Dns Hardening Linux Os
Hardening a Linux Red Hat DNS Server and similar services
Presentation Transcript

  • DNS Server Security / Hardening Linux OS - Fedora 14 / RHEL
    Copyright Erwin L. Carrow. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires written permission from the author. Videos and specific graphics presented are not for public distribution.
    9/3/2011 Cyber Defense Security Presentation
  • Session Guide
    Erwin Carrow, IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc.
    Board of Regents, University System of Georgia; Office of Internal Audit and Compliance
    270 Washington Street S.W., Ste. 7087, Atlanta, GA 30334
    (404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
    Email: ecarrow@google.com, erwin.carrow@usg.edu, ecarrow@gmail.com
    http://www.linkedin.com/in/ecarrow
    http://twitter.com/ecarrow
    Skype: erwin.louis.carrow
  • Session Agenda
    - DNS Server Security & Hardening: "Down and Dirty" (4 slides)
    - Other DNS information included for your review (not elaborated on)
      - Internet threats & associated risks (2 slides)
      - DNS Service (3 slides)
        - Connecting hosts to services: protocols, transmission, network topology, & service request resolution
      - Controls to mitigate DNS service disruption (3 slides)
      - DNS "How-to" (7 slides)
        - Installation & configuration
        - DNS Hardening - local file system, application, managing access control
        - Network topology, architecture, & exchange
      - Helpful Hints (4 slides)
  • Key Takeaways
    - Understand what "high-level" requirements are needed to secure a DNS server and access to the service (lecture focus)
    - Slides for individual review (not elaborated on, but "How-to" provided)
      - Recognize common DNS service threats
      - Recognize the basic components & network topology for the implementation of a secure DNS service
      - Understand how to install, configure, secure, & administer a DNS service
      - Helpful hints that apply to any network service implementation
  • DNS Security & Hardening – Local System (1 of 4): Define, Discuss, Demonstrate, & Do
    - Configuring Service
      - Partitioning, Quotas, & ACLs
      - chroot / Jail application
      - tcpwrappers
      - PAM (Pluggable Authentication Modules)
      - SELinux http://fedoraproject.org/wiki/SELinux
      - IPTables (local Firewall)
    - Key Setup, Exchange, & Management
    - Local User Account Management
      - Limit remote service admin access
      - File permissions / mitigate escalation
      - Limit service access
      - Manage interdependent services, e.g., at & cron
    - Patch Management
    - Manage DNS Service Logs
    - Audit System Activity
  • DNS Security & Hardening - Network (2 of 4): Define, Discuss, Demonstrate, & Do
    - Manage User Identity & Access Control
    - Limit "Other" Services
      - NIC / routing: edit /etc/sysctl.conf
      - Run-levels / interactive boot
      - Uninstall or disable all services not needed
    - Configure & Secure NTP Exchanges
    - Define Server "Role & Responsibility" within Network Topology
    - DNS Zone & Records Management
    - Deployment, Queries, & Replication
      - In-band versus Out-of-band
      - Manage Key Exchange
      - TSIG – Update Exchanges
      - DNSSEC – Validate Sites & SOA
    - Network Proxy, Firewall, & IDS / IPS
    - Manage Service(s) Logs
  • DNS Security & Hardening: Network Topology (3 of 4): Define, Discuss, Demonstrate, & Do
    [network topology diagram; no transcript text]
  • Summary: DNS Security & Hardening (4 of 4): Define, Discuss, Demonstrate, & Do
    - Local System Configuration
      - Fence in the DNS playground
      - Limit ownership & access
      - Monitor Activity
    - Network Deployment & Topology
      - Security Threat Gateway (Firewall, Proxy, IDS / IPS, etc.)
      - Limit services, access, & disable routing functions
      - Manage Requests & Responses (Internal & External – Server to Client)
        - Zone or Record corruption
        - IP Spoofing
        - Cache Poisoning
        - Buffer Overflow – patch
        - Data interception / Impersonation
    - Track & Manage the Bouncing Bits & Bytes!
    - Vulnerability Matrix & Security Advisories
      https://www.isc.org/software/bind/security/matrix
      https://www.isc.org/advisories
  • Thank You for Your Patience & Participation - Any Questions?
    Gain a basic understanding of the requirements for securing and hardening a DNS server
  • Helpful Resources
    - Linux Server Security by Michael D. Bauer; O'Reilly
    - DNS and BIND by Paul Albitz & Cricket Liu; O'Reilly
    - Understanding Data Communications by Gilbert Held; Addison-Wesley
    - Local Area Network by David A. Stamper; Prentice Hall
    - Troubleshooting TCP/IP by Mark A. Miller; M&T Books
    - TCP/IP – Running a Successful Network by Kevin Washburn & Jim Evans; Addison-Wesley
    - ISC BIND page on DNSSEC - http://www.isc.org/software/bind/dnssec
    - DNSSEC deployment at the root zone - http://www.root-dnssec.org/
    - DNSSEC information for .org - http://www.pir.org/dnssec/
    - ENISA Good Practices Guide for Deploying DNSSEC - http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec
  • Appendix: Other Useful Information for Review
    - Security Threat (2 slides)
    - DNS Services (3 slides)
    - Security and tools for hardening DNS (3 slides)
    - Network Topology and Services
    - DNS Server (8 slides)
      - Installation
      - Setup / Configuration
      - Security & Administration
    - Helpful Hints (4 slides)
  • Security Threat (1 of 2): Define, Discuss, Demonstrate, & Do
    - Functional characteristic: secure, monitor, & mitigate malicious attempts to malign or disrupt network services
      - There are four general categories of security threats to the network: unstructured threats, structured threats, external threats, & internal threats http://ptgmedia.pearsoncmg.com/images/1587131625/samplechapter/1587131625content.pdf
      - Classes of attacks: reconnaissance attacks, access attacks, denial of service attacks, & worms, viruses, and Trojan horses
      - All of the following can be used to compromise your system: packet sniffers, IP weaknesses, password attacks, DoS or DDoS, man-in-the-middle attacks, application layer attacks, trust exploitation, port redirection, viruses, Trojan horses, operator error & worms
  • Security Threat - Attack vs. Knowledge (2 of 2): Define, Discuss, Demonstrate, & Do
    [Chart: attack sophistication over time, 1980 to 2010. X axis: Tool Capabilities and Ease of Use; Y axis: Intruder Knowledge (High to Low). Attack examples plotted on the chart: crimeware / SSL-evading malware, APT "stealth" / advanced scanning, distributed DOS, browser attacks, anti-forensics, sniffers, command & control, sweepers, web attacks, automated probes/scans, packet spoofing, DOS, back doors, worms, disabling audits, network attacks against DNS, SNMP, etc., GUI tools, Trojans, spoofing, session hijacking, viruses, exploiting known vulnerabilities, password cracking, self-replicating code, password guessing.]
  • DNS Services: Protocols, Topology, & Resolution (1 of 3): Define, Discuss, Demonstrate, & Do
    - Domain Name Service (DNS) provides IP address and Fully Qualified Domain Name (FQDN) request information to hosts
      - Type/Role: Authoritative, Recursive / Master (auth.), Slave (auth., load balancing & redundancy), Caching (no auth. – name to IP resolution), Forwarding (no auth.)
      - DHCP can dynamically populate DNS host records
    - Dynamic Host Configuration Protocol (DHCP) provides IP address, default router gateway, DNS, WINS, and other service information requested by a host to enable connectivity to various internal and external resources
      - Typically applied and configured to support an organization's intranet
      - Can be implemented locally to a specific broadcast domain, or requests forwarded through a relay agent
      - Host broadcasts a request & responds to the 1st DHCP server response received
      - Host leases information & requires a periodic renewal
      - Renewal request is sent to the initial DHCP server via unicast; if there is no response, the host broadcasts a service request
  • DNS Services: Protocols, Topology, & Resolution (2 of 3): Define, Discuss, Demonstrate, & Do
    - Topology Structure
      - Nodes & Zones
      - Root Domains, Delegation of Authority, & Start of Authority
        - Authority is delegated to lower levels in the hierarchy; each layer in the hierarchy may delegate authoritative control to the next lower level
      - Domains (SOA) Start of Authority for FQDN, e.g., redhat.com, where one or more DNS server IP addresses are registered with the Internet Corporation for Assigned Names and Numbers (ICANN)
      - Sub-domains – internally controlled DNS servers that segment organization resources
      - Naming convention (FQDN)
    - Transmission methodology
      - Host request / resolver: /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts
      - Server types & role: primary-master; secondary-slave; & caching-only/forwarders
      - DNS resolution service
        - Iterative queries: sends FQDN and requests either the IP address of the domain or the FQDN of an authoritative DNS server (typically host's resolver to primary DNS server and then DNS server to server exchanges until resolution or invalid)
        - Recursive queries: sends FQDN to DNS server and asks for the IP address of the domain (similar to above)
      - Process: query, cache, & response
        - FQDN -> IP address
        - IP address -> FQDN (reverse lookup domains)
      - Creates dynamic entries in DNS tables
      - Static DNS record entries for domain services
      - DHCP can be dynamically linked to local DNS for internal hostname resolution
  • DNS Services: Protocols, Topology, & Resolution (3 of 3): Define, Discuss, Demonstrate, & Do
    - Answer the question: "How will a server fit into the big picture for the network?"
    - DNS Server Service Role & Types of Exchanges
      - Master: (SOA) authoritative
      - Slave: (SOA?) authoritative (replicate Master) or non-authoritative (partitioned out or partial load-balancing)
      - Caching: non-authoritative; static or dynamic updates
      - Forwarding: non-authoritative
    - Network Topology Location
      - Service query response service support for: External (Internet), DMZ, Internal (Intranet), host based (Caching)
      - http://www.dnsbl.info/dnsbl-list.php
    - Content Management
      - Zones - created to distinguish domains and catalogue host records
      - DB file / record characteristics:
        - Name
        - TTL – Time to live (how long the record is cached)
        - Class - IN for Internet, the only record class supported in DNS
        - Type – per listing below
        - Data - content specific to record type
      - Record Types:
        - Start of Authority (SOA) - information that identifies the top of the zone and other general properties
        - Address (A or AAAA) IPv4/IPv6
        - Canonical name (CNAME) - alias
        - Host information (HINFO)
        - Mail exchange (MX) - mail server
        - Name server (NS) – DNS servers
        - Pointer (PTR) - reverse lookup IP to FQDN
        - Text (TXT)
        - Well-known services (WKS)
  • DNS Service: Security Considerations (1 of 3): Define, Discuss, Demonstrate, & Do
    - Where will the application physically reside on the local OS?
      - Partition type, quotas, & ACLs
        - Manage space allocation
        - Prevent hard links to programs; facilitate precise control over mount options
        - Limits user access or influence
        - Allow minimal privileges via mount options
      - Chroot Jail the DNS application
        - If the service is compromised, limits user rights & privilege escalation; if a local user is compromised, limits influence on the application
        - Function? Runs a process with a root directory other than /
          $ /usr/sbin/chroot /home/user_name/existing_directory
        - Challenge is to include interdependent binaries / library files in the "Jail" environment
        - Once set up, change to the location and start the service or application
    - How will you manage DNS's local functional influence? Must manage the application's ability to influence overall system functionality!
      - SELinux (alt. AppArmor)
        - http://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-selinux.html
        - http://www.nsa.gov/research/selinux/index.shtml
        - http://hackinglinux.blogspot.com/2007/05/selinux-tutorial.html
      - PAM – Pluggable Authentication Modules (Access Control)
        - http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html
    - How will you manage access to the service?
      - TCPWrappers: /etc/hosts.allow & /etc/hosts.deny; daemon_list : client_list [: command]
      - Firewall local and remote settings: IPTables
    - Disable all unneeded services!
    - Enable application auditing
    - Log Management – monitor activity and event types!
  • DNS Service: Security Considerations (2 of 3): Define, Discuss, Demonstrate, & Do
    - DNS Service Access Control: sample exploit write-up http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
      - Access Control Lists (ACLs)
      - TSIG Transactions – shared hashed key
      - DNSSEC: relies on public/private key authentication. The DNSSEC specifications (RFC 4033, RFC 4034 and RFC 4035, augmented with others) answer three questions:
        - Authentication - the DNS responding really is the DNS that the request was sent to.
        - Integrity - the response is complete and nothing is missing or changed.
        - Proof of non-existence - if the DNS returns a status that the name does not exist (NXDOMAIN), this response can be proven to have come from the authoritative server.
      - RHEL: # dns-keygen, then edit /etc/rndc.key [insert key]; or RHEL/Fedora: # rndc-confgen > /etc/rndc.conf; rndc status
    - Use DNSSEC to verify recursive DNS results
      - Default DNS BIND configuration in RHEL 6:
          options { dnssec-enable yes; dnssec-validation yes; };
      - In /etc/named.conf a "trust anchor" is set to trust the root DNSKEY:
          managed-keys {
              /* not the real root key */
              "." initial-key 257 3 5 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEf
              K3clRbGaTwSJxrGkxJWoZu6I7PzJu/E9
              gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9
              mZhkdUpd1Vso/HAdjNe8L";
          };
      - Testing the validating recursive DNS server: # dig www.example.com +dnssec
  • DNS Service: Security Considerations (3 of 3): Define, Discuss, Demonstrate, & Do
    - Authoritative Server: Configuration Overview
      - Create a normal DNS zone file (1)
      - Generate the zone-signing key and key-signing key (2)
      - Add DNSKEY records for both keys to the zone file (3)
      - Sign the zone (creates RRSIG and NSEC/NSEC3) (4)
      - Point /etc/named.conf at the signed zone file (5)
      - Reload the zone (6)
      - Provide the DS record for the zone's KSK to your parent zone (7)
    - (1) Set up DNSSEC with each signed zone having its own directory, and a zone file with the same name as the zone
      - /var/named/example.com/example.com would be the zone file for the zone example.com
      - Directory and zone file need to be readable by group named and have SELinux type named_zone_t
    - (2) Generating the ZSK and KSK
      - Change to the zone files directory in /var/named: # cd /var/named/example.com/
      - Create the zone-signing key (ZSK): # dnssec-keygen example.com
      - Create the key-signing key (KSK): # dnssec-keygen -fk example.com
      - Both dnssec-keygen commands should add the -3 option if you want to use NSEC3 records
    - (3) Add the keys to the zone file
      - Each command results in two key pair files: Kexample.com+005+00000.{key,private}
      - Add the public key files to the zone file: # cat *.key >> /var/named/example.com/example.com
    - (4) Manually sign the zone file
      - Sign the zone manually: # dnssec-signzone example.com
      - Add the -3 option if you want NSEC3 records
      - Active keys in the zone are automatically used
      - Creates the example.com.signed file
      - BIND 9.7 has a number of new features to support automatic signing on dynamic update, key rotation management, and so on; see the documentation in /usr/share/doc/bind-9.7*/arm/
    - (5) Update zone directive and reload zone
      - The zone directive in /etc/named.conf needs to be pointed at the signed file:
          zone "example.com" IN {
              type master;
              file "example.com/example.com.signed";
          };
    - (6) Reload the zone to make changes take effect
      - # service named reload | rndc reload
    - (7) Provide DS record to parent zone operator
      - If the parent zone is DNSSEC signed and ready, provide your zone's DS record to your registrar
      - You can generate it from your zone file if necessary: # cd /var/named/example.com/; # dnssec-dsfromkey -f example.com
      - Creates the dsset-example.com. file containing DS records
    - http://www.redhat.com/promo/summit/2010/presentations/taste_of_training/Summit_2010_DNSSEC.pdf
  • Network Services: Protocols, Topology, & Resolution: Define, Discuss, Demonstrate, & Do
    [diagram slide; no transcript text]
  • DNS Server – Install, Setup, & Administration (1 of 7): Define, Discuss, Demonstrate, & Do
    - Client / Server: Resolver settings
      - How will queries be made?
      - Resolution priority & precedence search method - edit local system files /etc/nsswitch.conf; /etc/hosts; /etc/resolv.conf
    - Consider who the DNS server will support (internal/external)
      - Only serve DNS for those types
      - Segregate support requirements – don't do both in one server instance
      - Do not arbitrarily allow zone transfers or do recursion
    - Partition and ACL setup:
      - Install & configure ACL
        - # yum install acl
        - Edit /etc/fstab: "/dev/hdc1 /var/named ext4 defaults,acl 1 2"
        - # mount -t ext4 -o acl,remount /dev/hdc1 /var/named
      - Apply security via getfacl & setfacl
        - # setfacl -m u:named:rwx /var/named
      - Prevent hard links to setuid programs
      - Specify precise control over mount options
      - Allow minimal privileges via mount options
        - Modify /etc/fstab: noexec on everything possible; nodev everywhere except / and chroot partitions; nosuid everywhere except /
      - Consider making /var/tmp a link to /tmp, or maybe use the mount --bind option
    - GUI Management Utility - http://www.webmin.com/
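An added example (not from the slides) that turns the mount-option rules above into a check: it reads fstab lines and reports every mount point that lacks nosuid (all but /), nodev (all but / and the chroot partition), noexec (treated the same way as nodev, since the slide copies binaries into the chroot), or acl on /var/named. The fstab content and device names are constructed for the demo; the chroot mount point defaults to /var/named/chroot as on the slides.

```shell
#!/bin/sh
# Audit an fstab against the slide's mount-option rules. Constructed sample
# input; /dev/hdcN and the mount points are hypothetical.

SAMPLE_FSTAB='
# device          mountpoint         fstype  options                  dump pass
/dev/hdc0         /                  ext4    defaults                 1 1
/dev/hdc1         /var/named         ext4    defaults,acl             1 2
/dev/hdc2         /tmp               ext4    defaults,nodev,nosuid    1 2
/dev/hdc3         /var/named/chroot  ext4    defaults,nosuid,noexec   1 2
/dev/hdc4         /home              ext4    defaults,noexec          1 2
/dev/hdc5         swap               swap    defaults                 0 0
'

# has_opt OPTIONS NAME: true if NAME is one of the comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab [CHROOT_MOUNTPOINT]: reads fstab on stdin, prints one
# "<mountpoint> <missing-option>" line per violation, returns 1 if any.
audit_fstab() {
    chroot_mp="${1:-/var/named/chroot}"
    rc=0
    while read -r dev mp fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # blank or comment line
        [ "$fstype" = swap ] && continue            # no mount options apply
        # nosuid everywhere except /
        if [ "$mp" != "/" ] && ! has_opt "$opts" nosuid; then
            echo "$mp nosuid"; rc=1
        fi
        # nodev and noexec everywhere except / and the chroot partition
        if [ "$mp" != "/" ] && [ "$mp" != "$chroot_mp" ]; then
            if ! has_opt "$opts" nodev; then echo "$mp nodev"; rc=1; fi
            if ! has_opt "$opts" noexec; then echo "$mp noexec"; rc=1; fi
        fi
        # the zone directory needs acl so setfacl works on it
        if [ "$mp" = "/var/named" ] && ! has_opt "$opts" acl; then
            echo "$mp acl"; rc=1
        fi
    done
    return $rc
}

# Demo run on the constructed sample: lists the six missing options.
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "fstab audit: violations found"
```

Pipe the real file in with `audit_fstab < /etc/fstab` to check a host.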
  • DNS Server – Install, Setup, & Administration (2 of 7): Define, Discuss, Demonstrate, & Do
    - Identify type of server and location
      - Master, Slave, Caching, or Forwarding
    - Server setup:
      - Install – bind, bind-utils, bind-chroot [jail application], caching-nameserver [RHEL - install for cache server function], system-config-bind
      - Network interface configuration:
        - Define & apply a static IP address to the interface
        - Modify /etc/sysconfig/network-scripts/ifcfg-ethX; PEERDNS=no
        - Modify /etc/hosts; place host name to IP address entries for resources for DNS lookups [optional]
        - Modify /etc/resolv.conf; insert at the beginning of the file: nameserver 127.0.0.1
      - Security considerations
        - Chroot / Jail the application due to ever changing & challenging security issues
          - # yum install bind-chroot
          - /var/named/chroot/etc/named.conf
          - Copy dependent binaries & libraries into the chroot directory and manage links
          - Modify /etc/sysconfig/named and set the ROOTDIR shell variable to /var/named/chroot, e.g., ROOTDIR="/var/named/chroot"
          - Test - do an inode comparison
            - # ls /var/named/chroot/var/named
            - # ls -ldi /var/named/chroot/var/named
            - # ls -ldi /var/named
            - # service named start
            - # ls -ldi /var/named/chroot/var/named [should now reflect the /var/named inode]
  • DNS Server – Install, Setup, & Administration (3 of 7): Define, Discuss, Demonstrate, & Do
    - More security considerations http://www.puschitz.com/SecuringLinux.shtml
      - Modify / edit Firewall & SELinux settings: allow TCP & UDP port 53
      - Secure transaction exchange:
        - TSIG signatures – hashed key exchange to support secure record exchange / replication
        - Time synchronization is critical – if a TSIG exchange fails, check the time
      - Split Horizon server / Proxy Server
        - Place in DMZ; internal versus external name resolution can support two different query types, not recommended
      - Logs
        - /var/log/messages [assume DNS chroot]
        - # mkdir -p /var/named/chroot/var/log/bind
        - # chmod 744 /var/named/chroot/var/log/bind
        - # chown named /var/named/chroot/var/log/bind
        - # ls -ld /var/named/chroot/var/log/bind
      - NTP time services must be properly configured and secured
  • DNS Server – Install, Setup, & Administration (4 of 7): Define, Discuss, Demonstrate, & Do
    - Server Service
      - Init & start – # chkconfig named on; service named start
      - Service modification – # service network [stop | start | restart]
      - RHEL configuration test - # service named configtest
      - Documentation –
        - http://www.zytrax.com/books/dns/
        - file:///usr/share/doc/bind-9.7.2/arm/Bv9ARM.html
    - Server configuration:
      - Edit /etc/named.conf
        - See /usr/share/doc/bind*/sample/ for example named configuration files
        - RHEL and Fedora have distinctions [see page 786 for details]
      - Determine type/role of DNS server(s) per topology design or requirements
        - Master, Slave, or Caching
      - Modify settings
      - Create Zones: root domains, local global domains, & reverse lookup domain
      - Configure security – exchange methods & keys
      - Populate domains with appropriate static records, e.g., name server (NS), mail server (MX), host records (A/AAAA), service records (IP and service port specific), reverse lookup record (PTR), etc.
      - Restart services
      - Zone information is located in /var/named
  • DNS: Server – Install, Setup, & Administration (5 of 7): Define, Discuss, Demonstrate, & Do
    Only common references below; change the file system locations below to the jailed DNS file locations
    - Caching-Only Server
      - # yum install -y caching-nameserver
      - # cp /etc/named.caching-nameserver.conf /etc/named.conf
    - Slave zone files
      - # ls /var/named/slaves
    - Manually pull the Master file to the Slave
      - # dig -t axfr zone_name.com @servername
    - RHEL6: /var/named is not writable
      - Zone modifications go in /var/named/dynamic; then update /etc/named.conf
    - Local System Security Settings
      - ACL
        - Define an ACL directive: acl "local-net" { 127.0.0.1; 192.168.1.0/24; };
        - Place in named.conf: allow-transfer { local-net; }; allow-query { local-net; };
      - User Access
        - DNS files owned by the application "named user" and not root!
        - # chown root:named /etc/named/*; chown root:named /var/named/*;
      - IPTables – Firewall security settings – general settings provided
        - # iptables -I INPUT 5 -p udp -m udp --dport 53 -j ACCEPT
        - # iptables -I INPUT 5 -p tcp -m tcp --dport 53 -j ACCEPT
        - # iptables -I INPUT 5 -p tcp -m tcp --dport 953 -j ACCEPT [rndc control channel]
        - # service iptables save; service iptables restart
      - SELinux
        - # getsebool -a | grep named_dis
        - # setsebool -P named_disable_trans=1
        - # chcon -t named_conf_t /etc/named.conf
        - # ls -Z /etc | grep named.conf
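An added example (not from the slides) that checks a named.conf for the access-control settings the slide calls for: allow-transfer and allow-query restricted to an ACL rather than any, and recursion either off or limited by allow-recursion. It assumes the internal-server role of the slide's "local-net" example; both configurations below are constructed, and the comment stripping handles // and # line comments and single-line /* */ blocks only.

```shell
#!/bin/sh
# Check a named.conf (read on stdin) for open zone transfers, open queries and
# open recursion. Constructed sample configurations follow.

WEAK_CONF='
options {
    directory "/var/named";
    recursion yes;                 // recursion for every client
    allow-transfer { any; };       // zone transfers to any host
};
zone "example.com" IN { type master; file "example.com.zone"; };
'

HARDENED_CONF='
acl "local-net" { 127.0.0.1; 192.168.1.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { local-net; };
    allow-query     { local-net; };
    allow-transfer  { local-net; };
};
zone "example.com" IN { type master; file "example.com.zone"; };
'

# normalize_conf: drop comments, join lines, remove whitespace around { } ;
# so that statements can be matched as e.g. "allow-transfer{any;}"
normalize_conf() {
    sed -e 's|//.*$||' -e 's|#.*$||' | tr '\n' ' ' \
      | sed -e 's|/\*[^*]*\*/||g' \
            -e 's/[[:space:]]*\([{};]\)[[:space:]]*/\1/g' \
            -e 's/[[:space:]][[:space:]]*/ /g'
}

# has_stmt CONF NAME: the statement NAME { ... } is present
has_stmt() { case "$1" in *"$2{"*) return 0 ;; *) return 1 ;; esac; }
# is_any CONF NAME: the statement's address list is { any; }
is_any()   { case "$1" in *"$2{any;}"*) return 0 ;; *) return 1 ;; esac; }

# check_named_conf: prints one finding per line, returns 1 if any were found
check_named_conf() {
    conf=$(normalize_conf)
    rc=0
    if ! has_stmt "$conf" allow-transfer; then
        echo "allow-transfer: not set, zone transfers are open to any host"; rc=1
    elif is_any "$conf" allow-transfer; then
        echo "allow-transfer: any, restrict to the secondaries or an acl"; rc=1
    fi
    if ! has_stmt "$conf" allow-query; then
        echo "allow-query: not set, defaults to any"; rc=1
    elif is_any "$conf" allow-query; then
        echo "allow-query: any, restrict to the clients this server serves"; rc=1
    fi
    case "$conf" in
        *"recursion no;"*) ;;   # authoritative-only server: nothing to check
        *)
            if ! has_stmt "$conf" allow-recursion; then
                echo "recursion: enabled for all clients (open resolver), set allow-recursion or recursion no"; rc=1
            elif is_any "$conf" allow-recursion; then
                echo "allow-recursion: any (open resolver)"; rc=1
            fi ;;
    esac
    return $rc
}

# Demo: three findings for the weak configuration, none for the hardened one.
echo "== weak =="
printf '%s\n' "$WEAK_CONF" | check_named_conf || echo "(findings above)"
echo "== hardened =="
printf '%s\n' "$HARDENED_CONF" | check_named_conf && echo "no findings"
```

On a server, run `check_named_conf < /etc/named.conf` (or the chroot copy) after each configuration change.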
  • DNS: Server Key Exchange Setup (6 of 7): Define, Discuss, Demonstrate, & Do [RHEL]
    Only common references below; change the file system locations below to the jailed DNS file locations
    - Modify named.conf and insert: include "/etc/rndc.key";
    - Create key: # dns-keygen
      [Fedora: $ /usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -n HOST keyname; $ cat Kkeyname.+243+14321.private – similar to below, see page 803]
    - Create key file: # vi /etc/rndc.key
        key "rndckey" {
            algorithm hmac-md5;
            secret "aresrntynratbYjhjdslo863eWEDvOVCmdvfvb";  /* not a real key */
        };
    - Create config file: # rndc-confgen > /etc/rndc.conf
    - Edit /etc/rndc.conf and paste in the key content listed above
    - Edit named.conf & add:
        controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; }; };
        include "/etc/rndc.key";
    - Change ownership of files
      - # chown root:named /etc/rndc.*
      - # chmod 400 /etc/rndc.*; service named configtest; service named restart; rndc status
      - # chcon -t named_conf_t rndc.key rndc.conf;
    - Logs: /var/log/bind; /var/log/messages
  • DNS Service Security: Topology ACLs / Key Exchange (7 of 7): Define, Discuss, Demonstrate, & Do
    [diagram slide; no transcript text]
  • DNS Server – Helpful Hints for Setup & Administration (1 of 4): Define, Discuss, Demonstrate, & Do
    - GUI - system-config-network; system-config-network-tui
    - CLI Configure Service & Status
      - # service --status-all (state of services on the system)
      - # service service_name [stop | start | restart | status]
      - # chkconfig service_name [on | off]
      - # service service_name configtest
      - # netstat -tupl (internet services on a system); netstat -tup (active connections to/from system); netstat -tanp | grep LISTEN
    - CLI Configure Interface & Routes
      - $ ifconfig interface up|down
      - Check out $ ethtool eth0 – must be installed
      - Server: static configuration per node w/ host FQDN, host IP, subnet mask, default gateway, & DNS server IP
      - $ ip
      - # ip addr add 1.2.3.4/24 brd + dev eth0 (add or delete IP & subnet mask)
      - # ip route add default via 1.2.3.254 (add or delete default gateway – change default to a network address to create a static route)
      - # ip link set dev eth0 up (bring interface up or down)
      - # ip addr show; ip -s link; ip route show; hostname -i; ip or route commands
      - # route add default gw 192.168.1.1 [destination address] eth0 [interface on the same network as the destination gateway address]
      - Edit related files: /etc/sysconfig/network; /etc/sysconfig/network-scripts; /etc/init.d/network "start, restart, or stop"
    - CLI Query Resolver
      - $ dig fully_qualified_domain_hostname; dig -x ip_address; dig -t MX fully_qualified_domain_hostname
      - $ host ip_address; hostname; nslookup FQDN or IP_ADD; ping FQDN or IP_ADD; whois domain_name (lookup info for hostname or ip address)
      - Troubleshooting methodology: start with the local host -> remote host or service
        - Check local interface (hostname, ifconfig, iwconfig, ping, netstat)
        - Check local gateway, route or shout? (ping, route, traceroute)
        - Check local services: ACLs, firewall, proxy, DNS, file share, etc. (netstat, dig, hosts, nslookup)
        - Check remote host services or resources (ping, finger, jwhois, lynx, nmap, mtr, browsers)
      - Key file locations: /sbin; /etc/sysconfig/network-scripts
      - http://lartc.org/howto/lartc.rpdb.multiple-links.html
      - http://www.itsyourip.com/Linux/howto-add-a-persistent-static-route-in-redhat-enterprise-linux/
  • DNS Server – Helpful Hints for Network Settings (2 of 4): Define, Discuss, Demonstrate, & Do
    - Edit /etc/sysctl.conf settings
      - Don't reply to broadcasts. Prevents joining a smurf attack
        net.ipv4.icmp_echo_ignore_broadcasts = 1
      - Enable protection for bad icmp error messages
        net.ipv4.icmp_ignore_bogus_error_responses = 1
      - Enable syncookies for SYN flood attack protection
        net.ipv4.tcp_syncookies = 1
      - Log spoofed, source routed, and redirect packets
        net.ipv4.conf.all.log_martians = 1
        net.ipv4.conf.default.log_martians = 1
      - Don't allow source routed packets
        net.ipv4.conf.all.accept_source_route = 0
        net.ipv4.conf.default.accept_source_route = 0
      - Turn on reverse path filtering
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.default.rp_filter = 1
      - Don't allow outsiders to alter the routing tables
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.default.accept_redirects = 0
        net.ipv4.conf.all.secure_redirects = 0
        net.ipv4.conf.default.secure_redirects = 0
      - Don't pass traffic between networks or act as a router
        net.ipv4.ip_forward = 0
        net.ipv4.conf.all.send_redirects = 0
        net.ipv4.conf.default.send_redirects = 0
    - Disabling unnecessary daemons that are "Listening"
      - Locate the pid in the netstat command
      - cat /proc/<pid>/cmdline
      - If not a full path, run which or locate to find the utility
      - rpm -qf full_path_of_daemon
      - rpm -e package_name
      - If difficult to remove due to dependencies: chkconfig <service> off
    - tcp_wrappers
      - Even if iptables is in use, configure this just in case
      - Set /etc/hosts.deny to ALL: ALL
      - Many daemons are compiled with support
      - Find them by using: egrep libwrap /usr/bin/* /usr/sbin/* | sort
      - For each program found, use its base name to set expected access rights (if there are any). Example: smbd: 192.168.1.
      - http://linuxhelp.blogspot.com/2005/10/using-tcp-wrappers-to-secure-linux.html
    - init
      - Disable interactive boot by editing /etc/sysconfig/init: make PROMPT=no to disable
      - Also add a password to single user mode. Edit /etc/inittab and add the following: ~~:S:wait:/sbin/sulogin
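An added example (not from the slides) that compares a sysctl.conf, or the "key = value" output of sysctl -a, against the sixteen values listed above and reports each key that is missing or set differently. The sysctl.conf content below is constructed for the demo.

```shell
#!/bin/sh
# Audit sysctl settings against the slide's hardening list. Input on stdin.

# Expected values, exactly as listed on the slide.
EXPECTED='
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
'

# Constructed sample of a partially hardened /etc/sysctl.conf: forwarding is
# still on and most of the redirect settings are absent.
SAMPLE_SYSCTL='
# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
'

# audit_sysctl: reads "key = value" lines on stdin; prints
# "<key> expected=<E> actual=<A>" per deviation (actual=unset when the key is
# absent); returns 1 if anything deviates, 0 when fully compliant.
audit_sysctl() {
    # strip comments and blanks, normalize "key = value" to "key=value"
    actual=$(sed -e 's/#.*$//' \
                 -e 's/[[:space:]]*=[[:space:]]*/=/' \
                 -e '/^[[:space:]]*$/d' \
                 -e 's/^[[:space:]]*//')
    rc=0
    for entry in $EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        # the last occurrence wins, as it does for sysctl -p itself
        got=$(printf '%s\n' "$actual" | grep "^${key}=" | tail -n 1)
        got=${got#*=}
        [ -n "$got" ] || got=unset
        if [ "$got" != "$want" ]; then
            echo "$key expected=$want actual=$got"; rc=1
        fi
    done
    return $rc
}

# Demo run: ten deviations for the constructed sample.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl || echo "sysctl audit: deviations found"
```

To check the running kernel rather than the file, use `sysctl -a 2>/dev/null | audit_sysctl`.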
  • DNS Server – Helpful Hints for Network Settings (3 of 4): Define, Discuss, Demonstrate, & Do
    - at & cron
      - Only allow root and people with a verified need to run cron jobs
      - Set up cron.allow and cron.deny
      - Set up the equivalents if you have at installed
    - sshd
      - Enable only the ssh2 protocol
      - If multi-homed, consider whether it needs to listen on all addresses or just one
      - Do not allow root logins
      - Consider adding group permission for logins: AllowGroups wheel
    - MySQL
      - If the database is used internally to the machine, make it listen on localhost
      - Change passwords
    - Apache
      - Remove all unneeded modules
      - Use mod_security to weed out injection attacks
    - SELinux
      - Leave enabled and in enforcing mode
      - Does not affect daemons it doesn't know about - unless they are started in a confined domain (note earlier suggestions for chroot changes)
      - Provides a behavioral model that known applications should be following
      - Can stop attacks before they become complete system breaches
      - Use the targeted policy
      - Strict and MLS should be used only if you need that kind of protection
      - Do boolean lockdown
        - Review all booleans and set appropriately: getsebool -a
        - Generally, to secure the machine, look at things that are set to "on" and change to "off" if they do not apply
        - Set correct SELinux Booleans to maintain functionality and protection
  • DNS Server – Helpful Hints for Network Settings (4 of 4): Define, Discuss, Demonstrate, & Do
    - SELinux Boolean Lockdown
      - # getsebool -a | grep on
        allow_daemons_dump_core --> on
        allow_daemons_use_tty --> on
        allow_execmem --> on
        allow_execstack --> on
        allow_gadmin_exec_content --> on
        allow_gssd_read_tmp --> on
        allow_kerberos --> on
        allow_mounton_anydir --> on
        allow_postfix_local_write_mail_spool --> on
        allow_staff_exec_content --> on
        allow_sysadm_exec_content --> on
        allow_unconfined_exec_content --> on
        allow_unlabeled_packets --> on
        allow_user_exec_content --> on
        allow_xserver_execmem --> on
        allow_zebra_write_config --> on
        browser_confine_xguest --> on
        httpd_builtin_scripting --> on
        httpd_enable_cgi --> on
        httpd_enable_homedirs --> on
        httpd_tty_comm --> on
        httpd_unified --> on
        read_default_t --> on
        spamd_enable_home_dirs --> on
        user_ping --> on
    - Access Control
      - Do not allow root logins
        - This messes up the audit system since root is a shared account
        - sshd and gdm have settings to disallow root login
      - pam_tally2
        - Used to lock out an account after consecutive failed login attempts
      - pam_access
        - Used to forbid logins from certain locations, consoles, and accounts
        - /etc/security/access.conf controls its config
      - pam_time
        - Used to forbid logins during non-business hours
        - /etc/security/time.conf controls its config
      - pam_limits
        - Used to limit maximum concurrent sessions and other user restrictions
        - /etc/security/limits.conf controls its config
      - pam_loginuid
        - Used by all entry point daemons to set the task's loginuid and session identifier. loginuid and session ID are inherited by all processes at fork
      - Limit access to the su command
        - Edit /etc/pam.d/su
        - Uncomment the line requiring wheel to allow a uid change: "auth required pam_wheel.so use_uid"
      - http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
      - http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf