1.\" Copyright (C) 1998 Matthew Dillon. All rights reserved. 2.\" 3.\" Redistribution and use in source and binary forms, with or without 4.\" modification, are permitted provided that the following conditions 5.\" are met: 6.\" 1. Redistributions of source code must retain the above copyright 7.\" notice, this list of conditions and the following disclaimer. 8.\" 2. Redistributions in binary form must reproduce the above copyright 9.\" notice, this list of conditions and the following disclaimer in the 10.\" documentation and/or other materials provided with the distribution. 11.\" 12.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND 13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15.\" ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE 16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 22.\" SUCH DAMAGE. 23.\" 24.\" $FreeBSD$ 25.\" 26.Dd November 29, 2004 27.Dt SECURITY 7 28.Os 29.Sh NAME 30.Nm security 31.Nd introduction to security under 32.Fx 33.Sh DESCRIPTION 34Security is a function that begins and ends with the system administrator. 35While all 36.Bx 37multi-user systems have some inherent security, the job of building and 38maintaining additional security mechanisms to keep users 39.Dq honest 40is probably 41one of the single largest undertakings of the sysadmin. 42Machines are 43only as secure as you make them, and security concerns are ever competing 44with the human necessity for convenience. 45.Ux 46systems, 47in general, are capable of running a huge number of simultaneous processes 48and many of these processes operate as servers \(em meaning that external 49entities can connect and talk to them. 50As yesterday's mini-computers and mainframes 51become today's desktops, and as computers become networked and internetworked, 52security becomes an ever bigger issue. 53.Pp 54Security is best implemented through a layered onion approach. 55In a nutshell, 56what you want to do is to create as many layers of security as are convenient 57and then carefully monitor the system for intrusions. 58You do not want to 59overbuild your security or you will interfere with the detection side, and 60detection is one of the single most important aspects of any security 61mechanism. 62For example, it makes little sense to set the 63.Cm schg 64flags 65(see 66.Xr chflags 1 ) 67on every system binary because while this may temporarily protect the 68binaries, it prevents an attacker who has broken in from making an 69easily detectable change that may result in your security mechanisms not 70detecting the attacker at all. 71.Pp 72System security also pertains to dealing with various forms of attacks, 73including attacks that attempt to crash or otherwise make a system unusable 74but do not attempt to break root. 75Security concerns can be split up into 76several categories: 77.Bl -enum -offset indent 78.It 79Denial of Service attacks (DoS) 80.It 81User account compromises 82.It 83Root compromise through accessible servers 84.It 85Root compromise via user accounts 86.It 87Backdoor creation 88.El 89.Pp 90A denial of service attack is an action that deprives the machine of needed 91resources. 92Typically, DoS attacks are brute-force mechanisms that attempt 93to crash or otherwise make a machine unusable by overwhelming its servers or 94network stack. 95Some DoS attacks try to take advantages of bugs in the 96networking stack to crash a machine with a single packet. 97The latter can 98only be fixed by applying a bug fix to the kernel. 99Attacks on servers can 100often be fixed by properly specifying options to limit the load the servers 101incur on the system under adverse conditions. 102Brute-force network attacks are harder to deal with. 103A spoofed-packet attack, for example, is 104nearly impossible to stop short of cutting your system off from the Internet. 105It may not be able to take your machine down, but it can fill up Internet 106pipe. 107.Pp 108A user account compromise is even more common than a DoS attack. 109Many 110sysadmins still run standard 111.Xr telnetd 8 , 112.Xr rlogind 8 , 113.Xr rshd 8 , 114and 115.Xr ftpd 8 116servers on their machines. 117These servers, by default, do not operate over encrypted 118connections. 119The result is that if you have any moderate-sized user base, 120one or more of your users logging into your system from a remote location 121(which is the most common and convenient way to log in to a system) 122will have his or her password sniffed. 