xref: /freebsd/share/man/man7/security.7 (revision 8e3e3a7ae841ccf6f6ac30a2eeab85df5d7f04bc)
1.\" Copyright (C) 1998 Matthew Dillon. All rights reserved.
2.\"
3.\" Redistribution and use in source and binary forms, with or without
4.\" modification, are permitted provided that the following conditions
5.\" are met:
6.\" 1. Redistributions of source code must retain the above copyright
7.\"    notice, this list of conditions and the following disclaimer.
8.\" 2. Redistributions in binary form must reproduce the above copyright
9.\"    notice, this list of conditions and the following disclaimer in the
10.\"    documentation and/or other materials provided with the distribution.
11.\"
12.\" THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
13.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15.\" ARE DISCLAIMED.  IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
16.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
22.\" SUCH DAMAGE.
23.\"
24.\" $FreeBSD$
25.\"
26.Dd December 25, 2013
27.Dt SECURITY 7
28.Os
29.Sh NAME
30.Nm security
31.Nd introduction to security under FreeBSD
32.Sh DESCRIPTION
33Security is a function that begins and ends with the system administrator.
34While all
35.Bx
36multi-user systems have some inherent security, the job of building and
37maintaining additional security mechanisms to keep users
38.Dq honest
39is probably
40one of the single largest undertakings of the sysadmin.
41Machines are
42only as secure as you make them, and security concerns are ever competing
43with the human necessity for convenience.
44.Ux
45systems,
46in general, are capable of running a huge number of simultaneous processes
47and many of these processes operate as servers \(em meaning that external
48entities can connect and talk to them.
49As yesterday's mini-computers and mainframes
50become today's desktops, and as computers become networked and internetworked,
51security becomes an ever bigger issue.
52.Pp
53Security is best implemented through a layered onion approach.
54In a nutshell,
55what you want to do is to create as many layers of security as are convenient
56and then carefully monitor the system for intrusions.
57.Pp
58System security also pertains to dealing with various forms of attacks,
59including attacks that attempt to crash or otherwise make a system unusable
60but do not attempt to break root.
61Security concerns can be split up into
62several categories:
63.Bl -enum -offset indent
64.It
65Denial of Service attacks (DoS)
66.It
67User account compromises
68.It
69Root compromise through accessible servers
70.It
71Root compromise via user accounts
72.It
73Backdoor creation
74.El
75.Pp
76A denial of service attack is an action that deprives the machine of needed
77resources.
78Typically, DoS attacks are brute-force mechanisms that attempt
79to crash or otherwise make a machine unusable by overwhelming its servers or
80network stack.
81Some DoS attacks try to take advantages of bugs in the
82networking stack to crash a machine with a single packet.
83The latter can
84only be fixed by applying a bug fix to the kernel.
85Attacks on servers can
86often be fixed by properly specifying options to limit the load the servers
87incur on the system under adverse conditions.
88Brute-force network attacks are harder to deal with.
89A spoofed-packet attack, for example, is
90nearly impossible to stop short of cutting your system off from the Internet.
91It may not be able to take your machine down, but it can fill up your Internet
92pipe.
93.Pp
94A user account compromise is even more common than a DoS attack.
95Many
96sysadmins still run standard
97.Xr telnetd 8 ,
98.Xr rlogind 8 ,
99.Xr rshd 8 ,
100and
101.Xr ftpd 8
102servers on their machines.
103These servers, by default, do not operate over encrypted
104connections.
105The result is that if you have any moderate-sized user base,
106one or more of your users logging into your system from a remote location
107(which is the most common and convenient way to log in to a system)
108will have his or her password sniffed.
109The attentive system administrator will analyze
110his remote access logs looking for suspicious source addresses
111even for successful logins.
112.Pp
113One must always assume that once an attacker has access to a user account,
114the attacker can break root.
115However, the reality is that in a well secured
116and maintained system, access to a user account does not necessarily give the
117attacker access to root.
