summaryrefslogtreecommitdiffstats
path: root/doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml
diff options
context:
space:
mode:
Diffstat (limited to 'doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml')
-rw-r--r--doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml952
1 files changed, 952 insertions, 0 deletions
diff --git a/doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml b/doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml
new file mode 100644
index 0000000..2e008e3
--- /dev/null
+++ b/doc/book-enea-nfv-access-dev-hardening-guide/doc/hardening_checklist.xml
@@ -0,0 +1,952 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<chapter id="hardening_platform">
5 <title>Hardening Enea NFV Access</title>
6
7 <section id="broken_algorithms">
8 <title>Broken Algorithms</title>
9
10 <para>Make sure that algorithms that are broken in regards to security are
11 not used.</para>
12
13 <remark>Ask Sona/Casc if the algorithms listed below are the broken ones
14 to check for or if they're the ones that are broken to begin with and if
15 seen should be eliminated from use.</remark>
16
17 <itemizedlist>
18 <listitem>
19 <para>DES</para>
20 </listitem>
21
22 <listitem>
23 <para>3DES</para>
24 </listitem>
25
26 <listitem>
27 <para>CAST</para>
28 </listitem>
29
30 <listitem>
31 <para>BLOWFISH</para>
32 </listitem>
33
34 <listitem>
35 <para>MD5</para>
36 </listitem>
37
38 <listitem>
39 <para>SHA-1</para>
40 </listitem>
41
42 <listitem>
43 <para>MODP512</para>
44 </listitem>
45
46 <listitem>
47 <para>MODP768</para>
48 </listitem>
49
50 <listitem>
51 <para>MODP1024</para>
52 </listitem>
53 </itemizedlist>
54 </section>
55
56 <section id="sys_installation">
57 <title>System Installation</title>
58
59 <para>Enea NFV Access Images should be check summed with SHA512 and/or a
60 signed GPG key. See <ulink
61 url="https://www.openssl.org/source/">https://www.openssl.org/source/</ulink>
62 for more details on how to proceed.</para>
63 </section>
64
65 <section id="security_updates">
66 <title>Security Updates</title>
67
68 <para>Applying security patches is an important part of security hardening
69 and maintenance. Enea backports all known critical vulnerabilities within
70 a reasonable time frame if not immeditately, and makes them available to
71 users for updates/upgrades.</para>
72
73 <para>Prepare the system for regular updates in the following
74 manner:</para>
75
76 <itemizedlist>
77 <listitem>
78 <para>Configure the target to get software updates from the Enea
79 source repository.</para>
80 </listitem>
81
82 <listitem>
83 <para>Test to update or remove a package using apt-get command:
84 <programlisting>root@inteld1521:~#apt-get update/upgrade</programlisting></para>
85 </listitem>
86 </itemizedlist>
87 </section>
88
89 <section id="openembedded_security_layer">
90 <title>OpenEmbedded meta-security layer</title>
91
92 <para>An OpenEmbedded meta-security layer provides many hardening tools.
93 These tools are open source packages suited for embedded devices. Below is
94 a list of several packages included in meta-security layer:</para>
95
96 <itemizedlist>
97 <listitem>
98 <para>Bastille</para>
99 </listitem>
100
101 <listitem>
102 <para>Redhat-security</para>
103 </listitem>
104
105 <listitem>
106 <para>Buck-security</para>
107 </listitem>
108
109 <listitem>
110 <para>Libseccomp</para>
111 </listitem>
112
113 <listitem>
114 <para>Pax-utils</para>
115 </listitem>
116
117 <listitem>
118 <para>Nmap</para>
119 </listitem>
120
121 <listitem>
122 <para>ISIC</para>
123 </listitem>
124
125 <listitem>
126 <para>Tripwire</para>
127 </listitem>
128
129 <listitem>
130 <para>checksecurity</para>
131 </listitem>
132
133 <listitem>
134 <para>TOMOYO, which contains a number of very useful libraries for
135 system analysis. <remark>Ask Sona if this is the intended meaning of
136 what she wrote here originally: TOMOYO and a number of libraries which
137 is very useful system analysis tool</remark></para>
138 </listitem>
139 </itemizedlist>
140
141 <para>For more information about tools supported in the meta-security
