1.\" Copyright (C) 1998 Matthew Dillon. All rights reserved. 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions 5.\" are met: 6.\" 1. Redistributions of source code must retain the above copyright 7.\" notice, this list of conditions and the following disclaimer. 8.\" 2. Redistributions in binary form must reproduce the above copyright 9.\" notice, this list of conditions and the following disclaimer in the 10.\" documentation and/or other materials provided with the distribution. 11.\" 12.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND 13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15.\" ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE 16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 22.\" SUCH DAMAGE. 23.\" 24.\" $FreeBSD$ 25.\" 26.Dd November 29, 2004 27.Dt SECURITY 7 28.Os 29.Sh NAME 30.Nm security 31.Nd introduction to security under 32.Fx 33.Sh DESCRIPTION 34Security is a function that begins and ends with the system administrator. 35While all 36.Bx 37multi-user systems have some inherent security, the job of building and 38maintaining additional security mechanisms to keep users 39.Dq honest 40is probably 41one of the single largest undertakings of the sysadmin. 42Machines are 43only as secure as you make them, and security concerns are ever competing 44with the human necessity for convenience. 45.Ux 46systems, 47in general, are capable of running a huge number of simultaneous processes 48and many of these processes operate as servers \(em meaning that external 49entities can connect and talk to them. 50As yesterday's mini-computers and mainframes 51become today's desktops, and as computers become networked and internetworked, 52security becomes an ever bigger issue. 53.Pp 54Security is best implemented through a layered onion approach. 55In a nutshell, 56what you want to do is to create as many layers of security as are convenient 57and then carefully monitor the system for intrusions. 58You do not want to 59overbuild your security or you will interfere with the detection side, and 60detection is one of the single most important aspects of any security 61mechanism. 62For example, it makes little sense to set the 63.Cm schg 64flags 65(see 66.Xr chflags 1 ) 67on every system binary because while this may temporarily protect the 68binaries, it prevents an attacker who has broken in from making an 69easily detectable change that may result in your security mechanisms not 70detecting the attacker at all. 71.Pp 72System security also pertains to dealing with various forms of attacks, 73including attacks that attempt to crash or otherwise make a system unusable 74but do not attempt to break root. 75Security concerns can be split up into 76several categories: 77.Bl -enum -offset indent 78.It 79Denial of Service attacks (DoS) 80.It 81User account compromises 82.It 83Root compromise through accessible servers 84.It 85Root compromise via user accounts 86.It 87Backdoor creation 88.El 89.Pp 90A denial of service attack is an action that deprives the machine of needed 91resources. 92Typically, DoS attacks are brute-force mechanisms that attempt 93to crash or otherwise make a machine unusable by overwhelming its servers or 94network stack. 95Some DoS attacks try to take advantages of bugs in the 96networking stack to crash a machine with a single packet. 97The latter can 98only be fixed by applying a bug fix to the kernel. 99Attacks on servers can 100often be fixed by properly specifying options to limit the load the servers 101incur on the system under adverse conditions. 102Brute-force network attacks are harder to deal with. 103A spoofed-packet attack, for example, is 104nearly impossible to stop short of cutting your system off from the Internet. 105It may not be able to take your machine down, but it can fill up Internet 106pipe. 107.Pp 108A user account compromise is even more common than a DoS attack. 109Many 110sysadmins still run standard 111.Xr telnetd 8 , 112.Xr rlogind 8 , 113.Xr rshd 8 , 114and 115.Xr ftpd 8 116servers on their machines. 117These servers, by default, do not operate over encrypted 118connections. 119The result is that if you have any moderate-sized user base, 120one or more of your users logging into your system from a remote location 121(which is the most common and convenient way to log in to a system) 122will have his or her password sniffed. 123The attentive system administrator will analyze 124his remote access logs looking for suspicious source addresses 125even for successful logins. 