bh-us-02-murphey-freebsd

  • Transcript

    • 1. Locking Down Your FreeBSD Install Black Hat 6 Rich Murphey
    • 2. Locking Down Your FreeBSD Install
    • 3. Locking Down Your FreeBSD Install
      • Establish a Security Policy
    • 4. Security Management (diagram): Policy; Plan; Act: Harden, Access Control; React: Monitor, Audit
    • 5. Security Policy
      • A high-level overall plan embracing the general goals and acceptable procedures.
    • 6. Formulating Policy
      • What are the goals?
      • What are the procedures?
      • What is the impact?
    • 7. Formulating Policy
      • What are the goals?
        • What, Why, Who.
      • What are the procedures?
        • Roles and Responsibilities.
      • What is the impact?
        • Network, applications, users.
    • 8. Policy Example
      • How does one define a firewall policy…
    • 9. Policy Example
      • "Don't talk to strangers."
      • "In God we trust. All else we monitor."
    • 10. Policy Example
      • "Don't talk to strangers."
          • Authenticate Everything.
      • "In God we trust. All else we monitor."
          • Log All Exceptions.
    • 11. Policy Example
      • How do we lock down FreeBSD?
      • Default Deny
      • Authenticate Everything
      • Log All Exceptions
    • 12. Default Deny
      • Block non-routable, spoofs and source routed IP.
      • Allow TCP only from specific subnets to specific ports.
    • 13. Authenticate Everything
      • Narrow anonymous services
        • TFTP, FTP, HTTP.
      • Disable clear text authentication
        • Telnet, FTP, HTTP.
      • Enforce strong authentication
        • SSH, SSL/HTTP.
      • Audit (Log) all authentication.
    • 14. Log All Exceptions
      • Spoofing
      • Denied Access
      • plus, run Snort.
    • 15. Elements of Security Policy
      • Act:
        • Harden
        • Control access
      • React:
        • Assess
        • Monitor
    • 16. Hardening the Network
      • IP Stack
      • Firewall rules
      • Inetd/TCP Wrappers
      • Control access
    • 17. IP Stack
      • Log connection attempts to nonexistent servers:
      • # sysctl -w net.inet.tcp.log_in_vain=1
      • # sysctl -w net.inet.udp.log_in_vain=1
    • 18. IPFW Firewall
      • In /etc/rc.conf:
      • firewall_enable="YES"
      • firewall_type="SIMPLE"
      • firewall_logging="YES"
    • 19. inetd
      • inetd uses TCP Wrappers by default.
      • IPSec policy in inetd.conf:
      • #@in ipsec ah/transport//require
      • #@out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
    • 20. inetd
      • /etc/hosts.deny:
      • ALL: ALL
      • /etc/hosts.allow:
      • ALL: LOCAL @some_netgroup
      • ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
      • % tcpdchk -v (to verify the rules)
    • 21. IPSec
      • Key distribution
      • Authentication
    • 22. Hardening FreeBSD
      • Hardening the Host
    • 23. Hardening the Host
      • Known Vulnerabilities
      • Install Options
      • Configuration
    • 24. Known Vulnerabilities
      • zlib – decompress crash
      • Squid - DNS response crash
      • mod_frontpage - fpexec overflow
      • Netscape - JavaScript in GIF
      • OpenSSH - root buffer overflow
    • 25. Fixing Known Vulnerabilities
      • pkg_add the latest version
      • ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable
    • 26. Secure Level
      • Can be raised but not lowered, even by root.
      • /etc/rc.conf:
        • kern_securelevel_enable="YES"
        • kern_securelevel="3"
      • If kern.securelevel > 0, even root within a jail cannot set file flags.
      • Only rebooting lowers it. Dropping to single user mode doesn’t.
    • 27. Secure Level 1
      • Cannot remove immutable and append-only flags.
      • Cannot mount file systems
      • Cannot write to /dev/mem or /dev/kmem.
        • Breaks XFree86!!!
      • Cannot load kernel modules.
    • 28. Secure Level 2
      • Only `mount' may open disks for writing.
      • Time changes are limited to one second.
      • Level 3:
      • ipfw and dummynet configuration are fixed.
    • 29. Caveats
      • One must still harden the boot process (loader, autoconfig) because securelevel is set late in the boot process.
    • 30. Harden User Land
      • Protect against free space exhaustion in rc.conf:
        • check_quotas="YES"
      • Protect against set-uid files in /home and /var (mount options in /etc/fstab):
      • /dev/ad… /home ufs rw,nosuid,userquota
    • 31. Hardening User Land
      • Block Broad/Multicast pings:
        • /etc/sysctl.conf:
          • net.inet.icmp.bmcastecho=0
      • Hide logs
        • /etc/newsyslog.conf:
      • /var/log/authlog root:wheel 600 3 100 * Z
    • 32. Harden the executables
      • chflags schg /kernel
      • chflags -R schg /bin /sbin
    • 33. Hardening Services
      • DNS – restrict zone transfers
      • HTTP – disable CGI
      • Samba – IP address ACLs
      • Email – spam, filtering
      • telnet, FTP, finger – don’t
    • 34. SSH - Secure Shell
      • hosts.allow
      • RSA authentication
      • Listen on a non-standard port
    • 35. Auditing
      • Authentication for:
      • HTTP
      • FTP
      • Samba
      • Telnet, Rlogin wrappers
    • 36. Log Monitoring
      • Use regexp to match 'interesting' log entries and email a periodic report to an administrator.
      • 'Systems Under Siege', Chris Boyd, SANS
    • 37. Log Monitoring
      • Syslog-ng w/regex
      • Swatch - perl
      • LogSurfer
      • LogSentry - tail logfile | grep | mail
    • 38. Host-Based Intrusion Detection
      • Tripwire/AIDE
      • Systrace
    • 39. Tripwire/Aide
        • File adds, deletes, modifications
        • File permissions
        • Inode number, number of links
        • User id of owner, group id of owner
        • File type, file size
        • Device number that stores the inode.
        • Device number that the inode points to.
        • Number of blocks allocated
        • Modification timestamp
        • Inode creation/modification timestamp
        • Access timestamp
    • 40. SysTrace
        • A BlackHat Zero Day Tool!
        • Like tcpwrappers but for syscalls.
        • Filters:
          • specific routines: open(), fork(), exec(), etc.
          • specific arguments: filename, file mode, etc.
        • FreeBSD version on the conference CDROM!
        • More details at Defcon Talks:
          • “FreeBSD Exploits and Remedies”
          • “Intrusion Prevention with SysTrace for FreeBSD”
    • 41. SysTrace
      • Policy: /usr/libexec/ftpd, Emulation: native
      • native-open: filename eq "$HOME" and oflags sub "ro" then permit
      • native-open: filename eq "/etc" then deny[eperm], if group != wheel
      • native-fchdir: permit
      • native-stat: permit
    • 42. Network-Based Intrusion Detection
      • Snort
      • ACID
    • 43. Honeypots
      • Use inetd.conf to provide honeypot services.
      • Use hosts.allow to log each connection to them.
    • 44. Countermeasures
      • traceroute
      • Firewall rules
      • /etc/hosts.deny:
      • in.tftpd: ALL: (finger -l @%h | /usr/ucb/mail -s %d-%h root) &
    • 45. Monitoring
      • In /etc/syslog.conf:
      • auth.*;authpriv.*    /var/log/authlog
    • 46. Keeping Abreast of Vulnerabilities
      • CERT announcements:
        • echo "subscribe freebsd-security-notifications" | mail majordomo@FreeBSD.org
      • Archive of announcements:
        • ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories
    • 47. Future
      • ACLs - finer grained access controls.
      • Robert Watson’s ACLs for VFS, still need UFS support.
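The "Default Deny" rules of slide 12 are only named in the talk, and slide 18 relies on the stock firewall_type="SIMPLE" template. The script below is an added example, not code from the talk or from FreeBSD, that generates an explicit ipfw ruleset of that shape; the interface name, host address, trusted subnet and port list are assumptions, and the function only prints the commands so they can be reviewed before being fed to the shell as root on the FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the talk): emit a default-deny ipfw ruleset in the
# spirit of slides 12 and 18. Interface, host address, trusted subnet and
# ports are assumptions. The function only prints the commands so the ruleset
# can be reviewed or tested before being piped to sh as root on the host.

gen_ruleset() {
    oif="$1"      # outside interface, e.g. fxp0
    host="$2"     # this host's address on $oif
    subnet="$3"   # trusted client subnet
    ports="$4"    # space-separated TCP ports exposed to $subnet

    echo "ipfw -f flush"
    # Loopback traffic is fine; anything else using 127/8 is a spoof.
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 110 deny log ip from any to 127.0.0.0/8"
    echo "ipfw add 120 deny log ip from 127.0.0.0/8 to any"
    # Inbound packets on the outside interface carrying our own address or a
    # non-routable (RFC 1918) source address are spoofs: deny and log them.
    echo "ipfw add 200 deny log ip from $host to any in via $oif"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "ipfw add 210 deny log ip from $net to any in via $oif"
    done
    # Source-routed IP (strict and loose source route options).
    echo "ipfw add 300 deny log ip from any to any ipoptions ssrr,lsrr"
    # Established TCP sessions continue; new inbound sessions only from
    # $subnet to the listed ports; outbound sessions the host itself starts.
    echo "ipfw add 400 allow tcp from any to any established"
    for p in $ports; do
        echo "ipfw add 410 allow tcp from $subnet to $host $p setup"
    done
    echo "ipfw add 420 allow tcp from $host to any out via $oif setup"
    # Everything else: default deny, logged ("Log All Exceptions").
    echo "ipfw add 65000 deny log ip from any to any"
}

# Last rule of the generated set (used to confirm it ends in default deny).
last_rule() {
    gen_ruleset "$@" | tail -n 1
}

gen_ruleset fxp0 203.0.113.5 198.51.100.0/24 "22 443"
```

Note that, as on the slide, only TCP is admitted; a host that must resolve names or speak NTP needs explicit UDP rules added before the final deny.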

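Slides 36-37 describe log monitoring as "regexp to match 'interesting' log entries and email a periodic report", and slide 45 routes auth.*/authpriv.* to /var/log/authlog. The script below is an added example (not from the talk or any of the tools it lists) of that report; the log lines are constructed, and the message formats it matches for log_in_vain, inetd/TCP Wrappers and sshd are assumptions to adjust for your syslog output.

```shell
#!/bin/sh
# Added example: periodic "interesting log entry" report in the style of
# slides 36-37. The patterns below are assumptions about what log_in_vain,
# inetd/TCP Wrappers and sshd messages look like in /var/log/authlog.
# The sample log is constructed, not taken from a real system.

SAMPLE_LOG="${TMPDIR:-/tmp}/authlog.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Aug  1 02:10:11 gw /kernel: Connection attempt to TCP 10.1.1.1:23 from 192.0.2.7:40123 flags:0x02
Aug  1 02:10:12 gw /kernel: Connection attempt to UDP 10.1.1.1:69 from 192.0.2.7:5555
Aug  1 02:11:40 gw inetd[311]: refused connection from 198.51.100.9, service ftpd (tcp)
Aug  1 02:12:03 gw sshd[402]: Accepted publickey for rich from 10.1.1.50 port 51022 ssh2
Aug  1 02:12:55 gw sshd[409]: Failed password for root from 192.0.2.7 port 51030 ssh2
Aug  1 02:13:00 gw cron[420]: (root) CMD (/usr/libexec/atrun)
EOF

# The 'interesting' entries the slides call out: log_in_vain connection
# attempts to closed ports, wrapper refusals (hosts.deny), and failed logins.
INTERESTING='Connection attempt to (TCP|UDP)|refused connection from|Failed password for'

# Print every interesting line from the given log file.
interesting_lines() {
    grep -E "$INTERESTING" "$1"
}

# Count interesting lines (prints a single integer).
count_interesting() {
    interesting_lines "$1" | wc -l | tr -d ' '
}

# Summarise offending source addresses as "count address", most active first.
# Takes the dotted quad after "from" in each line (an assumption about format).
top_sources() {
    interesting_lines "$1" \
      | sed -E 's/.* from ([0-9.]+)[:, ].*/\1/' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Assemble the report; from cron this would be piped to mail(1), e.g.
#   build_report /var/log/authlog | mail -s "authlog report" root
build_report() {
    echo "Interesting entries in $1: $(count_interesting "$1")"
    echo "--- by source ---"
    top_sources "$1"
    echo "--- entries ---"
    interesting_lines "$1"
}

build_report "$SAMPLE_LOG"
```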