Security Overview
Total Page:16
File Type:pdf, Size:1020Kb
Security Fundamentals and Practice Parts pre SANOG VI Workshop This presentation is split in to five parts: January 11, 2005 1.) Intro Thimphu, Bhutan 2.) Realistic first steps 3.) “Medium” or next steps Hervey Allen Network Startup Resource Center 4.) “Complex” steps 5.) Conclusion 1 2 Part I Core security concepts Top-level concepts In the end you want to: Steps to take ¡ Maintain confidentiality. ¡ Some resources Keep data safe from intruders. ¡ Integrity: protect from loss or change. ¡ Authentication Is this person who they claim to be? Is this person allowed access? ¡ Availability 3 4 Are our systems up and running? Maintain confidentiality Keep data safe from intruders To do this you need to have: Requires some effort: ¡ ¡ Correct user and file permissions. Keep people out who don't belong: ¢ ¡ Strong passwords. Trust your users. ¢ Strong passwords. ¡ Trust in your users. ¢ Limit services you run. ¢ ¡ Use of good cryptographic methods. Protect the services you do run. ¡ Encrypt data as needed. ¡ Backup data in case of intrusion or corruption. ¡ Remember physical security. 5 6 Integrity Authentication Protect your data against loss or change. How do you ensure?: ¡ ¡ Backup your data. Someone accessing your system is who they claim to be? ¡ Consider revision control. ¢ Trusted users. ¡ Intrusion detection systems (IDS). ¢ Strong passwords. ¢ Public/Private keys. ¡ The person is allowed access? In the end is your data unchanged by ¢ Maintain accounts properly. others? How can you tell? ¢ Correct user/group/file permissions. ¢ Scan and watch for SUID and SGID. 7 8 Authentication example: Host name Availability Can be “spoofed” by loading false DNS cache Make sure your server and services are up and information. detect attacks like Denial of Service (DoS). Slight protection by ensuring that reverse and Log what your services do and install log “watching” software. forward DNS matches: e.g. Connection received from 202.144.139.253 Setup notifications if there are problems. Lookup 202.144.139.253 -> noc.presanog.bt.org Scan for network attacks like spoofing Lookup noc.presanog.bt.org -> 202.144.139.253 (ARP), syn packet dumping, general packet This is why many sites won't let you connect source address spoofing, brute force unless your forward and reverse matches attacks (dictionary password crack attempts). 9 10 Steps to take Steps to take cont. ¡ ¡ Run only the services you plan on using. Restrict access to your box using IP ¡ firewall services (ipfw, ipf base system). Use only the services that are necessary. ¡ ¡ Buffer overflow attacks. Be aware of them. Stay up-to-date and patch ¡ services as needed. Log events and understand your logs. ¡ ¡ Use secure passwords and Install intrusion detection software. ¡ force your users to use them. ¡ Back up your server's data! ¡ Consider if you need quotas. ¡ Think about physical security. ¡ Restrict root access to services. ¡ Test your security model. Restrict access to services via ¡ Don't forget about your clients. 11 tcpwrappers if appropriate. 12 A few resources Part II The FreeBSD Handbook: Realistic first steps ¢ /usr/share/doc/en/books/handbook/index.html ¢ Getting started Chapter 14: Security Class reference book: Understand what you are doing ¢ Practical Unix & Internet Security, 3rd Edition Practical – implement first steps. ¢ http://www.oreilly.com/catalog/puis3/index.html Security repository with references and examples: ¢ http://nsrc.org/security/ 13 14 What's realistic to start What's realistic next steps Reduce number of services. “Medium” Install and use cryptographic methods to Restrict access with tcpwrappers (inetd). access services. Safeguard against DoS attacks. Require reasonable passwords. Install automated logging systems. Backup your data. Use file system quotas. Keep track of your logs – that is use them! Test your solutions (nmap, nessus). Keep services up-to-date. “Complex” Sign-up for and read security mailing lists. Configure and use an IDS. Consider physical security issues. 15 16 Use a firewall. Security from the start Understand what you are doing Make sure a server is secure before you connect A bad security solution is worse than no it to your network. security at all. False sense of security. Consider that you may experience some of these types of attacks: Know what you are doing: Passive attacks: ¡ - e.g. Packet sniffers, traffic analysis (ngrep, dsniff). Read all the documentation. Active attacks: ¡ Read sample configurations. - e.g. Connection hijacking, IP source spoofing, exploitation of weaknesses in IP stack or applications. ¡ Build test machines. Denial of Service attacks: e.g. Synflood. ¡ Ask questions (don't be shy!). “Man in the middle” attacks: Hijacking services. ¡ Join the announcements and/or security mailing Attacks against the network itself: e.g. smurf. list for your O/S and applications. 