126.Pp 127One must always assume that once an attacker has access to a user account, 128the attacker can break root. 129However, the reality is that in a well secured 130and maintained system, access to a user account does not necessarily give the 131attacker access to root. 132The distinction is important because without access 133to root the attacker cannot generally hide his tracks and may, at best, be 134able to do nothing more than mess with the user's files or crash the machine. 135User account compromises are very common because users tend not to take the 136precautions that sysadmins take. 137.Pp 138System administrators must keep in mind that there are potentially many ways 139to break root on a machine. 140The attacker may know the root password, 141the attacker 142may find a bug in a root-run server and be able to break root over a network 143connection to that server, or the attacker may know of a bug in an SUID-root 144program that allows the attacker to break root once he has broken into a 145user's account. 146If an attacker has found a way to break root on a machine, 147the attacker may not have a need to install a backdoor. 148Many of the root holes found and closed to date involve a considerable amount 149of work by the attacker to clean up after himself, so most attackers do install 150backdoors. 151This gives you a convenient way to detect the attacker. 152Making 153it impossible for an attacker to install a backdoor may actually be detrimental 154to your security because it will not close off the hole the attacker used to 155break in in the first place. 156.Pp 157Security remedies should always be implemented with a multi-layered 158.Dq onion peel 159approach and can be categorized as follows: 160.Bl -enum -offset indent 161.It 162Securing root and staff accounts 163.It 164Securing root \(em root-run servers and SUID/SGID binaries 165.It 166Securing user accounts 167.It 168Securing the password file 169.It 170Securing the kernel core, raw devices, and file systems 171.It 172Quick detection of inappropriate changes made to the system 173.It 174Paranoia 175.El 176.Sh SECURING THE ROOT ACCOUNT AND SECURING STAFF ACCOUNTS 177Do not bother securing staff accounts if you have not secured the root 178account. 179Most systems have a password assigned to the root account. 180The 181first thing you do is assume that the password is 182.Em always 183compromised. 184This does not mean that you should remove the password. 185The 186password is almost always necessary for console access to the machine. 187What it does mean is that you should not make it possible to use the password 188outside of the console or possibly even with a 189.Xr su 1 190utility. 191For example, make sure that your PTYs are specified as being 192.Dq Li unsecure 193in the 194.Pa /etc/ttys 195file 196so that direct root logins via 197.Xr telnet 1 198or 199.Xr rlogin 1 200are disallowed. 201If using 202other login services such as 203.Xr sshd 8 , 204make sure that direct root logins are 205disabled there as well. 206Consider every access method \(em services such as 207.Xr ftp 1 208often fall through the cracks. 209Direct root logins should only be allowed 210via the system console. 211.Pp 212Of course, as a sysadmin you have to be able to get to root, so we open up 213a few holes. 214But we make sure these holes require additional password 215verification to operate. 216One way to make root accessible is to add appropriate 217staff accounts to the 218.Dq Li wheel 219group (in 220.Pa /etc/group ) . 221The staff members placed in the 222.Li wheel 223group are allowed to 224.Xr su 1 225to root. 226You should never give staff 227members native 228.Li wheel 229access by putting them in the 230.Li wheel 231group in their password entry. 232Staff accounts should be placed in a 233.Dq Li staff 234group, and then added to the 235.Li wheel 236group via the 237.Pa /etc/group 238file. 239Only those staff members who actually need to have root access 240should be placed in the 241.Li wheel 242group. 243It is also possible, when using an 244authentication method such as Kerberos, to use Kerberos's 245.Pa .k5login 246file in the root account to allow a 247.Xr ksu 1 248to root without having to place anyone at all in the 249.Li wheel 250group. 251This 252may be the better solution since the 253.Li wheel 254mechanism still allows an 255intruder to break root if the intruder has gotten hold of your password 256file and can break into a staff account. 257While having the 258.Li wheel 259mechanism 260is better than having nothing at all, it is not necessarily the safest 261option. 