book

Mastering FreeBSD and OpenBSD Security

by Paco Hope, Bruce Potter, Yanek Korff

March 2005

Beginner to intermediate

464 pages

17h 6m

English

O'Reilly Media, Inc.

Read now

Unlock full access

AudienceAssumptions This Book MakesContents of This BookPart I: Security FoundationPart II: Deployment SituationsPart III: Auditing and Incident ResponseConventions Used in This BookTypographic ConventionsConventions in ExamplesUsing Code ExamplesComments and QuestionsSafari EnabledAcknowledgmentsYanek KorffPaco HopeBruce PotterOur ReviewersO’Reilly
What Is System Security?ConfidentialityIntegrityAvailabilitySummaryIdentifying RisksAttacksProblems in SoftwareBuffer overflowsSQL injectionOther software problemsProtecting yourselfDenial of Service AttacksTarget: physicalTarget: networkTarget: applicationProtecting yourselfImproper Configuration and UseSloppy application configurationProtecting yourselfAccounts and permissionsPasswords and other account problemsNetwork Versus Local AttacksPhysical SecuritySummaryResponding to RiskHow Much Security?Risk and consequenceSecurity versus functionalityChoosing the Right ResponseMitigate riskAccept riskTransfer riskSecurity Process and PrinciplesInitial ConfigurationOngoing MaintenanceAuditing and Incident ResponseSystem Security PrinciplesApply Security EvenlyPractice Defense in DepthFail SafeEnforce Least PrivilegeSegregate ServicesSimplifyUse Security Through Obscurity WiselyDoubt by DefaultStay Up to DateWrapping UpResourcesGeneral Security ResourcesGeneral Security-Related Request for Comments (RFCs)
Filesystem ProtectionsOverviewUFS Filesystem FlagsManipulating flagsSystem immutable flag (schg)User immutable flag (uchg)Nodump flag (nodump)System append-only flag (sappnd)User append-only flag (uappnd)System no unlink flag (sunlnk)User no unlink flag (uunlnk)Opaque flag (opaque)Archived flag (arch)Common Uses of FlagsCandidates for system immutableCandidates for append-onlyFinding files with flagsPOSIX Access Control Lists (FreeBSD Only)Enabling ACLsACLs in /etc/fstabACLs in the superblockManaging ACLsTweaking a Running Kernel: sysctlSetting sysctl ValuesKernel Security LevelLevel -1: “permanently insecure”Level 0: transitional security levelLevel 1: improved operational securityLevel 2: high securityLevel 3: network securitySetting the securelevel for FreeBSDSetting the securelevel for OpenBSDThoughts on using securelevelOther Security-Related Kernel VariablesRandom PIDsControlling core dumpsReducing visibility in the networkDropping “synfins”The Basic Sandbox: chrootCreating a chroot EnvironmentAn Example: chrooting ntpdFinding Other DependenciesSorting through kdump’s outputMaking device nodesLimitations of chrootJail: Beyond chrootNew LimitationsLimited process interactionLimited access to network resourcesDevices and mknodCreating Jail EnvironmentsBuilding jails from sourceInstalling from a distribution CDLaunching JailsFat jails as virtual machinesJail security optionsManaging jailsInstalling Software in JailMake a builder jailInstall from binary packageGetting custom software installed in a jailNFS-Based JailsCreating a single NFS master jailInherent ProtectionsFighting Buffer OverflowsW^X memory protectionProPolice stack protectionCryptographyCode ReviewOS Tuningmaxusers: Basic InfluenceIncreasing Maximum ValuesNetwork BufferingWrapping UpResources
