1.\" Copyright (C) 1998 Matthew Dillon. All rights reserved. 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions 5.\" are met: 6.\" 1. Redistributions of source code must retain the above copyright 7.\" notice, this list of conditions and the following disclaimer. 8.\" 2. Redistributions in binary form must reproduce the above copyright 9.\" notice, this list of conditions and the following disclaimer in the 10.\" documentation and/or other materials provided with the distribution. 11.\" 12.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND 13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15.\" ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE 16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 22.\" SUCH DAMAGE. 23.\" 24.\" $FreeBSD$ 25.\" 26.Dd September 18, 1999 27.Dt SECURITY 7 28.Os 29.Sh NAME 30.Nm security 31.Nd introduction to security under 32.Fx 33.Sh DESCRIPTION 34Security is a function that begins and ends with the system administrator. 35While all 36.Bx 37multi-user systems have some inherent security, the job of building and 38maintaining additional security mechanisms to keep users 39.Dq honest 40is probably 41one of the single largest undertakings of the sysadmin. 42Machines are 43only as secure as you make them, and security concerns are ever competing 44with the human necessity for convenience. 45.Ux 46systems, 47in general, are capable of running a huge number of simultaneous processes 48and many of these processes operate as servers \(em meaning that external 49entities can connect and talk to them. 50As yesterday's mini-computers and mainframes 51become today's desktops, and as computers become networked and internetworked, 52security becomes an ever bigger issue. 53.Pp 54Security is best implemented through a layered onion approach. 55In a nutshell, 56what you want to do is to create as many layers of security as are convenient 57and then carefully monitor the system for intrusions. 58You do not want to 59overbuild your security or you will interfere with the detection side, and 60detection is one of the single most important aspects of any security 61mechanism. 62For example, it makes little sense to set the 63.Cm schg 64flags 65(see 66.Xr chflags 1 ) 67on every system binary because while this may temporarily protect the 68binaries, it prevents an attacker who has broken in from making an 69easily detectable change that may result in your security mechanisms not 70detecting the attacker at all. 71.Pp 72System security also pertains to dealing with various forms of attacks, 73including attacks that attempt to crash or otherwise make a system unusable 74but do not attempt to break root. 75Security concerns can be split up into 76several categories: 77.Bl -enum -offset indent 78.It 79Denial of Service attacks (DoS) 80.It 81User account compromises 82.It 83Root compromise through accessible servers 84.It 85Root compromise via user accounts 86.It 87Backdoor creation 88.El 89.Pp 90A denial of service attack is an action that deprives the machine of needed 91resources. 92Typically, DoS attacks are brute-force mechanisms that attempt 93to crash or otherwise make a machine unusable by overwhelming its servers or 94network stack. 95Some DoS attacks try to take advantages of bugs in the 96networking stack to crash a machine with a single packet. 97The latter can 98only be fixed by applying a bug fix to the kernel. 99Attacks on servers can 100often be fixed by properly specifying options to limit the load the servers 101incur on the system under adverse conditions. 102Brute-force network attacks are harder to deal with. 103A spoofed-packet attack, for example, is 104nearly impossible to stop short of cutting your system off from the Internet. 105It may not be able to take your machine down, but it can fill up Internet 106pipe. 107.Pp 108A user account compromise is even more common than a DoS attack. 109Many 110sysadmins still run standard 111.Xr telnetd 8 , 112.Xr rlogind 8 , 113.Xr rshd 8 , 114and 115.Xr ftpd 8 116servers on their machines. 117These servers, by default, do not operate over encrypted 118connections. 119The result is that if you have any moderate-sized user base, 120one or more of your users logging into your system from a remote location 121(which is the most common and convenient way to log in to a system) 122will have his or her password sniffed. 123The attentive system administrator will analyze 124his remote access logs looking for suspicious source addresses 125even for successful logins. 126.Pp 127One must always assume that once an attacker has access to a user account, 128the attacker can break root. 129However, the reality is that in a well secured 130and maintained system, access to a user account does not necessarily give the 131attacker access to root. 132The distinction is important because without access 133to root the attacker cannot generally hide his tracks and may, at best, be 134able to do nothing more than mess with the user's files or crash the machine. 