The Problem - PowerPoint PPT Presentation

Description: We're a research lab! Goal of Talk. Show you how to install and strip down a Linux box so ... Do not hook up to the Internet until your system is locked down ... – PowerPoint PPT presentation

Slides: 46
Provided by: johns533

Transcript and Presenter's Notes

1
The Problem
  • Seclab computers get attacked
  • This is expected; there is no way to prevent it
  • Attacker breaks in, compromises our systems
  • Dangerous to us, because it compromises research
    programs, data, papers, and results
  • Embarrassing to us, as we're supposed to prevent
    this
  • We're a research lab!

2
Goal of Talk
  • Show you how to install and strip down a Linux
    box so it's more secure than most systems

3
Key Principles
  • Least Privilege
      • If you don't need it, don't run it or allow it
      • If you do need it, confine it as much as possible
  • Fail-Safe Defaults
      • Disable or deny everything, then make exceptions
        to enable servers or allow access
  • Do not hook up to the Internet until your system
    is locked down
      • May not be possible with Windows

4
Practical OS Lockdown, or How I Learned to Stop
Worrying and Love the Internet
  • Jeff Rowe
  • Seclab Seminar
  • Oct. 1, 2003

5
Typical Seclab Experience
  • Start with
      • A computer
      • OS installation CDs
      • A network connection and IP address
      • That's it
  • Result: Seclab computers get hacked once every
    few months.

6
RedHat Linux Lockdown
  • Start with
      • A computer
      • Three RH9 CDs
      • A network connection and IP address
      • A plan

Rule 1: Plug in the network cable last.
7
Basic Lockdown Plan
  • The Problem: the standard installation will let
    attackers hack your machine immediately
      • Unnecessary services are installed
      • Unnecessary services are started at boot time
      • Packages on the CDs contain root-level
        vulnerabilities
  • The Plan
      • A security-aware install
      • A reasonably secure configuration after the
        install
      • A strict personal firewall
      • An efficient update and patch regimen

8
RedHat 9 Installation
  • Put in CD 1 and boot

9
RedHat 9 Installation
Choose whatever suits you
10
RedHat 9 Installation
  • Choose a new Red Hat Linux installation

11
RedHat 9 Installation
  • Rule 2: Never, never, never choose a packaged
    installation

12
RedHat 9 Installation
  • Partition the disks. Whatever

13
RedHat 9 Installation
  • Boot Loader password? I choose No.

14
RedHat 9 Installation
  • Set up the network addresses. No cables yet!

Even better: choose "Configure using DHCP" and
connect to Support's protected network.
15
DHCP Network Hubs in the Wild
16
RedHat 9 Installation
  • Rule 3: Use the personal firewall
      • Security level: High
      • Customize rules: allow only SSH
  • iptables will block all incoming packets to ports
    1-1024, sending back an ICMP unreachable. More on
    iptables firewall rules later...

17
RedHat 9 Installation
  • Set a reasonable root password, use default
    shadow password and authentication policy.

18
RedHat 9 Installation
  • Now the hard part: package configuration

19
RedHat 9 Installation
  • Rule 4: Unless you are sure you need it, turn it
    off

Add: nmap, nmapfe, emacs/xemacs, ethereal.
Get rid of: IM, IRC chat, network services (FTP,
HTTP, DNS, etc.), scanner front-ends, CD labelers,
graphics tools, TV support... They can always be
added later.
20
RedHat 9 Installation
  • Finally you can install.

21
RedHat 9 Installation Notes
  • Red Hat Linux's installation procedure is called
    anaconda.
  • /root/anaconda-cfg contains the configuration file
    that was used in the install. I can supply you
    with a sample configuration showing which
    packages are reasonable to remove or include.
  • Don't plug in the network cable yet!

22
Configuring RedHat 9
  • Even with a security-aware installation there are
    plenty of services started by default during
    boot.
  • Scan the loopback address (127.0.0.1) with nmapfe
    to see which services are listening.
  • The firewall rules are configured to pass all
    traffic to the loopback address.

23
Configuring RedHat 9
  • Scan the external routable IP address with nmapfe
    to see what will get past the firewall.

24
Configuring RedHat 9
  • To see what is started at boot time use
    chkconfig --list | grep on

    # chkconfig --list | grep on
    kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
    syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
    netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
    network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
    rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
    pcmcia          0:off   1:off   2:on    3:on    4:on    5:on    6:off
    keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
    apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
    gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
    autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
    iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
    isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
    nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
    sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
    rhnsd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
    crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
    anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
    xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
    cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    canna           0:off   1:off   2:on    3:on    4:on    5:on    6:off
            sgi_fam:        on
25
Configuring RedHat 9
  • Rule 5: Turn off everything you don't need,
    especially network services (e.g. sendmail)
  • Step 1: Remove them from the startup procedure.
    chkconfig modifies all appropriate /etc/rc.d
    configuration files.
  • Step 2: Stop the currently running server.

    # chkconfig portmap --levels 345 off
    # chkconfig --list portmap
    portmap         0:off   1:off   2:off   3:off   4:off   5:off   6:off
    # /etc/init.d/portmap stop
    Stopping portmapper:                                       [  OK  ]
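The two steps above, done for every non-essential service at once, as an added example that is not from the slides: it treats KEEP as the allow-list (fail-safe default), reads chkconfig --list output, and disables and stops whatever is on at runlevels 3 to 5 but not in the list. The KEEP set, the constructed SAMPLE output and the "apply" switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the slides: Rule 5 as an allow-list. Every service
# that chkconfig reports "on" at runlevel 3, 4 or 5 and is not in KEEP is
# disabled at those runlevels and stopped. With no argument it only prints
# what it would do against a constructed sample, so it is safe to try first.

# Assumption: the minimal set an ssh-only box needs. Adjust before "apply".
KEEP="syslog network random keytable iptables sshd crond anacron"

# Read "chkconfig --list" output on stdin and print one name per line for
# each SysV or xinetd-managed service that is on and not in KEEP.
services_to_disable() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        # SysV line:  name 0:off 1:off 2:on 3:on 4:on 5:on 6:off
        NF == 8 && $1 !~ /:$/ {
            if (($5 ~ /:on$/ || $6 ~ /:on$/ || $7 ~ /:on$/) && !($1 in want)) print $1
        }
        # xinetd line: "name: on" (no init script; chkconfig off is enough)
        NF == 2 && $1 ~ /:$/ && $2 == "on" { sub(/:$/, "", $1); if (!($1 in want)) print $1 }
    '
}

# Constructed sample in RH9 chkconfig --list format, used for the dry run.
SAMPLE='syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        sgi_fam:        on'

disable_services() {
    mode="$1"    # "apply" changes the box; anything else is a dry run
    if [ "$mode" = "apply" ]; then chkconfig --list; else printf '%s\n' "$SAMPLE"; fi |
    services_to_disable |
    while read -r svc; do
        if [ "$mode" = "apply" ]; then
            chkconfig --level 345 "$svc" off
            [ -x "/etc/init.d/$svc" ] && "/etc/init.d/$svc" stop
        else
            echo "would run: chkconfig --level 345 $svc off; /etc/init.d/$svc stop"
        fi
    done
}

disable_services "$1"
```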
26
Configuring RedHat 9
  • Check the services again to see that only the
    essential services remain.
  • chkconfig --list | grep on

    # chkconfig --list | grep on
    syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
    network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
    keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
    apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
    gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
    autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
    iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
    sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    rhnsd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
    crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
    anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
    cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
27
Configuring RedHat 9
  • Scan the external routable IP address again after
    turning off most services to see how attackers
    will see your computer over the network.
  • Don't plug in the network cable yet!

28
Iptables Firewall Rules
  • RedHat 9 uses iptables for its personal
    firewall.
  • The iptables firewall is configured using rule
    chains.
  • The firewall configuration uses three standard
    chains:
      • INPUT, governing acceptance of incoming packets
      • OUTPUT, governing acceptance of outgoing packets
      • FORWARD, for passing packets from one interface
        to another.

29
Iptables Firewall Rules
  • Check the firewall rules with
  • iptables --list

    Chain INPUT (policy ACCEPT)
    target                prot opt source                   destination
    RH-Lokkit-0-50-INPUT  all  --  anywhere                 anywhere

    Chain FORWARD (policy ACCEPT)
    target                prot opt source                   destination
    RH-Lokkit-0-50-INPUT  all  --  anywhere                 anywhere

    Chain OUTPUT (policy ACCEPT)
    target                prot opt source                   destination

    Chain RH-Lokkit-0-50-INPUT (2 references)
    target     prot opt source                   destination
    ACCEPT     udp  --  regnant7.cs.ucdavis.edu  anywhere     udp spt:domain dpts:1025:65535
    ACCEPT     tcp  --  anywhere                 anywhere     tcp dpt:ssh flags:SYN,RST,ACK/SYN
    ACCEPT     all  --  anywhere                 anywhere
    REJECT     tcp  --  anywhere                 anywhere     tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere                 anywhere     tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    REJECT     udp  --  anywhere                 anywhere     udp dpts:0:1023 reject-with icmp-port-unreachable
    REJECT     udp  --  anywhere                 anywhere     udp dpt:nfs reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere                 anywhere     tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere                 anywhere     tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
30
Iptables Firewall Rules
  • Modify the current iptables ruleset to block
    everything except ssh.
  • Important! The modifications must be saved to
    take effect even after reboot.

    iptables -R RH-Lokkit-0-50-INPUT 4 -p tcp -m tcp --dport 0:65535 --syn -j REJECT
    iptables -R RH-Lokkit-0-50-INPUT 6 -p udp -m udp --dport 0:65535 -j REJECT
    /sbin/service iptables save
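The same "ssh only" policy built from a default-deny base instead of by replacing numbered rules inside the Lokkit chain, as an added example that is not from the slides. It assumes sshd on port 22 and uses the connection-tracking state match in place of the Lokkit DNS-reply rule; with no argument it only prints the commands so the set can be reviewed before "apply" runs them as root.

```shell
#!/bin/sh
# Added example, not from the slides: the ssh-only policy as a fresh,
# fail-safe ruleset. INPUT and FORWARD default to DROP, then explicit
# exceptions are added, so anything forgotten is denied rather than passed.
# Prints the commands by default; "apply" runs them (root) and saves them.

SSH_PORT=22    # assumption: sshd listens on its default port

# Emit one iptables command per line for review or testing before any of
# them touches the kernel.
ssh_only_rules() {
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT --syn -j ACCEPT
iptables -A INPUT -p tcp --syn -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Number of inbound ports the set opens; "1" means ssh and nothing else.
accept_rule_count() {
    ssh_only_rules | grep -c -- '-A INPUT .*--dport'
}

case "$1" in
    apply)
        ssh_only_rules | while read -r cmd; do $cmd; done
        /sbin/service iptables save   # persist across reboot, as on the slide
        ;;
    *)
        ssh_only_rules
        ;;
esac
```

Replies to DNS queries and other traffic the box started are admitted by the ESTABLISHED,RELATED rule, which is what the Lokkit "udp spt:domain" rule was doing for the DHCP-assigned name server.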
31
Iptables Firewall Rules
  • Check the firewall rules with
  • iptables --list

    Chain INPUT (policy ACCEPT)
    target                prot opt source                   destination
    RH-Lokkit-0-50-INPUT  all  --  anywhere                 anywhere

    Chain FORWARD (policy ACCEPT)
    target                prot opt source                   destination
    RH-Lokkit-0-50-INPUT  all  --  anywhere                 anywhere

    Chain OUTPUT (policy ACCEPT)
    target                prot opt source                   destination

    Chain RH-Lokkit-0-50-INPUT (2 references)
    target     prot opt source                   destination
    ACCEPT     udp  --  regnant7.cs.ucdavis.edu  anywhere     udp spt:domain dpts:1025:65535
    ACCEPT     tcp  --  anywhere                 anywhere     tcp dpt:ssh flags:SYN,RST,ACK/SYN
    ACCEPT     all  --  anywhere                 anywhere
    REJECT     tcp  --  anywhere                 anywhere     tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere                 anywhere     tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    REJECT     udp  --  anywhere                 anywhere     udp reject-with icmp-port-unreachable
    REJECT     udp  --  anywhere                 anywhere     udp dpt:nfs reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere                 anywhere     tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
    REJECT     tcp  --  anywhere                 anywhere     tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
32
Test the Configuration
  • Finally you can plug in the network cable.
  • Open the web browser and connect to a web site to
    verify that networking is available.
  • Check your configuration from another host.

33
Patch
  • We still aren't done: patches need to be applied.
  • ssh remains open and available to anyone on the
    Internet. Two weeks ago 3 vulnerabilities were
    found in OpenSSH within the course of two days.
  • Red Hat Network provides free updating for one
    machine per person; $65/year for each additional
    machine.

34
Patching with up2date
  • In RedHat 9 the up2date tool provides distributed
    patches:
    up2date --register

35
Patching with up2date
  • Register with username, password, email

36
Patching with up2date
  • Send them your system profile and package set

37
Patching with up2date
  • Subscribe to a patch channel

38
Patching with up2date
  • Every time you run up2date you get the latest
    patches

39
Windows Lockdown
  • The Problem
      • Windows is designed to give you limited control.
      • The inside may be as worrisome as the outside.
  • The Plan
      • Make your computer a strict client
      • Keep it up to date and patched
      • Run a personal firewall
      • Put it on the unroutable DHCP network

40
DHCP Network Hubs in the Wild
41
Windows Lockdown
  • A Windows strict client: the don't-install list
      • IIS Web Server
      • Windows Messenger (hard to turn off)
      • Chat
  • Turn off file sharing
  • Use and love Windows Update
  • The department now scans for vulnerable machines.
    Don't make them track you down.

42
Windows Personal Firewall
  • Use free ZoneAlarm - www.zonelabs.com

The free download of ZoneAlarm basic is here on
ZoneLabs main web page.
43
Windows Personal Firewall
  • ZoneAlarm intercepts
      • Application bindings to local sockets. Blocks
        remote connections to the local machine.
      • Local connections to remote sockets. Your own
        applications can be prevented from connecting out
        without your knowledge or permission.
  • Shows a histogram of active in and out
    connections on the taskbar

44
Windows Personal Firewall
  • ZoneAlarm is configured interactively; no
    preconfiguration is needed.

Check this box and you'll never be bothered again.
45
Windows Personal Firewall
  • Fine grained control is obtained using the tray
    icon.