123The attentive system administrator will analyze 124his remote access logs looking for suspicious source addresses 125even for successful logins. 126.Pp 127One must always assume that once an attacker has access to a user account, 128the attacker can break root. 129However, the reality is that in a well secured 130and maintained system, access to a user account does not necessarily give the 131attacker access to root. 132The distinction is important because without access 133to root the attacker cannot generally hide his tracks and may, at best, be 134able to do nothing more than mess with the user's files or crash the machine. 135User account compromises are very common because users tend not to take the 136precautions that sysadmins take. 137.Pp 138System administrators must keep in mind that there are potentially many ways 139to break root on a machine. 140The attacker may know the root password, 141the attacker 142may find a bug in a root-run server and be able to break root over a network 143connection to that server, or the attacker may know of a bug in an SUID-root 144program that allows the attacker to break root once he has broken into a 145user's account. 146If an attacker has found a way to break root on a machine, 147the attacker may not have a need to install a backdoor. 148Many of the root holes found and closed to date involve a considerable amount 149of work by the attacker to clean up after himself, so most attackers do install 150backdoors. 151This gives you a convenient way to detect the attacker. 152Making 153it impossible for an attacker to install a backdoor may actually be detrimental 154to your security because it will not close off the hole the attacker used to 155break in in the first place. 156.Pp 157Security remedies should always be implemented with a multi-layered 158.Dq onion peel 159approach and can be categorized as follows: 160.Bl -enum -offset indent 161.It 162Securing root and staff accounts 163.It 164Securing root \(em root-run servers and SUID/SGID binaries 165.It 166Securing user accounts 167.It 168Securing the password file 169.It 170Securing the kernel core, raw devices, and file systems 171.It 172Quick detection of inappropriate changes made to the system 173.It 174Paranoia 175.El 176.Sh SECURING THE ROOT ACCOUNT AND SECURING STAFF ACCOUNTS 177Do not bother securing staff accounts if you have not secured the root 178account. 179Most systems have a password assigned to the root account. 180The 181first thing you do is assume that the password is 182.Em always 183compromised. 184This does not mean that you should remove the password. 185The 186password is almost always necessary for console access to the machine. 187What it does mean is that you should not make it possible to use the password 188outside of the console or possibly even with a 189.Xr su 1 190utility. 191For example, make sure that your PTYs are specified as being 192.Dq Li unsecure 193in the 194.Pa /etc/ttys 195file 196so that direct root logins via 197.Xr telnet 1 198or 199.Xr rlogin 1 200are disallowed. 201If using 202other login services such as 203.Xr sshd 8 , 204make sure that direct root logins are 205disabled there as well. 206Consider every access method \(em services such as 207.Xr ftp 1 208often fall through the cracks. 209Direct root logins should only be allowed 210via the system console. 211.Pp 212Of course, as a sysadmin you have to be able to get to root, so we open up 213a few holes. 214But we make sure these holes require additional password 215verification to operate. 216One way to make root accessible is to add appropriate 217staff accounts to the 218.Dq Li wheel 219group (in 220.Pa /etc/group ) . 221The staff members placed in the 222.Li wheel 223group are allowed to 224.Xr su 1 225to root. 226You should never give staff 227members native 228.Li wheel 229access by putting them in the 230.Li wheel 231group in their password entry. 232Staff accounts should be placed in a 233.Dq Li staff 234group, and then added to the 235.Li wheel 236group via the 237.Pa /etc/group 238file. 239Only those staff members who actually need to have root access 240should be placed in the 241.Li wheel 242group. 