2002, Marchany OS Installation Tips Basic Tips During OS Installation OS Installation Tips Core - base OS, 50Mb in size End-user - CDE / x windows, UCB support, NIS / NIS+ / LDAP Developer - man pages, include files( / usr / include), compiler libraries, make, ar, ld commands Full OEM - everything on the install CD Make sure SUNWter is installed. This adds xterm and other term support
2002, Marchany OS Installation Tips Basic Tips During OS Installation OS Installation Tips Core - base OS, 50Mb in size End-user - CDE / x windows, UCB support, NIS / NIS+ / LDAP Developer - man pages, include files( / usr / include), compiler libraries, make, ar, ld commands Full OEM - everything on the install CD Make sure SUNWter is installed. This adds xterm and other term support
Copyright:
Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online from Scribd
2002, Marchany OS Installation Tips Basic Tips During OS Installation OS Installation Tips Core - base OS, 50Mb in size End-user - CDE / x windows, UCB support, NIS / NIS+ / LDAP Developer - man pages, include files( / usr / include), compiler libraries, make, ar, ld commands Full OEM - everything on the install CD Make sure SUNWter is installed. This adds xterm and other term support
Copyright:
Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online from Scribd
OS Installation Tips Core – base OS, 50Mb in size End-user – CDE/X Windows, UCB support, NIS/NIS+/LDAP Developer – man pages, include files(/usr/include), compiler libraries, make, ar, ld commands Full OEM – everything on the install CD Make sure SUNWter is installed. This adds xterm and other term support. Remote administration requires this package.
va-scan Copyright 2002, Marchany
OS Installation- Disk Partitions
Solaris 2.x no longer require as much swap space
as memory but it doesn’t hurt /var should be large - > 2GB /opt should be large - > 2GB. Compilers and other Sun packages install here by default. DiskSuite requires 5MB on each disk for configuration information Veritas requires 2 free partitions to encapsulate and mirror the root drive
OS Package Dependencies Developer Tools SUNWhea, SUNWtnfc, SUNWarc, SUNWsprot, SUNWbtool, SUNWtoo, SUNWhmdu, SUNWlibm, SUNWlibC, SUNWlibCf, SUNWtnfd X Client (not X Server) SUNWxwrtl, SUNWxilow, SUNWxwplt, SUNWxwfnt, SUNWxwice, SUNWmfrun, SUNWtltk, SUNWxilrl, SUNWxildh Virtual Adrian SUNWsprot
va-scan Copyright 2002, Marchany
Determining Which Package Pomeranz Method Attempt to install or run app Find missing file(s) via error and/or truss Check /var/sadm/install/contents of full OS system, grep for file. This file contains the package name Add the needed package Add appropriate dependencies Repeat until done
va-scan Copyright 2002, Marchany
Patches Available from sunsolve.sun.com 2 install tools Patchdiag – available from sunsolve.sun.com GASP – available from discovery.cc.vt.edu and Brian Reilly at Georgetown U GUI front end to patchdiag Patchdiag is required
va-scan Copyright 2002, Marchany
Patches - GASP Build from kit. Create a /tmp/patches Modify the patchadd command to keep backout option if you want it. Start: xgasp Click on Generate Patch Report Enter sunsolve userid/password You can select individual patches or all of them for download
va-scan Copyright 2002, Marchany
va-scan Copyright 2002, Marchany va-scan Copyright 2002, Marchany va-scan Copyright 2002, Marchany Patches - Sunsolve Go to http://sunsolve.sun.com Login as vtsug/sunsucks Use the search tools to find the patches you need. At a minimum, installed recommended and security patches. This is NOT the complete answer Install all patches then the applications Do NOT install Sun sendmail patches if you are using the VT sendmail.
va-scan Copyright 2002, Marchany
OS Settings Console Security (SPARC only) Prevents someone from using console commands Disable STOP-A sequence Command Mode Prevents EEPROM changes w/o proper password
va-scan Copyright 2002, Marchany
OS Settings Full Mode Same as command mode with extras: Can’t boot system w/o EEPROM password Use eeprom command from shell # eeprom security-mode=full Use setenv command from OK prompt OK setenv security-mode full
va-scan Copyright 2002, Marchany
OS Settings Disable keyboard abort sequence Change the following line in /etc/default/kbd from #KEYBOARD_ABORT=enable KEYBOARD_ABORT=disable CAUTION: system will have to powered down to reset. No crash dumps from the PROM on a running system for analysis.
