dillon.Pp
742454ba768SRuslan ErmilovA common DoS attack is against a forking server that attempts to cause the
7436ac7e896SDavid E. O'Brienserver to eat processes, file descriptors, and memory until the machine
744454ba768SRuslan Ermilovdies.
745454ba768SRuslan ErmilovThe
746454ba768SRuslan Ermilov.Xr inetd 8
747454ba768SRuslan Ermilovserver
748568e4cbbSGuy Helmerhas several options to limit this sort of attack.
749f063d76aSMatthew DillonIt should be noted that while it is possible to prevent a machine from going
750f063d76aSMatthew Dillondown it is not generally possible to prevent a service from being disrupted
751454ba768SRuslan Ermilovby the attack.
752454ba768SRuslan ErmilovRead the
753454ba768SRuslan Ermilov.Xr inetd 8
754454ba768SRuslan Ermilovmanual page carefully and pay specific attention
755568e4cbbSGuy Helmerto the
756454ba768SRuslan Ermilov.Fl c , C ,
757568e4cbbSGuy Helmerand
758568e4cbbSGuy Helmer.Fl R
759454ba768SRuslan Ermilovoptions.
760454ba768SRuslan ErmilovNote that spoofed-IP attacks will circumvent
761568e4cbbSGuy Helmerthe
762568e4cbbSGuy Helmer.Fl C
763454ba768SRuslan Ermilovoption to
764454ba768SRuslan Ermilov.Xr inetd 8 ,
765454ba768SRuslan Ermilovso typically a combination of options must be used.
766f063d76aSMatthew DillonSome standalone servers have self-fork-limitation parameters.
767f063d76aSMatthew Dillon.Pp
768454ba768SRuslan ErmilovThe
769454ba768SRuslan Ermilov.Xr sendmail 8
770454ba768SRuslan Ermilovdaemon has its
771568e4cbbSGuy Helmer.Fl OMaxDaemonChildren
772568e4cbbSGuy Helmeroption which tends to work much
773454ba768SRuslan Ermilovbetter than trying to use
774454ba768SRuslan Ermilov.Xr sendmail 8 Ns 's
775454ba768SRuslan Ermilovload limiting options due to the
776454ba768SRuslan Ermilovload lag.
777454ba768SRuslan ErmilovYou should specify a
778454ba768SRuslan Ermilov.Va MaxDaemonChildren
779568e4cbbSGuy Helmerparameter when you start
780454ba768SRuslan Ermilov.Xr sendmail 8
781454ba768SRuslan Ermilovhigh enough to handle your expected load but not so high that the
782454ba768SRuslan Ermilovcomputer cannot handle that number of
783454ba768SRuslan Ermilov.Nm sendmail Ns 's
784454ba768SRuslan Ermilovwithout falling on its face.
785454ba768SRuslan ErmilovIt is also prudent to run
786454ba768SRuslan Ermilov.Xr sendmail 8
787454ba768SRuslan Ermilovin
788454ba768SRuslan Ermilov.Dq queued
789454ba768SRuslan Ermilovmode
790568e4cbbSGuy Helmer.Pq Fl ODeliveryMode=queued
791568e4cbbSGuy Helmerand to run the daemon
792454ba768SRuslan Ermilov.Pq Dq Nm sendmail Fl bd
793568e4cbbSGuy Helmerseparate from the queue-runs
794454ba768SRuslan Ermilov.Pq Dq Nm sendmail Fl q15m .
795454ba768SRuslan ErmilovIf you still want real-time delivery you can run the queue
796568e4cbbSGuy Helmerat a much lower interval, such as
797568e4cbbSGuy Helmer.Fl q1m ,
798568e4cbbSGuy Helmerbut be sure to specify a reasonable
799454ba768SRuslan Ermilov.Va MaxDaemonChildren
800454ba768SRuslan Ermilovoption for that
801454ba768SRuslan Ermilov.Xr sendmail 8
802454ba768SRuslan Ermilovto prevent cascade failures.
803f063d76aSMatthew Dillon.Pp
804454ba768SRuslan ErmilovThe
805454ba768SRuslan Ermilov.Xr syslogd 8
806454ba768SRuslan Ermilovdaemon can be attacked directly and it is strongly recommended that you use
807568e4cbbSGuy Helmerthe
808568e4cbbSGuy Helmer.Fl s
809568e4cbbSGuy Helmeroption whenever possible, and the
810568e4cbbSGuy Helmer.Fl a
811568e4cbbSGuy Helmeroption otherwise.
812f063d76aSMatthew Dillon.Pp
813f063d76aSMatthew DillonYou should also be fairly careful
814f063d76aSMatthew Dillonwith connect-back services such as tcpwrapper's reverse-identd, which can
815454ba768SRuslan Ermilovbe attacked directly.