135User account compromises are very common because users tend not to take the 136precautions that sysadmins take. 137.Pp 138System administrators must keep in mind that there are potentially many ways 139to break root on a machine. 140The attacker may know the root password, 141the attacker 142may find a bug in a root-run server and be able to break root over a network 143connection to that server, or the attacker may know of a bug in an SUID-root 144program that allows the attacker to break root once he has broken into a 145user's account. 146If an attacker has found a way to break root on a machine, 147the attacker may not have a need to install a backdoor. 148Many of the root holes found and closed to date involve a considerable amount 149of work by the attacker to clean up after himself, so most attackers do install 150backdoors. 151This gives you a convenient way to detect the attacker. 152Making 153it impossible for an attacker to install a backdoor may actually be detrimental 154to your security because it will not close off the hole the attacker used to 155break in in the first place. 156.Pp 157Security remedies should always be implemented with a multi-layered 158.Dq onion peel 159approach and can be categorized as follows: 160.Bl -enum -offset indent 161.It 162Securing root and staff accounts 163.It 164Securing root \(em root-run servers and SUID/SGID binaries 165.It 166Securing user accounts 167.It 168Securing the password file 169.It 170Securing the kernel core, raw devices, and file systems 171.It 172Quick detection of inappropriate changes made to the system 173.It 174Paranoia 175.El 176.Sh SECURING THE ROOT ACCOUNT AND SECURING STAFF ACCOUNTS 177Do not bother securing staff accounts if you have not secured the root 178account. 179Most systems have a password assigned to the root account. 180The 181first thing you do is assume that the password is 182.Em always 183compromised. 184This does not mean that you should remove the password. 185The 186password is almost always necessary for console access to the machine. 187What it does mean is that you should not make it possible to use the password 188outside of the console or possibly even with a 189.Xr su 1 190utility. 191For example, make sure that your PTYs are specified as being 192.Dq Li unsecure 193in the 194.Pa /etc/ttys 195file 196so that direct root logins via 197.Xr telnet 1 198or 199.Xr rlogin 1 200are disallowed. 201If using 202other login services such as 203.Xr sshd 8 , 204make sure that direct root logins are 205disabled there as well. 206Consider every access method \(em services such as 207.Xr ftp 1 208often fall through the cracks. 209Direct root logins should only be allowed 210via the system console. 211.Pp 212Of course, as a sysadmin you have to be able to get to root, so we open up 213a few holes. 214But we make sure these holes require additional password 215verification to operate. 216One way to make root accessible is to add appropriate 217staff accounts to the 218.Dq Li wheel 219group (in 220.Pa /etc/group ) . 221The staff members placed in the 222.Li wheel 223group are allowed to 224.Xr su 1 225to root. 226You should never give staff 227members native 228.Li wheel 229access by putting them in the 230.Li wheel 231group in their password entry. 232Staff accounts should be placed in a 233.Dq Li staff 234group, and then added to the 235.Li wheel 236group via the 237.Pa /etc/group 238file. 239Only those staff members who actually need to have root access 240should be placed in the 241.Li wheel 242group. 243It is also possible, when using an 244authentication method such as Kerberos, to use Kerberos's 245.Pa .k5login 246file in the root account to allow a 247.Xr ksu 1 248to root without having to place anyone at all in the 249.Li wheel 250group. 251This 252may be the better solution since the 253.Li wheel 254mechanism still allows an 255intruder to break root if the intruder has gotten hold of your password 256file and can break into a staff account. 257While having the 258.Li wheel 259mechanism 260is better than having nothing at all, it is not necessarily the safest 261option. 262.Pp 263An indirect way to secure the root account is to secure your staff accounts 264by using an alternative login access method and *'ing out the crypted password 265for the staff accounts. 266This way an intruder may be able to steal the password 267file but will not be able to break into any staff accounts or root, even if 268root has a crypted password associated with it (assuming, of course, that 269you have limited root access to the console). 270Staff members 271get into their staff accounts through a secure login mechanism such as 272.Xr kerberos 1 273or 274.Xr ssh 1 275using a private/public 276key pair. 277When you use something like Kerberos you generally must secure 278the machines which run the Kerberos servers and your desktop workstation. 