bh-us-02-murphey-freebsd
  • 1. Locking Down Your FreeBSD Install, Black Hat 6, Rich Murphey
  • 2. Locking Down Your FreeBSD Install
  • 3. Locking Down Your FreeBSD Install
    • Establish a Security Policy
  • 4. Security Management
    • (Diagram) Policy; Plan, Act, React; Harden, Access Control, Monitor, Audit.
  • 5. Security Policy
    • A high-level overall plan embracing the general goals and acceptable procedures.
  • 6. Formulating Policy
    • What are the goals?
    • What are the procedures?
    • What is the impact?
  • 7. Formulating Policy
    • What are the goals?
      • What, Why, Who.
    • What are the procedures?
      • Roles and Responsibilities.
    • What is the impact?
      • Network, applications, users.
  • 8. Policy Example
    • How does one define a firewall policy…
  • 9. Policy Example
    • "Don't talk to strangers."
    • "In God we trust. All else we monitor."
  • 10. Policy Example
    • "Don't talk to strangers."
      • Authenticate Everything.
    • "In God we trust. All else we monitor."
      • Log All Exceptions.
  • 11. Policy Example
    • How do we lock down FreeBSD?
    • Default Deny
    • Authenticate Everything
    • Log All Exceptions
  • 12. Default Deny
    • Block non-routable addresses, spoofed packets and source-routed IP.
    • Allow TCP only from specific subnets to specific ports.
  • 13. Authenticate Everything
    • Narrow anonymous services
      • TFTP, FTP, HTTP.
    • Disable clear text authentication
      • Telnet, FTP, HTTP.
    • Enforce strong authentication
      • SSH, SSL/HTTP.
    • Audit (Log) all authentication.
  • 14. Log All Exceptions
    • Spoofing
    • Denied Access
    • plus, run Snort.
  • 15. Elements of Security Policy
    • Act:
      • Harden
      • Control access
    • React:
      • Assess
      • Monitor
  • 16. Hardening the Network
    • IP Stack
    • Firewall rules
    • Inetd/TCP Wrappers
    • Control access
  • 17. IP Stack
    • Log connection attempts to nonexistent servers:
    • # sysctl -w net.inet.tcp.log_in_vain=1
    • # sysctl -w net.inet.udp.log_in_vain=1
  • 18. IPFW Firewall
    • In /etc/rc.conf:
    • firewall_enable="YES"
    • firewall_type="SIMPLE"
    • firewall_logging="YES"
  • 19. inetd
    • inetd uses TCP Wrappers by default.
    • IPSec policy in inetd.conf:
    • #@in ipsec ah/transport//require
    • #@out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
  • 20. inetd
    • /etc/hosts.deny:
    • ALL: ALL
    • /etc/hosts.allow:
    • ALL: LOCAL @some_netgroup
    • ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
    • To verify the rules: % tcpdchk -v
  • 21. IPSec
    • Key distribution
    • Authentication
  • 22. Hardening FreeBSD
    • Hardening the Host
  • 23. Hardening the Host
    • Known Vulnerabilities
    • Install Options
    • Configuration
  • 24. Known Vulnerabilities
    • zlib – decompress crash
    • Squid - DNS response crash
    • mod_frontpage - fpexec overflow
    • Netscape - JavaScript in GIF
    • OpenSSH - root buffer overflow
  • 25. Fixing Known Vulnerabilities
    • pkg_add the latest version
    • ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable
  • 26. Secure Level
    • Can be raised but not lowered, even by root.
    • /etc/rc.conf:
      • kern_securelevel_enable="YES"
      • kern_securelevel="3"
    • If kern.securelevel > 0, even root within a jail cannot set file flags.
    • Only rebooting lowers it. Dropping to single user mode doesn’t.
  • 27. Secure Level 1
    • Cannot remove immutable and append-only flags.
    • Cannot mount file systems
    • Cannot write to /dev/mem, /dev/kmem.
      • Breaks XFree86!!!
    • Cannot load kernel modules.
  • 28. Secure Level 2
    • Only `mount' may open disks for writing.
    • Time changes are limited to one second.
    • Level 3:
      • ipfw and dummynet configuration are fixed.
  • 29. Caveats
    • One must still harden the boot process (loader, autoconfig) because securelevel is set late in the boot process.
  • 30. Harden User Land
    • Protect against free space exhaustion in rc.conf:
      • check_quotas="YES"
    • Protect against set-uid files in /home and /var:
    • In /etc/fstab: /dev/ad… /home ufs rw,nosuid,userquota
  • 31. Hardening User Land
    • Block broadcast/multicast pings:
      • /etc/sysctl.conf:
        • net.inet.icmp.bmcastecho=0
    • Hide logs
      • /etc/newsyslog.conf:
    • /var/log/authlog root:wheel 600 3 100 * Z
  • 32. Harden the executables
    • chflags schg /kernel
    • chflags -R schg /bin /sbin
  • 33. Hardening Services
    • DNS – restrict zone transfers
    • HTTP – disable CGI
    • Samba – IP address ACLs
    • Email – spam, filtering
    • telnet, FTP, finger – don’t
  • 34. SSH - Secure Shell
    • hosts.allow
    • RSA authentication
    • Listen on a non-standard port
  • 35. Auditing
    • Authentication for:
    • HTTP
    • FTP
    • Samba
    • Telnet, Rlogin wrappers
  • 36. Log Monitoring
    • Use regexp to match 'interesting' log entries and email a periodic report to an administrator.
    • 'Systems Under Siege', Chris Boyd, SANS
  • 37. Log Monitoring
    • Syslog-ng w/regex
    • Swatch - perl
    • LogSurfer
    • LogSentry - tail logfile | grep | mail
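Slides 36 and 37 describe the approach (regular expressions over the logs, a periodic report mailed to an administrator, LogSentry's tail | grep | mail pipeline) without showing it. The script below is an added example in that spirit; it is not the slides' code nor that of any of the tools named. The log lines it scans are constructed for the example in the format of FreeBSD's sshd, su, log_in_vain (slide 17) and ipfw messages; the pattern list, the report layout and the /usr/local/sbin/logreport path in the cron comment are the example's own choices.

```shell
#!/bin/sh
# Added example: LogSentry-style log watcher (grep the interesting lines, mail a report).
# Sample log lines are constructed for this example; on a real host point
# report() at /var/log/authlog and /var/log/messages instead.
SAMPLE_LOG="${TMPDIR:-/tmp}/authlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 30 02:11:04 host sshd[812]: Failed password for root from 203.0.113.7 port 4410 ssh2
Jul 30 02:11:06 host sshd[812]: Failed password for root from 203.0.113.7 port 4410 ssh2
Jul 30 02:13:20 host sshd[830]: Accepted publickey for rich from 198.51.100.5 port 51022 ssh2
Jul 30 02:14:01 host /kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.7:4411
Jul 30 02:14:02 host /kernel: ipfw: 65000 Deny TCP 203.0.113.7:4412 192.0.2.10:111 in via fxp0
Jul 30 02:15:10 host su: rich to root on /dev/ttyp0
Jul 30 02:16:00 host cron[900]: (root) CMD (/usr/libexec/atrun)
EOF

# Patterns worth a human's attention: failed logins, probes of closed ports
# (log_in_vain), firewall denies, privilege changes, wrapper refusals.
INTERESTING='Failed password|Connection attempt to|ipfw: [0-9]+ Deny|su: .* to root|ROOT LOGIN|refused connect'

interesting_entries() {   # $1 = log file; prints the matching lines
    grep -E "$INTERESTING" "$1"
}

# Summarise by source address so a scanning host shows up once, with a count.
offenders() {   # $1 = log file; prints "count address", busiest first
    interesting_entries "$1" \
      | grep -Eo 'from [0-9.]+|Deny [A-Z]+ [0-9.]+' \
      | grep -Eo '[0-9]+(\.[0-9]+){3}' \
      | sort | uniq -c | sort -rn
}

report() {   # $1 = log file; text for: report /var/log/authlog | mail -s "log report" root
    printf 'Log report for %s\n\n== Interesting entries ==\n' "$1"
    interesting_entries "$1"
    printf '\n== Sources ==\n'
    offenders "$1"
}

# Hypothetical crontab entry for the periodic mailed report:
#   0 6 * * * /usr/local/sbin/logreport /var/log/authlog | mail -s "log report" root
report "$SAMPLE_LOG"
```

Lines that are noise (the accepted key login, the cron entry) never reach the report, and the "Sources" section turns four separate entries from 203.0.113.7 into one line with a count, which is what the administrator reading the mail actually needs.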
  • 38. Host-Based Intrusion Detection
    • Tripwire/AIDE
    • Systrace
  • 39. Tripwire/Aide
      • File adds, deletes, modifications
      • File permissions
      • Inode number, number of links
      • User id of owner, group id of owner
      • File type, file size
      • Device number that stores the inode.
      • Device number that the inode points to.
      • Number of blocks allocated
      • Modification timestamp
      • Inode creation/modification timestamp
      • Access timestamp
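Slide 39 lists the per-file attributes Tripwire and AIDE record. The script below is an added example, not Tripwire or AIDE code, of a minimal baseline-and-compare check over the subset of those attributes that POSIX ls and cksum expose (inode, mode, link count, uid, gid, size, plus a CRC of the contents). The tampered tree it builds under mktemp is constructed for the demonstration, and file paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline in the spirit of Tripwire/AIDE.
# Record per file: path inode mode links uid gid size checksum
# The baseline itself must live where the monitored host cannot alter it
# (read-only media or another host); that part is out of scope here.

snapshot() {   # $1 = directory; one line per regular file on stdout
    dir=$1
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        # ls -ldin fields: inode mode links uid gid size ... (name comes last)
        set -- $(ls -ldin "$f")
        sum=$(cksum < "$f" | awk '{print $1}')
        printf '%s %s %s %s %s %s %s %s\n' "$f" "$1" "$2" "$3" "$4" "$5" "$6" "$sum"
    done
}

compare() {   # $1 = baseline file, $2 = current snapshot; prints ADDED/CHANGED/DELETED
    awk '
        FILENAME == ARGV[1] { base[$1] = $0; next }      # baseline lines
        {
            cur[$1] = 1
            if (!($1 in base))       print "ADDED   " $1
            else if (base[$1] != $0) print "CHANGED " $1
        }
        END { for (p in base) if (!(p in cur)) print "DELETED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

demo() {   # builds a tree, baselines it, tampers with it, returns the comparison
    work=$(mktemp -d "${TMPDIR:-/tmp}/fim.XXXXXX")
    mkdir -p "$work/bin" "$work/etc"
    printf 'original\n' > "$work/bin/login"
    printf 'root:*:0:0\n' > "$work/etc/master.passwd"
    printf 'keep\n' > "$work/etc/motd"
    snapshot "$work" > "$work.baseline"
    # Simulated tampering: replaced binary of identical size (only the checksum
    # catches it), a deleted file, and a file dropped into a system directory.
    printf 'trojaned\n' > "$work/bin/login"
    rm "$work/etc/motd"
    printf 'rootkit\n' > "$work/bin/.hidden"
    snapshot "$work" > "$work.current"
    compare "$work.baseline" "$work.current" | sed "s|$work/||"
    rm -rf "$work" "$work.baseline" "$work.current"
}

demo
```

The replaced bin/login keeps its inode, mode, owner and size, so a check that trusted only the attributes visible in ls would miss it; the content checksum is what flags it as CHANGED.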
  • 40. SysTrace
    • A BlackHat Zero Day Tool!
    • Like tcpwrappers but for syscalls.
    • Filters:
      • specific routines: open(), fork(), exec(), etc.
      • specific arguments: filename, file mode, etc.
    • FreeBSD version on the conference CDROM!
    • More details at Defcon Talks:
      • "FreeBSD Exploits and Remedies"
      • "Intrusion Prevention with SysTrace for FreeBSD"
  • 41. SysTrace
    • Policy: /usr/libexec/ftpd, Emulation: native
    • native-open: filename eq "$HOME" and oflags sub "ro" then permit
    • native-open: filename eq "/etc" then deny[eperm], if group != wheel
    • native-fchdir: permit
    • native-stat: permit
  • 42. Network-Based Intrusion Detection
    • Snort
    • ACID
  • 43. Honeypots
    • Use inetd.conf to provide honeypot services.
    • Use hosts.allow to log each connection to them.
  • 44. Countermeasures
    • Traceroute
    • Firewall rules
    • /etc/hosts.deny:
    • in.tftpd: ALL: (finger -l @%h | /usr/ucb/mail -s %d-%h root) &
  • 45. Monitoring
    • In /etc/syslog.conf:
    • auth.*;authpriv.*    /var/log/authlog
  • 46. Keeping Abreast of Vulnerabilities
    • CERT announcements:
      • echo "subscribe freebsd-security-notifications" | mail majordomo@FreeBSD.org
    • Archive of announcements:
      • ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories
  • 47. Future
    • ACLs - finer grained access controls.
    • Robert Watson’s ACLs for VFS, still need UFS support.