DNS SERVER SECURITY HARDENING

DNS Server
Security / Hardening
Linux OS - Fedora 14 / RHEL

Copyright Erwin L. Carrow This work is the intellectual property of the author. Permission is granted for this material to be shared for
non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is
given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires
written permission from the author. Videos and specific graphics presented are not for public distribution.
9/3/2011 Cyber Defense Security Presentation 1

Session Guide
 Erwin Carrow
IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP,
CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc.
Board of Regents, University System of Georgia; Office of Internal Audit
and Compliance
270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
Email: ecarrow@google.com erwin.carrow@usg.edu
ecarrow@gmail.com
http://www.linkedin.com/in/ecarrow
http://twitter.com/ecarrow
Skype: erwin.louis.carrow


Session Agenda
 DNS Server Security & Hardening: “Down and Dirty”(4 slides)
 Other DNS information included for
your review (not elaborated on)
 Internet threats & associated risks (2
slides)
 DNS Service (3 slides)
 Connecting hosts to services:
protocols, transmission, network
topology, & service request resolution
 Controls to mitigate DNS service
disruption (3 slides)
 DNS “How-to” (7 slides)
 Installation & configuration
 DNS Hardening - local file system,
application, managing access control
 Network topology, architecture, &
exchange
 Helpful Hints (4 Slides)


Key Takeaways
 Understand what “High-level” requirements are needed
to secure a DNS server and access to service (lectures focus)
 Slides for Individual Review (not elaborated on, but “How-to” provided)
 Recognize common DNS services threats
 Recognize the basic components & network topology for
the implementation of a secure DNS service
 Understand how to install, configure, secure, &
administrate DNS service
 Helpful hints that apply to any network service
implementation


DNS Security & Hardening – Local System (1 of 4)
Define, Discuss, Demonstrate, & Do
 Configuring Service
 Partitioning, Quotas, & ACLs
 chroot / Jail application
 tcpwrappers
 PAM (Pluggable Authentication Modules)
 SELinux http://fedoraproject.org/wiki/SELinux
 IPTables (local Firewall)
 Key Setup, Exchange, & Management
 Local User Account Management
 Limit remote service admin access
 File permissions / mitigate escalation
 Limit service access
 Manage interdepend services e.g., at & cron
 Patch Management
 Manage DNS Service Logs
 Audit System Activity

DNS Security & Hardening - Network (2 of 4)
 Manage User Identity & Access Control
 Limit “Other” Services
 NIC / routing: edit /etc/sysctl.conf
 Run-levels / interactive boot
 Uninstall or disable all services not needed
 Configure & Secure NTP Exchanges
 Define Server “Role & Responsibility” within
Network Topology
 DNS Zone & Records Management
 Deployment, Queries, & Replication
 In-band versus Out-of-band
 Manage Key Exchange
 TSIG – Update Exchanges
 DNSSEC – Validate Sites & SOA

 Network Proxy, Firewall, & IDS / IPS
 Manage Service(s) Logs

DNS Security & Hardening: Network Topology (3 of 4)


Summary: DNS Security & Hardening (4 of 4)
 Local System Configuration
 Fence in the DNS playground
 Limit ownership & access
 Monitor Activity
 Network Deployment & Topology
 Security Threat Gateway (Firewall, Proxy, IDS /IPS,
etc.)
 Limit services, access, & disable routing functions
 Manage Request & Responses (Internal & External –
Server to Client)
 Zone or Record corruption
 IP Spoofing
 Cache Poisoning
 Buffer Overflow – patch
 Data interception / Impersonation
 Track & Manage the Bouncing Bits & Bytes!
 Vulnerability Matrix & Security Advisories
https://www.isc.org/software/bind/security/matrix
https://www.isc.org/advisories

Thank You for Your Patience & Participation -
Any Questions?
Gain a basic understanding of the requirements
for securing and hardening a DNS server