816454ba768SRuslan ErmilovYou generally do not want to use the reverse-ident
817f063d76aSMatthew Dillonfeature of tcpwrappers for this reason.
818f063d76aSMatthew Dillon.Pp
819f063d76aSMatthew DillonIt is a very good idea to protect internal services from external access
820454ba768SRuslan Ermilovby firewalling them off at your border routers.
821454ba768SRuslan ErmilovThe idea here is to prevent
822f063d76aSMatthew Dillonsaturation attacks from outside your LAN, not so much to protect internal
823454ba768SRuslan Ermilovservices from network-based root compromise.
824454ba768SRuslan ErmilovAlways configure an exclusive
825454ba768SRuslan Ermilovfirewall, i.e.,
826568e4cbbSGuy Helmer.So
82747afd1f8SDaniel Harrisfirewall everything
82847afd1f8SDaniel Harris.Em except
82947afd1f8SDaniel Harrisports A, B, C, D, and M-Z
830568e4cbbSGuy Helmer.Sc .
831568e4cbbSGuy HelmerThis
832f063d76aSMatthew Dillonway you can firewall off all of your low ports except for certain specific
833454ba768SRuslan Ermilovservices such as
834454ba768SRuslan Ermilov.Xr named 8
835c4d9468eSRuslan Ermilov(if you are primary for a zone),
836454ba768SRuslan Ermilov.Xr talkd 8 ,
837454ba768SRuslan Ermilov.Xr sendmail 8 ,
838f063d76aSMatthew Dillonand other internet-accessible services.
839f063d76aSMatthew DillonIf you try to configure the firewall the other
84047afd1f8SDaniel Harrisway \(em as an inclusive or permissive firewall, there is a good chance that you
841568e4cbbSGuy Helmerwill forget to
842454ba768SRuslan Ermilov.Dq close
843568e4cbbSGuy Helmera couple of services or that you will add a new internal
844454ba768SRuslan Ermilovservice and forget to update the firewall.
845454ba768SRuslan ErmilovYou can still open up the
846f063d76aSMatthew Dillonhigh-numbered port range on the firewall to allow permissive-like operation
847454ba768SRuslan Ermilovwithout compromising your low ports.
848454ba768SRuslan ErmilovAlso take note that
849f6f8f44dSAlexey Zelkin.Fx
850568e4cbbSGuy Helmerallows you to
851f063d76aSMatthew Dilloncontrol the range of port numbers used for dynamic binding via the various
852454ba768SRuslan Ermilov.Va net.inet.ip.portrange
853454ba768SRuslan Ermilovsysctl's
854454ba768SRuslan Ermilov.Pq Dq Li "sysctl net.inet.ip.portrange" ,
855568e4cbbSGuy Helmerwhich can also
856454ba768SRuslan Ermilovease the complexity of your firewall's configuration.
857454ba768SRuslan ErmilovI usually use a normal
858f063d76aSMatthew Dillonfirst/last range of 4000 to 5000, and a hiport range of 49152 to 65535, then
859568e4cbbSGuy Helmerblock everything under 4000 off in my firewall
860c4d9468eSRuslan Ermilov(except for certain specific
861c4d9468eSRuslan Ermilovinternet-accessible ports, of course).
862f063d76aSMatthew Dillon.Pp
863454ba768SRuslan ErmilovAnother common DoS attack is called a springboard attack \(em to attack a server
864f063d76aSMatthew Dillonin a manner that causes the server to generate responses which then overload
865454ba768SRuslan Ermilovthe server, the local network, or some other machine.
866454ba768SRuslan ErmilovThe most common attack
867454ba768SRuslan Ermilovof this nature is the ICMP PING BROADCAST attack.
868454ba768SRuslan ErmilovThe attacker spoofs ping
869f063d76aSMatthew Dillonpackets sent to your LAN's broadcast address with the source IP address set
870454ba768SRuslan Ermilovto the actual machine they wish to attack.
871454ba768SRuslan ErmilovIf your border routers are not
872f063d76aSMatthew Dillonconfigured to stomp on ping's to broadcast addresses, your LAN winds up
873f063d76aSMatthew Dillongenerating sufficient responses to the spoofed source address to saturate the
874f063d76aSMatthew Dillonvictim, especially when the attacker uses the same trick on several dozen
875454ba768SRuslan Ermilovbroadcast addresses over several dozen different networks at once.
876454ba768SRuslan ErmilovBroadcast attacks of over a hundred and twenty megabits have been measured.
877454ba768SRuslan ErmilovA second common springboard attack is against the ICMP error reporting system.
878454ba768SRuslan ErmilovBy
879f063d76aSMatthew Dillonconstructing packets that generate ICMP error responses, an attacker can
880f063d76aSMatthew Dillonsaturate a server's incoming network and cause the server to saturate its
881454ba768SRuslan Ermilovoutgoing network with ICMP responses.
