Article original: http://www.xfocus.net/articles/200108/248.html
Creation time: 2001-08-07
Article attribute: original
Article source: http://xfocus.org/
Article submission: xundi (xundi_at_xfocus.org)

Some FreeBSD-related security issues
By xundi@xfocus.org
http://xfocus.org/
2001/08/07
======================================================================
FreeBSD log security
--------------------
i) If you have installed sshd (and sshd is strongly recommended, because the default telnetd
has a serious security problem), edit your /etc/syslog.conf and change the
security.* /var/log/security entry to read as follows:
security.*;auth.info    /var/log/security
The reason is simple: this makes syslogd record the log messages for connections to sshd.
Of course you can also create other log files if you wish, but when you create a new log file
you must check that /etc/newsyslog.conf has a matching entry, such as:
/var/log/auth    600  10    100  *     Z
Here /var/log/auth is the log file name, 600 is the mode given to the log file, 10 is the
number of archived files to keep, 100 is the file size in kilobytes at which it is rotated,
and * is the rotation interval or a fixed rotation time; * means that rotation is decided by
size alone. The last field, Z, specifies how the archived log is processed: Z means the
archived log is compressed with gzip(1) to save space. See man newsyslog for more information.
Some of the log files in newsyslog.conf are created world-readable, such as maillog and
messages; set their mode to 600 as well, as follows:
/var/log/messages   600  5    100  *     Z
/var/log/maillog    600  7    *    @T00  Z
Of course, if you also have to send the messages to another host, edit /etc/syslog.conf,
uncomment the entry below and change loghost to the name of the machine that should receive
the log:
#*.*    @loghost
Finally, to prevent ordinary users from reading these files, change their modes with the
following commands:
# chmod 600 /etc/syslog.conf
# chmod 600 /etc/newsyslog.conf
======================================================================
About SSH configuration
-----------------------
As mentioned above, the telnetd daemon has a serious buffer overflow that yields a remote root
shell, so if you need remote administration it is strongly recommended that you use SSH and
keep it at the newest version (at least one without very serious vulnerabilities; a few remain,
see the security advisories for details).
The sshd control file is /etc/ssh/sshd_config. If you have no need for SSH protocol 1, it is
recommended that you disable it, because protocol 1 is not as secure as protocol 2. This also
prevents an attacker from hijacking the session by tampering with the version exchange to
downgrade you to protocol 1 and force communication over the SSH 1 protocol. Comment out the
line
Protocol 2,1
and use the following line instead:
Protocol 2
Second, sshd uses a fair amount of memory while running; this is also the cause of the
denial-of-service problem recently found in Cisco products. Every connection takes a
considerable amount of memory, so FreeBSD sets MaxStartups by default, and the default value
is a sane one:
MaxStartups 5:50:10
Unless many people administer the system or it provides shell service, this value is usually
enough. MaxStartups is not the total number of connections, only the number of connections
that have not yet been authenticated; this means that at any one time at most 5 people can be
in the login process simultaneously.
By default FreeBSD's OpenSSH configuration turns off remote root login and empty passwords. It
is also suggested that you turn off X11 forwarding by changing the X11Forwarding line to:
X11Forwarding no
If your machine runs as a server you don't need to install the X server at all, because with
X11Forwarding on, a remote host you connect to may take control of your X11 session: it can
record the session, display garbage and capture your display.
It is highly recommended not to use static passwords but DSA or RSA keys; you can disable
password authentication as follows:
PasswordAuthentication no
because password authentication is not a safe method: there is the possibility of social
engineering, guessing and theft.
For sshd, you can restrict which groups or users may log in to a shell with the following:
AllowGroups shellusers
or
AllowGroups wheel
or
AllowUsers xundi
Of course, if you want to change an existing user's shell to /sbin/nologin so that the user
can no longer get a shell, you can change it directly with:
chsh -s /sbin/nologin user
Finally, you had better use TCP wrappers to limit access: edit /etc/hosts.allow, comment out
the other independent access controls, and add the following:
sshd : localhost : allow
sshd : friendlycomputer : allow
sshd : ALL : deny
FreeBSD's daily security check (/etc/security) does not report SSH logins by default, so you
need to patch /etc/security. The following patch only detects and reports failed password
logins; you can extend it to detect failed DSA/RSA key logins or login attempts for
non-existent users:
--- / etc / security Mon Jun 11 15:45:02 2001
/ etc / security Mon Jun 11 15:48:29 2001
@@ -44, 6 44 ,7 @@
sort -t. -r -n 1 -2 |
Xargs Zcat -F
[-f $ log / messages] && cat $ log / message
[-F $ log / security] && catch $ log / security
}
sflag = false ignore =
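Review bot: the added line `[-F $ log / security] && catch $ log / security` will not run as written: `catch` is not a command and `-F` is not a test operator, and the line does not mirror the `cat $ log / messages` line right above it. It should read `[ -f $log/security ] && cat $log/security`, so that /var/log/security (where the syslog.conf change above sends auth.info) is included in the stream the later grep commands read.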
@@ -188, 6 189, 12 @@
Separator
echo "$ {host} login failies:"
n = $ (CATMSGS | grep -i "^ $ YesterDay. * login failure" | Tee / dev / stderr | wc -l)
[$ N -GT 0 -A $ RC -LT 1] && rc = 1
# Show "$ {Host} SSH login failes:"
Separetor
Echo "$ {Host} login failes:"
n = $ (CATMSGS | grep -i "^ $ Yesterday. * Failed password" | TEE / DEV / STDERR | WC -L)
[$ n -gt 0 -a $ rc -lt 1] && rc = 1
# SW TCP_Wrapper WARNING Messages
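Review bot: the new block under `# Show "${Host} SSH login failes:"` echoes the same heading as the section above it (`"${host} login failies:"`), so the two counts cannot be told apart in the daily report; change the echo to something like `echo "${host} ssh login failures:"` (and fix the spelling). Also, as the text above notes, `grep -i "^$Yesterday.*Failed password"` only matches password failures; failed DSA/RSA key logins and attempts for non-existent users still go unreported, so add a second grep for those messages if they should count towards rc=1.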
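Added example (mine, not from the article or from FreeBSD's /etc/security): a small sh script that performs the check the patch above adds, extended to the key-login and non-existent-user failures the text mentions. The log lines it runs on are constructed, and the exact OpenSSH message wording (`Failed publickey`, `Illegal user`/`Invalid user`) is an assumption, so match it to your sshd version.

```shell
#!/bin/sh
# Added example (not part of the original article or of /etc/security): count
# yesterday's SSH authentication failures the way the patched /etc/security does,
# but also covering failed key logins and attempts for non-existent users.
# Assumption: OpenSSH logs "Failed password", "Failed publickey" and
# "Illegal user"/"Invalid user" messages with the usual syslog date prefix.

# Constructed sample of /var/log/messages (not captured from a real host).
SAMPLE_LOG=$(cat <<'EOF'
Aug  6 23:59:10 host sshd[412]: Failed password for root from 10.0.0.5 port 4021 ssh2
Aug  7 00:01:22 host sshd[413]: Accepted publickey for xundi from 192.168.1.2 port 1022 ssh2
Aug  7 00:02:05 host sshd[414]: Failed password for xundi from 10.0.0.5 port 4022 ssh2
Aug  7 00:02:09 host sshd[414]: Failed password for xundi from 10.0.0.5 port 4022 ssh2
Aug  7 00:02:40 host sshd[415]: Failed publickey for xundi from 10.0.0.5 port 4023 ssh2
Aug  7 00:03:11 host sshd[416]: Illegal user admin from 10.0.0.5
Aug  7 00:04:00 host login: 1 LOGIN FAILURE ON ttyv0, root
EOF
)

# ssh_failures DAY CATEGORY: stdin = log text, DAY = syslog date prefix such as
# "Aug  7" (what /etc/security keeps in $yesterday). Prints the matching lines
# on stderr, as the script's "tee /dev/stderr" does, and the count on stdout.
ssh_failures() {
    case "$2" in
        password) pat='Failed password' ;;
        key)      pat='Failed publickey' ;;
        invalid)  pat='(Illegal|Invalid) user' ;;
        *)        echo "unknown category: $2" >&2; return 1 ;;
    esac
    # only sshd lines from the requested day; grep exits 1 on no match
    matches=$(grep -E -i "^$1 .*sshd\[[0-9]+\]: $pat" || true)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches" >&2
        printf '%s\n' "$matches" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# ssh_report DAY: one section per category, like the "login failures" sections
# of /etc/security; returns 1 when anything was found so a caller can set rc=1.
ssh_report() {
    log=$(cat); rc=0
    host=$(hostname 2>/dev/null || echo localhost)
    for c in password key invalid; do
        echo "$host ssh $c login failures:"
        n=$(printf '%s\n' "$log" | ssh_failures "$1" "$c")
        if [ "$n" -gt 0 ]; then rc=1; fi
    done
    return $rc
}

# Stand-alone run on the constructed sample (on a real host pipe in the logs
# the same way /etc/security's catmsgs does)
printf '%s\n' "$SAMPLE_LOG" | ssh_report "Aug  7" || echo "(ssh failures seen)"
```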
======================================================================
Network part
------------
By default, FreeBSD and many other operating systems reply to a TCP SYN segment on a closed
port with an RST packet, which tells the attacker that the port is closed and lets the attacker
go on to scan the next port. In general we do not want to make port scanning that easy, nor do
we want to waste much CPU time on a DoS attack. So we can use a FreeBSD facility named
blackhole. The blackhole sysctl(8) MIB controls how the system behaves when a connection
request arrives for a TCP or UDP port with no socket listening on it; see man blackhole for
details. When this option is set, a connection attempt to a TCP or UDP port without a listening
socket is dropped immediately and no RST packet is sent, instead of the remote side seeing
"Connection reset by peer". This feature is activated with:
sysctl -w net.inet.tcp.blackhole=2
sysctl -w net.inet.udp.blackhole=1
You can activate these settings immediately with:
# /bin/sh /etc/rc.sysctl
Of course, this feature is no substitute for a firewall built with the ipfw(8) tools; to build a
system with higher security you certainly need ipfw(8) or IPFilter.
Edit /etc/rc.conf to turn off unneeded services:
i) the portmap service, if you do not have NFS, NIS and the like. Add to /etc/rc.conf:
portmap_enable="NO"
You will often find someone sweeping the whole network for target port 111; this is someone
scanning for RPC service vulnerabilities. You can drop packets with destination port 111 at
your edge router.
ii) Unless you run a mail server or mail gateway, I suggest you put sendmail in queueing-only
mode; if you really need an SMTP gateway, it is recommended that you install postfix.
sendmail_flags="-q1m"
iii) It is recommended that you drop ICMP redirects to prevent DoS attacks or session
hijacking. You can also log ICMP redirects, but then you have to sort through the messages,
because sometimes Cisco routers also generate redirects that are not attacks. To log them, use
the following entry:
icmp_log_redirect="YES"
Of course, to get rid of this ambiguous information completely you can turn off redirects on
your Cisco router:
"no ip send-redirects"
iv) You can set the system to drop SYN+FIN packets. You can filter such packets with ipfw, but
you can also activate this option by adding the following entry to /etc/rc.conf:
tcp_drop_synfin="YES"
Of course, you also need to add the following to the kernel configuration:
options TCP_DROP_SYNFIN
v) Turn off responses to broadcast echo requests:
#sysctl -w net.inet.icmp.bmcastecho=0
Once ICMP echo replies are filtered the server cannot be pinged, which improves security a
little.
vi) Checksum verification of UDP packets:
#sysctl -w net.inet.udp.checksum=1
This prevents attacks with malformed UDP packets.
vii) Set the permissions of rc.sysctl, rc.conf and sysctl.conf:
# chmod 600 /etc/rc.sysctl
# chmod 600 /etc/rc.conf
# chmod 600 /etc/sysctl.conf
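Added example, not from the article: a POSIX sh audit that compares saved copies of /etc/rc.conf and `sysctl -a` output with the settings recommended in this section and reports every one that is missing or differs. The inputs are constructed samples, and `icmp_drop_redirect` is my assumption for the rc.conf knob behind the advice to drop ICMP redirects, since the article only gives the logging entry.

```shell
#!/bin/sh
# Added example (not part of the original article): audit saved copies of
# /etc/rc.conf and "sysctl -a" output against the network settings recommended
# above. Both inputs below are constructed samples, not captured from a host.

# Expected rc.conf settings, one key=value per line. icmp_drop_redirect is an
# assumption: the article recommends dropping redirects but names no entry.
WANT_RC='portmap_enable=NO
icmp_drop_redirect=YES
icmp_log_redirect=YES
tcp_drop_synfin=YES'

# Expected sysctl values, one name=value per line
WANT_SYSCTL='net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.bmcastecho=0
net.inet.udp.checksum=1'

# Constructed rc.conf excerpt: portmap still on, synfin line commented out,
# icmp_drop_redirect absent
SAMPLE_RC='# constructed rc.conf sample
portmap_enable="YES"
sendmail_flags="-q1m"
icmp_log_redirect="YES"    # log ICMP redirects
#tcp_drop_synfin="YES"'

# Constructed "sysctl -a" excerpt: TCP blackhole and bmcastecho still at defaults
SAMPLE_SYSCTL='net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 1
net.inet.icmp.bmcastecho: 1
net.inet.udp.checksum: 1'

# rc_value KEY: effective value of KEY in rc.conf text on stdin. The last
# uncommented assignment wins; quotes and trailing comments are stripped and
# the result is upper-cased, since rc accepts yes/YES alike.
rc_value() {
    sed -n "s/^[[:space:]]*$1=\([^#]*\).*/\1/p" | tail -n 1 |
        sed 's/[[:space:]]*$//; s/^"//; s/"$//' | tr 'a-z' 'A-Z'
}

# sysctl_value NAME: value of NAME in "sysctl -a" style text on stdin
sysctl_value() {
    sed -n "s/^$1: *//p" | tail -n 1
}

# audit KIND WANTLIST: KIND is rc or sysctl, WANTLIST is key=value lines,
# stdin is the text to check. Deviations go to stderr, their count to stdout.
audit() {
    text=$(cat); bad=0
    for want in $2; do
        key=${want%%=*}; exp=${want#*=}
        if [ "$1" = rc ]; then
            got=$(printf '%s\n' "$text" | rc_value "$key")
        else
            got=$(printf '%s\n' "$text" | sysctl_value "$key")
        fi
        if [ "$got" != "$exp" ]; then
            echo "$1: $key is '${got:-unset}', want $exp" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

# Stand-alone run on the constructed samples; on a real host feed it
# /etc/rc.conf and the output of "sysctl -a" instead.
printf '%s\n' "$SAMPLE_RC" | audit rc "$WANT_RC"
printf '%s\n' "$SAMPLE_SYSCTL" | audit sysctl "$WANT_SYSCTL"
```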
======================================================================
Crontab and at issues
---------------------
cron is a relatively powerful service; many vulnerabilities have been found in cron, and at the
very least an ordinary user can waste resources with it. Here it is recommended that you deny
the 'www', 'nobody' and 'bind' users the use of crontab: create a /var/cron/allow file and put
in it only the users who need cron, for example:
# echo root > /var/cron/allow
# chmod 600 /var/cron/allow
and set the permissions so that the crontab cannot be read by other users at will:
# chmod 600 /etc/crontab
Also, if you don't need the 'at' command, turn this service off, because the principle of
security is always "if you don't need it, lose it": comment out the following line in
/etc/crontab:
#*/5    *       *       *       *       root    /usr/libexec/atrun
======================================================================
inetd and rate limiting
-----------------------
inetd is enabled by default and controls many unsafe services, such as telnet, ntalk and
finger. Check all the services in /etc/inetd.conf and close any you don't need. If no user
needs them, disable inetd at startup in /etc/rc.conf:
inetd_enable="NO"
If you do want to use FreeBSD's inetd, you can rate-limit the resources a service's requests
may consume, for example:
auth    stream  tcp     nowait/10/10    root    internal        auth -r -f -n -o UNKNOWN -t 30
The first 10 is the maximum number of child processes we allow, the second is the maximum
number of connections per source IP address (per minute). A value of 10/10 is generally
healthy, but you usually don't use this ident service at all; it is generally only seen with
IRC.
======================================================================
Securelevel problem
-------------------
The FreeBSD kernel has the concept of a security level (securelevel), the security grade the
kernel applies to its internal operations; different levels have different protection and
checking mechanisms. Workstations generally run at securelevel 0 because they may need to run
X11, while servers generally run at level 1 or 2. For details of the kernel security levels,
see Wang Bo's "FreeBSD Using Daquan".
If you want to change the system to level 2, add the following entries to /etc/rc.conf:
kern_securelevel_enable="YES"
kern_securelevel="2"
You can reboot, or use
# sysctl -w kern.securelevel=2
to activate it.
======================================================================
Some local security tips
------------------------
i) Edit /etc/ttys and change "secure" in the following line to "insecure":
console none                            unknown off secure
This way the root password will be required when entering single-user mode. Of course, this
also makes recovery harder if you forget the root password.
ii) Change some machine-related settings such as the BIOS: do not allow booting from floppy,
CD-ROM and so on, that is, boot only from the hard disk and allow no other boot media. Set a
BIOS password to protect the physical security of the machine (if someone turns up with a hoe,
a bomb and a bucket of water there is nothing to be done).
iii) About the virtual terminals and the virtual terminal buffer: the contents of the virtual
terminal buffer are not flushed after you log off, so everything you did on the machine can be
reviewed by scrolling back. You can reconfigure the kernel with parameters such as:
options SC_NO_HISTORY      # no scroll-back history
options SC_DISABLE_DDBKEY  # disable the debugger key
options SC_DISABLE_REBOOT  # disable the Ctrl-Alt-Del key
iv) Security protection for /bin and /sbin:
# chflags schg /bin/*
# chflags schg /sbin/*
======================================================================
Packet filtering problem
------------------------
The FreeBSD packet filter has powerful rule settings for filtering the traffic you want to
block; you can implement it with ipfw, but you need some option settings in the kernel. You
need to enable the following options when compiling the kernel and then boot the new kernel:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options "IPFIREWALL_VERBOSE_LIMIT=100"
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
The first setting, IPFIREWALL, turns on basic packet filtering support; only with it does the
kernel support packet filtering. IPFIREWALL_VERBOSE and IPFIREWALL_VERBOSE_LIMIT set up the
filter log and the limit on the number of log records. IPFIREWALL_DEFAULT_TO_ACCEPT sets the
firewall's default behaviour for packets that match none of the filter rules: they are
accepted. Obviously this is a loose restriction; the system is then mainly used to block a
specific address or a specific service while other network functions work by default. If this
option is not defined, the system only passes packets that match a defined rule and blocks all
others, so that as long as no filter rule is defined the system cannot communicate with other
computers at all. The last option, IPDIVERT, is used to define the interface between
ipfirewall and natd (taken from Wang Bo, "FreeBSD Using Daquan").
You can create /etc/firewall.rules to build your own rules and set the file mode to 600. The
following rules are for reference only:
ipfw -q -f flush
ipfw -q add 00100 allow ip from any to any via lo0
ipfw -q add 00220 deny log ip from me to any in
# SYN+FIN combination packets are typically sent by the nmap and queso scanners, so filter them
ipfw -q add 00225 deny log tcp from any to any in tcpflags syn,fin
# check the dynamic rule state of established sessions
ipfw -q add 00230 check-state
ipfw -q add 00235 deny tcp from any to any in established
ipfw -q add 00240 allow ip from any to any out keep-state
# control ICMP packets, allowing only selected ICMP types
ipfw -q add 00300 allow icmp from any to any icmptype 3
ipfw -q add 00301 allow icmp from any to any icmptype 4
ipfw -q add 00302 allow icmp from any to any icmptype 11
# allow DHCP to pass
ipfw -q add 00401 allow udp from 192.168.2.1 67 to any 68
ipfw -q add 00402 allow udp from 192.168.1.1 67 to any 68
# allow ident requests
ipfw -q add 00500 allow tcp from any to any 113 keep-state setup
# log anything that falls through
ipfw -q add 09000 deny log ip from any to any
In fact there are many articles on rules to refer to, so they are not described here.
You can activate the rules right away with:
# sh /etc/firewall.rules
If you want to see the dropped packets in your log, set the following:
# sysctl -w net.inet.ip.fw.verbose=1
If you want all of these settings activated at boot, edit /etc/rc.conf and add the following:
firewall_enable="YES"
firewall_logging="YES"
firewall_script="/etc/firewall.rules"
If you want to record this information for debugging, don't forget to add the following entry
to /etc/syslog.conf:
!ipfw
*.*                         /var/log/ipfw.log
and remember to set the following in /etc/newsyslog.conf:
/var/log/ipfw.log   600  3    100  *     Z
======================================================================
User resource restriction problem
---------------------------------
Starting from 4.3BSD Net/2, BSD UNIX introduced the login class mechanism to manage users' environment settings, accounting and resource limits. FreeBSD uses the data described in /etc/login.conf to divide users into different login classes according to login environment, mandatory resource limits, accounting management and so on; each user's login class is recorded in that user's entry in /etc/master.passwd. The following is part of the /etc/login.conf of a default installation.
bash-2.03# cat /etc/login.conf
--------------------- SNIP ----------------------
default:\
	:copyright=/etc/COPYRIGHT:\
	:welcome=/etc/motd:\
	:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
	:path=~/bin /bin /usr/bin /usr/local/bin /usr/X11R6/bin:\
	:nologin=/var/run/nologin:\
	:cputime=unlimited:\
	:datasize=unlimited:\
	:stacksize=unlimited:\
	:memorylocked=unlimited:\
	:memoryuse=unlimited:\
	:filesize=unlimited:\
	:coredumpsize=unlimited:\
	:openfiles=unlimited:\
	:maxproc=unlimited:\
	:priority=0:\
	:ignoretime@:\
	:umask=022:
#
# A collection of common class names - forward them all to 'default'
# (login would normally do this anyway, but having a class name
#  here suppresses the diagnostic)
#
standard:\
	:tc=default:
xuser:\
	:tc=default:
staff:\
	:tc=default:
daemon:\
	:tc=default:
news:\
	:tc=default:
dialer:\
	:tc=default:
#
# Root can always login
#
# N.B.  login_getpwclass(3) will use this entry for the root account,
#       in preference to 'default'.
root:\
	:ignorenologin:\
	:tc=default:
--------------------- SNIP ----------------------
Using login.conf you can easily set the user's login environment and resource allowances. The default settings place almost no limits on the resources a user may use; login.conf can be changed to the following:
--------------------- SNIP ----------------------
default:\
	:cputime=infinity:\
	:datasize-cur=64M:\
	:stacksize-cur=64M:\
	:memorylocked-cur=10M:\
	:memoryuse-cur=100M:\
	:filesize=infinity:\
	:coredumpsize=infinity:\
	:maxproc-cur=64:\
	:openfiles-cur=64:\
	:priority=0:\
	:requirehome@:\
	:umask=022:\
	:tc=auth-defaults:
--------------------- SNIP ----------------------
The above sets several parameters in the default login class. If a user's login class is not specified in master.passwd, this default class is used as the user's login class. cputime sets the CPU time available to each of the user's processes; the default is unlimited (infinity). If it is restricted, some processes that need a lot of CPU time will not run normally.
datasize-cur sets the user's data segment to at most 64M, but the -cur setting is not enforced: the data actually used by the user may exceed this value, though it cannot exceed the value set by datasize-max (not set here). Without a -cur or -max suffix, defining datasize alone sets both datasize-cur and datasize-max. In the same way stacksize defines the limits on the stack.
memorylocked-cur sets the maximum memory the user can lock per process.
memoryuse-cur sets the maximum memory used by each process.
filesize-cur sets the maximum size of a file the user may create.
coredumpsize sets the size of the core dump file generated when an application has a problem.
maxproc-cur sets the maximum number of processes the user may run at the same time.
openfiles-cur sets the number of files each process may have open.
priority sets the priority of the user's processes.
requirehome sets whether a home directory is required when the user logs in; the @ symbol indicates that a home directory is not required.
The umask item sets the default umask for the mode of files the user creates.
tc sets the system authentication policy to the default authentication policy.
If you want to create a new class you don't need to set every value: the system applies the default class first and then the settings of the specific class, so you only need to set the items that differ from the default class.
--------------------- SNIP ----------------------
users:\
	:manpath=/usr/share/man /usr/X11R6/man /usr/local/man:\
	:cputime=4h:\
	:openfiles=32:\
	:maxproc=48:\
	:tc=default:
--------------------- SNIP ----------------------
The above sets up a new class, users, in which you can see that it sets the environment variable MANPATH and resets the values of cputime, openfiles, maxproc and tc. After each change to login.conf you must rebuild the login class database:
bash-2.03# cap_mkdb /etc/login.conf
Since the login class is saved in master.passwd, the user's login class is usually set when adding the user with adduser. If you want to change it, use vipw to modify the 5th field of /etc/master.passwd. The following is a line from master.passwd that sets the user's login class to users:
Original (default class):
bash-2.03# cat master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.25 1999/09/13 17:09:07 peter Exp $
stardust:TiOXHDPCTDARE:1004:0::0:0:Stardust:/home/stardust:/usr/local/bin/bash
Change to:
stardust:TiOXHDPCTDARE:1004:0:users:0:0:Stardust:/home/stardust:/usr/local/bin/bash
Setting the disk space available to users is another way of protecting the system: users without a quota can fill up the hard disk at will. To turn on quotas, change this setting in /etc/rc.conf:
check_quotas="NO"     # Check quotas (or NO).
Change to
check_quotas="YES"    # Check quotas (or NO).
Then look at the following man pages, which explain how to use the quota settings and include some examples: quotaon, edquota, repquota, quota. You also need to add "userquota" to the entry in /etc/fstab; see man 5 fstab for details. Thanks to quack.
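Added example, not from the article: a sh/awk function that resolves the effective value of a capability for a login class by following tc= the way the text above describes (the class's own entries first, then the ones inherited from the parent class), run against a constructed login.conf modeled on the default and users classes shown above.

```shell
#!/bin/sh
# Added example (not part of the original article): resolve the effective value
# of a login.conf capability for a class, following tc= inheritance the way
# login_getcap(3) does (a class's own entries take precedence over inherited
# ones). The file below is a constructed sample based on the classes above.

SAMPLE_LOGIN_CONF=$(cat <<'EOF'
# constructed sample login.conf
default:\
        :cputime=infinity:\
        :datasize-cur=64M:\
        :stacksize-cur=64M:\
        :memorylocked-cur=10M:\
        :memoryuse-cur=100M:\
        :maxproc-cur=64:\
        :openfiles-cur=64:\
        :priority=0:\
        :requirehome@:\
        :umask=022:\
        :tc=auth-defaults:
auth-defaults:\
        :auth=passwd:
staff:\
        :tc=default:
users:\
        :manpath=/usr/share/man /usr/X11R6/man /usr/local/man:\
        :cputime=4h:\
        :openfiles=32:\
        :maxproc=48:\
        :tc=default:
EOF
)

# login_cap CLASS CAP: stdin = login.conf text. Prints the value, "" if the
# capability is not set anywhere in the chain, "@" if it is explicitly unset
# with cap@, or "yes" for a boolean capability such as ignorenologin.
login_cap() {
    awk -v cls="$1" -v cap="$2" '
    function lookup(c, k,    n, i, f, v) {
        if (!(c in rec)) return ""
        n = split(rec[c], f, ":")
        for (i = 2; i <= n; i++) {              # f[1] is the class name
            if (f[i] == "") continue
            if (index(f[i], k "=") == 1) return substr(f[i], length(k) + 2)
            if (f[i] == (k "@")) return "@"
            if (f[i] == k) return "yes"
            if (index(f[i], "tc=") == 1) {      # inherited: lower precedence
                v = lookup(substr(f[i], 4), k)
                if (v != "") return v
            }
        }
        return ""
    }
    /^#/ || /^[ \t]*$/ { next }                 # comments and blank lines
    { sub(/^[ \t]+/, "") }                      # strip continuation indent
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next } # join continued lines
    { buf = buf $0; split(buf, nm, "[:|]"); rec[nm[1]] = buf; buf = "" }
    END { print lookup(cls, cap) }'
}

# Demo on the constructed file; on a real host use: login_cap users cputime < /etc/login.conf
printf '%s\n' "$SAMPLE_LOGIN_CONF" | login_cap users cputime   # 4h  (set in users)
printf '%s\n' "$SAMPLE_LOGIN_CONF" | login_cap users umask     # 022 (inherited via tc=default)
```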
======================================================================
Some administrators' daily operations
-------------------------------------
i) Frequently check the security announcements at
http://www.freebsd.org/security/index.html
ii) Subscribe to Bugtraq and the official FreeBSD security mailing list to keep up with
security developments.
iii) Check the system logs every day; you can also capture more information with other tools,
such as snort, which can record fairly complete information.
iv) If your hard disk is large enough and you can spare the time, record connection
information with netstat -an >> /.../.../netstat.log; of course, you can also write a more
detailed script. Because netstat records connection information, even if some backdoor's
activity cannot be found in the logs, netstat will have a record of its connections over a
certain period.
v) If you have a baseline record of your file system, you can check it with a system integrity
checking tool.
vi) If you have a firewall, so much the better; check the firewall logs often.