Helpful Resources
 Linux Server Security by Michael D. Bauer; O’Reilly
 DNS and BIND by Paul Albitz & Cricket Liu; O’Reilly
 Understanding Data Communications by Gilbert Held; Addison-
Wesley
 Local Area Network by David A Stamper; Prentice Hall
 Trouble shooting TCP/IP by Mark A. Miller; M&T Books
 TCP/IP – Running a Successful Network by Kevin Washburn & Jim
Evans; Addison-Wesley
 ISC BIND page on DNSSEC -
http://www.isc.org/software/bind/dnssec
 DNSSEC deployment at the root zone - http://www.root-
dnssec.org/
 DNSSEC information for .org - http://www.pir.org/dnssec/
 ENISA Good Practices Guide for Deploying DNSSEC -
http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec

Appendix: Other Useful Information for Review
 Security Threat (2 slides)
 DNS Services (3 slides)
 Security and tools for hardening DNS (3 slides)
 Network Topology and Services
 DNS Server (8 slides)
 Installation
 Setup / Configuration
 Security & Administration
 Helpful Hints (4 slides)


Security Threat (1 of 2)
 Functional characteristic: security, monitor , & mitigate malicious
attempts to malign or disrupt network services
 There are four general categories of security threats to the network:
Unstructured threats, Structured threats, External threats, & Internal
threats
http://ptgmedia.pearsoncmg.com/images/1587131625/samplechapter/158
7131625content.pdf
 Classes of Attacks: Reconnaissance attacks, Access attacks, Denial of
service attacks, & Worms, Viruses, and Trojan horses
 All of the following can be used to compromise your system: packet
sniffers, IP weaknesses, password attacks, DoS or DDoS, man-in-the-
middle attacks, application layer attacks ,trust exploitation, port
redirection , virus, Trojan horse, operator error & worms


Security Threat - Attack vs. Knowledge (2 of 2)
Intruder Knowledge Attacks
High crimeware / SSL-evading malware APT
“stealth” / advanced scanning
distributed DOS
browser anti-forensics
sniffers attacks command & control
sweepers
S web attacks
automated probes/scans
K packet spoofing DOS
back doors worms
I disabling audits network attacks against DNS, SNMP, etc
L GUI tools
Trojans
L spoofing session hijacking
viruses exploiting known vulnerabilities
password cracking
self-replicating code
password guessing
Low
1980 1985 1990 1995 2000 2005 2010
Tool Capabilities and Ease of Use

DNS Services: Protocols, Topology, & Resolution
Define, Discuss, Demonstrate, & Do (1 of 3)
 Domain Name Service (DNS) provides IP address and Fully
Qualified Domain Name (FQDN) request information to host
 Type/Role: Authoritative, Recursive / Master (auth.), Slave (auth.,
load balancing & redundancy, Caching (no auth. – name to IP
resolution), Forwarding (no auth.)
 DHCP can dynamically populate DNS host records
 Dynamic Host Control Protocol (DHCP) provides IP address,
default router gateway, DNS, WINS, and other service information
requested by host to enable connectivity to various internal and
external resources
 Typically applied and configured to support organization intranet
 Can be implemented locally to a specific broadcast domain or
request forwarded through a relay agent
 Host broadcast request & responds to 1st DHCP server response
received
 Host leases information & requires a periodic renewal
 Renewal request sent to initial DHCP server via unicast, if no
response broadcast for service request


 Topology Structure
 Nodes & Zones
 Root Domains, Delegation of Authority, & Start of Authority,
 Authority is delegated to lower levels in the hierarchy, each layer in the
hierarchy may delegate the authoritative control to the next lower
level
 Domains (SOA) Start of Authority for FQDN, e.g., redhat.com where
one or more DNS server IP addresses are registered with Internet
Corporation for Assigned Numbers and Names (ICANN)
 Sub-domains – internally controlled DNS servers that segment
organization resources
 Naming convention (FQDN)
 Transmission methodology
 Host request / resolver: /etc/nsswitch.conf, /etc/resolv.conf,
/etc/hosts
 Server types & role: primary-master; secondary-slave; & caching-
only/forwarders
 DNS resolution service
 Iterative queries: sends FQDN and requests either IP Address of
Domain or FQDN of Authoritative DNS Server (typically host’s resolver
to primary DNS server and then DNS server to server exchanges until
resolution or invalid)
 Recursive queries - sends FQDN to DNS server and asks for IP Address
of domain (similar to above)
 Process: query, cache, & response
 FQDN  IP address
 IP address  FQDN (reverse lookup Domains)
 Creates dynamic entries in DNS tables
 Static entries DNS records for domain services
 DHCP can be dynamically linked to local DNS for internal hostname
resolution