118The distinction is important because without access
119to root the attacker cannot generally hide his tracks and may, at best, be
120able to do nothing more than mess with the user's files or crash the machine.
121User account compromises are very common because users tend not to take the
122precautions that sysadmins take.
123.Pp
124System administrators must keep in mind that there are potentially many ways
125to break root on a machine.
126The attacker may know the root password,
127the attacker
128may find a bug in a root-run server and be able to break root over a network
129connection to that server, or the attacker may know of a bug in an SUID-root
130program that allows the attacker to break root once he has broken into a
131user's account.
132If an attacker has found a way to break root on a machine,
133the attacker may not have a need to install a backdoor.
134Many of the root holes found and closed to date involve a considerable amount
135of work by the attacker to clean up after himself, so most attackers do install
136backdoors.
137This gives you a convenient way to detect the attacker.
138Making
139it impossible for an attacker to install a backdoor may actually be detrimental
140to your security because it will not close off the hole the attacker used to
141break in originally.
142.Pp
143Security remedies should always be implemented with a multi-layered
144.Dq onion peel
145approach and can be categorized as follows:
146.Bl -enum -offset indent
147.It
148Securing root and staff accounts
149.It
150Securing root \(em root-run servers and SUID/SGID binaries
151.It
152Securing user accounts
153.It
154Securing the password file
155.It
156Securing the kernel core, raw devices, and file systems
157.It
158Quick detection of inappropriate changes made to the system
159.It
160Paranoia
161.El
162.Sh SECURING THE ROOT ACCOUNT AND SECURING STAFF ACCOUNTS
163Do not bother securing staff accounts if you have not secured the root
164account.
165Most systems have a password assigned to the root account.
166The
167first thing you do is assume that the password is
168.Em always
169compromised.
170This does not mean that you should remove the password.
171The
172password is almost always necessary for console access to the machine.
173What it does mean is that you should not make it possible to use the password
174outside of the console or possibly even with a
175.Xr su 1
176utility.
177For example, make sure that your PTYs are specified as being
178.Dq Li insecure
179in the
180.Pa /etc/ttys
181file
182so that direct root logins via
183.Xr telnet 1
184or
185.Xr rlogin 1
186are disallowed.
187If using
188other login services such as
189.Xr sshd 8 ,
190make sure that direct root logins are
191disabled there as well.
192Consider every access method \(em services such as
193.Xr ftp 1
194often fall through the cracks.
195Direct root logins should only be allowed
196via the system console.
197.Pp
198Of course, as a sysadmin you have to be able to get to root, so we open up
199a few holes.
200But we make sure these holes require additional password
201verification to operate.
202One way to make root accessible is to add appropriate
203staff accounts to the
204.Dq Li wheel
205group (in
206.Pa /etc/group ) .
207The staff members placed in the
208.Li wheel
209group are allowed to
210.Xr su 1
211to root.
212You should never give staff
213members native
214.Li wheel
215access by putting them in the
216.Li wheel
217group in their password entry.
218Staff accounts should be placed in a
219.Dq Li staff
220group, and then added to the
221.Li wheel
222group via the
223.Pa /etc/group
224file.
225Only those staff members who actually need to have root access
226should be placed in the
227.Li wheel
228group.
229It is also possible, when using an
230authentication method such as Kerberos, to use Kerberos's
231.Pa .k5login
232file in the root account to allow a
233.Xr ksu 1
234to root without having to place anyone at all in the
235.Li wheel
236group.
237This
238may be the better solution since the
239.Li wheel
240mechanism still allows an
241intruder to break root if the intruder has gotten hold of your password
242file and can break into a staff account.
243While having the
244.Li wheel
245mechanism
246is better than having nothing at all, it is not necessarily the safest
247option.
248.Pp
249An indirect way to secure the root account is to secure your staff accounts
250by using an alternative login access method and *'ing out the crypted password
251for the staff accounts.