243It is also possible, when using an 244authentication method such as Kerberos, to use Kerberos's 245.Pa .k5login 246file in the root account to allow a 247.Xr ksu 1 248to root without having to place anyone at all in the 249.Li wheel 250group. 251This 252may be the better solution since the 253.Li wheel 254mechanism still allows an 255intruder to break root if the intruder has gotten hold of your password 256file and can break into a staff account. 257While having the 258.Li wheel 259mechanism 260is better than having nothing at all, it is not necessarily the safest 261option. 262.Pp 263An indirect way to secure the root account is to secure your staff accounts 264by using an alternative login access method and *'ing out the crypted password 265for the staff accounts. 266This way an intruder may be able to steal the password 267file but will not be able to break into any staff accounts or root, even if 268root has a crypted password associated with it (assuming, of course, that 269you have limited root access to the console). 270Staff members 271get into their staff accounts through a secure login mechanism such as 272.Xr kerberos 8 273or 274.Xr ssh 1 275using a private/public 276key pair. 277When you use something like Kerberos you generally must secure 278the machines which run the Kerberos servers and your desktop workstation. 279When you use a public/private key pair with SSH, you must generally secure 280the machine you are logging in 281.Em from 282(typically your workstation), 283but you can 284also add an additional layer of protection to the key pair by password 285protecting the keypair when you create it with 286.Xr ssh-keygen 1 . 287Being able 288to *-out the passwords for staff accounts also guarantees that staff members 289can only log in through secure access methods that you have set up. 290You can 291thus force all staff members to use secure, encrypted connections for 292all their sessions which closes an important hole used by many intruders: that 293of sniffing the network from an unrelated, less secure machine. 294.Pp 295The more indirect security mechanisms also assume that you are logging in 296from a more restrictive server to a less restrictive server. 297For example, 298if your main box is running all sorts of servers, your workstation should not 299be running any. 300In order for your workstation to be reasonably secure 301you should run as few servers as possible, up to and including no servers 302at all, and you should run a password-protected screen blanker. 303Of course, given physical access to 304a workstation, an attacker can break any sort of security you put on it. 305This is definitely a problem that you should consider but you should also 306consider the fact that the vast majority of break-ins occur remotely, over 307a network, from people who do not have physical access to your workstation or 308servers. 309.Pp 310Using something like Kerberos also gives you the ability to disable or 311change the password for a staff account in one place and have it immediately 312affect all the machines the staff member may have an account on. 313If a staff 314member's account gets compromised, the ability to instantly change his 315password on all machines should not be underrated. 316With discrete passwords, changing a password on N machines can be a mess. 317You can also impose 318re-passwording restrictions with Kerberos: not only can a Kerberos ticket 319be made to timeout after a while, but the Kerberos system can require that 320the user choose a new password after a certain period of time 321(say, once a month). 322.Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES 323The prudent sysadmin only runs the servers he needs to, no more, no less. 324Be aware that third party servers are often the most bug-prone. 325For example, 326running an old version of 327.Xr imapd 8 328or 329.Xr popper 8 330is like giving a universal root 331ticket out to the entire world. 332Never run a server that you have not checked 333out carefully. 334Many servers do not need to be run as root. 335For example, 336the 337.Xr talkd 8 , 338.Xr comsat 8 , 339and 340.Xr fingerd 8 341daemons can be run in special user 342.Dq sandboxes . 343A sandbox is not perfect unless you go to a large amount of trouble, but the 344onion approach to security still stands: if someone is able to break in 345through a server running in a sandbox, they still have to break out of the 346sandbox. 