xref: /freebsd/share/man/man7/security.7 (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1.\" Copyright (C) 1998 Matthew Dillon. All rights reserved.
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions
5.\" are met:
6.\" 1. Redistributions of source code must retain the above copyright
7.\"    notice, this list of conditions and the following disclaimer.
8.\" 2. Redistributions in binary form must reproduce the above copyright
9.\"    notice, this list of conditions and the following disclaimer in the
10.\"    documentation and/or other materials provided with the distribution.
11.\"
12.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15.\" ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22.\" SUCH DAMAGE.
23.\"
24.\" $FreeBSD$
25.\"
26.Dd September 8, 2006
27.Dt SECURITY 7
28.Os
29.Sh NAME
30.Nm security
31.Nd introduction to security under FreeBSD
32.Sh DESCRIPTION
33Security is a function that begins and ends with the system administrator.
34While all
35.Bx
36multi-user systems have some inherent security, the job of building and
37maintaining additional security mechanisms to keep users
38.Dq honest
39is probably
40one of the single largest undertakings of the sysadmin.
41Machines are
42only as secure as you make them, and security concerns are ever competing
43with the human necessity for convenience.
44.Ux
45systems,
46in general, are capable of running a huge number of simultaneous processes
47and many of these processes operate as servers \(em meaning that external
48entities can connect and talk to them.
49As yesterday's mini-computers and mainframes
50become today's desktops, and as computers become networked and internetworked,
51security becomes an ever bigger issue.
52.Pp
53Security is best implemented through a layered onion approach.
54In a nutshell,
55what you want to do is to create as many layers of security as are convenient
56and then carefully monitor the system for intrusions.
57.Pp
58System security also pertains to dealing with various forms of attacks,
59including attacks that attempt to crash or otherwise make a system unusable
60but do not attempt to break root.
61Security concerns can be split up into
62several categories:
63.Bl -enum -offset indent
64.It
65Denial of Service attacks (DoS)
66.It
67User account compromises
68.It
69Root compromise through accessible servers
70.It
71Root compromise via user accounts
72.It
73Backdoor creation
74.El
75.Pp
76A denial of service attack is an action that deprives the machine of needed
77resources.
78Typically, DoS attacks are brute-force mechanisms that attempt
79to crash or otherwise make a machine unusable by overwhelming its servers or
80network stack.
81Some DoS attacks try to take advantages of bugs in the
82networking stack to crash a machine with a single packet.
83The latter can
84only be fixed by applying a bug fix to the kernel.
85Attacks on servers can
86often be fixed by properly specifying options to limit the load the servers
87incur on the system under adverse conditions.
88Brute-force network attacks are harder to deal with.
89A spoofed-packet attack, for example, is
90nearly impossible to stop short of cutting your system off from the Internet.
91It may not be able to take your machine down, but it can fill up Internet
92pipe.
93.Pp
94A user account compromise is even more common than a DoS attack.
95Many
96sysadmins still run standard
97.Xr telnetd 8 ,
98.Xr rlogind 8 ,
99.Xr rshd 8 ,
100and
101.Xr ftpd 8
102servers on their machines.
103These servers, by default, do not operate over encrypted
104connections.
105The result is that if you have any moderate-sized user base,
106one or more of your users logging into your system from a remote location
107(which is the most common and convenient way to log in to a system)
108will have his or her password sniffed.
109The attentive system administrator will analyze
110his remote access logs looking for suspicious source addresses
111even for successful logins.
112.Pp
113One must always assume that once an attacker has access to a user account,
114the attacker can break root.
115However, the reality is that in a well secured
116and maintained system, access to a user account does not necessarily give the
117attacker access to root.
118The distinction is important because without access
119to root the attacker cannot generally hide his tracks and may, at best, be
120able to do nothing more than mess with the user's files or crash the machine.
121User account compromises are very common because users tend not to take the
122precautions that sysadmins take.
123.Pp
124System administrators must keep in mind that there are potentially many ways
125to break root on a machine.