882454ba768SRuslan ErmilovThis type of attack can also crash the
883454ba768SRuslan Ermilovserver by running it out of
884454ba768SRuslan Ermilov.Vt mbuf Ns 's ,
885454ba768SRuslan Ermilovespecially if the server cannot drain the
886454ba768SRuslan ErmilovICMP responses it generates fast enough.
887454ba768SRuslan ErmilovThe
888f6f8f44dSAlexey Zelkin.Fx
889568e4cbbSGuy Helmerkernel has a new kernel
890454ba768SRuslan Ermilovcompile option called
891454ba768SRuslan Ermilov.Dv ICMP_BANDLIM
892454ba768SRuslan Ermilovwhich limits the effectiveness of these
893454ba768SRuslan Ermilovsorts of attacks.
894454ba768SRuslan ErmilovThe last major class of springboard attacks is related to
895454ba768SRuslan Ermilovcertain internal
896454ba768SRuslan Ermilov.Xr inetd 8
897454ba768SRuslan Ermilovservices such as the UDP echo service.
898454ba768SRuslan ErmilovAn attacker
899f063d76aSMatthew Dillonsimply spoofs a UDP packet with the source address being server A's echo port,
900f063d76aSMatthew Dillonand the destination address being server B's echo port, where server A and B
901454ba768SRuslan Ermilovare both on your LAN.
902454ba768SRuslan ErmilovThe two servers then bounce this one packet back and
903454ba768SRuslan Ermilovforth between each other.
904454ba768SRuslan ErmilovThe attacker can overload both servers and their
905454ba768SRuslan ErmilovLANs simply by injecting a few packets in this manner.
906454ba768SRuslan ErmilovSimilar problems
907454ba768SRuslan Ermilovexist with the internal chargen port.
908454ba768SRuslan ErmilovA competent sysadmin will turn off all
909454ba768SRuslan Ermilovof these
910454ba768SRuslan Ermilov.Xr inetd 8 Ns -internal
911454ba768SRuslan Ermilovtest services.
912f063d76aSMatthew Dillon.Pp
913f063d76aSMatthew DillonSpoofed packet attacks may also be used to overload the kernel route cache.
914454ba768SRuslan ErmilovRefer to the
915454ba768SRuslan Ermilov.Va net.inet.ip.rtexpire , net.inet.ip.rtminexpire ,
916454ba768SRuslan Ermilovand
917454ba768SRuslan Ermilov.Va net.inet.ip.rtmaxcache
918454ba768SRuslan Ermilov.Xr sysctl 8
919454ba768SRuslan Ermilovvariables.
920454ba768SRuslan ErmilovA spoofed packet attack that uses a random source IP will cause
921f063d76aSMatthew Dillonthe kernel to generate a temporary cached route in the route table, viewable
922568e4cbbSGuy Helmerwith
923454ba768SRuslan Ermilov.Dq Li "netstat -rna | fgrep W3" .
924568e4cbbSGuy HelmerThese routes typically timeout in 1600
925454ba768SRuslan Ermilovseconds or so.
926454ba768SRuslan ErmilovIf the kernel detects that the cached route table has gotten
927454ba768SRuslan Ermilovtoo big it will dynamically reduce the
928454ba768SRuslan Ermilov.Va rtexpire
929454ba768SRuslan Ermilovbut will never decrease it to
930454ba768SRuslan Ermilovless than
931454ba768SRuslan Ermilov.Va rtminexpire .
932454ba768SRuslan ErmilovThere are two problems: (1) The kernel does not react
933f063d76aSMatthew Dillonquickly enough when a lightly loaded server is suddenly attacked, and (2) The
934454ba768SRuslan Ermilov.Va rtminexpire
935454ba768SRuslan Ermilovis not low enough for the kernel to survive a sustained attack.
936f063d76aSMatthew DillonIf your servers are connected to the internet via a T3 or better it may be
937454ba768SRuslan Ermilovprudent to manually override both
938454ba768SRuslan Ermilov.Va rtexpire
939454ba768SRuslan Ermilovand
940454ba768SRuslan Ermilov.Va rtminexpire
941454ba768SRuslan Ermilovvia
94285752545SGuy Helmer.Xr sysctl 8 .
943568e4cbbSGuy HelmerNever set either parameter to zero
944c4d9468eSRuslan Ermilov(unless you want to crash the machine :-)).
945f063d76aSMatthew DillonSetting both parameters to 2 seconds should be sufficient to protect the route
946f063d76aSMatthew Dillontable from attack.
947d93b26d6SMatthew Dillon.Sh ACCESS ISSUES WITH KERBEROS AND SSH
948454ba768SRuslan ErmilovThere are a few issues with both Kerberos and SSH that need to be addressed
949454ba768SRuslan Ermilovif you intend to use them.