142 layer please refer to <emphasis role="bold">Introduction to the Tools in
143 meta-security layer</emphasis>.</para>
144
145 <remark>change the bold text to point to the section/chapter in question
146 through an xref</remark>
147 </section>
148
149 <section id="ker-hardening">
150 <title>Kernel Hardening</title>
151
152 <para>For a secure set of build CONFIGs and runtime settings see the
153 <ulink
154 url="https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings">Kernel
155 Self Protection Project</ulink>. Essentially, there are three ways to pass
156 options to the kernel:</para>
157
158 <itemizedlist>
159 <listitem>
160 <para>When building the kernel (via
161 <command>menuconfig</command>)</para>
162 </listitem>
163
164 <listitem>
165 <para>When starting the kernel (usually, when invoked from a boot
166 loader).</para>
167 </listitem>
168
169 <listitem>
170 <para>At runtime (through the files in <command>/proc</command> and
171 <command>/sys</command>). See <command>sysctl</command> for
172 details.</para>
173 </listitem>
174 </itemizedlist>
175
176 <para>Parameters either have the format <literal>parameter</literal> or
177 <literal>parameter=value</literal>. Kernel parameters can be configured
178 via <command>/etc/sysctl.conf</command> at run time or via
179 <command>menuconfig</command> at build time.</para>
180
181 <orderedlist>
182 <listitem>
183 <para>How to enable/disable kernel parameters via menuconfig:</para>
184
185 <itemizedlist>
186 <listitem>
187 <para>bitbake virtual/kernel &ndash;c menuconfig</para>
188 </listitem>
189
190 <listitem>
191 <para>Enable the configuration you want, save the .config file in
192 the build directory, and run bitbake.</para>
193 </listitem>
194 </itemizedlist>
195
196 <para>For more info see <ulink
197 url="http://www.tldp.org/HOWTO/SCSI-2.4-HOWTO/kconfig.html">http://www.tldp.org/HOWTO/SCSI-2.4-HOWTO/kconfig.html</ulink>.</para>
198 </listitem>
199
200 <listitem>
201 <para>Permanently add a Kernel Boot Parameter from boot loader:</para>
202
203 <para><programlisting>sudo gedit /etc/default/grub</programlisting></para>
204
205 <para>Enter your password when prompted by sudo. If the file
206 <command>/etc/default/grub</command> appears to be empty or does not
207 exist, see the instructions for earlier releases above.</para>
208 </listitem>
209
210 <listitem>
211 <para>Using <command>etc/sysctl.conf</command>:</para>
212
213 <para>We can view the value of a particular Linux kernel parameter
214 using sysctl, followed by the name of the parameter:</para>
215
216 <programlisting>root@inteld1521:~# sysctl dev.cdrom.autoclose
217dev.cdrom.autoclose = 1</programlisting>
218
219 <para>Or read the associated file:</para>
220
221 <programlisting>root@inteld1521:~# cat /proc/sys/dev/cdrom/autoclose
2221
223root@inteld1521:~# cat /proc/sys/dev/cdrom/</programlisting>
224
225 <para>It is good to store the output of the kernel settings for
226 comparison or reference by redirecting the output of the sysctl
227 command to a file, for example:</para>
228
229 <programlisting>sysctl -A &gt; /root/sysctl.settings.store</programlisting>
230 </listitem>
231 </orderedlist>
232
233 <para>The following kernel configurations can be used to secure the Linux
234 system against attacks.</para>
235
236 <programlisting># Turn on execshield
237kernel.exec-shield=1
238kernel.randomize_va_space=1
239
240# Enable IP spoofing protection
241net.ipv4.conf.all.rp_filter=1
242
243# Disable IP source routing
244net.ipv4.conf.all.accept_source_route=0
245
246# Ignore broadcasts request
247net.ipv4.icmp_echo_ignore_broadcasts=1
248net.ipv4.icmp_ignore_bogus_error_messages=1
249
250# Make sure spoofed packets get logged
251net.ipv4.conf.all.log_martians = 1</programlisting>
252
253 <section id="security-options">
254 <title>Security Options</title>
255
256 <itemizedlist>
257 <listitem>
258 <para>SECURITY</para>
259
260 <itemizedlist>
261 <listitem>
262 <para>(on/off) Enable different security models</para>
263 </listitem>
264
265 <listitem>
266 <para>Depends on SYSFS</para>
267 </listitem>
268 </itemizedlist>
269
270 <para>This option allows you to choose different security modules to