126The attacker may know the root password,
127the attacker
128may find a bug in a root-run server and be able to break root over a network
129connection to that server, or the attacker may know of a bug in an SUID-root
130program that allows the attacker to break root once he has broken into a
131user's account.
132If an attacker has found a way to break root on a machine,
133the attacker may not have a need to install a backdoor.
134Many of the root holes found and closed to date involve a considerable amount
135of work by the attacker to clean up after himself, so most attackers do install
136backdoors.
137This gives you a convenient way to detect the attacker.
138Making
139it impossible for an attacker to install a backdoor may actually be detrimental
140to your security because it will not close off the hole the attacker used to
141break in in the first place.
142.Pp
143Security remedies should always be implemented with a multi-layered
144.Dq onion peel
145approach and can be categorized as follows:
146.Bl -enum -offset indent
147.It
148Securing root and staff accounts
149.It
150Securing root \(em root-run servers and SUID/SGID binaries
151.It
152Securing user accounts
153.It
154Securing the password file
155.It
156Securing the kernel core, raw devices, and file systems
157.It
158Quick detection of inappropriate changes made to the system
159.It
160Paranoia
161.El
162.Sh SECURING THE ROOT ACCOUNT AND SECURING STAFF ACCOUNTS
163Do not bother securing staff accounts if you have not secured the root
164account.
165Most systems have a password assigned to the root account.
166The
167first thing you do is assume that the password is
168.Em always
169compromised.
170This does not mean that you should remove the password.
171The
172password is almost always necessary for console access to the machine.
173What it does mean is that you should not make it possible to use the password
174outside of the console or possibly even with a
175.Xr su 1
176utility.
177For example, make sure that your PTYs are specified as being
178.Dq Li unsecure
179in the
180.Pa /etc/ttys
181file
182so that direct root logins via
183.Xr telnet 1
184or
185.Xr rlogin 1
186are disallowed.
187If using
188other login services such as
189.Xr sshd 8 ,
190make sure that direct root logins are
191disabled there as well.
192Consider every access method \(em services such as
193.Xr ftp 1
194often fall through the cracks.
195Direct root logins should only be allowed
196via the system console.
197.Pp
198Of course, as a sysadmin you have to be able to get to root, so we open up
199a few holes.
200But we make sure these holes require additional password
201verification to operate.
202One way to make root accessible is to add appropriate
203staff accounts to the
204.Dq Li wheel
205group (in
206.Pa /etc/group ) .
207The staff members placed in the
208.Li wheel
209group are allowed to
210.Xr su 1
211to root.
212You should never give staff
213members native
214.Li wheel
215access by putting them in the
216.Li wheel
217group in their password entry.
218Staff accounts should be placed in a
219.Dq Li staff
220group, and then added to the
221.Li wheel
222group via the
223.Pa /etc/group
224file.
225Only those staff members who actually need to have root access
226should be placed in the
227.Li wheel
228group.
229It is also possible, when using an
230authentication method such as Kerberos, to use Kerberos's
231.Pa .k5login
232file in the root account to allow a
233.Xr ksu 1
234to root without having to place anyone at all in the
235.Li wheel
236group.
237This
238may be the better solution since the
239.Li wheel
240mechanism still allows an
241intruder to break root if the intruder has gotten hold of your password
242file and can break into a staff account.
243While having the
244.Li wheel
245mechanism
246is better than having nothing at all, it is not necessarily the safest
247option.
248.Pp
249An indirect way to secure the root account is to secure your staff accounts
250by using an alternative login access method and *'ing out the crypted password
251for the staff accounts.
252This way an intruder may be able to steal the password
253file but will not be able to break into any staff accounts or root, even if
254root has a crypted password associated with it (assuming, of course, that
255you have limited root access to the console).
256Staff members
257get into their staff accounts through a secure login mechanism such as
258.Xr kerberos 8
259or
260.Xr ssh 1
261using a private/public
262key pair.
263When you use something like Kerberos you generally must secure
264the machines which run the Kerberos servers and your desktop workstation.