252This way an intruder may be able to steal the password
253file but will not be able to break into any staff accounts or root, even if
254root has a crypted password associated with it (assuming, of course, that
255you have limited root access to the console).
256Staff members
257get into their staff accounts through a secure login mechanism such as
258.Xr kerberos 8
259or
260.Xr ssh 1
261using a private/public
262key pair.
263When you use something like Kerberos you generally must secure
264the machines which run the Kerberos servers and your desktop workstation.
265When you use a public/private key pair with SSH, you must generally secure
266the machine you are logging in
267.Em from
268(typically your workstation),
269but you can
270also add an additional layer of protection to the key pair by password
271protecting the keypair when you create it with
272.Xr ssh-keygen 1 .
273Being able
274to *-out the passwords for staff accounts also guarantees that staff members
275can only log in through secure access methods that you have set up.
276You can
277thus force all staff members to use secure, encrypted connections for
278all their sessions which closes an important hole used by many intruders: that
279of sniffing the network from an unrelated, less secure machine.
280.Pp
281The more indirect security mechanisms also assume that you are logging in
282from a more restrictive server to a less restrictive server.
283For example,
284if your main box is running all sorts of servers, your workstation should not
285be running any.
286In order for your workstation to be reasonably secure
287you should run as few servers as possible, up to and including no servers
288at all, and you should run a password-protected screen blanker.
289Of course, given physical access to
290a workstation, an attacker can break any sort of security you put on it.
291This is definitely a problem that you should consider but you should also
292consider the fact that the vast majority of break-ins occur remotely, over
293a network, from people who do not have physical access to your workstation or
294servers.
295.Pp
296Using something like Kerberos also gives you the ability to disable or
297change the password for a staff account in one place and have it immediately
298affect all the machines the staff member may have an account on.
299If a staff
300member's account gets compromised, the ability to instantly change his
301password on all machines should not be underrated.
302With discrete passwords, changing a password on N machines can be a mess.
303You can also impose
304re-passwording restrictions with Kerberos: not only can a Kerberos ticket
305be made to timeout after a while, but the Kerberos system can require that
306the user choose a new password after a certain period of time
307(say, once a month).
308.Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES
309The prudent sysadmin only runs the servers he needs to, no more, no less.
310Be aware that third party servers are often the most bug-prone.
311For example,
312running an old version of
313.Xr imapd 8
314or
315.Xr popper 8 Pq Pa ports/mail/popper
316is like giving a universal root
317ticket out to the entire world.
318Never run a server that you have not checked
319out carefully.
320Many servers do not need to be run as root.
321For example,
322the
323.Xr talkd 8 ,
324.Xr comsat 8 ,
325and
326.Xr fingerd 8
327daemons can be run in special user
328.Dq sandboxes .
329A sandbox is not perfect unless you go to a large amount of trouble, but the
330onion approach to security still stands: if someone is able to break in
331through a server running in a sandbox, they still have to break out of the
332sandbox.
333The more layers the attacker must break through, the lower the
334likelihood of his success.
335Root holes have historically been found in
336virtually every server ever run as root, including basic system servers.
337If you are running a machine through which people only log in via
338.Xr sshd 8
339and never log in via
340.Xr telnetd 8 ,
341.Xr rshd 8 ,
342or
343.Xr rlogind 8 ,
344then turn off those services!
345.Pp
346.Fx
347now defaults to running
348.Xr talkd 8 ,
349.Xr comsat 8 ,
350and
351.Xr fingerd 8
352in a sandbox.
353Depending on whether you
354are installing a new system or upgrading an existing system, the special
355user accounts used by these sandboxes may not be installed.
356The prudent
357sysadmin would research and implement sandboxes for servers whenever possible.
358.Pp
359There are a number of other servers that typically do not run in sandboxes:
360.Xr sendmail 8 ,
361.Xr popper 8 ,
362.Xr imapd 8 ,
363.Xr ftpd 8 ,
364and others.