271 configure into your kernel. If this option is not selected, the
272 default Linux security model will be used.</para>
273 </listitem>
274
275 <listitem>
276 <para>SECURITY_NETWORK</para>
277
278 <itemizedlist>
279 <listitem>
280 <para>(on/off) Socket and Networking Security Hooks</para>
281 </listitem>
282
283 <listitem>
284 <para>Depends on SECURITY</para>
285 </listitem>
286 </itemizedlist>
287
288 <para>This enables the socket and networking security hooks. If
289 enabled, a security module can use these hooks to implement socket
290 and networking access controls. If you are unsure how to answer this
291 question, answer N.</para>
292 </listitem>
293
294 <listitem>
295 <para>SECURITY_CAPABILITIES</para>
296
297 <itemizedlist>
298 <listitem>
299 <para>Kernel Version(s): 2.6.15.6</para>
300 </listitem>
301
302 <listitem>
303 <para>(on/off/module) Default Linux Capabilities</para>
304 </listitem>
305
306 <listitem>
307 <para>Depends on SECURITY</para>
308 </listitem>
309 </itemizedlist>
310
311 <para>This enables the "default" Linux capabilities
312 functionality.</para>
313 </listitem>
314
315 <listitem>
316 <para>SECURITY_ROOTPLUG</para>
317
318 <itemizedlist>
319 <listitem>
320 <para>Kernel Version(s): 2.6.15.6</para>
321 </listitem>
322
323 <listitem>
324 <para>(on/off/module) Root Plug Support</para>
325 </listitem>
326
327 <listitem>
328 <para>depends on USB &amp;&amp; SECURITY</para>
329 </listitem>
330 </itemizedlist>
331
332 <para>This is a sample LSM module that should only be used as such.
333 It prevents any programs running with <command>egid == 0</command>
334 if a specific USB device is not present in the system.</para>
335 </listitem>
336
337 <listitem>
338 <para>SECURITY_SECLVL</para>
339
340 <itemizedlist>
341 <listitem>
342 <para>Kernel Version(s): 2.6.15.6</para>
343 </listitem>
344
345 <listitem>
346 <para>(on/off/module) BSD Secure Levels</para>
347 </listitem>
348
349 <listitem>
350 <para>Depends on SECURITY</para>
351 </listitem>
352
353 <listitem>
354 <para>select CRYPTO</para>
355 </listitem>
356
357 <listitem>
358 <para>select CRYPTO_SHA1</para>
359 </listitem>
360 </itemizedlist>
361
362 <para>Implements BSD Secure Levels as an LSM. See file
363 <command>Documentation/seclvl.txt</command> for instructions on how
364 to use this module.</para>
365 </listitem>
366 </itemizedlist>
367 </section>
368
369 <section id="config_stackprotector">
370 <title>Stack Protector (-fstack-protector GCC feature)</title>
371
372 <para><programlisting>CONFIG_CC_STACKPROTECTOR
373CONFIG_CC_STACKPROTECTOR_REGULAR
374CONFIG_CC_STACKPROTECTOR_STRONG</programlisting>This option turns on the
375 <command>-fstack-protector</command> GCC feature. This feature inserts a
376 canary value on the stack just before the return address, and validates
377 the value just before returning. Stack based buffer overflows (that need
378 to overwrite this return address) will now also overwrite the canary,
379 which gets detected and the attack is then neutralized via a kernel
380 panic. This feature requires gcc version 4.2 or above.</para>
381
382 <itemizedlist>
383 <listitem>
384 <para>prompt: Enable -fstack-protector buffer overflow detection
385 (EXPERIMENTAL)</para>
386 </listitem>
387
388 <listitem>
389 <para>type: bool</para>
390 </listitem>
391
392 <listitem>
393 <para>depends on: (none)</para>
394 </listitem>
395
396 <listitem>
397 <para>defined in arch/arm/Kconfig</para>
398 </listitem>
399
400 <listitem>
401 <para>found in Linux kernels: 2.6.36&ndash;2.6.39,
402 3.0&ndash;3.13</para>
403 </listitem>
404 </itemizedlist>
405
406 <para>Currently these configurations are not set in the Intel kernel in
407 Enea NFV Access:<programlisting>tmp/deploy/images/inteld1521/config-inteld1521.config
408
409CONFIG_CC_STACKPROTECTOR is not set
410CONFIG_CC_STACKPROTECTOR_REGULAR is not set
411CONFIG_CC_STACKPROTECTOR_STRONG is not set</programlisting></para>
412 </section>
413
414 <section id="config-freelist-random">
415 <title>CONFIG_FREELIST_RANDOM</title>
416
417 <para>An optional config to randomize the SLAB freelist (heap freelist).