 Answer the question: “How will a server fit  Content Management
into the big picture for the network?”  Zones - created to distinguish domains and
catalogue host records
 DNS Server Service Role & Types of  DB file / records characteristics:
Exchanges  Name -
 Master: (SOA) authoritative  TTL – Time to live (how long the record is
 Slave: (SOA?) authoritative (replicate cached)
Master) or non-authoritative (partitioned  Class - IN for Internet only record class
out or partial load-balancing) supported in DNS
 Caching: non-authoritative; static or  Type – Per listing below
dynamic updates  Data - content specific to record type
 Forwarding: non-authoritative  Record Types:
 Network Topology Location  Start of Authority (SOA) - information
 Service query response service support for: that identifies the top of the zone and
External (Internet), DMZ, Internal other general properties
(Intranet), host based (Caching)  Address (A or AAAA) IPv4/IPv6
 http://www.dnsbl.info/dnsbl-list.php  Canonical name (CNAME) - Alias
 Host information (HINFO)
 Mail exchange (MX) - mail server
 Name server (NS) – DNS servers
 Pointer (PTR) - reverse lookup IP to
FQDN
 Text (TXT)
 Well-known services (WKS)


DNS Service: Security Considerations
 Where will the application physically reside on the local OS?
 Partition type, quotas, & ACLs
 Manage space allocation
 Prevent hard links programs; facilitate precise control over mount options
 limits user access or influence
 Allow minimal privileges via mount options
 Chroot Jail DNS application
 If service compromised, limits user rights & privileges escalation - If local user
compromised limits influence on application
 Function?
 Runs a process with root directory other than /
 $ /usr/sbin/chroot /home/user_name/existing_directory
 Challenge is to include interdependent binaries / libraries files into the “Jail” environment
 Once setup, change to location and start service or application
 How will you manage DNS’s local functional influence? Must manages
applications ability to influence overall system functionality!
 SELinux (Alt. AppArmor)
 http://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-
selinux.html http://www.nsa.gov/research/selinux/index.shtml
 http://hackinglinux.blogspot.com/2007/05/selinux-tutorial.html
 PAM – Pluggable Authentication Modules (Access Control)
 http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html
 How will you manage access to the service ?
 TCPWrappers: /etc/hosts.allow & /etc/host.deny;
daemon_list:client_list:[:command]
 Firewall local and remote settings: IPTables
 Disable all on unneeded services!
 Enable application auditing
 Log Management – monitor activity and events types!

 DNS Service Access Control: Sample exploit
http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
 Access Control Lists (ACLs)
 TSIG Transactions – shared hashed key
 DNSSEC: Relies on public/private key authentication. DNSSEC
specifications (RFC 4033, RFC 4034and RFC 4035 augmented with
others) answer three questions: Authentication - the DNS
responding really is the DNS that the request was sent to. Integrity -
the response is complete and nothing is missing or changed. Proof
of non-existence - if the DNS returns a status that the name does
not exist (NXDOMAIN) this response can be proven to have come
from the authoritative server. RHEL # dns-keygen  edit
/etc/rndc.key [insert key] or RHEL/Fedora # rndc-confgen >
/etc/rndc.conf; rndc status
 Use DNSSEC to verify recursive DNS results
 Default DNS BIND configuration in RHEL 6
options {
dnssec-enable yes;
dnssec-validate yes;
};
 In /etc/named.conf will set a “trust anchor” trust the root DNSKEY
managed-keys {
/* not the real root key */
“.” initial-key 257 3 5 “BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEf
K3clRbGaTwSJxrGkxJWoZu6I7PzJu/E9
gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9
mZhkdUpd1Vso/HAdjNe8L”;
};
 Testing the validating recursive DNS server
# dig www.example.com +dnssec