365There are alternatives to
366some of these, but installing them may require more work than you are willing
367to put
368(the convenience factor strikes again).
369You may have to run these
370servers as root and rely on other mechanisms to detect break-ins that might
371occur through them.
372.Pp
373The other big potential root hole in a system are the SUID-root and SGID
374binaries installed on the system.
375Most of these binaries, such as
376.Xr rlogin 1 ,
377reside in
378.Pa /bin , /sbin , /usr/bin ,
379or
380.Pa /usr/sbin .
381While nothing is 100% safe,
382the system-default SUID and SGID binaries can be considered reasonably safe.
383Still, root holes are occasionally found in these binaries.
384A root hole
385was found in Xlib in 1998 that made
386.Xr xterm 1 Pq Pa ports/x11/xterm
387(which is typically SUID)
388vulnerable.
389It is better to be safe than sorry and the prudent sysadmin will restrict SUID
390binaries that only staff should run to a special group that only staff can
391access, and get rid of
392.Pq Dq Li "chmod 000"
393any SUID binaries that nobody uses.
394A server with no display generally does not need an
395.Xr xterm 1
396binary.
397SGID binaries can be almost as dangerous.
398If an intruder can break an SGID-kmem binary the
399intruder might be able to read
400.Pa /dev/kmem
401and thus read the crypted password
402file, potentially compromising any passworded account.
403Alternatively an
404intruder who breaks group
405.Dq Li kmem
406can monitor keystrokes sent through PTYs,
407including PTYs used by users who log in through secure methods.
408An intruder
409that breaks the
410.Dq Li tty
411group can write to almost any user's TTY.
412If a user
413is running a terminal
414program or emulator with a keyboard-simulation feature, the intruder can
415potentially
416generate a data stream that causes the user's terminal to echo a command, which
417is then run as that user.
418.Sh SECURING USER ACCOUNTS
419User accounts are usually the most difficult to secure.
420While you can impose
421draconian access restrictions on your staff and *-out their passwords, you
422may not be able to do so with any general user accounts you might have.
423If
424you do have sufficient control then you may win out and be able to secure the
425user accounts properly.
426If not, you simply have to be more vigilant in your
427monitoring of those accounts.
428Use of SSH and Kerberos for user accounts is
429more problematic due to the extra administration and technical support
430required, but still a very good solution compared to a crypted password
431file.
432.Sh SECURING THE PASSWORD FILE
433The only sure fire way is to *-out as many passwords as you can and
434use SSH or Kerberos for access to those accounts.
435Even though the
436crypted password file
437.Pq Pa /etc/spwd.db
438can only be read by root, it may
439be possible for an intruder to obtain read access to that file even if the
440attacker cannot obtain root-write access.
441.Pp
442Your security scripts should always check for and report changes to
443the password file
444(see
445.Sx CHECKING FILE INTEGRITY
446below).
447.Sh SECURING THE KERNEL CORE, RAW DEVICES, AND FILE SYSTEMS
448If an attacker breaks root he can do just about anything, but there
449are certain conveniences.
450For example, most modern kernels have a packet sniffing device driver built in.
451Under
452.Fx
453it is called
454the
455.Xr bpf 4
456device.
457An intruder will commonly attempt to run a packet sniffer
458on a compromised machine.
459You do not need to give the intruder the
460capability and most systems should not have the
461.Xr bpf 4
462device compiled in.
463.Pp
464But even if you turn off the
465.Xr bpf 4
466device, you still have
467.Pa /dev/mem
468and
469.Pa /dev/kmem
470to worry about.
471For that matter,
472the intruder can still write to raw disk devices.
473Also, there is another kernel feature called the module loader,
474.Xr kldload 8 .
475An enterprising intruder can use a KLD module to install
476his own
477.Xr bpf 4
478device or other sniffing device on a running kernel.
479To avoid these problems you have to run
480the kernel at a higher security level, at least level 1.
481The security level can be set with a
482.Xr sysctl 8
483on the
484.Va kern.securelevel
485variable.
