[FUGSPBR] Pequeno artigo de como fazer =?iso-8859-1?q?seguran=E7a?=no seu FreeBSD
Christian
mandapraesse em uol.com.br
Seg Jun 23 15:06:00 BRT 2003
Galerinha, um pequeno artigo da
http://www.net-security.org
Na íntegra, aqui.
4 newbies (like me) .
;-)
=================================================
Basic Security Measures for FreeBSD
by Szekely Ervin - Thursday, 19 June 2003.
Introduction
This document will describe the basic security measures that should be
applied to a FreeBSD 4.x workstation.
Mostly all of these measures should be applied in a server environment
too with some extra measures
(CGI/PHP security for webservers, SQL security for databases, etc.)
The basics
FreeBSD is a pretty secure OS, although security aware people shouldn't
rely on default OS security
because even if the installed release is secure at the moment, our
security system should protect us not
only from current vulnerabilities but from ALL of them, even the
undiscovered/undisclosed ones.
The first thing to do after we install FreeBSD is disabling to services
we don't need.
Let's say that you need FTP for file transfer and a SSHD (that you will
only use in your local network).
In order to disable all other services edit /etc/rc.conf like this:
sendmail_enable="NONE" # disable sendmail
sshd_enable="YES" # only if you need sshd otherwise set it to "NO"
If you need ftpd you should also add:
inetd_enable="YES"
Now edit /etc/inetd.conf and uncomment ftp. The rest of the services
should be left commented unless you
don't need something else too (but remember that more services mean more
risk).
Ok, now you should check the /usr/local/etc/rc.d/ directory. That's
where httpd,
rpcd, and other daemons are initialized just chmod -x the scripts you
don't need
(or just move/delete them if you feel more comfortable with it).
Now reboot your system and type this:
sockstat -l4
you should see something like:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN
ADDRESS
root sshd 432 4 tcp4 *:22 *:*
root lpd 72 7 tcp4 *:515 *:*
root syslogd 60 5 udp4 *:514 *:*
root inetd 445 4 tcp4 *:21 *:*
If you see any other open service that you don't need you probably
missed something in /usr/local/etc/rc.d/.
User management
If you are the only one who's using the workstation you should have at
least 2 users besides root.
The first one should be used for ftp access. That's because ftp
transfers are not encrypted and they
can be sniffed. This user should have the lowest security level and
SHOULD NOT BE PART OF THE WHEEL GROUP.
This is very important, this is the reason for having 2 users. The
difference between regular users
and users added to the wheel group is that while those in the wheel
group are able to "su root",
regular users can't access root even if they would have the root
password.
The second user should be part of the wheel group and it will be used
ONLY for ssh.
This user's password shouldn't be exposed to unencrypted protocols (like
ftp, telnet, pop, etc).
In order to make sure that you will never accidentally log in to ftp,
you should add this user to
/etc/ftpusers. If you need multiple users you should use this scheme
for all of them
(depending on their needs). I guess it's useless to say that you should
use different passwords for these users :).
Firewalling
Firewalls are usually designed to prevent outsiders from accessing
services on our network, they're also
used to prevent DoS (Denial of Service) and DDoS (Distributed Denial of
Service) attacks.
FreeBSD comes with a superb firewalling tool called ipfw. It's very
flexible has tons of options yet it's
pretty easy to use & set up. Now we're going to discuss how to set up a
firewall for a workstation
connected to the internet trough a dial-up connection (that's what I
have at home), however you can use
this document for other connection types too.
First of all you have to reconfigure your kernel. If you don't know how
to do that, check in the FreeBSD
handbook.
Edit your own kernel and add the following lines:
options IPFIREWALL
options IPFW2 # for FreeBSD < 4.7 use IPFW instead of IPFW2
options IPFIREWALL_VERBOSE #we also want logs, right ?
options IPFIREWALL_VERBOSE_LIMIT=100 # This prevents your log file from
filling
# up with lots of repetitive
entries
options IPDIVERT # Enables divert sockets (we're gonna talk
about this
# latter
options TCP_DROP_SYNFIN # This option ignores all TCP packets that
contain
# SYN and FIN, this prevents OS fingerprinting with
tools
# like nmap. This option is not recommended if your
gonna
# run a webserver on this machine because it breaks
support
# for RFC1644.
Now all you have to do is recompile the kernel. But don't reboot yet.
