15ecb12e3SWarner Losh.\" Copyright (C) 1998 Matthew Dillon. All rights reserved. 25ecb12e3SWarner Losh.\" 35ecb12e3SWarner Losh.\" Redistribution and use in source and binary forms, with or without 45ecb12e3SWarner Losh.\" modification, are permitted provided that the following conditions 55ecb12e3SWarner Losh.\" are met: 65ecb12e3SWarner Losh.\" 1. Redistributions of source code must retain the above copyright 75ecb12e3SWarner Losh.\" notice, this list of conditions and the following disclaimer. 85ecb12e3SWarner Losh.\" 2. Redistributions in binary form must reproduce the above copyright 95ecb12e3SWarner Losh.\" notice, this list of conditions and the following disclaimer in the 105ecb12e3SWarner Losh.\" documentation and/or other materials provided with the distribution. 115ecb12e3SWarner Losh.\" 125ecb12e3SWarner Losh.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND 135ecb12e3SWarner Losh.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 145ecb12e3SWarner Losh.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 155ecb12e3SWarner Losh.\" ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE 165ecb12e3SWarner Losh.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 175ecb12e3SWarner Losh.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 185ecb12e3SWarner Losh.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 195ecb12e3SWarner Losh.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 205ecb12e3SWarner Losh.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 215ecb12e3SWarner Losh.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 225ecb12e3SWarner Losh.\" SUCH DAMAGE. 23f063d76aSMatthew Dillon.\" 247f3dea24SPeter Wemm.\" $FreeBSD$ 25f063d76aSMatthew Dillon.\" 26e354922cSRuslan Ermilov.Dd November 29, 2004 27f063d76aSMatthew Dillon.Dt SECURITY 7 283d45e180SRuslan Ermilov.Os 29f063d76aSMatthew Dillon.Sh NAME 30f063d76aSMatthew Dillon.Nm security 3152fc88b5SGiorgos Keramidas.Nd introduction to security under FreeBSD 32f063d76aSMatthew Dillon.Sh DESCRIPTION 33f063d76aSMatthew DillonSecurity is a function that begins and ends with the system administrator. 34f063d76aSMatthew DillonWhile all 35f063d76aSMatthew Dillon.Bx 36d93b26d6SMatthew Dillonmulti-user systems have some inherent security, the job of building and 37992e4638SRobert Watsonmaintaining additional security mechanisms to keep users 38454ba768SRuslan Ermilov.Dq honest 39568e4cbbSGuy Helmeris probably 40454ba768SRuslan Ermilovone of the single largest undertakings of the sysadmin. 41454ba768SRuslan ErmilovMachines are 42f063d76aSMatthew Dillononly as secure as you make them, and security concerns are ever competing 43568e4cbbSGuy Helmerwith the human necessity for convenience. 44568e4cbbSGuy Helmer.Ux 45568e4cbbSGuy Helmersystems, 466ac7e896SDavid E. O'Brienin general, are capable of running a huge number of simultaneous processes 47454ba768SRuslan Ermilovand many of these processes operate as servers \(em meaning that external 48454ba768SRuslan Ermiloventities can connect and talk to them. 49454ba768SRuslan ErmilovAs yesterday's mini-computers and mainframes 50f063d76aSMatthew Dillonbecome today's desktops, and as computers become networked and internetworked, 51f063d76aSMatthew Dillonsecurity becomes an ever bigger issue. 52f063d76aSMatthew Dillon.Pp 53454ba768SRuslan ErmilovSecurity is best implemented through a layered onion approach. 54454ba768SRuslan ErmilovIn a nutshell, 55d93b26d6SMatthew Dillonwhat you want to do is to create as many layers of security as are convenient 56454ba768SRuslan Ermilovand then carefully monitor the system for intrusions. 57454ba768SRuslan ErmilovYou do not want to 587c86a74bSMike Pritchardoverbuild your security or you will interfere with the detection side, and 59d93b26d6SMatthew Dillondetection is one of the single most important aspects of any security 60454ba768SRuslan Ermilovmechanism. 61454ba768SRuslan ErmilovFor example, it makes little sense to set the 62454ba768SRuslan Ermilov.Cm schg 63d93b26d6SMatthew Dillonflags 64c4d9468eSRuslan Ermilov(see 65c4d9468eSRuslan Ermilov.Xr chflags 1 ) 66d93b26d6SMatthew Dillonon every system binary because while this may temporarily protect the 6747afd1f8SDaniel Harrisbinaries, it prevents an attacker who has broken in from making an 68d93b26d6SMatthew Dilloneasily detectable change that may result in your security mechanisms not 6947afd1f8SDaniel Harrisdetecting the attacker at all. 70d93b26d6SMatthew Dillon.Pp 71454ba768SRuslan ErmilovSystem security also pertains to dealing with various forms of attacks, 72d93b26d6SMatthew Dillonincluding attacks that attempt to crash or otherwise make a system unusable 73454ba768SRuslan Ermilovbut do not attempt to break root. 74454ba768SRuslan ErmilovSecurity concerns can be split up into 75d93b26d6SMatthew Dillonseveral categories: 76f063d76aSMatthew Dillon.Bl -enum -offset indent 77f063d76aSMatthew Dillon.It 78454ba768SRuslan ErmilovDenial of Service attacks (DoS) 79f063d76aSMatthew Dillon.It 80f063d76aSMatthew DillonUser account compromises 81f063d76aSMatthew Dillon.It 826ac7e896SDavid E. O'BrienRoot compromise through accessible servers 83f063d76aSMatthew Dillon.It 846ac7e896SDavid E. O'BrienRoot compromise via user accounts 85d93b26d6SMatthew Dillon.It 86d93b26d6SMatthew DillonBackdoor creation 87f063d76aSMatthew Dillon.El 88f063d76aSMatthew Dillon.Pp 89f063d76aSMatthew DillonA denial of service attack is an action that deprives the machine of needed 90454ba768SRuslan Ermilovresources. 91454ba768SRuslan ErmilovTypically, DoS attacks are brute-force mechanisms that attempt 92f063d76aSMatthew Dillonto crash or otherwise make a machine unusable by overwhelming its servers or 93454ba768SRuslan Ermilovnetwork stack. 94454ba768SRuslan ErmilovSome DoS attacks try to take advantages of bugs in the 95454ba768SRuslan Ermilovnetworking stack to crash a machine with a single packet. 96454ba768SRuslan ErmilovThe latter can 97454ba768SRuslan Ermilovonly be fixed by applying a bug fix to the kernel. 98454ba768SRuslan ErmilovAttacks on servers can 99d93b26d6SMatthew Dillonoften be fixed by properly specifying options to limit the load the servers 100454ba768SRuslan Ermilovincur on the system under adverse conditions. 101454ba768SRuslan ErmilovBrute-force network attacks are harder to deal with. 102454ba768SRuslan ErmilovA spoofed-packet attack, for example, is 1037c86a74bSMike Pritchardnearly impossible to stop short of cutting your system off from the Internet. 1047c86a74bSMike PritchardIt may not be able to take your machine down, but it can fill up Internet 105d93b26d6SMatthew Dillonpipe. 106f063d76aSMatthew Dillon.Pp 107454ba768SRuslan ErmilovA user account compromise is even more common than a DoS attack. 108454ba768SRuslan ErmilovMany 109454ba768SRuslan Ermilovsysadmins still run standard 110454ba768SRuslan Ermilov.Xr telnetd 8 , 111454ba768SRuslan Ermilov.Xr rlogind 8 , 112454ba768SRuslan Ermilov.Xr rshd 8 , 113454ba768SRuslan Ermilovand 114454ba768SRuslan Ermilov.Xr ftpd 8 115454ba768SRuslan Ermilovservers on their machines. 116454ba768SRuslan ErmilovThese servers, by default, do not operate over encrypted 117454ba768SRuslan Ermilovconnections. 118454ba768SRuslan ErmilovThe result is that if you have any moderate-sized user base, 119f063d76aSMatthew Dillonone or more of your users logging into your system from a remote location 120c4d9468eSRuslan Ermilov(which is the most common and convenient way to log in to a system) 121454ba768SRuslan Ermilovwill have his or her password sniffed. 