486Once you have
487set the security level to 1, write access to raw devices will be denied and
488special
489.Xr chflags 1
490flags, such as
491.Cm schg ,
492will be enforced.
493You must also ensure
494that the
495.Cm schg
496flag is set on critical startup binaries, directories, and
497script files \(em everything that gets run
498up to the point where the security level is set.
499This might be overdoing it, and upgrading the system is much more
500difficult when you operate at a higher security level.
501You may compromise and
502run the system at a higher security level but not set the
503.Cm schg
504flag for every
505system file and directory under the sun.
506Another possibility is to simply
507mount
508.Pa /
509and
510.Pa /usr
511read-only.
512It should be noted that being too draconian in
513what you attempt to protect may prevent the all-important detection of an
514intrusion.
515.Pp
516The kernel runs with five different security levels.
517Any super-user process can raise the level, but no process
518can lower it.
519The security levels are:
520.Bl -tag -width flag
521.It Ic -1
522Permanently insecure mode \- always run the system in insecure mode.
523This is the default initial value.
524.It Ic 0
525Insecure mode \- immutable and append-only flags may be turned off.
526All devices may be read or written subject to their permissions.
527.It Ic 1
528Secure mode \- the system immutable and system append-only flags may not
529be turned off;
530disks for mounted file systems,
531.Pa /dev/mem
532and
533.Pa /dev/kmem
534may not be opened for writing;
535.Pa /dev/io
536(if your platform has it) may not be opened at all;
537kernel modules (see
538.Xr kld 4 )
539may not be loaded or unloaded.
540The kernel debugger may not be entered using the
541.Va debug.kdb.enter
542sysctl.
543A panic or trap cannot be forced using the
544.Va debug.kdb.panic
545and other sysctl's.
546.It Ic 2
547Highly secure mode \- same as secure mode, plus disks may not be
548opened for writing (except by
549.Xr mount 2 )
550whether mounted or not.
551This level precludes tampering with file systems by unmounting them,
552but also inhibits running
553.Xr newfs 8
554while the system is multi-user.
555.Pp
556In addition, kernel time changes are restricted to less than or equal to one
557second.
558Attempts to change the time by more than this will log the message
559.Dq Time adjustment clamped to +1 second .
560.It Ic 3
561Network secure mode \- same as highly secure mode, plus
562IP packet filter rules (see
563.Xr ipfw 8 ,
564.Xr ipfirewall 4
565and
566.Xr pfctl 8 )
567cannot be changed and
568.Xr dummynet 4
569or
570.Xr pf 4
571configuration cannot be adjusted.
572.El
573.Pp
574The security level can be configured with variables documented in
575.Xr rc.conf 5 .
576.Sh CHECKING FILE INTEGRITY: BINARIES, CONFIG FILES, ETC
577When it comes right down to it, you can only protect your core system
578configuration and control files so much before the convenience factor
579rears its ugly head.
580For example, using
581.Xr chflags 1
582to set the
583.Cm schg
584bit on most of the files in
585.Pa /
586and
587.Pa /usr
588is probably counterproductive because
589while it may protect the files, it also closes a detection window.
590The
591last layer of your security onion is perhaps the most important \(em detection.
592The rest of your security is pretty much useless (or, worse, presents you with
593a false sense of safety) if you cannot detect potential incursions.
594Half
595the job of the onion is to slow down the attacker rather than stop him
596in order to give the detection layer a chance to catch him in
597the act.
598.Pp
599The best way to detect an incursion is to look for modified, missing, or
600unexpected files.
601The best
602way to look for modified files is from another (often centralized)
603limited-access system.
604Writing your security scripts on the extra-secure limited-access system
605makes them mostly invisible to potential attackers, and this is important.
606In order to take maximum advantage you generally have to give the
607limited-access box significant access to the other machines in the business,
608usually either by doing a read-only NFS export of the other machines to the
609limited-access box, or by setting up SSH keypairs to allow the limit-access
610box to SSH to the other machines.