262.Pp 263An indirect way to secure the root account is to secure your staff accounts 264by using an alternative login access method and *'ing out the crypted password 265for the staff accounts. 266This way an intruder may be able to steal the password 267file but will not be able to break into any staff accounts or root, even if 268root has a crypted password associated with it (assuming, of course, that 269you have limited root access to the console). 270Staff members 271get into their staff accounts through a secure login mechanism such as 272.Xr kerberos 8 273or 274.Xr ssh 1 275using a private/public 276key pair. 277When you use something like Kerberos you generally must secure 278the machines which run the Kerberos servers and your desktop workstation. 279When you use a public/private key pair with SSH, you must generally secure 280the machine you are logging in 281.Em from 282(typically your workstation), 283but you can 284also add an additional layer of protection to the key pair by password 285protecting the keypair when you create it with 286.Xr ssh-keygen 1 . 287Being able 288to *-out the passwords for staff accounts also guarantees that staff members 289can only log in through secure access methods that you have set up. 290You can 291thus force all staff members to use secure, encrypted connections for 292all their sessions which closes an important hole used by many intruders: that 293of sniffing the network from an unrelated, less secure machine. 294.Pp 295The more indirect security mechanisms also assume that you are logging in 296from a more restrictive server to a less restrictive server. 297For example, 298if your main box is running all sorts of servers, your workstation should not 299be running any. 300In order for your workstation to be reasonably secure 301you should run as few servers as possible, up to and including no servers 302at all, and you should run a password-protected screen blanker. 303Of course, given physical access to 304a workstation, an attacker can break any sort of security you put on it. 305This is definitely a problem that you should consider but you should also 306consider the fact that the vast majority of break-ins occur remotely, over 307a network, from people who do not have physical access to your workstation or 308servers. 309.Pp 310Using something like Kerberos also gives you the ability to disable or 311change the password for a staff account in one place and have it immediately 312affect all the machines the staff member may have an account on. 313If a staff 314member's account gets compromised, the ability to instantly change his 315password on all machines should not be underrated. 316With discrete passwords, changing a password on N machines can be a mess. 317You can also impose 318re-passwording restrictions with Kerberos: not only can a Kerberos ticket 319be made to timeout after a while, but the Kerberos system can require that 320the user choose a new password after a certain period of time 321(say, once a month). 322.Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES 323The prudent sysadmin only runs the servers he needs to, no more, no less. 324Be aware that third party servers are often the most bug-prone. 325For example, 326running an old version of 327.Xr imapd 8 328or 329.Xr popper 8 Pq Pa ports/mail/popper 330is like giving a universal root 331ticket out to the entire world. 332Never run a server that you have not checked 333out carefully. 334Many servers do not need to be run as root. 335For example, 336the 337.Xr talkd 8 , 338.Xr comsat 8 , 339and 340.Xr fingerd 8 341daemons can be run in special user 342.Dq sandboxes . 343A sandbox is not perfect unless you go to a large amount of trouble, but the 344onion approach to security still stands: if someone is able to break in 345through a server running in a sandbox, they still have to break out of the 346sandbox. 347The more layers the attacker must break through, the lower the 348likelihood of his success. 349Root holes have historically been found in 350virtually every server ever run as root, including basic system servers. 351If you are running a machine through which people only log in via 352.Xr sshd 8 353and never log in via 354.Xr telnetd 8 , 355.Xr rshd 8 , 356or 357.Xr rlogind 8 , 358then turn off those services! 359.Pp 360.Fx 361now defaults to running 362.Xr talkd 8 , 363.Xr comsat 8 , 364and 365.Xr fingerd 8 366in a sandbox. 367Another program which may be a candidate for running in a sandbox is 368.Xr named 8 . 