122454ba768SRuslan ErmilovThe attentive system administrator will analyze 123d93b26d6SMatthew Dillonhis remote access logs looking for suspicious source addresses 124f063d76aSMatthew Dilloneven for successful logins. 125f063d76aSMatthew Dillon.Pp 126f063d76aSMatthew DillonOne must always assume that once an attacker has access to a user account, 127454ba768SRuslan Ermilovthe attacker can break root. 128454ba768SRuslan ErmilovHowever, the reality is that in a well secured 129f063d76aSMatthew Dillonand maintained system, access to a user account does not necessarily give the 130454ba768SRuslan Ermilovattacker access to root. 131454ba768SRuslan ErmilovThe distinction is important because without access 132f063d76aSMatthew Dillonto root the attacker cannot generally hide his tracks and may, at best, be 133b94231daSDima Dorfmanable to do nothing more than mess with the user's files or crash the machine. 134d93b26d6SMatthew DillonUser account compromises are very common because users tend not to take the 1357c86a74bSMike Pritchardprecautions that sysadmins take. 136f063d76aSMatthew Dillon.Pp 137d93b26d6SMatthew DillonSystem administrators must keep in mind that there are potentially many ways 138454ba768SRuslan Ermilovto break root on a machine. 139454ba768SRuslan ErmilovThe attacker may know the root password, 140d93b26d6SMatthew Dillonthe attacker 141f063d76aSMatthew Dillonmay find a bug in a root-run server and be able to break root over a network 142454ba768SRuslan Ermilovconnection to that server, or the attacker may know of a bug in an SUID-root 143f063d76aSMatthew Dillonprogram that allows the attacker to break root once he has broken into a 144454ba768SRuslan Ermilovuser's account. 145454ba768SRuslan ErmilovIf an attacker has found a way to break root on a machine, 146f167d7fbSSheldon Hearnthe attacker may not have a need to install a backdoor. 147d93b26d6SMatthew DillonMany of the root holes found and closed to date involve a considerable amount 14847afd1f8SDaniel Harrisof work by the attacker to clean up after himself, so most attackers do install 149454ba768SRuslan Ermilovbackdoors. 150454ba768SRuslan ErmilovThis gives you a convenient way to detect the attacker. 151454ba768SRuslan ErmilovMaking 15247afd1f8SDaniel Harrisit impossible for an attacker to install a backdoor may actually be detrimental 1534c0d8029SDaniel Harristo your security because it will not close off the hole the attacker used to 1544c0d8029SDaniel Harrisbreak in in the first place. 155f063d76aSMatthew Dillon.Pp 156d93b26d6SMatthew DillonSecurity remedies should always be implemented with a multi-layered 157454ba768SRuslan Ermilov.Dq onion peel 158f063d76aSMatthew Dillonapproach and can be categorized as follows: 159f063d76aSMatthew Dillon.Bl -enum -offset indent 160f063d76aSMatthew Dillon.It 161f063d76aSMatthew DillonSecuring root and staff accounts 162f063d76aSMatthew Dillon.It 163454ba768SRuslan ErmilovSecuring root \(em root-run servers and SUID/SGID binaries 164f063d76aSMatthew Dillon.It 165f063d76aSMatthew DillonSecuring user accounts 166f063d76aSMatthew Dillon.It 167f063d76aSMatthew DillonSecuring the password file 168f063d76aSMatthew Dillon.It 169f063d76aSMatthew DillonSecuring the kernel core, raw devices, and file systems 170f063d76aSMatthew Dillon.It 171d93b26d6SMatthew DillonQuick detection of inappropriate changes made to the system 172f063d76aSMatthew Dillon.It 173f063d76aSMatthew DillonParanoia 174f063d76aSMatthew Dillon.El 175f063d76aSMatthew Dillon.Sh SECURING THE ROOT ACCOUNT AND SECURING STAFF ACCOUNTS 176454ba768SRuslan ErmilovDo not bother securing staff accounts if you have not secured the root 177454ba768SRuslan Ermilovaccount. 178454ba768SRuslan ErmilovMost systems have a password assigned to the root account. 179454ba768SRuslan ErmilovThe 180568e4cbbSGuy Helmerfirst thing you do is assume that the password is 181454ba768SRuslan Ermilov.Em always 182454ba768SRuslan Ermilovcompromised. 183454ba768SRuslan ErmilovThis does not mean that you should remove the password. 184454ba768SRuslan ErmilovThe 185d93b26d6SMatthew Dillonpassword is almost always necessary for console access to the machine. 186d93b26d6SMatthew DillonWhat it does mean is that you should not make it possible to use the password 187d93b26d6SMatthew Dillonoutside of the console or possibly even with a 188d93b26d6SMatthew Dillon.Xr su 1 189454ba768SRuslan Ermilovutility. 190454ba768SRuslan ErmilovFor example, make sure that your PTYs are specified as being 191454ba768SRuslan Ermilov.Dq Li unsecure 192d93b26d6SMatthew Dillonin the 193454ba768SRuslan Ermilov.Pa /etc/ttys 194d93b26d6SMatthew Dillonfile 195454ba768SRuslan Ermilovso that direct root logins via 196454ba768SRuslan Ermilov.Xr telnet 1 197454ba768SRuslan Ermilovor 198454ba768SRuslan Ermilov.Xr rlogin 1 199454ba768SRuslan Ermilovare disallowed. 200454ba768SRuslan ErmilovIf using 201454ba768SRuslan Ermilovother login services such as 202454ba768SRuslan Ermilov.Xr sshd 8 , 203454ba768SRuslan Ermilovmake sure that direct root logins are 204454ba768SRuslan Ermilovdisabled there as well. 205454ba768SRuslan ErmilovConsider every access method \(em services such as 206454ba768SRuslan Ermilov.Xr ftp 1 207454ba768SRuslan Ermilovoften fall through the cracks. 208454ba768SRuslan ErmilovDirect root logins should only be allowed 209d93b26d6SMatthew Dillonvia the system console. 210f063d76aSMatthew Dillon.Pp 2117626ae52SMatthew DillonOf course, as a sysadmin you have to be able to get to root, so we open up 212454ba768SRuslan Ermilova few holes. 213454ba768SRuslan ErmilovBut we make sure these holes require additional password 214454ba768SRuslan Ermilovverification to operate. 215454ba768SRuslan ErmilovOne way to make root accessible is to add appropriate 216454ba768SRuslan Ermilovstaff accounts to the 217454ba768SRuslan Ermilov.Dq Li wheel 218454ba768SRuslan Ermilovgroup (in 219c4d9468eSRuslan Ermilov.Pa /etc/group ) . 220454ba768SRuslan ErmilovThe staff members placed in the 221454ba768SRuslan Ermilov.Li wheel 222454ba768SRuslan Ermilovgroup are allowed to 223454ba768SRuslan Ermilov.Xr su 1 224454ba768SRuslan Ermilovto root. 225454ba768SRuslan ErmilovYou should never give staff 226454ba768SRuslan Ermilovmembers native 227454ba768SRuslan Ermilov.Li wheel 228454ba768SRuslan Ermilovaccess by putting them in the 229454ba768SRuslan Ermilov.Li wheel 230454ba768SRuslan Ermilovgroup in their password entry. 231454ba768SRuslan ErmilovStaff accounts should be placed in a 232454ba768SRuslan Ermilov.Dq Li staff 233454ba768SRuslan Ermilovgroup, and then added to the 234454ba768SRuslan Ermilov.Li wheel 235454ba768SRuslan Ermilovgroup via the 236454ba768SRuslan Ermilov.Pa /etc/group 237454ba768SRuslan Ermilovfile. 238454ba768SRuslan ErmilovOnly those staff members who actually need to have root access 239454ba768SRuslan Ermilovshould be placed in the 240454ba768SRuslan Ermilov.Li wheel 241454ba768SRuslan Ermilovgroup. 242454ba768SRuslan ErmilovIt is also possible, when using an 243454ba768SRuslan Ermilovauthentication method such as Kerberos, to use Kerberos's 244454ba768SRuslan Ermilov.Pa .k5login 245d93b26d6SMatthew Dillonfile in the root account to allow a 246d93b26d6SMatthew Dillon.Xr ksu 1 247454ba768SRuslan Ermilovto root without having to place anyone at all in the 248454ba768SRuslan Ermilov.Li wheel 249454ba768SRuslan Ermilovgroup. 250454ba768SRuslan ErmilovThis 251454ba768SRuslan Ermilovmay be the better solution since the 252454ba768SRuslan Ermilov.Li wheel 253454ba768SRuslan Ermilovmechanism still allows an 254d93b26d6SMatthew Dillonintruder to break root if the intruder has gotten hold of your password 255454ba768SRuslan Ermilovfile and can break into a staff account. 