611Except for its network traffic, NFS is
612the least visible method \(em allowing you to monitor the file systems on each
613client box virtually undetected.
614If your
615limited-access server is connected to the client boxes through a switch,
616the NFS method is often the better choice.
617If your limited-access server
618is connected to the client boxes through a hub or through several layers
619of routing, the NFS method may be too insecure (network-wise) and using SSH
620may be the better choice even with the audit-trail tracks that SSH lays.
621.Pp
622Once you give a limit-access box at least read access to the client systems
623it is supposed to monitor, you must write scripts to do the actual
624monitoring.
625Given an NFS mount, you can write scripts out of simple system
626utilities such as
627.Xr find 1
628and
629.Xr md5 1 .
630It is best to physically
631.Xr md5 1
632the client-box files boxes at least once a
633day, and to test control files such as those found in
634.Pa /etc
635and
636.Pa /usr/local/etc
637even more often.
638When mismatches are found relative to the base MD5
639information the limited-access machine knows is valid, it should scream at
640a sysadmin to go check it out.
641A good security script will also check for
642inappropriate SUID binaries and for new or deleted files on system partitions
643such as
644.Pa /
645and
646.Pa /usr .
647.Pp
648When using SSH rather than NFS, writing the security script is much more
649difficult.
650You essentially have to
651.Xr scp 1
652the scripts to the client box in order to run them, making them visible, and
653for safety you also need to
654.Xr scp 1
655the binaries (such as
656.Xr find 1 )
657that those scripts use.
658The
659.Xr sshd 8
660daemon on the client box may already be compromised.
661All in all,
662using SSH may be necessary when running over unsecure links, but it is also a
663lot harder to deal with.
664.Pp
665A good security script will also check for changes to user and staff members
666access configuration files:
667.Pa .rhosts , .shosts , .ssh/authorized_keys
668and so forth, files that might fall outside the purview of the MD5 check.
669.Pp
670If you have a huge amount of user disk space it may take too long to run
671through every file on those partitions.
672In this case, setting mount
673flags to disallow SUID binaries on those partitions is a good
674idea.
675The
676.Cm nosuid
677option
678(see
679.Xr mount 8 )
680is what you want to look into.
681I would scan them anyway at least once a
682week, since the object of this layer is to detect a break-in whether or
683not the break-in is effective.
684.Pp
685Process accounting
686(see
687.Xr accton 8 )
688is a relatively low-overhead feature of
689the operating system which I recommend using as a post-break-in evaluation
690mechanism.
691It is especially useful in tracking down how an intruder has
692actually broken into a system, assuming the file is still intact after
693the break-in occurs.
694.Pp
695Finally, security scripts should process the log files and the logs themselves
696should be generated in as secure a manner as possible \(em remote syslog can be
697very useful.
698An intruder tries to cover his tracks, and log files are critical
699to the sysadmin trying to track down the time and method of the initial
700break-in.
701One way to keep a permanent record of the log files is to run
702the system console to a serial port and collect the information on a
703continuing basis through a secure machine monitoring the consoles.
704.Sh PARANOIA
705A little paranoia never hurts.
706As a rule, a sysadmin can add any number
707of security features as long as they do not affect convenience, and
708can add security features that do affect convenience with some added
709thought.
710Even more importantly, a security administrator should mix it up
711a bit \(em if you use recommendations such as those given by this manual
712page verbatim, you give away your methodologies to the prospective
713attacker who also has access to this manual page.
714.Sh SPECIAL SECTION ON DoS ATTACKS
715This section covers Denial of Service attacks.
716A DoS attack is typically a packet attack.
717While there is not much you can do about modern spoofed
718packet attacks that saturate your network, you can generally limit the damage
719by ensuring that the attacks cannot take down your servers.
720.Bl -enum -offset indent
721.It
722Limiting server forks
723.It
724Limiting springboard attacks (ICMP response attacks, ping broadcast, etc.)