418 SLAB is a memory management mechanism intended for the efficient memory
419 allocation of kernel objects. SLAB displays the desirable property of
420 eliminating fragmentation caused by allocations and
421 deallocations.</para>
422
423 <para>This security feature reduces the predictability of the kernel
424 slab allocator against heap overflows.</para>
425 </section>
426
427 <section id="config_page_poisoning">
428 <title>CONFIG_PAGE_POISONING</title>
429
430 <para>This feature fills the pages with poison patterns after
431 <literal>free_pages()</literal> and verifies the patterns before
432 <literal>alloc_pages()</literal>. This results in a large slowdown, but
433 helps to find certain types of memory corruption.</para>
434
435 <para>This option cannot be enabled in combination with hibernation as
436 that would result in incorrect warnings of memory corruption after a
437 resume, since free pages are not saved to the suspend image. Poison
438 pages after freeing are found in
439 <literal>mm/Kconfig.debug</literal>.</para>
440
441 <para>The configuration item CONFIG_PAGE_POISONING:</para>
442
443 <itemizedlist>
444 <listitem>
445 <para>prompt: Poison pages after freeing</para>
446 </listitem>
447
448 <listitem>
449 <para>type: bool</para>
450 </listitem>
451
452 <listitem>
453 <para>depends on: (none)</para>
454 </listitem>
455
456 <listitem>
457 <para>defined in <ulink
458 url="https://github.com/torvalds/linux/tree/master/mm/Kconfig.debug">mm/Kconfig.debug</ulink></para>
459 </listitem>
460
461 <listitem>
462 <para>found in Linux kernels: 4.6&ndash;4.12, 4.13-rc+HEAD</para>
463 </listitem>
464 </itemizedlist>
465 </section>
466
467 <section id="config_hardened_usercopy">
468 <title>CONFIG_HARDENED_USERCOPY</title>
469
470 <para><programlisting>CONFIG_HARDENED_USERCOPY
471CONFIG_HARDENED_USERCOPY_PAGESPAN</programlisting>This configuration checks
472 that objects being copied to/from user space meet certain
473 criteria.</para>
474 </section>
475
476 <section id="config_stackprotector_strong">
477 <title>CONFIG_CC_STACKPROTECTOR_STRONG</title>
478
479 <para><command>CONFIG_CC_STACKPROTECTOR_STRONG=y</command>, is a more
480 powerful stack canary checking method supported by GCC versions 4.9 and
481 later. On an x86 "defconfig" build, this feature adds canary checks to
482 about 20% of all kernel functions, which increases the kernel code size
483 by about 2%.</para>
484
485 <para>More info about this feature can be found at <ulink
486 url="https://lwn.net/Articles/584278/">https://lwn.net/Articles/584278/</ulink>.</para>
487 </section>
488
489 <section id="config_randomize_base">
490 <title>CONFIG_RANDOMIZE_BASE</title>
491
492 <para><command>CONFIG_RANDOMIZE_BASE</command> with physical memory
493 randomization, extends kernel image physical address randomization to
494 addresses larger than 4GB, among other improvements.</para>
495 </section>
496
497 <section id="config_randomize_memory">
498 <title>CONFIG_RANDOMIZE_MEMORY</title>
499
500 <para><command>CONFIG_RANDOMIZE_MEMORY</command> randomizes the virtual
501 addresses of memory sections, including physical memory mappings:
502 <command>vmalloc</command>, and <command>vemmap</command>. As with other
503 memory randomization routines, by randomizing the virtual address space
504 of kernel memory sections, the goal is to mitigate predictable memory
505 locations.</para>
506 </section>
507 </section>
508
509 <section id="os_hardening">
510 <title>OS Hardening</title>
511
512 <para>The sections below detail various ways in which a developer can
513 effectively secure their operating system(s).</para>
514
515 <section id="removing_root_account">
516 <title>Remove root account</title>
517
518 <para>Create a default user with <command>su</command> access and then
519 use <literal>sudo</literal> to delegate administrative access.</para>
520 </section>
521
522 <section id="syslog-rsyslog">
523 <title>Rsyslog, Syslog, Syslogng Service</title>
524
525 <para>Rsyslog is the default logging program on several Linux
526 distributions. Apart from implementing the syslog protocol, rsyslog adds
527 additional features such as content-based filtering and also uses TCP
528 for transporting, providing many configuration options. Further reading
529 is available at <ulink