279When you use a public/private key pair with SSH, you must generally secure 280the machine you are logging in 281.Em from 282(typically your workstation), 283but you can 284also add an additional layer of protection to the key pair by password 285protecting the keypair when you create it with 286.Xr ssh-keygen 1 . 287Being able 288to *-out the passwords for staff accounts also guarantees that staff members 289can only log in through secure access methods that you have set up. 290You can 291thus force all staff members to use secure, encrypted connections for 292all their sessions which closes an important hole used by many intruders: that 293of sniffing the network from an unrelated, less secure machine. 294.Pp 295The more indirect security mechanisms also assume that you are logging in 296from a more restrictive server to a less restrictive server. 297For example, 298if your main box is running all sorts of servers, your workstation should not 299be running any. 300In order for your workstation to be reasonably secure 301you should run as few servers as possible, up to and including no servers 302at all, and you should run a password-protected screen blanker. 303Of course, given physical access to 304a workstation, an attacker can break any sort of security you put on it. 305This is definitely a problem that you should consider but you should also 306consider the fact that the vast majority of break-ins occur remotely, over 307a network, from people who do not have physical access to your workstation or 308servers. 309.Pp 310Using something like Kerberos also gives you the ability to disable or 311change the password for a staff account in one place and have it immediately 312affect all the machines the staff member may have an account on. 313If a staff 314member's account gets compromised, the ability to instantly change his 315password on all machines should not be underrated. 316With discrete passwords, changing a password on N machines can be a mess. 317You can also impose 318re-passwording restrictions with Kerberos: not only can a Kerberos ticket 319be made to timeout after a while, but the Kerberos system can require that 320the user choose a new password after a certain period of time 321(say, once a month). 322.Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES 323The prudent sysadmin only runs the servers he needs to, no more, no less. 324Be aware that third party servers are often the most bug-prone. 325For example, 326running an old version of 327.Xr imapd 8 328or 329.Xr popper 8 330is like giving a universal root 331ticket out to the entire world. 332Never run a server that you have not checked 333out carefully. 334Many servers do not need to be run as root. 335For example, 336the 337.Xr talkd 8 , 338.Xr comsat 8 , 339and 340.Xr fingerd 8 341daemons can be run in special user 342.Dq sandboxes . 343A sandbox is not perfect unless you go to a large amount of trouble, but the 344onion approach to security still stands: if someone is able to break in 345through a server running in a sandbox, they still have to break out of the 346sandbox. 347The more layers the attacker must break through, the lower the 348likelihood of his success. 349Root holes have historically been found in 350virtually every server ever run as root, including basic system servers. 351If you are running a machine through which people only log in via 352.Xr sshd 8 353and never log in via 354.Xr telnetd 8 , 355.Xr rshd 8 , 356or 357.Xr rlogind 8 , 358then turn off those services! 359.Pp 360.Fx 361now defaults to running 362.Xr talkd 8 , 363.Xr comsat 8 , 364and 365.Xr fingerd 8 366in a sandbox. 367Another program which may be a candidate for running in a sandbox is 368.Xr named 8 . 369The default 370.Pa rc.conf 371includes the arguments necessary to run 372.Xr named 8 373in a sandbox in a commented-out form. 374Depending on whether you 375are installing a new system or upgrading an existing system, the special 376user accounts used by these sandboxes may not be installed. 377The prudent 378sysadmin would research and implement sandboxes for servers whenever possible. 379.Pp 380There are a number of other servers that typically do not run in sandboxes: 381.Xr sendmail 8 , 382.Xr popper 8 , 383.Xr imapd 8 , 384.Xr ftpd 8 , 385and others. 386There are alternatives to 387some of these, but installing them may require more work then you are willing 388to put 389(the convenience factor strikes again). 390You may have to run these 391servers as root and rely on other mechanisms to detect break-ins that might 392occur through them. 393.Pp 394The other big potential root hole in a system are the SUID-root and SGID 395binaries installed on the system. 396Most of these binaries, such as 397.Xr rlogin 1 , 398reside in 399.Pa /bin , /sbin , /usr/bin , 400or 401.Pa /usr/sbin . 402While nothing is 100% safe, 403the system-default SUID and SGID binaries can be considered reasonably safe. 404Still, root holes are occasionally found in these binaries. 405A root hole 406was found in Xlib in 1998 that made 407.Xr xterm 1 408(which is typically SUID) 409vulnerable. 