bh-us-02-murphey-freebsd

Presentation Transcript
  • Locking Down Your FreeBSD Install. Black Hat 6. Rich Murphey.
  • Locking Down Your FreeBSD Install
    • Establish a Security Policy
    • Establish a Security Policy
  • Security Management cycle (diagram): Plan: Policy. Act: Harden, Access Control. React: Monitor, Audit.
  • Security Policy
    • A high-level overall plan embracing the general goals and acceptable procedures.
  • Formulating Policy
    • What are the goals?
    • What are the procedures?
    • What is the impact?
  • Formulating Policy
    • What are the goals?
      • What, Why, Who.
    • What are the procedures?
      • Roles and Responsibilities.
    • What is the impact?
      • Network, applications, users.
  • Policy Example
    • How does one define a firewall policy…
  • Policy Example
    • "Don't talk to strangers."
    • "In God we trust. All else we monitor."
  • Policy Example
    • "Don't talk to strangers."
      • Authenticate Everything.
    • "In God we trust. All else we monitor."
      • Log All Exceptions.
  • Policy Example
    • How do we lock down FreeBSD?
    • Default Deny
    • Authenticate Everything
    • Log All Exceptions
  • Default Deny
    • Block packets with non-routable (RFC 1918 and other reserved) source addresses, packets that spoof your own addresses, and packets carrying IP source-route options.
    • Allow TCP only from specific subnets to specific ports; anything not explicitly allowed is denied.
  • Authenticate Everything
    • Narrow anonymous services to what is strictly needed
      • tftp, anonymous ftp, http.
    • Disable clear-text authentication
      • telnet, ftp, HTTP authentication over plain HTTP.
    • Enforce strong authentication
      • SSH, HTTP over SSL.
    • Audit (log) all authentication, successful and failed.
  • Log All Exceptions
    • Spoofing
    • Denied Access
    • plus, run Snort.
  • Elements of Security Policy
    • Act:
      • Harden
      • Control access
    • React:
      • Assess
      • Monitor
  • Hardening the Network
    • IP Stack
    • Firewall rules
    • Inetd/TCP Wrappers
    • Control access
  • IP Stack
    • Log connection attempts to ports with no listener (the kernel logs "Connection attempt to TCP/UDP addr:port from addr:port"), a cheap port-scan detector:
    • # sysctl -w net.inet.tcp.log_in_vain=1
    • # sysctl -w net.inet.udp.log_in_vain=1
    • Put the same two settings in /etc/sysctl.conf so they survive a reboot; expect some noise from stray UDP on a busy network.
  • IPFW Firewall
    • In /etc/rc.conf:
    • firewall_enable="YES"
    • firewall_type="SIMPLE"
    • firewall_logging="YES"
    • The kernel needs options IPFIREWALL (plus IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT for logging), or the ipfw module. "SIMPLE" selects the ruleset of that name in /etc/rc.firewall, whose interface and network variables must be edited for your site; firewall_type may instead name a file of ipfw rules. Packets matched by no rule hit the default rule, which denies unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.
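The Default Deny slide and the rc.conf stanza above describe the policy; the following added example, which is not from the slides and not FreeBSD's own rc.firewall, shows one concrete ipfw ruleset that implements it: anti-spoof and non-routable filters on the outside interface, a source-route block, TCP allowed only from a chosen subnet to chosen ports, and a logged default deny. The interface name fxp0, the admin subnet 198.51.100.0/24, the open ports and the rule numbers are all assumptions. It is written as a POSIX sh generator so the ruleset can be reviewed and tested before it touches a kernel:

```sh
#!/bin/sh
# Added example, not from the slides: generate a default-deny ipfw(8) ruleset
# in the file format that /etc/rc.firewall loads when rc.conf says
#   firewall_type="/etc/ipfw.rules"      (a path instead of "SIMPLE")
# or that you load by hand with:  ipfw -q /etc/ipfw.rules
# The interface and the admin subnet are assumed placeholders; edit them.
oif="fxp0"                    # outside interface
admin_net="198.51.100.0/24"   # the only subnet allowed to reach ssh

# Rules run in number order, first match wins. ipfw skips lines starting
# with '#' in a rule file, so the comments below can stay in the file.
ipfw_rules() {
    cat <<EOF
-f flush
# loopback: allow, but nothing on the wire may claim 127/8
add 100 allow ip from any to any via lo0
add 110 deny log ip from any to 127.0.0.0/8
add 120 deny log ip from 127.0.0.0/8 to any
# spoofs: our own addresses never arrive from outside
add 200 deny log ip from me to any in via ${oif}
# non-routable and reserved sources (RFC 1918, 0/8, link-local, class D/E)
add 210 deny log ip from 10.0.0.0/8 to any in via ${oif}
add 211 deny log ip from 172.16.0.0/12 to any in via ${oif}
add 212 deny log ip from 192.168.0.0/16 to any in via ${oif}
add 213 deny log ip from 0.0.0.0/8 to any in via ${oif}
add 214 deny log ip from 169.254.0.0/16 to any in via ${oif}
add 215 deny log ip from 224.0.0.0/3 to any in via ${oif}
# source-routed packets (strict or loose)
add 300 deny log ip from any to any ipoptions ssrr,lsrr
# TCP: existing sessions, then new sessions only from chosen nets to chosen ports
add 400 allow tcp from any to any established
add 410 allow tcp from ${admin_net} to me 22 setup
add 420 allow tcp from any to me 80 setup
add 430 deny log tcp from any to any setup in via ${oif}
# DNS for the resolver, and the ICMP types that keep TCP working (unreachable, time exceeded)
add 500 allow udp from me to any 53
add 510 allow udp from any 53 to me
add 600 allow icmp from any to any icmptypes 3,11
# explicit, logged default deny
add 65000 deny log ip from any to any
EOF
}

# Install (as root, after reviewing the output):
#   ipfw_rules > /etc/ipfw.rules && ipfw -q /etc/ipfw.rules
```

Load it from the console the first time, not over ssh: the flush runs before any allow rule exists, and a mistake in rule 410 locks you out. firewall_logging="YES" sets net.inet.ip.fw.verbose=1; set net.inet.ip.fw.verbose_limit as well, or a scan bouncing off rule 65000 fills /var/log/messages.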
  • inetd
    • inetd is linked with libwrap and rc.conf starts it with inetd_flags="-wW", so TCP Wrappers (hosts.allow/hosts.deny) apply to external and internal services by default.
    • IPsec policy can be attached to services in inetd.conf with "#@" lines, which apply to the entries that follow them:
    • #@ in ipsec ah/transport//require
    • #@ out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
  • inetd
    • /etc/hosts.deny:
    • ALL: ALL
    • /etc/hosts.allow:
    • ALL: LOCAL @some_netgroup
    • ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
    • Verify the rules with tcpdchk -v, and use tcpdmatch to see what a given daemon/client pair would get. LOCAL matches hostnames without a dot; the netgroup and .foobar.edu match by reverse DNS, so they are only as trustworthy as that DNS.
  • IPSec
    • Key distribution
    • Authentication
  • Hardening FreeBSD
    • Hardening the Host
  • Hardening the Host
    • Known Vulnerabilities
    • Install Options
    • Configuration
  • Known Vulnerabilities
    • zlib – decompress crash
    • Squid - DNS response crash
    • mod_frontpage - fpexec overflow
    • Netscape - JavaScript in GIF
    • OpenSSH - root buffer overflow
  • Fixing Known Vulnerabilities
    • pkg_add the latest version
    • ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable
  • Secure Level
    • kern.securelevel can be raised but never lowered on a running system, not even by root; only init(8), PID 1, may lower it.
    • /etc/rc.conf:
      • kern_securelevel_enable="YES"
      • kern_securelevel="3"
    • With kern.securelevel >= 1, root cannot clear the system flags (schg, sappnd), whether on the host or inside a jail.
    • It drops only when init takes the system down: a reboot, or the transition to single-user mode, which init uses to reset it to 0.
  • Secure Level 1
    • System immutable (schg) and system append-only (sappnd) flags cannot be cleared.
    • Disks backing mounted file systems cannot be opened for writing (mounting itself is still allowed).
    • /dev/mem, /dev/kmem and /dev/io cannot be opened for writing.
      • Breaks XFree86, which needs them to program the graphics hardware.
    • Kernel modules cannot be loaded or unloaded.
  • Secure Level 2
    • Same as level 1, plus no disk may be opened for writing, mounted or not, except by mount(2); this also blocks newfs(8) while multi-user.
    • Clock changes are clamped to one second per call.
  • Secure Level 3
    • Same as level 2, plus ipfw rules and dummynet configuration cannot be changed.
  • Caveats
    • securelevel is raised near the end of /etc/rc, so everything that runs before it (boot blocks, the loader and /boot/loader.conf, the kernel and any modules loaded from there, and the early rc scripts) runs unprotected. Harden the boot path as well: keep /boot, /kernel and the rc scripts immutable and restrict console access.
  • Harden User Land
    • Protect against free-space exhaustion with disk quotas; in /etc/rc.conf:
      • check_quotas="YES"
    • check_quotas only runs quotacheck at boot; quotas also need enable_quotas="YES", a kernel built with options QUOTA, and the userquota mount option below.
    • Protect against set-uid files in /home and /var by mounting them nosuid; in /etc/fstab (device name elided as on the slide):
      • /dev/ad…  /home  ufs  rw,nosuid,userquota  2  2
  • Hardening User Land
    • Block broadcast/multicast ICMP echo (smurf amplification); in /etc/sysctl.conf:
      • net.inet.icmp.bmcastecho=0
    • Hide logs from non-root users; in /etc/newsyslog.conf (owner root:wheel, mode 600, keep 3 rotations of up to 100 KB, compressed):
      • /var/log/authlog  root:wheel  600  3  100  *  Z
  • Harden the executables
    • Set the system-immutable flag on the kernel and the base binaries (irreversible at securelevel >= 1, so upgrading them then needs a reboot into single-user mode):
    • chflags schg /kernel
    • chflags -R schg /bin /sbin
  • Hardening Services
    • DNS – restrict zone transfers
    • HTTP – disable CGI
    • Samba – IP address ACLs
    • Email – spam, filtering
    • telnet, FTP, finger – don’t
  • SSH - Secure Shell
    • Wrap it with hosts.allow (sshd links with libwrap).
    • Use public-key (RSA/DSA) authentication instead of passwords.
    • Listen on a non-standard port to cut scanner noise in the logs; not a substitute for the two points above.
  • Auditing
    • Authentication for:
    • HTTP
    • FTP
    • Samba
    • Telnet, Rlogin wrappers
  • Log Monitoring
    • Use regexp to match 'interesting' log entries and email a periodic report to an administrator.
    • 'Systems Under Siege', Chris Boyd, SANS
  • Log Monitoring
    • Syslog-ng w/regex
    • Swatch - perl
    • LogSurfer
    • LogSentry - tail logfile | grep | mail
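As an added example, not from the slides or from any of the tools listed: the "interesting entries" approach in POSIX sh and awk, run over constructed sample lines in the formats that sshd, the log_in_vain sysctls, TCP Wrappers and ipfw produce (hostnames, addresses and PIDs are made up). siege_report tallies events per source host and event class, top_offenders ranks the hosts, and mail_report is what a nightly cron or periodic(8) job would call:

```sh
#!/bin/sh
# Added example (not from the slides): a "systems under siege" style report in
# POSIX sh/awk over the kinds of lines the measures in this talk produce
# (sshd, log_in_vain, tcp wrappers, ipfw). The log lines are constructed
# samples; hostnames, addresses and PIDs are made up.
sample_log() {
    cat <<'EOF'
Jul 14 03:12:01 bastion sshd[1234]: Failed password for root from 10.1.2.3 port 40211 ssh2
Jul 14 03:12:05 bastion sshd[1236]: Failed password for admin from 10.1.2.3 port 40212 ssh2
Jul 14 03:12:09 bastion sshd[1240]: Accepted publickey for rich from 198.51.100.7 port 1022 ssh2
Jul 14 03:13:44 bastion /kernel: Connection attempt to TCP 192.0.2.10:23 from 10.1.2.3:40301
Jul 14 03:13:45 bastion /kernel: Connection attempt to UDP 192.0.2.10:69 from 10.1.2.3:1025
Jul 14 03:14:00 bastion inetd[88]: refused connect from 10.1.2.3
Jul 14 03:15:10 bastion /kernel: ipfw: 65000 Deny TCP 10.1.2.3:40500 192.0.2.10:25 in via fxp0
Jul 14 03:20:00 bastion sshd[1250]: Failed password for root from 203.0.113.9 port 3321 ssh2
EOF
}

# siege_report FILE: one line per (source host, event class): "count host class".
siege_report() {
    awk '
    function src_after_from(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "?" }
    function host(a,   p) { split(a, p, ":"); return p[1] }
    function port(a,   p) { split(a, p, ":"); return p[2] }
    function hit(h, class) { n[h SUBSEP class]++ }
    /: Failed password for /              { hit(src_after_from(), "ssh-bad-password"); next }
    /: Connection attempt to (TCP|UDP) /  { hit(host(src_after_from()), "log_in_vain-" $9 ":" port($10)); next }
    /: refused connect from /             { hit(src_after_from(), "tcpd-refused"); next }
    / ipfw: [0-9]+ Deny /                 { hit(host($10), "ipfw-deny-" $9 ":" port($11)); next }
    END { for (k in n) { split(k, f, SUBSEP); printf "%d %s %s\n", n[k], f[1], f[2] } }
    ' "$1" | LC_ALL=C sort -k2,2 -k1,1nr
}

# top_offenders FILE: total events per source host, busiest first.
top_offenders() {
    siege_report "$1" | awk '{ t[$2] += $1 } END { for (h in t) print t[h], h }' | sort -rn
}

# mail_report FILE: what a periodic(8) or cron job would do with the result.
mail_report() {
    { echo "Top sources:"; top_offenders "$1"; echo; echo "Detail:"; siege_report "$1"; } \
        | mail -s "siege report $(hostname)" root
}
```

The patterns key on the fixed prefixes of each message rather than on whole lines, so a new ssh2 client string or a different port does not silently drop a class; anything the report does not recognise is simply not counted, which is the reason to review raw authlog occasionally as well.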
  • Host-Based Intrusion Detection
    • Tripwire/AIDE
    • Systrace
  • Tripwire/AIDE
    • File adds, deletes, modifications
    • File permissions
    • Inode number, number of links
    • User id of owner, group id of owner
    • File type, file size
    • Device number that stores the inode
    • Device number that the inode points to
    • Number of blocks allocated
    • Modification timestamp
    • Inode creation/modification timestamp
    • Access timestamp
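To make the attribute list concrete, an added example (not the slides' and not Tripwire or AIDE code): a baseline-and-compare check in POSIX sh over a directory tree, recording a subset of the attributes above. The record layout, the tab delimiter and the use of cksum(1) in place of a cryptographic hash are this example's own choices:

```sh
#!/bin/sh
# Added example, not from the slides or from Tripwire/AIDE: a minimal
# baseline-and-compare integrity check in POSIX sh, to show what those tools
# do. Each record holds the CRC (cksum) plus mode, link count, owner, group
# and size (ls -l) of a regular file. The real tools also record inode and
# device numbers and the three timestamps, and the baseline must live offline
# or on read-only media, since an intruder who can rewrite it can hide anything.
# Assumption: paths contain no tab or newline characters.

# integrity_snapshot DIR: one "crc<TAB>mode links owner group size<TAB>path" line per file
integrity_snapshot() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        meta=$(ls -ld "$f" | awk '{ print $1, $2, $3, $4, $5 }')
        crc=$(cksum < "$f" | awk '{ print $1 }')
        printf '%s\t%s\t%s\n' "$crc" "$meta" "$f"
    done
}

# integrity_compare BASELINE DIR: prints "added|changed|removed <path>", sorted
integrity_compare() {
    integrity_snapshot "$2" | awk -F'\t' -v base="$1" '
        BEGIN { while ((getline line < base) > 0) { n = split(line, p, "\t"); old[p[n]] = line } }
        {
            path = $NF
            if (!(path in old))       print "added", path
            else if (old[path] != $0) print "changed", path
            delete old[path]
        }
        END { for (path in old) print "removed", path }
    ' | LC_ALL=C sort
}

# Typical use: integrity_snapshot /bin > /mnt/readonly/bin.base (once, from a
# known-good state), then integrity_compare /mnt/readonly/bin.base /bin daily.
```

The comparison catches a same-size rewrite because the CRC changes, but a CRC is trivial to forge deliberately; a real deployment hashes with md5(1) or better and protects the baseline and the checker binary with schg under securelevel.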
  • SysTrace
      • A BlackHat Zero Day Tool!
      • Like tcpwrappers but for syscalls.
      • Filters:
        • specific routines: open(), fork(), exec(), etc.
        • specific arguments: filename, file mode, etc.
      • FreeBSD version on the conference CDROM!
      • More details at Defcon talks:
        • "FreeBSD Exploits and Remedies"
        • "Intrusion Prevention with SysTrace for FreeBSD"
  • SysTrace
    • Policy: /usr/libexec/ftpd, Emulation: native
    • native-open: filename eq "$HOME" and oflags sub "ro" then permit
    • native-open: filename eq "/etc" then deny[eperm], if group != wheel
    • native-fchdir: permit
    • native-stat: permit
    • A system call the policy does not match is referred to the user for a decision, or denied when systrace runs in automatic mode (-a); the deny[eperm] form chooses the errno the process sees.
  • Network-Based Intrusion Detection
    • Snort
    • ACID (Analysis Console for Intrusion Databases), the web front end to Snort's alert database
  • Honeypots
    • Use inetd.conf to provide honeypot services that no legitimate client needs.
    • Use hosts.allow to deny and log each connection to them.
  • Countermeasures
    • traceroute to the source
    • Firewall rules
    • /etc/hosts.deny (FreeBSD builds the wrappers with the option syntax, so the shell command goes in a spawn clause; the daemon name is the server's argv[0] basename, tftpd on FreeBSD, and mail lives in /usr/bin):
    • tftpd: ALL: spawn (finger -l @%h | /usr/bin/mail -s %d-%h root) &
    • Fingering back the attacker's host is the classic example, but it is itself a probe that can be noticed, answered with garbage, or used to make two wrapped hosts finger each other; logging the client details with logger(1) is the safer default.
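The inetd/TCP Wrappers slides earlier and the honeypot and countermeasure slides here combine into one configuration. The following added example (not from the slides and not FreeBSD's shipped hosts.allow) stages it in a scratch directory and checks it with tcpdchk/tcpdmatch before anything is copied into /etc. The admin subnet, the choice of tftpd and fingerd as honeypots, and the logger invocations are assumptions; because the deny decisions are expressed as options inside hosts.allow, no hosts.deny is needed:

```sh
#!/bin/sh
# Added example (not from the slides): stage a FreeBSD-style hosts.allow that
# implements "default deny, log every exception" for inetd/libwrap services,
# with tftpd and fingerd kept only as honeypots, and check it with tcpdchk(8)/
# tcpdmatch(8) before copying it into /etc. The subnet is an assumed placeholder.
# FreeBSD builds tcp_wrappers with PROCESS_OPTIONS, so the third field is an
# option list (allow/deny/spawn), not the older shell-command form.
admin_net="198.51.100.0/255.255.255.0"

# stage_wrappers DIR: writes DIR/etc/hosts.allow and an inetd.conf fragment.
stage_wrappers() {
    mkdir -p "$1/etc"
    cat > "$1/etc/hosts.allow" <<EOF
sshd : ${admin_net} : allow
sshd : ALL : spawn (/usr/bin/logger -p auth.notice "tcpd: %d refused %c") & : deny
tftpd, fingerd : ALL : spawn (/usr/bin/logger -p auth.warning "honeypot: %d probed by %c") & : deny
ALL : ALL : spawn (/usr/bin/logger -p auth.notice "tcpd: %d refused %c") & : deny
EOF
    # inetd.conf entries that exist only so the wrapper sees (and logs) the probe;
    # nowait/3/10 caps fingerd at 3 children and 10 connections per minute per source.
    cat > "$1/etc/inetd.conf.honeypot" <<'EOF'
tftp    dgram   udp     wait        root    /usr/libexec/tftpd      tftpd -l -s /tftpboot
finger  stream  tcp     nowait/3/10 nobody  /usr/libexec/fingerd    fingerd -s
EOF
}

# check_wrappers DIR: syntax-check the staged file (tcpdchk -d reads ./hosts.allow)
# and simulate a client with tcpdmatch; skipped where the tools are not installed.
check_wrappers() {
    ( cd "$1/etc" || exit 1
      command -v tcpdchk   >/dev/null 2>&1 && tcpdchk -v -d
      command -v tcpdmatch >/dev/null 2>&1 && tcpdmatch -d sshd 10.1.2.3
      true )
}

# Typical use: d=$(mktemp -d); stage_wrappers "$d"; check_wrappers "$d";
# then copy "$d/etc/hosts.allow" to /etc and merge the inetd.conf lines.
```

Order matters: libwrap stops at the first matching line, so the sshd allow for the admin subnet must precede the sshd deny, and the final ALL : ALL line is what turns the file into a default deny. The %c expansion records user@host where ident answers and the address otherwise, which is the detail the Log All Exceptions slide asks for.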
  • Monitoring
    • In /etc/syslog.conf (selectors are separated by semicolons, and the selector and action fields by tabs):
    • auth.*;authpriv.*	/var/log/authlog
    • Also send a copy to a separate log host (action @loghost) so a compromised machine cannot quietly erase its own trail.
  • Keeping Abreast of Vulnerabilities
    • FreeBSD security advisories (the slide calls them CERT announcements); subscribe with:
      • echo "subscribe freebsd-security-notifications" | mail majordomo@FreeBSD.org
    • Archive of advisories:
      • ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories
  • Future
    • ACLs - finer grained access controls.
    • Robert Watson’s ACLs for VFS, still need UFS support.