va-scan Copyright 2002, Marchany
Cleaning System Scripts
Some Startup and Boot Scripts to
Check
va-scan Copyright 2002, Marchany
Create umask for System Daemons Solaris 7 echo ‘umask 022’ > /etc/init.d/umask.sh chmod 744 /etc/init.d/umask.sh for dir in /etc/rc?.d do ln –s ../init.d/umask $dir/S00umask.sh done Solaris 8 Set CMASK in /etc/default/init
va-scan Copyright 2002, Marchany
Mount Options Mount filesystems with nosuid, read- only options /usr can be mounted read-only /var can be mounted nosuid / can’t / is mounted RO at boot and then remounted RW. The second mount cancels the nosuid. Note: FS mounted in 1 mode and changed to another requires a reboot. va-scan Copyright 2002, Marchany Securing /etc/vfstab Protect OS binaries in /usr ro – FS is mounted Read Only Prevent rogue SUID programs nosuid – SUID bit is ignored in FS Allow other software to be installed remount option allows you to apply options because some FS are mounted early in the boot process mount –o remount, ro /usr
va-scan Copyright 2002, Marchany
Securing /etc/vfstab nosuid caution Implies nodev which means files in /dev/ and /devices will not function in a nosuid FS / cannot be mounted nosuid. Solaris ignores this option for root FS Creating a separate /devices and mounting the rest of the / nosuid doesn’t work. /devices doesn’t get mounted at boot so the kernel panics. Anon FTP areas require device files and must not be mounted nosuid
va-scan Copyright 2002, Marchany
The logging feature Logging option for FS creates transaction log, allows faster reboots but slower file writes and more disk space for logs Prevents physical access attack Continuously crash system until / is corrupted then the OS asks you to fsck /. At that point, you have a root shell and can install backdoors, etc Logging prevents this from happening so we’re a little safer from a physical access attack. Solaris 8 allows logging on /. Enable this if possible!
va-scan Copyright 2002, Marchany
/etc/rmmount.conf Add to /etc/rmmount.conf mount hsfs –o nosuid mount ufs –o nosuid Prevents SUID programs from being loaded from removable media. Default in Solaris 8 Common attack is to create SUID shell on CD or floppy, use this to get root on system you have physical access
va-scan Copyright 2002, Marchany
/etc/ftpusers Lists users NOT allowed to FTP Include root in /etc/ftpusers touch /etc/ftpusers for user in root daemon bin sys nobody\ noaccess nobody4 uucp adm lp smtp \ listen do echo $user >> /etc/ftpusers done chown root /etc/ftpusers; chgrp root \ /etc/ftpusers;chmod 600 /etc/ftpusers
va-scan Copyright 2002, Marchany
.rhosts Remove rhosts_auth from /etc/pam.conf Causes system to ignore .rhosts authentication grep –v rhosts_auth > /etc/pam.conf >\ /etc/pam.new mv /etc/pam.new /etc/pam.conf chmod 644 /etc/pam.conf
va-scan Copyright 2002, Marchany
Crontab Limit use by adding appropriate users to /etc/cron.d/cron.allow Only users listed in *.allow files can modify cron/at jobs Cron can still run jobs as other users
va-scan Copyright 2002, Marchany
More Scripts to Check Syslog -t flag stops syslogd from listening on port 514/udp. Keeps the system from being a syslog server Devfsadm (Solaris 7 or later) Solaris >=7 supports hot swap devices Solaris 8 device daemons also control dynamic pty allocation. If you don’t have hot swap devices, you can disable this script
va-scan Copyright 2002, Marchany
More Cleanup /etc/inittab Remove sc:234:respawn:/usr/lib/saf/sac –t 300 Disables listener on serial ports Login prompt will still appear on the console rm /etc/inetd.conf and add only what you need rm adm lp sys from /var/spool/cron/crontabs rm /etc/auto_* /etc/dfs/dfstab if not using NFS
va-scan Copyright 2002, Marchany
Finding Trojans: Fingerprints Use Solaris Fingerprint database to check for trojans Verifies local MD5 checksums of systems files with known checksums at the SunSolve site. sfbDB maps a digital fingerprint to a path name, package version/identifier and product name. Contains 1M entries used in Solaris OE, Solaris OE patches and unbundled products.
va-scan Copyright 2002, Marchany
Finding Trojans: Fingerprints Installation Download MD5 binaries from http://sunsolve.sun.com/md5/md5.tar.Z zcat md5.tar.Z |tar xvf – Creates a md5 directory with the binaries md5-sparc and md5-x86 chmod 700 md5/* chown root:root md5/*
va-scan Copyright 2002, Marchany
Finding Trojans: Fingerprints Create MD5 Digital fingerprint md5/md5-sparc <file name> … Use to create fingerprints of files that have changed recently find /usr/bin –type f –mtime –1 –print | xargs –n100 md5/md5- sparc > /tmp/md5s.txt
va-scan Copyright 2002, Marchany
Finding Trojans: Fingerprints Testing a Digital Fingerprint Go to http://sunsolve.sun.com, login using vtsug userid, click on Security Information, click on Solaris Fingerprints. Paste your digital fingerprints into the www form. Click submit. Wait a few and then view the results.
