1. Locking Down Your FreeBSD Install (Black Hat 6, Rich Murphey)
2. Locking Down Your FreeBSD Install
3. Locking Down Your FreeBSD Install
   - Establish a security policy
4. Security Management (cycle diagram; labels: Policy, Plan, Act, Harden, Access Control, Monitor, Audit, React)
5. Security Policy
   - A high-level overall plan embracing the general goals and acceptable procedures.
6. Formulating Policy
   - What are the goals?
   - What are the procedures?
   - What is the impact?
7. Formulating Policy
   - What are the goals?
     - What, why, who.
   - What are the procedures?
     - Roles and responsibilities.
   - What is the impact?
     - Network, applications, users.
8. Policy Example
   - How does one define a firewall policy...
9. Policy Example
   - "Don't talk to strangers."
   - "In God we trust. All else we monitor."
10. Policy Example
   - "Don't talk to strangers."
     - Authenticate everything.
   - "In God we trust. All else we monitor."
     - Log all exceptions.
11. Policy Example
   - How do we lock down FreeBSD?
   - Default deny
   - Authenticate everything
   - Log all exceptions
12. Default Deny
   - Block non-routable, spoofed and source-routed IP.
   - Allow TCP only from specific subnets to specific ports.
13. Authenticate Everything
   - Narrow anonymous services
     - TFTP, FTP, HTTP.
   - Disable clear-text authentication
     - Telnet, FTP, HTTP.
   - Enforce strong authentication
     - SSH, SSL/HTTP.
   - Audit (log) all authentication.
14. Log All Exceptions
   - Spoofing
   - Denied access
   - plus, run Snort.
15. Elements of Security Policy
   - Act:
     - Harden
     - Control access
   - React:
     - Assess
     - Monitor
16. Hardening the Network
   - IP stack
   - Firewall rules
   - inetd / TCP Wrappers
   - Control access
17. IP Stack
   - Log connection attempts to nonexistent servers:
     # sysctl -w net.inet.tcp.log_in_vain=1
     # sysctl -w net.inet.udp.log_in_vain=1
18. IPFW Firewall
   - In /etc/rc.conf:
     firewall_enable="YES"
     firewall_type="SIMPLE"
     firewall_logging="YES"
19. inetd
   - inetd uses TCP Wrappers by default.
   - IPsec policy in inetd.conf:
     #@in ipsec ah/transport//require
     #@out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
20. inetd
   - /etc/hosts.deny:
     ALL: ALL
   - /etc/hosts.allow:
     ALL: LOCAL @some_netgroup
     ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
   - Verify the rules: % tcpdchk -v
21. IPsec
   - Key distribution
   - Authentication
22. Hardening FreeBSD
   - Hardening the host
23. Hardening the Host
   - Known vulnerabilities
   - Install options
   - Configuration
24. Known Vulnerabilities
   - zlib: decompress crash
   - Squid: DNS response crash
   - mod_frontpage: fpexec overflow
   - Netscape: JavaScript in GIF
   - OpenSSH: root buffer overflow
25. Fixing Known Vulnerabilities
   - pkg_add the latest version
   - ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable
26. Secure Level
   - Can be raised but not lowered, even by root.
   - /etc/rc.conf:
     kern_securelevel_enable="YES"
     kern_securelevel="3"
   - If kern.securelevel > 0, even root within a jail cannot set file flags.
   - Only rebooting lowers it. Dropping to single-user mode doesn't.
27. Secure Level 1
   - Cannot remove immutable and append-only flags.
   - Cannot mount file systems.
   - Cannot write to /dev/mem, /dev/kmem.
     - Breaks XFree86!!!
   - Cannot load kernel modules.
28. Secure Level 2
   - Only `mount' may open disks for writing.
   - Time changes are limited to one second.
   - Level 3:
     - ipfw and dummynet configuration are fixed.
29. Caveats
   - One must still harden the boot process (loader, autoconfig) because securelevel is set late in the boot process.
30. Harden User Land
   - Protect against free-space exhaustion, in rc.conf:
     check_quotas="YES"
   - Protect against set-uid files in /home and /var (fstab entry):
     /dev/ad…  /home  ufs  rw,nosuid,userquota
31. Hardening User Land
   - Block broadcast/multicast pings, in /etc/sysctl.conf:
     net.inet.icmp.bmcastecho=0
   - Hide logs, in /etc/newsyslog.conf:
     /var/log/authlog  root:wheel  600  3  100  *  Z
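As an added example (not from the slides), a small POSIX sh audit that reads an rc.conf and a sysctl.conf and reports which of the settings from slides 17, 18, 26, 30 and 31 are missing or wrong; the file names, the `conf_value`/`expect`/`audit` helpers and the sample file contents are all constructed here.

```shell
#!/bin/sh
# Added example (not from the slides): audit an rc.conf and a sysctl.conf
# against the settings this deck recommends. Assumes the key="value"
# syntax of those files, where a later assignment overrides an earlier one.

# conf_value FILE KEY: last value assigned to KEY, quotes stripped, comments
# ignored; prints nothing when the key is absent.
conf_value() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# expect FILE KEY WANT: print one finding when KEY is missing or differs.
expect() {
    got=$(conf_value "$1" "$2")
    [ "$got" = "$3" ] || echo "$1: $2 is '${got:-unset}', want '$3'"
}

# audit RC SYSCTL: run every check from the deck; prints the findings and
# returns 1 when there is at least one, 0 when the host passes.
audit() {
    {
        expect "$1" firewall_enable YES
        expect "$1" firewall_logging YES
        expect "$1" kern_securelevel_enable YES
        expect "$1" check_quotas YES
        expect "$2" net.inet.tcp.log_in_vain 1
        expect "$2" net.inet.udp.log_in_vain 1
        expect "$2" net.inet.icmp.bmcastecho 0
        lvl=$(conf_value "$1" kern_securelevel)
        case "$lvl" in
            1|2|3) ;;
            *) echo "$1: kern_securelevel is '${lvl:-unset}', want 1, 2 or 3" ;;
        esac
    } | grep . && return 1
    return 0
}

# Constructed sample files so the script runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/rc.conf" <<'EOF'
firewall_enable="YES"
firewall_type="SIMPLE"
kern_securelevel_enable="YES"
kern_securelevel="3"   # raised at boot, only a reboot lowers it
EOF
printf 'net.inet.tcp.log_in_vain=1\n' > "$tmp/sysctl.conf"
if audit "$tmp/rc.conf" "$tmp/sysctl.conf"; then echo "PASS"; else echo "FAIL"; fi
```

The sample host fails on four counts (no firewall logging, no quota check, no UDP log_in_vain, bmcastecho left on); adding those four lines makes the audit pass.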
32. Harden the Executables
   - chflags schg /kernel
   - chflags -R schg /bin /sbin
33. Hardening Services
   - DNS: restrict zone transfers
   - HTTP: disable CGI
   - Samba: IP address ACLs
   - Email: spam, filtering
   - telnet, FTP, finger: don't
34. SSH (Secure Shell)
   - hosts.allow
   - RSA authentication
   - Listen on a non-standard port
35. Auditing
   - Authentication for:
     - HTTP
     - FTP
     - Samba
     - Telnet, rlogin wrappers
36. Log Monitoring
   - Use regexps to match 'interesting' log entries and email a periodic report to an administrator.
   - 'Systems Under Siege', Chris Boyd, SANS
37. Log Monitoring
   - syslog-ng with regexps
   - Swatch (Perl)
   - LogSurfer
   - LogSentry: tail logfile | grep | mail
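Added example, not from the deck: the "tail logfile | grep | mail" monitor of the two Log Monitoring slides, run over constructed log lines and summarised per source address in place of the mail step. The log formats, host name and addresses are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the slides): the "tail logfile | grep | mail"
# monitor from the Log Monitoring slides, minus the mail step. The log
# lines below are constructed to resemble log_in_vain, ipfw and sshd
# entries; the formats are assumptions, not copied from a real system.

SAMPLE_LOG='Jul 30 10:01:12 gw /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:41022
Jul 30 10:01:13 gw /kernel: Connection attempt to TCP 192.0.2.10:79 from 198.51.100.7:41023
Jul 30 10:02:40 gw /kernel: Connection attempt to UDP 192.0.2.10:69 from 203.0.113.5:5555
Jul 30 10:03:01 gw sshd[214]: Failed password for root from 198.51.100.7 port 41100 ssh2
Jul 30 10:03:05 gw sshd[214]: Accepted publickey for rich from 192.0.2.20 port 50022 ssh2
Jul 30 10:04:00 gw /kernel: ipfw: 300 Deny TCP 203.0.113.5:1234 192.0.2.10:139 in via fxp0
Jul 30 10:04:30 gw cron[300]: (root) CMD (/usr/libexec/atrun)
Jul 30 10:05:11 gw login: 2 LOGIN FAILURES ON ttyv0, root'

# The regexps that define "interesting": refused connections, firewall
# denies and failed logins. Everything else is routine noise.
INTERESTING='Connection attempt to|ipfw: [0-9]+ Deny|Failed password|LOGIN FAILURE'

# interesting_lines LOG: the grep stage; keeps only matching lines.
interesting_lines() {
    printf '%s\n' "$1" | grep -E "$INTERESTING"
}

# report LOG: count interesting entries per source address so the periodic
# mail shows who is probing, most active first. Entries with no remote
# address (console login failures) are counted under "local".
report() {
    interesting_lines "$1" | awk '
        { src = "" }
        / from [0-9.]+/ {                       # sshd and log_in_vain style
            match($0, / from [0-9.]+/)
            src = substr($0, RSTART + 6, RLENGTH - 6)
        }
        /ipfw: [0-9]+ Deny/ {                   # ipfw: "Deny PROTO src:port dst:port"
            match($0, /Deny [A-Z]+ [0-9.]+/)
            src = substr($0, RSTART, RLENGTH)
            sub(/.* /, "", src)
        }
        { n[(src == "") ? "local" : src]++ }
        END { for (h in n) printf "%s %d\n", h, n[h] }' | sort -k2,2nr -k1,1
}

# Stand-alone run: in production, pipe this into mail(1) from cron.
report "$SAMPLE_LOG"
```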
38. Host-Based Intrusion Detection
   - Tripwire/AIDE
   - Systrace
39. Tripwire/AIDE
   - File adds, deletes, modifications
   - File permissions
   - Inode number, number of links
   - User id of owner, group id of owner
   - File type, file size
   - Device number that stores the inode
   - Device number that the inode points to
   - Number of blocks allocated
   - Modification timestamp
   - Inode creation/modification timestamp
   - Access timestamp
40. Systrace
   - A Black Hat zero-day tool!
   - Like TCP Wrappers but for syscalls.
   - Filters:
     - specific routines: open(), fork(), exec(), etc.
     - specific arguments: filename, file mode, etc.
   - FreeBSD version on the conference CD-ROM!
   - More details in the Defcon talks:
     - "FreeBSD Exploits and Remedies"
     - "Intrusion Prevention with Systrace for FreeBSD"
41. Systrace
   - Policy: /usr/libexec/ftpd, Emulation: native
     native-open: filename eq "$HOME" and oflags sub "ro" then permit
     native-open: filename eq "/etc" then deny[eperm], if group != wheel
     native-fchdir: permit
     native-stat: permit
42. Network-Based Intrusion Detection
   - Snort
   - ACID
43. Honeypots
   - Use inetd.conf to provide honeypot services.
   - Use hosts.allow to log each connection to them.
44. Countermeasures
   - Traceroute
   - Firewall rules
   - /etc/hosts.deny:
     in.tftpd: ALL: (finger -l @%h | /usr/ucb/mail -s %d-%h root) &
45. Monitoring
   - In /etc/syslog.conf:
     auth.*;authpriv.*    /var/log/authlog
46. Keeping Abreast of Vulnerabilities
   - CERT announcements:
     echo "subscribe freebsd-security-notifications" | mail majordomo@FreeBSD.org
   - Archive of announcements:
     ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories
47. Future
   - ACLs: finer-grained access controls.
   - Robert Watson's ACLs for VFS still need UFS support.