369The default 370.Pa rc.conf 371includes the arguments necessary to run 372.Xr named 8 373in a sandbox in a commented-out form. 374Depending on whether you 375are installing a new system or upgrading an existing system, the special 376user accounts used by these sandboxes may not be installed. 377The prudent 378sysadmin would research and implement sandboxes for servers whenever possible. 379.Pp 380There are a number of other servers that typically do not run in sandboxes: 381.Xr sendmail 8 , 382.Xr popper 8 , 383.Xr imapd 8 , 384.Xr ftpd 8 , 385and others. 386There are alternatives to 387some of these, but installing them may require more work than you are willing 388to put 389(the convenience factor strikes again). 390You may have to run these 391servers as root and rely on other mechanisms to detect break-ins that might 392occur through them. 393.Pp 394The other big potential root hole in a system are the SUID-root and SGID 395binaries installed on the system. 396Most of these binaries, such as 397.Xr rlogin 1 , 398reside in 399.Pa /bin , /sbin , /usr/bin , 400or 401.Pa /usr/sbin . 402While nothing is 100% safe, 403the system-default SUID and SGID binaries can be considered reasonably safe. 404Still, root holes are occasionally found in these binaries. 405A root hole 406was found in Xlib in 1998 that made 407.Xr xterm 1 Pq Pa ports/x11/xterm 408(which is typically SUID) 409vulnerable. 410It is better to be safe than sorry and the prudent sysadmin will restrict SUID 411binaries that only staff should run to a special group that only staff can 412access, and get rid of 413.Pq Dq Li "chmod 000" 414any SUID binaries that nobody uses. 415A server with no display generally does not need an 416.Xr xterm 1 417binary. 418SGID binaries can be almost as dangerous. 419If an intruder can break an SGID-kmem binary the 420intruder might be able to read 421.Pa /dev/kmem 422and thus read the crypted password 423file, potentially compromising any passworded account. 424Alternatively an 425intruder who breaks group 426.Dq Li kmem 427can monitor keystrokes sent through PTYs, 428including PTYs used by users who log in through secure methods. 429An intruder 430that breaks the 431.Dq Li tty 432group can write to almost any user's TTY. 433If a user 434is running a terminal 435program or emulator with a keyboard-simulation feature, the intruder can 436potentially 437generate a data stream that causes the user's terminal to echo a command, which 438is then run as that user. 439.Sh SECURING USER ACCOUNTS 440User accounts are usually the most difficult to secure. 441While you can impose 442draconian access restrictions on your staff and *-out their passwords, you 443may not be able to do so with any general user accounts you might have. 444If 445you do have sufficient control then you may win out and be able to secure the 446user accounts properly. 447If not, you simply have to be more vigilant in your 448monitoring of those accounts. 449Use of SSH and Kerberos for user accounts is 450more problematic due to the extra administration and technical support 451required, but still a very good solution compared to a crypted password 452file. 453.Sh SECURING THE PASSWORD FILE 454The only sure fire way is to *-out as many passwords as you can and 455use SSH or Kerberos for access to those accounts. 456Even though the 457crypted password file 458.Pq Pa /etc/spwd.db 459can only be read by root, it may 460be possible for an intruder to obtain read access to that file even if the 461attacker cannot obtain root-write access. 462.Pp 463Your security scripts should always check for and report changes to 464the password file 465(see 466.Sx CHECKING FILE INTEGRITY 467below). 468.Sh SECURING THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS 469If an attacker breaks root he can do just about anything, but there 470are certain conveniences. 471For example, most modern kernels have a packet sniffing device driver built in. 472Under 473.Fx 474it is called 475the 476.Xr bpf 4 477device. 478An intruder will commonly attempt to run a packet sniffer 479on a compromised machine. 480You do not need to give the intruder the 481capability and most systems should not have the 482.Xr bpf 4 483device compiled in. 484.Pp 485But even if you turn off the 486.Xr bpf 4 487device, you still have 488.Pa /dev/mem 489and 490.Pa /dev/kmem 491to worry about. 492For that matter, 493the intruder can still write to raw disk devices. 494Also, there is another kernel feature called the module loader, 495.Xr kldload 8 . 496An enterprising intruder can use a KLD module to install 497his own 498.Xr bpf 4 499device or other sniffing device on a running kernel. 500To avoid these problems you have to run 501the kernel at a higher security level, at least level 1. 502The security level can be set with a 503.Xr sysctl 8 504on the 505.Va kern.securelevel 506variable. 507Once you have 508set the security level to 1, write access to raw devices will be denied and 509special 510.Xr chflags 1 511flags, such as 512.Cm schg , 513will be enforced. 514You must also ensure 515that the 516.Cm schg 517flag is set on critical startup binaries, directories, and 518script files \(em everything that gets run 519up to the point where the security level is set. 520This might be overdoing it, and upgrading the system is much more 521difficult when you operate at a higher security level. 522You may compromise and 523run the system at a higher security level but not set the 524.Cm schg 525flag for every 526system file and directory under the sun. 527Another possibility is to simply 528mount 529.Pa / 530and 531.Pa /usr 532read-only. 533It should be noted that being too draconian in 534what you attempt to protect may prevent the all-important detection of an 535intrusion. 536.Pp 537The kernel runs with five different security levels. 538Any super-user process can raise the level, but no process 539can lower it. 540The security levels are: 541.Bl -tag -width flag 542.It Ic -1 543Permanently insecure mode \- always run the system in insecure mode. 544This is the default initial value. 545.It Ic 0 546Insecure mode \- immutable and append-only flags may be turned off. 547All devices may be read or written subject to their permissions. 548.It Ic 1 549Secure mode \- the system immutable and system append-only flags may not 550be turned off; 551disks for mounted file systems, 552.Pa /dev/mem , 553.Pa /dev/kmem 554and 555.Pa /dev/io 556(if your platform has it) may not be opened for writing; 557kernel modules (see 558.Xr kld 4 ) 559may not be loaded or unloaded. 560.It Ic 2 561Highly secure mode \- same as secure mode, plus disks may not be 562opened for writing (except by 563.Xr mount 2 ) 564whether mounted or not. 565This level precludes tampering with file systems by unmounting them, 566but also inhibits running 567.Xr newfs 8 568while the system is multi-user. 569.Pp 570In addition, kernel time changes are restricted to less than or equal to one 571second. 572Attempts to change the time by more than this will log the message 573.Dq Time adjustment clamped to +1 second . 574.It Ic 3 575Network secure mode \- same as highly secure mode, plus 576IP packet filter rules (see 577.Xr ipfw 8 , 578.Xr ipfirewall 4 579and 580.Xr pfctl 8 ) 581cannot be changed and 582.Xr dummynet 4 583or 584.Xr pf 4 585configuration cannot be adjusted. 586.El 587.Pp 588The security level is discussed further in 589.Xr init 8 590and can be configured with variables documented in 591.Xr rc.conf 8 . 592.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC 593When it comes right down to it, you can only protect your core system 594configuration and control files so much before the convenience factor 595rears its ugly head. 596For example, using 597.Xr chflags 1 598to set the 599.Cm schg 600bit on most of the files in 601.Pa / 602and 603.Pa /usr 604is probably counterproductive because 605while it may protect the files, it also closes a detection window. 606The 607last layer of your security onion is perhaps the most important \(em detection. 608The rest of your security is pretty much useless (or, worse, presents you with 609a false sense of safety) if you cannot detect potential incursions. 610Half 611the job of the onion is to slow down the attacker rather than stop him 612in order to give the detection layer a chance to catch him in 613the act. 614.Pp 615The best way to detect an incursion is to look for modified, missing, or 616unexpected files. 617The best 618way to look for modified files is from another (often centralized) 619limited-access system. 620Writing your security scripts on the extra-secure limited-access system 621makes them mostly invisible to potential attackers, and this is important. 622In order to take maximum advantage you generally have to give the 623limited-access box significant access to the other machines in the business, 624usually either by doing a read-only NFS export of the other machines to the 625limited-access box, or by setting up SSH keypairs to allow the limit-access 626box to SSH to the other machines. 627Except for its network traffic, NFS is 628the least visible method \(em allowing you to monitor the file systems on each 629client box virtually undetected. 630If your 631limited-access server is connected to the client boxes through a switch, 632the NFS method is often the better choice. 