265When you use a public/private key pair with SSH, you must generally secure
266the machine you are logging in
267.Em from
268(typically your workstation),
269but you can
270also add an additional layer of protection to the key pair by password
271protecting the keypair when you create it with
272.Xr ssh-keygen 1 .
273Being able
274to *-out the passwords for staff accounts also guarantees that staff members
275can only log in through secure access methods that you have set up.
276You can
277thus force all staff members to use secure, encrypted connections for
278all their sessions which closes an important hole used by many intruders: that
279of sniffing the network from an unrelated, less secure machine.
280.Pp
281The more indirect security mechanisms also assume that you are logging in
282from a more restrictive server to a less restrictive server.
283For example,
284if your main box is running all sorts of servers, your workstation should not
285be running any.
286In order for your workstation to be reasonably secure
287you should run as few servers as possible, up to and including no servers
288at all, and you should run a password-protected screen blanker.
289Of course, given physical access to
290a workstation, an attacker can break any sort of security you put on it.
291This is definitely a problem that you should consider but you should also
292consider the fact that the vast majority of break-ins occur remotely, over
293a network, from people who do not have physical access to your workstation or
294servers.
295.Pp
296Using something like Kerberos also gives you the ability to disable or
297change the password for a staff account in one place and have it immediately
298affect all the machines the staff member may have an account on.
299If a staff
300member's account gets compromised, the ability to instantly change his
301password on all machines should not be underrated.
302With discrete passwords, changing a password on N machines can be a mess.
303You can also impose
304re-passwording restrictions with Kerberos: not only can a Kerberos ticket
305be made to timeout after a while, but the Kerberos system can require that
306the user choose a new password after a certain period of time
307(say, once a month).
308.Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES
309The prudent sysadmin only runs the servers he needs to, no more, no less.
310Be aware that third party servers are often the most bug-prone.
311For example,
312running an old version of
313.Xr imapd 8
314or
315.Xr popper 8 Pq Pa ports/mail/popper
316is like giving a universal root
317ticket out to the entire world.
318Never run a server that you have not checked
319out carefully.
320Many servers do not need to be run as root.
321For example,
322the
323.Xr talkd 8 ,
324.Xr comsat 8 ,
325and
326.Xr fingerd 8
327daemons can be run in special user
328.Dq sandboxes .
329A sandbox is not perfect unless you go to a large amount of trouble, but the
330onion approach to security still stands: if someone is able to break in
331through a server running in a sandbox, they still have to break out of the
332sandbox.
333The more layers the attacker must break through, the lower the
334likelihood of his success.
335Root holes have historically been found in
336virtually every server ever run as root, including basic system servers.
337If you are running a machine through which people only log in via
338.Xr sshd 8
339and never log in via
340.Xr telnetd 8 ,
341.Xr rshd 8 ,
342or
343.Xr rlogind 8 ,
344then turn off those services!
345.Pp
346.Fx
347now defaults to running
348.Xr talkd 8 ,
349.Xr comsat 8 ,
350and
351.Xr fingerd 8
352in a sandbox.
353Another program which may be a candidate for running in a sandbox is
354.Xr named 8 .
355The default
356.Pa rc.conf
357includes the arguments necessary to run
358.Xr named 8
359in a sandbox in a commented-out form.
360Depending on whether you
361are installing a new system or upgrading an existing system, the special
362user accounts used by these sandboxes may not be installed.
363The prudent
364sysadmin would research and implement sandboxes for servers whenever possible.
365.Pp
366There are a number of other servers that typically do not run in sandboxes:
367.Xr sendmail 8 ,
368.Xr popper 8 ,
369.Xr imapd 8 ,
370.Xr ftpd 8 ,
371and others.
372There are alternatives to
373some of these, but installing them may require more work than you are willing
374to put
375(the convenience factor strikes again).
376You may have to run these
377servers as root and rely on other mechanisms to detect break-ins that might
378occur through them.
379.Pp
380The other big potential root hole in a system are the SUID-root and SGID
381binaries installed on the system.
382Most of these binaries, such as
383.Xr rlogin 1 ,
384reside in
385.Pa /bin , /sbin , /usr/bin ,
386or
387.Pa /usr/sbin .