 Authoritative Server: Configuration Overview  (4) Manually sign the zone file
 Create a normal DNS zone file (1)  Sign the zone manually:
 Generate the zone-signing key and key-signing key (2)  dnssec-signzone example.com
 Add DNSKEY records for both keys to the zone file (3)  Add -3 option if you want NSEC3 records
 Sign the zone (creates RRSIG and NSEC/NSEC3) (4)  Active keys in the zone are automatically used
 Point /etc/named.conf at the signed zone file (5)  Creates example.com.signed file
 Reload the zone (6)  BIND 9.7 has a number of new features to support
 Provide DS record for zone's KSK to your parent zone automatic signing on dynamic update, key rotation
(7) management, and so on...see the documentation in
 (1) Set up DNSSEC with each signed zone having its /usr/share/doc/bind-9.7*/arm/
own directory, and zone file has same name as zone  (5) Update zone directive and reload zone
 /var/named/example.com/example.com would be the  Zone directive in /etc/named.conf needs to be pointed at
zone file for the zone example.com the signed file
zone “example.com” IN {
 Directory and zone file needs to be readable by group type master;
named, have SELinux type named_zone_t file “example.com/example.com.signed”;
 (2) Generating the ZSK and KSK };
 Change to the zone file's directory in /var/named  (6) Reload the zone to make changes take effect
 # cd /var/named/example.com/  # service named reload | rndc reload
 Create the zone-signing key (ZSK)  (7) Provide DS record to parent zone operator
 # dnssec-keygen example.com  If the parent zone is DNSSEC signed and ready,
 Create the key-signing key (KSK) provide your zone's DS record to your registrar
 # dnssec-keygen -fk example.com  You can generate it from your zone file if necessary
 Both dnssec-keygen commands should add the -3  # cd /var/named/example.com/
option if you want to use NSEC3 records  # dnssec-dsfromkey -f example.com
 (3) Add the keys to the zone file  Creates dsset-example.com. file containing DS records
 Each command results in two key pair files  http://www.redhat.com/promo/summit/2010/
 Kexample.com+005+00000.{key,private} presentations/taste_of_training/Summit_2010
 Add the public key files to the zone file _DNSSEC.pdf
 cat *.key >> /var/named/example.com/example.com


Network Services: Protocols, Topology, & Resolution


DNS Server – Install, Setup, & Administration (1 of 7)
 Client / Server: Resolver settings
 How will queries be made?
 Resolution priority & precedence search method - edit local system
files /etc/nsswitch.conf; /etc/hosts; /etc/resolv.conf
 Consider who the DNS server will support (internal/external)
 Only serve DNS for those types
 Segregate support requirements – don’t do both in one server
instance
 Do not arbitrarily allow zone transfers or do recursion
 Partition and ACL setup:
 Install & configure ACL
 # yum install acl
 Edit /etc/fstab
 “/dev/dhc1 /var/named ext4 defaults,acl 1 2”
 # mount –t ext –o acl, remount /dev/hdc1 /var/named
 Apply security via getfacl & setfacl
 # setfacl –m u:named:rwx /var/named

 Prevent hard links to setuid programs
 Specify precise control over mount options
 Allow minimal privileges via mount options
 Modify /etc/fstab: noexec on everything possible; nodev
everywhere except / and chroot partitions; nosetuid everywhere
except /
 Consider making /var/tmp link to /tmp, or maybe mount –bind
option
 GUI Management Utility - http://www.webmin.com/


 Identify type of server and location
 Master, Slave, Caching, or Forwarding
 Server setup:
 Install – bind, bind-utils, bind-chroot [jail application], caching-
nameserver [RHEL - install for cache server function], system-
config-bind
 Network interface configuration:
 Define & apply static IP address to interface
 Modify /etc/sysconfig/network-scripts/ifcfg-ethX; PEERDNS=no
 Modify /etc/host; place host name to IP address of resources for DNS
lookups [optional]
 Modify /etc/resolv.conf; insert at beginning of file  nameserver 127.0.0.1
 Security considerations
 Chroot / Jail application due to ever changing & challenging security issues
 # yum install bind-chroot  /var/named/chroot/etc/named.conf
 Copy dependent binaries & libraries into chroot directory and manage links
 Edit /etc/sysconfig/named directory and change it to /var/named/chroot
 Modify /etc/sysconfig/named file and set ROOTDIR shell variable to
/var/named/chroot, e.g., ROOTDIR=“/var/named/chroot”
 Test - do inode comparison
 # ls /var/named/chroot/var/named
 # ls –ldi /var/named/chroot/var/named
 # ls –ldi /var/named
 # service named start
 # ls –ldi /var/named/chroot/var/named [should now reflect the
/var/named inode]