va-scan Copyright 2002, Marchany
Finding Trojans: Fingerprints Advantages Massive checksum DB of binaries WWW interface Easy to create file of checksums Disadvantages Need net access to Sun www site Doesn’t read input from a file 256 queries at a time
va-scan Copyright 2002, Marchany
Solaris Fingerprint Database Developed by Sun to help find trojan programs installed by hackers MD5 checksum of 1 million Sun binaries used in OE, Patches, unbundled products Need MD5 program http://sunsolve.sun.com/md5/md5.tar.Z Do the chmod, chown on /opt/md5
va-scan Copyright 2002, Marchany
Solaris Fingerprint Database Create local MD5 /opt/md5/md5-sparc /usr/bin/su find /usr/bin –type f –mtime –1 –print\ \ | xargs –n100 /opt/md5/md5-sparc > \ /tmp/md5s.txt Compare MD5 list to Sun’s FPD http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl Copy/paste MD5 into web form, press submit. 256 entries max at one time
va-scan Copyright 2002, Marchany
Solaris Fingerprint Database Database Companion automates the process of collecting and checking MD5 against the SFD Database Sidekick checks a system for known rootkits. It maintains a list of commonly trojaned Solaris binaries.
va-scan Copyright 2002, Marchany
Tripwire Available from www.tripwire.com First of the file integrity checkers Unix and NT versions available Network capable versions available Academic version is free. Commercial and NT versions are not. Useful in finding trojan programs
va-scan Copyright 2002, Marchany
Tripwire Generates a “signature” for each file based on checksums and other characteristics. These signatures are stored in a database file that should be kept offline. This is the baseline. Latest threat involves dynamic exec redirection. This is part of the newer Kernel Module Rootkits.
va-scan Copyright 2002, Marchany
Tripwire List of files to check: tw.config All files in a directory will be checked. Can prune directories from the check step. Can examine just the directory and nothing else. Can check by access time but not recommended since you’ll get a report of everything that changed. Everything!
va-scan Copyright 2002, Marchany
Tripwire To initialize the DB: tripwire –initialize Update DB interactively: tripwire -interactive Non-interactive DB update: tripwire – update <FN>
va-scan Copyright 2002, Marchany
Tripwire Security Issues Need to protect the DB Need to protect the vulnerable executables Advantages Simple interface, good choice of crypto hash functions, good all-around tool Disadvantages Kernel mod attacks, initial tw.config takes some time to customize, NT version is good but costs $$ $, no network security
va-scan Copyright 2002, Marchany
va-scan Copyright 2002, Marchany User Accounts Some accounts can be deleted smtp, nuucp, listen passmgmt –d <account name> JASS toolkit contains a noshell command that will generate a syslog entry when someone tries to login a disabled account.
va-scan Copyright 2002, Marchany
User Accounts Lock userids: passwd –l <userid> Modify accounts: passwd –e <userid> System accounts in /etc/passwd have no shell assigned to them They also have NP in the password field of /etc/shadow UID/GID pairs must be unique across NFS. Recommend using the PID # as a UID
va-scan Copyright 2002, Marchany
at, cron, batch Access to these commands can be restricted using the at.allow, at.deny, cron.deny and cron.allow files in /usr/lib/cron If neither file exists, then only root can run cron or at commands
va-scan Copyright 2002, Marchany
Init System services controlled by the /etc/rcX.d directories where X=0 : shutdown X=S : single user mode X=1 : start X=2 : multi-user, no network services X=3 : multi-user (default) X=4 : unused X=5 : shutdown and power off X=6 : shutdown and reboot
va-scan Copyright 2002, Marchany
Init Start up scripts : SxxService Kill scripts : KxxService Main scripts live in /etc/init.d Symlinks are in the /etc/rcX.d directories
va-scan Copyright 2002, Marchany
RC Scripts Create S99local Startup ssh, portsentry, etc. Some of the startup scripts can be disabled. Caution: your mileage will vary tremendously. Some examples: S80lp, S73nfs.*, S74autofs, S88sendmail
va-scan Copyright 2002, Marchany
Kernel Adjustments
Kernel Settings to Help Protect
Your System From Network Attacks
va-scan Copyright 2002, Marchany
Kernel Adjustments ndd command display/sets kernel parms on the fly ndd /dev/arp \? ndd /dev/icmp \? ndd /dev/ip \? ndd /dev/tcp \? \? = list all driver parms and status: RO, RW Response of 0 means the option is disabled ndd –set <driver> <option> <value> to set a parameter
va-scan Copyright 2002, Marchany
Kernel Adjustments /etc/system contains kernel parameters Some kernel parameters can be adjusted to improve performance and security NFS Server Set nfssrv:nfs_portmon = 1 Forces NFS server to accept client requests from privileged port range (port<1024) May break file sharing with older versions of Linux, SCO Unix
va-scan Copyright 2002, Marchany
Kernel Adjustments Executable Stacks set noexec_user_stack = 1 set noexec_user_stack_log = 1 Helps defend against stack overflow attacks. Logs the attempt as well. All 64 bit Solaris use non-executable stacks by default
va-scan Copyright 2002, Marchany
Kernel Adjustments Core Files set sys:coredumpsize = 0 Prevents the creation of core files. Beware! Use the coreadm command to define target directories and file name patterns for core files. Useful in creating a central core repository. SUID/SGID will be prevented from creating core files if the above is set.