410It is better to be safe than sorry and the prudent sysadmin will restrict SUID 411binaries that only staff should run to a special group that only staff can 412access, and get rid of 413.Pq Dq Li "chmod 000" 414any SUID binaries that nobody uses. 415A server with no display generally does not need an 416.Xr xterm 1 417binary. 418SGID binaries can be almost as dangerous. 419If an intruder can break an SGID-kmem binary the 420intruder might be able to read 421.Pa /dev/kmem 422and thus read the crypted password 423file, potentially compromising any passworded account. 424Alternatively an 425intruder who breaks group 426.Dq Li kmem 427can monitor keystrokes sent through PTYs, 428including PTYs used by users who log in through secure methods. 429An intruder 430that breaks the 431.Dq Li tty 432group can write to almost any user's TTY. 433If a user 434is running a terminal 435program or emulator with a keyboard-simulation feature, the intruder can 436potentially 437generate a data stream that causes the user's terminal to echo a command, which 438is then run as that user. 439.Sh SECURING USER ACCOUNTS 440User accounts are usually the most difficult to secure. 441While you can impose 442draconian access restrictions on your staff and *-out their passwords, you 443may not be able to do so with any general user accounts you might have. 444If 445you do have sufficient control then you may win out and be able to secure the 446user accounts properly. 447If not, you simply have to be more vigilant in your 448monitoring of those accounts. 449Use of SSH and Kerberos for user accounts is 450more problematic due to the extra administration and technical support 451required, but still a very good solution compared to a crypted password 452file. 453.Sh SECURING THE PASSWORD FILE 454The only sure fire way is to *-out as many passwords as you can and 455use SSH or Kerberos for access to those accounts. 456Even though the 457crypted password file 458.Pq Pa /etc/spwd.db 459can only be read by root, it may 460be possible for an intruder to obtain read access to that file even if the 461attacker cannot obtain root-write access. 462.Pp 463Your security scripts should always check for and report changes to 464the password file 465(see 466.Sx CHECKING FILE INTEGRITY 467below). 468.Sh SECURING THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS 469If an attacker breaks root he can do just about anything, but there 470are certain conveniences. 471For example, most modern kernels have a packet sniffing device driver built in. 472Under 473.Fx 474it is called 475the 476.Xr bpf 4 477device. 478An intruder will commonly attempt to run a packet sniffer 479on a compromised machine. 480You do not need to give the intruder the 481capability and most systems should not have the 482.Xr bpf 4 483device compiled in. 484.Pp 485But even if you turn off the 486.Xr bpf 4 487device, you still have 488.Pa /dev/mem 489and 490.Pa /dev/kmem 491to worry about. 492For that matter, 493the intruder can still write to raw disk devices. 494Also, there is another kernel feature called the module loader, 495.Xr kldload 8 . 496An enterprising intruder can use a KLD module to install 497his own 498.Xr bpf 4 499device or other sniffing device on a running kernel. 500To avoid these problems you have to run 501the kernel at a higher secure level, at least securelevel 1. 502The securelevel can be set with a 503.Xr sysctl 8 504on the 505.Va kern.securelevel 506variable. 507Once you have 508set the securelevel to 1, write access to raw devices will be denied and 509special 510.Xr chflags 1 511flags, such as 512.Cm schg , 513will be enforced. 514You must also ensure 515that the 516.Cm schg 517flag is set on critical startup binaries, directories, and 518script files \(em everything that gets run up to the point where the securelevel 519is set. 520This might be overdoing it, and upgrading the system is much more 521difficult when you operate at a higher secure level. 522You may compromise and 523run the system at a higher secure level but not set the 524.Cm schg 525flag for every 526system file and directory under the sun. 527Another possibility is to simply 528mount 529.Pa / 530and 531.Pa /usr 532read-only. 533It should be noted that being too draconian in 534what you attempt to protect may prevent the all-important detection of an 535intrusion. 536.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC 537When it comes right down to it, you can only protect your core system 538configuration and control files so much before the convenience factor 539rears its ugly head. 540For example, using 541.Xr chflags 1 542to set the 543.Cm schg 544bit on most of the files in 545.Pa / 546and 547.Pa /usr 548is probably counterproductive because 549while it may protect the files, it also closes a detection window. 550The 551last layer of your security onion is perhaps the most important \(em detection. 