Locking Down Your FreeBSD Install Black Hat 6 Rich Murphey.

Presentation transcript:

Slide 1: Locking Down Your FreeBSD Install
Black Hat 6, Rich Murphey

Slide 2: Locking Down Your FreeBSD Install

Slide 3: Locking Down Your FreeBSD Install: Establish a Security Policy

Slide 4: Security Management Policy
Plan; Act: Harden, Access Control; React: Monitor, Audit.

Slide 5: Security Policy
A high-level overall plan embracing the general goals and acceptable procedures.

Slide 6: Formulating Policy
- What are the goals?
- What are the procedures?
- What is the impact?

Slide 7: Formulating Policy
- What are the goals? What, why, who.
- What are the procedures? Roles and responsibilities.
- What is the impact? Network, applications, users.

Slide 8: Policy Example
How does one define a firewall policy…

Slide 9: Policy Example
"Don't talk to strangers."
"In God we trust. All else we monitor."

Slide 10: Policy Example
"Don't talk to strangers." -> Authenticate Everything.
"In God we trust. All else we monitor." -> Log All Exceptions.

Slide 11: Policy Example
How do we lock down FreeBSD?
- Default Deny
- Authenticate Everything
- Log All Exceptions

Slide 12: Default Deny
- Block non-routable, spoofed and source-routed IP.
- Allow TCP only from specific subnets to specific ports.

Slide 13: Authenticate Everything
- Narrow anonymous services: TFTP, FTP, HTTP.
- Disable clear-text authentication: Telnet, FTP, HTTP.
- Enforce strong authentication: SSH, SSL/HTTP.
- Audit (log) all authentication.

Slide 14: Log All Exceptions
- Spoofing
- Denied access
Plus, run Snort.

Slide 15: Elements of Security Policy
Act: Harden, Control access.
React: Assess, Monitor.

Slide 16: Hardening the Network
- IP stack
- Firewall rules
- Inetd/TCP Wrappers
- Control access

Slide 17: IP Stack
Log connection attempts to nonexistent servers:
  # sysctl -w net.inet.tcp.log_in_vain=1
  # sysctl -w net.inet.udp.log_in_vain=1

Slide 18: IPFW Firewall
In /etc/rc.conf:
  firewall_enable="YES"
  firewall_type="SIMPLE"
  firewall_logging="YES"

Slide 19: inetd
inetd uses TCP Wrappers by default.
IPsec policy in inetd.conf:
  #@in ipsec ah/transport//require
  #@out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use

Slide 20: inetd
/etc/hosts.deny:
  ALL: ALL
/etc/hosts.allow:
  ALL: LOCAL @some_netgroup
  ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
To verify the rules:
  % tcpdchk -v

Slide 21: IPSec
- Key distribution
- Authentication

Slide 22: Hardening FreeBSD: Hardening the Host

Slide 23: Hardening the Host
- Known vulnerabilities
- Install options
- Configuration

Slide 24: Known Vulnerabilities
- zlib: decompress crash
- Squid: DNS response crash
- mod_frontpage: fpexec overflow
- Netscape: JavaScript in GIF
- OpenSSH: root buffer overflow

Slide 25: Fixing Known Vulnerabilities
pkg_add the latest version from:
  ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable

Slide 26: Secure Level
Can be raised but not lowered, even by root.
/etc/rc.conf:
  kern_securelevel_enable="YES"
  kern_securelevel="3"
If kern.securelevel > 0, even root within a jail cannot set file flags.
Only rebooting lowers it; dropping to single-user mode doesn't.

Slide 27: Secure Level 1
- Cannot remove immutable and append-only flags.
- Cannot mount file systems.
- Cannot write to /dev/mem or /dev/kmem. Breaks XFree86!!!
- Cannot load kernel modules.

Slide 28: Secure Level 2
- Only `mount' may open disks for writing.
- Time changes are limited to one second.
Level 3: ipfw and dummynet configuration are fixed.

Slide 29: Caveats
One must still harden the boot process (loader, autoconfig), because securelevel is set late in the boot process.

Slide 30: Harden User Land
Protect against free-space exhaustion, in rc.conf:
  check_quotas="YES"
Protect against set-uid files in /home and /var, in /etc/fstab:
  /dev/ad…   /home   ufs   rw,nosuid,userquota

Slide 31: Hardening User Land
Block broadcast/multicast pings, in /etc/sysctl.conf:
  net.inet.icmp.bmcastecho=0
Hide logs, in /etc/newsyslog.conf:
  /var/log/authlog   root:wheel   600   3   100   *   Z
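As an added example that is not part of the talk, a POSIX sh script that audits an rc.conf- or sysctl.conf-style file against the settings these slides set (the firewall knobs of slide 18, securelevel of slide 26, quotas of slide 30, and the log_in_vain and bmcastecho sysctls of slides 17 and 31) and reports what is missing or wrong; the sample rc.conf it reads is constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the talk: audit an rc.conf / sysctl.conf style
# file against the hardening settings the slides recommend.

# Settings taken from the slides, one "name=value" per line.
RC_EXPECTED='firewall_enable=YES
firewall_type=SIMPLE
firewall_logging=YES
kern_securelevel_enable=YES
kern_securelevel=3
check_quotas=YES'

SYSCTL_EXPECTED='net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
net.inet.icmp.bmcastecho=0'

# rc_value NAME: read a name="value" style file on stdin and print the
# effective value of NAME (last assignment wins; quotes and comments dropped).
rc_value() {
    name_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots in sysctl names
    sed -n "s/^[[:space:]]*${name_re}=[\"']*\([^\"'#[:space:]]*\).*/\1/p" | tail -n 1
}

# check_settings EXPECTED: compare the file on stdin with EXPECTED and print
# one "name: want X, have Y" line for every setting that is missing or wrong.
check_settings() {
    conf=$(cat)
    printf '%s\n' "$1" | while IFS='=' read -r name want; do
        have=$(printf '%s\n' "$conf" | rc_value "$name")
        [ "$have" = "$want" ] ||
            printf '%s: want %s, have %s\n' "$name" "$want" "${have:-<unset>}"
    done
}

# count_findings EXPECTED: number of missing or wrong settings in the stdin file.
count_findings() { check_settings "$1" | awk 'END { print NR }'; }

# Constructed sample rc.conf for the demonstration (not taken from any host):
# logging is off and the securelevel lines are absent, so three findings.
SAMPLE_RC='firewall_enable="YES"
firewall_type="SIMPLE"
firewall_logging="NO"   # should be YES
check_quotas="YES"
sshd_enable="YES"'

printf '%s\n' "$SAMPLE_RC" | check_settings "$RC_EXPECTED"
# On a real host: check_settings "$RC_EXPECTED" < /etc/rc.conf
#                 check_settings "$SYSCTL_EXPECTED" < /etc/sysctl.conf
```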

Slide 32: Harden the Executables
  chflags schg /kernel
  chflags -R schg /bin /sbin

Slide 33: Hardening Services
- DNS: restrict zone transfers
- HTTP: disable CGI
- Samba: IP address ACLs
- Email: spam filtering
- telnet, FTP, finger: don't

Slide 34: SSH (Secure Shell)
- hosts.allow
- RSA authentication
- Listen on a non-standard port

Slide 35: Auditing
Authentication for:
- HTTP
- FTP
- Samba
- Telnet, rlogin wrappers

Slide 36: Log Monitoring
Use regexps to match 'interesting' log entries and email a periodic report to an administrator.
See 'Systems Under Siege', Chris Boyd, SANS.

Slide 37: Log Monitoring
- Syslog-ng with regex
- Swatch (Perl)
- LogSurfer
- LogSentry: tail logfile | grep | mail
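The "regexp, then mail a report" approach of slides 36 and 37, as an added example that is not from the talk: a POSIX sh script in the tail | grep | mail spirit of LogSentry that picks the 'interesting' entries (failed SSH logins, the "Connection attempt to TCP/UDP" lines that the log_in_vain sysctls of slide 17 produce, and TCP Wrappers refusals) out of a syslog stream and summarises them by source address. The log lines are constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the talk: a minimal "grep | summarise | mail"
# log monitor in the spirit of LogSentry. Reads syslog lines on stdin.

# Patterns for 'interesting' entries: failed SSH passwords, kernel
# log_in_vain connection attempts, and TCP Wrappers refusals.
INTERESTING='Failed password|Connection attempt to (TCP|UDP)|refused connect from'

# interesting_entries: filter stdin down to the lines worth reporting.
interesting_entries() { grep -E "$INTERESTING"; }

# source_counts: for the entries on stdin, print "count address" for each
# source address (the word after "from", with any :port stripped), busiest first.
source_counts() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "from") { src = $(i + 1); sub(/:[0-9]+$/, "", src); n[src]++ }
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# daily_report: the text to mail to an administrator.
daily_report() {
    entries=$(interesting_entries)
    total=$(printf '%s\n' "$entries" | awk 'NF { n++ } END { print n + 0 }')
    printf 'Interesting log entries: %s\n\nBy source address:\n' "$total"
    printf '%s\n' "$entries" | source_counts
    printf '\nEntries:\n%s\n' "$entries"
}

# Constructed sample syslog lines for the demonstration (not from a real host).
SAMPLE_LOG='Mar  3 02:14:07 bastion sshd[1234]: Failed password for root from 192.0.2.7 port 4101 ssh2
Mar  3 02:14:09 bastion sshd[1234]: Failed password for root from 192.0.2.7 port 4102 ssh2
Mar  3 02:15:30 bastion /kernel: Connection attempt to TCP 198.51.100.10:23 from 192.0.2.7:4120
Mar  3 02:15:31 bastion /kernel: Connection attempt to UDP 198.51.100.10:69 from 203.0.113.5:33100
Mar  3 02:16:02 bastion ftpd[1240]: refused connect from 203.0.113.5
Mar  3 02:20:11 bastion sshd[1250]: Accepted publickey for rich from 198.51.100.20 port 5000 ssh2
Mar  3 03:00:00 bastion newsyslog[1260]: logfile turned over'

printf '%s\n' "$SAMPLE_LOG" | daily_report
# From cron on a real host: daily_report < /var/log/authlog | mail -s "log report" root
```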

Slide 38: Host-Based Intrusion Detection
- Tripwire/AIDE
- Systrace

Slide 39: Tripwire/AIDE
- File adds, deletes, modifications
- File permissions
- Inode number, number of links
- User id of owner, group id of owner
- File type, file size
- Device number that stores the inode
- Device number that the inode points to
- Number of blocks allocated
- Modification timestamp
- Inode creation/modification timestamp
- Access timestamp

Slide 40: SysTrace
A Black Hat zero-day tool! Like TCP Wrappers, but for syscalls.
Filters:
- specific routines: open(), fork(), exec(), etc.
- specific arguments: filename, file mode, etc.
FreeBSD version on the conference CD-ROM!
More details at the Defcon talks "FreeBSD Exploits and Remedies" and "Intrusion Prevention with SysTrace for FreeBSD".

Slide 41: SysTrace
  Policy: /usr/libexec/ftpd, Emulation: native
  native-open: filename eq "$HOME" and oflags sub "ro" then permit
  native-open: filename eq "/etc" then deny[eperm], if group != wheel
  native-fchdir: permit
  native-stat: permit

Slide 42: Network-Based Intrusion Detection
- Snort
- ACID

Slide 43: Honeypots
- Use inetd.conf to provide honeypot services.
- Use hosts.allow to log each connection to them.

Slide 44: Countermeasures
- Traceroute
- Firewall rules
- /etc/hosts.deny:
  in.tftpd: ALL: (finger -l @%h | /usr/ucb/mail -s %d-%h root) &

Slide 45: Monitoring
In /etc/syslog.conf:
  auth.*;authpriv.*	/var/log/authlog

Slide 46: Keeping Abreast of Vulnerabilities
CERT announcements:
  echo "subscribe freebsd-security-notifications" | mail majordomo@FreeBSD.org
Archive of announcements:
  ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories

Slide 47: Future
ACLs: finer-grained access controls. Robert Watson's ACLs for VFS; UFS support is still needed.