va-scan Copyright 2002, Marchany
Kernel Adjustments No ndd parameter documentation Parameter names may change with new releases Be Very Careful
va-scan Copyright 2002, Marchany
ARP Kernel Defense 2 types of ARP attacks DOS Local Attacker inserts bogus info into ARP cache Remote Attacker feeds remote sys bogus info (cache poisoning Spoofing Used to compromise remote systems on the local network
va-scan Copyright 2002, Marchany
ARP Kernel Defense ARP entries can be deleted or they time out in the cache Default TO is 5 minutes Default IP Routing Table TO is 20 minutes Change the Intervals ndd –set /dev/arp \ arp_cleanup_interval 60000 ndd –set /dev/ip \ ip_ire_flush_interval 60000 Units are in milliseconds. 60000 = 1 minute
Only slows the attack
va-scan Copyright 2002, Marchany
IP Defense IP forwarding routes packets between network interfaces on one system Multihomed systems has several network I/F, each with a separate IP address Not intended to route/forward packets Used for NFS servers on multiple nets – server response is faster when connected to same net as clients va-scan Copyright 2002, Marchany IP Defense /etc/notrouter disables IP forwarding at boot time /etc/init.d/inetinit determines the configuration at boot To dynamically disable IP forwarding: ndd -set /dev/ip ip_forwarding 0 Solaris 8 allows you to set this per I/F
va-scan Copyright 2002, Marchany
IP Defense Strict Destination multihoming prevents packet spoofing on nonforwarding multihomed systems System will ignore packets sent to an interface from which it didn’t arrive ndd –set /dev/ip \ ip_forwarding 0 ndd -set /dev/ip \ ip_strict_dest_multihoming 1
va-scan Copyright 2002, Marchany
IP Defense – Multicast Routing Used to send data to multiple systems simultaneously using only 1 net address Solaris 7: comment out from /etc/init.d/inetsvc mcastif=`/sbin/dchpinfo Yiaddr` to /usr/sbin/route add –interface – netmask “244.0.0.0” “224.0.0.0” “$mcastif” Solaris 8: (if [ “$_INIT_NET_STRATEGY….) to the /usr/sbin/route line
va-scan Copyright 2002, Marchany
IP Defense Eliminate DCHP, named startup support and multicast support. This leaves /etc/init.d/inetsvc script:
IP Defense – Directed Broadcast Directed broadcast is sent from a remote machine to all systems on another net Used by “smurf” attack. CNS router rules limit smurf to the same subnet Forged ICMP echo request sent to broadcast w/ target source address ndd -set /dev/ip \ ip_forward_directed_broadcasts 0 Default is 1
va-scan Copyright 2002, Marchany
IP Defense – Src Route Packet Source routed packet contains a specific path the packet should take to get to a target Bypasses router decisions Enabled by default Disable: ndd –set /dev/ip \ ip_forward_src_routed 0
va-scan Copyright 2002, Marchany
ICMP Defense Usually safe to disable ICMP broadcasts All systems configured to respond to broadcast echo request will send an echo reply Disable: ndd -set /dev/ip \ ip_respond_to_echo_broadcast 0 This breaks PING. You won’t be able to ping this
system
va-scan Copyright 2002, Marchany
ICMP Defense Individual timestamp requests are ok. No reason for broadcast request. Disable: ndd –set /dev/ip \ ip_respond_to_timestamp_broadcast 0 ndd –set /dev/ip \ ip_respond_to_timestamp 0 (unicast) Address mask used to get netmask. Printers, X- term use this. Solaris disables by default ndd – set /dev/ip ip_respond_to_address_mask_broadcast 0
va-scan Copyright 2002, Marchany
TCP Defense Syn Floods work on unestablished connections 2 queues Q for established connections Q for unestablished connections Increase size on unestablished connect Q ndd –set /dev/tcp \ tcp_conn_req_max_q0 4096 ndd –set /dev/tcp \ tcp_ip_abort_cinterval 60000
va-scan Copyright 2002, Marchany
TCP Defense Connection Exhaustion Attack Works on established connections OS has max # connect limit. Attacker exceeds this limit Default Q is 128. Increase to 1024 ndd –set \ /dev/tcp tcp_conn_req_max_q 1024 This increases the amount of memory needed to process all TCP connections
va-scan Copyright 2002, Marchany
TCP Defense IP Spoofing uses TCP Hijacking based on ISN prediction RFC 1498 defines better way to generate ISN 3 types: 0 – predictable; 1 – improved with random increment; 2 – RFC 1498 method Solaris 8 uses 2, modify Solaris 7 by editing /etc/default/inetinit and add line: TCP_STRONG_ISS=2
