This document has been published jointly by The Australian Computer Emergency Response Team (AusCERT) and the CERT® Coordination Center (CERT/CC) and details steps to improve the security of Unix Operating Systems. We encourage system administrators to review all sections of this document and if appropriate modify their systems accordingly to fix potential weaknesses.
The most current version of this document is available from:
http://www.auscert.org.au/Information/Auscert_info/papers.html
While this document details security procedures for UNIX based systems, it should not be used as a tool for recovering from a system compromise. For information on recovering from a system compromise we encourage you to review the "Steps for Recovering from a UNIX or NT System Compromise" document, available from:
http://www.auscert.org.au/Information/Auscert_info/Papers/win-UNIX-system_compromise.html
It is our intention to continue to update this checklist. Any comments should be directed via email to auscert@auscert.org.au and cert@cert.org. Before using this document, ensure you have the latest version. New versions of this checklist will be placed in the same area and should be checked for periodically.
If possible, apply this checklist to a system before attaching it to a network. In addition, we recommend that you use the checklist on a regular basis as well as after you install any patches or new versions of the operating system, with consideration given to the appropriateness of each action to your particular situation.
AusCERT and CERT/CC advise that this information is provided without warranty - sites should ensure that actions and procedures taken from information in this document are verified and in accordance with security policies that are in place within their organisation. Listing of an application program or tool within this document does not constitute endorsement by AusCERT, The University of Queensland, or CERT/CC.
http://www.xinetd.org/
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.286
-:wheel:ALL EXCEPT LOCAL
2.13 PAM (Pluggable Authentication Modules)
/usr/bin/login:
        libutil.so.3 => /usr/lib/libutil.so.3 (0x28068000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x28072000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x28074000)
        libc.so.4 => /usr/lib/libc.so.4 (0x2807d000)
Note the libpam.so.1 entry: login is linked against the PAM library, so its authentication behaviour is governed by the PAM configuration.
http://www.kernel.org/pub/linux/libs/pam/
http://www.sun.com/solaris/pam/
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2000.222
ftp://ftp.greatcircle.com/pub/majordomo/
or via HTTP from:
http://www.greatcircle.com/majordomo/
NAME          PORT/PROTOCOL     NAME          PORT/PROTOCOL
tcpmux        1/tcp             netbios-ns    137/udp
echo          7/tcp             netbios-dgm   138/tcp
echo          7/udp             netbios-dgm   138/udp
discard       9/tcp             netbios-ssn   139/tcp
discard       9/udp             netbios-ssn   139/udp
systat        11/tcp            imap          143/tcp
daytime       13/tcp            snmp          161/udp
daytime       13/udp            snmp-trap     162/udp
netstat       15/tcp            xdmcp         177/udp
chargen       19/tcp            exec          512/tcp
chargen       19/udp            biff          512/udp
ftp           21/tcp            login         513/tcp
ssh           22/tcp            who           513/udp
telnet        23/tcp            shell         514/tcp
smtp          25/tcp            syslog        514/udp
domain (DNS)  53/tcp            printer       515/tcp
domain (DNS)  53/udp            talk          517/udp
bootps        67/tcp            ntalk         518/udp
bootps        67/udp            route         520/udp
bootpc        68/tcp            klogind       543/tcp
bootpc        68/udp            socks         1080/tcp
tftp          69/udp            nfs           2049/tcp
finger        79/tcp            nfs           2049/udp
http          80/tcp            X11           6000 to 6000+n/tcp
pop2          109/tcp                         (n = maximum number of X servers)
pop3          110/tcp
sunrpc        111/tcp
netbios-ns    137/tcp
echo 0 > /proc/sys/net/ipv4/ip_forward
Firewalls and Internet Security B.1.6
Building Internet Firewalls B.1.7
Deploying Firewalls
http://www.cert.org/security-improvement/modules/m08.html
AusCERT Alert AL-98.01 - multiscan ('mscan') Tool
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-98.01.mscan
CERT/CC Advisory CA-1998-01 - Smurf IP Denial-of-Service Attacks
http://www.cert.org/advisories/CA-1998-01.html
AusCERT Alert AL-1999.001 - "sscan" scanning tool
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.001.sscan
RFC2644/BCP34 - Changing the Default for Directed Broadcasts in Routers
http://rfc.net/rfc2644.html
UNIX IP Stack Tuning Guide v2.7 (Rob Thomas)
http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html
CERT/CC Advisory CA-1998-01 - Smurf IP Denial of Service Attacks
http://www.cert.org/advisories/CA-1998-01.html
RFC2827/BCP38 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
http://rfc.net/rfc2827.html
http://www.iana.org/assignments/ipv4-address-space
More information about address space allocated to private use can be found at:
RFC1918 - Address Allocation for Private Internets
http://rfc.net/rfc1918.html
Results of the Distributed-Systems Intruder Tools Workshop:
http://www.cert.org/reports/dsit_workshop-final.html
3.3 Encryption and Strong Authentication
http://www.sans.org/infosecFAQ/encryption/encryption_list.htm
4.2 Startup and Shutdown Scripts
4.3 External File Systems/Devices
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-95.07.Incorrect.Permissions.on.tmp.may.allow.root.access
We recommend that any script or binary to be executed by root should be owned by root and should not be world or group writable. Additionally, this file should only be located in a directory for which every parent directory is owned by root and is not group or world writable.
Many systems ship files and directories owned by bin (or sys). This varies from system to system and may have serious security implications.
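The ownership and write-permission rule above is easy to state and easy to get wrong by hand, because it applies to every directory on the way to the file, not only to the file itself. The following is an added example (not part of the original checklist) of a site-specific checker that walks from a file up to a trust boundary and reports any component that is not owned by the expected uid or is group- or world-writable. The demo() fixture, the temporary tree it builds and the script name nightly.sh are constructed for illustration; it checks against the current uid because an unprivileged test cannot create root-owned files, whereas in production you would call it with the default owner_uid=0 and top="/".

```python
import os
import stat
import tempfile


def unsafe_root_exec_path(path, owner_uid=0, top="/"):
    """Check a file that root will execute, plus every directory above it.

    Returns a list of problem descriptions (empty means the path passes).
    Each component from the resolved file up to and including `top` must be
    owned by `owner_uid` and must not be group- or world-writable; otherwise
    a non-root user could replace the script, or a directory on the way to
    it, and have root run code of their choosing.
    """
    problems = []
    # Resolve symlinks first so the check applies to the file actually run.
    p = os.path.realpath(path)
    top = os.path.realpath(top)
    while True:
        st = os.lstat(p)
        mode = stat.filemode(st.st_mode)
        if st.st_uid != owner_uid:
            problems.append(f"{p}: owned by uid {st.st_uid}, expected {owner_uid}")
        if st.st_mode & stat.S_IWGRP:
            problems.append(f"{p}: group writable ({mode})")
        if st.st_mode & stat.S_IWOTH:
            problems.append(f"{p}: world writable ({mode})")
        parent = os.path.dirname(p)
        if p == top or parent == p:  # reached the trust boundary or "/"
            break
        p = parent
    return problems


def demo():
    """Constructed fixture (not real system data): a small tree under a
    temporary directory, checked against the current uid because the test
    cannot create root-owned files.  Returns the findings for a clean tree
    and for the same tree after the classic mistake, chmod g+w on sbin."""
    base = tempfile.mkdtemp()
    sbin = os.path.join(base, "sbin")
    script = os.path.join(sbin, "nightly.sh")   # hypothetical root cron job
    os.mkdir(sbin)
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho hypothetical root cron job\n")
    for path in (base, sbin, script):
        os.chmod(path, 0o755)
    me = os.getuid()
    clean = unsafe_root_exec_path(script, owner_uid=me, top=base)
    os.chmod(sbin, 0o775)           # group-writable directory above the script
    dirty = unsafe_root_exec_path(script, owner_uid=me, top=base)
    os.chmod(sbin, 0o755)
    os.remove(script)
    os.rmdir(sbin)
    os.rmdir(base)
    return clean, dirty


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Run against real crontab entries and rc scripts with the defaults: any line of output is a path a non-root user could use to get code run as root. Note that with top="/" the walk also inspects /tmp and similar sticky, world-writable directories, which is exactly why scripts executed by root should never live under them.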
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-93.04.Password.Policy.Guidelines
See this advisory for guidelines on developing password policies.
http://www.courtesan.com/sudo/
http://www.stikman.com/sudo/
http://www.openldap.org/
http://www.umich.edu/~dirsvcs/ldap/
http://www.isc.org/products/BIND
Secure BIND Template
By Rob Thomas
http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html
Securing an Internet Name Server
By Cricket Liu
http://www.acmebw.com/resources/papers/securing.pdf
Chroot-BIND HOWTO
By Scott Wunsch
http://www.linuxsecurity.com/docs/HOWTO/Chroot-BIND-HOWTO/Chroot-BIND-HOWTO.html
http://cr.yp.to/djbdns.html
http://www.sendmail.org/
NOTE: If you don't already run the current version of sendmail, then it may take you some time to build, install, and configure the system to your needs. For example, other sendmail configuration files may not be compatible with the latest version of sendmail.
8.2 Alternatives (qmail and postfix)
http://cr.yp.to/qmail.html
http://cr.yp.to/ucspi-tcp.html
http://www.postfix.org/ftp-sites.html
http://www.postfix.org
http://www.apache.org/
http://cr.yp.to/publicfile.html
http://www.wu-ftpd.org
ftp://www.wu-ftpd.org
10.1 General Server Configuration
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.02
ftp:*:400:400:Anonymous FTP:/home/ftp:/bin/false
where /home/ftp is the anonymous FTP area.
root:*:0:0:Ftp maintainer::
ftp:*:400:400:Anonymous ftp::
The password file is used only to provide uid to username mapping for ls(1) listings.
http://www.wu-ftpd.org
http://www.proftpd.net/
http://cr.yp.to/publicfile.html
When using NFS, you implicitly trust the security of the NFS server to maintain the integrity of the mounted files.
ftp://ftp.cs.vu.nl/pub/leendert/nfsbug.shar
NOTE: A "web of trust" is created between hosts connected to each other via NFS. That is, you are trusting the security of any NFS server you use.
The Samba service provides filesystem shares to clients that are running other operating systems, usually a version of Microsoft Windows.
Use the security = user parameter in smb.conf.
hosts allow =
hosts deny =
Samba sources and documentation are available from:
http://www.samba.org/
AFS is a distributed filesystem that makes use of Kerberos to authenticate users. It allows the use of access control lists (ACLs). It is available from the Transarc Corporation.
Information is available from:
ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/afs-faq.html
http://www.transarc.ibm.com/Product/EFS/AFS/index.html
DFS is a distributed filesystem, also available from the Transarc Corporation. Information is available from:
http://www.transarc.ibm.com/Product/EFS/DFS/index.html
Access to your X server may be controlled through either a host-based or user-based method. The former is left to the discretion of the Systems Administrator at your site and is useful as long as all hosts registered in the /etc/Xn.hosts file have users that can be trusted, where "n" represents your X server's number.
This may not be possible at every site, so a better method is to educate each and every user about the security implications (see references below). Better still, when setting up a user, give them a set of X security related template files, such as .xserverrc and .xinitrc. These are located in the users home directory.
You are strongly advised to read the section on X window system security referred to in the X Window System Administrators Guide (B.1.4).
Do not use any version of X11 prior to release 6, which resolved security problems that existed in earlier versions. If necessary, obtain the source for X11R6 and compile and install it on your system. This may be obtained from:
http://www.x11.org
Patches for the BSDI Internet Server and Internet Super Server can be found at:
http://www.bsdi.com/services/support/patches/
Security Advisories for the BSDI Internet Server and Internet Super Server can be found at:
http://www.bsdi.com/services/support/
Patches for the FreeBSD operating system (choose your platform) can be found at:
ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386
ftp://ftp.freebsd.org/pub/FreeBSD/releases/alpha
http://www.freebsd.org/security/
Security patches for the NetBSD operating system can be found at:
http://www.netbsd.org/Security/
Patches for OpenBSD can be found at:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/
http://openbsd.org/errata.html
Updates for specific versions of the OpenLinux product can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/
http://www.calderasystems.com/support/security/
Security information for Debian GNU/Linux, including links to security bulletins, patches and updates can be found at:
http://www.debian.org/security/
Security information for Mandrake Linux, including links to advisories, patches, and updates can be found at:
http://www.linux-mandrake.com/en/security/
The Bastille Hardening System attempts to "harden" or "tighten" the Linux operating system. It currently supports RedHat and Mandrake systems. Additional information can be found at:
http://bastille-linux.sourceforge.net
Security information for RedHat Linux, including links to advisories, patches, and updates can be found at:
http://www.redhat.com/support/errata/
Security patches are incorporated into the latest stable version release as well as in the slackware-current release:
ftp://ftp.slackware.com/pub/slackware/
ftp://ftp.slackware.com/pub/slackware/slackware-current/
Information about security patches is made available via mailing list and is documented in the ChangeLog:
http://www.slackware.com/lists/
http://www.slackware.com/changelog/
SAStk, the Slackware Administrators Security tool kit, provides a simple scripted interface that aids in securing Slackware Linux. Additional information can be found at:
http://www.sastk.org/
Security information for SuSE Linux, including links to advisories, patches, and updates can be found at:
http://www.suse.com/us/support/security/index.html
Security information for TurboLinux, including links to advisories, patches, and updates can be found at:
http://www.turbolinux.com/security/
For other distributions of Linux, please refer to your vendor's website. A useful starting point for finding Linux distribution vendor's sites is:
http://www.linux.org/dist/index.html
ftp://sunsolve1.sun.com/pub/patches/
http://sunsolve1.sun.com/
15.2 IP Forwarding and Source Routing
This is particularly relevant if you are using your Sun server as a bastion host or dual homed system.
ndd -set /dev/ip ip_forwarding 0
ndd -set /dev/ip ip_ip_forward_src_routed 0
For the changes to take effect you will then need to reboot.
set noexec_user_stack=1
set noexec_user_stack_log=1
Note that this may go against the SPARC and Intel ABIs and can be bypassed as required in programs with mprotect(2). For the changes to take effect you will then need to reboot.
set nfs:nfs_portmon = 1
set nfssrv:nfs_portmon = 1
See also 11.1.
#
# File:     /etc/logindevperm
# Purpose:  Specifies that upon login to /dev/console, the
#           owner, group and permissions of all supported
#           devices, including the framebuffer, will be set to
#           the user's username, the user's group and 0600.
# Comments: SunOS specific.
# Note:     You cannot use \ to continue a line.
#
# Format:
# Device        Permission      Colon separated device list.
#
/dev/console    0600            /dev/kbd:/dev/mouse
/dev/console    0600            /dev/sound/*    # audio devices
/dev/console    0600            /dev/fbs/*      # frame buffers
Read the man page for logindevperm(4) for more information.
http://sunsolve.sun.com/
http://www.sun.com/security/
http://www.sun.com/blueprints/
The security section of the BluePrints archive is available from:
http://www.sun.com/blueprints/browsesubject.html#security
http://www.sun.com/blueprints/0401/security-updt1.pdf
http://www.sun.com/blueprints/1200/network-updt1.pdf
http://www.sun.com/blueprints/1100/minimize-updt1.pdf
15.8 Solaris Security Toolkit (JASS)
http://www.sun.com/security/jass/
http://www.sgi.com/support/security/
http://www-viz.tamu.edu/~sgi-faq/faq/html-1/security.html
http://www.protomatter.com/rscan/
Other accounts may be added with known passwords. Here is a partial list of accounts known to have easily guessed passwords.
http://www.sgi.com/support/security/advisories.html
http://us-support.external.hp.com/
http://ftp.support.compaq.com/patches/.new/unix.shtml
http://techsupport.services.ibm.com/rs6000/fixes
http://techsupport.services.ibm.com/rs6000/notification
There are many freely available tools that provide a good mechanism for checking the security of your system. The list below is not a complete list, and you should NOT rely on these to do ALL of your work for you. They are intended to be only a guide. It is envisaged that you may write some site specific tools to supplement these. It is also envisaged that you may look around on HTTP or FTP servers for other useful tools.
AusCERT and CERT/CC have not formally reviewed, evaluated or endorsed the tools described herein. The decision to use these tools is the responsibility of each user or organisation.
Analog is a utility for the analysis of web server log files. It is available from:
http://www.analog.org/loganalysis/download.html
anlpasswd is a pro-active password checker and can replace the standard /bin/passwd. It is available from:
ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/anlpasswd/
Big Brother is a real-time network and system monitoring tool with a web browser interface. It is available at:
http://bb4.com/
CheckWtmp is a tool to check for overwritten information in /var/adm/wtmp on SunOS 4.x systems. It is available via anonymous FTP from:
ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/chkwtmp/
CheckXusers is a script that checks for people logged on to a host from insecure X servers.
ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/checkXusers/
Chkacct is a tool to help with checking permissions. It can automatically correct file permissions or output a list of changes that need to be made. It is available via anonymous FTP from:
ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/chkacct/
Chklastlog is a tool to check for overwritten information in /var/adm/lastlogin on SunOS 4.x systems. It is available via anonymous FTP from:
ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/chklastlog/
The Coroners Toolkit (TCT) is a collection of software tools that provide a System Administrator with a framework for performing computer forensic analysis. TCT aims to automate the task of low-level forensic examination. It is available from:
http://www.fish.com/tct/
PortSentry is a program designed to detect and respond to port scans against a target host in real-time. It is available from:
http://www.psionic.com/abacus/portsentry/
Swatch, the Simple WATCHer program, is an easily configurable log file filter/monitor. Swatch monitors log files and acts to filter out unwanted data and take one or more user-specified actions based on patterns in the log. Swatch is available from
ftp://coast.cs.purdue.edu/pub/tools/unix/logutils/swatch/
tcpdump is a packet capture and protocol dump program. It is available via anonymous FTP from:
ftp://coast.cs.purdue.edu/pub/tools/unix/netutils/tcpdump/
tcptrace allows for analysis of TCP dump files as produced by programs such as tcpdump, snoop etc. It is available from:
http://masaka.cs.ohiou.edu/tcptrace/tcptrace_new/
This software gives logging and access control to most network services. It is available via anonymous FTP from:
ftp://ftp.porcupine.org/pub/security/
This package identifies common security and configuration problems. It also checks for common signs of intrusion. It is available via anonymous FTP.
ftp://coast.cs.purdue.edu/pub/tools/unix/scanners/tiger/
This package maintains a checksum database of important system files. It can serve as an early intrusion detection system. It is freely available via anonymous FTP from:
ftp://coast.cs.purdue.edu/pub/tools/unix/ids/tripwire/
or via HTTP from:
http://www.tripwire.com/downloads/tripwire_asr/
Tripwire is also available as a commercial software package from the following web site:
http://www.tripwire.com
TTY-Watcher is a utility to monitor and control users on a single system. TTY-Watcher is available via anonymous FTP from:
ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/ttywatcher/
Allows chroot functionality. It is available from:
ftp://ftp.porcupine.org/pub/security/
Crack is a fast password cracking program designed to assist site administrators in ensuring that users use effective passwords. Available via anonymous FTP from:
ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/
John the Ripper is a password cracker, designed to detect weak Unix passwords. It is available from:
http://www.openwall.com/john/
The FixModes scripts run on Solaris and remove group and world write permissions on specific system files and directories. The new permissions make it harder for non-root users to become root, and for non-root users to modify system files. FixModes is available from:
http://www.sun.com/blueprints/tools/
Written by Wietse Venema, this package includes replacements for the rsh and rlogin daemons. By default these versions do not accept wildcards in hosts.equiv or .rhosts files. They also have an option to disable user .rhosts files. logdaemon is available via anonymous FTP from:
ftp://ftp.porcupine.org/pub/security/
lsof reports files open by a process, files open on a partition as well as processes listening on a port/socket and processes which have a file open. Available via anonymous FTP from:
ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/lsof/
MD5 is a message digest algorithm. Tools to verify MD5 checksums are included with many current operating systems, for example md5(1) (FreeBSD) or md5sum (Linux). Otherwise, an implementation of MD5 is available via anonymous FTP from:
ftp://coast.cs.purdue.edu/pub/tools/unix/crypto/md5/
This program is designed to provide the system administrator with additional information about who is logging into disabled accounts. It is used as a replacement shell, to be specified in the login shell entry for the account in the unix password file. It is available from:
http://www.fish.com/titan/src1/noshell.c
Detailed instructions on installing and usage of noshell are available from:
http://www.cert.org/security-improvement/implementations/i049.02.html
The S/KEY one-time password system provides authentication over networks that are subject to eavesdropping/replay attacks. This system has several advantages compared with other one-time or multi-use authentication systems: in particular, the user's secret password never crosses the network during login. This directory contains information, the latest version and patches. It is available via anonymous FTP from:
ftp://ftp.cert.dfn.de/pub/tools/password/SKey/
OPIE is an implementation of the One-Time Password (OTP) standard specified in RFC 1938. It is available from:
http://www.inner.net/pub/opie/
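To make concrete why S/KEY and OPIE resist eavesdropping and replay, here is an added example (not code from the S/KEY or OPIE distributions) of the hash-chain mechanism that both the S/KEY paragraph and the OPIE paragraph above refer to. The per-step computation follows the md5 variant of RFC 1938/2289 as I understand it (seed lowercased and concatenated with the passphrase, MD5, digest folded to 64 bits by XORing its halves, then repeated); the six-word encoding, the prompt format and the OtpServer class are simplifications of mine, and the passphrase, seed and count in demo() are constructed. Compare otp_value() against the RFC 2289 Appendix C vectors if you need to confirm the folding against a real implementation.

```python
import hashlib


def _fold_md5(data):
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the
    two halves (the per-step function of the RFC 1938/2289 md5 variant)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_value(passphrase, seed, count):
    """One-time password number `count`: the initial fold of seed+passphrase
    hashed a further `count` times.  The client computes this locally; only
    the result crosses the wire."""
    v = _fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        v = _fold_md5(v)
    return v


class OtpServer:
    """Server side (simplified model): stores only the seed, the sequence
    number and the last accepted value.  Nothing stored here, and nothing
    an eavesdropper sees, lets anyone compute the *next* response, because
    that would require inverting the hash."""

    def __init__(self, seed, count, initial_value):
        self.seed = seed
        self.count = count             # sequence number of the stored value
        self.stored = initial_value    # == otp_value(passphrase, seed, count)

    def challenge(self):
        """What the login prompt shows: the sequence number to answer with,
        and the seed (like 'otp-md5 19 ex1234')."""
        return self.count - 1, self.seed

    def verify(self, response):
        """Accept iff one more fold of the response equals the stored value;
        on success the chain moves down one step so the value cannot be
        reused.  Refuse at count 1: the chain is exhausted and must be
        re-initialised."""
        if self.count <= 1 or _fold_md5(response) != self.stored:
            return False
        self.stored = response
        self.count -= 1
        return True


def demo(passphrase="correct horse battery", seed="ex1234", count=20):
    """Constructed scenario: enrol a user, log in once, replay the captured
    response, then log in again with the next value.
    Returns (first_login_ok, replay_ok, second_login_ok)."""
    server = OtpServer(seed, count, otp_value(passphrase, seed, count))
    n, s = server.challenge()
    response = otp_value(passphrase, s, n)       # computed on the client
    first = server.verify(response)
    replay = server.verify(response)             # same bytes seen on the wire
    n2, _ = server.challenge()
    second = server.verify(otp_value(passphrase, s, n2))
    return first, replay, second


if __name__ == "__main__":
    print(demo())                                # (True, False, True)
```

The replay attempt fails because the server has already advanced past that value, and an attacker who captured it still cannot produce the previous element of the chain. This is also why the sequence number is finite: when it reaches one the user must re-initialise with a fresh seed, ideally over a connection that is not being eavesdropped.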
AusCERT designed this wrapper to limit exploitation of programs which have command line argument buffer overflow vulnerabilities. It is available via anonymous FTP from:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c
PGP (Pretty Good Privacy) implements encryption and authentication. GnuPG is a similar utility released under the GNU General Public License.
PGP is available from:
http://www.pgpi.org/
GnuPG is available from:
http://www.gnupg.org/
These are portmapper/rpcbind replacements written by Wietse Venema that disallow proxy access to the mount daemon via the portmapper. Choose the one suitable for your system. They are available via anonymous FTP from:
ftp://ftp.porcupine.org/pub/security/
Role Based Access Control (RBAC) allows each user to be assigned one or more roles and each role is assigned one or more privileges that are permitted to users in that role. Security administration with RBAC consists of determining the operations that must be executed by persons in particular jobs, and assigning employees to the proper roles. Complexities introduced by mutually exclusive roles or role hierarchies are handled by the RBAC software, making security administration easier. Additional information and downloads are available from:
http://csrc.nist.gov/rbac/
Secure Shell (ssh) provides for encrypted remote communications between hosts. It can replace rsh, rlogin, and others. It is available from:
http://www.ssh.fi/
http://www.openssh.com/
http://www.ssh.com/
Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes. More information is available at:
http://www.snort.org/
Network Flight Recorder (NFR) is a customisable commercial IDS. More information is available at:
http://www.nfr.net/
RealSecure is a commercial IDS from Internet Security Systems (ISS). More information is available at:
http://www.iss.net/securing_e-business/security_products/intrusion_detection/
The Cisco Secure Intrusion Detection System (IDS), formerly known as the Cisco NetRanger system, is a real-time, network-based IDS designed to detect, report, and terminate unauthorized activity throughout a network. Additional information is available from:
http://www.wheelgroup.com/warp/public/cc/pd/sqsw/sqidsz/
Nessus is a free, programmable graphical vulnerability assessment and scanning tool. It offers a number of features, such as a modular architecture, and its own scripting language. Nessus is available at:
http://www.nessus.org/
SAINT is a vulnerability assessment tool, similar to SATAN, which allows network administrators to scan their networks for known vulnerabilities in specific software packages. More information is available at:
http://www.wwdsi.com/saint
The Security Auditor's Research Assistant (SARA) is another vulnerability assessment and scanning tool. It supports the use of CVE nomenclature among other things. More information is available at:
http://www-arc.com/sara/
bv-Control from BindView is a cross-platform package that provides vulnerability assessments as well as assisting in routine system administration. More information is available at:
http://www.bindview.com/products/control/
Argus is an advanced IP network transaction auditing tool. Classified as a Real Time IP Flow Monitor, Argus generates a persistent audit of all network transactions and their performance, without the need for configuration.
The data that Argus generates can be used for a wide range of tasks that traditionally benefit from audit, of particular interest being network security, network assurance and performance management. Argus is available at:
ftp://ftp.andrew.cmu.edu/pub/argus/
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. More information is available from:
http://www.ethereal.com/
ifstatus can be run on a UNIX system to check the network interfaces for any that are in debug or promiscuous mode. This may be the sign of an intruder performing network monitoring to steal passwords and the like (see CERT/CC Advisory CA-1994-01). ifstatus is available from:
ftp://coast.cs.purdue.edu/pub/tools/unix/sysutils/ifstatus/
AntiSniff is a tool which can scan a network and detect whether or not the network interfaces on any computers are in promiscuous mode, since this is often a sign that a computer has been compromised.
Antisniff was designed to detect compromised machines with IP stacks that a remote attacker could utilize to sniff network traffic. It was not designed to detect hardware based network probes or special purpose network analysers which an attacker would need physical access to install. More information is available from:
http://www.securitysoftwaretech.com/antisniff/
Network Operation Center On-Line (NOCOL) is a network monitoring package that runs on Unix platforms. It can monitor various network variables such as ICMP or RPC reachability, nameservers, ethernet load, port reachability, host performance, SNMP traps, modem line usage, appletalk & novell routes and services, BGP peers, etc. The software is extensible and allows new monitors to be added. NOCOL is available from:
ftp://ftp.netplex-tech.com/pub/
Additional information is available from:
http://www.netplex-tech.com/software/nocol/
Nmap is an open-sourced tool for port scanning large networks. It features a variety of modes of scanning and remote operating system identification. More information is available from:
http://www.nmap.org/
Proxy servers can be used to authenticate and forward specific service requests between networks. Typically, a proxy server replaces a regular system service and then arbitrates sessions between legitimate clients and servers. Proxy servers are often used in conjunction with packet filtering tools (See A.4.2) to enforce network security policies. Many commercial and non-commercial packages offer proxy server functionality. Below are pointers to several non-commercial software packages that perform proxy services.
Packet filtering tools provide the ability to selectively control the forwarding of TCP/IP packets through a device with two or more network interfaces. Packet filtering can be used to enforce network security policies through the construction and use of a series of packet filtering rules. Many commercial and non-commercial packages offer packet filtering functionality. Below are pointers to several non-commercial software packages that perform packet filtering.
ipfw is an older packet filtering tool distributed as a part of some BSD-based operating systems, particularly FreeBSD. Information about ipfw is available from the FreeBSD Handbook.
http://www.freebsd.org/handbook/firewalls.html
Ipfwadm is a packet filtering tool distributed as a part of some older Linux distributions. It is designed for use with older (e.g., prior to version 2.2.x) Linux kernels. Information about ipfwadm is available from the author's website:
http://www.xos.nl/linux/ipfwadm/
IP Filter, or ipf, is a packet filtering tool distributed as a part of BSD-based operating systems such as FreeBSD, OpenBSD, and NetBSD. It is also available for use on other platforms such as Solaris, SunOS, IRIX, and HP-UX. More information is available from:
http://coombs.anu.edu.au/~avalon/
Ipchains is a packet filtering tool distributed as a part of many current Linux distributions. It is designed for use with newer (e.g., version 2.2.x) kernels. Information about ipchains is available from one of several locations:
http://netfilter.filewatcher.org/ipchains/
http://www.samba.org/netfilter/ipchains/
http://netfilter.kernelnotes.org/ipchains/
Netfilter and iptables are packet filtering tools being developed in conjunction with newer (e.g., 2.3.x) Linux kernels for use in the 2.4.x series of Linux kernels. Information about netfilter and iptables is available from one of several locations.
http://netfilter.filewatcher.org/
http://netfilter.samba.org/
http://netfilter.kernelnotes.org/
SunScreen Lite offers high-speed, dynamic, stateful packet screening, and is designed to protect individual servers or small workgroups. It is available for no additional cost to users of Solaris 8. More information is available at:
http://www.sun.com/software/securenet/lite/
By Simson Garfinkel & Gene Spafford
2nd Edition April 1996
(C) 1996, 1991 O'Reilly & Associates, Inc.
ISBN: 1565921488
By Peter H. Gregory
(C) 1999 Prentice Hall PTR/Sun Microsystems Press
ISBN: 0130960535
By David A. Curry
(C) 1992 Addison-Wesley Professional Computing Series
ISBN: 0201606402
By Linda Mui & Eric Pearce
1st Edition October 1992
(C) 1992 O'Reilly & Associates, Inc.
ISBN: 0937175838
By Joel Scambray, Stuart McClure and George Kurtz
(C) 2000 McGraw-Hill Professional Publishing
ISBN: 0072127481
By William R. Cheswick & Steven M. Bellovin
(C) 1994 AT&T Bell Laboratories, Inc.
Addison-Wesley Professional Computing Series
ISBN: 0201633574
By Elizabeth D. Zwicky, Simon Cooper, & D. Brent Chapman
(C) 1995 O'Reilly & Associates, Inc.
ISBN: 1565928717
By Anonymous
(C) 1998 SAMS Publishing
ISBN: 0672313413
Evi Nemeth, Garth Snyder, Trent R. Hein and Scott Seebass
(C) 2001 Prentice-Hall PTR
ISBN: 0130206016
By Aeleen Frisch
2nd Edition September 1995
(C) 1995 O'Reilly & Associates, Inc.
ISBN: 1565921275
By Bob Toxen
(C) 2000 Prentice Hall PTR/Sun Microsystems Press
ISBN: 0130281875
By Hal Stern
2nd Edition June 2001
(C) 2001 O'Reilly & Associates, Inc.
ISBN: 1565925106
By Anne H. Carasik
(C) 1999 Osborne McGraw-Hill
ISBN: 0071349332
By Ryan Russell
(C) 2000 Syngress
ISBN: 1928994156
By Bruce Schneier
(C) 1995 John Wiley & Sons
ISBN: 0471117099
By Gary R. Wright and W. Richard Stevens
(C) 1994, 1995, 1996 Addison-Wesley
ISBN: 0201633469 (Vol 1 - The Protocols)
ISBN: 020163354X (Vol 2 - The Implementation)
ISBN: 0201634953 (Vol 3 - TCP for Transactions, HTTP,
NNTP, and the UNIX(R) Domain Protocols)
Notes:
BSD commands
# /bin/ps -aux | /bin/grep -E "inetd|^USER" | /bin/grep -v grep
# /bin/kill -HUP <inetd-PID>
SVR4 commands
# /bin/ps -ef | /bin/grep inetd | /bin/grep -v grep
# /bin/kill -HUP <inetd-PID>
C.2 Ascertain which services are registered with the portmapper
# /usr/bin/rpcinfo -p
C.3 Rebuild alias maps
# /usr/bin/newaliases
If you run NIS (YP), you will then need to rebuild your maps to have the change take effect over all clients:
# (cd /var/yp; /usr/bin/make aliases)
C.4 Printing the umask value for each user
Use the following shell script:
#!/bin/sh
PATH=/bin:/usr/bin:/usr/etc:/usr/ucb
# Home directories of every account with a non-empty home field in /etc/passwd
HOMEDIRS=`awk -F":" 'length($6) > 0 {print $6}' /etc/passwd | sort -u`
FILES=".cshrc .login .profile"
for dir in $HOMEDIRS
do
    for file in $FILES
    do
        # /dev/null is a second file name, so grep prefixes each match with
        # the file it came from; -s suppresses errors for missing files
        grep -s umask /dev/null $dir/$file
    done
done
C.5 Set sendmail log level to 9
Include lines describing the log level (similar to the following two) in the options part of the general configuration information section of the sendmail configuration file:
# log level
OL9
The log level syntax changed in sendmail 8.7 to:
# log level
O LogLevel=9
C.6 Set syslog log level for mail messages
Include lines describing the logging required (similar to the following two) in the syslog.conf file:
mail.info	/dev/console
mail.info	/var/adm/messages
(Separate the selector from the action with a tab character; many older syslogd implementations do not accept spaces there.) For the change to take effect, you must then instruct syslog to reread the configuration file.
BSD commands
Get the current PID of syslog:
# /bin/ps -aux | /bin/grep syslogd | /bin/grep -v grep
Then tell syslog to reread its configuration file:
# /bin/kill -HUP <syslog-PID>
SVR4 commands
# /bin/ps -ef | /bin/grep syslogd | /bin/grep -v grep
Then tell syslog to reread its configuration file:
# /bin/kill -HUP <syslog-PID>
NOTE: In the logs, look for error messages like:
C.7 (Rebuilding and) restarting sendmail(8)
To rebuild the frozen configuration file, firstly do:
# /usr/lib/sendmail -bz
NOTE: The above process does not apply to sendmail v8.x, which does not support frozen configuration files.
To restart sendmail(8), you should kill *all* existing sendmail(8) processes by sending them a TERM signal using kill, then restart sendmail(8).
BSD commands
Get the pid of every running sendmail process:
# /bin/ps -aux | /bin/grep sendmail | /bin/grep -v grep
Kill every running sendmail process and restart sendmail:
# /bin/kill <pid>          # pid of every running sendmail process
# /usr/lib/sendmail -bd -q1h
SVR4 commands
# /bin/ps -ef | /bin/grep sendmail | /bin/grep -v grep
Kill every running sendmail process and restart sendmail:
# /bin/kill <pid>          # pid of every running sendmail process
# /usr/lib/sendmail -bd -q1h
C.8 Test whether ftpd supports SITE EXEC
For normal users:
% ftp localhost 21
USER username
PASS password
SITE EXEC
For anonymous users:
% ftp localhost 21
USER ftp
PASS username@domainname.au
SITE EXEC
You should see the response "5nn error return" (e.g., "500 'SITE EXEC' command not understood"). If your ftp daemon has SITE EXEC enabled, make sure you have the most recent version of the daemon. Older versions of ftpd allow any user to gain shell access using the SITE EXEC command. Use QUIT to end the telnet session.
C.9 Ascertain whether anonymous FTP is enabled
% ftp localhost
Connected to localhost
220 hostname FTP server ready
Name (localhost:username): anonymous
331 Guest login ok, send username as password
Password: user@domain.au
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
C.10 Ensure that '*' in the password field is correctly implemented
# /bin/find / -name '.exrc' -exec /bin/cat {} \; -print
See also C.19.
# /bin/find / -name '.forward' -exec /bin/cat {} \; -print
See also C.19.
C.13 Remove execute permission on /usr/lib/expreserve
# /bin/chmod 400 /usr/lib/expreserve
C.14 Set ownership and permissions for /tmp correctly
# /bin/chown root /tmp
# /bin/chgrp 0 /tmp
# /bin/chmod 1777 /tmp
NOTE: This will NOT recursively set the sticky bit on sub-directories below /tmp, such as /tmp/.X11-unix and /tmp/.NeWS-unix; you may have to set these manually or through the system startup files.
C.15 Find group and world writable files and directories
# /bin/find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;
# /bin/find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
See also C.19.
C.16 Find files with the SUID or SGID bit enabled
# /bin/find / -type f \( -perm -004000 -o -perm -002000 \) \
    -exec ls -lg {} \;
See also C.19.
C.17 Find normal files in /dev
# /bin/find /dev -type f -exec ls -l {} \;
See also C.19.
C.18 Find block or character special files
# /bin/find / \( -type b -o -type c \) -print | grep -v '^/dev/'
See also C.19.
C.19 Avoid NFS mounted file systems when using /bin/find
# /bin/find / \( \! -fstype nfs -o -prune \) <expression>
As an example, <expression> could be
-type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \;
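The find(1) recipes in C.15 to C.19 are usually run together and repeated on a schedule, so it helps to wrap them in one script that applies the NFS-pruning expression of C.19 to each check. The script below is an added example written for this checklist and is not part of the original document; the function names audit_tree and audit_report are its own. It assumes a find(1) that understands -fstype (GNU find does) and prints bare paths rather than ls listings so that a later run can be compared with diff(1).

```shell
#!/bin/sh
# Added example (not part of the AusCERT/CERT checklist): run the file system
# checks of C.15, C.16 and C.18 under the NFS-pruning expression of C.19.
# Assumes a find(1) that supports -fstype, such as GNU find.

# audit_tree ROOT CHECK
#   ROOT  - directory to start from (the checklist uses /)
#   CHECK - suid     : files with the SUID or SGID bit set         (C.16)
#           writable : group or world writable files/directories  (C.15)
#           special  : block or character special files           (C.18;
#                      pipe through grep -v '^/dev/' to drop the expected ones)
# Prints one matching path per line; NFS mounts are not descended into.
audit_tree() {
    root=$1
    check=$2
    case $check in
        suid)     expr='-type f ( -perm -004000 -o -perm -002000 )' ;;
        writable) expr='( -type f -o -type d ) ( -perm -2 -o -perm -20 )' ;;
        special)  expr='( -type b -o -type c )' ;;
        *)        echo "audit_tree: unknown check '$check'" >&2; return 2 ;;
    esac
    # $expr is deliberately unquoted: every token must reach find as a separate
    # argument, and the parentheses are find's own grouping operators.
    find "$root" \( \! -fstype nfs -o -prune \) $expr -print
}

# audit_report ROOT REPORT_DIR
#   Runs all three checks against ROOT and writes one sorted, dated file per
#   check into REPORT_DIR, so that successive runs can be compared with diff(1).
audit_report() {
    root=$1
    report_dir=$2
    stamp=$(date +%Y%m%d)
    for check in suid writable special; do
        audit_tree "$root" "$check" | sort > "$report_dir/$check.$stamp"
    done
}
```

On a live system the intended use is `audit_report / /var/adm/fsaudit` from cron, followed by a diff of today's report against the previous one; any new SUID file or newly world-writable directory then shows up as an added line rather than having to be spotted in a full listing.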
It is intended that this short version of the checklist be used in conjunction with the full checklist as a progress guide (mark off the sections as you go so that you remember what you have done so far).
- Don't attach the machine to an insecure network until all steps in this document have been addressed - preferably, perform all installations on the machine while it is completely isolated from any network. This may be facilitated by the use of patches stored on a CD or file server located within an isolated staging network.
- Retrieve the latest patch list from your vendor and retrieve any recommended security patches not included with your system. Some patches may re-enable default configurations so it is important to go through this checklist after installing any new patches or packages. Information about where to obtain operating system patches or packages is available in the USC at Section IV. Patches for software applications not supplied by the operating system vendor should be obtained directly from the software vendor's web site.
- Ensure that software patches and packages are only downloaded from a reliable source (i.e. direct from the vendor or a trusted mirror). This also applies to the operating system if it is publicly-available or open-source.
- Verify the cryptographic digital signature of any signed downloaded files to ensure integrity. Don't use a file whose signature doesn't match its contents! Information about PGP/GnuPG is available in the USC at A.2.10 PGP/GnuPG.
- Verify the md5 checksum, when possible, of any downloaded patches with a utility like md5(1) or md5sum(1). Information about obtaining an MD5 utility is available in the USC at A.2.6 MD5.
- Subscribe to the vendor's security update mailing list for your particular operating system. Information for individual vendors is available in the USC at Section IV.
- Subscribe to security advisory mailing lists from your local incident response team (if you have one). These mailing lists are typically low volume and provide invaluable information for system and security administrators. Information on subscribing to mailing lists is available in the USC at B.2.3 Mailing Lists.
- Check for last-minute updates for your system that need to be performed subsequent to installation.
- Install security patches retrieved before installation.
- Check for the availability of a hardening script package for your particular system. Information on hardening scripts is available in the USC at Section IV - Specific Operating Systems.
- For more detailed information, refer to the USC at 2.0 Network Services
- Disable any services which you do not absolutely require, by commenting out individual lines in /etc/inetd.conf with a "#" character, then reenabling essential services only. See 2.1 /etc/inetd.conf.
- Unless "r" commands (i.e. rsh, rlogin) are required, remove or empty the file /etc/hosts.equiv.
- If "r" commands are required, consider replacing them with secure alternatives, such as ssh. See A.2.13 ssh in the USC for more information.
- Configure tcp_wrappers in /etc/inetd.conf to provide greater access and logging on enabled services if using the inetd daemon. See 2.2 tcp_wrapper. If using Xinetd, ensure that it is correctly configured in /etc/xinetd.conf. See 2.1 /etc/inetd.conf.
- Edit /etc/hosts.allow to include this entry as the first uncommented line AFTER any configuration lines allowing connections for any specific services required:
ALL:ALL:deny
- Edit /etc/hosts.deny to include this entry as the first uncommented line in the file:
ALL:ALL
- Verify that you have disabled any unnecessary startup scripts under /etc, /etc/rc.d or /etc/init.d (or startup script directory for your system) and disabled any unneeded services from starting in these scripts.
- Remove unneeded accounts/groups and disable interactive login access to system accounts.
- After restarting the machine, check for running network services by issuing the command netstat -a. Ensure that only required services are running and listening for connections. This helps prevent compromise through services that are unknown to you or unpatched.
- On systems that implement the /etc/login.access file, consider modifying this file to disallow remote access to privileged accounts. An example to disallow non-local logins to privileged accounts (group wheel):
-:wheel:ALL EXCEPT LOCAL
See also 2.10 /etc/login.access
- Ensure that the terminal security file (for example, /etc/securetty or /etc/ttys) is configured to deny privileged (root) access from any external connections. See 2.15 Secure Terminals.
- Check that the configuration files for PAM (/etc/pam.conf, /etc/pam.d/*) are secure. See 2.13 PAM (Pluggable Authentication Modules)
- Ensure that the file /etc/ftpusers contains the names of all system accounts, as well as root. See 5.3 Special accounts
- Prevent lpd and syslogd from listening for network connections if possible. Caution should be exercised to ensure outbound connections are still allowed if required for your system configuration. This may be accomplished with command-line arguments and/or tcp_wrappers - refer to your system's info or man pages.
- Clear /etc/hosts.lpd if not required. If the host is a print server, ensure that only fully qualified domain names are specified, i.e. hostname.domainname. See 2.9 /etc/hosts.lpd
- At a minimum, make use of any built-in firewalling utility that the operating system provides. For example: Linux has ipchains and iptables (See A.4.2.4 and A.4.2.5), BSD has ipfw (See A.4.2.1), Sun Solaris includes a "light" version of their SunScreen product with Solaris 8 (See A.4.2.6).
- Ensure that the host is configured against IP spoofing and attacks with kernel and firewall rules. See 3.1 Packet Filtering and 3.2 Denial of Service Attacks.
- If you wish to remotely administer your host, don't use unencrypted channels to do so (like telnet). Configure your host to use encrypted communications with a utility like SSH. See 3.3 Encryption and Strong Authentication
- Implement and maintain utilities for intrusion detection. At a minimum, implement a file integrity checker to monitor file-system changes. More information is available in the USC at 4.0 File System Security
- Additional information on security and monitoring tools is available in the USC at Appendix A
- Ensure you implement a procedure to regularly parse and check system log outputs for unusual activity.
- Make a backup of the completed system before putting it on a production network. This allows you a clear path to restore the system to an operational state. You should also implement a continuing backup policy.
- Create and maintain a logbook for each system. This allows you to document any changes made to system configurations.
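The step above that asks you to run netstat -a after a restart and confirm that only required services are listening is easier to repeat reliably when the comparison is scripted. The function below is an added example and is not part of the checklist: it reads netstat output on standard input, keeps only TCP sockets in the LISTEN state and prints those whose port is not on an explicit allow-list. The function names unexpected_listeners and check_sample are its own, the column layout it assumes is the Linux netstat one (local address in the fourth column, state in the last), and the netstat output embedded in the block is constructed for illustration rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the AusCERT/CERT checklist): compare the TCP
# listeners reported by "netstat -a" with an allow-list of expected ports.
# Assumes the Linux netstat column order: Proto Recv-Q Send-Q Local Foreign State.

# unexpected_listeners "PORT PORT ..."
#   Reads netstat -a output on stdin and prints the local address of every
#   TCP (or TCP6) socket in LISTEN state whose port is not in the allow-list.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4
            sub(/.*[:.]/, "", port)   # keep the part after the last ":" or "."
            if (!(port in ok)) print $4
        }'
}

# Constructed sample of "netstat -a" output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN
tcp        0    224 192.0.2.10:22           192.0.2.20:50011        ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN'

# check_sample: run the comparison over the constructed sample with an
# allow-list of ssh (22) and smtp (25). The portmapper (111) and rlogin (513)
# listeners are reported because they are not on the list.
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 25"
}

# On a live host:  netstat -a | unexpected_listeners "22 25"
```

Keeping the allow-list in the system logbook alongside the list of enabled inetd services makes the check a one-liner after every patch or package install, which is exactly when the checklist warns that default services tend to reappear.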
Revision History
Oct 8, 2001    Initial Release