![Page 1: Locking Down Your FreeBSD Install Black Hat 6 Rich Murphey](https://reader036.vdocuments.us/reader036/viewer/2022062806/56649d9f5503460f94a8a1a4/html5/thumbnails/1.jpg)
Locking Down Your FreeBSD Install
Black Hat 6, Rich Murphey
Black Hat 6 slide 2
Establish a Security Policy
Security Management
(Diagram: a Plan / Act / React cycle. Plan: Policy. Act: Harden, Access Control. React: Monitor, Audit.)
Security Policy
A high-level overall plan embracing the general goals and acceptable procedures.
Formulating Policy
What are the goals?
What are the procedures?
What is the impact?
Formulating Policy
What are the goals? What, why, who.
What are the procedures? Roles and responsibilities.
What is the impact? Network, applications, users.
Policy Example
How does one define a firewall policy…
Policy Example
"Don't talk to strangers."
"In God we trust. All else we monitor."
Policy Example
"Don't talk to strangers." Authenticate Everything.
"In God we trust. All else we monitor." Log All Exceptions.
Policy Example
How do we lock down FreeBSD?
Default Deny
Authenticate Everything
Log All Exceptions
Default Deny
Block non-routable, spoofs and source routed IP.
Allow TCP only from specific subnets to specific ports.
Authenticate Everything
Narrow anonymous services: TFTP, FTP, HTTP.
Disable clear-text authentication: Telnet, FTP, HTTP.
Enforce strong authentication: SSH, SSL/HTTP.
Audit (Log) all authentication.
Log All Exceptions
Spoofing
Denied Access
plus, run Snort.
Elements of Security Policy
Act:
Harden
Control access
React:
Assess
Monitor
Hardening the Network
IP Stack
Firewall rules
Inetd/TCP Wrappers
Control access
IP Stack
Log connection attempts to nonexistent servers:
# sysctl -w net.inet.tcp.log_in_vain=1
# sysctl -w net.inet.udp.log_in_vain=1
IPFW Firewall
In /etc/rc.conf:
firewall_enable="YES"
firewall_type="SIMPLE"
firewall_logging="YES"
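The rc.conf lines above hand the ruleset to /etc/rc.firewall's "SIMPLE" template. To make the "Default Deny" slide concrete, here is an added example (my own script, not the deck's or FreeBSD's) that emits an ipfw(8) ruleset in the one-rule-per-line file format ipfw reads: it drops source-routed and non-routable packets, drops spoofs of our own block arriving from outside, admits TCP only from an admin subnet to listed ports, and logs everything it denies. The interface name fxp0, the networks 192.0.2.0/24 and 198.51.100.0/24 and the port list are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the slides: emit an ipfw(8) ruleset that implements
# the "Default Deny" policy (block non-routable, spoofed and source-routed IP;
# allow TCP only from specific subnets to specific ports; log everything else).
# Output is in the one-rule-per-line format ipfw reads from a file.
# Assumed values (constructed for illustration, override via environment):
OIF="${OIF:-fxp0}"                          # outside interface
MY_NET="${MY_NET:-192.0.2.0/24}"            # addresses bound to $OIF
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"   # subnet allowed to reach services
ALLOW_PORTS="${ALLOW_PORTS:-22 443}"        # TCP ports open to $ADMIN_NET

gen_rules() {
    # Loopback traffic stays local; nothing else may claim 127/8.
    echo "add 100 allow ip from any to any via lo0"
    echo "add 110 deny log ip from any to 127.0.0.0/8"
    # Source-routed IP: match the strict/loose source-route options.
    echo "add 200 deny log ip from any to any ipoptions ssrr,lsrr"
    # Non-routable sources arriving on the outside interface.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
        echo "add 300 deny log ip from $net to any in via $OIF"
    done
    # Spoofs: our own address block coming in from outside.
    echo "add 310 deny log ip from $MY_NET to any in via $OIF"
    # Only TCP, only from the admin subnet, only to listed ports (SYN only).
    for port in $ALLOW_PORTS; do
        echo "add 400 allow tcp from $ADMIN_NET to me $port in via $OIF setup"
    done
    # Packets belonging to connections already set up, plus our own outbound.
    echo "add 410 allow tcp from any to any established"
    echo "add 420 allow tcp from me to any out via $OIF setup"
    # "Log All Exceptions": whatever reaches here is denied and logged.
    echo "add 65000 deny log ip from any to any"
}

# Self-checks on the generated text (no ipfw needed to run them).
count_rules()      { gen_rules | wc -l | tr -d ' '; }
count_logged()     { gen_rules | grep -c ' deny log '; }
has_default_deny() { gen_rules | grep -q '^add 65000 deny log ip from any to any$'; }

# Stand-alone run prints the ruleset. On a FreeBSD host (as root) you would
# save it, e.g. gen_rules > /etc/ipfw.rules, and point firewall_type at it.
gen_rules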
inetd
inetd uses TCP Wrappers by default.
IPSec policy in inetd.conf:
#@in ipsec ah/transport//require
#@out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
inetd
/etc/hosts.deny:
ALL: ALL
/etc/hosts.allow:
ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
To verify the rules: % tcpdchk -v
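The two tables above only behave as intended because tcpd consults hosts.allow first, then hosts.deny, and because EXCEPT carves a hole out of an otherwise matching list. The following added example (my own sh model, not libwrap and not from the slides) re-implements just enough of that evaluation to show which decision each client gets; it does not handle netgroups (which need NIS), IP patterns, KNOWN/UNKNOWN or PARANOID, so tcpdchk(8) on the real host remains the authoritative check. The tables and hostnames are the ones from the slide plus constructed test names.

```sh
#!/bin/sh
# Added example, not from the slides or libwrap: a simplified model of how
# tcpd(8) evaluates /etc/hosts.allow and /etc/hosts.deny, so the effect of the
# two rules above can be checked without a live inetd. Netgroups (@name) are
# treated as non-matching because resolving them needs NIS; the real check on
# a FreeBSD host is tcpdchk(8). Tables and hostnames below are constructed.
HOSTS_ALLOW='ALL: LOCAL @some_netgroup
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu'
HOSTS_DENY='ALL: ALL'
NL='
'

# pattern_matches PATTERN NAME: ALL, LOCAL (no dot), .suffix, exact name.
pattern_matches() {
    case $1 in
        ALL)   return 0 ;;
        LOCAL) case $2 in *.*) return 1 ;; *) return 0 ;; esac ;;
        @*)    return 1 ;;                          # netgroup: assume no match
        .*)    case $2 in *"$1") return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$1" = "$2" ] ;;
    esac
}

# list_matches "p1 p2 EXCEPT p3" NAME: matches something before EXCEPT and
# nothing after it (that is tcpd's EXCEPT semantics).
list_matches() {
    lm_inc=${1%%EXCEPT*}; lm_exc=""
    case $1 in *EXCEPT*) lm_exc=${1#*EXCEPT} ;; esac
    lm_hit=1
    for p in $lm_inc; do pattern_matches "$p" "$2" && lm_hit=0; done
    [ $lm_hit -eq 0 ] || return 1
    for p in $lm_exc; do pattern_matches "$p" "$2" && return 1; done
    return 0
}

# table_matches TABLE DAEMON CLIENT: true if any "daemons : clients" line hits.
table_matches() {
    tm_rest=$1
    while [ -n "$tm_rest" ]; do
        case $tm_rest in
            *"$NL"*) tm_line=${tm_rest%%"$NL"*}; tm_rest=${tm_rest#*"$NL"} ;;
            *)       tm_line=$tm_rest; tm_rest="" ;;
        esac
        tm_d=${tm_line%%:*}; tm_c=${tm_line#*:}
        if list_matches "$tm_d" "$2" && list_matches "$tm_c" "$3"; then
            return 0
        fi
    done
    return 1
}

# tcpd_decision DAEMON CLIENT -> "allow" or "deny". hosts.allow is consulted
# first, then hosts.deny; with neither matching, tcpd grants access.
tcpd_decision() {
    if table_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif table_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

for h in lab.foobar.edu terminalserver.foobar.edu www.example.com localbox; do
    echo "in.ftpd from $h: $(tcpd_decision in.ftpd "$h")"
done
```

Running it shows why the deny table must be "ALL: ALL": without it, a host that fails every hosts.allow line (www.example.com, or the excepted terminal server) would fall through to tcpd's default and be admitted.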
IPSec
Key distribution
Authentication
Hardening FreeBSD
Hardening the Host
Hardening the Host
Known Vulnerabilities
Install Options
Configuration
Known Vulnerabilities
zlib – decompress crash
Squid - DNS response crash
mod_frontpage - fpexec overflow
Netscape - JavaScript in GIF
OpenSSH - root buffer overflow
Fixing Known Vulnerabilities
pkg_add the latest version
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable
Secure Level
Can be raised but not lowered, even by root.
/etc/rc.conf:
kern_securelevel_enable="YES"
kern_securelevel="3"
If kern.securelevel > 0, even root within a jail cannot set file flags.
Only rebooting lowers it. Dropping to single user mode doesn’t.
Secure Level 1
Cannot remove immutable and append-only flags.
Cannot mount file systems
Cannot write to /dev/mem or /dev/kmem. Breaks XFree86!!!
Cannot load kernel modules.
Secure Level 2
Only `mount' may open disks for writing.
Time changes are limited to one second.
Secure Level 3
ipfw and dummynet configuration are fixed.
Caveats
One must still harden the boot process (loader, autoconfig) because securelevel is set late in the boot process.
Harden User Land
Protect against free space exhaustion in rc.conf:
check_quotas="YES"
Protect against set-uid files in /home and /var (/etc/fstab):
/dev/ad… /home ufs rw,nosuid,userquota
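A nosuid option that was set once is easy to lose when a partition is re-laid out, so the check is worth scripting. The added example below (my own code, not from the slides) audits an fstab(5) for the nosuid option on the user-writable file systems the slide names and emits a corrected copy; the sample fstab is constructed, its device names are placeholders, and the list of mounts that must carry nosuid is an assumption to adapt to your own layout.

```sh
#!/bin/sh
# Added example, not from the slides: check an fstab(5) for the "nosuid" option
# on the user-writable file systems the slide protects, and emit a corrected
# copy. The sample fstab is constructed for illustration (device names are
# placeholders, not a real machine's); which mounts must be nosuid is an
# assumption you would adapt to your own layout.
REQUIRE_NOSUID="/home /var /tmp"

# audit_fstab FILE: prints one line per offending mount; returns 1 if any.
audit_fstab() {
    af_bad=0
    while read -r dev mnt type opts dump pass; do
        case $dev in ''|'#'*) continue ;; esac      # skip blanks and comments
        for want in $REQUIRE_NOSUID; do
            [ "$mnt" = "$want" ] || continue
            case ",$opts," in
                *,nosuid,*) ;;
                *) echo "$mnt ($dev): missing nosuid in '$opts'"; af_bad=1 ;;
            esac
        done
    done < "$1"
    return $af_bad
}

# add_nosuid FILE: writes FILE to stdout with nosuid appended where required.
# Changed lines are re-joined with single spaces, which fstab(5) accepts.
add_nosuid() {
    an_file=$1
    while IFS= read -r line; do
        case $line in ''|'#'*) echo "$line"; continue ;; esac
        set -- $line
        an_fixed=$line
        for want in $REQUIRE_NOSUID; do
            if [ "$2" = "$want" ]; then
                case ",$4," in
                    *,nosuid,*) ;;
                    *) an_fixed="$1 $2 $3 $4,nosuid${5:+ $5}${6:+ $6}" ;;
                esac
            fi
        done
        echo "$an_fixed"
    done < "$an_file"
}

# write_sample_fstab FILE: constructed sample, /var lacks nosuid on purpose.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# Device        Mountpoint  FStype  Options              Dump  Pass
/dev/ad0s1a     /           ufs     rw                   1     1
/dev/ad0s1d     /var        ufs     rw                   2     2
/dev/ad0s1e     /home       ufs     rw,nosuid,userquota  2     2
proc            /proc       procfs  rw                   0     0
EOF
}

# Stand-alone demo: audit the sample, then show the corrected version.
demo_tmp=$(mktemp)
write_sample_fstab "$demo_tmp"
audit_fstab "$demo_tmp" || add_nosuid "$demo_tmp"
rm -f "$demo_tmp"
```

On a live system, audit_fstab /etc/fstab from a cron job gives a cheap drift check; a remount is still needed for a corrected line to take effect.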
Hardening User Land
Block broadcast/multicast pings in /etc/sysctl.conf:
net.inet.icmp.bmcastecho=0
Hide logs in /etc/newsyslog.conf:
/var/log/authlog root:wheel 600 3 100 * Z
Harden the executables
chflags schg /kernel
chflags -R schg /bin /sbin
Hardening Services
DNS – restrict zone transfers
HTTP – disable CGI
Samba – IP address ACLs
Email – spam, filtering
telnet, FTP, finger – don’t
SSH - Secure Shell
hosts.allow
RSA authentication
Listen on a non-standard port
Auditing
Authentication for:
HTTP
FTP
Samba
Telnet, Rlogin wrappers
Log Monitoring
Use regexp to match 'interesting' log entries and email a periodic report to an administrator.
'Systems Under Siege', Chris Boyd, SANS
Log Monitoring
Syslog-ng w/regex
Swatch - perl
LogSurfer
LogSentry - tail logfile | grep | mail
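The "regexp plus periodic report" idea from the previous slide needs no more than grep and awk. The added example below (my own script, not the deck's and not any of the tools listed) pulls the interesting lines out of an authlog of the kind syslog writes for the auth facility, counts failed logins and log_in_vain probes per source address, and shows the mail step a cron job would run. The log lines, hostnames, users and addresses are constructed in the format of the period; mail(1) is assumed to exist on the host.

```sh
#!/bin/sh
# Added example, not from the slides or any of the tools listed: the
# "regexp + periodic report" idea in plain sh/awk, run over a constructed
# /var/log/authlog-style sample (sshd and su records as syslog writes them for
# the auth facility, plus log_in_vain kernel messages). Hostnames, addresses
# and users below are made up.
PATTERN='Failed password|BAD SU|Connection attempt to (TCP|UDP)'

# interesting FILE: the raw lines an administrator wants to see.
interesting() { grep -E "$PATTERN" "$1"; }

# summarize FILE: counts per source address, one "kind source count" per line.
summarize() {
    interesting "$1" | awk '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fail[$(i+1)]++
        }
        /Connection attempt to/ {
            for (i = 1; i <= NF; i++) if ($i == "from") {
                split($(i+1), a, ":"); probe[a[1]]++
            }
        }
        /BAD SU/ { badsu++ }
        END {
            for (h in fail)  printf "failed-password %s %d\n", h, fail[h]
            for (h in probe) printf "probe %s %d\n", h, probe[h]
            printf "bad-su %d\n", badsu + 0
        }'
}

# send_report FILE ADMIN: what the cron job would run; mail(1) assumed present.
send_report() {
    { summarize "$1"; echo; interesting "$1"; } | mail -s "authlog report" "$2"
}

# write_sample_authlog FILE: constructed sample in the format of the time.
write_sample_authlog() {
    cat > "$1" <<'EOF'
Jul 31 02:14:07 gw sshd[812]: Failed password for root from 203.0.113.9 port 4411 ssh2
Jul 31 02:14:09 gw sshd[812]: Failed password for root from 203.0.113.9 port 4412 ssh2
Jul 31 02:15:01 gw sshd[820]: Accepted publickey for rich from 198.51.100.7 port 51000 ssh2
Jul 31 02:16:30 gw /kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.9:3344
Jul 31 02:16:31 gw /kernel: Connection attempt to UDP 192.0.2.10:69 from 203.0.113.44:1025
Jul 31 02:20:00 gw su: BAD SU bob to root on /dev/ttyp1
Jul 31 02:21:00 gw sshd[830]: Failed password for invalid user admin from 203.0.113.44 port 2222 ssh2
EOF
}

# Stand-alone demo: print the summary for the sample log.
demo_log=$(mktemp)
write_sample_authlog "$demo_log"
summarize "$demo_log"
rm -f "$demo_log"
```

The summary puts the repeat offender (203.0.113.9 appears in both the failed-password and the probe counts) at the top of the report, which is the correlation a plain tail | grep | mail pipeline does not give you.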
Host-Based Intrusion Detection
Tripwire/AIDE
Systrace
Tripwire/AIDE
File adds, deletes, modifications
File permissions
Inode number, number of links
User id of owner,group id of owner
File type, file size
Device number that stores the inode.
Device number that the inode points to.
Number of blocks allocated
Modification timestamp
Inode creation/modification timestamp
Access timestamp
SysTrace
A BlackHat Zero Day Tool!
Like tcpwrappers but for syscalls.
Filters:
specific routines: open(), fork(), exec(), etc.
specific arguments: filename, file mode, etc.
FreeBSD version on the conference CDROM!
More details at Defcon talks:
"FreeBSD Exploits and Remedies"
"Intrusion Prevention with SysTrace for FreeBSD"
SysTrace
Policy: /usr/libexec/ftpd, Emulation: native
native-open: filename eq "$HOME" and oflags sub "ro" then permit
native-open: filename eq "/etc" then deny[eperm], if group != wheel
native-fchdir: permit
native-stat: permit
Network-Based Intrusion Detection
Snort
ACID
Honeypots
Use inetd.conf to provide honeypot services.
Use hosts.allow to log each connection to them.
Countermeasures
Trace route
Firewall rules
/etc/hosts.deny:
in.tftpd: ALL: (finger -l @%h | /usr/ucb/mail -s %d-%h root) &
Monitoring
In /etc/syslog.conf (selectors separated by a semicolon, selector and action by a tab):
auth.*;authpriv.*	/var/log/authlog
Keeping Abreast of Vulnerabilities
CERT announcements:
echo "subscribe freebsd-security-notifications" | mail [email protected]
Archive of announcements: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories
Future
ACLs - finer grained access controls.
Robert Watson’s ACLs for VFS, still need UFS support.