General ConcernsWhat Are You Building?WorkstationWorkgroup serverInfrastructure serverMultipurpose systemMedia and NetworkTo be networked or not to be networkedMedia verificationPreexisting VulnerabilitiesSlicing Up Your FilesystemXFree86Users and PasswordsSummaryInstalling FreeBSDPreparing the DiskChoosing Distribution SetsPost-Installation ConfigurationBasic network configurationNetwork gatewayinetdsshdSecurity profile (FreeBSD 4.x only)Anonymous FTPNFSTime zoneLinux compatibilityXFree86PackagesFinishing up the installFreeBSD Hardening: Your First StepsStep 1: Configure sudoStep 2: Turn Off Unnecessary ServicesStep 3: Update Your SystemGetting the latest sourcesKernel configurationYour first upgradeStep 4: Wrapping UpInstalling OpenBSDPreparing the DiskConfiguring Your NetworkChoosing Your Distribution SetsActivating sshdAn Innocuous Question About XFinishing UpOpenBSD Hardening: Your First StepsStep 1: Create a UserStep 2: Configure sudoStep 3: Turn Off Unnecessary ServicessshdinetdSendmailStep 4: Update Your SystemStep 5: Wrapping UpPost-Upgrade HardeningConfigure Users and GroupsToor (FreeBSD only)Adjust Mount OptionsLock Down sshdPassword authenticationPublic key authenticationChallenge response authenticationConfigure Basic LoggingCreate Login BannersConfigure NTPTune Your KernelSet File FlagsLocal SecurityOn the screenAdjust /etc/ttysWrapping UpResourcesFreeBSDOpenBSD
Access ControlControlling User AccessUsing a catchall primary groupProject-based or role-based primary groupsPer-user groupsLogin classesumasksThe danger of ACLs (FreeBSD only)Controlling Administrator AccessDisable and avoid clear-text accessConnect using SSHPrivileged access using sshGeneral sudo ConfigurationAvoid dangerous commandsUse explicit pathsBe very specificUse NOPASSWD sparinglyBe realisticComparing sudo and suSafeguard the Root PasswordSecurity in Everyday TasksInstalling SoftwarePorts and packagesPorts ownershipPorts and base conflictsMultiple versions installed (FreeBSD only)Change ControlTracking ChangesData RecoveryData completenessData confidentialityData retentionFilesystem accessNetwork accessUpgradingPatching OnlyTracking BranchesTracking OpenBSD branchesTracking FreeBSD branchesSecurity Vulnerability ResponseKeeping AbreastSecurity Advisory ResponseCategorizationSeverity assessmentResponse planning and executionNetwork Service Securityinetd and tcpwrappersNetwork File SystemImplicit UID and GID trustNFS export controlNFS network restrictionsNetwork Information ServicesPassword format compatibilityEncrypted password exposureLimiting access to NIS mapsOn the client sideWhen is NIS right for you?Secure File Distribution Using scpInitial setupPushing files with passphrase authenticationPushing files without passphrase authenticationAn scp alternativeWrapping upThe Importance of Time (NTP)SecurityArchitectureMonitoring System HealthNagiosInstallationConfigurationInstalling NRPEConfiguring Nagios with NRPEFine-tuningWrapping upWrapping UpResourcesOperating SystemSystem MonitoringGeneral Security
