5c5
< .\" $FreeBSD: head/share/man/man7/security.7 129400 2004-05-18 18:17:25Z dannyboy $
---
> .\" $FreeBSD: head/share/man/man7/security.7 130524 2004-06-15 12:48:50Z ru $
12c12,13
< .Nd introduction to security under FreeBSD
---
> .Nd introduction to security under
> .Fx
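Review bot: the one-line description is now split across two macro lines (`.Nd introduction to security under` followed by `.Fx`); confirm that makewhatis still records the full description with the expanded FreeBSD name rather than an entry that stops at `under`.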
19c20
< .Sq honest
---
> .Dq honest
21c22,23
< one of the single largest undertakings of the sysadmin. Machines are
---
> one of the single largest undertakings of the sysadmin.
> Machines are
27,28c29,31
< and many of these processes operate as servers \(em meaning that external entities
< can connect and talk to them. As yesterday's mini-computers and mainframes
---
> and many of these processes operate as servers \(em meaning that external
> entities can connect and talk to them.
> As yesterday's mini-computers and mainframes
32c35,36
< Security is best implemented through a layered onion approach. In a nutshell,
---
> Security is best implemented through a layered onion approach.
> In a nutshell,
34c38,39
< and then carefully monitor the system for intrusions. You do not want to
---
> and then carefully monitor the system for intrusions.
> You do not want to
37,38c42,44
< mechanism. For example, it makes little sense to set the
< .Pa schg
---
> mechanism.
> For example, it makes little sense to set the
> .Cm schg
47c53
< System security also pertains to dealing with various forms of attack,
---
> System security also pertains to dealing with various forms of attacks,
49c55,56
< but do not attempt to break root. Security concerns can be split up into
---
> but do not attempt to break root.
> Security concerns can be split up into
53c60
< Denial of service attacks
---
> Denial of Service attacks (DoS)
65c72,73
< resources. Typically, D.O.S. attacks are brute-force mechanisms that attempt
---
> resources.
> Typically, DoS attacks are brute-force mechanisms that attempt
67,69c75,80
< network stack. Some D.O.S. attacks try to take advantages of bugs in the
< networking stack to crash a machine with a single packet. The latter can
< only be fixed by applying a bug fix to the kernel. Attacks on servers can
---
> network stack.
> Some DoS attacks try to take advantages of bugs in the
> networking stack to crash a machine with a single packet.
> The latter can
> only be fixed by applying a bug fix to the kernel.
> Attacks on servers can
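Review bot: `take advantages of bugs` in the rewrapped line `> Some DoS attacks try to take advantages of bugs in the` is a grammar slip carried over from the old text; since the line is being touched anyway, change it to `take advantage of bugs`.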
71,72c82,84
< incur on the system under adverse conditions. Brute-force network
< attacks are harder to deal with. A spoofed-packet attack, for example, is
---
> incur on the system under adverse conditions.
> Brute-force network attacks are harder to deal with.
> A spoofed-packet attack, for example, is
77,80c89,100
< A user account compromise is even more common than a D.O.S. attack. Many
< sysadmins still run standard telnetd, rlogind, rshd, and ftpd servers on their
< machines. These servers, by default, do not operate over encrypted
< connections. The result is that if you have any moderate-sized user base,
---
> A user account compromise is even more common than a DoS attack.
> Many
> sysadmins still run standard
> .Xr telnetd 8 ,
> .Xr rlogind 8 ,
> .Xr rshd 8 ,
> and
> .Xr ftpd 8
> servers on their machines.
> These servers, by default, do not operate over encrypted
> connections.
> The result is that if you have any moderate-sized user base,
82,84c102,104
< (which is the most common and convenient way to login to a system)
< will
< have his or her password sniffed. The attentive system admin will analyze
---
> (which is the most common and convenient way to log in to a system)
> will have his or her password sniffed.
> The attentive system administrator will analyze
89c109,110
< the attacker can break root. However, the reality is that in a well secured
---
> the attacker can break root.
> However, the reality is that in a well secured
91c112,113
< attacker access to root. The distinction is important because without access
---
> attacker access to root.
> The distinction is important because without access
98c120,121
< to break root on a machine. The attacker may know the root password,
---
> to break root on a machine.
> The attacker may know the root password,
101c124
< connection to that server, or the attacker may know of a bug in an suid-root
---
> connection to that server, or the attacker may know of a bug in an SUID-root
103c126,127
< user's account. If an attacker has found a way to break root on a machine,
---
> user's account.
> If an attacker has found a way to break root on a machine,
106,107c130,133
< of work by the attacker to cleanup after himself, so most attackers do install
< backdoors. This gives you a convenient way to detect the attacker. Making
---
> of work by the attacker to clean up after himself, so most attackers do install
> backdoors.
> This gives you a convenient way to detect the attacker.
> Making
113c139
< .Sq onion peel
---
> .Dq onion peel
119c145
< Securing root \(em root-run servers and suid/sgid binaries
---
> Securing root \(em root-run servers and SUID/SGID binaries
132,133c158,161
< Don't bother securing staff accounts if you haven't secured the root
< account. Most systems have a password assigned to the root account. The
---
> Do not bother securing staff accounts if you have not secured the root
> account.
> Most systems have a password assigned to the root account.
> The
135,136c163,166
< .Sq always
< compromised. This does not mean that you should remove the password. The
---
> .Em always
> compromised.
> This does not mean that you should remove the password.
> The
141,142c171,173
< command.
< For example, make sure that your pty's are specified as being unsecure
---
> utility.
> For example, make sure that your PTYs are specified as being
> .Dq Li unsecure
144c175
< .Sq Pa /etc/ttys
---
> .Pa /etc/ttys
146,149c177,190
< so that direct root logins via telnet or rlogin are disallowed. If using
< other login services such as sshd, make sure that direct root logins are
< disabled there as well. Consider every access method \(em services such as
< ftp often fall through the cracks. Direct root logins should only be allowed
---
> so that direct root logins via
> .Xr telnet 1
> or
> .Xr rlogin 1
> are disallowed.
> If using
> other login services such as
> .Xr sshd 8 ,
> make sure that direct root logins are
> disabled there as well.
> Consider every access method \(em services such as
> .Xr ftp 1
> often fall through the cracks.
> Direct root logins should only be allowed
153,156c194,200
< a few holes. But we make sure these holes require additional password
< verification to operate. One way to make root accessible is to add appropriate
< staff accounts to the wheel group
< (in
---
> a few holes.
> But we make sure these holes require additional password
> verification to operate.
> One way to make root accessible is to add appropriate
> staff accounts to the
> .Dq Li wheel
> group (in
158,170c202,226
< The staff members placed
< in the wheel group are allowed to
< .Sq su
< to root. You should never give staff
< members native wheel access by putting them in the wheel group in their
< password entry. Staff accounts should be placed in a
< .Sq staff
< group, and then added to the wheel group via the
< .Sq Pa /etc/group
< file. Only those staff members who actually need to have root access
< should be placed in the wheel group. It is also possible, when using an
< authentication method such as kerberos, to use kerberos's
< .Sq Pa .k5login
---
> The staff members placed in the
> .Li wheel
> group are allowed to
> .Xr su 1
> to root.
> You should never give staff
> members native
> .Li wheel
> access by putting them in the
> .Li wheel
> group in their password entry.
> Staff accounts should be placed in a
> .Dq Li staff
> group, and then added to the
> .Li wheel
> group via the
> .Pa /etc/group
> file.
> Only those staff members who actually need to have root access
> should be placed in the
> .Li wheel
> group.
> It is also possible, when using an
> authentication method such as Kerberos, to use Kerberos's
> .Pa .k5login
173,174c229,235
< to root without having to place anyone at all in the wheel group. This
< may be the better solution since the wheel mechanism still allows an
---
> to root without having to place anyone at all in the
> .Li wheel
> group.
> This
> may be the better solution since the
> .Li wheel
> mechanism still allows an
176,177c237,241
< file and can break into a staff account. While having the wheel mechanism
< is better than having nothing at all, it isn't necessarily the safest
---
> file and can break into a staff account.
> While having the
> .Li wheel
> mechanism
> is better than having nothing at all, it is not necessarily the safest
182c246,247
< for the staff accounts. This way an intruder may be able to steal the password
---
> for the staff accounts.
> This way an intruder may be able to steal the password
185c250,251
< you've limited root access to the console). Staff members
---
> you have limited root access to the console).
> Staff members
191,194c257,262
< key pair. When you use something like kerberos you generally must secure
< the machines which run the kerberos servers and your desktop workstation.
< When you use a public/private key pair with ssh, you must generally secure
< the machine you are logging in FROM
---
> key pair.
> When you use something like Kerberos you generally must secure
> the machines which run the Kerberos servers and your desktop workstation.
> When you use a public/private key pair with SSH, you must generally secure
> the machine you are logging in
> .Em from
202c270,271
< can only login through secure access methods that you have setup. You can
---
> can only log in through secure access methods that you have set up.
> You can
204c273
< all their sessions which closes an important hole used by many intruders: That
---
> all their sessions which closes an important hole used by many intruders: that
208,210c277,281
< from a more restrictive server to a less restrictive server. For example,
< if your main box is running all sorts of servers, your workstation shouldn't
< be running any. In order for your workstation to be reasonably secure
---
> from a more restrictive server to a less restrictive server.
> For example,
> if your main box is running all sorts of servers, your workstation should not
> be running any.
> In order for your workstation to be reasonably secure
214c285
< a workstation an attacker can break any sort of security you put on it.
---
> a workstation, an attacker can break any sort of security you put on it.
220c291
< Using something like kerberos also gives you the ability to disable or
---
> Using something like Kerberos also gives you the ability to disable or
222c293,294
< affect all the machines the staff member may have an account on. If a staff
---
> affect all the machines the staff member may have an account on.
> If a staff
224,227c296,300
< password on all machines should not be underrated. With discrete passwords,
< changing a password on N machines can be a mess. You can also impose
< re-passwording restrictions with kerberos: not only can a kerberos ticket
< be made to timeout after a while, but the kerberos system can require that
---
> password on all machines should not be underrated.
> With discrete passwords, changing a password on N machines can be a mess.
> You can also impose
> re-passwording restrictions with Kerberos: not only can a Kerberos ticket
> be made to timeout after a while, but the Kerberos system can require that
230,239c303,325
< .Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES
< The prudent sysadmin only runs the servers he needs to, no more, no less. Be
< aware that third party servers are often the most bug-prone. For example,
< running an old version of imapd or popper is like giving a universal root
< ticket out to the entire world. Never run a server that you have not checked
< out carefully. Many servers do not need to be run as root. For example,
< the ntalk, comsat, and finger daemons can be run in special user
< .Sq sandboxes .
< A sandbox isn't perfect unless you go to a large amount of trouble, but the
< onion approach to security still stands: If someone is able to break in
---
> .Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES
> The prudent sysadmin only runs the servers he needs to, no more, no less.
> Be aware that third party servers are often the most bug-prone.
> For example,
> running an old version of
> .Xr imapd 8
> or
> .Xr popper 8
> is like giving a universal root
> ticket out to the entire world.
> Never run a server that you have not checked
> out carefully.
> Many servers do not need to be run as root.
> For example,
> the
> .Xr talkd 8 ,
> .Xr comsat 8 ,
> and
> .Xr fingerd 8
> daemons can be run in special user
> .Dq sandboxes .
> A sandbox is not perfect unless you go to a large amount of trouble, but the
> onion approach to security still stands: if someone is able to break in
241,242c327,330
< sandbox. The more layers the attacker must break through, the lower the
< likelihood of his success. Root holes have historically been found in
---
> sandbox.
> The more layers the attacker must break through, the lower the
> likelihood of his success.
> Root holes have historically been found in
244,245c332,339
< If you are running a machine through which people only login via sshd and
< never login via telnetd or rshd or rlogind, then turn off those services!
---
> If you are running a machine through which people only log in via
> .Xr sshd 8
> and never log in via
> .Xr telnetd 8 ,
> .Xr rshd 8 ,
> or
> .Xr rlogind 8 ,
> then turn off those services!
248c342,347
< now defaults to running ntalkd, comsat, and finger in a sandbox.
---
> now defaults to running
> .Xr talkd 8 ,
> .Xr comsat 8 ,
> and
> .Xr fingerd 8
> in a sandbox.
251,252c350,355
< The default rc.conf includes the arguments necessary to run
< named in a sandbox in a commented-out form. Depending on whether you
---
> The default
> .Pa rc.conf
> includes the arguments necessary to run
> .Xr named 8
> in a sandbox in a commented-out form.
> Depending on whether you
254c357,358
< user accounts used by these sandboxes may not be installed. The prudent
---
> user accounts used by these sandboxes may not be installed.
> The prudent
258c362,367
< sendmail, popper, imapd, ftpd, and others. There are alternatives to
---
> .Xr sendmail 8 ,
> .Xr popper 8 ,
> .Xr imapd 8 ,
> .Xr ftpd 8 ,
> and others.
> There are alternatives to
266,267c375,378
< The other big potential root hole in a system are the suid-root and sgid
< binaries installed on the system. Most of these binaries, such as rlogin,
---
> The other big potential root hole in a system are the SUID-root and SGID
> binaries installed on the system.
> Most of these binaries, such as
> .Xr rlogin 1 ,
269,271c380
< .Pa /bin ,
< .Pa /sbin ,
< .Pa /usr/bin ,
---
> .Pa /bin , /sbin , /usr/bin ,
275,278c384,389
< the system-default suid and sgid binaries can be considered reasonably safe.
< Still, root holes are occasionally found in these binaries. A root hole
< was found in Xlib in 1998 that made xterm
< (which is typically suid)
---
> the system-default SUID and SGID binaries can be considered reasonably safe.
> Still, root holes are occasionally found in these binaries.
> A root hole
> was found in Xlib in 1998 that made
> .Xr xterm 1
> (which is typically SUID)
280c391
< It is better to be safe than sorry and the prudent sysadmin will restrict suid
---
> It is better to be safe than sorry and the prudent sysadmin will restrict SUID
283,286c394,400
< .Pq Li "chmod 000"
< any suid binaries that nobody uses. A
< server with no display generally does not need an xterm binary. Sgid binaries
< can be almost as dangerous. If an intruder can break an sgid-kmem binary the
---
> .Pq Dq Li "chmod 000"
> any SUID binaries that nobody uses.
> A server with no display generally does not need an
> .Xr xterm 1
> binary.
> SGID binaries can be almost as dangerous.
> If an intruder can break an SGID-kmem binary the
290,293c404,414
< file, potentially compromising any passworded account. Alternatively an
< intruder who breaks group kmem can monitor keystrokes sent through pty's,
< including pty's used by users who login through secure methods. An intruder
< that breaks the tty group can write to almost any user's tty. If a user
---
> file, potentially compromising any passworded account.
> Alternatively an
> intruder who breaks group
> .Dq Li kmem
> can monitor keystrokes sent through PTYs,
> including PTYs used by users who log in through secure methods.
> An intruder
> that breaks the
> .Dq Li tty
> group can write to almost any user's TTY.
> If a user
300,302c421,425
< User accounts are usually the most difficult to secure. While you can impose
< Draconian access restrictions on your staff and *-out their passwords, you
< may not be able to do so with any general user accounts you might have. If
---
> User accounts are usually the most difficult to secure.
> While you can impose
> draconian access restrictions on your staff and *-out their passwords, you
> may not be able to do so with any general user accounts you might have.
> If
304,305c427,430
< user accounts properly. If not, you simply have to be more vigilant in your
< monitoring of those accounts. Use of ssh and kerberos for user accounts is
---
> user accounts properly.
> If not, you simply have to be more vigilant in your
> monitoring of those accounts.
> Use of SSH and Kerberos for user accounts is
311c436,437
< use ssh or kerberos for access to those accounts. Even though the
---
> use SSH or Kerberos for access to those accounts.
> Even though the
321c447
< .Sq Checking file integrity
---
> .Sx CHECKING FILE INTEGRITY
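Review bot: `.Sx CHECKING FILE INTEGRITY` is the right macro for a section cross-reference, but it only resolves if the `.Sh` heading is spelled exactly that way; the heading itself is outside this diff, so check that the text and case match.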
325,326c451,453
< are certain conveniences. For example, most modern kernels have a
< packet sniffing device driver built in. Under
---
> are certain conveniences.
> For example, most modern kernels have a packet sniffing device driver built in.
> Under
330,333c457,464
< .Sq bpf
< device. An intruder will commonly attempt to run a packet sniffer
< on a compromised machine. You do not need to give the intruder the
< capability and most systems should not have the bpf device compiled in.
---
> .Xr bpf 4
> device.
> An intruder will commonly attempt to run a packet sniffer
> on a compromised machine.
> You do not need to give the intruder the
> capability and most systems should not have the
> .Xr bpf 4
> device compiled in.
335,336c466,468
< But even if you turn off the bpf device,
< you still have
---
> But even if you turn off the
> .Xr bpf 4
> device, you still have
340c472,473
< to worry about. For that matter,
---
> to worry about.
> For that matter,
345c478,480
< his own bpf device or other sniffing device on a running kernel.
---
> his own
> .Xr bpf 4
> device or other sniffing device on a running kernel.
347,348c482,488
< the kernel at a higher secure level, at least securelevel 1. The securelevel
< can be set with a sysctl on the kern.securelevel variable. Once you have
---
> the kernel at a higher secure level, at least securelevel 1.
> The securelevel can be set with a
> .Xr sysctl 8
> on the
> .Va kern.securelevel
> variable.
> Once you have
350,352c490,495
< special chflags flags, such as
< .Sq schg ,
< will be enforced. You must also ensure
---
> special
> .Xr chflags 1
> flags, such as
> .Cm schg ,
> will be enforced.
> You must also ensure
354c497
< .Sq schg
---
> .Cm schg
357,361c500,514
< is set. This might be overdoing it, and upgrading the system is much more
< difficult when you operate at a higher secure level. You may compromise and
< run the system at a higher secure level but not set the schg flag for every
< system file and directory under the sun. Another possibility is to simply
< mount / and /usr read-only. It should be noted that being too draconian in
---
> is set.
> This might be overdoing it, and upgrading the system is much more
> difficult when you operate at a higher secure level.
> You may compromise and
> run the system at a higher secure level but not set the
> .Cm schg
> flag for every
> system file and directory under the sun.
> Another possibility is to simply
> mount
> .Pa /
> and
> .Pa /usr
> read-only.
> It should be noted that being too draconian in
367,369c520,531
< rears its ugly head. For example, using chflags to set the schg bit
< on most of the files in / and /usr is probably counterproductive because
< while it may protect the files, it also closes a detection window. The
---
> rears its ugly head.
> For example, using
> .Xr chflags 1
> to set the
> .Cm schg
> bit on most of the files in
> .Pa /
> and
> .Pa /usr
> is probably counterproductive because
> while it may protect the files, it also closes a detection window.
> The
372c534,535
< a false sense of safety) if you cannot detect potential incursions. Half
---
> a false sense of safety) if you cannot detect potential incursions.
> Half
378c541,542
< unexpected files. The best
---
> unexpected files.
> The best
386,387c550,552
< limited-access box, or by setting up ssh keypairs to allow the limit-access
< box to ssh to the other machines. Except for its network traffic, NFS is
---
> limited-access box, or by setting up SSH keypairs to allow the limit-access
> box to SSH to the other machines.
> Except for its network traffic, NFS is
389c554,555
< client box virtually undetected. If your
---
> client box virtually undetected.
> If your
391c557,558
< the NFS method is often the better choice. If your limited-access server
---
> the NFS method is often the better choice.
> If your limited-access server
393,394c560,561
< of routing, the NFS method may be too insecure (network-wise) and using ssh
< may be the better choice even with the audit-trail tracks that ssh lays.
---
> of routing, the NFS method may be too insecure (network-wise) and using SSH
> may be the better choice even with the audit-trail tracks that SSH lays.
398c565,566
< monitoring. Given an NFS mount, you can write scripts out of simple system
---
> monitoring.
> Given an NFS mount, you can write scripts out of simple system
401a570,571
> .Xr md5 1 .
> It is best to physically
403c573
< It is best to physically md5 the client-box files boxes at least once a
---
> the client-box files boxes at least once a
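Review bot: `the client-box files boxes at least once a` keeps a stray `boxes` from the old line; with the sentence already being re-split around `.Xr md5 1`, drop it so the line reads `the client-box files at least once a`.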
408c578,579
< even more often. When mismatches are found relative to the base md5
---
> even more often.
> When mismatches are found relative to the base MD5
410,411c581,583
< a sysadmin to go check it out. A good security script will also check for
< inappropriate suid binaries and for new or deleted files on system partitions
---
> a sysadmin to go check it out.
> A good security script will also check for
> inappropriate SUID binaries and for new or deleted files on system partitions
415c587
< .Pa /usr
---
> .Pa /usr .
417,419c589,592
< When using ssh rather than NFS, writing the security script is much more
< difficult. You essentially have to
< .Pa scp
---
> When using SSH rather than NFS, writing the security script is much more
> difficult.
> You essentially have to
> .Xr scp 1
421,423c594,603
< for safety you also need to scp the binaries (such as find) that those scripts
< use. The ssh daemon on the client box may already be compromised. All in all,
< using ssh may be necessary when running over unsecure links, but it's also a
---
> for safety you also need to
> .Xr scp 1
> the binaries (such as
> .Xr find 1 )
> that those scripts use.
> The
> .Xr sshd 8
> daemon on the client box may already be compromised.
> All in all,
> using SSH may be necessary when running over unsecure links, but it is also a
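Review bot: `unsecure links` in the rewrapped line should read `insecure links`; the hunk already changes `it's` to `it is` on that same line, so the spelling fix fits in with it.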
428,430c608
< .Pa .rhosts ,
< .Pa .shosts ,
< .Pa .ssh/authorized_keys
---
> .Pa .rhosts , .shosts , .ssh/authorized_keys
434,437c612,617
< through every file on those partitions. In this case, setting mount
< flags to disallow suid binaries and devices on those partitions is a good
< idea. The
< .Sq nodev
---
> through every file on those partitions.
> In this case, setting mount
> flags to disallow SUID binaries and devices on those partitions is a good
> idea.
> The
> .Cm nodev
439c619
< .Sq nosuid
---
> .Cm nosuid
443c623,624
< are what you want to look into. I would scan them anyway at least once a
---
> are what you want to look into.
> I would scan them anyway at least once a
452c633,634
< mechanism. It is especially useful in tracking down how an intruder has
---
> mechanism.
> It is especially useful in tracking down how an intruder has
458c640,641
< very useful. An intruder tries to cover his tracks, and log files are critical
---
> very useful.
> An intruder tries to cover his tracks, and log files are critical
460c643,644
< break-in. One way to keep a permanent record of the log files is to run
---
> break-in.
> One way to keep a permanent record of the log files is to run
464c648,649
< A little paranoia never hurts. As a rule, a sysadmin can add any number
---
> A little paranoia never hurts.
> As a rule, a sysadmin can add any number
467c652,653
< thought. Even more importantly, a security administrator should mix it up
---
> thought.
> Even more importantly, a security administrator should mix it up
471,473c657,660
< .Sh SPECIAL SECTION ON D.O.S. ATTACKS
< This section covers Denial of Service attacks. A DOS attack is typically
< a packet attack. While there isn't much you can do about modern spoofed
---
> .Sh SPECIAL SECTION ON DoS ATTACKS
> This section covers Denial of Service attacks.
> A DoS attack is typically a packet attack.
> While there is not much you can do about modern spoofed
480c667
< Limiting springboard attacks (ICMP response attacks, ping broadcast, etc...)
---
> Limiting springboard attacks (ICMP response attacks, ping broadcast, etc.)
485c672
< A common DOS attack is against a forking server that attempts to cause the
---
> A common DoS attack is against a forking server that attempts to cause the
487,489c674,677
< dies. Inetd
< (see
< .Xr inetd 8 )
---
> dies.
> The
> .Xr inetd 8
> server
493c681,684
< by the attack. Read the inetd manual page carefully and pay specific attention
---
> by the attack.
> Read the
> .Xr inetd 8
> manual page carefully and pay specific attention
495,496c686
< .Fl c ,
< .Fl C ,
---
> .Fl c , C ,
499c689,690
< options. Note that spoofed-IP attacks will circumvent
---
> options.
> Note that spoofed-IP attacks will circumvent
502c693,695
< option to inetd, so typically a combination of options must be used.
---
> option to
> .Xr inetd 8 ,
> so typically a combination of options must be used.
505c698,700
< Sendmail has its
---
> The
> .Xr sendmail 8
> daemon has its
508,510c703,708
< better than trying to use sendmail's load limiting options due to the
< load lag. You should specify a
< .Cm MaxDaemonChildren
---
> better than trying to use
> .Xr sendmail 8 Ns 's
> load limiting options due to the
> load lag.
> You should specify a
> .Va MaxDaemonChildren
512,514c710,719
< sendmail high enough to handle your expected load but no so high that the
< computer cannot handle that number of sendmails without falling on its face.
< It is also prudent to run sendmail in queued mode
---
> .Xr sendmail 8
> high enough to handle your expected load but not so high that the
> computer cannot handle that number of
> .Nm sendmail Ns 's
> without falling on its face.
> It is also prudent to run
> .Xr sendmail 8
> in
> .Dq queued
> mode
517c722
< .Pq Cm sendmail -bd
---
> .Pq Dq Nm sendmail Fl bd
519,520c724,725
< .Pq Cm sendmail -q15m .
< If you still want realtime delivery you can run the queue
---
> .Pq Dq Nm sendmail Fl q15m .
> If you still want real-time delivery you can run the queue
524,525c729,732
< .Cm MaxDaemonChildren
< option for that sendmail to prevent cascade failures.
---
> .Va MaxDaemonChildren
> option for that
> .Xr sendmail 8
> to prevent cascade failures.
527c734,736
< Syslogd can be attacked directly and it is strongly recommended that you use
---
> The
> .Xr syslogd 8
> daemon can be attacked directly and it is strongly recommended that you use
536c745,746
< be attacked directly. You generally do not want to use the reverse-ident
---
> be attacked directly.
> You generally do not want to use the reverse-ident
540c750,751
< by firewalling them off at your border routers. The idea here is to prevent
---
> by firewalling them off at your border routers.
> The idea here is to prevent
542,543c753,755
< services from network-based root compromise. Always configure an exclusive
< firewall, i.e.\&
---
> services from network-based root compromise.
> Always configure an exclusive
> firewall, i.e.,
551c763,764
< services such as named
---
> services such as
> .Xr named 8
553c766,767
< ntalkd, sendmail,
---
> .Xr talkd 8 ,
> .Xr sendmail 8 ,
558c772
< .Sq close
---
> .Dq close
560c774,775
< service and forget to update the firewall. You can still open up the
---
> service and forget to update the firewall.
> You can still open up the
562c777,778
< without compromising your low ports. Also take note that
---
> without compromising your low ports.
> Also take note that
566,567c782,784
< net.inet.ip.portrange sysctl's
< .Pq Li "sysctl -a | fgrep portrange" ,
---
> .Va net.inet.ip.portrange
> sysctl's
> .Pq Dq Li "sysctl net.inet.ip.portrange" ,
569c786,787
< ease the complexity of your firewall's configuration. I usually use a normal
---
> ease the complexity of your firewall's configuration.
> I usually use a normal
575c793
< Another common DOS attack is called a springboard attack \(em to attack a server
---
> Another common DoS attack is called a springboard attack \(em to attack a server
577,578c795,798
< the server, the local network, or some other machine. The most common attack
< of this nature is the ICMP PING BROADCAST attack. The attacker spoofs ping
---
> the server, the local network, or some other machine.
> The most common attack
> of this nature is the ICMP PING BROADCAST attack.
> The attacker spoofs ping
580c800,801
< to the actual machine they wish to attack. If your border routers are not
---
> to the actual machine they wish to attack.
> If your border routers are not
584,586c805,808
< broadcast addresses over several dozen different networks at once. Broadcast
< attacks of over a hundred and twenty megabits have been measured. A second
< common springboard attack is against the ICMP error reporting system. By
---
> broadcast addresses over several dozen different networks at once.
> Broadcast attacks of over a hundred and twenty megabits have been measured.
> A second common springboard attack is against the ICMP error reporting system.
> By
589,591c811,817
< outgoing network with ICMP responses. This type of attack can also crash the
< server by running it out of mbuf's, especially if the server cannot drain the
< ICMP responses it generates fast enough. The
---
> outgoing network with ICMP responses.
> This type of attack can also crash the
> server by running it out of
> .Vt mbuf Ns 's ,
> especially if the server cannot drain the
> ICMP responses it generates fast enough.
> The
594,596c820,828
< compile option called ICMP_BANDLIM which limits the effectiveness of these
< sorts of attacks. The last major class of springboard attacks is related to
< certain internal inetd services such as the udp echo service. An attacker
---
> compile option called
> .Dv ICMP_BANDLIM
> which limits the effectiveness of these
> sorts of attacks.
> The last major class of springboard attacks is related to
> certain internal
> .Xr inetd 8
> services such as the UDP echo service.
> An attacker
599,603c831,841
< are both on your LAN. The two servers then bounce this one packet back and
< forth between each other. The attacker can overload both servers and their
< LANs simply by injecting a few packets in this manner. Similar problems
< exist with the internal chargen port. A competent sysadmin will turn off all
< of these inetd-internal test services.
---
> are both on your LAN.
> The two servers then bounce this one packet back and
> forth between each other.
> The attacker can overload both servers and their
> LANs simply by injecting a few packets in this manner.
> Similar problems
> exist with the internal chargen port.
> A competent sysadmin will turn off all
> of these
> .Xr inetd 8 Ns -internal
> test services.
606,607c844,850
< Refer to the net.inet.ip.rtexpire, rtminexpire, and rtmaxcache sysctl
< parameters. A spoofed packet attack that uses a random source IP will cause
---
> Refer to the
> .Va net.inet.ip.rtexpire , net.inet.ip.rtminexpire ,
> and
> .Va net.inet.ip.rtmaxcache
> .Xr sysctl 8
> variables.
> A spoofed packet attack that uses a random source IP will cause
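Review bot: expanding the abbreviated `rtminexpire` and `rtmaxcache` of the old line to their full `net.inet.ip.` names in the `.Va` lines is the right call, since the original prose only qualified the first of the three and left the reader to infer the prefix for the other two; the comma after `net.inet.ip.rtminexpire ,` is passed to `.Va` as a separate argument and so is treated as punctuation rather than formatted. Replacing "sysctl parameters" with `.Xr sysctl 8` "variables" also matches the term the sysctl(8) page itself uses. One readability point: the first two variables share one `.Va` line while the third gets its own; putting each on its own `.Va` line would make the source easier to scan and to edit later.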
610c853
< .Sq netstat -rna \&| fgrep W3 .
---
> .Dq Li "netstat -rna | fgrep W3" .
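Review bot: quoting the whole command as one argument in `.Dq Li "netstat -rna | fgrep W3" .` removes the need for the `\&|` escape that the old `.Sq` form required and renders the command in literal font inside double quotes, which is the usual mdoc idiom for an inline command; the trailing ` .` stays a separate argument and is handled as punctuation. Worth a quick render check that the `|` inside the quoted string is passed through unchanged, since that was the reason for the escape in the old line.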
612,614c855,862
< seconds or so. If the kernel detects that the cached route table has gotten
< too big it will dynamically reduce the rtexpire but will never decrease it to
< less than rtminexpire. There are two problems: (1) The kernel does not react
---
> seconds or so.
> If the kernel detects that the cached route table has gotten
> too big it will dynamically reduce the
> .Va rtexpire
> but will never decrease it to
> less than
> .Va rtminexpire .
> There are two problems: (1) The kernel does not react
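Review bot: this hunk refers to the variables by their short names `.Va rtexpire` and `.Va rtminexpire`, while the hunk a few lines above spells them out as `.Va net.inet.ip.rtexpire` and `net.inet.ip.rtminexpire`. The short forms follow the original prose, but a reader now sees two spellings of the same sysctl variable within one paragraph; consider using the fully qualified names throughout, or at least at the first mention after the `.Xr sysctl 8` reference, so the short names are unambiguous.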
616c864,865
< rtminexpire is not low enough for the kernel to survive a sustained attack.
---
> .Va rtminexpire
> is not low enough for the kernel to survive a sustained attack.
618c867,871
< prudent to manually override both rtexpire and rtminexpire via
---
> prudent to manually override both
> .Va rtexpire
> and
> .Va rtminexpire
> via
625,629c878,888
< There are a few issues with both kerberos and ssh that need to be addressed
< if you intend to use them. Kerberos V is an excellent authentication
< protocol but the kerberized telnet and rlogin suck rocks. There are bugs that
< make them unsuitable for dealing with binary streams. Also, by default
< kerberos does not encrypt a session unless you use the
---
> There are a few issues with both Kerberos and SSH that need to be addressed
> if you intend to use them.
> Kerberos5 is an excellent authentication
> protocol but the kerberized
> .Xr telnet 1
> and
> .Xr rlogin 1
> suck rocks.
> There are bugs that make them unsuitable for dealing with binary streams.
> Also, by default
> Kerberos does not encrypt a session unless you use the
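Review bot: `Kerberos V` is changed to the fused form `Kerberos5` here, while every other mention in the hunk is plain `Kerberos`; if the version designation is intended, `Kerberos 5` (or whatever spelling the rest of the page uses) would read more consistently than `Kerberos5`. Capitalizing Kerberos and SSH and adding the `.Xr telnet 1` and `.Xr rlogin 1` cross-references are straightforward improvements; the informal "suck rocks" is carried over unchanged, which keeps the author's register.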
631c890,891
< option. Ssh encrypts everything by default.
---
> option.
> SSH encrypts everything by default.
633c893
< Ssh works quite well in every respect except when it is set up to
---
> SSH works quite well in every respect except when it is set up to
636,638c896,903
< keys that give you access to the rest of the system, and you ssh to an
< unsecure machine, your keys become exposed. The actual keys themselves are
< not exposed, but ssh installs a forwarding port for the duration of your
---
> keys that give you access to the rest of the system, and you
> .Xr ssh 1
> to an
> unsecure machine, your keys become exposed.
> The actual keys themselves are
> not exposed, but
> .Xr ssh 1
> installs a forwarding port for the duration of your
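Review bot: the spelling `unsecure machine` is carried over from the old text on a line this hunk already touches; the standard spelling is `insecure machine`, so this is the place to fix it. Using `.Xr ssh 1` for the verb in "you `.Xr ssh 1` to an unsecure machine" puts a cross-reference in the middle of a sentence where the word is used as a verb; FreeBSD pages do this, but the second occurrence, "but `.Xr ssh 1` installs a forwarding port", is the one that actually names the program, and plain "ssh" would read more naturally for the verb.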
643,646c908,914
< We recommend that you use ssh in combination with kerberos whenever possible
< for staff logins. Ssh can be compiled with kerberos support. This reduces
< your reliance on potentially exposable ssh keys while at the same time
< protecting passwords via kerberos. Ssh keys
---
> We recommend that you use SSH in combination with Kerberos whenever possible
> for staff logins.
> SSH can be compiled with Kerberos support.
> This reduces
> your reliance on potentially exposable SSH keys while at the same time
> protecting passwords via Kerberos.
> SSH keys
648,651c916,920
< that kerberos is unsuited to). We also recommend that you either turn off
< key-forwarding in the ssh configuration, or that you make use of the
< .Pa "from=IP/DOMAIN"
< option that ssh allows in its
---
> that Kerberos is unsuited to).
> We also recommend that you either turn off
> key-forwarding in the SSH configuration, or that you make use of the
> .Va from Ns = Ns Ar IP/DOMAIN
> option that SSH allows in its
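Review bot: replacing `.Pa "from=IP/DOMAIN"` with `.Va from Ns = Ns Ar IP/DOMAIN` is correct, since `.Pa` marks pathnames and `from=` is an option taking a user-supplied argument; the two `Ns` macros keep `from=IP/DOMAIN` as one unbroken token in the rendered output while setting the option name and its argument in their proper fonts. The hunk ends mid-sentence at "option that SSH allows in its", so the file the option belongs to is named only in the continuation not shown here; confirm that the continuation still carries the matching markup for that file.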