FreeBSD 6 Unleashed
Michael Urban, Brian Tiemann
ISBN: 0-672-32875-5
Copyright © 2006 by Sams Publishing
www.samspublishing.com

BONUS CONTENT
Chapter 30 Network Security PDF:799
Chapter 31 Virtual Private Networks (VPNs) PDF:845
Chapter 32 The Domain Name Server PDF:861
Chapter 33 The Network Filesystem (NFS) PDF:883
Chapter 34 File and Print Sharing with Microsoft Windows PDF:895
Chapter 35 Dynamic Host Configuration Protocol (DHCP) PDF:911
Appendix A Command Reference and Configuration File Reference PDF:921
Appendix B Hardware Compatibility Lists PDF:929
Appendix C Troubleshooting Installation and Boot Problems PDF:945
Appendix D Sources for More Information PDF:951

CHAPTER 30
Network Security

IN THIS CHAPTER
• Choosing a Security Model Based on Your Security Risks
• Security Models
• The Security Risks You Face
• Password Policies
• Avoiding Problems with Clear-Text Services
• Securing Terminal Traffic (SSH)
• Securing Email Services (POP3 and IMAP)
• Securing FTP
• Securing Apache
• System Security Profiles and Kernel Security (Securelevels)
• Using a Firewall
• Preventing Intrusions and Compromises
• Denial of Service (DOS) Attacks
• Physical Security
• Other Security Resources

System security is arguably the most important part of any administrator’s job, whether it applies to a Windows server, a commercial UNIX system, Linux, or FreeBSD. More books have probably been written about security issues than about any other topic—and with good reason. It’s an immensely complex subject, but one that’s crucially important to the success of a networked system. Although this chapter can’t cover every facet of system security, it offers a good, general overview and includes information on all of the topic’s critical aspects.

This chapter helps you develop a security policy for your FreeBSD system based on the risk factors it faces in its role as a server or workstation. It gives you the tools you need to monitor your system’s perimeter, keep on top of alerts that are raised in the field, patch your system in response to those alerts, and make sure the services you provide to your users are not opening your system up to attack. It also gives you some idea of what you can do to recover when—not if—your machine is hacked.

Choosing a Security Model Based on Your Security Risks

The Internet today is not an especially friendly place for servers, and as an administrator you must always fear and prepare for the worst. The proliferation of “rootkit” tools—prepackaged weapons that attackers can use to gain super-user access to your system—and published attack scripts provides unfortunate fodder for countless individuals with nothing better to do than pursue destructive hobbies. You must assume that your system is being probed for security weaknesses at all times and expect the situation to grow more dangerous with each new published exploit. Your only defense is to keep your system as up to date as possible, act on new security advisories as soon as they’re released, run only the services that are necessary, and be educated about the real dangers that threaten your system and where the greatest risks lie.

Security Models

You can adopt one of several models of security for your system, based on your system’s setup and use patterns and your philosophy toward the security needs the system presents. The security model you choose will dictate how careful you must be about certain administrative duties, such as password policies, open services, encrypted traffic, and so on.
Here’s a short list of some security models, each defined by a general statement that sums up the administrator’s assessment of security risks:

• I trust everybody on the Internet. Most certainly an inadvisable model under any circumstances, this is nonetheless the philosophy that guides the lack of security safeguards surrounding many amateur servers, and the administrators of those systems—who seldom maintain them properly—ultimately pay the price for it. Often found on university systems, especially those that have been around since before the Internet became so rich in hacker activity, systems administered with this philosophy have many open services, don’t require encrypted logins, have loose account and password policies, and are easy targets for hack attacks.

• I trust anybody on my system’s network. This philosophy is common in small enterprise networks where the server is protected from the general Internet by a firewall or NAT router, and the internal network is made up of employees of a single company or department at a university. In this model, malicious users on the internal network are rare, especially if the organization is small, so the system can afford to provide unencrypted services, give accounts to anybody who asks for them, and even have disabled login security and passwords. Unfortunately, in large organizations, attacks on servers maintained under this model—attacks from within the network, by people who are supposed to be trustworthy—have become more frequent than attacks from outside. If your organization is large, you must assume that you cannot trust everybody on your system’s network, and instead choose a different security model.

• I trust my local users. Administrators who maintain this philosophy tend to be more paranoid than administrators of the systems described in the first two models in this list. This security model is characterized by a tight network security policy: screening of users before new accounts are granted, encrypted network services (either required or encouraged), unnecessary services turned off, and crack-resistant passwords. However, local users are allowed to access internal services and see sensitive information (such as encrypted password strings). The idea is that once users are approved and given accounts, they can have the run of the system, and betrayal of that trust is grounds for removal from the system. This model is appropriate for hobbyist systems that serve a “low-risk” audience (for example, a fan website or community email service), or for high-profile commercial Internet servers where only a few trusted people actually have user accounts.

• I trust only myself and other administrators. The model favored by the most paranoid system administrators, this model not only has tight network security as in the preceding model, but tight local security as well. Regular users are denied access to system configuration files and server-side program code through carefully crafted permissions, Access Control Lists, and even Mandatory Access Control (MAC) labels (an advanced mechanism for controlling user access to files, sockets, and processes throughout the system). The administrator must watch each user carefully to make sure nothing unauthorized is being done, and special measures (such as custom shells, chroot jails, and the disabling of certain commands) are often taken to restrict each user’s access to the system’s resources. This model is useful for high-profile servers that provide email or web hosting services to hundreds or thousands of users from indeterminate or anonymous backgrounds.
After you’ve decided what model is appropriate for you and your system for network and user-level security, you need to decide where the risk areas are for that model and what you can do to combat the exploitability of those areas.

The Security Risks You Face

“Perfect security” is a myth; only superhuman effort can keep a system so completely buttoned up that no attack can ever get through. The next best thing, however, is to know which areas of your system are at greatest risk and how those risks can be combated. Security risks for a network server can be grouped into three major categories:

• Root compromise—An attacker takes advantage of unencrypted transmissions or known programming weaknesses in server software (most commonly buffer overflows, or weaknesses in input boundary checking in server software) to gain super-user access to the system. He then installs tools of his own to conceal his presence from your system-monitoring tools (such as last and ps) and can steal any of your critical data or use your system as a base point for further hacking activities.

• Privacy compromise—If network traffic to and from your system is not encrypted (scrambled), an attacker can view any of it, including passwords (potentially leading to root compromise) or any user’s critical or private communications.

• Denial of service—An attacker (or a widespread network of attackers, often made up of unwitting “zombies”) uses brute-force methods such as flooding your server with large amounts of legitimately constructed traffic, thus swamping its ability to serve traffic to normal clients and potentially crashing the system.

Within each of these categories of security risks, the most common threats result from these specific security weaknesses:

• Insecure (weak) passwords—Passwords that can be guessed by software using common words and sequences.

• Clear-text services—Services in which passwords and other sensitive information can be obtained just by “sniffing” the unencrypted data packets on the wire.

• Unnecessary and exploit-prone services—If you don’t need to provide a service, don’t. It can only cost you in the end.

• Open SMTP relaying—Allowing spammers to use your SMTP server as an open relay for broadcasting junk mail.

• Unfiltered network access—Run a firewall to prevent unauthorized or undesirable traffic from getting to your machine.