552The rest of your security is pretty much useless (or, worse, presents you with 553a false sense of safety) if you cannot detect potential incursions. 554Half 555the job of the onion is to slow down the attacker rather than stop him 556in order to give the detection layer a chance to catch him in 557the act. 558.Pp 559The best way to detect an incursion is to look for modified, missing, or 560unexpected files. 561The best 562way to look for modified files is from another (often centralized) 563limited-access system. 564Writing your security scripts on the extra-secure limited-access system 565makes them mostly invisible to potential attackers, and this is important. 566In order to take maximum advantage you generally have to give the 567limited-access box significant access to the other machines in the business, 568usually either by doing a read-only NFS export of the other machines to the 569limited-access box, or by setting up SSH keypairs to allow the limit-access 570box to SSH to the other machines. 571Except for its network traffic, NFS is 572the least visible method \(em allowing you to monitor the file systems on each 573client box virtually undetected. 574If your 575limited-access server is connected to the client boxes through a switch, 576the NFS method is often the better choice. 577If your limited-access server 578is connected to the client boxes through a hub or through several layers 579of routing, the NFS method may be too insecure (network-wise) and using SSH 580may be the better choice even with the audit-trail tracks that SSH lays. 581.Pp 582Once you give a limit-access box at least read access to the client systems 583it is supposed to monitor, you must write scripts to do the actual 584monitoring. 585Given an NFS mount, you can write scripts out of simple system 586utilities such as 587.Xr find 1 588and 589.Xr md5 1 . 590It is best to physically 591.Xr md5 1 592the client-box files boxes at least once a 593day, and to test control files such as those found in 594.Pa /etc 595and 596.Pa /usr/local/etc 597even more often. 598When mismatches are found relative to the base MD5 599information the limited-access machine knows is valid, it should scream at 600a sysadmin to go check it out. 601A good security script will also check for 602inappropriate SUID binaries and for new or deleted files on system partitions 603such as 604.Pa / 605and 606.Pa /usr . 607.Pp 608When using SSH rather than NFS, writing the security script is much more 609difficult. 610You essentially have to 611.Xr scp 1 612the scripts to the client box in order to run them, making them visible, and 613for safety you also need to 614.Xr scp 1 615the binaries (such as 616.Xr find 1 ) 617that those scripts use. 618The 619.Xr sshd 8 620daemon on the client box may already be compromised. 621All in all, 622using SSH may be necessary when running over unsecure links, but it is also a 623lot harder to deal with. 624.Pp 625A good security script will also check for changes to user and staff members 626access configuration files: 627.Pa .rhosts , .shosts , .ssh/authorized_keys 628and so forth, files that might fall outside the purview of the MD5 check. 629.Pp 630If you have a huge amount of user disk space it may take too long to run 631through every file on those partitions. 632In this case, setting mount 633flags to disallow SUID binaries and devices on those partitions is a good 634idea. 635The 636.Cm nodev 637and 638.Cm nosuid 639options 640(see 641.Xr mount 8 ) 642are what you want to look into. 643I would scan them anyway at least once a 644week, since the object of this layer is to detect a break-in whether or 645not the break-in is effective. 646.Pp 647Process accounting 648(see 649.Xr accton 8 ) 650is a relatively low-overhead feature of 651the operating system which I recommend using as a post-break-in evaluation 652mechanism. 653It is especially useful in tracking down how an intruder has 654actually broken into a system, assuming the file is still intact after 655the break-in occurs. 656.Pp 657Finally, security scripts should process the log files and the logs themselves 658should be generated in as secure a manner as possible \(em remote syslog can be 659very useful. 660An intruder tries to cover his tracks, and log files are critical 661to the sysadmin trying to track down the time and method of the initial 662break-in. 663One way to keep a permanent record of the log files is to run 664the system console to a serial port and collect the information on a 665continuing basis through a secure machine monitoring the consoles. 666.Sh PARANOIA 667A little paranoia never hurts. 668As a rule, a sysadmin can add any number 669of security features as long as they do not affect convenience, and 670can add security features that do affect convenience with some added 671thought. 672Even more importantly, a security administrator should mix it up 673a bit \(em if you use recommendations such as those given by this manual 674page verbatim, you give away your methodologies to the prospective 675attacker who also has access to this manual page. 676.Sh SPECIAL SECTION ON DoS ATTACKS 677This section covers Denial of Service attacks. 