256454ba768SRuslan ErmilovWhile having the 257454ba768SRuslan Ermilov.Li wheel 258454ba768SRuslan Ermilovmechanism 259454ba768SRuslan Ermilovis better than having nothing at all, it is not necessarily the safest 260d93b26d6SMatthew Dillonoption. 261f063d76aSMatthew Dillon.Pp 262f063d76aSMatthew DillonAn indirect way to secure the root account is to secure your staff accounts 263f063d76aSMatthew Dillonby using an alternative login access method and *'ing out the crypted password 264454ba768SRuslan Ermilovfor the staff accounts. 265454ba768SRuslan ErmilovThis way an intruder may be able to steal the password 26647afd1f8SDaniel Harrisfile but will not be able to break into any staff accounts or root, even if 26747afd1f8SDaniel Harrisroot has a crypted password associated with it (assuming, of course, that 268454ba768SRuslan Ermilovyou have limited root access to the console). 269454ba768SRuslan ErmilovStaff members 270f063d76aSMatthew Dillonget into their staff accounts through a secure login mechanism such as 271a3f9c9fcSRuslan Ermilov.Xr kerberos 8 272568e4cbbSGuy Helmeror 273568e4cbbSGuy Helmer.Xr ssh 1 274568e4cbbSGuy Helmerusing a private/public 275454ba768SRuslan Ermilovkey pair. 276454ba768SRuslan ErmilovWhen you use something like Kerberos you generally must secure 277454ba768SRuslan Ermilovthe machines which run the Kerberos servers and your desktop workstation. 278454ba768SRuslan ErmilovWhen you use a public/private key pair with SSH, you must generally secure 279454ba768SRuslan Ermilovthe machine you are logging in 280454ba768SRuslan Ermilov.Em from 281c4d9468eSRuslan Ermilov(typically your workstation), 282568e4cbbSGuy Helmerbut you can 283f063d76aSMatthew Dillonalso add an additional layer of protection to the key pair by password 284568e4cbbSGuy Helmerprotecting the keypair when you create it with 285568e4cbbSGuy Helmer.Xr ssh-keygen 1 . 286568e4cbbSGuy HelmerBeing able 2876ac7e896SDavid E. O'Briento *-out the passwords for staff accounts also guarantees that staff members 288454ba768SRuslan Ermilovcan only log in through secure access methods that you have set up. 289454ba768SRuslan ErmilovYou can 290f063d76aSMatthew Dillonthus force all staff members to use secure, encrypted connections for 291454ba768SRuslan Ermilovall their sessions which closes an important hole used by many intruders: that 292f063d76aSMatthew Dillonof sniffing the network from an unrelated, less secure machine. 293f063d76aSMatthew Dillon.Pp 294f063d76aSMatthew DillonThe more indirect security mechanisms also assume that you are logging in 295454ba768SRuslan Ermilovfrom a more restrictive server to a less restrictive server. 296454ba768SRuslan ErmilovFor example, 297454ba768SRuslan Ermilovif your main box is running all sorts of servers, your workstation should not 298454ba768SRuslan Ermilovbe running any. 299454ba768SRuslan ErmilovIn order for your workstation to be reasonably secure 300f063d76aSMatthew Dillonyou should run as few servers as possible, up to and including no servers 301f063d76aSMatthew Dillonat all, and you should run a password-protected screen blanker. 302f063d76aSMatthew DillonOf course, given physical access to 303454ba768SRuslan Ermilova workstation, an attacker can break any sort of security you put on it. 304f063d76aSMatthew DillonThis is definitely a problem that you should consider but you should also 3056ac7e896SDavid E. O'Brienconsider the fact that the vast majority of break-ins occur remotely, over 3067626ae52SMatthew Dillona network, from people who do not have physical access to your workstation or 307f063d76aSMatthew Dillonservers. 308f063d76aSMatthew Dillon.Pp 309454ba768SRuslan ErmilovUsing something like Kerberos also gives you the ability to disable or 310f063d76aSMatthew Dillonchange the password for a staff account in one place and have it immediately 311454ba768SRuslan Ermilovaffect all the machines the staff member may have an account on. 312454ba768SRuslan ErmilovIf a staff 313f063d76aSMatthew Dillonmember's account gets compromised, the ability to instantly change his 314454ba768SRuslan Ermilovpassword on all machines should not be underrated. 315454ba768SRuslan ErmilovWith discrete passwords, changing a password on N machines can be a mess. 316454ba768SRuslan ErmilovYou can also impose 317454ba768SRuslan Ermilovre-passwording restrictions with Kerberos: not only can a Kerberos ticket 318454ba768SRuslan Ermilovbe made to timeout after a while, but the Kerberos system can require that 319568e4cbbSGuy Helmerthe user choose a new password after a certain period of time 320c4d9468eSRuslan Ermilov(say, once a month). 32147afd1f8SDaniel Harris.Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES 322454ba768SRuslan ErmilovThe prudent sysadmin only runs the servers he needs to, no more, no less. 323454ba768SRuslan ErmilovBe aware that third party servers are often the most bug-prone. 324454ba768SRuslan ErmilovFor example, 325454ba768SRuslan Ermilovrunning an old version of 326454ba768SRuslan Ermilov.Xr imapd 8 327454ba768SRuslan Ermilovor 328f0ea72a0SChristian Brueffer.Xr popper 8 Pq Pa ports/mail/popper 329454ba768SRuslan Ermilovis like giving a universal root 330454ba768SRuslan Ermilovticket out to the entire world. 331454ba768SRuslan ErmilovNever run a server that you have not checked 332454ba768SRuslan Ermilovout carefully. 333454ba768SRuslan ErmilovMany servers do not need to be run as root. 334454ba768SRuslan ErmilovFor example, 335454ba768SRuslan Ermilovthe 336454ba768SRuslan Ermilov.Xr talkd 8 , 337454ba768SRuslan Ermilov.Xr comsat 8 , 338454ba768SRuslan Ermilovand 339454ba768SRuslan Ermilov.Xr fingerd 8 340454ba768SRuslan Ermilovdaemons can be run in special user 341454ba768SRuslan Ermilov.Dq sandboxes . 342454ba768SRuslan ErmilovA sandbox is not perfect unless you go to a large amount of trouble, but the 343454ba768SRuslan Ermilovonion approach to security still stands: if someone is able to break in 344f063d76aSMatthew Dillonthrough a server running in a sandbox, they still have to break out of the 345454ba768SRuslan Ermilovsandbox. 346454ba768SRuslan ErmilovThe more layers the attacker must break through, the lower the 347454ba768SRuslan Ermilovlikelihood of his success. 348454ba768SRuslan ErmilovRoot holes have historically been found in 349f063d76aSMatthew Dillonvirtually every server ever run as root, including basic system servers. 350454ba768SRuslan ErmilovIf you are running a machine through which people only log in via 351454ba768SRuslan Ermilov.Xr sshd 8 352454ba768SRuslan Ermilovand never log in via 353454ba768SRuslan Ermilov.Xr telnetd 8 , 354454ba768SRuslan Ermilov.Xr rshd 8 , 355454ba768SRuslan Ermilovor 356454ba768SRuslan Ermilov.Xr rlogind 8 , 357454ba768SRuslan Ermilovthen turn off those services! 358f063d76aSMatthew Dillon.Pp 359f6f8f44dSAlexey Zelkin.Fx 360454ba768SRuslan Ermilovnow defaults to running 361454ba768SRuslan Ermilov.Xr talkd 8 , 362454ba768SRuslan Ermilov.Xr comsat 8 , 363454ba768SRuslan Ermilovand 364454ba768SRuslan Ermilov.Xr fingerd 8 365454ba768SRuslan Ermilovin a sandbox. 366f063d76aSMatthew DillonAnother program which may be a candidate for running in a sandbox is 367568e4cbbSGuy Helmer.Xr named 8 . 