388While nothing is 100% safe,
389the system-default SUID and SGID binaries can be considered reasonably safe.
390Still, root holes are occasionally found in these binaries.
391A root hole
392was found in Xlib in 1998 that made
393.Xr xterm 1 Pq Pa ports/x11/xterm
394(which is typically SUID)
395vulnerable.
396It is better to be safe than sorry and the prudent sysadmin will restrict SUID
397binaries that only staff should run to a special group that only staff can
398access, and get rid of
399.Pq Dq Li "chmod 000"
400any SUID binaries that nobody uses.
401A server with no display generally does not need an
402.Xr xterm 1
403binary.
404SGID binaries can be almost as dangerous.
405If an intruder can break an SGID-kmem binary the
406intruder might be able to read
407.Pa /dev/kmem
408and thus read the crypted password
409file, potentially compromising any passworded account.
410Alternatively an
411intruder who breaks group
412.Dq Li kmem
413can monitor keystrokes sent through PTYs,
414including PTYs used by users who log in through secure methods.
415An intruder
416that breaks the
417.Dq Li tty
418group can write to almost any user's TTY.
419If a user
420is running a terminal
421program or emulator with a keyboard-simulation feature, the intruder can
422potentially
423generate a data stream that causes the user's terminal to echo a command, which
424is then run as that user.
425.Sh SECURING USER ACCOUNTS
426User accounts are usually the most difficult to secure.
427While you can impose
428draconian access restrictions on your staff and *-out their passwords, you
429may not be able to do so with any general user accounts you might have.
430If
431you do have sufficient control then you may win out and be able to secure the
432user accounts properly.
433If not, you simply have to be more vigilant in your
434monitoring of those accounts.
435Use of SSH and Kerberos for user accounts is
436more problematic due to the extra administration and technical support
437required, but still a very good solution compared to a crypted password
438file.
439.Sh SECURING THE PASSWORD FILE
440The only sure fire way is to *-out as many passwords as you can and
441use SSH or Kerberos for access to those accounts.
442Even though the
443crypted password file
444.Pq Pa /etc/spwd.db
445can only be read by root, it may
446be possible for an intruder to obtain read access to that file even if the
447attacker cannot obtain root-write access.
448.Pp
449Your security scripts should always check for and report changes to
450the password file
451(see
452.Sx CHECKING FILE INTEGRITY
453below).
454.Sh SECURING THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS
455If an attacker breaks root he can do just about anything, but there
456are certain conveniences.
457For example, most modern kernels have a packet sniffing device driver built in.
458Under
459.Fx
460it is called
461the
462.Xr bpf 4
463device.
464An intruder will commonly attempt to run a packet sniffer
465on a compromised machine.
466You do not need to give the intruder the
467capability and most systems should not have the
468.Xr bpf 4
469device compiled in.
470.Pp
471But even if you turn off the
472.Xr bpf 4
473device, you still have
474.Pa /dev/mem
475and
476.Pa /dev/kmem
477to worry about.
478For that matter,
479the intruder can still write to raw disk devices.
480Also, there is another kernel feature called the module loader,
481.Xr kldload 8 .
482An enterprising intruder can use a KLD module to install
483his own
484.Xr bpf 4
485device or other sniffing device on a running kernel.
486To avoid these problems you have to run
487the kernel at a higher security level, at least level 1.
488The security level can be set with a
489.Xr sysctl 8
490on the
491.Va kern.securelevel
492variable.
493Once you have
494set the security level to 1, write access to raw devices will be denied and
495special
496.Xr chflags 1
497flags, such as
498.Cm schg ,
499will be enforced.
500You must also ensure
501that the
502.Cm schg
503flag is set on critical startup binaries, directories, and
504script files \(em everything that gets run
505up to the point where the security level is set.
506This might be overdoing it, and upgrading the system is much more
507difficult when you operate at a higher security level.
508You may compromise and
509run the system at a higher security level but not set the
510.Cm schg
511flag for every
512system file and directory under the sun.