 More security considerations http://www.puschitz.com/SecuringLinux.shtml
 Modify / edit Firewall & SELinux settings: allow TCP & UDP port 53
 Secure transaction exchange:
 TSIGs signatures – hashed key exchange to support secure record exchange / replication
 Time synchronization is critical –if TSIG exchange fails check time
 Split Horizon server / Proxy Server  place in DMZ; internal versus external name
resolution can support two different query types, not recommended
 Logs  /var/log/messages [assume DNS chroot]
 # mk /var/named/chroot/var/log
 # chmod 744 /var/named/chroot/var/log/bind
 # chown named /var/named/chroot/var/log/bind
 # ls –ld /var/named/chroot/var/log/bind
 NTP Time services must be properly configured and secured


 Server Service
 Init & start – # chkconfig named on; service named start
 Service modification – # service network [stop | start | restart ]
 RHEL configuration test - # service named configtest
 Documentation –
 http://www.zytrax.com/books/dns/
 file:///usr/share/doc/bind-9.7.2/arm/Bv9ARM.html
 Server configuration:
 Edit/etc/named.conf
 See /usr/share/doc/bind*/sample/ for example named configuration
files
 RHEL and Fedora have distinctions [see page 786 for details]
 Determine type/role of DNS server(s) per topology design or
requirements  Master, Slave, or Caching
 Modify settings
 Create Zones: root domains, local global domains, & reverse lookup
domain
 Configure security – exchange methods & keys
 Populate domains with appropriate static records, e.g., name
server (NS), mail server (MX), host records (A/AAAA), services
records (IP and service port specific), reverse loop up record
(PTR) etc.
 Restart services
 Zones information located in /var/named


DNS: Server – Install, Setup, & Administration (5 of 7)
 Only common references below, e.g., change below files system locations to jailed DNS file
locations
 Caching-Only Server  yum install –y caching-nameserver
 # cp /etc/named.caching-nameserver.conf /etc/named.conf
 Slave zone files  # ls /var/named/slaves
 Manually pull Master file to Slave  # dig –t axfr zone_name.com @servername
 RHEL6 /var/named not writable  zone modifications /var/named/dynamic and then update
/etc/named.conf
 Local System Security Settings
 ACL
 Define an ACL directive  acl “local-net” { 127.0.0.1; 192.168.1.0/24; };
 Place in named.conf  allow-transfer { local-net; }; allow-query { local-net; };
 User Access
 DNS files owned by application “named user” and not root!
 # chown root:named /etc/named/*; chown root:named /var/named/*;
 IPTables – Firewall security settings – general settings provided
 # iptables –I INPUT 5 –p udp –m udp –dport 53 –j ACCEPT
 # iptables –I INPUT 5 –p tcp –m tcp –dport 53 –j ACCEPT
 # iptables –I INPUT 5 –p udp –m udp –dport 953 –j ACCEPT [rndc key exchange]
 # service iptables save; service iptables restart
 SELinux
 # getsebool –a | grep named_dis
 # setsebool –P named_disable_trans=1
 # chcon –t named_conf_t /etc/named.conf
 # ls –Z /etc | grep named.conf


DNS: Server Key Exchange Setup (6 of 7)
Define, Discuss, Demonstrate, & Do [RHEL]
 Only common references below, e.g., change below files system locations to jailed DNS file locations
 Modify named.conf and insert  include “/etc/rndc.key”;
 Create key # dns-keygen
 [Fedora  $ /usr/sbin/dnssec-keygen –a hmac –md5 –b 512 –n HOST keyname ]
$ cat Kkeyname.+243+14321.private  similar as below see page 803
 Create key file # vi /etc/rndc.key
key “rndckey” {
algorithm hmac-md5;
secret
“aresrntynratbYjhjdslo863eWEDvOVCmdvfvb”; [not a real key]
};
 Create config file # rndc-confgen > /etc/rndc.conf
 Edit /etc/rndc.conf paste in key content listed above
 Edit named.conf & add
controls {
inet 127.0.0.1 port 953
allow {127.0.0.1; } keys { “rndc.key”; };
};
include “etc/rndc.key
 Change ownership of files
 # chown root:named /etc/rndc.*
 # chmod 400 /etc/rndc.*; service named configtest; service named restart; rndc status
 # chcon –t named_conf_t rndc.key rndc.conf;
 Logs  /var/log/bind; /var/log/messages