The Criticality of DNSTechnical Risks Related to DNSVulnerabilities in DNS softwareZone misconfigurationsMissing zone informationRisks Related to DNS and MailRisks Related to DNS AttacksCache poisoningDNS spoofingRegistration hijackingResponding to DNS-Based RisksLimit recursionLimit zone transfersMaintain your own zonesRun secure, organization-wide recursion serversSeparate caches from authoritative serversSummaryDNS SoftwareBIND 9djbdnsTypical ArchitectureBIND Versus djbdnsOne process or many?Zone maintenanceDynamic updatesIncremental zone transfers and notifyRemote controlSummaryInstalling BINDFreeBSDInstalling djbdnsPreliminariesLocating zone dataDaemontoolsucspi-tcpFreeBSDInstalling on OpenBSD via sourceInstalling on OpenBSD via unofficial portsOperating BINDRunning BIND in chrootMake a filesystemLaunch BIND from /etc/rc.confConfiguration IdeasSecurity restrictionsLoggingUsing includes to separate permissionsManaging BINDTransaction Signatures (TSIG)Cautions about using TSIGPractical uses for TSIGOperating djbdnsRunning tinydnsRoutine MaintenanceThe tinydns data fileLoad balancingNaming nameserversWrapping UpResourcesBIND Resourcesdjbdns ResourcesSelected DNS-Related Requests for Comments (RFCs)
Mail Server AttacksOperating System Level AttacksIllegitimate Mail RelayingUnwanted MailMail ArchitectureProtect the Operating SystemAvoid Being an Open RelayStop Unwanted MailContent filtering with SpamAssassinArbitrary content filteringDNS real-time blacklists (RBLs)Mail and DNSSecurity ImplicationsSMTPEnvelope Versus HeaderSecurity ImplicationsSMTP AUTH via SASLTLSSPFMessage integrity, privacy, and non-repudiationMail Server ConfigurationsNull ClientInternal Mail ServerMail RelayExternal Mail ServerSendmailInstallation and ConfigurationRoot BackgroundThe Configuration FilesOverall Sendmail SecurityFile and directory permissionsBeware recipient programsSecurity-Related Configuration OptionsArbitrary program restrictionDon’t blame SendmailMasquerade your domainObfuscate greetingPermissions of transient filesPrivacy optionsRunning sendmail as nonprivileged usersSafe file environmentTrusted userTrusted usersLimiting Denial of Service AttacksBlocking Unwanted MailAccess databaseDNS blacklistsMiltersArbitrary content filteringVirus protectionAuthentication and EncryptionInstalling Sendmail+SASL+TLS on FreeBSDInstalling Sendmail+SASL+TLS on OpenBSDConfiguring Sendmail with SASL+TLSPostfixInstallation and Configuration: FreeBSDInstallation and Configuration: OpenBSDPostfix Security FoundationDo one thing, do it wellUnderstanding loggingChrootConfiguration filesSecurity-Related Configuration OptionsArbitrary program restrictionMasquerade your domainObfuscate smtpd bannerDisable unneeded commandsLimiting Denial of Service AttacksBlocking Unwanted MailAccess tableArbitrary content filteringDNS blacklistsVirus protectionAuthentication and EncryptionVerifying Postfix+SASL+TLS installationConfiguring Postfix with SASL+TLSqmailMail AccessGuidelines for Securing Mail Access—InternallyGuidelines for Securing Mail Access—ExternallyVirtual private networks (VPN)WebmailWrapping UpResourcesMTA SoftwareSpam Defense and AntivirusSMTP SecurityMail Access SoftwareSelected Mail-Related Request for Comments (RFCs)