va-scan Copyright 2002, Marchany
TCP Defense Privileged Ports can only be acquired by root owned processes NFS uses 2049, 4045. Hacker can set up fake NFS server listening on these ports Extend port range: ndd –set /dev/tcp \ tcp_smallest_nonpriv_port 2050 Add individual ports: ndd –set /dev/tcp \ tcp_extra_priv_ports_add 6112
va-scan Copyright 2002, Marchany
ICMP Defense Redirect errors used to tell a system to use a different router Can be used in Man-in-the-Middle to install bogus routes Disable incoming: ndd –set /dev/ip ip_ignore_redirect 1 Disable outgoing: ndd –set /dev/ip ip_send_redirects 0
va-scan Copyright 2002, Marchany
System Logs /etc/syslog.conf Program I/F: syslog() System command: logger Log files defined in /etc/syslog.conf /var/adm/messages (default) /var/log/syslog (default) /var/log/authlog (disabled by default) /usr/lib/newsyslog rotates logs every 7 days /var/adm/loginlog records failed login attempts
va-scan Copyright 2002, Marchany
Syslog Strategies Create a central syslog server Auth.debug @central-logger.vt.edu Install logcheck Create additional syslogs Auth.notice ifdef(‘LOGHOST’. /var/log/Today/auth.log, @loghost) Make sure your system is defined at LOGHOST in /etc/hosts
va-scan Copyright 2002, Marchany
Application Logs /var/adm/sulog /usr/bin/su cat, more /var/adm/vold.log /usr/sbin/vold cat, more /var/adm/wtmpx /usr/bin/login last /var/adm/loginlog /usr/bin/login Must touch 1st /var/cron/log /usr/sbin/cron
va-scan Copyright 2002, Marchany
System Accounting Use the sar command to gather system resource usage data: Cpu, memory, disk, file I/O, system calls Archives stored in /var/adm/sa vmstat command collects data in a real-time data Need SUNWaccr, SUNWaccu, uncomment: /etc/init.d/perf, /var/spool/cron/crontabs sys Reset default shell for user: sys passmgmt –m –s /sbin/sh sys
va-scan Copyright 2002, Marchany
System Accounting Run it every 20 minutes Archive data longer than 1 month Edit /etc/init.d/perf and scripts in /usr/lib/sa Change calls like `date +%d` to ‘date +%Y%m%d` sar command will still be looking for files in the old naming so you need to use the –f option to point to correct file /usr/lib/sa/sa2 purges raw data after 1 week. Remove the find command at the end of the sa2 script.
va-scan Copyright 2002, Marchany
Process Accounting You can tell the kernel to log data about every process on the system Can be selective enabled/disabled using the accton command Specify where the log file is /usr/lib/acct/accton /var/adm/pacct Once enabled, the kernel logs 40 bytes of data for each process that runs to completion Use acctcom to examine the logs Process accounting can cause 10-20% degradation
va-scan Copyright 2002, Marchany
RPC Services Rpcbind – central RPC service agent New RPC service registers with rpcbind Rpcbind maintains table of RPC services (program #) and the ports they listen Client contacts rpcbind first with a program # to determine the port to connect to its requestor Used by Disksuite, NFS, NIS+, Kerberos
va-scan Copyright 2002, Marchany
RPC Services - /etc/inetd.conf Testsvc, sadmind, rquotad, rpc.ruserd, rpc.sprayd, rpc.rwalld, rpc.rstatd, rpc.rexd, kcms.server, ufsd, cachefs, kerbd, xaudio, rpc.cmsd, rpcttdbserverd Remove all of these services unless specifically required
va-scan Copyright 2002, Marchany
RPC Services – Startup scripts /etc/rc2.d/S71rpc, /etc/rc3.d/S71rpc Rpcbind, keyserv, rpc.nisd, nis_cachmgr, rpc.nipasswdd Used by rpcbind, NIS/NIS+, NFS client/server NFS Server /etc/rc2.d/S73nfs.server, /etc/rc3.d/S15nfs.server Explicitly list client hosts, no world access Export lowest level dir only and RO Synchronize UID/GID between pairs Use strong authentication if possible (AUTH_DES, AUTH_KERB)
va-scan Copyright 2002, Marchany
Sendmail Use sendmail kit available from ftp://ftp.vt.edu/pub/cc/Solaris/sendmail X.tar.Z Sendmail kit built by VT with anti-relay and anti-spam filters Contains install and backout scripts
va-scan Copyright 2002, Marchany
Sendmail Tailor as necessary Solaris 8 undocumented way to have sendmail handle mail w/o cron echo “MODE=“””” > /etc/default/sendmail Sendmail will only process outgoing mail and no accept incoming connections. Useful if you forward mail to PID@vt.edu See Sun Blueprint tools page ( www.sun.com/blueprints/tools) for replacement /etc/default/sendmail