950454ba768SRuslan ErmilovKerberos5 is an excellent authentication
951454ba768SRuslan Ermilovprotocol but the kerberized
952454ba768SRuslan Ermilov.Xr telnet 1
953454ba768SRuslan Ermilovand
954454ba768SRuslan Ermilov.Xr rlogin 1
955454ba768SRuslan Ermilovsuck rocks.
956454ba768SRuslan ErmilovThere are bugs that make them unsuitable for dealing with binary streams.
957454ba768SRuslan ErmilovAlso, by default
958454ba768SRuslan ErmilovKerberos does not encrypt a session unless you use the
959d93b26d6SMatthew Dillon.Fl x
960454ba768SRuslan Ermilovoption.
961454ba768SRuslan ErmilovSSH encrypts everything by default.
962d93b26d6SMatthew Dillon.Pp
963454ba768SRuslan ErmilovSSH works quite well in every respect except when it is set up to
9649baaab27SDima Dorfmanforward encryption keys.
9659baaab27SDima DorfmanWhat this means is that if you have a secure workstation holding
966454ba768SRuslan Ermilovkeys that give you access to the rest of the system, and you
967454ba768SRuslan Ermilov.Xr ssh 1
968454ba768SRuslan Ermilovto an
969454ba768SRuslan Ermilovunsecure machine, your keys become exposed.
970454ba768SRuslan ErmilovThe actual keys themselves are
971454ba768SRuslan Ermilovnot exposed, but
972454ba768SRuslan Ermilov.Xr ssh 1
973454ba768SRuslan Ermilovinstalls a forwarding port for the duration of your
97447afd1f8SDaniel Harrislogin and if an attacker has broken root on the unsecure machine he can utilize
975d93b26d6SMatthew Dillonthat port to use your keys to gain access to any other machine that your
976d93b26d6SMatthew Dillonkeys unlock.
977d93b26d6SMatthew Dillon.Pp
978454ba768SRuslan ErmilovWe recommend that you use SSH in combination with Kerberos whenever possible
979454ba768SRuslan Ermilovfor staff logins.
980454ba768SRuslan ErmilovSSH can be compiled with Kerberos support.
981454ba768SRuslan ErmilovThis reduces
982454ba768SRuslan Ermilovyour reliance on potentially exposable SSH keys while at the same time
983454ba768SRuslan Ermilovprotecting passwords via Kerberos.
984454ba768SRuslan ErmilovSSH keys
985d93b26d6SMatthew Dillonshould only be used for automated tasks from secure machines (something
986454ba768SRuslan Ermilovthat Kerberos is unsuited to).
987454ba768SRuslan ErmilovWe also recommend that you either turn off
988454ba768SRuslan Ermilovkey-forwarding in the SSH configuration, or that you make use of the
989454ba768SRuslan Ermilov.Va from Ns = Ns Ar IP/DOMAIN
990454ba768SRuslan Ermilovoption that SSH allows in its
991d93b26d6SMatthew Dillon.Pa authorized_keys
9927c86a74bSMike Pritchardfile to make the key only usable to entities logging in from specific
993d93b26d6SMatthew Dillonmachines.
994f063d76aSMatthew Dillon.Sh SEE ALSO
995f063d76aSMatthew Dillon.Xr chflags 1 ,
996f063d76aSMatthew Dillon.Xr find 1 ,
997f063d76aSMatthew Dillon.Xr md5 1 ,
998f6f8f44dSAlexey Zelkin.Xr netstat 1 ,
9998596de53SNik Clayton.Xr openssl 1 ,
10005521ff5aSRuslan Ermilov.Xr ssh 1 ,
1001f0ea72a0SChristian Brueffer.Xr xdm 1 Pq Pa ports/x11/xorg-clients ,
1002d93b26d6SMatthew Dillon.Xr group 5 ,
1003ad27d066SMatthew Dillon.Xr ttys 5 ,
10048596de53SNik Clayton.Xr accton 8 ,
1005d93b26d6SMatthew Dillon.Xr init 8 ,
10068596de53SNik Clayton.Xr sshd 8 ,
1007ad27d066SMatthew Dillon.Xr sysctl 8 ,
10088596de53SNik Clayton.Xr syslogd 8 ,
1009ad27d066SMatthew Dillon.Xr vipw 8
1010f063d76aSMatthew Dillon.Sh HISTORY
1011f063d76aSMatthew DillonThe
1012f063d76aSMatthew Dillon.Nm
1013568e4cbbSGuy Helmermanual page was originally written by
1014568e4cbbSGuy Helmer.An Matthew Dillon
1015568e4cbbSGuy Helmerand first appeared
1016568e4cbbSGuy Helmerin
101785752545SGuy Helmer.Fx 3.1 ,
1018568e4cbbSGuy HelmerDecember 1998.
1019