Bastille Linux Past, Present and Future
Jay Beale
Lead Developer, Bastille Linux
President, JJB Security Consulting
Bastille Linux
A security hardening script for Linux and Unix
Red Hat 7.3
Mandrake 8.2
Turbo 7.0
SuSE 7.2
Debian current
HP-UX 11.x
Bastille Linux
More operating systems:
Solaris
OpenBSD (SSH worm anyone?)
FreeBSD?
Sample Screen
What Does Bastille Do? 1/3
Firewall
Set-UID and Permissions Audit
What Does Bastille Do? 2/3
Deactivate unnecessary stuff
Tighten configurations of remaining stuff
What Does Bastille Do? 3/3
Educate Users and Admins
(They have guns pointed at their boots)
Why Do I Need It?
Shipped defaults are not optimized for security
Users need ease-of-use, and programmers want convenience.
Neither groks security.
But Why Do I Need Security? 1/4
You're targeted by clueful hackers (even if you're not interesting)
because you're one hop on the way to the real target.
But Why Do I Need Security? 2/4
You're targeted by script kiddies...
because you have an IP address!
(That got picked up as vulnerable by their vulnerability scanners.)
But Why Do I Need Security? 3/4
You're targeted by worms...
Slightly smarter than script kiddies, but fully automated.
Easy to defeat, with hardening!
But Why Do I Need Security? 4/4
Script kiddies choose your box at random to:
● Run their IRC bots
● Run their IRC server
● Serve as an exchange point for files, filez...
● Attack other machines with DoS/DDoS programs
● Brag about how many random machines they 0wn.
● <your use here>
How Does It Work? 1/2
Minimize Points of Entry
Network Daemons
User-accessible programs
How Does It Work? 2/2
Prevent Privilege Escalation
Set-UID programs let me turn my user nobody access into root!
But Does It Work?
Bastille was written before most of the security vulnerabilities in Red Hat 6.0 were discovered.
It could stop or contain almost all of them.
Vulnerabilities Stopped - Red Hat 6.0
BIND - remote root
wu-ftpd - remote root
userhelper - local root
lpd + sendmail - remote root
dump/restore - local root
gpm - console local root
Vulnerabilities Not Stopped - RH 6.0
nmh - local root?
man - whatever user runs it
So Who's Using it?
You tell me!
MandrakeSoft had it in their distribution.
Red Hat has talked about integrating it.
SGI sold appliances with it loaded.
Guardent/foo uses it in some appliance.
Estimated around 75,000-150,000 people?
Capabilities
2.0 Release
● Intelligence - "requires" tags
● X or Curses configuration
● Reusable config file, with consistency checking
Where We're Going Soon
More content: this talk will demonstrate
Growing to run on more platforms: Solaris first.
Enterprise features
Firewall
Configure a default-deny firewall for a masquerading network, or a
single machine
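The default-deny firewall described above, as an added example (this is not Bastille's own code, nor the rules its firewall module writes): a POSIX shell function that emits an iptables-restore ruleset for a single machine, opening only the TCP ports given as arguments, with a masquerading variant when the placeholder variables INT_NET and EXT_IF are set. The port numbers, the interface name eth0 and the network 192.0.2.0/24 in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not Bastille's own code: emit a default-deny ruleset in
# iptables-restore(8) format. Only the TCP ports passed as arguments are
# reachable from outside; everything else hits the DROP policy.
# Assumed: iptables with the "state" match (2.4 kernels onward). The interface
# name and internal network used for the masquerading variant are placeholders.

gen_ruleset() {   # usage: gen_ruleset 22 80   (ports to allow in)
    printf '%s\n' '*filter'
    # Default policy DROP on INPUT and FORWARD: anything not explicitly
    # accepted below is discarded. OUTPUT stays ACCEPT for a single host.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback must stay open; many local daemons talk to 127.0.0.1.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Packets claiming a loopback source on a real interface are spoofed.
    printf '%s\n' '-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP'
    # Replies to connections this host opened itself.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Masquerading variant: with INT_NET and EXT_IF set (placeholders), let the
    # internal network out through the external interface and replies back in.
    if [ -n "$INT_NET" ] && [ -n "$EXT_IF" ]; then
        printf '%s\n' "-A FORWARD -s $INT_NET -o $EXT_IF -j ACCEPT"
        printf '%s\n' "-A FORWARD -d $INT_NET -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi
    # Log what the policy is about to drop, rate-limited so the log cannot be flooded.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "'
    printf '%s\n' 'COMMIT'
    if [ -n "$INT_NET" ] && [ -n "$EXT_IF" ]; then
        printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
            "-A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE" 'COMMIT'
    fi
}

# How many inbound ports a generated ruleset opens; used to confirm the allow list.
count_open_ports() { gen_ruleset "$@" | grep -c -- '--dport'; }

# Single host, SSH only:        gen_ruleset 22 | iptables-restore
# Masquerading gateway:         INT_NET=192.0.2.0/24 EXT_IF=eth0 gen_ruleset 22 | iptables-restore
# (review the generated text before loading it; a typo in the allow list locks you out)
```

The point of generating the ruleset as text is that it can be diffed and reviewed before loading, and that the DROP policy is stated once at the top rather than implied by the last rule; the rate-limited LOG rule is what makes the later "Logging" slides useful for the firewall, since unlimited logging of a scan is its own denial of service.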
Firewall
Firewall off daemons, but also harden/remove them.
Why both?
Defense in Depth
Protect each service or possible vulnerability through multiple means, so that if one fails, the
remaining methods keep your machine from being compromised.
File Permissions
File Permissions Audit
Want to do something more comprehensive!
Educate newbies about groups?
SUID Audit
SUID Audit: Blocking all paths to root!
Real Example: UserRooter (userhelper)
SUID Audit 1/2
mount/umount*
ping
traceroute
dump/restore*
cardctl
( * = has been vulnerable in past 3 years)
SUID Audit 2/2
at
dosemu
inn tools
lpr/lp*
r-tools*
usernetctl
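The set-UID audit from the two slides above, as an added example (not Bastille's own Perl code): a POSIX shell script that lists every set-UID/set-GID file under a tree, marks the ones on the slides' candidate list for review, and can strip the bit from those. The candidate list is taken from the slides, with "r-tools" expanded to rsh, rlogin and rcp (an assumption); the sample tree it audits is constructed in a temporary directory so the script runs without root.

```shell
#!/bin/sh
# Added example, not Bastille's own code: audit set-UID/set-GID files under a
# tree and flag the ones the slides list as candidates for losing the bit.
# On a real host run it against /; here a constructed temporary tree is used
# so it runs anywhere without root.

# Programs from the slides that ordinary users rarely need with privilege
# ("r-tools" expanded to rsh, rlogin, rcp; "inn tools" left out as the
# binary names vary between packages).
REVIEW_LIST="mount umount ping traceroute dump restore cardctl at dosemu lpr lp rsh rlogin rcp usernetctl"

# Every regular file under $1 with the set-UID (4000) or set-GID (2000) bit.
list_suid() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort; }

# Print "REVIEW <path>" for files on the list and "KEEP <path>" for the rest.
audit_suid() {
    list_suid "$1" | while read -r path; do
        name=$(basename "$path"); verdict=KEEP
        for r in $REVIEW_LIST; do
            [ "$name" = "$r" ] && verdict=REVIEW
        done
        printf '%s %s\n' "$verdict" "$path"
    done
}

count_suid()   { list_suid "$1" | grep -c .; }
count_review() { audit_suid "$1" | grep -c '^REVIEW'; }

# Drop the set-UID/set-GID bits from every REVIEW hit, which is what the
# Bastille audit offers to do once the administrator has agreed.
strip_review() {
    audit_suid "$1" | while read -r verdict path; do
        if [ "$verdict" = REVIEW ]; then chmod u-s,g-s "$path"; fi
    done
}

# Constructed sample tree: four set-UID files (three on the list, passwd not)
# and one plain binary that must not show up in the listing.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/sbin"
    for b in bin/mount bin/ping usr/sbin/traceroute bin/passwd; do
        : > "$d/$b"; chmod 4755 "$d/$b"
    done
    : > "$d/bin/ls"; chmod 0755 "$d/bin/ls"
    printf '%s\n' "$d"
}
```

Run `audit_suid /` on a real host and read the REVIEW lines before calling `strip_review`; passwd stays KEEP because users genuinely need it to be set-UID, which is the whole judgement the audit is about: every program left on the list is a path from an unprivileged account to root if it ever has a bug.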
Account Security
Protect the users' accounts
Enforce good policies to prevent privilege escalation
Account Security
Protect rhosts via PAM
Password Aging
Restrict Cron
Umask
Root TTY Logins
Boot Security
Password protect LILO
Password protect runlevel 1
Secure Inetd
Deactivate Telnet
Deactivate FTP
...
Applied Minimalism
Since crackers may discover an exploitable vulnerability in any service running with privilege,
minimize both the number of these services and their levels of privilege.
Miscellaneous PAM
Mandatory System Resource Limits
prevent core dumps
limit number of processes per user
filesize limit 100 MB
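The three PAM resource limits above, as an added example (not Bastille's own code): the /etc/security/limits.conf lines that express them, plus a check that reads an existing limits.conf and reports which of the three is missing or weaker. It assumes pam_limits with fsize measured in KB (so 100 MB is 102400), and the per-user process cap of 150 is an assumed value since the slide gives none.

```shell
#!/bin/sh
# Added example, not Bastille's own code: the limits.conf lines that express
# the three limits above, and a check of an existing file against them.
# Assumed: pam_limits(8) reading /etc/security/limits.conf, with fsize in KB
# (100 MB = 102400 KB). The process cap of 150 is an assumed value; the slide
# gives none.

write_limits() {   # $1 = destination (on a real host: /etc/security/limits.conf)
    cat > "$1" <<'EOF'
# domain  type  item   value
# no core dumps: they spill memory contents (passwords included) onto disk
*         hard  core   0
# per-user process cap (assumed value); blunts fork bombs and runaway scripts
*         hard  nproc  150
# 100 MB file size cap
*         hard  fsize  102400
EOF
}

# Value of the "* hard <item>" line in a limits.conf; empty when absent.
hard_limit() { awk -v item="$2" '$1=="*" && $2=="hard" && $3==item {v=$4} END{print v}' "$1"; }

# Print each weakness found and return their number (0 = all three limits in place).
check_limits() {   # $1 = limits.conf to audit
    problems=0
    [ "$(hard_limit "$1" core)" = 0 ] || { echo "core dumps not disabled"; problems=$((problems+1)); }
    [ -n "$(hard_limit "$1" nproc)" ] || { echo "no per-user process limit"; problems=$((problems+1)); }
    fsize=$(hard_limit "$1" fsize)
    case "$fsize" in
        *[!0-9]*|'') echo "file size limit missing or not numeric"; problems=$((problems+1)) ;;
        *) [ "$fsize" -le 102400 ] || { echo "file size limit above 100 MB"; problems=$((problems+1)); } ;;
    esac
    return $problems
}
```

The check deliberately treats `unlimited` the same as a missing entry, because that is the value a stock file usually carries. A global nproc cap also applies to daemons that spawn many children, so test it on a representative load before rolling it out.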
Logging
Lots of extra logging
Remote Logging Host
Process Accounting
Killing Daemons 1/2
apmd
nfs/portmapper*
samba
atd
pcmcia
dhcp server (*?)
Killing Daemons 2/2
gpm*
news server*
routing daemons
NIS
SNMPd*
Sendmail
Reduce attacker's access to Sendmail
Remove reconnaissance commands.
Run sendmail as a non-root process via inetd/xinetd
Postfix?
Sendmail's security vulnerability history is rich!
Why? Consider Postfix, by Wietse Venema, author of TCP Wrappers: a modular, safer design!
DNS - BIND
Secure BIND
Historical note: We secured BIND before the remote root exploits were released.
Philosophy: Harden it now, before the bugs are discovered!
Hardening BIND 1/2
Chroot
Run as user/group dns
CONTAINMENT
Hardening BIND 2/2
Restrict queries to set of hosts
Restrict zone transfers to set of hosts
Choose a random version string
Offer to configure views in BIND 9
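The BIND hardening from the two slides above, as an added example (not Bastille's own code and not its generated named.conf): a shell function that writes a named.conf fragment restricting queries and zone transfers to listed hosts and substituting a random version string, and a check that an existing named.conf carries those directives and does not leave transfers open to any. The ACL addresses are documentation ranges, and the chroot path and user name "dns" in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not Bastille's own code: a named.conf fragment with the
# restrictions listed above, plus a check that an existing named.conf has them.
# Assumed: BIND 8/9 syntax. The ACL addresses (documentation ranges), the
# chroot path and the user name "dns" are placeholders.

# A throwaway version string, so CHAOS "version.bind" queries learn nothing real.
random_version() { od -An -N4 -tx1 /dev/urandom | tr -d ' \n'; }

write_named_options() {   # $1 = destination file
    ver=$(random_version)
    cat > "$1" <<EOF
// Placeholder networks: replace with the real client range and secondaries.
acl "trusted"     { 127.0.0.1; 192.0.2.0/24; };
acl "secondaries" { 198.51.100.5; };
options {
    // Relative to the chroot the daemon is started in, e.g.
    //   named -u dns -t /var/named/chroot   (containment: unprivileged user, chroot jail)
    directory "/var/named";
    allow-query    { "trusted"; };       // only our hosts may query this server
    allow-transfer { "secondaries"; };   // only listed secondaries may pull whole zones
    version "$ver";                      // random string in place of the real version
};
EOF
}

# Return 0 when every directive above is present and transfers are not open to
# "any"; otherwise print what is wrong and return 1.
check_named_conf() {   # $1 = named.conf to audit
    rc=0
    for directive in allow-query allow-transfer version; do
        grep -Eq "^[[:space:]]*$directive[[:space:]]" "$1" || { echo "missing: $directive"; rc=1; }
    done
    if grep -Eq 'allow-transfer[[:space:]]*\{[[:space:]]*any' "$1"; then
        echo "zone transfers open to any host"; rc=1
    fi
    return $rc
}
```

The chroot and the unprivileged user are the containment half of the slide: they do not stop a bug in named from being exploited, but they turn "remote root" into "remote dns user inside an empty directory". The query and transfer ACLs shrink who can reach the bug at all; a BIND 9 view can then give the "trusted" ACL different data from the outside world.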
Hardening Apache 1/3
Deactivate Apache?
Bind Apache to localhost?
Hardening Apache 2/3
Symlinks
Server Side Includes
CGI Scripts
Indices
Hardening Apache 3/3
Removing Modules
Removing handlers
Restricting .htaccess overrides
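The Apache hardening of the three slides above, as an added example (not Bastille's own code and not its generated httpd.conf): a shell function that writes an httpd.conf fragment binding to localhost, turning off symlinks, server-side includes, CGI and indices, forbidding .htaccess overrides and leaving the CGI and include handlers and modules commented out, plus an audit function that counts the opposite settings in an existing httpd.conf. The DocumentRoot, module paths and the list of modules treated as removable are assumptions.

```shell
#!/bin/sh
# Added example, not Bastille's own code: an httpd.conf fragment that applies
# the three slides above, and an audit function that counts the opposite
# settings in an existing httpd.conf. Assumed: Apache 1.3/2.x directive
# syntax; DocumentRoot, module paths and the removable-module list are placeholders.

write_httpd_fragment() {   # $1 = destination file
    cat > "$1" <<'EOF'
# Bind to localhost only (drop this when the site must be reachable remotely).
Listen 127.0.0.1:80
<Directory "/var/www/html">
    # No Indexes, Includes, ExecCGI or FollowSymLinks in the document tree.
    Options None
    # .htaccess files cannot re-enable any of them.
    AllowOverride None
</Directory>
# Handlers and modules that are not needed stay commented out.
#AddHandler cgi-script .cgi
#AddHandler server-parsed .shtml
#LoadModule cgi_module modules/mod_cgi.so
#LoadModule include_module modules/mod_include.so
EOF
}

# Print one line per finding and return the number of findings (0 = clean).
audit_httpd_conf() {   # $1 = httpd.conf to audit
    n=0
    # An Options line that switches on a risky feature (a leading "-" turns it off, so is fine).
    if grep -Eiq '^[[:space:]]*Options[[:space:]].*[[:space:]]\+?(Indexes|Includes|ExecCGI|FollowSymLinks|All)([[:space:]]|$)' "$1"; then
        echo "finding: risky Options enabled"; n=$((n+1))
    fi
    # Any AllowOverride other than None lets a .htaccess undo the Directory block.
    if grep -Ei '^[[:space:]]*AllowOverride[[:space:]]' "$1" | grep -Eiqv 'AllowOverride[[:space:]]+None[[:space:]]*$'; then
        echo "finding: .htaccess overrides allowed"; n=$((n+1))
    fi
    # Modules the hardened configuration leaves out (assumed list).
    if grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+(cgi|include|userdir|autoindex|info|status)_module' "$1"; then
        echo "finding: module loaded that the hardened configuration removes"; n=$((n+1))
    fi
    if grep -Eiq '^[[:space:]]*AddHandler[[:space:]]+(cgi-script|server-parsed)' "$1"; then
        echo "finding: CGI or SSI handler active"; n=$((n+1))
    fi
    return $n
}
```

Each of the four findings is a layer of the same defence: an `Options` line grants the feature, `AllowOverride` decides whether a writable directory can grant it again, and the handler and module lines decide whether the code that implements it is even loaded. Removing the module is the only one of the four that survives a later configuration mistake.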
FTP
FTP is Really Bad(tm)!
Unauthenticated data transfer channel (file theft)
Bad authentication on command channel
Takeover issues (cleartext session)
Try to replace it:
HTTP for downloads?
SFTP for password-ed user uploads?
Hardening FTP 1/2
Deactivate anonymous mode
Deactivate normal user mode
Hardening FTP 2/2
Apply path filters to all filenames used
Deactivate compression/tar-ing (external progs)
Choose version string randomly
Chroot normal users via 'guest' accounts
Require RFC 822-compliant e-mail addresses
Disable all dynamic 'message file' parsing/delivery
Create less useful upload area
Log: transfers, commands and security violations
Speaker Bio
Jay Beale is the Lead Developer of Bastille Linux and an independent security consultant/trainer.
Mandrake. He's currently working on a book on Locking Down Linux for Addison Wesley.
Read more of his articles on: http://www.bastille-linux.org/jay