va-scan Copyright 2002, Marchany
Name Service Caching (nscd) Provides caching for NS requests Performance boost, all NS requests made by system library call routed to nscd Sun recommends caching as little as possible Do not disable. NIS/NIS+ and some versions of Netscape break nscd – g : see current configuration
va-scan Copyright 2002, Marchany
Banner Files /etc/motd /etc/issue /etc/default/telnetd BANNER=“place your text here” /etc/default/fptd BANNER=“place your text here” /etc/sendmail.cf SmtpGreetingMessage=Put Warning here va-scan Copyright 2002, Marchany More on /etc/default /etc/default/cron CRONLOG=yes tells cron to log to /var/cron/log for each cron job. Roll this log often – see /etc/cron.d/logchecker /etc/default/su Defines PATH, SUPATH for su command /etc/default/passwd Set password aging, password length /etc/default/kbd Disable STOP-A on systems
va-scan Copyright 2002, Marchany
/etc/default/login CONSOLE – root logins allowed only on this device usually the console PATH, SUPATH – uncomment and set UMASK – uncomment and set RETRIES – number of failed logins before login exits SYSLOG_FAILED_LOGINS – number of failed logins before message logged to /var/adm/loginlog (Solaris 8)
va-scan Copyright 2002, Marchany
Additional Login Files Set UMASK, PATH in /etc/profile, /etc/.login Default files for userid creation in /etc/skel. These files are used by useradd or admintool programs Can be overridden by users
va-scan Copyright 2002, Marchany
Fix-modes Program Corrects insecure system file/directory perms: Removes group/world write permissions Makes most files owned by root Uses /var/sadm/install/contents for list of programs to check User files NOT installed with pkgadd will not be affected Core files in Solaris 8 are fixed. Things like CDE aren’t va-scan Copyright 2002, Marchany Building TCP Wrappers Available from ftp://ftp.porcupine.org/pub/security/ind ex.html Modify the Makefile Set REAL_DAEMON_DIR Send logging to LOG_AUTH Download the IPv6 version for Solaris 8 Use the advanced installation method
va-scan Copyright 2002, Marchany
Building OpenSSH OpenSSH implements SSH1, SSH2 Maintained by OpenBSD Tested on Solaris 2.6 5/98 Sparc, Solaris 7 11/99 Sparc, Solaris 8 4/01 Sparc with ForteDeveloper 6 update 1 and gcc 2.95.2
va-scan Copyright 2002, Marchany
Building OpenSSH Prerequisite Components OpenSSH 2.9p2 from http://www.openssh.com/portable.html Zlib 1.1.3 from http://www.freesoftware.com/pub/infozip/zlib Solaris 8 CD – package format OpenSSL 0.9.6b from http://www.openssl.org/source PRNGD 0.9.19 from http://www.aet.tu- cottbus.de/personen/jaenicke/postfix_tls/prngd.ht ml (pseudo random number generator)
va-scan Copyright 2002, Marchany
Building OpenSSH Building zlib cd zlib-1.1.3 ./configure (for gcc) env CC=cc CFLAGS=“-xo4 – KPIC” ./configure make make install ls –l /usr/local/lib/libza.a va-scan Copyright 2002, Marchany Building OpenSSH Building OpenSSL cd openssl-0.9.6b ./Configure <compiler> make make install ls –l /usr/local/ssl/lib Building PRNGD cd prngd-0.9.19 make CC=gcc CFLAGS=“-O3 –DSOLARIS” SYSLIBS=“- lsocket –lnsl” make CC=cc CFLAGS=“-x04 –DSOLARIS –KPIC” SYSLIBS=“-lsocket –lnsl”
Building OpenSSH Building OpenSSH gcc version ./configure –prefix=/opt/OBSDssh –with- pam –without-rsh –disable-suid-sh – sysconfdir=/etc \ --with-prngd- socket=/var/spool/prngd/pool make make install ls –l /opt/OBSDssh/bin/ssh Start: /etc/init.d/openssh.server start
va-scan Copyright 2002, Marchany
Building OpenSSH http://www.sun.com/blueprints/tools/m akeOpenSSHPackage.ksh builds a Solaris package containing OpenSSH ./makeOpenSSHPackage.ksh pkgadd –d OBSDssh.pkg OBSDssh
va-scan Copyright 2002, Marchany
/etc/sshd_config Guidelines ListenAddress – used to set up SSH servers on virtual I/F Protocol 2,1 – try v2 first then v1 SyslogFacility AUTH – send logging messages to LOG_AUTH like TCP Wrappers CheckMail, PrintMotd – done by SSH or login, your choice KeepAlive – send a heartbeat packet to verify the host is still reachable. Good for keeping hung sessions down
va-scan Copyright 2002, Marchany
/etc/sshd_config Guidelines IgnoreRhosts yes – disable all types of rhosts authentication PermitRootLogin no – forces people to su to root Be careful. This also prevents remote command execution and copying files from one system to another via scp