513Another possibility is to simply
514mount
515.Pa /
516and
517.Pa /usr
518read-only.
519It should be noted that being too draconian in
520what you attempt to protect may prevent the all-important detection of an
521intrusion.
522.Pp
523The kernel runs with five different security levels.
524Any super-user process can raise the level, but no process
525can lower it.
526The security levels are:
527.Bl -tag -width flag
528.It Ic -1
529Permanently insecure mode \- always run the system in insecure mode.
530This is the default initial value.
531.It Ic 0
532Insecure mode \- immutable and append-only flags may be turned off.
533All devices may be read or written subject to their permissions.
534.It Ic 1
535Secure mode \- the system immutable and system append-only flags may not
536be turned off;
537disks for mounted file systems,
538.Pa /dev/mem
539and
540.Pa /dev/kmem
541may not be opened for writing;
542.Pa /dev/io
543(if your platform has it) may not be opened at all;
544kernel modules (see
545.Xr kld 4 )
546may not be loaded or unloaded.
547.It Ic 2
548Highly secure mode \- same as secure mode, plus disks may not be
549opened for writing (except by
550.Xr mount 2 )
551whether mounted or not.
552This level precludes tampering with file systems by unmounting them,
553but also inhibits running
554.Xr newfs 8
555while the system is multi-user.
556.Pp
557In addition, kernel time changes are restricted to less than or equal to one
558second.
559Attempts to change the time by more than this will log the message
560.Dq Time adjustment clamped to +1 second .
561.It Ic 3
562Network secure mode \- same as highly secure mode, plus
563IP packet filter rules (see
564.Xr ipfw 8 ,
565.Xr ipfirewall 4
566and
567.Xr pfctl 8 )
568cannot be changed and
569.Xr dummynet 4
570or
571.Xr pf 4
572configuration cannot be adjusted.
573.El
574.Pp
575The security level can be configured with variables documented in
576.Xr rc.conf 8 .
577.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC
578When it comes right down to it, you can only protect your core system
579configuration and control files so much before the convenience factor
580rears its ugly head.
581For example, using
582.Xr chflags 1
583to set the
584.Cm schg
585bit on most of the files in
586.Pa /
587and
588.Pa /usr
589is probably counterproductive because
590while it may protect the files, it also closes a detection window.
591The
592last layer of your security onion is perhaps the most important \(em detection.
593The rest of your security is pretty much useless (or, worse, presents you with
594a false sense of safety) if you cannot detect potential incursions.
595Half
596the job of the onion is to slow down the attacker rather than stop him
597in order to give the detection layer a chance to catch him in
598the act.
599.Pp
600The best way to detect an incursion is to look for modified, missing, or
601unexpected files.
602The best
603way to look for modified files is from another (often centralized)
604limited-access system.
605Writing your security scripts on the extra-secure limited-access system
606makes them mostly invisible to potential attackers, and this is important.
607In order to take maximum advantage you generally have to give the
608limited-access box significant access to the other machines in the business,
609usually either by doing a read-only NFS export of the other machines to the
610limited-access box, or by setting up SSH keypairs to allow the limit-access
611box to SSH to the other machines.
612Except for its network traffic, NFS is
613the least visible method \(em allowing you to monitor the file systems on each
614client box virtually undetected.
615If your
616limited-access server is connected to the client boxes through a switch,
617the NFS method is often the better choice.
618If your limited-access server
619is connected to the client boxes through a hub or through several layers
620of routing, the NFS method may be too insecure (network-wise) and using SSH
621may be the better choice even with the audit-trail tracks that SSH lays.
622.Pp
623Once you give a limit-access box at least read access to the client systems
624it is supposed to monitor, you must write scripts to do the actual
625monitoring.
626Given an NFS mount, you can write scripts out of simple system
627utilities such as
628.Xr find 1
629and
630.Xr md5 1 .
631It is best to physically
632.Xr md5 1
633the client-box files boxes at least once a
634day, and to test control files such as those found in
635.Pa /etc
636and
637.Pa /usr/local/etc
638even more often.