368454ba768SRuslan ErmilovThe default 369454ba768SRuslan Ermilov.Pa rc.conf 370454ba768SRuslan Ermilovincludes the arguments necessary to run 371454ba768SRuslan Ermilov.Xr named 8 372454ba768SRuslan Ermilovin a sandbox in a commented-out form. 373454ba768SRuslan ErmilovDepending on whether you 374f063d76aSMatthew Dillonare installing a new system or upgrading an existing system, the special 375454ba768SRuslan Ermilovuser accounts used by these sandboxes may not be installed. 376454ba768SRuslan ErmilovThe prudent 3777626ae52SMatthew Dillonsysadmin would research and implement sandboxes for servers whenever possible. 378f063d76aSMatthew Dillon.Pp 379f063d76aSMatthew DillonThere are a number of other servers that typically do not run in sandboxes: 380454ba768SRuslan Ermilov.Xr sendmail 8 , 381454ba768SRuslan Ermilov.Xr popper 8 , 382454ba768SRuslan Ermilov.Xr imapd 8 , 383454ba768SRuslan Ermilov.Xr ftpd 8 , 384454ba768SRuslan Ermilovand others. 385454ba768SRuslan ErmilovThere are alternatives to 3869518a247SJens Schweikhardtsome of these, but installing them may require more work than you are willing 387568e4cbbSGuy Helmerto put 388c4d9468eSRuslan Ermilov(the convenience factor strikes again). 389568e4cbbSGuy HelmerYou may have to run these 3906ac7e896SDavid E. O'Brienservers as root and rely on other mechanisms to detect break-ins that might 391f063d76aSMatthew Dillonoccur through them. 392f063d76aSMatthew Dillon.Pp 393454ba768SRuslan ErmilovThe other big potential root hole in a system are the SUID-root and SGID 394454ba768SRuslan Ermilovbinaries installed on the system. 395454ba768SRuslan ErmilovMost of these binaries, such as 396454ba768SRuslan Ermilov.Xr rlogin 1 , 397568e4cbbSGuy Helmerreside in 398454ba768SRuslan Ermilov.Pa /bin , /sbin , /usr/bin , 399568e4cbbSGuy Helmeror 400568e4cbbSGuy Helmer.Pa /usr/sbin . 401568e4cbbSGuy HelmerWhile nothing is 100% safe, 402454ba768SRuslan Ermilovthe system-default SUID and SGID binaries can be considered reasonably safe. 403454ba768SRuslan ErmilovStill, root holes are occasionally found in these binaries. 404454ba768SRuslan ErmilovA root hole 405454ba768SRuslan Ermilovwas found in Xlib in 1998 that made 406f0ea72a0SChristian Brueffer.Xr xterm 1 Pq Pa ports/x11/xterm 407454ba768SRuslan Ermilov(which is typically SUID) 408568e4cbbSGuy Helmervulnerable. 409454ba768SRuslan ErmilovIt is better to be safe than sorry and the prudent sysadmin will restrict SUID 410f063d76aSMatthew Dillonbinaries that only staff should run to a special group that only staff can 411568e4cbbSGuy Helmeraccess, and get rid of 412454ba768SRuslan Ermilov.Pq Dq Li "chmod 000" 413454ba768SRuslan Ermilovany SUID binaries that nobody uses. 414454ba768SRuslan ErmilovA server with no display generally does not need an 415454ba768SRuslan Ermilov.Xr xterm 1 416454ba768SRuslan Ermilovbinary. 417454ba768SRuslan ErmilovSGID binaries can be almost as dangerous. 418454ba768SRuslan ErmilovIf an intruder can break an SGID-kmem binary the 419568e4cbbSGuy Helmerintruder might be able to read 420568e4cbbSGuy Helmer.Pa /dev/kmem 421568e4cbbSGuy Helmerand thus read the crypted password 422454ba768SRuslan Ermilovfile, potentially compromising any passworded account. 423454ba768SRuslan ErmilovAlternatively an 424454ba768SRuslan Ermilovintruder who breaks group 425454ba768SRuslan Ermilov.Dq Li kmem 426454ba768SRuslan Ermilovcan monitor keystrokes sent through PTYs, 427454ba768SRuslan Ermilovincluding PTYs used by users who log in through secure methods. 428454ba768SRuslan ErmilovAn intruder 429454ba768SRuslan Ermilovthat breaks the 430454ba768SRuslan Ermilov.Dq Li tty 431454ba768SRuslan Ermilovgroup can write to almost any user's TTY. 432454ba768SRuslan ErmilovIf a user 433d93b26d6SMatthew Dillonis running a terminal 434d93b26d6SMatthew Dillonprogram or emulator with a keyboard-simulation feature, the intruder can 435d93b26d6SMatthew Dillonpotentially 436f063d76aSMatthew Dillongenerate a data stream that causes the user's terminal to echo a command, which 437f063d76aSMatthew Dillonis then run as that user. 438f063d76aSMatthew Dillon.Sh SECURING USER ACCOUNTS 439454ba768SRuslan ErmilovUser accounts are usually the most difficult to secure. 440454ba768SRuslan ErmilovWhile you can impose 441454ba768SRuslan Ermilovdraconian access restrictions on your staff and *-out their passwords, you 442454ba768SRuslan Ermilovmay not be able to do so with any general user accounts you might have. 443454ba768SRuslan ErmilovIf 444f063d76aSMatthew Dillonyou do have sufficient control then you may win out and be able to secure the 445454ba768SRuslan Ermilovuser accounts properly. 446454ba768SRuslan ErmilovIf not, you simply have to be more vigilant in your 447454ba768SRuslan Ermilovmonitoring of those accounts. 448454ba768SRuslan ErmilovUse of SSH and Kerberos for user accounts is 449d93b26d6SMatthew Dillonmore problematic due to the extra administration and technical support 450d93b26d6SMatthew Dillonrequired, but still a very good solution compared to a crypted password 451d93b26d6SMatthew Dillonfile. 452f063d76aSMatthew Dillon.Sh SECURING THE PASSWORD FILE 453f063d76aSMatthew DillonThe only sure fire way is to *-out as many passwords as you can and 454454ba768SRuslan Ermilovuse SSH or Kerberos for access to those accounts. 455454ba768SRuslan ErmilovEven though the 456568e4cbbSGuy Helmercrypted password file 457568e4cbbSGuy Helmer.Pq Pa /etc/spwd.db 458568e4cbbSGuy Helmercan only be read by root, it may 459568e4cbbSGuy Helmerbe possible for an intruder to obtain read access to that file even if the 460f063d76aSMatthew Dillonattacker cannot obtain root-write access. 461f063d76aSMatthew Dillon.Pp 462f063d76aSMatthew DillonYour security scripts should always check for and report changes to 463568e4cbbSGuy Helmerthe password file 464c4d9468eSRuslan Ermilov(see 465454ba768SRuslan Ermilov.Sx CHECKING FILE INTEGRITY 466c4d9468eSRuslan Ermilovbelow). 467f063d76aSMatthew Dillon.Sh SECURING THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS 468f063d76aSMatthew DillonIf an attacker breaks root he can do just about anything, but there 469454ba768SRuslan Ermilovare certain conveniences. 470454ba768SRuslan ErmilovFor example, most modern kernels have a packet sniffing device driver built in. 471454ba768SRuslan ErmilovUnder 472f6f8f44dSAlexey Zelkin.Fx 473568e4cbbSGuy Helmerit is called 474568e4cbbSGuy Helmerthe 475454ba768SRuslan Ermilov.Xr bpf 4 476454ba768SRuslan Ermilovdevice. 477454ba768SRuslan ErmilovAn intruder will commonly attempt to run a packet sniffer 478454ba768SRuslan Ermilovon a compromised machine. 479454ba768SRuslan ErmilovYou do not need to give the intruder the 480454ba768SRuslan Ermilovcapability and most systems should not have the 481454ba768SRuslan Ermilov.Xr bpf 4 482454ba768SRuslan Ermilovdevice compiled in. 483f063d76aSMatthew Dillon.Pp 484454ba768SRuslan ErmilovBut even if you turn off the 485454ba768SRuslan Ermilov.Xr bpf 4 486454ba768SRuslan Ermilovdevice, you still have 487568e4cbbSGuy Helmer.Pa /dev/mem 488568e4cbbSGuy Helmerand 489568e4cbbSGuy Helmer.Pa /dev/kmem 490454ba768SRuslan Ermilovto worry about. 491454ba768SRuslan ErmilovFor that matter, 492d93b26d6SMatthew Dillonthe intruder can still write to raw disk devices. 493d93b26d6SMatthew DillonAlso, there is another kernel feature called the module loader, 494568e4cbbSGuy Helmer.Xr kldload 8 . 495568e4cbbSGuy HelmerAn enterprising intruder can use a KLD module to install 496454ba768SRuslan Ermilovhis own 497454ba768SRuslan Ermilov.Xr bpf 4 498454ba768SRuslan Ermilovdevice or other sniffing device on a running kernel. 499568e4cbbSGuy HelmerTo avoid these problems you have to run 500e17c0e32SGary W. Swearingenthe kernel at a higher security level, at least level 1. 