DNS Service Security: Topology ACLs / Key Exchange (7 of 7)


DNS Server – Helpful Hints for Setup & Administration (1 of 4)
 GUI - system-config-network; system-config-network-tui  CLI Configure Service & Status
 CLI Query Resolver  # service --status-all  state of service
on system
 $ dig fully_qualify_domain_hostname; dig –x
ip_address; dig –t MX  # service service_name [stop | start |
fully_qualify_domain_hostname restart| status]
 $ host ip_address; hostname; nslookup FQDN or  # chkconfig service_name [on | off]
IP_ADD; ping FQDN or IP_ADD; whois domain_name  # service service_name configtest
(lookup info for hostname or ip address)  # netstat -tupl (internet services on a
 CLI Configure Interface & Routes system); netstat –tup (active
 $ ifconfig interface up|down connections to/from system); netstat -
 Check out $ ethtool eth0  must be installed
tanp | grep LISTEN
 Server: static configuration per node w/ host FQDN, host IP,  Troubleshooting methodology: start
subnet mask, default gateway, & DNS server IP with local host  remote host or service
 $ ip  Check local interface (hostname,
 # ip addr add 1.2.3.4/24 brd + dev eth0 (add or delete IP & ifconfig, iwconfig, ping, netstat)
subnet mask)  Check local gateway, route or shout?
 # ip route add default via 1.2.3.254 (add or delete default (ping, route, traceroute)
gateway – change default to network address to create a static  Check local services ACLs, firewall,
route)
proxy, DNS, file share, etc. (netstat, dig,
 # ip link set dev eth0 up (bring interface up or down) hosts, nslookup)
 # ip addr show; ip -s link; ip route show; hostname –i;
 Check remote host services or resources
 ip or route commands (ping, finger, jwhois, lynx, nmap, mtr,
 # route add default gw 192.168.1.1 [destination address] eth0 browsers)
[interface on the same network as destination gateway
address]  Key file locations: /sbin;
 Edit related files: etc/sysconfig/network-scripts; /etc/sysconfig/network;
 http://lartc.org/howto/lartc.rpdb.multiple-links.html /etc/sysconfig/network-scripts;
 http://www.itsyourip.com/Linux/howto-add-a-persistent-
/etc/init.d/network “start, restart, or
static-route-in-redhat-enterprise-linux/ stop”


DNS Server – Helpful Hints for Network Settings (2 of 4)
 Disabling unnecessary daemons that are “Listening”  Edit /etc/sysctl.conf settings
 Locate the pid in the netstat command  Don't reply to broadcasts. Prevents joining a smurf
 cat /proc/<pid>/cmdline attack
 If not full path, run which or locate to find utility  net.ipv4.icmp_echo_ignore_broadcasts = 1
 rpm -qf full_path_of_daemon  Enable protection for bad icmp error messages
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 rpm -e package_name
 Enable syncookies for SYN flood attack protection
 If difficult to remove due to dependencies:
 net.ipv4.tcp_syncookies = 1
 chkconfig <service> off  Log spoofed, source routed, and redirect packets
 tcp_wrappers  net.ipv4.conf.all.log_martians = 1
 Even if iptables is in use, configure this just in case  net.ipv4.conf.default.log_martians = 1
 Set /etc/hosts.deny to ALL: ALL  Don't allow source routed packets
 Many daemons compiled with support  net.ipv4.conf.all.accept_source_route = 0
 Find by using: egrep libwrap /usr/bin/* /usr/sbin/*  net.ipv4.conf.default.accept_source_route = 0
| sort  Turn on reverse path filtering
 For each program found, use its base name to set  net.ipv4.conf.all.rp_filter = 1
expected access rights (if there are any)Example:  net.ipv4.conf.default.rp_filter = 1
smbd: 192.168.1.  Don't allow outsiders to alter the routing tables
 http://linuxhelp.blogspot.com/2005/10/using-tcp-  net.ipv4.conf.all.accept_redirects = 0
wrappers-to-secure-linux.html
 net.ipv4.conf.default.accept_redirects = 0
 init  net.ipv4.conf.all.secure_redirects = 0
 Disable interactive boot by editing  net.ipv4.conf.default.secure_redirects = 0
/etc/sysconfig/init
 Don't pass traffic between networks or act as a
 Make PROMPT=no to disable router
 Also add password to single user mode. Edit  net.ipv4.ip_forward = 0
/etc/inittab  net.ipv4.conf.all.send_redirects = 0
 Add the following ~~:S:wait:/sbin/sulogin  net.ipv4.conf.default.send_redirects = 0