639When mismatches are found relative to the base MD5
640information the limited-access machine knows is valid, it should scream at
641a sysadmin to go check it out.
642A good security script will also check for
643inappropriate SUID binaries and for new or deleted files on system partitions
644such as
645.Pa /
646and
647.Pa /usr .
648.Pp
649When using SSH rather than NFS, writing the security script is much more
650difficult.
651You essentially have to
652.Xr scp 1
653the scripts to the client box in order to run them, making them visible, and
654for safety you also need to
655.Xr scp 1
656the binaries (such as
657.Xr find 1 )
658that those scripts use.
659The
660.Xr sshd 8
661daemon on the client box may already be compromised.
662All in all,
663using SSH may be necessary when running over unsecure links, but it is also a
664lot harder to deal with.
665.Pp
666A good security script will also check for changes to user and staff members
667access configuration files:
668.Pa .rhosts , .shosts , .ssh/authorized_keys
669and so forth, files that might fall outside the purview of the MD5 check.
670.Pp
671If you have a huge amount of user disk space it may take too long to run
672through every file on those partitions.
673In this case, setting mount
674flags to disallow SUID binaries on those partitions is a good
675idea.
676The
677.Cm nosuid
678option
679(see
680.Xr mount 8 )
681is what you want to look into.
682I would scan them anyway at least once a
683week, since the object of this layer is to detect a break-in whether or
684not the break-in is effective.
685.Pp
686Process accounting
687(see
688.Xr accton 8 )
689is a relatively low-overhead feature of
690the operating system which I recommend using as a post-break-in evaluation
691mechanism.
692It is especially useful in tracking down how an intruder has
693actually broken into a system, assuming the file is still intact after
694the break-in occurs.
695.Pp
696Finally, security scripts should process the log files and the logs themselves
697should be generated in as secure a manner as possible \(em remote syslog can be
698very useful.
699An intruder tries to cover his tracks, and log files are critical
700to the sysadmin trying to track down the time and method of the initial
701break-in.
702One way to keep a permanent record of the log files is to run
703the system console to a serial port and collect the information on a
704continuing basis through a secure machine monitoring the consoles.
705.Sh PARANOIA
706A little paranoia never hurts.
707As a rule, a sysadmin can add any number
708of security features as long as they do not affect convenience, and
709can add security features that do affect convenience with some added
710thought.
711Even more importantly, a security administrator should mix it up
712a bit \(em if you use recommendations such as those given by this manual
713page verbatim, you give away your methodologies to the prospective
714attacker who also has access to this manual page.
715.Sh SPECIAL SECTION ON DoS ATTACKS
716This section covers Denial of Service attacks.
717A DoS attack is typically a packet attack.
718While there is not much you can do about modern spoofed
719packet attacks that saturate your network, you can generally limit the damage
720by ensuring that the attacks cannot take down your servers.
721.Bl -enum -offset indent
722.It
723Limiting server forks
724.It
725Limiting springboard attacks (ICMP response attacks, ping broadcast, etc.)
726.It
727Kernel Route Cache
728.El
729.Pp
730A common DoS attack is against a forking server that attempts to cause the
731server to eat processes, file descriptors, and memory until the machine
732dies.
733The
734.Xr inetd 8
735server
736has several options to limit this sort of attack.
737It should be noted that while it is possible to prevent a machine from going
738down it is not generally possible to prevent a service from being disrupted
739by the attack.
740Read the
741.Xr inetd 8
742manual page carefully and pay specific attention
743to the
744.Fl c , C ,
745and
746.Fl R
747options.
748Note that spoofed-IP attacks will circumvent
749the
750.Fl C
751option to
752.Xr inetd 8 ,
753so typically a combination of options must be used.
754Some standalone servers have self-fork-limitation parameters.
755.Pp
756The
757.Xr sendmail 8
758daemon has its
759.Fl OMaxDaemonChildren
760option which tends to work much
761better than trying to use
762.Xr sendmail 8 Ns 's
763load limiting options due to the
764load lag.