347The more layers the attacker must break through, the lower the 348likelihood of his success. 349Root holes have historically been found in 350virtually every server ever run as root, including basic system servers. 351If you are running a machine through which people only log in via 352.Xr sshd 8 353and never log in via 354.Xr telnetd 8 , 355.Xr rshd 8 , 356or 357.Xr rlogind 8 , 358then turn off those services! 359.Pp 360.Fx 361now defaults to running 362.Xr talkd 8 , 363.Xr comsat 8 , 364and 365.Xr fingerd 8 366in a sandbox. 367Another program which may be a candidate for running in a sandbox is 368.Xr named 8 . 369The default 370.Pa rc.conf 371includes the arguments necessary to run 372.Xr named 8 373in a sandbox in a commented-out form. 374Depending on whether you 375are installing a new system or upgrading an existing system, the special 376user accounts used by these sandboxes may not be installed. 377The prudent 378sysadmin would research and implement sandboxes for servers whenever possible. 379.Pp 380There are a number of other servers that typically do not run in sandboxes: 381.Xr sendmail 8 , 382.Xr popper 8 , 383.Xr imapd 8 , 384.Xr ftpd 8 , 385and others. 386There are alternatives to 387some of these, but installing them may require more work then you are willing 388to put 389(the convenience factor strikes again). 390You may have to run these 391servers as root and rely on other mechanisms to detect break-ins that might 392occur through them. 393.Pp 394The other big potential root hole in a system are the SUID-root and SGID 395binaries installed on the system. 396Most of these binaries, such as 397.Xr rlogin 1 , 398reside in 399.Pa /bin , /sbin , /usr/bin , 400or 401.Pa /usr/sbin . 402While nothing is 100% safe, 403the system-default SUID and SGID binaries can be considered reasonably safe. 404Still, root holes are occasionally found in these binaries. 405A root hole 406was found in Xlib in 1998 that made 407.Xr xterm 1 408(which is typically SUID) 409vulnerable. 410It is better to be safe than sorry and the prudent sysadmin will restrict SUID 411binaries that only staff should run to a special group that only staff can 412access, and get rid of 413.Pq Dq Li "chmod 000" 414any SUID binaries that nobody uses. 415A server with no display generally does not need an 416.Xr xterm 1 417binary. 418SGID binaries can be almost as dangerous. 419If an intruder can break an SGID-kmem binary the 420intruder might be able to read 421.Pa /dev/kmem 422and thus read the crypted password 423file, potentially compromising any passworded account. 424Alternatively an 425intruder who breaks group 426.Dq Li kmem 427can monitor keystrokes sent through PTYs, 428including PTYs used by users who log in through secure methods. 429An intruder 430that breaks the 431.Dq Li tty 432group can write to almost any user's TTY. 433If a user 434is running a terminal 435program or emulator with a keyboard-simulation feature, the intruder can 436potentially 437generate a data stream that causes the user's terminal to echo a command, which 438is then run as that user. 439.Sh SECURING USER ACCOUNTS 440User accounts are usually the most difficult to secure. 441While you can impose 442draconian access restrictions on your staff and *-out their passwords, you 443may not be able to do so with any general user accounts you might have. 444If 445you do have sufficient control then you may win out and be able to secure the 446user accounts properly. 447If not, you simply have to be more vigilant in your 448monitoring of those accounts. 449Use of SSH and Kerberos for user accounts is 450more problematic due to the extra administration and technical support 451required, but still a very good solution compared to a crypted password 452file. 453.Sh SECURING THE PASSWORD FILE 454The only sure fire way is to *-out as many passwords as you can and 455use SSH or Kerberos for access to those accounts. 456Even though the 457crypted password file 458.Pq Pa /etc/spwd.db 459can only be read by root, it may 460be possible for an intruder to obtain read access to that file even if the 461attacker cannot obtain root-write access. 462.Pp 463Your security scripts should always check for and report changes to 464the password file 465(see 466.Sx CHECKING FILE INTEGRITY 467below). 468.Sh SECURING THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS 469If an attacker breaks root he can do just about anything, but there 470are certain conveniences. 