 at & cron  SELinux
 Only allow root and people with  Leave enabled and in enforcing mode
verified need to run cron jobs  Does not affect daemons it doesn't know
 Setup cron.allow and cron.deny about - unless they are started in a confined
 Setup equivalents if you have 'at' domain (note earlier suggestions for chroot
installed changes)
 sshd  Provides a behavioral model that known
 Enable only ssh2 protocol applications should be
 If multi-homed, consider if it needs to  following
listen on all addresses or just one  Can stop attacks before they become
 Do not allow root logins complete system breaches
 Consider adding group permission for  Use targeted policy
logins, AllowGroups wheel
 Strict and MLS should be used only if you
 MySQL
need that kind of protection
 If database is used internally to
machine, make it listen on localhost  Do boolean lockdown
 Change passwords  Review all booleans and set appropriately
 Apache getsebool -a
 Remove all unneeded modules  Generally, to secure the machine, look at

 Use mod_security to weed out
things that are set to “on” and change to
injection attacks “off” if they do not apply
 Set correct SE Linux Booleans to
maintain functionality and protection


 SELinux Boolean Lockdown  Access Control
 # getsebool -a | grep ' on'  Do not allow root logins
 allow_daemons_dump_core --> on  This messes up the audit system since root is a shared
account
 allow_daemons_use_tty --> on
 sshd and gdm have settings to disallow root login
 allow_execmem --> on
 allow_execstack --> on
 pam_tally2
 allow_gadmin_exec_content --> on  This is used to lockout an account for consecutive failed login
attempts
 allow_gssd_read_tmp --> on
 allow_kerberos --> on
 pam_access
 Used to forbid logins from certain locations, consoles, and
 allow_mounton_anydir --> on accounts
 allow_postfix_local_write_mail_spool --> on  /etc/security/access.conf controls its config
 allow_staff_exec_content --> on
 pam_time
 allow_sysadm_exec_content --> on
 Used to forbid logins during non-business hours
 allow_unconfined_exec_content --> on
 /etc/security/time.conf controls its config
 allow_unlabeled_packets --> on
 allow_user_exec_content --> on  pam_limits
 allow_xserver_execmem --> on  Used to limit maximum concurrent sessions and other user
restrictions
 allow_zebra_write_config --> on
 /etc/security/limits.conf controls its config
 browser_confine_xguest --> on
 httpd_builtin_scripting --> on
 pam_loginuid
 httpd_enable_cgi --> on  Used for all entry point daemons to set the task's loginuid
and session identifier. loginuid and session ID are inherited
 httpd_enable_homedirs --> on by all processes at fork Limit access to su command
 httpd_tty_comm --> on  Edit /etc/pam.d/su
 httpd_unified --> on  Uncomment the line saying require wheel to allow uid
 read_default_t --> on change “auth required pam_wheel.so use_uid”
 spamd_enable_home_dirs --> on  http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-
 user_ping --> on i731.pdf
 http://people.redhat.com/sgrubb/files/hardening-
rhel5.pdf

DNS SERVER SECURITY HARDENING

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to DNS SERVER SECURITY HARDENING

Similar to DNS SERVER SECURITY HARDENING (20)

More from ecarrow

More from ecarrow (6)

DNS SERVER SECURITY HARDENING