765You should specify a
766.Va MaxDaemonChildren
767parameter when you start
768.Xr sendmail 8
769high enough to handle your expected load but not so high that the
770computer cannot handle that number of
771.Nm sendmail Ns 's
772without falling on its face.
773It is also prudent to run
774.Xr sendmail 8
775in
776.Dq queued
777mode
778.Pq Fl ODeliveryMode=queued
779and to run the daemon
780.Pq Dq Nm sendmail Fl bd
781separate from the queue-runs
782.Pq Dq Nm sendmail Fl q15m .
783If you still want real-time delivery you can run the queue
784at a much lower interval, such as
785.Fl q1m ,
786but be sure to specify a reasonable
787.Va MaxDaemonChildren
788option for that
789.Xr sendmail 8
790to prevent cascade failures.
791.Pp
792The
793.Xr syslogd 8
794daemon can be attacked directly and it is strongly recommended that you use
795the
796.Fl s
797option whenever possible, and the
798.Fl a
799option otherwise.
800.Pp
801You should also be fairly careful
802with connect-back services such as tcpwrapper's reverse-identd, which can
803be attacked directly.
804You generally do not want to use the reverse-ident
805feature of tcpwrappers for this reason.
806.Pp
807It is a very good idea to protect internal services from external access
808by firewalling them off at your border routers.
809The idea here is to prevent
810saturation attacks from outside your LAN, not so much to protect internal
811services from network-based root compromise.
812Always configure an exclusive
813firewall, i.e.,
814.So
815firewall everything
816.Em except
817ports A, B, C, D, and M-Z
818.Sc .
819This
820way you can firewall off all of your low ports except for certain specific
821services such as
822.Xr named 8
823(if you are primary for a zone),
824.Xr talkd 8 ,
825.Xr sendmail 8 ,
826and other internet-accessible services.
827If you try to configure the firewall the other
828way \(em as an inclusive or permissive firewall, there is a good chance that you
829will forget to
830.Dq close
831a couple of services or that you will add a new internal
832service and forget to update the firewall.
833You can still open up the
834high-numbered port range on the firewall to allow permissive-like operation
835without compromising your low ports.
836Also take note that
837.Fx
838allows you to
839control the range of port numbers used for dynamic binding via the various
840.Va net.inet.ip.portrange
841sysctl's
842.Pq Dq Li "sysctl net.inet.ip.portrange" ,
843which can also
844ease the complexity of your firewall's configuration.
845I usually use a normal
846first/last range of 4000 to 5000, and a hiport range of 49152 to 65535, then
847block everything under 4000 off in my firewall
848(except for certain specific
849internet-accessible ports, of course).
850.Pp
851Another common DoS attack is called a springboard attack \(em to attack a server
852in a manner that causes the server to generate responses which then overload
853the server, the local network, or some other machine.
854The most common attack
855of this nature is the ICMP PING BROADCAST attack.
856The attacker spoofs ping
857packets sent to your LAN's broadcast address with the source IP address set
858to the actual machine they wish to attack.
859If your border routers are not
860configured to stomp on ping's to broadcast addresses, your LAN winds up
861generating sufficient responses to the spoofed source address to saturate the
862victim, especially when the attacker uses the same trick on several dozen
863broadcast addresses over several dozen different networks at once.
864Broadcast attacks of over a hundred and twenty megabits have been measured.
865A second common springboard attack is against the ICMP error reporting system.
866By
867constructing packets that generate ICMP error responses, an attacker can
868saturate a server's incoming network and cause the server to saturate its
869outgoing network with ICMP responses.
870This type of attack can also crash the
871server by running it out of
872.Vt mbuf Ns 's ,
873especially if the server cannot drain the
874ICMP responses it generates fast enough.
875The
876.Fx
877kernel has a new kernel
878compile option called
879.Dv ICMP_BANDLIM
880which limits the effectiveness of these
881sorts of attacks.
882The last major class of springboard attacks is related to
883certain internal
884.Xr inetd 8
885services such as the UDP echo service.
886An attacker
887simply spoofs a UDP packet with the source address being server A's echo port,
888and the destination address being server B's echo port, where server A and B
889are both on your LAN.