471For example, most modern kernels have a packet sniffing device driver built in. 472Under 473.Fx 474it is called 475the 476.Xr bpf 4 477device. 478An intruder will commonly attempt to run a packet sniffer 479on a compromised machine. 480You do not need to give the intruder the 481capability and most systems should not have the 482.Xr bpf 4 483device compiled in. 484.Pp 485But even if you turn off the 486.Xr bpf 4 487device, you still have 488.Pa /dev/mem 489and 490.Pa /dev/kmem 491to worry about. 492For that matter, 493the intruder can still write to raw disk devices. 494Also, there is another kernel feature called the module loader, 495.Xr kldload 8 . 496An enterprising intruder can use a KLD module to install 497his own 498.Xr bpf 4 499device or other sniffing device on a running kernel. 500To avoid these problems you have to run 501the kernel at a higher secure level, at least securelevel 1. 502The securelevel can be set with a 503.Xr sysctl 8 504on the 505.Va kern.securelevel 506variable. 507Once you have 508set the securelevel to 1, write access to raw devices will be denied and 509special 510.Xr chflags 1 511flags, such as 512.Cm schg , 513will be enforced. 514You must also ensure 515that the 516.Cm schg 517flag is set on critical startup binaries, directories, and 518script files \(em everything that gets run up to the point where the securelevel 519is set. 520This might be overdoing it, and upgrading the system is much more 521difficult when you operate at a higher secure level. 522You may compromise and 523run the system at a higher secure level but not set the 524.Cm schg 525flag for every 526system file and directory under the sun. 527Another possibility is to simply 528mount 529.Pa / 530and 531.Pa /usr 532read-only. 533It should be noted that being too draconian in 534what you attempt to protect may prevent the all-important detection of an 535intrusion. 536.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC 537When it comes right down to it, you can only protect your core system 538configuration and control files so much before the convenience factor 539rears its ugly head. 540For example, using 541.Xr chflags 1 542to set the 543.Cm schg 544bit on most of the files in 545.Pa / 546and 547.Pa /usr 548is probably counterproductive because 549while it may protect the files, it also closes a detection window. 550The 551last layer of your security onion is perhaps the most important \(em detection. 552The rest of your security is pretty much useless (or, worse, presents you with 553a false sense of safety) if you cannot detect potential incursions. 554Half 555the job of the onion is to slow down the attacker rather than stop him 556in order to give the detection layer a chance to catch him in 557the act. 558.Pp 559The best way to detect an incursion is to look for modified, missing, or 560unexpected files. 561The best 562way to look for modified files is from another (often centralized) 563limited-access system. 564Writing your security scripts on the extra-secure limited-access system 565makes them mostly invisible to potential attackers, and this is important. 566In order to take maximum advantage you generally have to give the 567limited-access box significant access to the other machines in the business, 568usually either by doing a read-only NFS export of the other machines to the 569limited-access box, or by setting up SSH keypairs to allow the limit-access 570box to SSH to the other machines. 571Except for its network traffic, NFS is 572the least visible method \(em allowing you to monitor the file systems on each 573client box virtually undetected. 574If your 575limited-access server is connected to the client boxes through a switch, 576the NFS method is often the better choice. 577If your limited-access server 578is connected to the client boxes through a hub or through several layers 579of routing, the NFS method may be too insecure (network-wise) and using SSH 580may be the better choice even with the audit-trail tracks that SSH lays. 581.Pp 582Once you give a limit-access box at least read access to the client systems 583it is supposed to monitor, you must write scripts to do the actual 584monitoring. 585Given an NFS mount, you can write scripts out of simple system 586utilities such as 587.Xr find 1 588and 589.Xr md5 1 . 