Web Server AttacksWhy You CareSpecific Threats to Web ServersFile and data disclosureArbitrary program executionApplication abuseWeb ArchitectureServer Software ChoicesApacheInstalling ApacheFreeBSDMakefile optionsRecording your use of Apache 2OpenBSDConfigure parametersConfiguring ApacheUser overridesProtecting critical filesResisting denial of serviceModule Overviewmod_cgimod_phpPHP and permissionsmod_php Apache configurationPHP configurationmod_perlmod_includemod_davmod_autoindexmod_info and mod_statusmod_userdirApache Best PracticesEnable only modules you needMinimize information leaksAlways separate HTML and CGI locationsProtect sensitive configuration filesRun CGI programs as normal userscgiwrapmod_suexecSummaryEncrypting Web TrafficSSL and certificatesEnabling SSLSSL, TLS, and cipher choiceRestricting ciphers at the serverCPU usagethttpdInstalling thttpdConfiguring thttpdResisting Denial of ServiceAdvanced Web Servers with JailsUsing Jail or ChrootHow many instances?Building and installing into a jailFinding and adding support filesLaunching httpd in chroot(8) on OpenBSD or FreeBSDLaunching httpd in jail(8) on FreeBSDA Two-Tiered ArchitectureConfigure the internal jailsConfiguring the external jailJail versus chrootAdvantages and DisadvantagesUltimate separationPerformanceModularityWrapping UpResourcesApache Resourcesthttpd ResourcesGeneral ResourcesSelected Web-Related RFCs
Firewall ArchitecturesBump in the WireDMZSpiderTransparentHostHigh AvailabilityHost LockdownThe Options: IPFW Versus PFIPFWPFDifferencesBasic IPFW ConfigurationKernel ConfigurationStartup ConfigurationFirewall ConfigurationOptional argumentsRequired argumentsUsing the FirewallBasic PF ConfigurationKernel and Startup ConfigurationPF in FreeBSDFirewall ConfigurationUsing the FirewallLoggingHandling FailureCARPCARP ConfigurationpfsyncWrapping UpResources
No Magic BulletsMonitoring an IDSResponding to IDS EventsIDS ArchitecturesHost-Based IDSNetwork-Based IDSLog Analysis Versus IDSHoneypots Versus IDSIntrusion Prevention SystemsNIDS on BSDSnortSensor HardwareHost LockdownInstalling and Configuring SnortContaining SnortStoring Events in Flat FilesStoring Events in MySQLSnort with PFACIDInstalling ACIDConfiguring ACIDRunning ACIDHIDS on BSDOsirisInstalling and Configuring OsirisRunning OsirisWrapping UpResources
System LoggingLogging via syslogdsyslog.conf ConfigurationSyslog FacilitiesSyslog LevelsProgram and Hostname MatchingSyslog ActionsDebugging syslogdRunning syslogdAdditional socketssyslogd on FreeBSDsyslogd on OpenBSDsyslogd DrawbacksLack of access controlLack of reliabilityLack of integrity or confidentialityMonolithicsyslogd Replacementssyslog-ngminirsyslogdmsyslogCapturing LogsSecuring a LoghostBenefits of a LoghostLoghost System SecuritySyslog RelaySyslog relay configurationConclusionlogfile Managementnewsyslog OverviewConfiguring Log RotationSecuring logfilesAutomated Log MonitoringAutomated Auditing Using logcheckInstallationConfigurationDrawbacksAutomated Auditing Using swatchInstallationConfigurationRunning swatchCatching new messagesOngoing MonitoringAutomated Auditing ScriptsOpenBSD’s Security ScriptFreeBSD’s Periodic ScriptsWrapping UpResourcesLogging ToolsSecure Transport Providers for LoggingLog MonitoringSelected Logging-Related Request for Comments (RFCs)
Incident ResponsePreparationIdentifying resourcesTraining staffCreation of document templatesBuilding your bag of tricksIncident DetectionIncident AssessmentResponsePostmortem AnalysisForensics on BSDHow Serious Are You?Online and Offline AnalysisThings to Look ForChanged filesAdded usersStrange directoriesUnknown processes and LKMsKnown rootkits and hacker toolsDigging Deeper with the Sleuth KitHistory of the Sleuth KitInstalling and Understanding TSKUsing TSKAutopsyWrapping UpResources

Content preview from Mastering FreeBSD and OpenBSD Security

Chapter 7. Building a Secure Web Server

What he trusts in is fragile; what he relies on is a spider’s web.

—Job 8:14, Holy Bible,New International Version

The World Wide Web: to many people, it is the Internet. Few machines in your network are so blatantly visible if they are compromised. Your router might be weak, your mail server might be compromised, but it is hard for the average person to see that. If your web server is compromised, however, all manner of things go very wrong very fast. Your organization might be publically humiliated, it might lose money or sales, or your server might be commandeered to attack another site. Additionally, it is a core server in your network that probably has many non-administrators working on it. You know that if your mail server suddenly breaks or if the firewall starts denying everything, it was either an administrator or a hacker who did it. With web servers, you have any number of sources of code and configurations that are managed by a wide variety of people with varying skill sets. The potential for inadvertent problems is high. The system is critical and there are a lot of sources for problems, both inside and outside your organization. Fortunately, with FreeBSD and OpenBSD, you have an outstanding tool chest full of diverse tools for securing your web servers.

In this chapter, we focus on Internet-facing web servers, because FreeBSD and OpenBSD systems thrive there, despite the hostile environment. First, we cover a variety of topics ...