725.It
726Kernel Route Cache
727.El
728.Pp
729A common DoS attack is against a forking server that attempts to cause the
730server to eat processes, file descriptors, and memory until the machine
731dies.
732The
733.Xr inetd 8
734server
735has several options to limit this sort of attack.
736It should be noted that while it is possible to prevent a machine from going
737down it is not generally possible to prevent a service from being disrupted
738by the attack.
739Read the
740.Xr inetd 8
741manual page carefully and pay specific attention
742to the
743.Fl c , C ,
744and
745.Fl R
746options.
747Note that spoofed-IP attacks will circumvent
748the
749.Fl C
750option to
751.Xr inetd 8 ,
752so typically a combination of options must be used.
753Some standalone servers have self-fork-limitation parameters.
754.Pp
755The
756.Xr sendmail 8
757daemon has its
758.Fl OMaxDaemonChildren
759option which tends to work much
760better than trying to use
761.Xr sendmail 8 Ns 's
762load limiting options due to the
763load lag.
764You should specify a
765.Va MaxDaemonChildren
766parameter when you start
767.Xr sendmail 8
768high enough to handle your expected load but not so high that the
769computer cannot handle that number of
770.Nm sendmail Ns 's
771without falling on its face.
772It is also prudent to run
773.Xr sendmail 8
774in
775.Dq queued
776mode
777.Pq Fl ODeliveryMode=queued
778and to run the daemon
779.Pq Dq Nm sendmail Fl bd
780separate from the queue-runs
781.Pq Dq Nm sendmail Fl q15m .
782If you still want real-time delivery you can run the queue
783at a much lower interval, such as
784.Fl q1m ,
785but be sure to specify a reasonable
786.Va MaxDaemonChildren
787option for that
788.Xr sendmail 8
789to prevent cascade failures.
790.Pp
791The
792.Xr syslogd 8
793daemon can be attacked directly and it is strongly recommended that you use
794the
795.Fl s
796option whenever possible, and the
797.Fl a
798option otherwise.
799.Pp
800You should also be fairly careful
801with connect-back services such as tcpwrapper's reverse-identd, which can
802be attacked directly.
803You generally do not want to use the reverse-ident
804feature of tcpwrappers for this reason.
805.Pp
806It is a very good idea to protect internal services from external access
807by firewalling them off at your border routers.
808The idea here is to prevent
809saturation attacks from outside your LAN, not so much to protect internal
810services from network-based root compromise.
811Always configure an exclusive
812firewall, i.e.,
813.So
814firewall everything
815.Em except
816ports A, B, C, D, and M-Z
817.Sc .
818This
819way you can firewall off all of your low ports except for certain specific
820services such as
821.Xr talkd 8 ,
822.Xr sendmail 8 ,
823and other internet-accessible services.
824If you try to configure the firewall the other
825way \(em as an inclusive or permissive firewall, there is a good chance that you
826will forget to
827.Dq close
828a couple of services or that you will add a new internal
829service and forget to update the firewall.
830You can still open up the
831high-numbered port range on the firewall to allow permissive-like operation
832without compromising your low ports.
833Also take note that
834.Fx
835allows you to
836control the range of port numbers used for dynamic binding via the various
837.Va net.inet.ip.portrange
838sysctl's
839.Pq Dq Li "sysctl net.inet.ip.portrange" ,
840which can also
841ease the complexity of your firewall's configuration.
842I usually use a normal
843first/last range of 4000 to 5000, and a hiport range of 49152 to 65535, then
844block everything under 4000 off in my firewall
845(except for certain specific
846internet-accessible ports, of course).
847.Pp
848Another common DoS attack is called a springboard attack \(em to attack a server
849in a manner that causes the server to generate responses which then overload
850the server, the local network, or some other machine.
851The most common attack
852of this nature is the ICMP PING BROADCAST attack.
853The attacker spoofs ping
854packets sent to your LAN's broadcast address with the source IP address set
855to the actual machine they wish to attack.