590It is best to physically 591.Xr md5 1 592the client-box files boxes at least once a 593day, and to test control files such as those found in 594.Pa /etc 595and 596.Pa /usr/local/etc 597even more often. 598When mismatches are found relative to the base MD5 599information the limited-access machine knows is valid, it should scream at 600a sysadmin to go check it out. 601A good security script will also check for 602inappropriate SUID binaries and for new or deleted files on system partitions 603such as 604.Pa / 605and 606.Pa /usr . 607.Pp 608When using SSH rather than NFS, writing the security script is much more 609difficult. 610You essentially have to 611.Xr scp 1 612the scripts to the client box in order to run them, making them visible, and 613for safety you also need to 614.Xr scp 1 615the binaries (such as 616.Xr find 1 ) 617that those scripts use. 618The 619.Xr sshd 8 620daemon on the client box may already be compromised. 621All in all, 622using SSH may be necessary when running over unsecure links, but it is also a 623lot harder to deal with. 624.Pp 625A good security script will also check for changes to user and staff members 626access configuration files: 627.Pa .rhosts , .shosts , .ssh/authorized_keys 628and so forth, files that might fall outside the purview of the MD5 check. 629.Pp 630If you have a huge amount of user disk space it may take too long to run 631through every file on those partitions. 632In this case, setting mount 633flags to disallow SUID binaries on those partitions is a good 634idea. 635The 636.Cm nosuid 637option 638(see 639.Xr mount 8 ) 640is what you want to look into. 641I would scan them anyway at least once a 642week, since the object of this layer is to detect a break-in whether or 643not the break-in is effective. 644.Pp 645Process accounting 646(see 647.Xr accton 8 ) 648is a relatively low-overhead feature of 649the operating system which I recommend using as a post-break-in evaluation 650mechanism. 651It is especially useful in tracking down how an intruder has 652actually broken into a system, assuming the file is still intact after 653the break-in occurs. 654.Pp 655Finally, security scripts should process the log files and the logs themselves 656should be generated in as secure a manner as possible \(em remote syslog can be 657very useful. 658An intruder tries to cover his tracks, and log files are critical 659to the sysadmin trying to track down the time and method of the initial 660break-in. 661One way to keep a permanent record of the log files is to run 662the system console to a serial port and collect the information on a 663continuing basis through a secure machine monitoring the consoles. 664.Sh PARANOIA 665A little paranoia never hurts. 666As a rule, a sysadmin can add any number 667of security features as long as they do not affect convenience, and 668can add security features that do affect convenience with some added 669thought. 670Even more importantly, a security administrator should mix it up 671a bit \(em if you use recommendations such as those given by this manual 672page verbatim, you give away your methodologies to the prospective 673attacker who also has access to this manual page. 674.Sh SPECIAL SECTION ON DoS ATTACKS 675This section covers Denial of Service attacks. 676A DoS attack is typically a packet attack. 677While there is not much you can do about modern spoofed 678packet attacks that saturate your network, you can generally limit the damage 679by ensuring that the attacks cannot take down your servers. 680.Bl -enum -offset indent 681.It 682Limiting server forks 683.It 684Limiting springboard attacks (ICMP response attacks, ping broadcast, etc.) 685.It 686Kernel Route Cache 687.El 688.Pp 689A common DoS attack is against a forking server that attempts to cause the 690server to eat processes, file descriptors, and memory until the machine 691dies. 692The 693.Xr inetd 8 694server 695has several options to limit this sort of attack. 696It should be noted that while it is possible to prevent a machine from going 697down it is not generally possible to prevent a service from being disrupted 698by the attack. 699Read the 700.Xr inetd 8 701manual page carefully and pay specific attention 702to the 703.Fl c , C , 704and 705.Fl R 706options. 