501e17c0e32SGary W. SwearingenThe security level can be set with a 502454ba768SRuslan Ermilov.Xr sysctl 8 503454ba768SRuslan Ermilovon the 504454ba768SRuslan Ermilov.Va kern.securelevel 505454ba768SRuslan Ermilovvariable. 506454ba768SRuslan ErmilovOnce you have 507e17c0e32SGary W. Swearingenset the security level to 1, write access to raw devices will be denied and 508454ba768SRuslan Ermilovspecial 509454ba768SRuslan Ermilov.Xr chflags 1 510454ba768SRuslan Ermilovflags, such as 511454ba768SRuslan Ermilov.Cm schg , 512454ba768SRuslan Ermilovwill be enforced. 513454ba768SRuslan ErmilovYou must also ensure 514568e4cbbSGuy Helmerthat the 515454ba768SRuslan Ermilov.Cm schg 516568e4cbbSGuy Helmerflag is set on critical startup binaries, directories, and 517e17c0e32SGary W. Swearingenscript files \(em everything that gets run 518e17c0e32SGary W. Swearingenup to the point where the security level is set. 519454ba768SRuslan ErmilovThis might be overdoing it, and upgrading the system is much more 520e17c0e32SGary W. Swearingendifficult when you operate at a higher security level. 521454ba768SRuslan ErmilovYou may compromise and 522e17c0e32SGary W. Swearingenrun the system at a higher security level but not set the 523454ba768SRuslan Ermilov.Cm schg 524454ba768SRuslan Ermilovflag for every 525454ba768SRuslan Ermilovsystem file and directory under the sun. 526454ba768SRuslan ErmilovAnother possibility is to simply 527454ba768SRuslan Ermilovmount 528454ba768SRuslan Ermilov.Pa / 529454ba768SRuslan Ermilovand 530454ba768SRuslan Ermilov.Pa /usr 531454ba768SRuslan Ermilovread-only. 532454ba768SRuslan ErmilovIt should be noted that being too draconian in 533d93b26d6SMatthew Dillonwhat you attempt to protect may prevent the all-important detection of an 534d93b26d6SMatthew Dillonintrusion. 535e17c0e32SGary W. Swearingen.Pp 536e17c0e32SGary W. SwearingenThe kernel runs with five different security levels. 537e17c0e32SGary W. SwearingenAny super-user process can raise the level, but no process 538e17c0e32SGary W. Swearingencan lower it. 539e17c0e32SGary W. SwearingenThe security levels are: 540e17c0e32SGary W. Swearingen.Bl -tag -width flag 541e17c0e32SGary W. Swearingen.It Ic -1 542e17c0e32SGary W. SwearingenPermanently insecure mode \- always run the system in insecure mode. 543e17c0e32SGary W. SwearingenThis is the default initial value. 544e17c0e32SGary W. Swearingen.It Ic 0 545e17c0e32SGary W. SwearingenInsecure mode \- immutable and append-only flags may be turned off. 546e17c0e32SGary W. SwearingenAll devices may be read or written subject to their permissions. 547e17c0e32SGary W. Swearingen.It Ic 1 548e17c0e32SGary W. SwearingenSecure mode \- the system immutable and system append-only flags may not 549e17c0e32SGary W. Swearingenbe turned off; 550e17c0e32SGary W. Swearingendisks for mounted file systems, 551e17c0e32SGary W. Swearingen.Pa /dev/mem , 552e17c0e32SGary W. Swearingen.Pa /dev/kmem 553e17c0e32SGary W. Swearingenand 554e17c0e32SGary W. Swearingen.Pa /dev/io 555e17c0e32SGary W. Swearingen(if your platform has it) may not be opened for writing; 556e17c0e32SGary W. Swearingenkernel modules (see 557e17c0e32SGary W. Swearingen.Xr kld 4 ) 558e17c0e32SGary W. Swearingenmay not be loaded or unloaded. 559e17c0e32SGary W. Swearingen.It Ic 2 560e17c0e32SGary W. SwearingenHighly secure mode \- same as secure mode, plus disks may not be 561e17c0e32SGary W. Swearingenopened for writing (except by 562e17c0e32SGary W. Swearingen.Xr mount 2 ) 563e17c0e32SGary W. Swearingenwhether mounted or not. 564e17c0e32SGary W. SwearingenThis level precludes tampering with file systems by unmounting them, 565e17c0e32SGary W. Swearingenbut also inhibits running 566e17c0e32SGary W. Swearingen.Xr newfs 8 567e17c0e32SGary W. Swearingenwhile the system is multi-user. 568e17c0e32SGary W. Swearingen.Pp 569e17c0e32SGary W. SwearingenIn addition, kernel time changes are restricted to less than or equal to one 570e17c0e32SGary W. Swearingensecond. 571e17c0e32SGary W. SwearingenAttempts to change the time by more than this will log the message 572e17c0e32SGary W. Swearingen.Dq Time adjustment clamped to +1 second . 573e17c0e32SGary W. Swearingen.It Ic 3 574e17c0e32SGary W. SwearingenNetwork secure mode \- same as highly secure mode, plus 575e17c0e32SGary W. SwearingenIP packet filter rules (see 576e17c0e32SGary W. Swearingen.Xr ipfw 8 , 577e17c0e32SGary W. Swearingen.Xr ipfirewall 4 578e17c0e32SGary W. Swearingenand 579e17c0e32SGary W. Swearingen.Xr pfctl 8 ) 580e17c0e32SGary W. Swearingencannot be changed and 581e17c0e32SGary W. Swearingen.Xr dummynet 4 582e17c0e32SGary W. Swearingenor 583e17c0e32SGary W. Swearingen.Xr pf 4 584e17c0e32SGary W. Swearingenconfiguration cannot be adjusted. 585e17c0e32SGary W. Swearingen.El 586e17c0e32SGary W. Swearingen.Pp 5870ebb41beSCeri DaviesThe security level can be configured with variables documented in 588e17c0e32SGary W. Swearingen.Xr rc.conf 8 . 589f063d76aSMatthew Dillon.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC 590f063d76aSMatthew DillonWhen it comes right down to it, you can only protect your core system 591f063d76aSMatthew Dillonconfiguration and control files so much before the convenience factor 592454ba768SRuslan Ermilovrears its ugly head. 593454ba768SRuslan ErmilovFor example, using 594454ba768SRuslan Ermilov.Xr chflags 1 595454ba768SRuslan Ermilovto set the 596454ba768SRuslan Ermilov.Cm schg 597454ba768SRuslan Ermilovbit on most of the files in 598454ba768SRuslan Ermilov.Pa / 599454ba768SRuslan Ermilovand 600454ba768SRuslan Ermilov.Pa /usr 601454ba768SRuslan Ermilovis probably counterproductive because 602454ba768SRuslan Ermilovwhile it may protect the files, it also closes a detection window. 603454ba768SRuslan ErmilovThe 60447afd1f8SDaniel Harrislast layer of your security onion is perhaps the most important \(em detection. 605d93b26d6SMatthew DillonThe rest of your security is pretty much useless (or, worse, presents you with 606454ba768SRuslan Ermilova false sense of safety) if you cannot detect potential incursions. 607454ba768SRuslan ErmilovHalf 608074ad115SRuslan Ermilovthe job of the onion is to slow down the attacker rather than stop him 6094c0d8029SDaniel Harrisin order to give the detection layer a chance to catch him in 610d93b26d6SMatthew Dillonthe act. 611f063d76aSMatthew Dillon.Pp 612d93b26d6SMatthew DillonThe best way to detect an incursion is to look for modified, missing, or 613454ba768SRuslan Ermilovunexpected files. 614454ba768SRuslan ErmilovThe best 615d93b26d6SMatthew Dillonway to look for modified files is from another (often centralized) 616d93b26d6SMatthew Dillonlimited-access system. 617d93b26d6SMatthew DillonWriting your security scripts on the extra-secure limited-access system 61847afd1f8SDaniel Harrismakes them mostly invisible to potential attackers, and this is important. 619d93b26d6SMatthew DillonIn order to take maximum advantage you generally have to give the 620d93b26d6SMatthew Dillonlimited-access box significant access to the other machines in the business, 621d93b26d6SMatthew Dillonusually either by doing a read-only NFS export of the other machines to the 622454ba768SRuslan Ermilovlimited-access box, or by setting up SSH keypairs to allow the limit-access 623454ba768SRuslan Ermilovbox to SSH to the other machines. 624454ba768SRuslan ErmilovExcept for its network traffic, NFS is 62547afd1f8SDaniel Harristhe least visible method \(em allowing you to monitor the file systems on each 626454ba768SRuslan Ermilovclient box virtually undetected. 