633If your limited-access server 634is connected to the client boxes through a hub or through several layers 635of routing, the NFS method may be too insecure (network-wise) and using SSH 636may be the better choice even with the audit-trail tracks that SSH lays. 637.Pp 638Once you give a limit-access box at least read access to the client systems 639it is supposed to monitor, you must write scripts to do the actual 640monitoring. 641Given an NFS mount, you can write scripts out of simple system 642utilities such as 643.Xr find 1 644and 645.Xr md5 1 . 646It is best to physically 647.Xr md5 1 648the client-box files boxes at least once a 649day, and to test control files such as those found in 650.Pa /etc 651and 652.Pa /usr/local/etc 653even more often. 654When mismatches are found relative to the base MD5 655information the limited-access machine knows is valid, it should scream at 656a sysadmin to go check it out. 657A good security script will also check for 658inappropriate SUID binaries and for new or deleted files on system partitions 659such as 660.Pa / 661and 662.Pa /usr . 663.Pp 664When using SSH rather than NFS, writing the security script is much more 665difficult. 666You essentially have to 667.Xr scp 1 668the scripts to the client box in order to run them, making them visible, and 669for safety you also need to 670.Xr scp 1 671the binaries (such as 672.Xr find 1 ) 673that those scripts use. 674The 675.Xr sshd 8 676daemon on the client box may already be compromised. 677All in all, 678using SSH may be necessary when running over unsecure links, but it is also a 679lot harder to deal with. 680.Pp 681A good security script will also check for changes to user and staff members 682access configuration files: 683.Pa .rhosts , .shosts , .ssh/authorized_keys 684and so forth, files that might fall outside the purview of the MD5 check. 685.Pp 686If you have a huge amount of user disk space it may take too long to run 687through every file on those partitions. 688In this case, setting mount 689flags to disallow SUID binaries on those partitions is a good 690idea. 691The 692.Cm nosuid 693option 694(see 695.Xr mount 8 ) 696is what you want to look into. 697I would scan them anyway at least once a 698week, since the object of this layer is to detect a break-in whether or 699not the break-in is effective. 700.Pp 701Process accounting 702(see 703.Xr accton 8 ) 704is a relatively low-overhead feature of 705the operating system which I recommend using as a post-break-in evaluation 706mechanism. 707It is especially useful in tracking down how an intruder has 708actually broken into a system, assuming the file is still intact after 709the break-in occurs. 710.Pp 711Finally, security scripts should process the log files and the logs themselves 712should be generated in as secure a manner as possible \(em remote syslog can be 713very useful. 714An intruder tries to cover his tracks, and log files are critical 715to the sysadmin trying to track down the time and method of the initial 716break-in. 717One way to keep a permanent record of the log files is to run 718the system console to a serial port and collect the information on a 719continuing basis through a secure machine monitoring the consoles. 720.Sh PARANOIA 721A little paranoia never hurts. 722As a rule, a sysadmin can add any number 723of security features as long as they do not affect convenience, and 724can add security features that do affect convenience with some added 725thought. 726Even more importantly, a security administrator should mix it up 727a bit \(em if you use recommendations such as those given by this manual 728page verbatim, you give away your methodologies to the prospective 729attacker who also has access to this manual page. 730.Sh SPECIAL SECTION ON DoS ATTACKS 731This section covers Denial of Service attacks. 732A DoS attack is typically a packet attack. 733While there is not much you can do about modern spoofed 734packet attacks that saturate your network, you can generally limit the damage 735by ensuring that the attacks cannot take down your servers. 736.Bl -enum -offset indent 737.It 738Limiting server forks 739.It 740Limiting springboard attacks (ICMP response attacks, ping broadcast, etc.) 741.It 742Kernel Route Cache 743.El 744.Pp 745A common DoS attack is against a forking server that attempts to cause the 746server to eat processes, file descriptors, and memory until the machine 747dies. 748The 749.Xr inetd 8 750server 751has several options to limit this sort of attack. 