We're gonna still need to do some
changes in /etc/rc.conf.
Open /etc/rc.conf in your favorite text editor and add these lines:
firewall_enable="YES"
firewall_script="/etc/firewall/ifpw.rules" # This is where your firewall
script
# is going to be located
natd_enable="YES"
natd_interface="tun0" # Or eth0 if your not on dial-up
natd_flags="-dynamic"
Now, if you are a dial-up user you might have natd enabled either in
your rc.conf file either in
your ppp.conf file. Disable them by adding/modifying this line in
rc.conf:
ppp_nat="NO"
Now let's get down to the firewall rules. Create the /etc/firewall/
directory and start editing the
ipfw.rules file (or whatever you added to rc./conf) - example:
# First let's define the firewall command:
fwcmd="/sbin/ipfw"
# Now let's flush the existing ipfw commands (you'll see that this
# command is gonna be usefull in the future
$fwcmd -f flush
# Ignore SYN, FIN, FRAG TCP packets
$fwcmd add 50 deny tcp from any to any in via any tcpflags syn,fin
$fwcmd add 60 deny ip from any to any in via any frag
#Allow ssh access in the local network, only if you need it
$fwcmd add 70 allow ip from 192.168.1.0/24 to 192.168.1.0/24 22
#Allow netbios access in the local network, only if you need it
$fwcmd add 80 allow ip from 192.168.1.0/24 to 192.168.1.0/24 135-137
# Divert all packets through the tunnel interface.
$fwcmd add 90 divert natd all from any to any via tun0
# Of course tun0 should be change to eth0 if your not on dial-up
# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
$fwcmd add 100 check-state
$fwcmd add 110 deny tcp from any to any established
# Allow all localhost connections
$fwcmd add 120 allow tcp from me to any out via lo0 setup keep-state
$fwcmd add 130 deny tcp from me to any out via lo0
$fwcmd add 140 allow ip from me to any out via lo0 keep-state
# Allow all connections from your network card (that should be
# intialised first)
$fwcmd add 150 allow tcp from me to any out xmit any setup keep-state
$fwcmd add 160 deny tcp from me to any
$fwcmd add 170 allow ip from me to any out xmit any keep-state
# Everyone on the Internet is allowed to connect to the following
# services on the machine.
$fwcmd add 180 allow tcp from any to me dst-port 21,80 in recv any setup
keep-state
# If you don't have a webserver or you don't want it to be open to the
# world remove "80"
# This sends a RESET to all ident packets.
$fwcmd add 190 reset log tcp from any to me 113 in recv any
# Enable ICMP: remove type 8 if you don't want your host to be pingable
$fwcmd add 200 allow icmp from any to any icmptypes 0,3,8,11,12,13,14
# Denny everything else.
$fwcmd add 210 deny log ip from any to any
That's all. Now reboot your machine. In order to check if the firewall
was loaded type:
ipfw show
You should see the firewall rules you just made. Now your firewall is up
and running protecting you
from the outside world. If you want to disable your firewall do:
ipfw -f flush
The great thing about ipfw is that you can add commands on the way. All
you have to do is type:
ipfw add Rule_Number Rule
The Rule_Number is important because ipfw interprets the commands in the
order you specify them.
For more advanced ipfw rules read the man.
Testing your security
OK, now you have a pretty secure workstation that you can safely connect
to the internet.
But how can you know that for sure ? Test it.
Testing the firewall
For this operation you'll probably need a friend's help (because your
firewall was configured
to allow localhost connections. Of course you could add something like:
ipfw del 120
ipfw del 130
ipfw del 140
Or whatever the numbers of the rules that allow localhost connections
are. Either way you have to
find a way to be "outside" the firewall.
Now, ask a friend, or by yourself do a nmap scan (you can install it in
freeBSD from /usr/ports/security/nmap).
The command should be something like:
nmap -v -O -sS your.host.com
If everything is right you should only see the ports you enabled (21 and
maybe 80). To check your ftp and
httpd security the best way is to look up their version number in a
security database like bugtraq,
security-focus, packetstormsecurity, etc.
_______________________________________________________________
Sair da Lista: http://www2.fugspbr.org/mailman/listinfo/fugspbr
Historico: http://www4.fugspbr.org/lista/html/FUG-BR/
Mais detalhes sobre a lista de discussão freebsd