627454ba768SRuslan ErmilovIf your 628d93b26d6SMatthew Dillonlimited-access server is connected to the client boxes through a switch, 629454ba768SRuslan Ermilovthe NFS method is often the better choice. 630454ba768SRuslan ErmilovIf your limited-access server 631d93b26d6SMatthew Dillonis connected to the client boxes through a hub or through several layers 632454ba768SRuslan Ermilovof routing, the NFS method may be too insecure (network-wise) and using SSH 633454ba768SRuslan Ermilovmay be the better choice even with the audit-trail tracks that SSH lays. 634d93b26d6SMatthew Dillon.Pp 635d93b26d6SMatthew DillonOnce you give a limit-access box at least read access to the client systems 636d93b26d6SMatthew Dillonit is supposed to monitor, you must write scripts to do the actual 637454ba768SRuslan Ermilovmonitoring. 638454ba768SRuslan ErmilovGiven an NFS mount, you can write scripts out of simple system 639d93b26d6SMatthew Dillonutilities such as 640d93b26d6SMatthew Dillon.Xr find 1 641d93b26d6SMatthew Dillonand 642454ba768SRuslan Ermilov.Xr md5 1 . 643454ba768SRuslan ErmilovIt is best to physically 644d93b26d6SMatthew Dillon.Xr md5 1 645454ba768SRuslan Ermilovthe client-box files boxes at least once a 646ad27d066SMatthew Dillonday, and to test control files such as those found in 647ad27d066SMatthew Dillon.Pa /etc 648ad27d066SMatthew Dillonand 649ad27d066SMatthew Dillon.Pa /usr/local/etc 650454ba768SRuslan Ermiloveven more often. 651454ba768SRuslan ErmilovWhen mismatches are found relative to the base MD5 652d93b26d6SMatthew Dilloninformation the limited-access machine knows is valid, it should scream at 653454ba768SRuslan Ermilova sysadmin to go check it out. 654454ba768SRuslan ErmilovA good security script will also check for 655454ba768SRuslan Ermilovinappropriate SUID binaries and for new or deleted files on system partitions 656d93b26d6SMatthew Dillonsuch as 657d93b26d6SMatthew Dillon.Pa / 658568e4cbbSGuy Helmerand 659454ba768SRuslan Ermilov.Pa /usr . 660f063d76aSMatthew Dillon.Pp 661454ba768SRuslan ErmilovWhen using SSH rather than NFS, writing the security script is much more 662454ba768SRuslan Ermilovdifficult. 663454ba768SRuslan ErmilovYou essentially have to 664454ba768SRuslan Ermilov.Xr scp 1 665d93b26d6SMatthew Dillonthe scripts to the client box in order to run them, making them visible, and 666454ba768SRuslan Ermilovfor safety you also need to 667454ba768SRuslan Ermilov.Xr scp 1 668454ba768SRuslan Ermilovthe binaries (such as 669454ba768SRuslan Ermilov.Xr find 1 ) 670454ba768SRuslan Ermilovthat those scripts use. 671454ba768SRuslan ErmilovThe 672454ba768SRuslan Ermilov.Xr sshd 8 673454ba768SRuslan Ermilovdaemon on the client box may already be compromised. 674454ba768SRuslan ErmilovAll in all, 675454ba768SRuslan Ermilovusing SSH may be necessary when running over unsecure links, but it is also a 676d93b26d6SMatthew Dillonlot harder to deal with. 677f063d76aSMatthew Dillon.Pp 678f063d76aSMatthew DillonA good security script will also check for changes to user and staff members 679ad27d066SMatthew Dillonaccess configuration files: 680454ba768SRuslan Ermilov.Pa .rhosts , .shosts , .ssh/authorized_keys 6815203edcdSRuslan Ermilovand so forth, files that might fall outside the purview of the MD5 check. 682f063d76aSMatthew Dillon.Pp 683d93b26d6SMatthew DillonIf you have a huge amount of user disk space it may take too long to run 684454ba768SRuslan Ermilovthrough every file on those partitions. 685454ba768SRuslan ErmilovIn this case, setting mount 686e354922cSRuslan Ermilovflags to disallow SUID binaries on those partitions is a good 687454ba768SRuslan Ermilovidea. 688454ba768SRuslan ErmilovThe 689454ba768SRuslan Ermilov.Cm nosuid 690e354922cSRuslan Ermilovoption 691c4d9468eSRuslan Ermilov(see 692c4d9468eSRuslan Ermilov.Xr mount 8 ) 693e354922cSRuslan Ermilovis what you want to look into. 694454ba768SRuslan ErmilovI would scan them anyway at least once a 695d93b26d6SMatthew Dillonweek, since the object of this layer is to detect a break-in whether or 696a30de06bSCeri Daviesnot the break-in is effective. 697f063d76aSMatthew Dillon.Pp 698568e4cbbSGuy HelmerProcess accounting 699c4d9468eSRuslan Ermilov(see 700c4d9468eSRuslan Ermilov.Xr accton 8 ) 701568e4cbbSGuy Helmeris a relatively low-overhead feature of 7026ac7e896SDavid E. O'Brienthe operating system which I recommend using as a post-break-in evaluation 703454ba768SRuslan Ermilovmechanism. 704454ba768SRuslan ErmilovIt is especially useful in tracking down how an intruder has 705d93b26d6SMatthew Dillonactually broken into a system, assuming the file is still intact after 7066ac7e896SDavid E. O'Brienthe break-in occurs. 707f063d76aSMatthew Dillon.Pp 708f063d76aSMatthew DillonFinally, security scripts should process the log files and the logs themselves 70947afd1f8SDaniel Harrisshould be generated in as secure a manner as possible \(em remote syslog can be 710454ba768SRuslan Ermilovvery useful. 711454ba768SRuslan ErmilovAn intruder tries to cover his tracks, and log files are critical 712d93b26d6SMatthew Dillonto the sysadmin trying to track down the time and method of the initial 713454ba768SRuslan Ermilovbreak-in. 714454ba768SRuslan ErmilovOne way to keep a permanent record of the log files is to run 715d93b26d6SMatthew Dillonthe system console to a serial port and collect the information on a 716d93b26d6SMatthew Dilloncontinuing basis through a secure machine monitoring the consoles. 717f063d76aSMatthew Dillon.Sh PARANOIA 718454ba768SRuslan ErmilovA little paranoia never hurts. 719454ba768SRuslan ErmilovAs a rule, a sysadmin can add any number 72047afd1f8SDaniel Harrisof security features as long as they do not affect convenience, and 72147afd1f8SDaniel Harriscan add security features that do affect convenience with some added 722454ba768SRuslan Ermilovthought. 723454ba768SRuslan ErmilovEven more importantly, a security administrator should mix it up 72447afd1f8SDaniel Harrisa bit \(em if you use recommendations such as those given by this manual 725d93b26d6SMatthew Dillonpage verbatim, you give away your methodologies to the prospective 72647afd1f8SDaniel Harrisattacker who also has access to this manual page. 727454ba768SRuslan Ermilov.Sh SPECIAL SECTION ON DoS ATTACKS 728454ba768SRuslan ErmilovThis section covers Denial of Service attacks. 729454ba768SRuslan ErmilovA DoS attack is typically a packet attack. 730454ba768SRuslan ErmilovWhile there is not much you can do about modern spoofed 731f063d76aSMatthew Dillonpacket attacks that saturate your network, you can generally limit the damage 732f063d76aSMatthew Dillonby ensuring that the attacks cannot take down your servers. 733f063d76aSMatthew Dillon.Bl -enum -offset indent 734f063d76aSMatthew Dillon.It 735f063d76aSMatthew DillonLimiting server forks 736f063d76aSMatthew Dillon.It 737454ba768SRuslan ErmilovLimiting springboard attacks (ICMP response attacks, ping broadcast, etc.) 738f063d76aSMatthew Dillon.It 739f063d76aSMatthew DillonKernel Route Cache 740f063d76aSMatthew Dillon.El 741f063d76aSMatthew Dillon.Pp 742454ba768SRuslan ErmilovA common DoS attack is against a forking server that attempts to cause the 7436ac7e896SDavid E. O'Brienserver to eat processes, file descriptors, and memory until the machine 744454ba768SRuslan Ermilovdies. 745454ba768SRuslan ErmilovThe 746454ba768SRuslan Ermilov.Xr inetd 8 747454ba768SRuslan Ermilovserver 748568e4cbbSGuy Helmerhas several options to limit this sort of attack. 749f063d76aSMatthew DillonIt should be noted that while it is possible to prevent a machine from going 750f063d76aSMatthew Dillondown it is not generally possible to prevent a service from being disrupted 751454ba768SRuslan Ermilovby the attack. 