
APPENDIX A

The Bastion Host Firewall Script

This appendix contains a script to set up firewall rules for a bastion host. I discussed this script and the firewall rules in Chapter 2. Modify the rules and the variables I have specified to suit your firewalling requirements. You can then add these to a script file, make the file executable using the chmod command, and run the script to apply your firewall rules. You will need to modify the script to suit your host. I have included a variables section at the start of the script, and I recommend you configure these to suit your host. This also makes it easier to maintain your rules and settings, as you need to make any required changes in only one place, rather than repeatedly in your script.

You can also find this script in the Downloads section of the Apress Web site (http://www.apress.com).

#!/bin/bash
# Bastion Host IPTables Script

# VARIABLES - Change these to match your environment.
# Location of the binaries
IPT="/sbin/iptables"
SYSCTL="/sbin/sysctl"

# Loopback Interface
LOOPBACK="lo"

# Define External Network
EXT_INTER="eth0"
EXT_ADDR="220.240.52.228"

# Define External Servers
# (iptables resolves these hostnames once, when each rule is loaded, so name
# resolution must already work at that point; IP addresses avoid the dependency.)
EXT_NTP1="clock3.redhat.com"
EXT_NTP2="ntp.public.otago.ac.nz"

# Define Internal Network
INT_INTER="eth1"
INT_ADDR="192.168.0.100"
INT_NET="192.168.0.0/24"

# Define Internal Servers
INT_SMTP="192.168.0.20"
INT_DNS1="192.168.0.10"
INT_DNS2="192.168.0.11"

# Set Kernel Parameters
$SYSCTL -w net/ipv4/conf/all/accept_redirects="0"
$SYSCTL -w net/ipv4/conf/all/accept_source_route="0"
$SYSCTL -w net/ipv4/conf/all/log_martians="1"
$SYSCTL -w net/ipv4/conf/all/rp_filter="1"
$SYSCTL -w net/ipv4/icmp_echo_ignore_all="0"
$SYSCTL -w net/ipv4/icmp_echo_ignore_broadcasts="1"
$SYSCTL -w net/ipv4/icmp_ignore_bogus_error_responses="0"
$SYSCTL -w net/ipv4/ip_forward="0"
$SYSCTL -w net/ipv4/tcp_syncookies="1"

# Flush all Rules
$IPT -F

# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Delete all User-created Chains
$IPT -X

# Allow access to the Loopback host
$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT

# Create ICMP Incoming Chain
$IPT -N ICMP_IN

# Pass ICMP Incoming Traffic to the ICMP Incoming Chain
$IPT -A INPUT -p icmp -j ICMP_IN

# Rules for ICMP Incoming Traffic
$IPT -A ICMP_IN -i $EXT_INTER -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A ICMP_IN -i $EXT_INTER -p icmp --icmp-type 3 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A ICMP_IN -i $EXT_INTER -p icmp --icmp-type 11 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A ICMP_IN -i $EXT_INTER -p icmp -j LOG --log-prefix "IPT: ICMP_IN "
$IPT -A ICMP_IN -i $EXT_INTER -p icmp -j DROP

# Create ICMP Outgoing Chain
$IPT -N ICMP_OUT

# Pass ICMP Outgoing Traffic to the ICMP Outgoing Chain
$IPT -A OUTPUT -p icmp -j ICMP_OUT

# Rules for ICMP Outgoing Traffic
$IPT -A ICMP_OUT -o $EXT_INTER -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A ICMP_OUT -o $EXT_INTER -p icmp -j LOG --log-prefix "IPT: ICMP_OUT "
$IPT -A ICMP_OUT -o $EXT_INTER -p icmp -j DROP

# Create Bad Sources Chain
$IPT -N BAD_SOURCES

# Pass traffic with bad source addresses to the Bad Sources Chain
# (Also hooked into OUTPUT here: the -o rules below can only match on the
# outgoing path, so they never fired when the chain was reached from INPUT alone.)
$IPT -A INPUT -j BAD_SOURCES
$IPT -A OUTPUT -j BAD_SOURCES

# Rules for traffic with bad source addresses
# Drop incoming traffic allegedly from our own host
$IPT -A BAD_SOURCES -i $INT_INTER -s $INT_ADDR -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s $EXT_ADDR -j DROP

# Drop outgoing traffic not from our own host
$IPT -A BAD_SOURCES -o $INT_INTER ! -s $INT_ADDR -j DROP
$IPT -A BAD_SOURCES -o $EXT_INTER ! -s $EXT_ADDR -j DROP

# Drop traffic from other bad sources
# (168.254.0.0/16 is as printed; the link-local block is 169.254.0.0/16, so
# check this value before you deploy the script.)
$IPT -A BAD_SOURCES -s 168.254.0.0/16 -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s 10.0.0.0/8 -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s 172.16.0.0/12 -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s 192.168.0.0/16 -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s 192.0.2.0/24 -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s 224.0.0.0/4 -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s 240.0.0.0/5 -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s 248.0.0.0/5 -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s 127.0.0.0/8 -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s 255.255.255.255/32 -j DROP
$IPT -A BAD_SOURCES -i $EXT_INTER -s 0.0.0.0/8 -j DROP

# Create Bad Flags Chain
$IPT -N BAD_FLAGS

# Pass traffic with bad flags to the Bad Flags Chain
$IPT -A INPUT -p tcp -j BAD_FLAGS

# Rules for traffic with bad flags
$IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "IPT: Bad SF Flag "
$IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPT: Bad SR Flag "
$IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,PSH SYN,FIN,PSH -j LOG --log-prefix "IPT: Bad SFP Flag "
$IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,PSH SYN,FIN,PSH -j DROP
$IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j LOG --log-prefix "IPT: Bad SFR Flag "
$IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,RST SYN,FIN,RST -j DROP
$IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j LOG --log-prefix "IPT: Bad SFRP Flag "
$IPT -A BAD_FLAGS -p tcp --tcp-flags SYN,FIN,RST,PSH SYN,FIN,RST,PSH -j DROP
# A bare FIN (no ACK) is never legitimate. The mask must include ACK: the printed
# "--tcp-flags FIN FIN" also matched the FIN,ACK segment of every normal close.
$IPT -A BAD_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "IPT: Bad F Flag "
$IPT -A BAD_FLAGS -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A BAD_FLAGS -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "IPT: Null Flag "
$IPT -A BAD_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A BAD_FLAGS -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "IPT: All Flags "
$IPT -A BAD_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A BAD_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "IPT: Nmap:Xmas Flags "
$IPT -A BAD_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A BAD_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "IPT: Merry Xmas Flags "
$IPT -A BAD_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Prevent SYN Flooding
# (The printed single rule "--syn -m limit --limit 5/second -j ACCEPT" accepted
# any new connection within the limit, to any port, ahead of the service rules
# below. Rate-limiting in its own chain keeps the limit without that bypass.)
$IPT -N SYN_FLOOD
$IPT -A INPUT -i $EXT_INTER -p tcp --syn -j SYN_FLOOD
$IPT -A SYN_FLOOD -m limit --limit 5/second --limit-burst 10 -j RETURN
$IPT -A SYN_FLOOD -j LOG --log-prefix "IPT: SYN_FLOOD "
$IPT -A SYN_FLOOD -j DROP

# Log and Drop Traffic in the INVALID state
$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "IPT: INV_STATE "
$IPT -A INPUT -m state --state INVALID -j DROP

# Log and Drop Fragmented Traffic
$IPT -A INPUT -f -j LOG --log-prefix "IPT: Frag "
$IPT -A INPUT -f -j DROP

# Bastion Host Service Rules
# Internet SMTP Rules
$IPT -A INPUT -i $EXT_INTER -p tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $EXT_INTER -p tcp --sport smtp -m state --state NEW,ESTABLISHED -j ACCEPT

# Internal Network SMTP Rules
$IPT -A INPUT -i $INT_INTER -p tcp -s $INT_SMTP --sport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INT_INTER -p tcp -d $INT_SMTP --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT

# Internet DNS Rules
$IPT -A INPUT -i $EXT_INTER -p udp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $EXT_INTER -p tcp --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $EXT_INTER -p udp --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $EXT_INTER -p tcp --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT

# Internal Network Incoming DNS Rules
$IPT -A INPUT -i $INT_INTER -p udp -s $INT_DNS1 --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INT_INTER -p udp -s $INT_DNS2 --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INT_INTER -p tcp -s $INT_DNS1 --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INT_INTER -p tcp -s $INT_DNS2 --dport domain -m state --state NEW,ESTABLISHED -j ACCEPT

# Internal Network Outgoing DNS Rules
$IPT -A OUTPUT -o $INT_INTER -p udp -d $INT_DNS1 --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INT_INTER -p udp -d $INT_DNS2 --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INT_INTER -p tcp -d $INT_DNS1 --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INT_INTER -p tcp -d $INT_DNS2 --sport domain -m state --state NEW,ESTABLISHED -j ACCEPT

# Internet NTP Rules
$IPT -A INPUT -i $EXT_INTER -p udp -s $EXT_NTP1 --dport ntp -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $EXT_INTER -p udp -s $EXT_NTP2 --dport ntp -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $EXT_INTER -p udp -d $EXT_NTP1 --sport ntp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $EXT_INTER -p udp -d $EXT_NTP2 --sport ntp -m state --state NEW,ESTABLISHED -j ACCEPT

# Internal Network NTP Rules
$IPT -A INPUT -i $INT_INTER -p udp -s $INT_NET --dport ntp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INT_INTER -p udp -d $INT_NET --sport ntp -m state --state ESTABLISHED -j ACCEPT

# Internal Network SSH Rules
$IPT -A INPUT -i $INT_INTER -p tcp -s $INT_NET --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INT_INTER -p tcp -d $INT_NET --sport ssh -m state --state ESTABLISHED -j ACCEPT
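Every LOG rule in the script tags its kernel log entry with the text given to --log-prefix, so the firewall's activity can be triaged from syslog without any extra tooling. The helper below is an added example, not part of the book's script: it counts log hits per prefix and per source address, so a burst of "Bad ... Flag" or INV_STATE entries from one address stands out. The sample lines are constructed to match the script's prefixes (addresses are from documentation ranges, not real traffic); on a live host you would feed it /var/log/messages or the kernel log instead.

```shell
#!/bin/bash
# Added example: summarize the "IPT: ..." entries the bastion script's LOG rules emit.
# Constructed sample lines in the shape of iptables LOG output (not real captures).
SAMPLE_LOG='Jan 12 03:14:01 bastion kernel: IPT: Bad SF Flag IN=eth0 OUT= SRC=203.0.113.9 DST=220.240.52.228 PROTO=TCP SPT=4444 DPT=25 SYN FIN URGP=0
Jan 12 03:14:01 bastion kernel: IPT: Bad SF Flag IN=eth0 OUT= SRC=203.0.113.9 DST=220.240.52.228 PROTO=TCP SPT=4444 DPT=110 SYN FIN URGP=0
Jan 12 03:14:02 bastion kernel: IPT: Nmap:Xmas Flags IN=eth0 OUT= SRC=203.0.113.9 DST=220.240.52.228 PROTO=TCP SPT=4445 DPT=22 FIN PSH URG URGP=0
Jan 12 03:14:05 bastion kernel: IPT: ICMP_IN IN=eth0 OUT= SRC=198.51.100.7 DST=220.240.52.228 PROTO=ICMP TYPE=8 CODE=0
Jan 12 03:15:00 bastion kernel: IPT: INV_STATE IN=eth0 OUT= SRC=203.0.113.9 DST=220.240.52.228 PROTO=TCP SPT=4446 DPT=25 ACK URGP=0
Jan 12 03:15:30 bastion sshd[1234]: Accepted publickey for admin from 192.168.0.5 port 51234 ssh2'

# Read log lines on stdin; print "count<TAB>prefix<TAB>source", busiest pair first.
# Only lines carrying the script's "IPT: " prefix are considered; the prefix is the
# text between "IPT: " and the first packet field ("IN=").
ipt_summarize() {
    awk '
    /kernel: IPT: / {
        p = $0
        sub(/.*kernel: IPT: /, "", p)   # drop timestamp, host and "kernel:"
        sub(/ IN=.*/, "", p)            # the prefix ends where packet fields begin
        src = "-"
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        count[p "\t" src]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }' | sort -rn -k1,1
}

# Total number of firewall log entries attributed to one source address (stdin).
ipt_count_src() {
    grep -c -- "kernel: IPT: .* SRC=$1 "
}

printf '%s\n' "$SAMPLE_LOG" | ipt_summarize
printf 'entries from 203.0.113.9: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | ipt_count_src 203.0.113.9)"
```

Because the SYN_FLOOD, BAD_FLAGS and BAD_SOURCES chains log before they drop, a rising count for one prefix tells you which rule is doing the work; a single source dominating several prefixes is the usual signature of a port scan and a good candidate for the bad_source acl in Appendix B.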

517

A P P E N D I X B

■ ■ ■

BIND Configuration Files

This appendix contains a series of secure BIND configuration files demonstrating the different types of BIND configuration files discussed in Chapter 11.

A Caching Server

The named.conf file in Listing B-1 is for a caching-only server that is designed to be deployed in your internal network in order to provide recursive DNS resolution to internal clients. It is not authoritative for any domains. You will need to fill in the details of your trusted networks and any IP addresses or networks you would like to block with the blackhole option. I would also recommend adding the bad source networks listed in Chapter 2.

I have included extensive logging to the syslog daemon, and I have also added a log file, named_sec.log, as an additional repository to hold your security-, configuration-, and DNSSEC/TSIG-related logs.[1]

Listing B-1. named.conf, Caching Only

acl "trusted" {
    // specify your trusted network here
};

acl "bad_source" {
    // specify any sources you wish to blackhole here
};

logging {
    channel "default_syslog" {
        syslog daemon;
        severity info;
    };
    channel "security_log" {
        file "/var/logs/named_sec.log" versions 32 size 1m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category default { default_syslog; };
    category general { default_syslog; };
    category xfer-in { default_syslog; };
    category xfer-out { default_syslog; };
    category client { default_syslog; };
    category network { default_syslog; };
    category config { default_syslog; security_log; };
    category security { default_syslog; security_log; };
    category dnssec { default_syslog; security_log; };
};

options {
    directory "/";
    pid-file "/var/run/named.pid";
    version "[null]";
    allow-transfer { none; };
    blackhole { bad_source; };
    // Pinning the query source port, as printed here, disables source-port
    // randomization; current BIND guidance is "query-source address *;" with no port.
    query-source address * port 53;
};

view "internal" {
    match-clients { trusted; };
    recursion yes;

    zone "." {
        type hint;
        file "/master/db.cache";
    };

    zone "localhost" {
        type master;
        file "/master/db.localhost";
        notify no;
        allow-transfer { none; };
    };

    zone "0.0.127.in-addr.arpa" {
        type master;
        file "/master/db.127.0.0";
        notify no;
        allow-transfer { none; };
    };
};

view "chaosnet" chaos {
    match-clients { any; };
    recursion no;

    zone "bind" chaos {
        type master;
        file "/master/db.bind";
        allow-transfer { none; };
    };
};

[1] None of the named.conf configuration files contain support for rndc. See Chapter 11 for details of adding this support.

An Authoritative Master Name Server

The named.conf file in Listing B-2 is for an authoritative master name server that is designed to be deployed in your DMZ in order to provide answers to DNS queries from external clients. It is authoritative for two domains: yourdomain.com and anotherdomain.com. You will need to replace the zone statements with statements applicable to your domains.

You will need to specify details of any slave servers in the transfer acl statement. I recommend also adding TSIG security for any zone transfers. You will also need to specify any IP addresses or networks you would like to block with the blackhole option. I recommend adding the bad source networks listed in Chapter 2.

I have included extensive logging to the syslog daemon, and I have also added a log file, named_sec.log, as an additional repository to hold your security-, configuration-, and DNSSEC/TSIG-related logs.

Listing B-2. named.conf, Authoritative Master

acl "transfer" {
    // specify your slave servers here
};

acl "bad_source" {
    // specify any sources you wish to blackhole here
};

logging {
    channel "default_syslog" {
        syslog daemon;
        severity info;
    };
    channel "security_log" {
        file "/var/logs/named_sec.log" versions 30 size 1m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category default { default_syslog; };
    category general { default_syslog; };
    category xfer-in { default_syslog; };
    category xfer-out { default_syslog; };
    category client { default_syslog; };
    category network { default_syslog; };
    category config { default_syslog; security_log; };
    category security { default_syslog; security_log; };
    category dnssec { default_syslog; security_log; };
};

options {
    directory "/";
    pid-file "/var/run/named.pid";
    version "[null]";
    allow-transfer { transfer; };
    blackhole { bad_source; };
    query-source address * port 53;
};

view "external" IN {
    match-clients { any; };
    recursion no;

    zone "yourdomain.com" {
        type master;
        file "/master/db.yourdomain.com";
    };

    zone "anotherdomain.com" {
        type master;
        file "/master/db.anotherdomain.com";
    };
};

view "chaosnet" chaos {
    match-clients { any; };
    recursion no;

    zone "bind" chaos {
        type master;
        file "/master/db.bind";
        allow-transfer { none; };
    };
};

A Split DNS Name Server

The named.conf file in Listing B-3 is for a split DNS name server that is designed to be deployed in your DMZ in order to provide answers to DNS queries from both internal and external clients for the domains for which it is authoritative. It also allows recursion for your internal clients. It is authoritative for two domains: yourdomain.com and anotherdomain.com. You will need to replace the zone statements with statements applicable to your domains.


You will need to specify details of any slave servers in the transfer acl statement. I recommend also adding TSIG security for any zone transfers. You will also need to specify any IP addresses or networks you would like to block with the blackhole option. I recommend adding the bad source networks listed in Chapter 2.

I have included extensive logging to the syslog daemon, and I have also added a log file, named_sec.log, as an additional repository to hold your security-, configuration-, and DNSSEC/TSIG-related logs.

Listing B-3. named.conf, Split DNS

acl "trusted" {
    // specify your trusted network here
};

acl "transfer" {
    // specify your slave servers here
};

acl "bad_source" {
    // specify any sources you wish to blackhole here
};

logging {
    channel "default_syslog" {
        syslog daemon;
        severity info;
    };
    channel "security_log" {
        file "/var/logs/named_sec.log" versions 30 size 1m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category default { default_syslog; };
    category general { default_syslog; };
    category xfer-in { default_syslog; };
    category xfer-out { default_syslog; };
    category client { default_syslog; };
    category network { default_syslog; };
    category config { default_syslog; security_log; };
    category security { default_syslog; security_log; };
    category dnssec { default_syslog; security_log; };
};

options {
    directory "/";
    pid-file "/var/run/named.pid";
    version "[null]";
    recursion no;
    allow-recursion { none; };
    allow-transfer { transfer; };
    blackhole { bad_source; };
    query-source address * port 53;
};

view "internal" IN {
    match-clients { trusted; };
    recursion yes;

    zone "." {
        type hint;
        file "/master/db.cache";
    };

    zone "localhost" {
        type master;
        file "/master/db.localhost";
        notify no;
        allow-transfer { none; };
    };

    zone "0.0.127.in-addr.arpa" {
        type master;
        file "/master/db.127.0.0";
        notify no;
        allow-transfer { none; };
    };

    zone "yourdomain.com" {
        type master;
        file "/master/db.yourdomain.com.internal";
    };

    zone "anotherdomain.com" {
        type master;
        file "/master/db.anotherdomain.com.internal";
    };
};

view "external" IN {
    match-clients { any; };
    recursion no;

    zone "yourdomain.com" {
        type master;
        file "/master/db.yourdomain.com.external";
    };

    zone "anotherdomain.com" {
        type master;
        file "/master/db.anotherdomain.com.external";
    };
};

view "chaosnet" chaos {
    match-clients { any; };
    recursion no;

    zone "bind" chaos {
        type master;
        file "/master/db.bind";
        allow-transfer { none; };
    };
};

A Sample Named init Script

Listing B-4 shows a sample named init script.

Listing B-4. Named init Script

#!/bin/sh
# This shell script takes care of starting and stopping named
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server daemon

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
[ -f /usr/local/sbin/named ] || exit 0
[ -f /chroot/named/etc/named.conf ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemons: run as the unprivileged named user, chrooted to /chroot/named.
        echo -n "Starting named: "
        daemon /usr/local/sbin/named -u named -t /chroot/named
        echo
        touch /var/lock/subsys/named
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        rm -f /var/lock/subsys/named
        echo
        ;;
  status)
        status named
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        exit $?
        ;;
  reload)
        /usr/local/sbin/rndc reload
        exit $?
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload}"
        exit 1
        ;;
esac
exit 0
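The init script checks only that named.conf exists before starting named inside the chroot. The next most common reason a chrooted named fails to load is a zone file that exists on the host but not under the chroot. The script below is an added check, not from the book: it pulls every zone and hint file out of a named.conf, resolves each against the options directory and the chroot root, and reports the ones that are missing. It assumes one statement per line (as in the listings above) and paths without spaces; the named.conf it runs against is constructed inline in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the book): verify that every zone file a named.conf
# references exists under the chroot named will be started in.

# Print the quoted value of the first "directory" option, defaulting to "/".
named_directory() {
    d=$(grep -oE '(^|[^-_[:alnum:]])directory[[:space:]]*"[^"]*"' "$1" \
        | head -n 1 | sed 's/.*"\(.*\)"/\1/')
    printf '%s\n' "${d:-/}"
}

# List every zone/hint "file" path. The "file" inside a logging channel is
# named's own output (it carries "versions"/"size") and is skipped; the leading
# character class keeps "pid-file" from matching.
named_zone_files() {
    grep -v 'versions' "$1" \
        | grep -oE '(^|[^-_[:alnum:]])file[[:space:]]*"[^"]*"' \
        | sed 's/.*"\(.*\)"/\1/'
}

# Usage: named_check_files CONF CHROOT_ROOT
# Prints each missing file; returns 0 if all are present, 1 otherwise.
named_check_files() {
    conf="$1"; root="${2%/}"
    dir=$(named_directory "$conf")
    missing=0
    for f in $(named_zone_files "$conf"); do
        case "$f" in
            /*) path="$root$f" ;;               # absolute within the chroot
            *)  path="$root${dir%/}/$f" ;;      # relative to the options directory
        esac
        if [ ! -f "$path" ]; then
            printf 'MISSING: %s (expected at %s)\n' "$f" "$path"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed chroot and named.conf for demonstration; one zone file is left out.
demo_chroot=$(mktemp -d)
trap 'rm -rf "$demo_chroot"' EXIT
mkdir -p "$demo_chroot/master" "$demo_chroot/etc"
cat > "$demo_chroot/etc/named.conf" <<'EOF'
options { directory "/"; pid-file "/var/run/named.pid"; };
logging { channel "security_log" { file "/var/logs/named_sec.log" versions 30 size 1m; }; };
zone "." { type hint; file "/master/db.cache"; };
zone "localhost" { type master; file "/master/db.localhost"; notify no; };
zone "example.test" { type master; file "master/db.example.test"; };
EOF
touch "$demo_chroot/master/db.cache" "$demo_chroot/master/db.localhost"

if named_check_files "$demo_chroot/etc/named.conf" "$demo_chroot"; then
    echo "all zone files present"
else
    echo "named would fail to load the zones listed above"
fi
```

Run it as named_check_files /chroot/named/etc/named.conf /chroot/named before the start branch of the init script; a non-zero exit means the daemon would start with at least one zone refused, which is easy to miss because named itself keeps running.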

APPENDIX C

Checkpoints

This appendix summarizes the checkpoints from each chapter.

Chapter 1

Install only what you need. Use your distribution's minimal installation option. Remove extraneous or unnecessary packages. Confirm that each package on your system is actually required by your system.

Do not install your system when connected to the Internet or an Internet-connected network. Install any required patches and updates offline.

Secure your system's physical security, BIOS, and boot loader. Protect your boot process with passwords. I recommend using the Grub boot loader rather than the LILO boot loader, as Grub has a more robust security model.

Start only the services you need for your system, and secure the functions controlled in the inittab file.

Secure your console and virtual terminals. Also ensure your login screen provides the minimum possible information to a user or potential attacker. Defense through obscurity can be a powerful tool. The less information you reveal about your system and its purpose, the better.

Add only those users and groups that you require. Delete any others. Refer to the list of the users and groups I have provided in Chapter 1 to find some of those users who can be removed.

Use MD5 passwords and shadow passwording. Ensure users select secure passwords and configure your passwording environment accordingly. Ensure passwords are scheduled to regularly expire.

Turn on user (and if required process) accounting for your system. Monitor the reports generated by these accounting processes regularly for anomalies.

Use sudo rather than root to administer your system. Ensure you carefully test your sudo configuration before implementing it to ensure it is secure.


Use PAM to secure the authentication processes of your system. PAM offers an easy-to-use, highly configurable framework to control access to your system using a large number of different criteria.

Confirm the integrity of any files you download or install on your system using methods such as MD5 and SHA1 checksums or digital signatures. This includes using the rpm command with the --checksig option to verify any RPM files.

Review the available kernel hardening options, and install one of the packages or patches to further harden your kernel. I recommend the Openwall patch, but if you want to take kernel security further, then an access control model-based package such as SELinux, whilst requiring more implementation effort, offers a considerable amount of additional security.

Keep up with security updates, and keep informed about newly discovered vulnerabilities using resources such as Security Focus's Vulnerability Database and the CERT advisory mailings.

Chapter 2

Base your firewall on a minimalist design that denies by default and allows by exception. You should build your firewall like building a wall around your host and remove only those bricks you absolutely need to see through.

Use a default policy of DROP for your built-in chains. This is in line with the denial by default model I have recommended by allowing only incoming and outgoing traffic you've explicitly authorized.

Model your traffic and design your firewall on paper before you start creating your rules. This should include incoming and outgoing connections, the source and destination of your traffic, including addresses and ports. You can also include the required connection states for your traffic.

Use connection states to further restrict your allowed incoming and outgoing traffic. If you only require existing connections to enter and leave your host, then you can use states to control this. Only allow new connections in and out of your hosts if they are absolutely required.

Ensure you have a suitable amount of logging in place so that you know what is going on with your firewall. Ensure you have sufficient disk space to hold the required volume of logs.

Set rules to block spoofed addresses, bad flags, bad fragments, and states and to limit the possibility of Denial of Service attacks. These types of attacks change and evolve over time. You should keep updated with new variations and attacks on mailing lists such as the Netfilter list and on the security lists and sites (see Chapter 1).

If you take care to test them, the Patch-O-Matic tool comes with several useful patches and modules that can extend iptables functionality. Additionally, review and carefully configure your kernel parameters to best suit the requirements of your environment.

Use a tool such as tcpdump to examine the traffic on your host to ensure your firewall is fully functional and allowing or denying the right traffic. Remember you can filter your traffic to display only the traffic on which you want to focus.

Chapter 3

OpenSSL is a widely used and useful open-source implementation of the SSL protocol that can be used to secure a variety of applications. I recommend developing a solid knowledge of its capabilities and functionality.

If you have unencrypted connections, then you can use Stunnel with OpenSSL to encapsulate and secure them.

Use a VPN tool utilizing IPSec such as Openswan to secure your network connections, or to securely join two systems or two subnets together across the Internet.

Do not use clear-text administration tools such as rsh and telnet. Replace them with SSH-based tools.

Though you can tunnel X through SSH, I recommend you exercise caution in doing this or indeed in running X on a production server system at all.

Chapter 4

Ensure you understand how basic Unix permissions work and grant only the minimum permissions you need to users and applications to maintain functionality.

World permissions are dangerous and potentially allow attackers to misuse files and applications. Review all the objects on your system with world-readable, world-writable, and world-executable permissions and ensure you understand why they have those permissions. If they do not need those permissions, then revoke them!

Sticky bits allow you to better control access to directories where multiple users share access permissions by allowing users to manage only the files and objects they have created. Investigate the potential of using sticky bits where you have directories in which multiple users share access permissions.

Amongst the most dangerous permission settings on your system are setuid and setgid permissions. When set on binaries, these allow any users to adopt the permissions of the object's owner or group when running that binary. These binaries have the potential to be serious vulnerabilities on your system, and you should check that all setuid and setgid binaries actually require these permissions to function. If they do not, then remove them!


All files and objects on your system should be owned by a user and belong to a group. Any files that do not could potentially be malicious in nature, and you should investigate them and either assign them to a user or group or remove them.

You should regularly scan your system for unowned files and objects with world permissions set and/or with setuid or setgid permissions. You can use tools such as sXid or Adeos to do this. Files with these permissions introduced into your system without your approval are often signs of a potential attack or penetration of your system.
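As an added example of the scan just described (not from the book, and not a substitute for sXid or Adeos), the shell functions below list setuid and setgid files, world-writable files and directories that lack the sticky bit, and unowned objects, then diff a fresh scan against a saved baseline so that only objects which appeared since the baseline are reported. The directory tree is constructed in a temporary directory; on a real host you would scan / and keep the baseline somewhere the scanned system cannot modify. Unowned objects cannot be created without root, so the constructed tree does not contain one, but the scan still looks for them.

```shell
#!/bin/sh
# Added example (not from the book): scan for the permission problems the Chapter 4
# checkpoints describe and report what changed against a baseline.

# Print "CATEGORY<TAB>path" for every risky object under $1, staying on one filesystem.
scan_risky_perms() {
    root="$1"
    find "$root" -xdev -type f -perm -4000 -exec printf 'SETUID\t%s\n' {} \;
    find "$root" -xdev -type f -perm -2000 -exec printf 'SETGID\t%s\n' {} \;
    # world-writable files and directories; sticky directories such as /tmp are expected
    find "$root" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 \
        -exec printf 'WORLD_WRITABLE\t%s\n' {} \;
    find "$root" -xdev \( -nouser -o -nogroup \) -exec printf 'UNOWNED\t%s\n' {} \;
}

# Usage: scan_new_since BASELINE_FILE ROOT
# BASELINE_FILE holds a previous, sorted scan; prints the objects that are new.
scan_new_since() {
    baseline="$1"; root="$2"
    scan_risky_perms "$root" | sort > "$baseline.now"
    comm -13 "$baseline" "$baseline.now"
    rm -f "$baseline.now"
}

# Constructed tree: each file exists only to carry one permission setting.
demo_tree=$(mktemp -d)
demo_base=$(mktemp)
trap 'rm -rf "$demo_tree" "$demo_base" "$demo_base.now"' EXIT
mkdir -p "$demo_tree/bin" "$demo_tree/shared" "$demo_tree/tmp"
touch "$demo_tree/bin/su_like" "$demo_tree/bin/sg_like" "$demo_tree/bin/ls_like" \
      "$demo_tree/shared/notes.txt"
chmod 4755 "$demo_tree/bin/su_like"       # setuid binary
chmod 2755 "$demo_tree/bin/sg_like"       # setgid binary
chmod 0755 "$demo_tree/bin/ls_like"       # ordinary binary, must not be reported
chmod 0666 "$demo_tree/shared/notes.txt"  # world-writable file
chmod 0777 "$demo_tree/shared"            # world-writable directory, no sticky bit
chmod 1777 "$demo_tree/tmp"               # sticky shared directory, not reported

scan_risky_perms "$demo_tree" | sort > "$demo_base"
echo "baseline:"
cat "$demo_base"

chmod 4755 "$demo_tree/bin/ls_like"       # a setuid bit appearing after the baseline
echo "new since baseline:"
scan_new_since "$demo_base" "$demo_tree"
```

The baseline is the point of the exercise: a first scan of a freshly installed host will list the setuid binaries the distribution ships, and that list is what later scans are compared against, so a new entry is the signal rather than the raw count.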

Immutable files cannot be changed, deleted, hard-linked to, or renamed even by the root user. They allow you to protect some files, for example configuration files and some important binaries, from most forms of compromise. You should examine your system for files or binaries that you can make immutable. On some bastion-type systems, you may be able to make most of your configuration files and binaries immutable. Remember, you will need to remove their immutable status to update or upgrade your configuration and binaries.

File encryption provides a useful method of securing your individual files against eavesdropping by an attacker. Use file encryption to secure files that need to be kept private. Always ensure you choose a suitable passphrase to secure your encrypted files to prevent your encrypted files from being compromised.

You can mount your file systems (including removable file systems) with a variety of options, including mounting them read-only, preventing setuid and setgid permissions from functioning, stopping devices from being interpreted, and disallowing binary execution. These options, especially when used with removable devices such as CD drives and floppy drives, as well as pluggable devices such as USB drives, reduce the risk of a threat being introduced to your system from these devices. You should examine what file systems you have and how they are mounted.

Just as you can encrypt files, you can also create entire encrypted file systems. This allows you to create secure, encrypted file systems for large numbers of files that need to be protected, or to create protected file systems for devices such as laptops to secure sensitive information while in transit.

Monitoring your files and objects for changes is a good way of detecting unauthorized access to your systems. You can use a file integrity scanner such as Tripwire to monitor the characteristics of your files and objects such as size, permissions, ownership, and hash values. Tripwire will alert you via e-mail or through a report of any files or objects on your system that have changed from an established baseline.

Chapter 5

If your logging environment is large or complicated, or you want to better control your logs and their destinations and filtering, then I recommend you use Syslog-NG.

Constantly refine your logging environment to ensure you have picked up on all the possible sources of information.

Constantly refine your filtering so you are not overwhelmed with irrelevant log data.


Secure the transmission of your logs, as an attacker can gain considerable advantages by reading your logs.

Use correlation and analysis tools to highlight the messages important to you, and use alerting tools to get that information to you.

Design and manage your archiving and rotation of logs to ensure you keep the information you need for the time frame and discard information that is not relevant.

Chapter 6

Remember to keep up-to-date with regular security reviews.

Schedule regular checks of your system for rootkits.

Ensure your users have secure passwords, and regularly check the integrity and security of your users' passwords.

For a consistent approach to some base-level security, run a hardening script such as Bastille Linux across your systems.

Use NMAP to scan your systems to confirm that you know and understand all the services and ports that are active on your systems.

Use a tool such as Nessus or SARA to audit your applications and systems for known vulnerabilities.

If you are attempting to investigate a potential penetration, keep detailed records both for your own purposes and in case auditors or law enforcement require evidence of the penetration.

If you recover a system, you should follow the basic rules I have articulated.

Chapter 7

Keep your mail server software up-to-date by regularly checking its site (http://www.sendmail.org for Sendmail and http://www.postfix.org for Postfix). You should also consider subscribing to any announcement mailing lists available for your mail server.

Keep informed about threats to your mail infrastructure via mailing lists such as BugTraq and via Web sites such as CERT (http://www.cert.org). I also detail a variety of other sites and mailing lists in Chapter 1.

Ensure you have secured your mail server from penetration and DoS attacks by configuring your mail server securely, as described in this chapter. You should also ensure your firewall rules are strong and secure as described in Chapter 2.

Keep on top of new trends in spammer tactics and antispam techniques. You can do this at sites such as http://spam.abuse.net/ and http://www.arachnoid.com/lutusp/antispam.html.


Regularly tweak your antispam rules and checks to ensure they are doing the job. Askyour users to forward spam that slips through your filters to a central Spam mailbox, anduse this spam to tweak your antispam rules. Regularly check the efficiency of any RBLsyou have defined against other available RBLs.

Ensure your antivirus software is up-to-date and that your virus definitions are updatedregularly.

Chapter 8

Where possible, you should try to always use TLS encryption for your mail transmission.

Handle your TLS keys and passphrases with the same level of security you would treat other system passwords.

If you need relaying, use SMTP AUTH with Cyrus SASL to authenticate your users and ensure only legitimate users are allowed to relay mail through your MTA.

Always try to use SMTP AUTH in conjunction with TLS encryption.

Keep your OpenSSL and Cyrus SASL packages up-to-date to ensure you address any potential vulnerabilities and exploits.
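The Chapter 8 checkpoints collected into one Postfix main.cf fragment, added here as an example; it is not the book's configuration and not Postfix's shipped defaults. The certificate and key paths and the 192.168.0.0/24 network are assumptions chosen for illustration; the parameter names are Postfix's own.

```conf
# /etc/postfix/main.cf fragment (added example; paths and networks are
# illustrative assumptions, not values from the book)

# Offer STARTTLS to clients and use it when delivering to other MTAs.
# The private key must be readable only by root (chmod 600).
smtpd_use_tls = yes
smtp_use_tls = yes
smtpd_tls_key_file = /etc/postfix/certs/mail.key
smtpd_tls_cert_file = /etc/postfix/certs/mail.crt
smtpd_tls_CAfile = /etc/postfix/certs/ca.crt
smtpd_tls_loglevel = 1

# SMTP AUTH through Cyrus SASL, offered only once the session is TLS-
# protected, so user credentials never cross the wire in the clear.
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes

# Relay only for our own networks and for authenticated users; everyone
# else may deliver only to domains this server is responsible for.
mynetworks = 127.0.0.0/8, 192.168.0.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

The order of smtpd_recipient_restrictions matters: reject_unauth_destination must follow the two permit rules, otherwise authenticated users would be refused relaying like everyone else.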

Chapter 9

Choose appropriate remote e-mail access for your site, taking into consideration the purposes, benefits, and disadvantages of the available protocols. I recommend, for security, stability, and available access controls, that you use a server based on IMAP.

Choose a stable and secure server as your platform for remote e-mail access and ensure you periodically update it and apply any relevant security patches.

If you are using a product such as UW-IMAP or Qpopper, which have proven to have a number of security flaws, consider using another application such as Cyrus IMAP.

Consider chrooting your remote e-mail installation to further secure your installation from penetration. I show you how to do this using Cyrus IMAP.

Always ensure you use SSL/TLS-enabled remote access via IMAP or POP, and ensure your clients use SSL/TLS to encrypt any connections. This will protect your e-mail traffic from eavesdropping during its transmission.

Always use a secure authentication method such as those available through Cyrus SASL to authenticate your users against the remote e-mail access server. Also consider using a “sealed” system where the only local shell logins are for system administration use, and all other users have access to their e-mail stores only.

If you are going to use Fetchmail, then ensure you use TLS so that all connections are encrypted. If you cannot use TLS, try to tunnel your connections through OpenSSH. This will help prevent attackers from eavesdropping on your Fetchmail sessions.


Chapter 10

Unless you have a real need to run an FTP server, I recommend you do not run one. The inherent insecurities in FTP server daemons and the difficulty in securing FTP traffic make FTP an extremely risky proposition as a production service.

If you do choose to run an FTP server, then I recommend the vsftpd FTP server available from http://vsftpd.beasts.org/. It is secure, has good performance, and contains a number of security features including support for SSL/TLS FTP transfers.

Ensure you adequately firewall your FTP server. You should utilize the ip_conntrack_ftp module provided with iptables to enable FTP connection state tracking. This provides you with the ability to limit the types of connections made to your host. Additionally, you should look at limiting the range of ephemeral ports used by your FTP server for its data connections.

If you are going to allow local user access to your FTP server, consider limiting the networks able to log into that server. I recommend you allow access only from trusted networks.

I recommend placing your local users in chroot jails. The vsftpd server allows you to chroot your local users into their home directories.

If you are going to allow the uploading of files to your FTP server, ensure you set your umask and default upload permissions carefully to prevent the uploading of files that could be used to compromise your host. For example, restrict the uploading of executable files.

Ensure you set up resource controls on your FTP server to limit the number of incoming connections and the number of connections from an individual IP address. This limits the risk that your FTP server could be subject to a DoS attack. You could also limit the data transfer volumes on your FTP server.

Examine the feasibility of using SSL/TLS for your FTP control and data connections. You will need to utilize FTP clients that support SSL/TLS.
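A vsftpd.conf that applies the Chapter 10 checkpoints above in one place, added here as an example rather than taken from the book or from the vsftpd project. The certificate path, the passive port range, and the connection and rate limits are assumptions chosen for illustration; the option names are vsftpd's own.

```conf
# /etc/vsftpd.conf (added example; limits, ports and paths are
# illustrative assumptions, not values from the book)
listen=YES

# Local users only, no anonymous access. Local logins are further limited
# to trusted networks through TCP wrappers (/etc/hosts.allow).
anonymous_enable=NO
local_enable=YES
tcp_wrappers=YES

# Chroot every local user into their home directory.
chroot_local_user=YES

# Uploads: new files get mode 0644 masked by umask 077, so they are never
# executable and are private to the uploading user.
write_enable=YES
local_umask=077
file_open_mode=0644

# Resource controls against DoS: total sessions, sessions per client
# address, and per-session transfer rate in bytes per second.
max_clients=50
max_per_ip=5
local_max_rate=102400

# Confine passive-mode data connections to a fixed port range so the
# firewall can permit just these ports alongside ip_conntrack_ftp.
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
connect_from_port_20=YES

# Hide ownership in listings and keep recursive listings (an easy way to
# burn server CPU) disabled.
hide_ids=YES
ls_recurse_enable=NO
ftpd_banner=FTP service ready.

# SSL/TLS for both the control and the data connection; clients that
# cannot negotiate TLS are refused.
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
```

With pasv_min_port and pasv_max_port set, the matching iptables rule need only accept NEW connections to that range on the external interface, and ip_conntrack_ftp takes care of marking the data connection RELATED to the control session.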

Chapter 11

One of the key reasons so many BIND servers are the targets of attacks is that a large number of vulnerabilities have been discovered in older versions of BIND. If you are running an older version of BIND, especially a version prior to BIND 8, you should upgrade immediately. You should keep your BIND version up-to-date and regularly monitor the CERT and BIND mailing lists and the ISC Web site for notifications of any vulnerabilities or issues.

When designing your DNS infrastructure, you should provide separate servers for your server and caching functions. This reduces the risk that an attack on one function will affect the other function. The same principle applies to your internal- and external-facing BIND servers. You should place your external BIND servers in a DMZ, protected by a firewall, or a similar network design. These servers should not also provide server or caching functions for your internal network. You should provide other servers, located on your internal network, for the provision of server and caching functions for your internal clients.


Always ensure you have suitable slave servers for all your master servers. For every domain for which you are authoritative, you should ensure you have at least one slave server that will be able to resolve that domain in the event the master server is unavailable.

You should place your BIND installation in a chroot jail and run it as a nonprivileged user. This will help limit the risk that, if an attacker compromises BIND, they will be able to do further damage on your host.

Use access control lists, created with acl statements, to centralize the management of who has access to the functions of your BIND server. This allows you to specify your access controls at one source rather than having to update numerous options in your named.conf file.

Ensure you are logging enough information and that you regularly review your logs to check for anomalies. I recommend logging from your BIND daemon be directed to the syslog daemon.

Hide your BIND version using the version option in your options statement. Remember, if you want to log requests for your BIND version, then you need to configure a bind chaos class domain in your named.conf file.

Only allow trusted sources to perform functions, for example, recursion. Do not open your BIND server to recursive queries or caching functions from external sources. Only allow your internal, trusted networks to perform these functions. The only access external sources should have to your BIND servers is for the external resolution of domains for which your BIND servers are authoritative.

If you use the rndc command to control your BIND server, you should preferably allow access only to the local system. The rndc command authenticates to the BIND server using a key. You should protect your rndc.conf file to ensure an attacker cannot read or write to this file and potentially compromise the key.

Consider using TSIG to secure communications between your DNS servers. Using a key-based hash with your DNS transactions provides a greater level of confidence that you are communicating with the correct and authentic server. Remember you need to protect your TSIG keys by securing the permissions of your configuration files. If attackers compromise your keys, then they can impersonate the server with which you are communicating.
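The Chapter 11 checkpoints on acl statements, version hiding, recursion, rndc access, syslog logging and TSIG, brought together in one named.conf fragment for an internal BIND 9 server that serves and caches for internal clients only. This is an added example, not the book's sample configuration from Appendix B; the 192.168.0.0/24 network, the slave address, the zone name, file paths and key names are assumptions, and both key secrets are placeholders to be replaced with output from dnssec-keygen and rndc-confgen.

```conf
// named.conf for an internal BIND 9 server (added example; addresses,
// names and paths are illustrative placeholders, not the book's values).

// One access control list, referenced below: change a network here, not
// in every option and zone.
acl "internal" { localhost; 192.168.0.0/24; };

// TSIG key shared with the internal slave. Generate the secret with
// dnssec-keygen; this file must be readable only by the named user.
key "transfer-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-dnssec-keygen";   // placeholder
};

// Sign every transaction with the slave and require its signature back.
server 192.168.0.101 { keys { "transfer-key"; }; };

// rndc: reachable from the local system only, authenticated with its own key.
key "rndc-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-rndc-confgen";    // placeholder
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Security events and everything else go to syslog for regular review.
logging {
    channel security_syslog { syslog daemon; severity info; };
    category security { security_syslog; };
    category default  { security_syslog; };
};

options {
    directory "/var/named";                  // relative to the chroot jail
    version "not currently available";       // hide the real BIND version
    allow-query     { internal; };           // refuse all external sources
    allow-recursion { internal; };           // recursion/caching for trusted nets only
    allow-transfer  { key "transfer-key"; }; // zone transfers only with TSIG
    notify yes;
    also-notify { 192.168.0.101; };
};

// The zone we are master for; the slave at 192.168.0.101 keeps answering
// for it if this server is unavailable.
zone "corp.example" {
    type master;
    file "master/corp.example.zone";
};
```

An external, authoritative-only server in the DMZ would keep the same key, controls and logging blocks but set recursion no; and allow-query { any; };, since its only job is answering for the zones it is authoritative for.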


Index

533

Special Characters
- flag, 189
-? option, 213
- syntax, 221
! prefix, 224
$> operator, 356
$>+ operator, 356
\d escape character, 19
\n escape character, 251
\t escape character, 19
=m suffix, 210
-> symbol, 219
-2 option, 172
-4 option, 172
-6 option, 172
-A flag, 83
-a (nessusd option), 306

A
A option, 393
-a option, 14, 240
-a switch, 327
ACCEPT policy, 82
accept statement, 154, 304–5
accept_redirects parameter, 126
Access Control List (ACL), 75, 188
access db, 352–53
access permissions, 188–96
    overview, 188–91
    setuid and setgid permissions, 194–96
    sticky bits, 193–94
    umask command, 191–92
    world-readable, world-writable, and world-executable files, 192–93
accounting
    process, 44–46
    user, 42–44
acct package, 44
accton command, 45
ACK flag, 112
ACL (Access Control List), 75, 188
acl statement, 477
action-log file, 295
--add option, 11
adeos command, 198
Adeos command-line options, 197
adm user, 28
agent forwarding, 172, 177–79
AH (Authentication Header), 166
ALL flag, 114
ALL variable, 39
allow_untrusted_routing option, 361
allowanonymous option, 419
AllowGroups option, 183
allow-notify control, 487
allowplaintext option, 419
allow-query control, 487
allow-recursion control, 487
allow-transfer control, 487
allow-transfer option, 479
AllowUsers option, 183
AMaVis, 370–72
anacron service, 9
Andrews System Group, 407
anonymous identifier, 428
ANONYMOUS mechanism, 387
anonymous_enable option, 452, 457
antispam, 351–64
    overview, 351
    settings for Postfix, 357–64
    settings for Sendmail, 351–57
antivirus scanning, of e-mail server, 364–72
    installing ClamAV, 364–68
    integrating ClamAV with Postfix, 370–72
    integrating ClamAV with Sendmail, 368–70
    overview, 364
ANY flag, 112
any keyword, 480
anyone identifier, 428
Apache Web server, 3, 152
apmd service, 9
APOP protocol, 435
apt.conf file, 63
apt-get command, 62–63, 448
ArchiveDetectEncrypted option, 366
ArchiveMaxCompressionRatio option, 366
ArchiveMaxFiles option, 366
ArchiveMaxFileSize option, 366
ArchiveMaxRecursion option, 366
ARP, 109
as limit, 52
ASCII, 203
atd service, 9
AUTH command, 393
auth facility, 236
auth module, 46
authconfig tool, 35

■INDEX534

authentication, 1, 410. See also mail, authenticating and securing
Authentication Header (AH), 166
authentication-agent forwarding, 179
authorization, 39, 410
auth-priv facility, 236
authwarnings flag, 339
auto option, 205
AUTO protocol, 435
Autodetect option, 72
autofs service, 9
automated security hardening, with Bastille Linux, 290–95
    Bastille logging, 295
    installing Bastille Linux, 291–92
    overview, 290–91
    running Bastille, 292–94
automating Fetchmail, 438–40
auxprop (Auxiliary Property), 392
awk command, 286

B
-b (clamav-milter option), 369
-b option, 174
-B option, 441
background option, 451
backup user, 28
BAD_FLAGS chain, 113
banner_file option, 454
barf function, 166
bash script, 426
Basic Input/Output System (BIOS), 5
basics of hardening. See hardening basics
Bastille Linux, 290–95
    installing, 291–92
    logging, 295
    overview, 290–91
    running, 292–94
bastion host, creating firewalls for, 97–117
    bastion host rules, 116–17
    firewall logging, 101–5
    handling ICMP traffic, 105–8
    iptables and TCP flags, 111–16
        blocking bad flag combinations, 113–15
        overview, 111–12
        SYN flooding, 115–16
    overview, 97–98
    securing bastion services, 98–101
    spoofing, hijacking, and denial of service attacks, 108–11
bastion host firewall script, 511–16
Batchmode option, 181
Beale, Jay, 291
bin user, 28
BIND
    chrooting, 472–73
    configuration files, 517–24
        authoritative master name server, 519–20
        caching server, 517–19
        overview, 517
        sample named init script, 523–24
        split DNS name server, 520–23
    configuring, 476–500
        access control lists, 479–80
        logging, 480–84
        options, 484–93
        overview, 476–79
        views and zones, 493–96
        zones, 497–500
    installing, 470–71
    permissions in chroot jail, 473–74
    resources, 510
    rndc command, 504–9
        adding rndc support to named.conf, 507–8
        overview, 504–5
        rndc.conf, 505–7
        using rndc, 508–9
    secure BIND design, 467–70
    starting and running named daemon, 474–76
/bin/false script, 21
BIOS (Basic Input/Output System), 5
blackhole control, 487
blackhole option, 517
blacklist_recipients feature, 352
blind spoofing, 109
Blowfish, 209
boot loader, 5–8
    overview, 5
    securing grub with password, 6–8
    securing LILO with password, 5–6
Boolean, 125
/boot directory, 71
boot image, 121
boot sequencing, 15
bottlenecking, 116
Bourne script, 319
Bourne shell command, 178
Brute-force cracking, 287
btmp file, 44
buffer overflow, 74
Build command, 378
builddefs.h file, 449
burst function, 115
bzImage option, 72

C
c flag, 189
-C option, 172
-c option, 390–91
C programming language, 73
CA (Certificate Authority), 139, 142–48, 374–76, 459
ca (Openssl command-line function), 142
cache poisoning, of DNS server, 465
CAfile option, 262–63
-CAfile option, 151
Calendar rule type, 276
-CApath option, 151
Carnegie Mellon University, 388–89
cat command, 38
catchall flag, 254
cert option, 262
Certificate Authority (CA), 139, 142–48, 374–76, 459
Certificate Revocation List (CRL), 149
certificates, signing, 142–48
certs directory, 260
CFS, 208
chage tool, 36
chains, of iptables rules, 82
CHAOSnet protocol, 485
chattr command, 198–99
--checkall option, 284
CheckHostIP option, 181
CheckPoint Firewall, 79
checksecurity, 196
--checksig option, 61
chkconfig, 10–11
Chkrootkit, 285–86
chmod command, 189–90, 193–94, 511
chmod man, 191
chroot command, 416, 472
chroot jail, permissions in, 473–74
chroot_list_enable option, 457
chroot_local_user option, 457
chrooting
    BIND, 472–73
    Postfix, 330–33
    Sendmail SMTP gateway or relay, 324–30
/chroot/sendmail/dev directory, populating, 327–28
/chroot/sendmail/etc directory, populating, 326–27
CIDR notation, 311
--cipher-algo option, 203
Cisco devices, 235
Cisco PIX firewall, 97
ClamAV
    installing, 364–68
    integrating with Postfix, 370–72
    integrating with Sendmail, 368–70
clamav-milter program, 365, 369
clamd daemon, 365
clamscan tool, 365
client authentication, 140
client category, 484
command-line options, 11, 26
comment module, 123–24
--comment module, 124
compat_check feature, 352
compilers and development tools, 64–66
    overview, 64
    removing, 64–65
    restricting, 65–66
Compression option, 181
-conf option, 267
config category, 484
.config file, 71
config script, 141
CONFIG_CRYPTO prefix, 210
configure statement, 410
conn section, 164
connect statement, 154
connect_from_port_20 option, 454
ConnectionRateThrottle directive, 342
connections and remote administration. See also public-key encryption
    overview, 137
    remote administration, 169–85
        configuring ssh and sshd, 180–83
        forwarding X with OpenSSH, 184–85
        overview, 169–71
        port forwarding with OpenSSH, 183–84
        scp and sftp, 175–76
        ssh, 171–75
        ssh-agent and agent forwarding, 177–79
        sshd daemon, 179–80
    resources, 185
console, 16
console.perms file, 17, 207
contrib directory, 179, 242
controls statement, 477
core limit, 52
correlation, 265
CPAN, 291
cpu limit, 52
CRAM-MD5 mechanism, 387
create option, 213
create_dirs( ) option, 246
createmailbox command, 427
crit priority, 238
CRL (Certificate Revocation List), 149
-crldays option, 149
crond service, 9, 46
--cronjob option, 284
Cryptoloop, 208
cryptosystem, 143
cryptsetup command, 211–12
cryptsetup package, 209
Crystal Reports, 256
cups service, 9
Custom (installation option), 2
cut command, 286
cyradm tool, 426
Cyrus IMAP, 407–29
    access control and authorization, 425–28


Cyrus IMAP (continued)
    authentication with SASL, 422–25
    configuring, 417–22
        integrating Cyrus IMAP with Sendmail and Postfix, 421–22
        overview, 417–20
    installing and compiling, 409–11
    installing into chroot jail, 411–17
        adding Cyrus IMAP binaries and libraries, 412–13
        overview, 411–12
        permissions and ownership, 415
        populating /chroot/cyrus/dev directory, 413–14
        populating /chroot/cyrus/etc directory, 414–15
        starting and stopping Cyrus IMAP in chroot jail, 416–17
    overview, 407–9
    testing with imtest/pop3test, 428–29
Cyrus SASL. See SMTP AUTH using Cyrus SASL
cyrus-sasl package, 388

D
-d (logrotate command-line option), 279
-d (nessusd option), 306
-D (clamav-milter option), 369
-D (nessusd option), 306
daemon user, 28
daemons, 10
data corruption and alteration, of DNS server, 466
dd command, 210–11
DDoS. See Distributed Denial of Service attacks
deb package, 470
Debian, 9, 11–13, 76
default category, 484
default policy, 90
default statement, 304–5
default_bits option, 145
default_debug channel, 483
default_process_limit option, 344
default_stderr channel, 483
default_syslog channel, 483
defaults option, 205–6
--del option, 11
delay option, 157
deleteaclmailboxd command, 427
deletemailbox command, 427
deleting unnecessary users and groups, 28–30
Demilitarized Zone (DMZ), 91, 324, 519
Denial of Service (DoS) attacks, 4, 51, 108–11, 167, 463. See also Distributed Denial of Service (DDoS) attacks
    on DNS server, 465–66
    and FTP server, 443–44, 455–56
    protecting Fetchmail from, 440–41
deny statement, 304–5
deny_email_enable option, 453
DenyGroups option, 183
DenyUsers option, 183
dep option, 72
-des3 option, 142
desktop user, 28
destination{ }, 244, 249–52
-detach option, 267
dev option, 205–6
development tools. See compilers and development tools
Dictionary-based cracking, 287
.diff file, 70
dig command, 486
DIGEST-MD5 mechanism, 387
digital signatures, 138
    and GNU privacy guard, 58–59
    and RPM, 59–61
dir_group( ) option, 246
dir_owner( ) option, 246
dir_perm( ) option, 246
--disable-threads option, 471
DISCARD option, 360
Distributed Denial of Service (DDoS) attacks, limiting risk of, 341–46
    overview, 341–42
    with Postfix, 344–46
    with Sendmail, 342–44
distribution security sites, 76
djbdns package, 467
-dla options, 193
dm_mod module, 210
dm-crypt module, 208–10
DMZ (Demilitarized Zone), 91, 324, 519
DNS server
    choosing, 466–67
    resources, 510
    risks to, 464–66
        cache poisoning, 465
        data corruption and alteration, 466
        denial of service attacks, 465–66
        man-in-the-middle attacks, 464–65
        overview, 464
    and transaction signatures (TSIG), 500–504
DNS_COMMANDS command alias, 40
DNS_SERVERS command alias, 40
dnscache application, 467
DNSSEC, 464
dnssec category, 484
dnssec-keygen command, 501
domains, 469
DontCont option, 270


DoS. See Denial of Service (DoS) attacks
downloading updates and patches, 61–64
    apt-get, 62–63
    overview, 61
    up2date, 62
    Yum, 63–64
--dport flag, 84, 123
DROP policy, 82, 98, 132
dselect tool, 65
dsniff, 318
dump command, 205
DUNNO option, 359

E
-e option, 174
e2fsprogs package, 198
Eavesdropping, 138
echo (shell command), 340
egrep command, 286
EHLO command, 385
EJBCA, 139
EL (Enterprise Linux), 67
e-mail, hardening remote access to, 403–42. See also Cyrus IMAP; Fetchmail
    choosing IMAP or POP servers, 405–6
    how IMAP or POP server is at risk, 406–7
    IMAP, 404
    overview, 403
    POP, 404–5
    resources, 441–42
e-mail server, antivirus scanning of, 364–72
    installing ClamAV, 364–68
    integrating ClamAV with Postfix, 370–72
    integrating ClamAV with Sendmail, 368–70
    overview, 364
emailto attribute, 222
emerg priority, 238–39
emulate GCC trampolines option, 72
--enable-inet6 option, 433
--enable-krb4 option, 388
--enable-login option, 388
--enable-opie option, 433
--enable-sql option, 388
encrypted file system, creating, 208–15
    enabling functionality, 209–10
    encrypting loop file system, 210–14
    installing userland tools, 209
    overview, 208–9
    remounting, 215
    unmounting encrypted file system, 214
encrypting files, 202–4
encryption. See public-key encryption
Enhanced Simple Mail Transfer Protocol (ESMTP), 334
enhdnsbl feature lines, 353
Enterprise Linux (EL), 67
ephemeral port, 437
err priority, 237
error-log file, 295
ESMTP (Enhanced Simple Mail Transfer Protocol), 334
ESTABLISHED connection, 93–97
/etc/default/useradd file, 24
/etc/fstab file, 208
/etc/group file, 20
/etc/groups file, 23
/etc/gshadow file, 24
/etc/ipsec.secrets file, 164
/etc/login.defs file, 36
/etc/modules.conf file, 210
/etc/pam.d directory, 31, 55
/etc/pam.d/passwd file, 34
/etc/passwd file, 20
/etc/security directory, 207
/etc/shadow file, 20, 23
/etc/shells file, 21
/etc/ssh file, 173
/etc/sysconfig/iptables file, 131
/etc/tripwire directory, 225
eth0 interface, 87
eth1 interface, 87
Ethereal, 80, 318
ETRN command, 336–38
Ettercap, 318
Eudora, 374
exec command, 340
exec option, 205–6
execute permission, 189
exit (shell command), 340
EXPIRE, 25
EXPN command, disabling, 337–38

F
-F flag, 89
-f (logrotate command-line option), 279
f_infotoemerg filter, 253
facility( ) filter, 252
fallback flag, 254
Fedora, 62
Fetchmail
    configuring and running, 434–41
        automating Fetchmail securely, 438–40
        overview, 434–35
        protecting Fetchmail from denial of service attacks, 440–41
        tunneling Fetchmail with SSH, 437–38
        using Fetchmail with OpenSSL, 435–36
    installing, 431–34
    overview, 430–31
.fetchmailrc file, 439
FIFO (First In First Out), 69
file( ) source, 247–49
File Transfer Protocol. See FTP
file_open_mode option, 458


file destination, 481
files and file systems, 187–231. See also permissions and attributes; Tripwire
    capabilities and lcap, 200–201
    creating encrypted file system, 208–15
        enabling functionality, 209–10
        encrypting loop file system, 210–14
        installing userland tools, 209
        overview, 208–9
        remounting, 215
        unmounting encrypted file system, 214
    encrypting files, 202–4
    ensuring file integrity, 57–61
        digital signatures and GNU privacy guard, 58–59
        MD5 and SHA1 checksums, 57–58
        overview, 57
        RPM and digital signatures, 59–61
    immutable files, 196–99
    Network File System (NFS), 229–30
    overview, 187–88
    resources, 231
    securely mounting file systems, 204–7
    securing removable devices, 207–8
filesnarf tool, 318
filter table, 82
filter{ }, 244, 252–53
FIN flag, 112–13
final flag, 254
find command, 192–93, 205, 286, 315
finger command, 21
Firestarter tool, 129
firewalls, 79–136
    adding first rules, 83–85
    and boot sequencing, 15
    choosing filtering criteria, 86–87
    creating basic firewall, 91–97
    creating for bastion host, 97–117
        bastion host rules, 116–17
        firewall logging, 101–5
        handling ICMP traffic, 105–8
        iptables and TCP flags, 111–16
        overview, 97–98
        securing bastion services, 98–101
        spoofing, hijacking, and denial of service attacks, 108–11
    enabling during installation, 2
    firewalling FTP server, 446–48
    how Linux firewall works, 80–83
        chains, 82
        overview, 80–82
        policies, 82–83
        tables, 82
    iptables command, 87–91
    kernel modules, 117. See also Patch-o-Matic
    kernel parameters, 124–29. See also Patch-o-Matic
        /proc/sys/net/ipv4/conf/all/accept_redirects, 126
        /proc/sys/net/ipv4/conf/all/accept_source_route, 126
        /proc/sys/net/ipv4/conf/all/log_martians, 126–27
        /proc/sys/net/ipv4/conf/all/rp_filter, 127–28
        /proc/sys/net/ipv4/icmp_echo_ignore_all, 128
        /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, 128
        /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses, 128
        /proc/sys/net/ipv4/ip_forward, 129
        /proc/sys/net/ipv4/tcp_syncookies, 129
        overview, 117, 124–26
    managing iptables and rules, 129–35
        iptables init scripts, 131
        iptables-save and iptables-restore, 130–31
        overview, 129–30
        testing and troubleshooting, 132–35
    overview, 79–80
    resources, 136
First In First Out (FIFO), 69
-fN option, 183
FORWARD chain, 82, 92
forward option, 493
forward type, 497
ForwardAgent option, 181
forwarders option, 493
forwarding X, with OpenSSH, 184–85
ForwardX11 option, 181
FQDN (Fully Qualified Domain Name), 375
fraggling, 109
FreeSWAN, 162
-fromstart option, 269
fsck command, 205
fsize limit, 52
FTP server, 443–61
    adding SSL/TLS support, 459–60
    configuring vsftpd for anonymous FTP, 450–56
        general configuration, 451–52
        general security, 454–55
        mode and access rights, 452–54
        overview, 450–51
        preventing denial of service attacks, 455–56
    configuring vsftpd with local users, 456–59
    firewalling FTP server, 446–48
    how FTP works, 444–46
    installing vsftpd, 448–50
    overview, 443–44
    resources, 461


    starting and stopping vsftpd, 461
    what FTP server to use, 448
ftp user, 28
ftpd_banner option, 454
Fully Qualified Domain Name (FQDN), 375

G
-g option, 184
games user, 28
gcc package, 65
gdm user, 28
GECOS3, 21
gendsa (Openssl command-line function), 142
general category, 484
Generic Security Services Application Programming Interface (GSSAPI), 422
genrsa option, 142
Gentoo, 76, 382
getpwent mechanism, 423
GFI, 351
GID, 24
Gimp Toolkit (GTK), 302–3
glibc, 72
GMP (GNU Multi-Precision), 159
gnats user, 28
Gnome Lokkit, 129
GNU Multi-Precision (GMP), 159
GNU Privacy Guard (GPG), 4, 58–59, 432
goaway flag, 339
gopher user, 28
gpasswd command, 27
gpg -c command, 202
gpg command, 202
GPG (GNU Privacy Guard), 4, 58–59, 432
gpg --import option, 58
gpm service, 9
Graphical User Interface (GUI), 3
group( ) option, 246
groupadd command, 26
groupdel command, 28
groupmod command, 28
groups. See users and groups
grsecurity package, 74
Grub, securing with password, 6–8
grub.conf configuration file, 73
GSSAPI (Generic Security Services Application Programming Interface), 422
GTK (Gimp Toolkit), 302–3
GuardDog tool, 129
GUI (Graphical User Interface), 3

H
-h option, 212–13
halt user, 28
handshake, 140
hardening basics, 1–77. See also kernel
    boot sequencing, 15
    compilers and development tools, 64–66
        overview, 64
        removing, 64–65
        restricting, 65–66
    Debian init scripts, 11–13
    downloading updates and patches, 61–64
        apt-get, 62–63
        overview, 61
        up2date, 62
        Yum, 63–64
    ensuring file integrity, 57–61
        digital signatures and GNU privacy guard, 58–59
        MD5 and SHA1 checksums, 57–58
        overview, 57
        RPM and digital signatures, 59–61
    inittab file, 13–14
    installing distribution securely, 2–4
    keeping informed about security, 75–76
    overview, 1–2
    pluggable authentication modules (PAM), 46–56
        overview, 46–48
        PAM module stacking, 48–49
        PAM “other” service, 49–50
        restricting su using, 50–51
        restricting users to specific login times with, 53–56
        setting limits with, 51–53
    process accounting, 44–46
    Red Hat console, 16–17
    Red Hat init scripts, 10–11
    resources, 76–77
    securing boot loader, 5–8
        overview, 5
        securing Grub with password, 6–8
        securing LILO with password, 5–6
    securing console, 16
    securing login screens, 18–19
    securing virtual terminals, 17–18
    users and groups, 19–44
        adding groups, 26–28
        adding users, 24–26
        deleting unnecessary users and groups, 28–30
        groups, 23–24
        overview, 19–22
        password aging, 35–37
        passwords, 31–35
        shadow passwording, 22–23
        sudo, 37–42
        user accounting, 42–44
hash, 146
head command, 286
header checks, Sendmail, 354–57


help command, 427
--help option, 153, 284, 471
hide_ids option, 454
hijacking, 108–11
hint type, 497
HMAC-MD5 algorithm, 506
home directory, 25
/home partition, 21
host( ) filter, 252
host keys, 173
host selector, 134
HTML (Hyper Text Markup Language), 302
HTTPS (Hyper Text Transfer Protocol–Secured), 84

I
-i flag, 83–84
-I flag, 87
IANA (Internet Assigned Numbers Authority), 86
ICMP (Internet Control Message Protocol), 81
ICMP traffic, handling, 105–8, 128
icmp_echo_ignore_all parameter, 128
--icmp-type flag, 107
id command, 286
identd user, 28
if option, 211
ifconfig, 80
IGNORE option, 360
IKE (Internet Key Exchange), 165
IMAP (Internet Message Access Protocol), 403–7. See also Cyrus IMAP
immutable files, 196–99
import module, 121
imtest tool, 428
INACTIVE option, 25
include command, 278
include function, 354
inet option, 507
inetd and xinetd-based connections, 167–69
inetd daemon, 167–68
--init option, 226
init process, 4
init script, 10, 475
init scripts
    Debian init scripts, 11–13
    Red Hat init scripts, 10–11
    sample named init script, 523–24
inittab file, 13–14
inner layer security, 282–95
    automated security hardening with Bastille Linux, 290–95
        Bastille logging, 295
        installing Bastille Linux, 291–92
        overview, 290–91
        running Bastille, 292–94
    overview, 282
    scanning for exploits and root kits, 282–86
        Chkrootkit, 285–86
        overview, 282–83
        Rootkit Hunter, 283–85
    testing password security, 287–90
INPUT chain, 82, 107, 113
-input option, 267
insmod command, 122–23
Installation option (Custom), 2
Installation option (Minimal), 2
installing
    Bastille Linux, 291–92
    BIND, 470–71
    Fetchmail, 431–34
    Openwall Project, 69–73
    SEC, 267–68
    userland tools, 209
    vsftpd, 448–50
Internet Assigned Numbers Authority (IANA), 86
Internet Control Message Protocol. See ICMP
Internet Key Exchange (IKE), 165
Internet Message Access Protocol. See IMAP
Internet Systems Consortium (ISC), 466
intrusion, 286
INVALID state, 93, 116
invoke-rc.d command, 168
IP security (IPSec), 159
ip_conntrack_ftp module, 446–47
ip_forward option, 125–26
ipchains command, 81
ipfwadm command, 81
iprange module, 121, 122
ipsec command, 161, 166–67
IPSec (IP security), 159
ipsec setup command, 166
ipsec showhostkey --right command, 165
IPSec, VPNs, and Openswan, 159–67
    firewalling for Openswan and IPSec, 165–66
    ipsec command, 166–67
    ipsec.conf file, 162–65
    overview, 159–62
ipsec.o module, 161
ipt_conntrack module, 93
iptables and TCP flags, 111–16
    blocking bad flag combinations, 113–15
    managing iptables and rules, 129–35
        iptables init scripts, 131
        iptables-save and iptables-restore, 130–31
        overview, 129–30
        testing and troubleshooting, 132–35
    overview, 111–12
    SYN flooding, 115–16
iptables command, 83, 87–91


iptables match module, 115
iptables-restore command, 130–31
iptables-save command, 130–31
IPv4 networking, 476
IPv6, 433, 476
irc user, 28
irda service, 9
ISC (Internet Systems Consortium), 466
isdn service, 9
issue.net file, 18

J
-j flag, 84
Janicke, Lutz, 382
John the Ripper (JTR) password cracker, 287–90

K
KDE (K Desktop Environment), 295
Kerberos, 410
kerberos4 mechanism, 389
kerberos5 mechanism, 389
kern facility, 236
kern logging, 128
kernel, 1–2, 5–6, 8, 66–75
    getting kernel source, 66–68
    grsecurity package, 74
    Linux Intrusion Defense System (LIDS), 74
    modules, 117. See also Patch-o-Matic
    Openwall Project, 68–74
        installing, 69–73
        overview, 68–69
        testing, 73–74
    overview, 66
    parameters, 124–29. See also Patch-o-Matic
        /proc/sys/net/ipv4/conf/all/accept_redirects, 126
        /proc/sys/net/ipv4/conf/all/accept_source_route, 126
        /proc/sys/net/ipv4/conf/all/log_martians, 126–27
        /proc/sys/net/ipv4/conf/all/rp_filter, 127–28
        /proc/sys/net/ipv4/icmp_echo_ignore_all, 128
        /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, 128
        /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses, 128
        /proc/sys/net/ipv4/ip_forward, 129
        /proc/sys/net/ipv4/tcp_syncookies, 129
        overview, 117, 124–26
    Rule Set Based Access Controls (RSBAC) project, 74
    SELinux package, 75
key statement, 477
keyserver, 60
keytable, 9
klipsdebug option, 163
klogd daemon, 234
KPOP protocol, 435
kudzu service, 9

L
-l (clamav-milter option), 369
l flag, 189
-L flag, 88
-l option, 36, 174, 441
lame-servers category, 484
LAN (Local Area Network), 110
Lasser, Jon, 291
last command, 43, 314
lastb command, 43
lastcomm command, 45
lastlog command, 44
LaTeX, 302
lcap command, 200–201
LDAP (Lightweight Directory Access Protocol), 392
ldap mechanism, 423
ldd command, 328, 381–83, 412
libmilter library, 368
libnet, 318
libnids, 318
libol library, 241
libpam-cracklib, 32
LIDS (Linux Intrusion Defense System), 74, 318
Lightweight Directory Access Protocol (LDAP), 392
LILO, securing with password, 5–6
lilo.conf, 73
limit module, 115
--limit-burst option, 115
limits.conf file, 52
--line-numbers flag, 88
Linux Intrusion Defense System (LIDS), 74, 318
list user, 28
listaclmailboxl command, 427
listen option, 451, 452
listen_address option, 452
listen-on option, 489
listmailbox command, 427
listquota command, 427
LMTP (Local Mail Transfer Protocol), 409
lmtp socket, 420–22
lo host, 98
Local Area Network (LAN), 110
Local Mail Transfer Protocol (LMTP), 409
local option, 157
Local port forwarding, 183


local_destination_concurrency_limit option, 344–45
local_enable option, 457
local0–local7 facility, 236
localhost keyword, 480
localnets keyword, 480
--localstatedir option, 153
log_martians parameter, 126–27
log{ }, 253–54
logger command, 259
logger (command-line tool), 263–64
logging and log monitoring, 233–80. See also syslog; syslog-NG
    firewall logging, 101–5
    log analysis and correlation, 264–76
        building SEC rules, 270–76
        inputting messages to SEC, 269–70
        installing and running SEC, 267–68
        overview, 264–66
    log management and rotation, 277–79
    overview, 233
    resources, 280
logging statement, 477
login command, 50
LOGIN mechanism, 387–88
login screens, 18–19
login_alert.conf file, 55
login.defs file, 23
LoginGraceTime option, 183
--log-ip-options flag, 102
--log-level flag, 102
--log-prefix flag, 101
logrotate tool, 277–79
--log-tcp-options flag, 102
--log-tcp-sequence flag, 102
loop file system, encrypting, 210–14
Loop-AES, 208
Loopback addresses, 109
losetup command, 211, 214
lp user, 28
lpd service, 9
lpd user, 28
lpr facility, 236
ls command, 45, 188, 193, 286, 315
ls_recurse_enable option, 455

M
-m mins option, 239
-m option, 36
-M option, 36, 416
m4 command, 334
mail, authenticating and securing, 373–402. See also TLS
    overview, 373
    resources, 402
    SMTP AUTH using Cyrus SASL, 387–89
        compiling Cyrus SASL, 388
        configuring SASL saslauthd, 389
        overview, 387–88
    SMTP AUTH using Cyrus SASL for Postfix, 395–400
        compiling Cyrus SASL into Postfix, 395–96
        configuring Cyrus SASL for Postfix, 396–98
        overview, 395
        using SMTP client authentication with Postfix, 400
        using SMTP server authentication with Postfix, 398–400
    SMTP AUTH using Cyrus SASL for Sendmail, 389–95
        compiling Cyrus SASL into Sendmail, 390–91
        configuring Cyrus SASL for Sendmail, 391–92
        overview, 389–90
        using SMTP client authentication with Sendmail, 394–95
        using SMTP server authentication with Sendmail, 392–93
    testing SMTP AUTH with Outlook Express, 400–401
Mail Exchange Record (MX), 349
mail server, 321–72, 346–64
    antispam, 351–64
        antispam settings for Postfix, 357–64
        antispam settings for Sendmail, 351–57
        overview, 351
    antivirus scanning of e-mail server, 364–72
        installing ClamAV, 364–68
        integrating ClamAV with Postfix, 370–72
        integrating ClamAV with Sendmail, 368–70
        overview, 364
    choosing, 321–23
    how mail server is at risk, 323
    overview, 321, 346
    protecting mail server, 323–33
        chrooting Postfix, 330–33
        chrooting Sendmail SMTP gateway or relay, 324–30
        overview, 323–24
    relaying, 346–51
        overview, 346–47
        in Postfix, 350–51
        in Sendmail, 348–50
        testing if you are open relay, 347–48
    resources, 372
    securing SMTP server, 333–46
        disabling dangerous and legacy SMTP commands, 336–38
        limiting risk of (Distributed) DoS attacks, 341–46

■INDEX542

obfuscating MTA banner and version,333–35

overview, 333Sendmail and smrsh, 339–40some additional Sendmail privacy flags,

339writing to files safely, 340–41

Mail Submission Program (MSP), 323Mail Transfer Agent (MTA), 146, 333–35mail user, 28mail_always option, 41mail_badpass option, 41mail_no_host option, 41mail_no_perms option, 41mail_no_user option, 41mailCA, 375Maildir mailbox, 25maildrop program, 340mailing lists, 75–76mailnull user, 28mailq command, 328mailsnarf tool, 318main.cf file, 335make bzImage command, 160make config command, 71make mrproper function, 70make oldconfig command, 72make process, 260, 459makedepend command, 409makemap command, 349man user, 29Mandrake, 17, 76man-in-the-middle attacks, on DNS server,

464–65mark facility, 236, 239–40master type, 497match( ) filter, 252match-clients substatement, 496match-destinations substatement, 495match-recursive-only substatement, 495max_clients option, 455max_per_ip option, 455--max-children (clamav-milter option), 369MaxDaemonChildren directive, 342MaxHeaderLength option, 343maxlogins limit, 52MaxMessageLength option, 343MaxMIMEHeaderLength option, 343MAY option, 386MD5, 2, 4, 6–7, 21, 23, 31, 34, 57, 287–88md5sum command, 57memlock limit, 52Message digest, 57, 138message_size_limit option, 346Microsoft Certificate Server, 139MinFreeBlocks option, 344minimal installation option, 2, 525

mkfs.ext3 command, 214mknod command, 327, 413, 472–73mode numbers, 190modprobe command, 210module command, 121module stacking, 33modules_install command, 121modules_install option, 72MonMotha tool, 129mounting file systems securely, 204–7mport module, 123MSP (Mail Submission Program), 323MTA (Mail Transfer Agent), 146, 333–35multiport module, 123MUST option, 386MUST_NOPEERMATCH option, 386mux file, 391MX (Mail Exchange Record), 349MySQL, 39, 256–59

N

n option, 120
named daemon, 472, 474–76
named.conf file, 476–78, 507–8
NASL (Nessus Attack Scripting Language), 302
NAT (Network Address Translation), 79, 445
NAT-T (Network Address Translation Traversal), 160
needmailhelo flag, 339
Nessus, 281, 295, 302–13
    overview, 302–5
    running Nessus client, 307–13
    running Nessusd daemon, 306–7
Nessus Attack Scripting Language (NASL), 302
nessus client options, 307
nessus-adduser command, 304
nessus-mkcert command, 304
NessusWX, 307
net selector, 134
NetBSD, 80
Netcat, 319
Netfilter, 79–81
netfs service, 9
NetHack, 3
netmask( ) filter, 252
Netscape Certificate Management System, 139
netstat -a command, 169, 296
netstat command, 286
Network Address Translation (NAT), 79, 445
Network Address Translation Traversal (NAT-T), 160
network category, 484
Network File System (NFS), 229–30
Network Time Protocol (NTP), 100–101, 503
NEW connection, 93–97
newaliases command, 328
-newca option, 145
newgrp command, 27
news user, 29
NFS (Network File System), 229–30
nfslock service, 9
nfsnobody user, 29
nfswatch command, 230
NMAP, 296–301
nmap tool, 112–13
no_oe.conf file, 165
noactive option, 398
noanonymous option, 398–99
noauto option, 205
nobody user, 29
nobodyreturn flag, 339
--nocolors option, 284
--nodeps option, 65
-nodes option, 376
nodev option, 205
nodictionary option, 398
noexec option, 205–6
nofile limit, 52
-nofromstart option, 269
NONE option, 112
noplaintext option, 398
nopriv_user option, 452
noreceipts flag, 339
normal mode, 197
noshell, 21–22
nosuid option, 205–6
notify-source substatement, 491
nouser option, 205–6
noverb flag, 339
nproc limit, 52
NSA, 75
nscd user, 29
NTLM protocol, 433
NTP (Network Time Protocol), 100–101, 503
ntpd service, 9
ntsysv, 11
null channel, 483
null destination, 481

O

-o option, 172, 369
-o=w flag, 192
obscure option, 32
ODBC (Open Database Connectivity), 256
ODMR (On-Demand Mail Relay), 430
OE (Opportunistic Encryption), 162
of option, 211
On-Demand Mail Relay (ODMR), 430
one-way hash, 138
Open Database Connectivity (ODBC), 256
OpenSSH, 169–71, 312
    forwarding X with, 184–85
    port forwarding with, 183–84
OpenSSL, 302, 377, 435–36, 459. See also SSL, TLS, and OpenSSL
openssl command, 150–52
openssl s_client command, 150
openssl s_server function, 151
openssl.cnf file, 143
Openwall Project, 68–74
    installing, 69–73
    overview, 68–69
    testing, 73–74
operator user, 29
Opportunistic Encryption (OE), 162
op.ps file, 330
optional module, 47
options statement, 477
options{ }, 244–46
-out option, 142
outer layer security, 295–313
    Nessus, 302–13
        overview, 302–5
        running Nessus client, 307–13
        running Nessusd daemon, 306–7
    NMAP, 296–301
    overview, 295
Outlook Express, 374
OUTPUT chain, 107
owner option, 205–6, 246
ownership, 196

P

p flag, 189
-p flag, 83
-p (nessusd option), 306
-P0 (NMAP command-line option), 310
PAM (pluggable authentication modules), 46–56
    enabling, 170
    module stacking, 48–49
    modules, 16, 31–32, 34
    overview, 46–48
    PAM “other” service, 49–50
    Red Hat preconfiguration with, 1–2
    restricting su using, 50–51
    restricting users to specific login times with, 53–56
    setting limits with, 51–53
pam_access.so module, 56
pam_console.so, 16
pam_cracklib.so module, 32–33
pam_deny.so module, 49
pam_env.so module, 56
pam_group.so module, 56
pam_limits.so module, 51
pam_local.so module, 48
pam_login_alert.so module, 54–55
pam_rhosts_auth.so module, 49
pam_server_name option, 458
pam_stack.so module, 48
pam_time.so module, 53
pam_unix.so module, 32
pam_warn.so module, 50
pamnotsosecure.so module, 48
parameters, kernel, 124–29
    overview, 124–26
    /proc/sys/net/ipv4/conf/all/accept_redirects, 126
    /proc/sys/net/ipv4/conf/all/accept_source_route, 126
    /proc/sys/net/ipv4/conf/all/log_martians, 126–27
    /proc/sys/net/ipv4/conf/all/rp_filter, 127–28
    /proc/sys/net/ipv4/icmp_echo_ignore_all, 128
    /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, 128
    /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses, 128
    /proc/sys/net/ipv4/ip_forward, 129
    /proc/sys/net/ipv4/tcp_syncookies, 129
paranoid mode, 197
passwd file, 194
passwd function, 49
password module, 47
password option, 6
PasswordAuthentication option, 182
password.lst file, 288
passwords, 31–35
    aging, 35–37
    shadow passwording, 22–23
    testing security of, 287–90
        John the Ripper (JTR) password cracker, 287–90
        overview, 287
PASV command, 444–45
pasv_max_port option, 455
pasv_min_port option, 455
patches. See updates and patches
Patch-O-Matic (POM), 117–24, 527
    comment module, 123–24
    iprange module, 122
    mport module, 123
    overview, 117–21
PaX project, 74
pcmcia service, 9
PDF file format, 302
peer certificate verification, 156
PEM file, 460
PERL, 65
perl-TK, 291
-perm option, 192
permissions and attributes, 188–96
    access permissions, 188–96
        overview, 188–91
        setuid and setgid permissions, 194–96
        sticky bits, 193–94
        umask command, 191–92
        world-readable, world-writable, and world-executable files, 192–93
    overview, 188
    ownership, 196
permit_mynetworks permission, 362
permit_sasl_authenticated permission, 362
PermitRootLogin option, 182
PGP-MIME, 374
pgp.net key server, 67
PID (Process ID), 366, 485
PIN, 31
ping command, 105
pipe( ) source, 247–51
PKI (public-key infrastructure), 138
PLAIN mechanism, 387
pluggable authentication modules. See PAM
Pluto IKE, 163
plutodebug option, 163
policies, 82–83
policy file, 218
POM. See Patch-O-Matic
POP (Post Office Protocol), 403–7, 435
pop3test tool, 428
PORT command, 444
port forwarding, with OpenSSH, 183–84
portmap service, 9
PortSentry tool, 342
Post Office Protocol (POP), 403–7, 435
Postfix, 330–33, 335, 529
    antispam configuration, 360–64
    antispam settings for, 357–64
    chrooting, 330–33
    header and body checks, 359–60
    integrating Cyrus IMAP with, 421–22
    limiting risk of Denial of Service (DoS) attacks with, 344–46
    relaying in, 350–51
    restriction list, 358–59
    SMTP AUTH using Cyrus SASL for, 395–400
        compiling Cyrus SASL into Postfix, 395–96
        configuring Cyrus SASL for Postfix, 396–98
        overview, 395
        using SMTP client authentication with Postfix, 400
        using SMTP server authentication with Postfix, 398–400
    TLS with, 381–86
        compiling TLS into Postfix, 382–83
        configuring TLS in Postfix, 383–85
        overview, 381–82
        using TLS for specific host, 385–86
Postfix-TLS patch, 385
postgres user, 29
PostgreSQL, 392
postmap command, 338, 386
postrotate command, 279
--prefix option, 260, 471
--prefix (configure option), 434
prerotate command, 279
print-category option, 482
--print-report option, 227
print-severity option, 482
print-time option, 482
priority( ) filter, 252
priority limit, 52
private-key encryption, 202
/proc directory, 69
/proc/crypto file, 210
process accounting, 44–46
Process ID (PID), 366, 485
procmail program, 340
/proc/sys/net/ipv4/conf/all/accept_redirects, 126
/proc/sys/net/ipv4/conf/all/accept_source_route, 126
/proc/sys/net/ipv4/conf/all/log_martians, 126–27
/proc/sys/net/ipv4/conf/all/rp_filter, 127–28
/proc/sys/net/ipv4/icmp_echo_ignore_all, 128
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts, 128
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses, 128
/proc/sys/net/ipv4/ip_forward, 129
/proc/sys/net/ipv4/tcp_syncookies, 129
ProFTPD FTP server, 448
program( ) filter, 252
property summaries, 221
protocol option, 157
proxy user, 29
ps -A command, 169
ps command, 286
PSH flag, 112
public-key encryption, 58, 137–69
    inetd and xinetd-based connections, 167–69
    IPSec, VPNs, and Openswan, 159–67
        firewalling for Openswan and IPSec, 165–66
        ipsec command, 166–67
        ipsec.conf file, 162–65
        overview, 159–62
    overview, 137–39
    SSL, TLS, and OpenSSL, 140–52
        creating certificate authority and signing certificates, 142–48
        overview, 140–42
        revoking certificate, 149–50
        testing connections using openssl command, 150–52
    Stunnel, 152–58
public-key infrastructure (PKI), 138

Q

q option, 121
query-source substatement, 490
queue_minfree option, 346
--quiet (clamav-milter option), 369
quit command, 427

R

-r option, 30, 240
-R option, 172
RAM (Random Access Memory), 178
Raymond, Eric S., 430
RBLs, and Sendmail, 353–54
rcp command, 175
read permission, 189
recurse attribute, 223
recursion option, 492
Red Hat, 1, 3, 9
    console, 16–17
    init scripts, 10–11
REJECT policy, 82
reject_invalid_hostname restriction, 362
reject_multi_recipient_bounce restriction, 362
reject_non_fqdn_recipient restriction, 362
reject_non_fqdn_sender restriction, 362
reject_unauth_destination restriction, 362
reject_unknown_hostname restriction, 362
reject_unknown_recipient_domain restriction, 362
reject_unknown_sender_domain restriction, 362
RELATED state, 93
relaying, 346–51
    overview, 346–47
    in Postfix, 350–51
    in Sendmail, 348–50
    testing if you are open relay, 347–48
reload option, 213, 243
remote access to e-mail, hardening. See e-mail, hardening remote access to
remote command, 175
remote port forwarding, 183
Remote Procedure Call (RPC), 229
remounting encrypted file system, 215
removable devices, 207–8
remove option, 213
removing compilers and development tools, 64–65
renamemailbox command, 427
--report-mode option, 284
req (OpenSSL command-line function), 142
required flag, 47
requisite flag, 47
resize option, 213
resources, 510
    connections and remote administration, securing, 185
    DNS server, 510
    e-mail, hardening remote access to, 441–42
    files and file systems, securing, 231
    FTP server, securing, 461
    hardening basics, 76–77
    logging and log monitoring, 280
    mail, authenticating and securing, 402
    tools, using for security testing, 319–20
--restore option, 289
restricted option, 6
restrictexpand flag, 339
restrictmailq flag, 339
restrictqrun flag, 339
RFC 1122, 128
RFC 3164, 234
rhnsd service, 9
RHSBL (Right-Hand Side Blacklist), 363
rkhunter script, 283
rkhunter.log file, 284
RLIMIT_NPROC setting, 69
rlogin command, 171
rndc command, 463, 485, 504–9
    adding rndc support to named.conf, 507–8
    overview, 504–5
    rndc.conf, 505–7
    using rndc, 508–9
rndc stats command, 485
rndc status command, 509
rndc.conf file, 505
ro option, 205–6
root kit, 282–83
root user, 29
Rootkit Hunter, 283–85
routers, 126
rp_filter file, 127–28
RPA protocol, 433
RPC (Remote Procedure Call), 229
rpc user, 29
rpcuser user, 29
RPM, 59–61, 200, 283
rpm --checksig command, 61
rpm --import command, 60
rpm user, 29
RPOP protocol, 435
rsa (OpenSSL command-line function), 142
RSA private key, 141
rsa_cert_file option, 460
RSAAuthentication option, 182
rsautl (OpenSSL command-line function), 142
RSBAC (Rule Set Based Access Controls) project, 74
rss limit, 52
RST flag, 112
rule attribute, 222
Rule Set Based Access Controls (RSBAC) project, 74
rulename attribute, 223
ruleset, 131–32
RunAsUser option, 341
Russell, Rusty, 80
rw option, 205–6

S

s flag, 189
-s flag, 94
s_client (OpenSSL command-line function), 142
s_server (OpenSSL command-line function), 142
sa tool, 46
SafeFileEnvironment option, 340–41
Samba, 10
SANS, 75
SARA (Security Auditor’s Research Assistant), 319
SASL (Simple Authentication and Security Layer), 328
sasl_pwcheck_method option, 418
saslauthd daemon, 389
sasldb2 file, 425
saslpasswd2 command, 392, 397
SASLv2, 390
SATAN (Security Administrator Tool for Analyzing Systems), 319
/sbin/nologin script, 21
ScanArchive option, 366
ScanMail option, 366
ScanOLE2 option, 366
ScanRAR option, 366
Scheidler, Balazs, 241
scp command, 165, 175–76
script command, 317
SDPS protocol, 435
SEC, 104, 265–76
    actions, 276
    building SEC rules, 270–76
    command-line options, 268
    FAQ, 276
    inputting messages to, 269–70
    installing and running, 267–68
    pattern types, 271
    rule types, 272
sec.pl script, 267
sec.startup file, 268
Secure Hash Algorithm (SHA), 57
Secure Sockets Layer. See SSL, TLS, and OpenSSL
Secure Wide Area Network (S/WAN), 159
secure_email_list_enable option, 453
Security Administrator Tool for Analyzing Systems (SATAN), 319
Security Auditor’s Research Assistant (SARA), 319
security category, 484
security, keeping informed about, 75–76
security sites, 75–76
security testing. See tools, using for security testing
sed command, 286
SELinux package, 74–75
Sendmail, 8, 377–81, 529
    antispam settings for, 351–57
    banner control, 333–35
    chrooting Sendmail SMTP gateway or relay, 324–30
    header checks, 354–57
    integrating ClamAV with, 368–72
    integrating Cyrus IMAP with, 421–22
    limiting risk of Denial of Service (DoS) attacks with, 342–44
    privacy flags, 339
    and RBLs, 353–54
    relaying in, 348–50
    and smrsh, 339–40
    SMTP AUTH using Cyrus SASL for, 389–95
        compiling Cyrus SASL into Sendmail, 390–91
        configuring Cyrus SASL for Sendmail, 391–92
        overview, 389–90
        using SMTP client authentication with Sendmail, 394–95
        using SMTP server authentication with Sendmail, 392–93
    TLS with, 377–81
        compiling Sendmail with TLS, 378
        configuring Sendmail with TLS, 379–80
        overview, 377–78
        using TLS with specific hosts, 380–81
sendmail.cf file, 333–34
sendmail.mc file, 333–34
server authentication, 140
server statement, 477
service configuration files, 46
session module, 47
--session option, 289
setaclmailbox command, 427
setgid permission, 194–96
setquota command, 427
setuid permission, 194–96
severity attribute, 223
sftp command, 175–76
SHA (Secure Hash Algorithm), 57
SHA1 checksum, 57–58
sha1sum command, 57
shadow authentication, 424
shadow mechanism, 389, 423
shadow passwording, 2, 22–23
sharedscripts option, 279
SHELL, 25
shell commands, 340
shellcmd action, 276
--show option, 289–90
show tables command, 258
shutdown command, 14
shutdown user, 29
shutdown.allowed file, 14
SIGINT, 133
Simple Authentication and Security Layer (SASL), 328
Simple Mail Transfer Protocol (SMTP), 147, 321. See also SMTP server
SingleWithSuppress rule type, 275
site.config.m4 file, 390
SKEL, 25
--skip-keypress option, 284
Slackware, 382
slave type, 497
sleep command, 438
S/MIME, 374
smime (OpenSSL command-line function), 142
SmoothWall, 79
smrsh shell, 339–40
SMsg macro, 355
SMTP AUTH using Cyrus SASL, 387–89
    compiling Cyrus SASL, 388
    configuring SASL saslauthd, 389
    overview, 387–88
    for Postfix, 395–400
        compiling Cyrus SASL into Postfix, 395–96
        configuring Cyrus SASL for Postfix, 396–98
        overview, 395
        using SMTP client authentication with Postfix, 400
        using SMTP server authentication with Postfix, 398–400
    for Sendmail, 389–95
        compiling Cyrus SASL into Sendmail, 390–91
        configuring Cyrus SASL for Sendmail, 391–92
        overview, 389–90
        using SMTP client authentication with Sendmail, 394–95
        using SMTP server authentication with Sendmail, 392–93
SMTP server, 333–46
    disabling commands, 336–38
        ETRN, 338
        EXPN, 337–38
        overview, 336
        VRFY, 336–37
    limiting risk of (Distributed) DoS attacks, 341–46
        overview, 341–42
        with Postfix, 344–46
        with Sendmail, 342–44
    obfuscating MTA banner and version, 333–35
        overview, 333
        Postfix, 335
        Sendmail, 333–35
    overview, 333
    privacy flags, 339
    Sendmail and smrsh, 339–40
    writing to files safely, 340–41
smtpd_delay_reject option, 361
smtpd_error_sleep_time option, 344–45
smtpd_hard_error_limit option, 344–45
smtpd_helo_required option, 361
smtpd_recipient_limit option, 344–45
smtpd_soft_error_limit option, 344–45
smurf attack, 128
smurfing, 109
snmpd service, 9
snmptrap service, 9
Snort, 319
sockets, 81
soft limit, 52
source port, 86
source tarball, 216
source{ }, 244, 246–49
SourceForge, 216
source-routed packets, 126
sources.list file, 63
-sP scan type, 297
SpamAssassin, 351
spoofing, 108–11
--sport flag, 123
--sport option, 84
SQL server, 250
srvrsmtp.c file, 335
-sS scan type, 297
SSH, 15–16, 92, 95–96, 171–75, 230
    configuring, 180–83
    tunneling Fetchmail with, 437–38
ssh command, 171, 438
ssh connection, 133
ssh-add options, 178
ssh-agent and agent forwarding, 177–79
sshd daemon, 179–80, 437
sshd options, 180
sshd server, 170
sshd service, 9
sshd user, 29
sshd_config file, 176, 180–83
ssh-keygen command, 173
--ssl option, 436
SSL, TLS, and OpenSSL, 140–52
    creating certificate authority and signing certificates, 142–48
    overview, 140–42
    revoking certificate, 149–50
    SSL/TLS support, 459–60
    testing connections using openssl command, 150–52
--sslcert option, 436
--sslcertck option, 436
--sslcertpath option, 436
SSLdump, 152
--sslfingerprint option, 436
--sslkey option, 436
--sslproto option, 436
-sT scan type, 297
stack, 47, 52
stacktest, 74
STARTTLS, 374, 379–80
-starttls option, 150
--state flag, 94
state module, 93, 115
stateful packet-filtering firewall, 81
stateful protocol, 444
stateless packet-filtering firewall, 81
stats( ) option, 246
--status option, 289
stderr destination, 481
--stdout option, 289
sticky bits, 193–94
stop rule, 224
StreamMaxLength option, 366
StreamSaveToDisk option, 366
strict_rfc821_envelopes option, 361
StrictHostKeyChecking option, 181
StrictModes option, 182
strings command, 286
stub type, 497
Stunnel, 152–58, 260
stunnel.conf file, 154
stunnel.pem file, 156
stunnel-sample.conf, 154
su command, 50–51, 273
-sU scan type, 297
subnet-to-subnet connection, 164
sudo command, 37–42
sudoers file, 38–40
sufficient flag, 47
suid option, 205–6
Sun Microsystems, 46
Suppress rule type, 274–75
SuSE, 10, 179, 382
S/WAN (Secure Wide Area Network), 159
sXid tool, 196
symmetrical encryption, 202
SYN cookies, 116, 129
SYN flag, 112
SYN flooding, 115–16
--syn option, 116
sync( ) option, 246
sync user, 29
sys user, 29
sysacc service, 13
--sysconfdir option, 153–54, 260
sysctl command, 124–25
sysctl.conf file, 124
syslog, 233–40
    configuring, 104, 235–39
        actions, 237–38
        combining multiple selectors, 238–39
        facilities, 235–36
        overview, 235
        priorities, 236–37
    overview, 233–35
    starting syslogd and its options, 239–40
syslog_enable option, 452
syslog2ng script, 242
syslog.conf file, 239
syslog-NG, 241–64, 327–28
    contrib directory, 242
    installing and configuring, 241–42
    logging to database with, 256–59
    overview, 241
    running and configuring, 242–54
        destination{ }, 249–52
        filter{ }, 252–53
        log{ }, 253–54
        options{ }, 244–46
        overview, 242–44
        source{ }, 246–49
    sample syslog-ng.conf file, 254–56
    secure logging with, 259–63
    testing logging with logger, 263–64
syslog-NG file-expansion macros, 250
system administrator, 37
system-auth service, 46

T

-t flag, 90
t option, 120
-t option, 174, 475
tables, in Netfilter, 82
TakeNext option, 270
TCP flags. See iptables and TCP flags
tcp( ) source, 247–48
TCP SYN scan, 296–97
TCP (Transmission Control Protocol), 81
TCP Wrapper, 154
tcpdump command, 132–35, 319
--tcp-flags flag, 112
TCP/IP (Transmission Control Protocol / Internet Protocol), 137, 322
telnet command, 171
telnetd user, 29
Tempest-shielding technology, 144
--test option, 289–90
testing. See also tools, using for security testing
    iptables, 132–35
    Openwall Project, 73–74
    password security, 287–90
        John the Ripper (JTR) password cracker, 287–90
        overview, 287
    SMTP AUTH with Outlook Express, 400–401
TEST-NET address range, 109
three-way handshake, 111
time line, 276
time_reopen( ) option, 246
time.conf file, 53
TIMEOUTbusy option, 157
TIMEOUTclose option, 157
TIMEOUTidle option, 157
Titan package, 319
title option, 8
TLS (Transport Layer Security), 140, 373–86. See also SSL, TLS, and OpenSSL
    creating certificates for, 374–77
    overview, 373–74
    with Postfix, 381–86
        compiling TLS into Postfix, 382–83
        configuring TLS in Postfix, 383–85
        overview, 381–82
        using TLS for specific host, 385–86
    with Sendmail, 377–81
        compiling Sendmail with TLS, 378
        configuring Sendmail with TLS, 379–80
        overview, 377–78
        using TLS with specific hosts, 380–81
/tmp directory, 68
tools, using for security testing, 281–321. See also inner layer security; outer layer security
    additional security tools, 318–19
    other methods of detecting penetration, 313–16
    overview, 281–82
    recovering from penetration, 315–18
    resources, 319–20
traceroute command, 106
transaction signatures (TSIG), 463, 500–504
transfer acl statement, 519
Transmission Control Protocol / Internet Protocol (TCP/IP), 137, 322
Transmission Control Protocol (TCP), 81
Transport Layer Security. See SSL, TLS, and OpenSSL; TLS
TrendMicro, 351
Tripwire, 187, 215–29
    configuring, 216–18
    overview, 215–16
    policy, 218–29
        global variables, 218–19
        initializing and running Tripwire, 224–29
        overview, 218
        Tripwire rules, 219–24
    property masks, 220
tripwire-setup-keyfiles command, 224–25
Trojan program, 282
troubleshooting iptables, 132–35
TSIG (transaction signatures), 463, 500–504
twadmin command, 225, 228–29
twcfg.txt file, 217–18
twinstall.sh script, 224
twpol.txt file, 217–18
twprint command, 227
--twrfile option, 227–28
TXT record, 486–87

U

u flag, 190
-u option, 258, 475
UBE (Unsolicited Bulk E-mail), 346
UCE (Unsolicited Commercial E-mail), 346
UDP packets, 465
udp( ) source, 247–48
UDP (User Datagram Protocol), 81, 135, 298
UID (Unique ID), 408
ulimit command, 53
umask command, 191–92
umount command, 214
uname -a command, 66, 73
uname command, 286
Unique ID (UID), 408
unix-dgram( ) source, 247–48
unix-stream( ) source, 247–48
unmounting encrypted file system, 214
Unsolicited Bulk E-mail (UBE), 346
Unsolicited Commercial E-mail (UCE), 346
up2date command, 61–62
-update option, 228
--update-policy option, 229
update-rc.d command, 11–12, 168
updates and patches, downloading, 61–64
    apt-get, 62–63
    overview, 61
    up2date, 62
    Yum, 63–64
URG flag, 112
urlsnarf tool, 318
use_time_recvd( ) option, 246
use_uid option, 51
UsePrivilegeSeparation option, 182
user account, 19
User Datagram Protocol (UDP), 81, 135, 298
user facility, 236
user option, 205–6
useradd command, 24
userdel command, 28
usermod command, 28
users and groups, 19–44
    adding groups, 26–28
    adding users, 24–26
    deleting unnecessary users and groups, 28–30
    overview, 19–22
    passwords, 31–37
    shadow passwording, 22–23
    sudo, 37–42
    user accounting, 42–44
usertty( ) option, 251
/usr/sbin directory, 224
/usr/src directory, 67, 69
/usr/src/linux directory, 68, 70
uucp facility, 236
uucp user, 29

V

-v flag, 133, 243
-v (logrotate command-line option), 279
-V option, 199
Vaarandi, Risto, 266
vcsa user, 29
verbose mode, 197
--verify gpg option, 59
verify (OpenSSL command-line function), 142
verify option, 156
VerifyReverseMapping option, 183
--versioncheck option, 284
versions option, 482
view statement, 477, 493
Virtual Network Computing (VNC), 157–58
virtual private networks. See IPSec, VPNs, and Openswan
virtual terminals, 14, 17–18
visudo command, 38
Vlock tool, 17–18
VNC (Virtual Network Computing), 157–58
VPNs. See IPSec, VPNs, and Openswan
VRFY command, disabling, 336–37
vsftpd
    configuring for anonymous FTP, 450–56
        general configuration, 451–52
        general security, 454–55
        mode and access rights, 452–54
        overview, 450–51
        preventing denial of service attacks, 455–56
    configuring with local users, 456–59
    installing, 448–50
    starting and stopping, 461
vsftpd.conf file, 450, 460
vsftpd.conf man file, 454
-vv flag, 133
-vv option, 61

W

w command, 314
w flag, 190
-w option, 441
Wd entry, 54
Webmin, 169
who command, 42, 314
wildcard, 54
winbind service, 9
window option, 272
--with-auth option, 410
--with-com_err option, 410
--with-cyrus-group option, 410
--with-cyrus-user option, 410
--with-krb option, 410
--with-openssl option, 410
--with-pam option, 388
--with-sasl option, 410
--with-saslauthd option, 388
--with-ssl option, 153
--wordlist option, 289
world-readable, world-writable, and world-executable files, 192–93
write action, 272
write permission, 189–90
write_enable option, 454
writing to files safely, 340–41
wtmp file, 43, 314
WU-FTPD FTP server, 448
-www option, 151
www-data user, 29

X

-X flag, 91
X forwarding, with OpenSSH, 184–85
X mode, 290
-X option, 172
-x option, 172
X11, 184–85, 307–8
x509 (OpenSSL command-line function), 142
xfer-in category, 484
xferlog_enable option, 452
xferlog_std_format option, 452
xfer-out category, 484
xfs service, 9
xfs user, 29
xinetd daemon, 167–68
Xmas-style scanning, 114
Xprobe, 299
X-Windows, 3, 169, 293

Y

y option, 120, 393
-y option, 174, 211
yast tool, 65
Yellow Dog Updater, Modified (Yum), 63–64
Yellow Dog web site, 76
ypbind service, 9
yum command, 61–64, 209
Yum (Yellow Dog Updater, Modified), 63–64

Z

-Z flag, 91
zero address, 111
Zeroconf IP address range, 109
Zlib, 170
zone statement, 477, 493–94