va-scan Copyright 2002, Marchany
SSH: Using RSA Authentication Generate your key pair using something like PGP Copy public key to remote system Remote system authenticates user by encrypting message w/public key User decrypts using private key and send it back to remote system
va-scan Copyright 2002, Marchany
SSH RSA Example % ssh-keygen –b 1024 –f ~/.ssh/identity […] Enter passphrase: XXXXXXXX Enter the same passphrase again: XXXXXXXX […] % scp ~/.ssh/identity.pub \ remotehost:~/.ssh/authorized_keys rcm@remotehost password: YYYYYYY Identity.pub | 0 KB| 0.3kB/s| ETA: 00:00| 100% % ssh remotehost Enter passphrase for RSA key rcm@thishost : KKKKKKK va-scan Copyright 2002, Marchany Testing & Verification
Minimum Security Benchmark
Procedures and Toolkits for Testing and Verifying System Security
va-scan Copyright 2002, Marchany
Testing & Verification Pomeranz Test Can get here from there Can’t get here from there Can’t get here as Superuser What’s Running? Can’t write in /usr Can’t run SUID from /var/tmp Check your logs
va-scan Copyright 2002, Marchany
Can Get Here From There ssh userid@securehost Reasons for failure Localhost isn’t in securehost’s hosts.allow TCP Wrappers in sshd can’t find localhost’s name from its IP address sshd can’t read hosts.allow, hosts.deny The userid doesn’t exist on securehost RSA identity certificate not properly installed
va-scan Copyright 2002, Marchany
Can’t Get Here From There From badhost: ssh securehost Root should be getting an email if logcheck and syslog are working Reasons the connection might work hosts.allow is too permissive Reasons for failure Securehost may have an invalid sendmail.cf file
va-scan Copyright 2002, Marchany
Can’t Get Here As Superuser ssh –l root securehost Reason for success /etc/sshd-config is incorrect You shouldn’t allow direct root logins
va-scan Copyright 2002, Marchany
What’s Running? Do a ‘ps –ef’ or lsof on an idle system Reasons you might see different output: You’re logged in multiple times You logged in on the console Forgot to remove all recommended files from /etc/rc*.d /etc/defaultrouter doesn’t exist
va-scan Copyright 2002, Marchany
Can’t Write in /usr touch /usr/bin/BAD Should generate an error message. Reasons for success: Forgot to reboot/remount /usr in RO mode Incorrect configuration of /etc/vfstab
va-scan Copyright 2002, Marchany
Can’t Run SUID from /var/tmp # cd /var/tmp # cp /usr/bin/ps . # chmod 4111 ps ^D $ /usr/bin/ps –ef $ /var/tmp/ps –ef
Reasons for Success: 1) still running as root 2) running wrong
Version of ps 3) misconfigured /etc/vfstab
va-scan Copyright 2002, Marchany
Check Your Logs Reasons for failure /etc/syslog.conf has no auth.* entries Files/devices listed in /etc/syslog.conf are invalid Loghost is unreachable or misconfigured Forgot to modify TCP Wrapper’s Makefile to send logging messages to LOG_AUTH /etc/sshd_config is misconfigured
va-scan Copyright 2002, Marchany
Backups Have a complete level 0 dump of all file systems] Set up an alternate boot disk Lock it up and don’t re-use the tape/disk Make another dump every time you make significant changes Should you use network backup for sensitive servers? In our environment, it’s ok because of network topology
va-scan Copyright 2002, Marchany
Alternate Boot Disk Setup Install 2 identical internal disks Install OS on primary disk Partition 2nd disk identical to primary Format the secondary disk Create filesystems on secondary disk dd copy from primary to secondary Install ufs bootblock in s0 of secondary Modify /broot/etc/vfstab to mount secondary as /, change auto bootup device in EEPROM
va-scan Copyright 2002, Marchany
Security Benchmarks
Tools and Benchmark Documents
for Securing Solaris Systems
va-scan Copyright 2002, Marchany
Configurator http://www.deer- run.com/~hal/jumpstart/configurator Testing tool for SANS “Securing Solaris” and CIS “Solaris Security Benchmark” docs Will CHANGE your system setting to conform with the above docs Can be integrated into Jumpstart server or run in standalone mode
va-scan Copyright 2002, Marchany
CIS Solaris Benchmark Minimum actions to harden your system Configurator script available from http://www.deer- run.com/~hal/jumpstart/configurator Can be used to configure according to CIS benchmark or SANS Securing Solaris