678A DoS attack is typically a packet attack. 679While there is not much you can do about modern spoofed 680packet attacks that saturate your network, you can generally limit the damage 681by ensuring that the attacks cannot take down your servers. 682.Bl -enum -offset indent 683.It 684Limiting server forks 685.It 686Limiting springboard attacks (ICMP response attacks, ping broadcast, etc.) 687.It 688Kernel Route Cache 689.El 690.Pp 691A common DoS attack is against a forking server that attempts to cause the 692server to eat processes, file descriptors, and memory until the machine 693dies. 694The 695.Xr inetd 8 696server 697has several options to limit this sort of attack. 698It should be noted that while it is possible to prevent a machine from going 699down it is not generally possible to prevent a service from being disrupted 700by the attack. 701Read the 702.Xr inetd 8 703manual page carefully and pay specific attention 704to the 705.Fl c , C , 706and 707.Fl R 708options. 709Note that spoofed-IP attacks will circumvent 710the 711.Fl C 712option to 713.Xr inetd 8 , 714so typically a combination of options must be used. 715Some standalone servers have self-fork-limitation parameters. 716.Pp 717The 718.Xr sendmail 8 719daemon has its 720.Fl OMaxDaemonChildren 721option which tends to work much 722better than trying to use 723.Xr sendmail 8 Ns 's 724load limiting options due to the 725load lag. 726You should specify a 727.Va MaxDaemonChildren 728parameter when you start 729.Xr sendmail 8 730high enough to handle your expected load but not so high that the 731computer cannot handle that number of 732.Nm sendmail Ns 's 733without falling on its face. 734It is also prudent to run 735.Xr sendmail 8 736in 737.Dq queued 738mode 739.Pq Fl ODeliveryMode=queued 740and to run the daemon 741.Pq Dq Nm sendmail Fl bd 742separate from the queue-runs 743.Pq Dq Nm sendmail Fl q15m . 744If you still want real-time delivery you can run the queue 745at a much lower interval, such as 746.Fl q1m , 747but be sure to specify a reasonable 748.Va MaxDaemonChildren 749option for that 750.Xr sendmail 8 751to prevent cascade failures. 752.Pp 753The 754.Xr syslogd 8 755daemon can be attacked directly and it is strongly recommended that you use 756the 757.Fl s 758option whenever possible, and the 759.Fl a 760option otherwise. 761.Pp 762You should also be fairly careful 763with connect-back services such as tcpwrapper's reverse-identd, which can 764be attacked directly. 765You generally do not want to use the reverse-ident 766feature of tcpwrappers for this reason. 767.Pp 768It is a very good idea to protect internal services from external access 769by firewalling them off at your border routers. 770The idea here is to prevent 771saturation attacks from outside your LAN, not so much to protect internal 772services from network-based root compromise. 773Always configure an exclusive 774firewall, i.e., 775.So 776firewall everything 777.Em except 778ports A, B, C, D, and M-Z 779.Sc . 780This 781way you can firewall off all of your low ports except for certain specific 782services such as 783.Xr named 8 784(if you are primary for a zone), 785.Xr talkd 8 , 786.Xr sendmail 8 , 787and other internet-accessible services. 788If you try to configure the firewall the other 789way \(em as an inclusive or permissive firewall, there is a good chance that you 790will forget to 791.Dq close 792a couple of services or that you will add a new internal 793service and forget to update the firewall. 794You can still open up the 795high-numbered port range on the firewall to allow permissive-like operation 796without compromising your low ports. 797Also take note that 798.Fx 799allows you to 800control the range of port numbers used for dynamic binding via the various 801.Va net.inet.ip.portrange 802sysctl's 803.Pq Dq Li "sysctl net.inet.ip.portrange" , 804which can also 805ease the complexity of your firewall's configuration. 806I usually use a normal 807first/last range of 4000 to 5000, and a hiport range of 49152 to 65535, then 808block everything under 4000 off in my firewall 809(except for certain specific 810internet-accessible ports, of course). 811.Pp 812Another common DoS attack is called a springboard attack \(em to attack a server 813in a manner that causes the server to generate responses which then overload 814the server, the local network, or some other machine. 815The most common attack 816of this nature is the ICMP PING BROADCAST attack. 817The attacker spoofs ping 818packets sent to your LAN's broadcast address with the source IP address set 819to the actual machine they wish to attack. 