890The two servers then bounce this one packet back and
891forth between each other.
892The attacker can overload both servers and their
893LANs simply by injecting a few packets in this manner.
894Similar problems
895exist with the internal chargen port.
896A competent sysadmin will turn off all
897of these
898.Xr inetd 8 Ns -internal
899test services.
900.Pp
901Spoofed packet attacks may also be used to overload the kernel route cache.
902Refer to the
903.Va net.inet.ip.rtexpire , net.inet.ip.rtminexpire ,
904and
905.Va net.inet.ip.rtmaxcache
906.Xr sysctl 8
907variables.
908A spoofed packet attack that uses a random source IP will cause
909the kernel to generate a temporary cached route in the route table, viewable
910with
911.Dq Li "netstat -rna | fgrep W3" .
912These routes typically timeout in 1600
913seconds or so.
914If the kernel detects that the cached route table has gotten
915too big it will dynamically reduce the
916.Va rtexpire
917but will never decrease it to
918less than
919.Va rtminexpire .
920There are two problems: (1) The kernel does not react
921quickly enough when a lightly loaded server is suddenly attacked, and (2) The
922.Va rtminexpire
923is not low enough for the kernel to survive a sustained attack.
924If your servers are connected to the internet via a T3 or better it may be
925prudent to manually override both
926.Va rtexpire
927and
928.Va rtminexpire
929via
930.Xr sysctl 8 .
931Never set either parameter to zero
932(unless you want to crash the machine :-)).
933Setting both parameters to 2 seconds should be sufficient to protect the route
934table from attack.
935.Sh ACCESS ISSUES WITH KERBEROS AND SSH
936There are a few issues with both Kerberos and SSH that need to be addressed
937if you intend to use them.
938Kerberos5 is an excellent authentication
939protocol but the kerberized
940.Xr telnet 1
941and
942.Xr rlogin 1
943suck rocks.
944There are bugs that make them unsuitable for dealing with binary streams.
945Also, by default
946Kerberos does not encrypt a session unless you use the
947.Fl x
948option.
949SSH encrypts everything by default.
950.Pp
951SSH works quite well in every respect except when it is set up to
952forward encryption keys.
953What this means is that if you have a secure workstation holding
954keys that give you access to the rest of the system, and you
955.Xr ssh 1
956to an
957unsecure machine, your keys become exposed.
958The actual keys themselves are
959not exposed, but
960.Xr ssh 1
961installs a forwarding port for the duration of your
962login and if an attacker has broken root on the unsecure machine he can utilize
963that port to use your keys to gain access to any other machine that your
964keys unlock.
965.Pp
966We recommend that you use SSH in combination with Kerberos whenever possible
967for staff logins.
968SSH can be compiled with Kerberos support.
969This reduces
970your reliance on potentially exposable SSH keys while at the same time
971protecting passwords via Kerberos.
972SSH keys
973should only be used for automated tasks from secure machines (something
974that Kerberos is unsuited to).
975We also recommend that you either turn off
976key-forwarding in the SSH configuration, or that you make use of the
977.Va from Ns = Ns Ar IP/DOMAIN
978option that SSH allows in its
979.Pa authorized_keys
980file to make the key only usable to entities logging in from specific
981machines.
982.Sh SEE ALSO
983.Xr chflags 1 ,
984.Xr find 1 ,
985.Xr md5 1 ,
986.Xr netstat 1 ,
987.Xr openssl 1 ,
988.Xr ssh 1 ,
989.Xr xdm 1 Pq Pa ports/x11/xorg-clients ,
990.Xr group 5 ,
991.Xr ttys 5 ,
992.Xr accton 8 ,
993.Xr init 8 ,
994.Xr sshd 8 ,
995.Xr sysctl 8 ,
996.Xr syslogd 8 ,
997.Xr vipw 8
998.Sh HISTORY
999The
1000.Nm
1001manual page was originally written by
1002.An Matthew Dillon
1003and first appeared
1004in
1005.Fx 3.1 ,
1006December 1998.
1007