707Note that spoofed-IP attacks will circumvent 708the 709.Fl C 710option to 711.Xr inetd 8 , 712so typically a combination of options must be used. 713Some standalone servers have self-fork-limitation parameters. 714.Pp 715The 716.Xr sendmail 8 717daemon has its 718.Fl OMaxDaemonChildren 719option which tends to work much 720better than trying to use 721.Xr sendmail 8 Ns 's 722load limiting options due to the 723load lag. 724You should specify a 725.Va MaxDaemonChildren 726parameter when you start 727.Xr sendmail 8 728high enough to handle your expected load but not so high that the 729computer cannot handle that number of 730.Nm sendmail Ns 's 731without falling on its face. 732It is also prudent to run 733.Xr sendmail 8 734in 735.Dq queued 736mode 737.Pq Fl ODeliveryMode=queued 738and to run the daemon 739.Pq Dq Nm sendmail Fl bd 740separate from the queue-runs 741.Pq Dq Nm sendmail Fl q15m . 742If you still want real-time delivery you can run the queue 743at a much lower interval, such as 744.Fl q1m , 745but be sure to specify a reasonable 746.Va MaxDaemonChildren 747option for that 748.Xr sendmail 8 749to prevent cascade failures. 750.Pp 751The 752.Xr syslogd 8 753daemon can be attacked directly and it is strongly recommended that you use 754the 755.Fl s 756option whenever possible, and the 757.Fl a 758option otherwise. 759.Pp 760You should also be fairly careful 761with connect-back services such as tcpwrapper's reverse-identd, which can 762be attacked directly. 763You generally do not want to use the reverse-ident 764feature of tcpwrappers for this reason. 765.Pp 766It is a very good idea to protect internal services from external access 767by firewalling them off at your border routers. 768The idea here is to prevent 769saturation attacks from outside your LAN, not so much to protect internal 770services from network-based root compromise. 771Always configure an exclusive 772firewall, i.e., 773.So 774firewall everything 775.Em except 776ports A, B, C, D, and M-Z 777.Sc . 778This 779way you can firewall off all of your low ports except for certain specific 780services such as 781.Xr named 8 782(if you are primary for a zone), 783.Xr talkd 8 , 784.Xr sendmail 8 , 785and other internet-accessible services. 786If you try to configure the firewall the other 787way \(em as an inclusive or permissive firewall, there is a good chance that you 788will forget to 789.Dq close 790a couple of services or that you will add a new internal 791service and forget to update the firewall. 792You can still open up the 793high-numbered port range on the firewall to allow permissive-like operation 794without compromising your low ports. 795Also take note that 796.Fx 797allows you to 798control the range of port numbers used for dynamic binding via the various 799.Va net.inet.ip.portrange 800sysctl's 801.Pq Dq Li "sysctl net.inet.ip.portrange" , 802which can also 803ease the complexity of your firewall's configuration. 804I usually use a normal 805first/last range of 4000 to 5000, and a hiport range of 49152 to 65535, then 806block everything under 4000 off in my firewall 807(except for certain specific 808internet-accessible ports, of course). 809.Pp 810Another common DoS attack is called a springboard attack \(em to attack a server 811in a manner that causes the server to generate responses which then overload 812the server, the local network, or some other machine. 813The most common attack 814of this nature is the ICMP PING BROADCAST attack. 815The attacker spoofs ping 816packets sent to your LAN's broadcast address with the source IP address set 817to the actual machine they wish to attack. 818If your border routers are not 819configured to stomp on ping's to broadcast addresses, your LAN winds up 820generating sufficient responses to the spoofed source address to saturate the 821victim, especially when the attacker uses the same trick on several dozen 822broadcast addresses over several dozen different networks at once. 823Broadcast attacks of over a hundred and twenty megabits have been measured. 824A second common springboard attack is against the ICMP error reporting system. 825By 826constructing packets that generate ICMP error responses, an attacker can 827saturate a server's incoming network and cause the server to saturate its 828outgoing network with ICMP responses. 829This type of attack can also crash the 830server by running it out of 831.Vt mbuf Ns 's , 832especially if the server cannot drain the 833ICMP responses it generates fast enough. 