530 url="https://linux-audit.com/central-audit-logging-configuration-collecting-linux-audit-events/">https://linux-audit.com/central-audit-logging-configuration-collecting-linux-audit-events/</ulink>.</para>
531 </section>
532
533 <section id="unnecessary_packages">
534 <title>Removing unnecessary Packages</title>
535
536 <para>Enea provides a minimum set of packages in release images. All
537 extra packages should be available in the Enea source repository so
538 users can get when needed.</para>
539
540 <remark>Ask Sona/Casc for details on what should be definitively written
541 in this section</remark>
542 </section>
543
544 <section id="disk-iso-prot">
545 <title>Disk Isolation and Protection</title>
546
547 <para>Critical systems should be separated into different partitions. An
548 example to start from would be:</para>
549
550 <para><programlisting>/
551/boot
552/usr
553/home
554/tmp
555/var</programlisting></para>
556
557 <para>Create a separate volume with the <command>nodev</command>,
558 <command>nosuid</command>, and <command>noexec</command> options set for
559 <command>/tmp</command>. <command>/tmp</command> is intended to be
560 globally writable, creating a separate partition for it can prevent
561 resource exhaustion.</para>
562
563 <para>Setting <command>nodev</command> prevents users from creating or
564 using block or special character devices. Setting
565 <command>noexec</command> prevents users from running binary executables
566 from /tmp. Setting <command>nosuid</command> prevents users from
567 creating set userid files in /tmp.</para>
568 </section>
569
570 <section id="unwanted_suid_sgid">
571 <title>Disable unwanted SUID and SGID Binaries</title>
572
573 <para>There are 3 special permissions available for executable files and
574 directories:</para>
575
576 <itemizedlist>
577 <listitem>
578 <para>SUID permission</para>
579 </listitem>
580
581 <listitem>
582 <para>SGID permission</para>
583 </listitem>
584
585 <listitem>
586 <para>Sticky bit</para>
587 </listitem>
588 </itemizedlist>
589
590 <section id="suid_sgid">
591 <title>SUID/SGID</title>
592
593 <para>To better understand, check the permissions of the
594 <command>/usr/bin/passwd</command> command: <programlisting># ls -lrt /usr/bin/passwd
595-r-sr-sr-x 1 root sys 31396 Jan 20 2014 /usr/bin/passwd</programlisting>There
596 are 2 S&rsquo;s in the permission field, the first &rdquor;s&rdquo;
597 stands for the SUID and the second for SGID. When a command or script
598 set with SUID bit is run, its effective UID becomes that of the owner
599 of the file, rather than of the user who is running it.</para>
600
601 <para>If there are files with all SUID/SGID bits enabled, said files
602 can be misused if the SUID/SGID executable has a security problem or
603 bug. All local or remote users can access/use the file, which may
604 prove dangerous. It's a good idea to find all such files and this can
605 be done using the <command>find</command> command:</para>
606
607 <para><programlisting>#See all set user id files:
608 find / -perm +4000
609
610# See all group id files
611 find / -perm +2000
612
613# Or combine both in a single command
614 find / \( -perm -4000 -o -perm -2000 \) -print
615 find / -path -prune -o -type f -perm +6000 -ls</programlisting>You
616 need to investigate each reported file. See reported file(s) man page
617 for further details.</para>
618 </section>
619
620 <section id="sticky_bit">
621 <title>Sticky Bit</title>
622
623 <para>The Sticky Bit is primarily used on shared directories. It's
624 useful for shared directories such as <command>/var/tmp</command> and
625 <command>/tmp</command> because users can create files, read and
626 execute files owned by other users, but are not allowed to remove
627 files owned by other users.</para>
628
629 <para>For example, if user Bob creates a file named /tmp/bob, user Tom
630 cannot delete this file even when the /tmp directory has permission
631 777. If Sticky Bit is not set, then Tom can delete /tmp/bob, since the
632 file inherits the parent directory permissions. The root users and
633 file owners can remove their own files.</para>
634
635 <para>Example:<programlisting># ls -ld /var/tmp
636drwxrwxrwt 2 sys sys 512 Jan 26 11:02 /var/tmp</programlisting>T refers
637 to when the execute permissions are off and t refers to when they are
638 on.</para>
639 </section>
640 </section>
641
642 <section id="secure_boot_dir">
643 <title>Secure boot directory</title>