752454ba768SRuslan ErmilovRead the 753454ba768SRuslan Ermilov.Xr inetd 8 754454ba768SRuslan Ermilovmanual page carefully and pay specific attention 755568e4cbbSGuy Helmerto the 756454ba768SRuslan Ermilov.Fl c , C , 757568e4cbbSGuy Helmerand 758568e4cbbSGuy Helmer.Fl R 759454ba768SRuslan Ermilovoptions. 760454ba768SRuslan ErmilovNote that spoofed-IP attacks will circumvent 761568e4cbbSGuy Helmerthe 762568e4cbbSGuy Helmer.Fl C 763454ba768SRuslan Ermilovoption to 764454ba768SRuslan Ermilov.Xr inetd 8 , 765454ba768SRuslan Ermilovso typically a combination of options must be used. 766f063d76aSMatthew DillonSome standalone servers have self-fork-limitation parameters. 767f063d76aSMatthew Dillon.Pp 768454ba768SRuslan ErmilovThe 769454ba768SRuslan Ermilov.Xr sendmail 8 770454ba768SRuslan Ermilovdaemon has its 771568e4cbbSGuy Helmer.Fl OMaxDaemonChildren 772568e4cbbSGuy Helmeroption which tends to work much 773454ba768SRuslan Ermilovbetter than trying to use 774454ba768SRuslan Ermilov.Xr sendmail 8 Ns 's 775454ba768SRuslan Ermilovload limiting options due to the 776454ba768SRuslan Ermilovload lag. 777454ba768SRuslan ErmilovYou should specify a 778454ba768SRuslan Ermilov.Va MaxDaemonChildren 779568e4cbbSGuy Helmerparameter when you start 780454ba768SRuslan Ermilov.Xr sendmail 8 781454ba768SRuslan Ermilovhigh enough to handle your expected load but not so high that the 782454ba768SRuslan Ermilovcomputer cannot handle that number of 783454ba768SRuslan Ermilov.Nm sendmail Ns 's 784454ba768SRuslan Ermilovwithout falling on its face. 785454ba768SRuslan ErmilovIt is also prudent to run 786454ba768SRuslan Ermilov.Xr sendmail 8 787454ba768SRuslan Ermilovin 788454ba768SRuslan Ermilov.Dq queued 789454ba768SRuslan Ermilovmode 790568e4cbbSGuy Helmer.Pq Fl ODeliveryMode=queued 791568e4cbbSGuy Helmerand to run the daemon 792454ba768SRuslan Ermilov.Pq Dq Nm sendmail Fl bd 793568e4cbbSGuy Helmerseparate from the queue-runs 794454ba768SRuslan Ermilov.Pq Dq Nm sendmail Fl q15m . 795454ba768SRuslan ErmilovIf you still want real-time delivery you can run the queue 796568e4cbbSGuy Helmerat a much lower interval, such as 797568e4cbbSGuy Helmer.Fl q1m , 798568e4cbbSGuy Helmerbut be sure to specify a reasonable 799454ba768SRuslan Ermilov.Va MaxDaemonChildren 800454ba768SRuslan Ermilovoption for that 801454ba768SRuslan Ermilov.Xr sendmail 8 802454ba768SRuslan Ermilovto prevent cascade failures. 803f063d76aSMatthew Dillon.Pp 804454ba768SRuslan ErmilovThe 805454ba768SRuslan Ermilov.Xr syslogd 8 806454ba768SRuslan Ermilovdaemon can be attacked directly and it is strongly recommended that you use 807568e4cbbSGuy Helmerthe 808568e4cbbSGuy Helmer.Fl s 809568e4cbbSGuy Helmeroption whenever possible, and the 810568e4cbbSGuy Helmer.Fl a 811568e4cbbSGuy Helmeroption otherwise. 812f063d76aSMatthew Dillon.Pp 813f063d76aSMatthew DillonYou should also be fairly careful 814f063d76aSMatthew Dillonwith connect-back services such as tcpwrapper's reverse-identd, which can 815454ba768SRuslan Ermilovbe attacked directly. 816454ba768SRuslan ErmilovYou generally do not want to use the reverse-ident 817f063d76aSMatthew Dillonfeature of tcpwrappers for this reason. 818f063d76aSMatthew Dillon.Pp 819f063d76aSMatthew DillonIt is a very good idea to protect internal services from external access 820454ba768SRuslan Ermilovby firewalling them off at your border routers. 821454ba768SRuslan ErmilovThe idea here is to prevent 822f063d76aSMatthew Dillonsaturation attacks from outside your LAN, not so much to protect internal 823454ba768SRuslan Ermilovservices from network-based root compromise. 824454ba768SRuslan ErmilovAlways configure an exclusive 825454ba768SRuslan Ermilovfirewall, i.e., 826568e4cbbSGuy Helmer.So 82747afd1f8SDaniel Harrisfirewall everything 82847afd1f8SDaniel Harris.Em except 82947afd1f8SDaniel Harrisports A, B, C, D, and M-Z 830568e4cbbSGuy Helmer.Sc . 831568e4cbbSGuy HelmerThis 832f063d76aSMatthew Dillonway you can firewall off all of your low ports except for certain specific 833454ba768SRuslan Ermilovservices such as 834454ba768SRuslan Ermilov.Xr named 8 835c4d9468eSRuslan Ermilov(if you are primary for a zone), 836454ba768SRuslan Ermilov.Xr talkd 8 , 837454ba768SRuslan Ermilov.Xr sendmail 8 , 838f063d76aSMatthew Dillonand other internet-accessible services. 839f063d76aSMatthew DillonIf you try to configure the firewall the other 84047afd1f8SDaniel Harrisway \(em as an inclusive or permissive firewall, there is a good chance that you 841568e4cbbSGuy Helmerwill forget to 842454ba768SRuslan Ermilov.Dq close 843568e4cbbSGuy Helmera couple of services or that you will add a new internal 844454ba768SRuslan Ermilovservice and forget to update the firewall. 845454ba768SRuslan ErmilovYou can still open up the 846f063d76aSMatthew Dillonhigh-numbered port range on the firewall to allow permissive-like operation 847454ba768SRuslan Ermilovwithout compromising your low ports. 848454ba768SRuslan ErmilovAlso take note that 849f6f8f44dSAlexey Zelkin.Fx 850568e4cbbSGuy Helmerallows you to 851f063d76aSMatthew Dilloncontrol the range of port numbers used for dynamic binding via the various 852454ba768SRuslan Ermilov.Va net.inet.ip.portrange 853454ba768SRuslan Ermilovsysctl's 854454ba768SRuslan Ermilov.Pq Dq Li "sysctl net.inet.ip.portrange" , 855568e4cbbSGuy Helmerwhich can also 856454ba768SRuslan Ermilovease the complexity of your firewall's configuration. 857454ba768SRuslan ErmilovI usually use a normal 858f063d76aSMatthew Dillonfirst/last range of 4000 to 5000, and a hiport range of 49152 to 65535, then 859568e4cbbSGuy Helmerblock everything under 4000 off in my firewall 860c4d9468eSRuslan Ermilov(except for certain specific 861c4d9468eSRuslan Ermilovinternet-accessible ports, of course). 862f063d76aSMatthew Dillon.Pp 863454ba768SRuslan ErmilovAnother common DoS attack is called a springboard attack \(em to attack a server 864f063d76aSMatthew Dillonin a manner that causes the server to generate responses which then overload 865454ba768SRuslan Ermilovthe server, the local network, or some other machine. 866454ba768SRuslan ErmilovThe most common attack 867454ba768SRuslan Ermilovof this nature is the ICMP PING BROADCAST attack. 868454ba768SRuslan ErmilovThe attacker spoofs ping 869f063d76aSMatthew Dillonpackets sent to your LAN's broadcast address with the source IP address set 870454ba768SRuslan Ermilovto the actual machine they wish to attack. 871454ba768SRuslan ErmilovIf your border routers are not 872f063d76aSMatthew Dillonconfigured to stomp on ping's to broadcast addresses, your LAN winds up 873f063d76aSMatthew Dillongenerating sufficient responses to the spoofed source address to saturate the 874f063d76aSMatthew Dillonvictim, especially when the attacker uses the same trick on several dozen 875454ba768SRuslan Ermilovbroadcast addresses over several dozen different networks at once. 876454ba768SRuslan ErmilovBroadcast attacks of over a hundred and twenty megabits have been measured. 877454ba768SRuslan ErmilovA second common springboard attack is against the ICMP error reporting system. 878454ba768SRuslan ErmilovBy 879f063d76aSMatthew Dillonconstructing packets that generate ICMP error responses, an attacker can 880f063d76aSMatthew Dillonsaturate a server's incoming network and cause the server to saturate its 881454ba768SRuslan Ermilovoutgoing network with ICMP responses. 