va-scan Copyright 2002, Marchany
SANS Benchmark Available from http://security.vt.edu in the Online Books section. Need PID to get it. Contains step-by-step instructions in a manner similar to the CIS benchmark Systems can be configured using Hal Pomer
va-scan Copyright 2002, Marchany
JASS Free from www.sun.com/blueprints/tools Set of scripts to secure your system Can be used as part of a Jumpstart install Useful for lab situations It’s an “officially endorsed” Sun item JASS doesn’t secure systems enough va-scan Copyright 2002, Marchany YASSP http://www.yassp.org Jean Chouanard took an early version of the SANS Securing Solaris course Went home and wrote YASSP Comes in pkgadd format Endorsed by SANS Runs on Solaris 2.6, 7, 8(beta) Mailing list: secure-sol- request@parc.xerox.com
va-scan Copyright 2002, Marchany
YASSP Pros/Cons Pro pkgadd format very useful Works on Core, end-user, developer, Full Automatically installs security tools Con Not very modular /etc/yassp.conf hard to understand
va-scan Copyright 2002, Marchany
TITAN Collection of programs/scripts which either fix or tighten security problems Not a replacement for anything. It’s a supplement to your system security toolkit. http://www.fish.com/titan
va-scan Copyright 2002, Marchany
TITAN Pros/Cons Pro Modular and extensible Verification function Linux version in beta test Con Writing modules can be complex
va-scan Copyright 2002, Marchany
Conclusions Keep an eye on your system Build minimal functionality then add what you need Mount FS RO or NOSUID Use SSH Verify everything Send Randy log excerpts of probes va-scan Copyright 2002, Marchany Appendix 1
Portsentry, IP Filter, logcheck
configuration guidelines
va-scan Copyright 2002, Marchany
Portsentry Available from www.psionic.com Monitors ports and performs an action when an attempt to access the port is made. Usually access is denied to the probing systems. Monitors TCP and UDP traffic. A little more flexible than TCP Wrappers
va-scan Copyright 2002, Marchany
Portsentry Configuration Files Portsentry.conf contains the list of ports to be monitored. 3 levels of paranoia
va-scan Copyright 2002, Marchany
va-scan Copyright 2002, Marchany Logcheck Available from www.psionic.com Syslog keyword scanner When it matches something, it does something Send email Page someone Run a command
va-scan Copyright 2002, Marchany
logcheck.violations
These keywords denote a
problem and are flagged by logcheck.
va-scan Copyright 2002, Marchany
logcheck.ignore
Phrases listed in this file
are ignored by the logcheck program.
va-scan Copyright 2002, Marchany
logcheck.hacking
Keywords in this file indicate
an attack is taking place
va-scan Copyright 2002, Marchany
va-scan Copyright 2002, Marchany IP Filter Software package that can do NAT or basic firewall services. Designed to be used as a loadable kernel module but can be incorporated into a Unix kernel Can be configured to do IP Accounting (count # bytes), IP Filtering or IP authentication or NAT. http://coombs.anu.edu.au/~avalon/ip- filter.html va-scan Copyright 2002, Marchany IP Filter Can explicitly allow/deny any packet. Distinguishes between multiple interfaces. Filters by IP network, hosts or protocol. Filters by port number or port range. Logs the following: TCP/UDP/ICMP/IP packet headers First 128 bytes Pass or blocked status
va-scan Copyright 2002, Marchany
IP Filter Statistics collected include: Packets blocked Packets used for accounting (packet count) Packets passed Packets logged Inbound/outbound packet information
va-scan Copyright 2002, Marchany
va-scan Copyright 2002, Marchany IP Filter Log Format Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 ->198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID
702911local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 ->198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID
702911local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 ->198.82.255.255,21 PR tcp len 20 60 -S IN va-scan Copyright 2002, Marchany WWW Sites Sendmail ftp.vt.edu/pub/cc/Solaris/sendmail* ftp.sendmail.org/pub/sendmail Fix-modes ftp.science.uva.nl/pub/solaris/fix-modes.tar.gz OpenSSH Solaris 8 Installation CD http://www.openssh.com/portable.html