752It should be noted that while it is possible to prevent a machine from going 753down it is not generally possible to prevent a service from being disrupted 754by the attack. 755Read the 756.Xr inetd 8 757manual page carefully and pay specific attention 758to the 759.Fl c , C , 760and 761.Fl R 762options. 763Note that spoofed-IP attacks will circumvent 764the 765.Fl C 766option to 767.Xr inetd 8 , 768so typically a combination of options must be used. 769Some standalone servers have self-fork-limitation parameters. 770.Pp 771The 772.Xr sendmail 8 773daemon has its 774.Fl OMaxDaemonChildren 775option which tends to work much 776better than trying to use 777.Xr sendmail 8 Ns 's 778load limiting options due to the 779load lag. 780You should specify a 781.Va MaxDaemonChildren 782parameter when you start 783.Xr sendmail 8 784high enough to handle your expected load but not so high that the 785computer cannot handle that number of 786.Nm sendmail Ns 's 787without falling on its face. 788It is also prudent to run 789.Xr sendmail 8 790in 791.Dq queued 792mode 793.Pq Fl ODeliveryMode=queued 794and to run the daemon 795.Pq Dq Nm sendmail Fl bd 796separate from the queue-runs 797.Pq Dq Nm sendmail Fl q15m . 798If you still want real-time delivery you can run the queue 799at a much lower interval, such as 800.Fl q1m , 801but be sure to specify a reasonable 802.Va MaxDaemonChildren 803option for that 804.Xr sendmail 8 805to prevent cascade failures. 806.Pp 807The 808.Xr syslogd 8 809daemon can be attacked directly and it is strongly recommended that you use 810the 811.Fl s 812option whenever possible, and the 813.Fl a 814option otherwise. 815.Pp 816You should also be fairly careful 817with connect-back services such as tcpwrapper's reverse-identd, which can 818be attacked directly. 819You generally do not want to use the reverse-ident 820feature of tcpwrappers for this reason. 821.Pp 822It is a very good idea to protect internal services from external access 823by firewalling them off at your border routers. 824The idea here is to prevent 825saturation attacks from outside your LAN, not so much to protect internal 826services from network-based root compromise. 827Always configure an exclusive 828firewall, i.e., 829.So 830firewall everything 831.Em except 832ports A, B, C, D, and M-Z 833.Sc . 834This 835way you can firewall off all of your low ports except for certain specific 836services such as 837.Xr named 8 838(if you are primary for a zone), 839.Xr talkd 8 , 840.Xr sendmail 8 , 841and other internet-accessible services. 842If you try to configure the firewall the other 843way \(em as an inclusive or permissive firewall, there is a good chance that you 844will forget to 845.Dq close 846a couple of services or that you will add a new internal 847service and forget to update the firewall. 848You can still open up the 849high-numbered port range on the firewall to allow permissive-like operation 850without compromising your low ports. 851Also take note that 852.Fx 853allows you to 854control the range of port numbers used for dynamic binding via the various 855.Va net.inet.ip.portrange 856sysctl's 857.Pq Dq Li "sysctl net.inet.ip.portrange" , 858which can also 859ease the complexity of your firewall's configuration. 860I usually use a normal 861first/last range of 4000 to 5000, and a hiport range of 49152 to 65535, then 862block everything under 4000 off in my firewall 863(except for certain specific 864internet-accessible ports, of course). 865.Pp 866Another common DoS attack is called a springboard attack \(em to attack a server 867in a manner that causes the server to generate responses which then overload 868the server, the local network, or some other machine. 869The most common attack 870of this nature is the ICMP PING BROADCAST attack. 871The attacker spoofs ping 872packets sent to your LAN's broadcast address with the source IP address set 873to the actual machine they wish to attack. 874If your border routers are not 875configured to stomp on ping's to broadcast addresses, your LAN winds up 876generating sufficient responses to the spoofed source address to saturate the 877victim, especially when the attacker uses the same trick on several dozen 878broadcast addresses over several dozen different networks at once. 879Broadcast attacks of over a hundred and twenty megabits have been measured. 880A second common springboard attack is against the ICMP error reporting system. 881By 882constructing packets that generate ICMP error responses, an attacker can 883saturate a server's incoming network and cause the server to saturate its 884outgoing network with ICMP responses. 