882454ba768SRuslan ErmilovThis type of attack can also crash the 883454ba768SRuslan Ermilovserver by running it out of 884454ba768SRuslan Ermilov.Vt mbuf Ns 's , 885454ba768SRuslan Ermilovespecially if the server cannot drain the 886454ba768SRuslan ErmilovICMP responses it generates fast enough. 887454ba768SRuslan ErmilovThe 888f6f8f44dSAlexey Zelkin.Fx 889568e4cbbSGuy Helmerkernel has a new kernel 890454ba768SRuslan Ermilovcompile option called 891454ba768SRuslan Ermilov.Dv ICMP_BANDLIM 892454ba768SRuslan Ermilovwhich limits the effectiveness of these 893454ba768SRuslan Ermilovsorts of attacks. 894454ba768SRuslan ErmilovThe last major class of springboard attacks is related to 895454ba768SRuslan Ermilovcertain internal 896454ba768SRuslan Ermilov.Xr inetd 8 897454ba768SRuslan Ermilovservices such as the UDP echo service. 898454ba768SRuslan ErmilovAn attacker 899f063d76aSMatthew Dillonsimply spoofs a UDP packet with the source address being server A's echo port, 900f063d76aSMatthew Dillonand the destination address being server B's echo port, where server A and B 901454ba768SRuslan Ermilovare both on your LAN. 902454ba768SRuslan ErmilovThe two servers then bounce this one packet back and 903454ba768SRuslan Ermilovforth between each other. 904454ba768SRuslan ErmilovThe attacker can overload both servers and their 905454ba768SRuslan ErmilovLANs simply by injecting a few packets in this manner. 906454ba768SRuslan ErmilovSimilar problems 907454ba768SRuslan Ermilovexist with the internal chargen port. 908454ba768SRuslan ErmilovA competent sysadmin will turn off all 909454ba768SRuslan Ermilovof these 910454ba768SRuslan Ermilov.Xr inetd 8 Ns -internal 911454ba768SRuslan Ermilovtest services. 912f063d76aSMatthew Dillon.Pp 913f063d76aSMatthew DillonSpoofed packet attacks may also be used to overload the kernel route cache. 914454ba768SRuslan ErmilovRefer to the 915454ba768SRuslan Ermilov.Va net.inet.ip.rtexpire , net.inet.ip.rtminexpire , 916454ba768SRuslan Ermilovand 917454ba768SRuslan Ermilov.Va net.inet.ip.rtmaxcache 918454ba768SRuslan Ermilov.Xr sysctl 8 919454ba768SRuslan Ermilovvariables. 920454ba768SRuslan ErmilovA spoofed packet attack that uses a random source IP will cause 921f063d76aSMatthew Dillonthe kernel to generate a temporary cached route in the route table, viewable 922568e4cbbSGuy Helmerwith 923454ba768SRuslan Ermilov.Dq Li "netstat -rna | fgrep W3" . 924568e4cbbSGuy HelmerThese routes typically timeout in 1600 925454ba768SRuslan Ermilovseconds or so. 926454ba768SRuslan ErmilovIf the kernel detects that the cached route table has gotten 927454ba768SRuslan Ermilovtoo big it will dynamically reduce the 928454ba768SRuslan Ermilov.Va rtexpire 929454ba768SRuslan Ermilovbut will never decrease it to 930454ba768SRuslan Ermilovless than 931454ba768SRuslan Ermilov.Va rtminexpire . 932454ba768SRuslan ErmilovThere are two problems: (1) The kernel does not react 933f063d76aSMatthew Dillonquickly enough when a lightly loaded server is suddenly attacked, and (2) The 934454ba768SRuslan Ermilov.Va rtminexpire 935454ba768SRuslan Ermilovis not low enough for the kernel to survive a sustained attack. 936f063d76aSMatthew DillonIf your servers are connected to the internet via a T3 or better it may be 937454ba768SRuslan Ermilovprudent to manually override both 938454ba768SRuslan Ermilov.Va rtexpire 939454ba768SRuslan Ermilovand 940454ba768SRuslan Ermilov.Va rtminexpire 941454ba768SRuslan Ermilovvia 94285752545SGuy Helmer.Xr sysctl 8 . 943568e4cbbSGuy HelmerNever set either parameter to zero 944c4d9468eSRuslan Ermilov(unless you want to crash the machine :-)). 945f063d76aSMatthew DillonSetting both parameters to 2 seconds should be sufficient to protect the route 946f063d76aSMatthew Dillontable from attack. 947d93b26d6SMatthew Dillon.Sh ACCESS ISSUES WITH KERBEROS AND SSH 948454ba768SRuslan ErmilovThere are a few issues with both Kerberos and SSH that need to be addressed 949454ba768SRuslan Ermilovif you intend to use them. 950454ba768SRuslan ErmilovKerberos5 is an excellent authentication 951454ba768SRuslan Ermilovprotocol but the kerberized 952454ba768SRuslan Ermilov.Xr telnet 1 953454ba768SRuslan Ermilovand 954454ba768SRuslan Ermilov.Xr rlogin 1 955454ba768SRuslan Ermilovsuck rocks. 956454ba768SRuslan ErmilovThere are bugs that make them unsuitable for dealing with binary streams. 957454ba768SRuslan ErmilovAlso, by default 958454ba768SRuslan ErmilovKerberos does not encrypt a session unless you use the 959d93b26d6SMatthew Dillon.Fl x 960454ba768SRuslan Ermilovoption. 961454ba768SRuslan ErmilovSSH encrypts everything by default. 962d93b26d6SMatthew Dillon.Pp 963454ba768SRuslan ErmilovSSH works quite well in every respect except when it is set up to 9649baaab27SDima Dorfmanforward encryption keys. 9659baaab27SDima DorfmanWhat this means is that if you have a secure workstation holding 966454ba768SRuslan Ermilovkeys that give you access to the rest of the system, and you 967454ba768SRuslan Ermilov.Xr ssh 1 968454ba768SRuslan Ermilovto an 969454ba768SRuslan Ermilovunsecure machine, your keys become exposed. 970454ba768SRuslan ErmilovThe actual keys themselves are 971454ba768SRuslan Ermilovnot exposed, but 972454ba768SRuslan Ermilov.Xr ssh 1 973454ba768SRuslan Ermilovinstalls a forwarding port for the duration of your 97447afd1f8SDaniel Harrislogin and if an attacker has broken root on the unsecure machine he can utilize 975d93b26d6SMatthew Dillonthat port to use your keys to gain access to any other machine that your 976d93b26d6SMatthew Dillonkeys unlock. 977d93b26d6SMatthew Dillon.Pp 978454ba768SRuslan ErmilovWe recommend that you use SSH in combination with Kerberos whenever possible 979454ba768SRuslan Ermilovfor staff logins. 980454ba768SRuslan ErmilovSSH can be compiled with Kerberos support. 981454ba768SRuslan ErmilovThis reduces 982454ba768SRuslan Ermilovyour reliance on potentially exposable SSH keys while at the same time 983454ba768SRuslan Ermilovprotecting passwords via Kerberos. 984454ba768SRuslan ErmilovSSH keys 985d93b26d6SMatthew Dillonshould only be used for automated tasks from secure machines (something 986454ba768SRuslan Ermilovthat Kerberos is unsuited to). 987454ba768SRuslan ErmilovWe also recommend that you either turn off 988454ba768SRuslan Ermilovkey-forwarding in the SSH configuration, or that you make use of the 989454ba768SRuslan Ermilov.Va from Ns = Ns Ar IP/DOMAIN 990454ba768SRuslan Ermilovoption that SSH allows in its 991d93b26d6SMatthew Dillon.Pa authorized_keys 9927c86a74bSMike Pritchardfile to make the key only usable to entities logging in from specific 993d93b26d6SMatthew Dillonmachines. 994f063d76aSMatthew Dillon.Sh SEE ALSO 995f063d76aSMatthew Dillon.Xr chflags 1 , 996f063d76aSMatthew Dillon.Xr find 1 , 997f063d76aSMatthew Dillon.Xr md5 1 , 998f6f8f44dSAlexey Zelkin.Xr netstat 1 , 9998596de53SNik Clayton.Xr openssl 1 , 10005521ff5aSRuslan Ermilov.Xr ssh 1 , 1001f0ea72a0SChristian Brueffer.Xr xdm 1 Pq Pa ports/x11/xorg-clients , 1002d93b26d6SMatthew Dillon.Xr group 5 , 1003ad27d066SMatthew Dillon.Xr ttys 5 , 10048596de53SNik Clayton.Xr accton 8 , 1005d93b26d6SMatthew Dillon.Xr init 8 , 10068596de53SNik Clayton.Xr sshd 8 , 1007ad27d066SMatthew Dillon.Xr sysctl 8 , 10088596de53SNik Clayton.Xr syslogd 8 , 1009ad27d066SMatthew Dillon.Xr vipw 8 1010f063d76aSMatthew Dillon.Sh HISTORY 1011f063d76aSMatthew DillonThe 1012f063d76aSMatthew Dillon.Nm 1013568e4cbbSGuy Helmermanual page was originally written by 1014568e4cbbSGuy Helmer.An Matthew Dillon 1015568e4cbbSGuy Helmerand first appeared 1016568e4cbbSGuy Helmerin 101785752545SGuy Helmer.Fx 3.1 , 1018568e4cbbSGuy HelmerDecember 1998. 1019