17 18 Reduce the number of services Reduce number of services cont. What is being started at system startup? To see what is running you could use: ¡ grep YES /etc/defaults/rc.donf ¡ lsof -i ¡ grep YES /etc/rc.conf ¡ netstat -an -f inet ¡ ls /usr/local/etc/rc.d ¡ ps -auxw | more ¡ /etc/inetd.conf ¡ sockstat -4 Delete services you are not using. ¡ Change “YES” entries in rc.conf to Know what each and every item is. “NO” Simplify – remove any and all services ¡ Remove /usr/local/etc/rc.d start scripts. you are not using. ¡ Comment out services in /etc/inetd.conf 19 20 Run only the services you need Services you might remove What do we mean by this? Really this Some services that often run that you means, more or less, the following: might want to remove include: ¡ rpc, rpc.mountd, rpc.nfsd (nfs support) Think through what it is you are providing ¡ to your clients. smbd and nmbd (Samba Windows fileserver) ¡ automount (mount filesystems when accessed Is there some other way to provide a under Linux_) service that is more secure? ¡ named (DNS server) ¡ Should you separate out services to more inetd (old-style tcpwrappers) than one server? ¡ telnet rlogin, rexec, ftp (not encrypted!) ¡ ¢ finger, comsat, chargen, echo, identd (id cmds) NFS or Samba or shell access? FTP? ¡ sendmail 21 22 Use cryptographic methods to Require Reasonable Passwords access services ¡ POP/IMAP with SSL only. First, there are some issues to consider: ¡ Consider TLS-Enabled SMTP. ¡ “Bad” passwords can be guessed. ¡ Remove Telnet replace with SSH. ¡ If passwords become too complex, ¡ Remove FTP replace with SCP or SFTP. then users tend to write them down. ¡ ¡ Passwords sent unencrypted can be Anonymous FTP is OK, but be careful if “sniffed” from the network and you allow user uploads. reused (consider the case of dsniff). ¡ Require HTTPS (HTTP over SSL) for So, enforce strong passwords and don't sensitive information. run services that are unencrypted. 23 24 What is a “good” password How to enforce good passwords Combination of upper and lower-case You can use cracklib with Pluggable Authentication letters, numbers and symbols. Modules (PAM). ¡ Brute force attacker has to try many more Cracklib keeps a user from creating trivial passwords. combinations. You can find cracklib here: Not in any dictionary, including hackers ¡ /usr/ports/security/cracklib dictionaries. You should enable it here: Two samples of creating a good password: ¡ /etc/pam.d/passwd $40&yc4f Cracklib is not enabled by default in FreeBSD – it is in "Money for nothing and your chicks for free" many Linux distributions. wsR!vst? Requires installing cracklib and uncommenting one "workshop students aRe not very sleepy today ?" line in /etc/pam.d/passwd. 25 26 Cracklib More cracklib From “locate cracklib” under FreeBSD 5.3: Taken directly from the cracklib README file: /usr/local/libdata/cracklib 4) it's MIND-NUMBINGLY THOROUGH! /usr/local/libdata/cracklib/pw_dict.hwm /usr/local/libdata/cracklib/pw_dict.pwd (is this beginning to read like a B-movie flyer, or /usr/local/libdata/cracklib/pw_dict.pwi what?) /usr/local/man/man3/cracklib.3.gz CrackLib makes literally hundreds of tests to /var/db/pkg/cracklib-2.7_2 determine whether you've chosen a bad password. /var/db/pkg/cracklib-2.7_2/+COMMENT /var/db/pkg/cracklib-2.7_2/+CONTENTS It tries to generate words from your username and /var/db/pkg/cracklib-2.7_2/+DESC gecos entry to tries to match them against what /var/db/pkg/cracklib-2.7_2/+MTREE_DIRS you've chosen. As you can see cracklib is installed, a cracklib It checks for simplistic patterns. dictionary, and the PAM cracklib shared library. It then tries to reverse-engineer your password into a dictionary word, and searches for it in your dictionary. (> million entries!) - after all that, it's PROBABLY a safe(-ish) password. 8-) 27 28 Other password checkers Extra: More ways to control users Some tools you could run against /etc/master.passwd Look in to /etc/login.conf if you wish to after password generation for more thorough testing. define login classes for your users to control their access to resources. John the Ripper: http://www.openwall.com/john/ Crack: http://www.crypticide.org/users/alecm FreeBSD Handbook section 13.7 FreeBSD's built-in PAM module pam_passwdqc. /usr/share/doc/en/books/handbook/users-limiting.html You would create a cron entry to run a process against Consider file system quotas. some/all user passwords once every certain period. “Cracked” passwords would generate an email FreeBSD Handbook section 16.14 warning to the user asking them to change their /usr/share/doc/en/books/handbook/quotas.html password or be disabled. 29 30 Detailed considerations for backing Back up your server's data! up your server's data Pretty hard to stress this more. If your security What do you want to backup? What do you need to backup? is compromised what will you do without a How often must you backup:? backup? A few basic items to consider are: ¡ User data What needs to be backed up.