注:写的不错,虽然只是提纲,看了会有所收获。
BSD security fundamentalsSean Lewis
sml@subterrain.net
http://www.subterrain.net
Scope and Scale
Focus: FreeBSD – enterprise hardware support + most ‘mainstream' ?
Security refresher + some new and interesting BSD security information.
Emphasis on host-based security, one of the first layers of the security ‘onion'.
The Basics
If modifying an existing system, MAKE BACKUPS!
Unnecessary services – prune /etc/inetd.conf and rc.conf – ‘explicit service enable'. 4.4-R = safer inetd.conf
Work with the latest version of the OS – tracking STABLE or the new RELEASE branch is recommended.
Encrypted communication
Immediately disable telnet and use SSH – OpenSSH is included in FreeBSD installation.
Use the sftp server function built into the ssh2 protocol rather than a standard ftpd.
Set up public key authentication with SSH to prevent password transmission.
File-system lockdown
Mount non /usr or / [for /sbin] filesystems with the ‘nosuid' argument, especially /tmp.
Search for and remove the suid bits off of non-used binaries [especially uucp – setgid]
Use the chflags to set variables such as sappnd on log files, schg on system binaries, etc.
Kernel Securelevels
Kernel securelevels allow variable security level increases on the fly.
Levels range from –1 -> 3, -1 and 0 being “insecure mode”.
Securelevels may only be raised, not lowered once the system is in multiuser mode.
Securelevels controlled via sysctl controls.
Securelevel 1 – sappnd and schg flags can not be disabled – LKMs may not be loaded / unloaded.
Securelevel 2 – securelevel 1 + no writing to disks except for mount(2). Time changes also clamped to 1sec.
Securelevel 3 – securelevel 2 + ipfw rules cannot be modified.
Schg on files in / for maximum effectiveness
Sysctl/rc.conf variables
net.inet.tcp.blackhole=2 and net.inet.udp.blackhole=1 – don't generate RSTs on portscan, replaces RESTRICT_RST.
kern_securelevel_enable=“YES” kern_securelevel=“X”
icmp_drop_redirect=“YES”
fsck_y_enable=“YES”
Secure your services
Start potentially dangerous programs such as bind in a chroot'd environment.
Log_in_vain=“YES” in rc.conf will show connections to tcp/udp ports with no service bound to them.
Use packet filtering software such as ipfw or ipfilter to restrict access to services.
Serving files with ftpd
FreeBSD powers large ftp software sites such as ftp.cdrom.com - securely!
Put individual users in the /etc/ftpchroot file to restrict them to their $HOME.
Start ftpd with –l –l [twice] to enable extended logging.
If running a large anonymous archive, use ftpd –A [only anonymous allowed] and –r [read-only mode for the server].
Serving web pages with apache
Why apache? Reliable, widely-used, runs in a relatively secure fashion.
Run httpd processes as non-root user, ‘nobody' is default, creating ‘www' user may offer more granularity.
Run apache in a jailed environment to limit access.
Use suEXEC to execute CGIs as a non-priveleged user.
Logging
Start syslogd with the ‘-s –s' flags to prevent it from opening 514/udp.
Add a /var/log/ftpd entry for ftp.* in syslog.conf.
Create a /var/log/security entry for security.* and auth.info syslog levels.
Enable ipfw logging to syslog.
Keeping people out.
Use tcp wrappers [/etc/hosts.allow] to allow/deny access to certain tcp-based services.
Use the AllowUsers/AllowGroups SSH configuration options to allow certain users and groups to connect via SSH.
Give users who only require ftp access the /sbin/nologin shell to prevent access to a real shell.
How to check your security
/usr/ports/security/nmap – port scan yourself to check for strange services.
/usr/ports/security/whisker – audit your web server for potential vulnerabilities.
/usr/ports/security/tripwire-1.31 – ASR of tripwire, file integrity assurance.
/usr/ports/security/snort – lightweight NIDS ex: http://www.subterrain.net/snort
Other tips + tricks.
Use ntpdate to synch your clock with a time server such as clock.isc.org. crontab it to keep it reliable.
In /etc/ttys change the ‘secure' flag to ‘insecure' on each local TTY to prevent direct root login.
Enable sudo for restrictive root-level access.
Remember – turn off / remove what you don't use – complexity does not compliment security.
Backporting sysctl stuff from –CURRENT to reduce the need for things like setgid kmem.
Links to related material.
This presentation: http://www.subterrain.net/
FreeBSD security advisories and info: http://www.freebsd.org/security
FreeBSD security how-to: http://people.freebsd.org/~jkb/howto.html