834The 835.Fx 836kernel has a new kernel 837compile option called 838.Dv ICMP_BANDLIM 839which limits the effectiveness of these 840sorts of attacks. 841The last major class of springboard attacks is related to 842certain internal 843.Xr inetd 8 844services such as the UDP echo service. 845An attacker 846simply spoofs a UDP packet with the source address being server A's echo port, 847and the destination address being server B's echo port, where server A and B 848are both on your LAN. 849The two servers then bounce this one packet back and 850forth between each other. 851The attacker can overload both servers and their 852LANs simply by injecting a few packets in this manner. 853Similar problems 854exist with the internal chargen port. 855A competent sysadmin will turn off all 856of these 857.Xr inetd 8 Ns -internal 858test services. 859.Pp 860Spoofed packet attacks may also be used to overload the kernel route cache. 861Refer to the 862.Va net.inet.ip.rtexpire , net.inet.ip.rtminexpire , 863and 864.Va net.inet.ip.rtmaxcache 865.Xr sysctl 8 866variables. 867A spoofed packet attack that uses a random source IP will cause 868the kernel to generate a temporary cached route in the route table, viewable 869with 870.Dq Li "netstat -rna | fgrep W3" . 871These routes typically timeout in 1600 872seconds or so. 873If the kernel detects that the cached route table has gotten 874too big it will dynamically reduce the 875.Va rtexpire 876but will never decrease it to 877less than 878.Va rtminexpire . 879There are two problems: (1) The kernel does not react 880quickly enough when a lightly loaded server is suddenly attacked, and (2) The 881.Va rtminexpire 882is not low enough for the kernel to survive a sustained attack. 883If your servers are connected to the internet via a T3 or better it may be 884prudent to manually override both 885.Va rtexpire 886and 887.Va rtminexpire 888via 889.Xr sysctl 8 . 890Never set either parameter to zero 891(unless you want to crash the machine :-)). 892Setting both parameters to 2 seconds should be sufficient to protect the route 893table from attack. 894.Sh ACCESS ISSUES WITH KERBEROS AND SSH 895There are a few issues with both Kerberos and SSH that need to be addressed 896if you intend to use them. 897Kerberos5 is an excellent authentication 898protocol but the kerberized 899.Xr telnet 1 900and 901.Xr rlogin 1 902suck rocks. 903There are bugs that make them unsuitable for dealing with binary streams. 904Also, by default 905Kerberos does not encrypt a session unless you use the 906.Fl x 907option. 908SSH encrypts everything by default. 909.Pp 910SSH works quite well in every respect except when it is set up to 911forward encryption keys. 912What this means is that if you have a secure workstation holding 913keys that give you access to the rest of the system, and you 914.Xr ssh 1 915to an 916unsecure machine, your keys become exposed. 917The actual keys themselves are 918not exposed, but 919.Xr ssh 1 920installs a forwarding port for the duration of your 921login and if an attacker has broken root on the unsecure machine he can utilize 922that port to use your keys to gain access to any other machine that your 923keys unlock. 924.Pp 925We recommend that you use SSH in combination with Kerberos whenever possible 926for staff logins. 927SSH can be compiled with Kerberos support. 928This reduces 929your reliance on potentially exposable SSH keys while at the same time 930protecting passwords via Kerberos. 931SSH keys 932should only be used for automated tasks from secure machines (something 933that Kerberos is unsuited to). 934We also recommend that you either turn off 935key-forwarding in the SSH configuration, or that you make use of the 936.Va from Ns = Ns Ar IP/DOMAIN 937option that SSH allows in its 938.Pa authorized_keys 939file to make the key only usable to entities logging in from specific 940machines. 941.Sh SEE ALSO 942.Xr chflags 1 , 943.Xr find 1 , 944.Xr md5 1 , 945.Xr netstat 1 , 946.Xr openssl 1 , 947.Xr ssh 1 , 948.Xr xdm 1 , 949.Xr group 5 , 950.Xr ttys 5 , 951.Xr accton 8 , 952.Xr init 8 , 953.Xr sshd 8 , 954.Xr sysctl 8 , 955.Xr syslogd 8 , 956.Xr vipw 8 957.Sh HISTORY 958The 959.Nm 960manual page was originally written by 961.An Matthew Dillon 962and first appeared 963in 964.Fx 3.1 , 965December 1998. 966