820If your border routers are not 821configured to stomp on ping's to broadcast addresses, your LAN winds up 822generating sufficient responses to the spoofed source address to saturate the 823victim, especially when the attacker uses the same trick on several dozen 824broadcast addresses over several dozen different networks at once. 825Broadcast attacks of over a hundred and twenty megabits have been measured. 826A second common springboard attack is against the ICMP error reporting system. 827By 828constructing packets that generate ICMP error responses, an attacker can 829saturate a server's incoming network and cause the server to saturate its 830outgoing network with ICMP responses. 831This type of attack can also crash the 832server by running it out of 833.Vt mbuf Ns 's , 834especially if the server cannot drain the 835ICMP responses it generates fast enough. 836The 837.Fx 838kernel has a new kernel 839compile option called 840.Dv ICMP_BANDLIM 841which limits the effectiveness of these 842sorts of attacks. 843The last major class of springboard attacks is related to 844certain internal 845.Xr inetd 8 846services such as the UDP echo service. 847An attacker 848simply spoofs a UDP packet with the source address being server A's echo port, 849and the destination address being server B's echo port, where server A and B 850are both on your LAN. 851The two servers then bounce this one packet back and 852forth between each other. 853The attacker can overload both servers and their 854LANs simply by injecting a few packets in this manner. 855Similar problems 856exist with the internal chargen port. 857A competent sysadmin will turn off all 858of these 859.Xr inetd 8 Ns -internal 860test services. 861.Pp 862Spoofed packet attacks may also be used to overload the kernel route cache. 863Refer to the 864.Va net.inet.ip.rtexpire , net.inet.ip.rtminexpire , 865and 866.Va net.inet.ip.rtmaxcache 867.Xr sysctl 8 868variables. 869A spoofed packet attack that uses a random source IP will cause 870the kernel to generate a temporary cached route in the route table, viewable 871with 872.Dq Li "netstat -rna | fgrep W3" . 873These routes typically timeout in 1600 874seconds or so. 875If the kernel detects that the cached route table has gotten 876too big it will dynamically reduce the 877.Va rtexpire 878but will never decrease it to 879less than 880.Va rtminexpire . 881There are two problems: (1) The kernel does not react 882quickly enough when a lightly loaded server is suddenly attacked, and (2) The 883.Va rtminexpire 884is not low enough for the kernel to survive a sustained attack. 885If your servers are connected to the internet via a T3 or better it may be 886prudent to manually override both 887.Va rtexpire 888and 889.Va rtminexpire 890via 891.Xr sysctl 8 . 892Never set either parameter to zero 893(unless you want to crash the machine :-)). 894Setting both parameters to 2 seconds should be sufficient to protect the route 895table from attack. 896.Sh ACCESS ISSUES WITH KERBEROS AND SSH 897There are a few issues with both Kerberos and SSH that need to be addressed 898if you intend to use them. 899Kerberos5 is an excellent authentication 900protocol but the kerberized 901.Xr telnet 1 902and 903.Xr rlogin 1 904suck rocks. 905There are bugs that make them unsuitable for dealing with binary streams. 906Also, by default 907Kerberos does not encrypt a session unless you use the 908.Fl x 909option. 910SSH encrypts everything by default. 911.Pp 912SSH works quite well in every respect except when it is set up to 913forward encryption keys. 914What this means is that if you have a secure workstation holding 915keys that give you access to the rest of the system, and you 916.Xr ssh 1 917to an 918unsecure machine, your keys become exposed. 919The actual keys themselves are 920not exposed, but 921.Xr ssh 1 922installs a forwarding port for the duration of your 923login and if an attacker has broken root on the unsecure machine he can utilize 924that port to use your keys to gain access to any other machine that your 925keys unlock. 926.Pp 927We recommend that you use SSH in combination with Kerberos whenever possible 928for staff logins. 929SSH can be compiled with Kerberos support. 930This reduces 931your reliance on potentially exposable SSH keys while at the same time 932protecting passwords via Kerberos. 933SSH keys 934should only be used for automated tasks from secure machines (something 935that Kerberos is unsuited to). 936We also recommend that you either turn off 937key-forwarding in the SSH configuration, or that you make use of the 938.Va from Ns = Ns Ar IP/DOMAIN 939option that SSH allows in its 940.Pa authorized_keys 941file to make the key only usable to entities logging in from specific 942machines. 943.Sh SEE ALSO 944.Xr chflags 1 , 945.Xr find 1 , 946.Xr md5 1 , 947.Xr netstat 1 , 948.Xr openssl 1 , 949.Xr ssh 1 , 950.Xr xdm 1 , 951.Xr group 5 , 952.Xr ttys 5 , 953.Xr accton 8 , 954.Xr init 8 , 955.Xr sshd 8 , 956.Xr sysctl 8 , 957.Xr syslogd 8 , 958.Xr vipw 8 959.Sh HISTORY 960The 961.Nm 962manual page was originally written by 963.An Matthew Dillon 964and first appeared 965in 966.Fx 3.1 , 967December 1998. 968