856If your border routers are not
857configured to stomp on ping's to broadcast addresses, your LAN winds up
858generating sufficient responses to the spoofed source address to saturate the
859victim, especially when the attacker uses the same trick on several dozen
860broadcast addresses over several dozen different networks at once.
861Broadcast attacks of over a hundred and twenty megabits have been measured.
862A second common springboard attack is against the ICMP error reporting system.
863By
864constructing packets that generate ICMP error responses, an attacker can
865saturate a server's incoming network and cause the server to saturate its
866outgoing network with ICMP responses.
867This type of attack can also crash the
868server by running it out of
869.Vt mbuf Ns 's ,
870especially if the server cannot drain the
871ICMP responses it generates fast enough.
872The
873.Fx
874kernel has a new kernel
875compile option called
876.Dv ICMP_BANDLIM
877which limits the effectiveness of these
878sorts of attacks.
879The last major class of springboard attacks is related to
880certain internal
881.Xr inetd 8
882services such as the UDP echo service.
883An attacker
884simply spoofs a UDP packet with the source address being server A's echo port,
885and the destination address being server B's echo port, where server A and B
886are both on your LAN.
887The two servers then bounce this one packet back and
888forth between each other.
889The attacker can overload both servers and their
890LANs simply by injecting a few packets in this manner.
891Similar problems
892exist with the internal chargen port.
893A competent sysadmin will turn off all
894of these
895.Xr inetd 8 Ns -internal
896test services.
897.Sh ACCESS ISSUES WITH KERBEROS AND SSH
898There are a few issues with both Kerberos and SSH that need to be addressed
899if you intend to use them.
900Kerberos5 is an excellent authentication
901protocol but the kerberized
902.Xr telnet 1
903and
904.Xr rlogin 1
905suck rocks.
906There are bugs that make them unsuitable for dealing with binary streams.
907Also, by default
908Kerberos does not encrypt a session unless you use the
909.Fl x
910option.
911SSH encrypts everything by default.
912.Pp
913SSH works quite well in every respect except when it is set up to
914forward encryption keys.
915What this means is that if you have a secure workstation holding
916keys that give you access to the rest of the system, and you
917.Xr ssh 1
918to an
919unsecure machine, your keys become exposed.
920The actual keys themselves are
921not exposed, but
922.Xr ssh 1
923installs a forwarding port for the duration of your
924login and if an attacker has broken root on the unsecure machine he can utilize
925that port to use your keys to gain access to any other machine that your
926keys unlock.
927.Pp
928We recommend that you use SSH in combination with Kerberos whenever possible
929for staff logins.
930SSH can be compiled with Kerberos support.
931This reduces
932your reliance on potentially exposable SSH keys while at the same time
933protecting passwords via Kerberos.
934SSH keys
935should only be used for automated tasks from secure machines (something
936that Kerberos is unsuited to).
937We also recommend that you either turn off
938key-forwarding in the SSH configuration, or that you make use of the
939.Va from Ns = Ns Ar IP/DOMAIN
940option that SSH allows in its
941.Pa authorized_keys
942file to make the key only usable to entities logging in from specific
943machines.
944.Sh SEE ALSO
945.Xr chflags 1 ,
946.Xr find 1 ,
947.Xr md5 1 ,
948.Xr netstat 1 ,
949.Xr openssl 1 ,
950.Xr ssh 1 ,
951.Xr xdm 1 Pq Pa ports/x11/xorg-clients ,
952.Xr group 5 ,
953.Xr ttys 5 ,
954.Xr accton 8 ,
955.Xr init 8 ,
956.Xr sshd 8 ,
957.Xr sysctl 8 ,
958.Xr syslogd 8 ,
959.Xr vipw 8
960.Sh HISTORY
961The
962.Nm
963manual page was originally written by
964.An Matthew Dillon
965and first appeared
966in
967.Fx 3.1 ,
968December 1998.
969