AERAsec Network Security: Systems - Linux

Some hints for securing systems running Linux on the Internet:

This information is provided 'as is' - no warranty at all. Before applying these hints to a production system, please test them in your test lab!

A default installation of (any) Linux mostly results in an unsafely configured system. Therefore, here are some hints on how to harden Linux with simple methods (in terms of time and tools).

Simple hints for hardening the system:

  1. Install all updates:

    • There is usually a considerable amount of time between the pressing of a distribution's CD (or the creation of the download images) and the installation. This may have been enough time for a new security problem to be found, which is then present on the freshly installed system. So it is strongly recommended to get and install all updates before connecting the server to the Internet.
    • Red Hat Enterprise Linux provides the tool up2date to update the system with the latest fixed packages. You need a valid support contract and have to register the system with Red Hat Network first:
      up2date --register
      An update of all installed RPM packages to the latest versions is done with:
      up2date --update
    • The Linux distributions Fedora and CentOS use the yum program for online updates. An update of all installed RPM packages to the latest versions is done as user 'root' with:
      yum update
    • Updates of Debian GNU/Linux can be done with the command line utilities apt-get or aptitude. Ensure that the config file /etc/apt/sources.list includes a security entry for the installed Debian version (woody, sarge, etch, ...), e.g.:
      deb http://security.debian.org/ sarge/updates main
      An update of all installed packages to the latest versions is done as user 'root' with:
      apt-get update
      apt-get upgrade
    • On SUSE Linux an online update can be done with YaST.
  2. Replacement of the Telnet daemon and the R-Tools (rsh, rlogin, rcp) by Secure Shell (SSH):

    • The use of Telnet or the R-Tools for remote access to the system is mostly not needed, except for:
      • Use of an X server on hosts that do not allow X tunneling through SSH.
      • Backup to tapes using rmt (Remote Magnetic Tape) - tunneling through SSH is possible, but encryption and decryption cost performance.
    • If the mentioned aspects aren't relevant, the Telnet daemon can be disabled by commenting it out in the file /etc/inetd.conf, sending the HUP signal to the inetd and installing e.g. OpenSSH.
      • A list of SSH clients for Microsoft Windows can be found here.
    • In some cases an FTP server can be replaced by SSH with its sftp subsystem.
  3. Disable all unneeded Internet services:

    • Usually many more Internet services are active than needed. Which services are listening on your system can be found out with the command
      • IPv4 services: netstat -lnp --ip
      • IPv6 services: netstat -lnp --inet6
    • All services not needed should be disabled:
      • If the daemon of this service is started directly, disable it in the runlevel scripts, e.g. on Red Hat Linux with the command chkconfig <service> off.
      • If the program is started by the inetd, comment out the corresponding line in the file /etc/inetd.conf.
      • All programs started by xinetd can be disabled by inserting the option disable = yes in the corresponding section of the file /etc/xinetd.conf or in the referring files in the directory /etc/xinetd.d/.
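The listing produced by netstat -lnp is only useful if someone actually reads it. The following added example (not code from the AERAsec page) parses such output into listening sockets, reports every socket whose program is not on an allow-list of expected services, and separately lists sockets bound to a wildcard address, i.e. reachable from every interface. The netstat text below is constructed to mimic the real format; the program names and PIDs are made up. Note that netstat prints the PID/program column only when run as root, otherwise a "-" appears there.

```python
import re

# Constructed sample of "netstat -lnp" output (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      640/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp6       0      0 :::80                   :::*                    LISTEN      977/httpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           590/portmap
udp        0      0 0.0.0.0:514             0.0.0.0:*                           521/syslogd
"""

# One socket row: proto, queues, local, foreign, optional state, then "PID/name" or "-".
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(?P<pid>\d+|-)/?(?P<prog>\S*)\s*$"
)

def parse_listening(text):
    """Return a list of dicts, one per listening socket row in netstat -lnp output."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything that is not a socket row
        host, port = m.group("local").rsplit(":", 1)  # ":::80" -> ("::", "80")
        sockets.append({
            "proto": m.group("proto"),
            "host": host,
            "port": int(port),
            "pid": m.group("pid"),
            "program": m.group("prog") or "?",  # "?" when netstat printed only "-"
        })
    return sockets

def unexpected_services(sockets, allowed):
    """Sockets whose program name is not in the allow-list of expected daemons."""
    return [s for s in sockets if s["program"] not in allowed]

def exposed(sockets):
    """Sockets bound to a wildcard address, i.e. reachable from every interface."""
    return [s for s in sockets if s["host"] in ("0.0.0.0", "::")]

if __name__ == "__main__":
    # "allowed" is a made-up allow-list for this sample host.
    allowed = {"sshd", "master", "httpd", "syslogd"}
    sockets = parse_listening(SAMPLE_NETSTAT)
    for s in unexpected_services(sockets, allowed):
        print(f"unexpected: {s['proto']} {s['host']}:{s['port']} {s['pid']}/{s['program']}")
    for s in exposed(sockets):
        print(f"exposed on all interfaces: {s['proto']} port {s['port']} ({s['program']})")
```

On a real host the text would come from running netstat as root, e.g. with subprocess; the allow-list is what the server is meant to provide, so anything outside it (here the inetd-started telnet on port 23 and the portmapper) is a candidate for the disabling steps above.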
  4. Uninstallation of unnecessary programs:

    • Each unnecessary program might result in a serious vulnerability, esp. if the SUID (set user id on execution) or the SGID (set group id on execution) bit is set.
      Output of a list of all files with SUID or SGID bit set:
      find / -perm /6000 -type f -ls
      (older versions of GNU find use the syntax -perm +06000 instead of -perm /6000)
    • When using RPM it is quite easy to remove a package if it is not necessary. There may be dependencies between packages, which are shown when a package is going to be uninstalled. Then you have to decide whether to remove the package forcefully (rpm -e --nodeps) or to remove the depending packages as well.
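The find command above gives a one-time listing; what a defender usually wants is to compare that listing against a known-good baseline after every update. The following added example (not code from the AERAsec page) does the same walk in Python: it inspects every regular file under a directory with lstat (so symlinks are never followed), reports those with the SUID or SGID bit, and prints which of them are not in a baseline set. The demo tree it builds in a temporary directory is constructed sample data with hypothetical file names.

```python
import os
import stat
import tempfile

def find_setid_files(root):
    """Sorted (path, mode, uid, gid) tuples for regular files under root with SUID or SGID set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):  # os.walk does not descend into symlinked dirs
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: inspect the entry itself, never a link target
            except OSError:
                continue                       # vanished or unreadable entry; skip it as find would
            if not stat.S_ISREG(st.st_mode):   # symlinks, sockets, device nodes are not of interest
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid))
    return sorted(hits)

def unexpected_setid(root, baseline):
    """Paths of set-id files under root that are not listed in the known-good baseline set."""
    return [path for path, _mode, _uid, _gid in find_setid_files(root) if path not in baseline]

def build_demo_tree():
    """Constructed sample tree (hypothetical files, not from the page); returns its root directory."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    os.mkdir(os.path.join(root, "bin"))
    for name, mode in (("suid_tool", 0o4755), ("sgid_tool", 0o2755), ("plain_tool", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    # A symlink pointing at the SUID file must not be reported as a second set-id file.
    os.symlink(os.path.join(root, "bin", "suid_tool"), os.path.join(root, "bin", "link_to_suid"))
    return root

if __name__ == "__main__":
    root = build_demo_tree()
    for path, mode, uid, gid in find_setid_files(root):
        print(mode, uid, gid, path)
    # Baseline with only the SUID tool: the SGID tool shows up as unexpected.
    print("not in baseline:", unexpected_setid(root, {os.path.join(root, "bin", "suid_tool")}))
```

For a real audit, call find_setid_files("/") as root and store the result; after each update run, the difference to the stored list is the set of files whose set-id bits need a justification.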

Useful "Switches" of the Linux-Kernel

More information can be found in the kernel source code: /usr/src/linux/Documentation/networking/ip-sysctl.txt

The following "switches" are activated with sysctl (for some of them a recompilation of the kernel may be necessary). Entries written as net.ipv4.conf.*.NAME exist once per interface: set them for "all", "default" or the interface name (e.g. eth0) in place of the "*".

  • Syncookie support (against SYN flooding)
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    sysctl -w net.ipv4.tcp_syncookies=1
  • Limitation of the rate of transmitted special ICMP packets (against DoS attacks)
    Kernel version 2.2.x:
    sysctl -w net.ipv4.icmp_destunreach_rate=100
    sysctl -w net.ipv4.icmp_echoreply_rate=100
    sysctl -w net.ipv4.icmp_paramprob_rate=100
    sysctl -w net.ipv4.icmp_timeexceed_rate=100
    Here: limitation to 1 packet per second
    Kernel version 2.4.x, 2.6.x:
    sysctl -w net.ipv4.icmp_ratemask=6169
    6169 = 0x1819 = 1<<ICMP_ECHOREPLY (0) + 1<<ICMP_DEST_UNREACH (3) + 1<<ICMP_SOURCE_QUENCH (4) + 1<<ICMP_TIME_EXCEEDED (11) + 1<<ICMP_PARAMETERPROB (12)
    sysctl -w net.ipv4.icmp_ratelimit=100 (1/s)
    or
    sysctl -w net.ipv4.icmp_ratelimit=10 (10/s)
  • Disabling of ICMP echo replies to broadcast addresses (against scanning and smurf attacks)
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
  • General disabling of ICMP echo replies (against scanning)
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    sysctl -w net.ipv4.icmp_echo_ignore_all=1
  • Blocking of IP packets with the source routing option set (against attacks)
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    sysctl -w net.ipv4.conf.*.accept_source_route=0
  • Blocking of ICMP redirect packets (against attacks)
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    sysctl -w net.ipv4.conf.*.accept_redirects=0
  • Always defragment incoming IP packets (against attacks)
    Kernel version: 2.2.x
    sysctl -w net.ipv4.conf.*.ip_always_defrag=1
  • Logging of all packets with impossible ("martian") source addresses (against scanning)
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    sysctl -w net.ipv4.conf.*.log_martians=1
  • Disabling of ICMP address mask replies (against scanning)
    Kernel version: early 2.2.x
    sysctl -w net.ipv4.ip_addrmask_agent=0
  • Disabling of IPv4 forwarding (turns off routing)
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    sysctl -w net.ipv4.ip_forward=0
  • Disabling of IPv4 forwarding per interface (turns off routing; the decision is made for incoming packets!)
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    sysctl -w net.ipv4.conf.*.forwarding=0
  • Disabling of TCP timestamps (against uptime detection, e.g. by NMAP)
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    sysctl -w net.ipv4.tcp_timestamps=0
  • Change of the source port range for outbound connections (for safe rulesets when using a stateless packet filter such as ipchains)
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    sysctl -w net.ipv4.ip_local_port_range="32768 60999"
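Two of the items above are easy to get wrong by hand: the icmp_ratemask value is a bitmask built from ICMP type numbers, and the per-interface conf.*.NAME entries have to be checked for every interface, not just "all". The following added example (not code from the AERAsec page) builds and decodes the ratemask from the ICMP type numbers given above and then audits a sysctl snapshot against the recommended values of the table. The snapshot is constructed sample text in the "key = value" format printed by sysctl -a; its values are made up to show deviations and were not read from a real host.

```python
import re

# ICMP message type numbers (RFC 792) as listed in the ratemask calculation above.
ICMP_TYPES = {
    "ICMP_ECHOREPLY": 0,
    "ICMP_DEST_UNREACH": 3,
    "ICMP_SOURCE_QUENCH": 4,
    "ICMP_TIME_EXCEEDED": 11,
    "ICMP_PARAMETERPROB": 12,
}

def icmp_ratemask(type_names):
    """net.ipv4.icmp_ratemask value: one bit per ICMP type that is to be rate-limited."""
    mask = 0
    for name in type_names:
        mask |= 1 << ICMP_TYPES[name]
    return mask

def decode_ratemask(mask):
    """Sorted ICMP type numbers whose bit is set in a ratemask value."""
    return [bit for bit in range(32) if mask & (1 << bit)]

# Target values from the table; a "*" key is checked for every interface
# entry (all, default, eth0, ...) that is present in the snapshot.
RECOMMENDED = {
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.*.accept_source_route": "0",
    "net.ipv4.conf.*.accept_redirects": "0",
    "net.ipv4.conf.*.log_martians": "1",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.tcp_timestamps": "0",
}

# Constructed sample in "sysctl -a" format (values made up, not from a real host).
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ratemask = 6168
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_timestamps = 1
"""

def parse_sysctl(text):
    """Parse 'key = value' lines into a dict of strings; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(settings, recommended=RECOMMENDED):
    """(key, current, wanted) for every setting that deviates; current is None if the key is missing."""
    findings = []
    for key, wanted in recommended.items():
        if "*" in key:
            # "net.ipv4.conf.*.log_martians" -> regex matching any single interface name
            pattern = re.compile("^" + re.escape(key).replace(r"\*", r"[^.]+") + "$")
            keys = [k for k in settings if pattern.match(k)]
        else:
            keys = [key]
        for k in keys:
            current = settings.get(k)
            if current != wanted:
                findings.append((k, current, wanted))
    return findings

if __name__ == "__main__":
    print("icmp_ratemask for the five types:", icmp_ratemask(ICMP_TYPES))  # 6169
    print("types in sample mask 6168:", decode_ratemask(6168))           # echo reply missing
    for key, current, wanted in audit(parse_sysctl(SAMPLE_SYSCTL)):
        print(f"{key}: is {current!r}, should be {wanted}")
```

The wildcard handling is the point of the audit: in the sample the eth0 entries are fine but the "all" entries for accept_redirects and log_martians are not, which a check of a single interface would miss.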

Replacement of vulnerable Daemons

Attention: Before replacing a daemon, test first whether the wanted or needed functionality is still available...

  • inetd -> xinetd
    Information for replacement: different syntax for configuration
    Effort: easy
    Loss of features: none
  • inetd -> ucspi-tcp
    Information for replacement: different concept
    Effort: medium
    Loss of features: none
  • BIND8/4 -> BIND9
    Information for replacement: complete rewrite of the code, but nearly identical configuration as BIND8
    Effort: easy
    Loss of features: none
  • BIND8/4 -> djbdns
    Information for replacement: different concept
    Effort: medium
    Loss of features: no ACL supported
  • sendmail -> postfix
    Information for replacement: different syntax for configuration and configuration files
    Effort: medium
    Loss of features: hardly any, depending on purpose of use
  • sendmail -> qmail
    Information for replacement: different concept, supports Maildir format only (one file per e-mail)
    Effort: not trivial
    Loss of features: maybe, depending on purpose of use and patch level
  • syslogd -> syslog-ng
    Information for replacement: different syntax for configuration
    Effort: medium
    Loss of features: none, and a much better syntax for describing filters
  • wu-ftpd -> proftpd
    Information for replacement: different syntax for configuration
    Effort: easy
    Loss of features: not too much (e.g. no compression on-the-fly), many more other options and TLS
  • wu-ftpd -> publicfile
    Information for replacement: command line options only
    Effort: easy
    Loss of features: high, anonymous FTP in chroot environment only
  • wu-ftpd -> vsftpd
    Information for replacement: different syntax for configuration
    Effort: easy

Protection in the Kernel

  • Openwall Project
    Kernel version: 2.2.x, 2.4.x
    Protection:
      - Non-executable user stack area
      - Restricted links in /tmp
      - Restricted FIFOs in /tmp
      - Restricted /proc
      - ...
    Installation: patch kernel and compile; integrated in OWL (Openwall Linux)
  • PaX
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    Protection:
      - Address space modification protection
    Installation: patch kernel and compile; integrated in grsecurity and RSBAC
  • ExecShield
    Kernel version: 2.4.x, 2.6.x
    Protection:
      - ASCII zone
      - Address space randomization
      - NX data pages
    Installation: patch kernel and compile; integrated in Red Hat Enterprise Linux and Fedora Core

Mandatory Access Control (MAC)

  • AppArmor
    Kernel version: 2.6.x
    Protection:
      - mandatory control of applications' access to resources
    Installation: patch kernel and compile, configuration; integrated in SUSE Linux 10.1 and SLES 10
  • grsecurity
    Kernel version: 2.4.x, 2.6.x
    Protection:
      - Role-based Access Control
      - Chroot restrictions
      - Auditing features
      - integrated PaX
      - ...
    Installation: patch kernel and compile, configuration
  • LIDS
    Kernel version: 2.2.x, 2.4.x, 2.6.x
    Protection:
      - mandatory control of applications' access to resources
    Installation: patch kernel and compile, configuration
  • RSBAC
    Kernel version: 2.4.x, 2.6.x
    Protection:
      - Rule Set Based Access Control
      - modular framework
      - multiple security models
      - Chroot restrictions
      - integrated PaX
      - ...
    Installation: patch kernel and compile, configuration; integrated in Adamantix
  • SELinux
    Kernel version: 2.4.x, 2.6.x
    Protection:
      - Role-based Access Control
      - Type Enforcement
      - Multi Level Security
      - Multi Category Security
    Installation: patch kernel and compile, configuration; integrated in Red Hat Enterprise Linux and Fedora Core

Protection of the Process Stack

  • StackGuard
    GCC version: 2.x
    Protection:
      - Canary protects return addresses
    Implementation: recompile all applications with the patched GCC compiler
  • Stack-Smashing Protector (formerly ProPolice)
    GCC version: 2.x, 3.x, 4.x
    Protection:
      - Canary protects return addresses and the stack frame pointer
      - Modifies the order of local variables
      - Copies of function arguments
    Implementation: recompile all applications with the patched GCC compiler (SSP is included in GCC 4.1)