Bastille Linux: Past, Present and Future
Jay Beale, Lead Developer, Bastille Linux; President, JJB Security Consulting

Bastille Linux
A security hardening script for Linux and Unix
● Red Hat 7.3
● Mandrake 8.2
● Turbo 7.0
● SuSE 7.2
● Debian (current)
● HP-UX 11.x

Bastille Linux: More Operating Systems
● Solaris
● OpenBSD (SSH worm, anyone?)
● FreeBSD?

Sample Screen (screenshot not reproduced in this transcript)

What Does Bastille Do? 1/3
● Firewall
● Set-UID and permissions audit

What Does Bastille Do? 2/3
● Deactivate unnecessary stuff
● Tighten configurations of remaining stuff

What Does Bastille Do? 3/3
● Educate users and admins (they have guns pointed at their boots)
Why Do I Need It?
● Shipped defaults are not optimized for security
● Users need ease of use
● Programmers want convenience
● Neither groks security

But Why Do I Need Security? 1/4
You're targeted by clueful hackers (even if you're not interesting) because you're one hop on the way to the real target.

But Why Do I Need Security? 2/4
You're targeted by script kiddies... because you have an IP address! (That got picked up as vulnerable by their vulnerability scanners.)

But Why Do I Need Security? 3/4
You're targeted by worms... Slightly smarter than script kiddies, but fully automated. Easy to defeat, with hardening!

But Why Do I Need Security? 4/4
Script kiddies choose your box at random to:
● Run their IRC bots
● Run their IRC server
● Serve as an exchange point for files, filez...
● Attack other machines with DoS/DDoS programs
● Brag about how many random machines they 0wn

How Does It Work? 1/2
Minimize points of entry:
● Network daemons
● User-accessible programs

How Does It Work? 2/2
Prevent privilege escalation: Set-UID programs let me turn my "nobody" user access into root!
But Does It Work?
Bastille was written before most of the security vulnerabilities in Red Hat 6.0 were discovered. It could stop or contain almost all of them.

Vulnerabilities Stopped (Red Hat 6.0)
● BIND: remote root
● wu-ftpd: remote root
● userhelper: local root
● lpd + sendmail: remote root
● dump/restore: local root
● gpm: console local root

Vulnerabilities Not Stopped (Red Hat 6.0)
● nmh: local root?
● man: whatever user runs it

So Who's Using It?
You tell me!
● MandrakeSoft had it in their distribution.
● Red Hat has talked about integrating it.
● SGI sold appliances with it loaded.
● Guardent/foo uses it in some appliance.
● Estimated around 75,000-150,000 people?

Capabilities: 2.0 Release
● Intelligence: "requires" tags
● X or Curses configuration
● Reusable config file, with consistency checking

Where We're Going Soon
● More content: this talk will demonstrate
● Growing to run on more platforms: Solaris first
● Enterprise features
Firewall
Configure a default-deny firewall for a masquerading network, or a single machine.

Firewall
Firewall off daemons, but also harden/remove them. Why both?

Defense in Depth
Protect each service or possible vulnerability through multiple means, so that if one fails, the remaining methods keep your machine from being compromised.

File Permissions
● File permissions audit
● Want to do something more comprehensive!
● Educate newbies about groups?

SUID Audit
Blocking all paths to root! Real example: UserRooter (userhelper)

SUID Audit 1/2
● mount/umount*
● ping
● traceroute
● dump/restore*
● cardctl
(* = has been vulnerable in past 3 years)

SUID Audit 2/2
● at
● dosemu
● inn tools
● lpr/lp*
● r-tools*
● usernetctl
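The SUID audit on the two slides above, as an added shell example that is not Bastille's own code: it lists the set-UID binaries under a tree and strips the bit from the programs the slides name. The expansion of "inn tools", "lpr/lp" and "r-tools" into binary names, and the SUID_OWNER, DRY_RUN and SUID_AUDIT_ROOT knobs, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Bastille's own code): audit a tree for set-UID binaries
# and strip the bit from the programs the SUID Audit slides list.

# Programs named on the slides. Assumption: the slides' "inn tools", "lpr/lp"
# and "r-tools" groups are expanded to these installed binary names.
SUID_CANDIDATES="mount umount ping traceroute dump restore cardctl at dosemu
inews rnews lpr lpq lprm lp rsh rlogin rcp usernetctl"

# Print every set-UID regular file under $1, one per line, sorted. Set
# SUID_OWNER=root to restrict the scan to root-owned files (the ones that
# matter for "paths to root").
suid_files() {
    if [ -n "${SUID_OWNER:-}" ]; then
        find "$1" -type f -perm -4000 -user "$SUID_OWNER" 2>/dev/null | sort
    else
        find "$1" -type f -perm -4000 2>/dev/null | sort
    fi
}

# Return 0 if basename $1 is on the audit list.
is_audit_candidate() {
    for name in $SUID_CANDIDATES; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# Walk the set-UID files under $1. Candidates lose the set-UID bit (chmod u-s);
# everything else is reported as kept. DRY_RUN=1 reports without changing.
suid_audit() {
    suid_files "$1" | while IFS= read -r path; do
        base=$(basename "$path")
        if ! is_audit_candidate "$base"; then
            echo "$path kept"
        elif [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$path would-strip"
        else
            chmod u-s "$path" && echo "$path stripped"
        fi
    done
}

# Usage: DRY_RUN=1 SUID_OWNER=root SUID_AUDIT_ROOT=/usr sh suid-audit.sh
if [ -n "${SUID_AUDIT_ROOT:-}" ]; then
    suid_audit "$SUID_AUDIT_ROOT"
fi
```

Run it with DRY_RUN=1 first and review the "kept" lines too: anything set-UID that is not on the list still deserves a look.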
Account Security
Protect the users' accounts. Enforce good policies to prevent privilege escalation.

Account Security
● Protect rhosts via PAM
● Password aging
● Restrict cron
● Umask
● Root TTY logins

Boot Security
● Password-protect LILO
● Password-protect runlevel 1

Secure Inetd
● Deactivate telnet
● Deactivate FTP...
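The Secure Inetd step as an added shell example (not code from the talk or from Bastille): comment out the telnet and ftp entries of an inetd.conf idempotently and list what stays active. The sample inetd.conf is constructed, and the classic-inetd SIGHUP reload in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not Bastille's own code): deactivate telnet, ftp and similar
# services in an inetd.conf, the "Secure Inetd" step, and verify the result.

# Print the service name of every active (uncommented, non-blank) entry in $1.
active_inetd_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Comment out the entries for the services named in $2.. in the inetd.conf $1.
# Idempotent: lines already starting with "#" never match the anchored regex,
# and "ftp" does not match "tftp" because the match is anchored to column 1.
disable_inetd_services() {
    conf=$1; shift
    alts=$(printf '%s|' "$@"); alts=${alts%|}
    awk -v pat="^(${alts})[[:space:]]" '
        $0 ~ pat { print "#" $0; next }   # active entry for a targeted service
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Write a constructed sample inetd.conf to $1 (not a real system file).
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd /tftpboot
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Usage on a real system (assumption: classic inetd, reloaded with SIGHUP):
#   disable_inetd_services /etc/inetd.conf telnet ftp && kill -HUP "$(pidof inetd)"
```

Whatever remains in the active list afterwards (tftp and finger in the sample) is the next thing to justify or remove.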
Applied Minimalism
Since crackers may discover an exploitable vulnerability in any service running with privilege, minimize both the number of these services and their levels of privilege.

Miscellaneous
PAM mandatory system resource limits:
● Prevent core dumps
● Limit number of processes per user
● File size limit 100 MB

Logging
● Lots of extra logging
● Remote logging host
● Process accounting

Killing Daemons 1/2
● apmd
● nfs/portmapper*
● samba
● atd
● pcmcia
● dhcp server (*?)

Killing Daemons 2/2
● gpm*
● news server*
● routing daemons
● NIS
● SNMPd*

Sendmail
● Reduce attacker's access to Sendmail
● Remove reconnaissance commands
● Run sendmail as a non-root process via inetd/xinetd
Postfix?
Sendmail's security vulnerability history is rich! Why? Consider Postfix, by Wietse Venema, author of TCP Wrappers: modular, safer design!

DNS: BIND
Secure BIND. Historical note: we secured BIND before the remote root exploits were released. Philosophy: harden it now, before the bugs are discovered!

Hardening BIND 1/2
● Chroot
● Run as user/group dns
CONTAINMENT

Hardening BIND 2/2
● Restrict queries to set of hosts
● Restrict zone transfers to set of hosts
● Choose a random version string
● Offer to configure views in BIND 9

Hardening Apache 1/3
● Deactivate Apache?
● Bind Apache to localhost?

Hardening Apache 2/3
● Symlinks
● Server Side Includes
● CGI scripts
● Indices

Hardening Apache 3/3
● Removing modules
● Removing handlers
● Restricting .htaccess overrides
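An added awk-based audit, not from Bastille or the talk, covering the three Hardening Apache slides above: it reports, with line numbers, the Options flags for symlinks, server-side includes, CGI and indexes, any AllowOverride other than None, and how many modules the configuration loads. The sample httpd.conf fragment is constructed.

```shell
#!/bin/sh
# Added example (not Bastille's own code): scan an httpd.conf for the settings
# the Hardening Apache slides target and report each one with its line number.

# Print one finding per risky directive in $1, then a count of LoadModule lines
# (the module list is what "Removing modules" trims). Option names are matched
# case-insensitively; "-Includes" style negations are not flagged.
audit_httpd_conf() {
    awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i); sub(/^[+]/, "", o)
                if (o == "followsymlinks") print NR ": Options FollowSymLinks (symlinks followed; prefer SymLinksIfOwnerMatch or none)"
                if (o == "includes")       print NR ": Options Includes (server-side includes enabled)"
                if (o == "execcgi")        print NR ": Options ExecCGI (CGI execution enabled)"
                if (o == "indexes")        print NR ": Options Indexes (directory listings enabled)"
            }
        }
        tolower($1) == "allowoverride" && tolower($2) != "none" {
            print NR ": AllowOverride " $2 " (.htaccess files can override the server config)"
        }
        tolower($1) == "loadmodule" { modules++ }
        END { print "LoadModule directives: " (modules + 0) }
    ' "$1"
}

# Number of per-line findings (excludes the trailing module count).
audit_finding_count() {
    audit_httpd_conf "$1" | grep -c '^[0-9][0-9]*: '
}

# Write a constructed sample httpd.conf fragment to $1 (not a real config).
make_sample_httpd_conf() {
    cat > "$1" <<'EOF'
# constructed sample httpd.conf
LoadModule cgi_module modules/mod_cgi.so
LoadModule include_module modules/mod_include.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
</Directory>
<Directory "/var/www/static">
    Options -Indexes SymLinksIfOwnerMatch
    AllowOverride None
</Directory>
EOF
}

# Usage: audit_httpd_conf /etc/httpd/conf/httpd.conf
```

The second Directory block in the sample shows the shape the slides are aiming for: no listings, owner-matched symlinks only, and no .htaccess overrides.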
FTP
FTP is Really Bad(tm)!
● Unauthenticated data transfer channel (file theft)
● Bad authentication on command channel
● Takeover issues (cleartext session)
Try to replace it:
● HTTP for downloads?
● SFTP for password-authenticated user uploads?

Hardening FTP 1/2
● Deactivate anonymous mode
● Deactivate normal user mode

Hardening FTP 2/2
● Apply path filters to all filenames used
● Deactivate compression/tar-ing (external programs)
● Choose version string randomly
● Chroot normal users via 'guest' accounts
● Require RFC 822-compliant e-mail addresses
● Disable all dynamic 'message file' parsing/delivery
● Create less useful upload area
● Log: transfers, commands and security violations

Speaker Bio
Jay Beale is the Lead Developer of Bastille Linux and an independent security consultant/trainer. Mandrake. He's currently working on a book on Locking Down Linux for Addison Wesley. Read more of his articles on: http://www.bastille-linux.org/jay