Security Notes

This file details the methods used to secure systems. The basic requirement of all security is to prevent "hackers" from disrupting the normal operations of the system. The second requirement is to protect private data from unauthorized access. The third is to allow authorized users to do whatever they want from wherever they want. Most solutions to the first two requirements usually conflict with the third.

Techniques

Don't run old software, don't run software you don't need, don't allow just anyone to connect to the services you do offer, don't run stuff as root.

A /tmp placed on an independent partition and mounted noexec,nosuid, along with chattr +a on logs and +i on important directories like /sbin, /bin and the like, is a fair policy. It won't stop a hacker, but it will likely stop a worm.
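An added example (not part of the original notes) that audits this policy: it checks a /proc/mounts-format file for a separate /tmp carrying noexec and nosuid, and reads the flag field of lsattr -d output. The function names and the paths in audit_live are assumptions.

```shell
#!/bin/sh
# Added example: audit the /tmp mount options and chattr flags described above.

# tmp_mount_status MOUNTS_FILE  (use /proc/mounts on a live host)
# Prints: ok | not-separate | missing:<options>
tmp_mount_status() {
    awk '
        $2 == "/tmp" { found = 1; opts = $4 }   # last entry wins if overmounted
        END {
            if (!found) { print "not-separate"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            miss = ""
            if (!("noexec" in have)) miss = miss "noexec,"
            if (!("nosuid" in have)) miss = miss "nosuid,"
            if (miss == "") { print "ok"; exit }
            sub(/,$/, "", miss)
            print "missing:" miss
        }' "$1"
}

# has_attr FLAG LSATTR_LINE
# lsattr -d prints "<flags> <path>"; succeed if FLAG (a or i) is in the flags.
has_attr() {
    flags=${2%% *}
    case $flags in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_live: report on the running system. The paths are assumptions taken
# from the examples in the text; adjust them to the local layout.
audit_live() {
    echo "/tmp mount: $(tmp_mount_status /proc/mounts)"
    for spec in a:/var/log/messages i:/sbin i:/bin; do
        flag=${spec%%:*}; path=${spec#*:}
        line=$(lsattr -d "$path" 2>/dev/null) || { echo "$path: lsattr failed"; continue; }
        if has_attr "$flag" "$line"; then echo "$path: +$flag set"
        else echo "$path: +$flag MISSING"; fi
    done
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with --live on the host being checked; lsattr only reports flags on filesystems that support them.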

BIND

BIND can be run as a user other than root, and it can chroot itself to some other directory. If you choose the latter, this is the list of files required in the chrooted area, in addition to the DNS data, on RedHat 6.1. Use ldd on the binaries to get a list of shared libraries to put in lib.

.:
dev  etc  lib  usr  var

./dev:
null  random  zero

./etc:
group  ld.so.cache  ld.so.conf  named.conf  passwd  rndc.key

./usr:
lib  sbin

./usr/sbin:
named  named-bootconf  named-checkconf  named-checkzone

./var:
log  named  run

./var/log:

./var/named:

./var/run:
named

./var/run/named:
named.pid
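
An added example (not from the original notes) of the ldd step: it turns ldd output into a de-duplicated list of library paths and copies them into the chroot, failing if any library is unresolved. The function names and the chroot path in the usage comment are assumptions, and each library keeps its original path under the chroot.

```shell
#!/bin/sh
# Added example: derive the chroot's library list from ldd output.

# ldd_paths: read ldd output on stdin and print each resolved library path
# once. Entries ldd could not resolve are reported on stderr and make the
# function return non-zero, so a broken chroot is caught at build time.
ldd_paths() {
    awk '
        $2 == "=>" && $3 == "not" { print "unresolved: " $1 > "/dev/stderr"; bad = 1; next }
        $2 == "=>" && $3 ~ /^\//  { p = $3 }     # libc.so.6 => /lib/libc.so.6 (0x...)
        $1 ~ /^\//                { p = $1 }     # /lib/ld-linux.so.2 (0x...)
        p != "" && !seen[p]++     { print p }
        { p = "" }
        END { exit bad + 0 }
    '
}

# copy_libs CHROOT BINARY...
# Copy every library the binaries need into the chroot, keeping its original
# path (/lib/libc.so.6 -> CHROOT/lib/libc.so.6) so the loader finds it there.
# Library paths containing whitespace are not handled.
copy_libs() {
    root=$1; shift
    list=$(for bin in "$@"; do ldd "$bin"; done | ldd_paths) || return 1
    for lib in $list; do
        mkdir -p "$root$(dirname "$lib")" || return 1
        cp -pL "$lib" "$root$lib" || return 1    # -L: copy the file, not the symlink
    done
}

# Typical use for the layout listed above (the chroot path is an assumption):
#   copy_libs /chroot/named /usr/sbin/named /usr/sbin/named-checkconf
```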

Sendmail

Newer sendmail can give up root after opening the sendmail socket. Especially if you're not doing any local delivery, this is a good idea.

https

Since the US has (partly) removed its head from its nether-regions wrt crypto exports, and the RSA patents have expired, the compilation instructions are moot; openssl and mod_ssl are available with your OS.

(Compile and) install the openssl packages, configure mod_ssl --with-apxs=/usr/sbin/apxs if your apache is preinstalled.

Creating your own self signed keys

Assuming you know the limitations of not paying for a certificate:

  1. Grab the scripts and config file from openvalidation.org.
  2. Edit the openssl.cnf and change the default country and stuff (just to save typing).
  3. ./MakeRootCA.sh
     This creates a self-signed root certificate.
  4. mkdir Tokens
  5. ./MakeCert.sh server www
     This creates a certificate and signs it, and places it in Tokens/www*:

     wwwcert.crt
         Signed certificate in DER format
     www.p12
         Signed certificate in pkcs12 format
     wwwcert.pem
         A server certificate signed by the ca.key. Stick this in the location pointed to by SSLCertificateFile. Typically /etc/http/conf/ssl.key/server.crt
     wwwkey.pem
         The server private key. Stick this in the location pointed to by SSLCertificateKeyFile. Typically /etc/http/conf/sslcrt/server.crt

You should also grab the Makefile and ca-bundle.crt from ?? and place them in SSLCACertificatePath, along with your self-signed certificate RootCA/certs/00.pem

Create a directory for revocation certificates and point SSLCARevocationPath to it.

You will probably want to strip the password from the server.key file so you don't have to type it in every time the server boots:
cp Tokens/wwwkey.pem Tokens/wwwkey.pem.org
openssl rsa -in Tokens/wwwkey.pem.org -out Tokens/wwwkey.pem

Repeat the MakeCert.sh for all the servers you need.
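
Once the passphrase is stripped, file permissions are the only thing protecting the key. An added example (not part of the original notes or of the openvalidation.org scripts) that checks a key for an encryption header, for group/other access, and for a modulus matching its certificate; the function names are assumptions.

```shell
#!/bin/sh
# Added example: checks for a server key whose passphrase has been removed.

# key_is_encrypted FILE: succeed if the PEM key is still passphrase-protected.
# Traditional PEM keys carry a "Proc-Type: 4,ENCRYPTED" header; PKCS#8 keys
# use a "BEGIN ENCRYPTED PRIVATE KEY" line instead.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# key_mode_ok FILE: succeed only if group and other have no access at all
# (ls -l columns 5-10 are the group and other permission bits).
key_mode_ok() {
    perms=$(ls -ld "$1") || return 2
    case $perms in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# key_matches_cert KEY CERT: compare the RSA modulus of both (needs openssl).
# "-passin pass:" keeps openssl from prompting if the key is still encrypted.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -passin pass: -in "$1" 2>/dev/null) || return 2
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# audit_key KEY CERT: print one line per finding, return 1 if there were any.
audit_key() {
    rc=0
    if ! key_is_encrypted "$1" && ! key_mode_ok "$1"; then
        echo "$1: unencrypted key is accessible to group or other"; rc=1
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "$1: does not match $2 (or openssl could not read them)"; rc=1
    fi
    return $rc
}

# e.g. audit_key Tokens/wwwkey.pem Tokens/wwwcert.pem
```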

IIS
  1. In IIS, go under the directory security tab, and generate a certificate request and save it to a file called req.pem.
  2. openssl ca -name server -keyfile RootCA/private/RootCAkey.pem -in req.pem -out cert.pem -outdir RootCA/certs -config ./openssl.cnf
  3. Edit the .pem file, and remove everything before the BEGIN CERTIFICATE line.
  4. In IIS, from the same place you generated the certificate request, import the signed certificate.

stunnel

Create the certificate with MakeCert.sh server stunnel, and combine Tokens/stunnelkey.pem and the actual certificate from Tokens/wwwcert.pem into one file, and pass it to stunnel with the -p option.

imap/ipop

Create the combined file as for stunnel, and install it as /usr/share/ssl/certs/imapd.pem and ipop3d.pem

Tools to Improve Security

LinSec

The main aim of LinSec is to introduce Mandatory Access Control (MAC) mechanism into Linux (as opposed to existing Discretionary Access Control mechanism). LinSec model is based on:

Other Security Tools

Freefire Projekt Startpage, English, Bernd Eckenfels
ARIS Analyser
ARIS analyzer is a service designed, administered and maintained by SecurityFocus to allow participating network administrators to submit suspicious network traffic and intrusion attempts anonymously, for detailed analysis and tracking. Our aim is to help our participants track incidents and find patterns in attacks that will serve as a threat gauging system for the Internet community. Participants receive a copy of ARIS extractor, our Intrusion Detection System log-parsing tool, and access to a secure, personalized, web-based Incident Console. The incident console is comprised of several time saving utilities that enable you to track your incidents, create personal incident reports, and generate attacker notification messages through our easy-to-use Incident Wizard, a notification engine.
Chkrootkit
Checks for known rootkit installations

Related Resources


Tony Lill,                         Tony.Lill@AJLC.Waterloo.ON.CA
President, A. J. Lill Consultants                 (519) 241 2461
539 Grand Valley Dr., Cambridge, Ont.    fax/data (519) 650 3571

"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"