885This type of attack can also crash the 886server by running it out of 887.Vt mbuf Ns 's , 888especially if the server cannot drain the 889ICMP responses it generates fast enough. 890The 891.Fx 892kernel has a new kernel 893compile option called 894.Dv ICMP_BANDLIM 895which limits the effectiveness of these 896sorts of attacks. 897The last major class of springboard attacks is related to 898certain internal 899.Xr inetd 8 900services such as the UDP echo service. 901An attacker 902simply spoofs a UDP packet with the source address being server A's echo port, 903and the destination address being server B's echo port, where server A and B 904are both on your LAN. 905The two servers then bounce this one packet back and 906forth between each other. 907The attacker can overload both servers and their 908LANs simply by injecting a few packets in this manner. 909Similar problems 910exist with the internal chargen port. 911A competent sysadmin will turn off all 912of these 913.Xr inetd 8 Ns -internal 914test services. 915.Pp 916Spoofed packet attacks may also be used to overload the kernel route cache. 917Refer to the 918.Va net.inet.ip.rtexpire , net.inet.ip.rtminexpire , 919and 920.Va net.inet.ip.rtmaxcache 921.Xr sysctl 8 922variables. 923A spoofed packet attack that uses a random source IP will cause 924the kernel to generate a temporary cached route in the route table, viewable 925with 926.Dq Li "netstat -rna | fgrep W3" . 927These routes typically timeout in 1600 928seconds or so. 929If the kernel detects that the cached route table has gotten 930too big it will dynamically reduce the 931.Va rtexpire 932but will never decrease it to 933less than 934.Va rtminexpire . 935There are two problems: (1) The kernel does not react 936quickly enough when a lightly loaded server is suddenly attacked, and (2) The 937.Va rtminexpire 938is not low enough for the kernel to survive a sustained attack. 939If your servers are connected to the internet via a T3 or better it may be 940prudent to manually override both 941.Va rtexpire 942and 943.Va rtminexpire 944via 945.Xr sysctl 8 . 946Never set either parameter to zero 947(unless you want to crash the machine :-)). 948Setting both parameters to 2 seconds should be sufficient to protect the route 949table from attack. 950.Sh ACCESS ISSUES WITH KERBEROS AND SSH 951There are a few issues with both Kerberos and SSH that need to be addressed 952if you intend to use them. 953Kerberos5 is an excellent authentication 954protocol but the kerberized 955.Xr telnet 1 956and 957.Xr rlogin 1 958suck rocks. 959There are bugs that make them unsuitable for dealing with binary streams. 960Also, by default 961Kerberos does not encrypt a session unless you use the 962.Fl x 963option. 964SSH encrypts everything by default. 965.Pp 966SSH works quite well in every respect except when it is set up to 967forward encryption keys. 968What this means is that if you have a secure workstation holding 969keys that give you access to the rest of the system, and you 970.Xr ssh 1 971to an 972unsecure machine, your keys become exposed. 973The actual keys themselves are 974not exposed, but 975.Xr ssh 1 976installs a forwarding port for the duration of your 977login and if an attacker has broken root on the unsecure machine he can utilize 978that port to use your keys to gain access to any other machine that your 979keys unlock. 980.Pp 981We recommend that you use SSH in combination with Kerberos whenever possible 982for staff logins. 983SSH can be compiled with Kerberos support. 984This reduces 985your reliance on potentially exposable SSH keys while at the same time 986protecting passwords via Kerberos. 987SSH keys 988should only be used for automated tasks from secure machines (something 989that Kerberos is unsuited to). 990We also recommend that you either turn off 991key-forwarding in the SSH configuration, or that you make use of the 992.Va from Ns = Ns Ar IP/DOMAIN 993option that SSH allows in its 994.Pa authorized_keys 995file to make the key only usable to entities logging in from specific 996machines. 997.Sh SEE ALSO 998.Xr chflags 1 , 999.Xr find 1 , 1000.Xr md5 1 , 1001.Xr netstat 1 , 1002.Xr openssl 1 , 1003.Xr ssh 1 , 1004.Xr xdm 1 Pq Pa ports/x11/xorg-clients , 1005.Xr group 5 , 1006.Xr ttys 5 , 1007.Xr accton 8 , 1008.Xr init 8 , 1009.Xr sshd 8 , 1010.Xr sysctl 8 , 1011.Xr syslogd 8 , 1012.Xr vipw 8 1013.Sh HISTORY 1014The 1015.Nm 1016manual page was originally written by 1017.An Matthew Dillon 1018and first appeared 1019in 1020.Fx 3.1 , 1021December 1998. 1022