644
645 <para>The boot directory contains important files related to the Linux
646 kernel, make sure that this directory is locked down with read-only
647 permissions. You can set the owner and group of
648 <filename>/etc/grub.conf</filename> to the root user like so:</para>
649
650 <programlisting>#chown root:root /etc/fstab
651#chown root:root /etc/grub.conf
652
653EX: ls -ld /boot/* &lt;&lt;&lt;&lt; root only
654
655lrwxrwxrwx 1 root root 32 Aug 7 13:07 /boot/bzImage -&gt; /
656bzImage-4.9.30-intel-pk-standard
657-rw-r--r-- 1 root root 7860816 Jun 8 10:55 /boot/bzImage-4.9.20-yocto-standard
658-rw-r--r-- 1 root root 4624464 Aug 7 12:48 /boot/bzImage-4.9.30-intel-pk-standard</programlisting>
659 </section>
660 </section>
661
662 <section id="netsecure_remoteacc">
663 <title>Network Security &amp; Remote Access</title>
664
665 <para>The networking stack includes IPsec, which provides confidentiality,
666 authenticity, and integrity protection of IP networking. It can be used to
667 implement VPNs, and also point to point security.</para>
668
669 <section id="encrypt_datacoms">
670 <title>Encrypt Data Communication</title>
671
672 <para>All data transmitted over a network is open to monitoring. Encrypt
673 transmitted data whenever possible with passwords or by using
674 keys/certificates.</para>
675
676 <para>Below are several methods and tools that facilitate
677 encryption:</para>
678
679 <orderedlist>
680 <listitem>
681 <para>Use <command>scp</command>, <command>ssh</command>,
682 <command>rsync</command>, or <command>sftp</command> for file
683 transfers. You can also mount a remote server file system or your
684 own home directory using special <command>sshfs</command> and fuse
685 tools.</para>
686 </listitem>
687
688 <listitem>
689 <para>GnuPG allows you to encrypt and sign your data and
690 communication, features a versatile key management system as well as
691 access modules for all kind of public key directories.</para>
692 </listitem>
693
694 <listitem>
695 <para>OpenVPN is a cost-effective, lightweight SSL VPN.</para>
696
697 <para>Another option to try out is <command>tinc</command>, which
698 uses tunneling and encryption to create a secure private network
699 between hosts, on the Internet or on a private insecure LAN.</para>
700 </listitem>
701
702 <listitem>
703 <para>Lighttpd SSL (Secure Server Layer) HTTPS Configuration and
704 Installation.</para>
705 </listitem>
706
707 <listitem>
708 <para>Apache SSL (Secure Server Layer) HTTPS (mod_ssl) Configuration
709 and Installation.</para>
710 </listitem>
711
712 <listitem>
713 <para>Configure Nginx with free Let&rsquo;s Encrypt SSL certificate
714 on Debian or Ubuntu Linux.</para>
715 </listitem>
716 </orderedlist>
717 </section>
718
719 <section id="ssh_service">
720 <title>SSH service</title>
721
722 <para>SSH is secure by default but its services need to be hardened as
723 well. Open <command>/etc/ssh/sshd_config</command> and change the
724 default configuration:</para>
725
726 <itemizedlist>
727 <listitem>
728 <para>Change the default port number 22 to something else, e.g.
729 99.<programlisting>root@inteld1521:~# xxxxx</programlisting></para>
730 </listitem>
731
732 <listitem>
733 <para>Disable ssh login for root<programlisting>ssh root@172.24.12.73
734root@inteld1521:~#</programlisting></para>
735 </listitem>
736
737 <listitem>
738 <para>Make sure following configuration is set for the SSH
739 server:</para>
740
741 <itemizedlist>
742 <listitem>
743 <para>Protocol version is set to 2</para>
744 </listitem>
745
746 <listitem>
747 <para>LogLevel is set to INFO</para>
748 </listitem>
749
750 <listitem>
751 <para>PermitEmptyPasswords</para>
752 </listitem>
753
754 <listitem>
755 <para>IgnoreRhosts to yes</para>
756 </listitem>
757
758 <listitem>
759 <para>HostbasedAuthentication no</para>
760 </listitem>
761
762 <listitem>
763 <para>PermitEmptyPasswords no</para>
764 </listitem>
765
766 <listitem>
767 <para>X11Forwarding no</para>
768 </listitem>
769
770 <listitem>
771 <para>MaxAuthTries 5</para>
772 </listitem>
773
774 <listitem>
775 <para>Ciphers aes128-ctr,aes192-ctr,aes256-ctr</para>
776 </listitem>
777
778 <listitem>
779 <para>ClientAliveInterval 900</para>
780 </listitem>
781
782 <listitem>
783 <para>ClientAliveCountMax 0</para>
784 </listitem>
785
786 <listitem>
787 <para>UsePAM yes</para>
788 </listitem>
789 </itemizedlist>
790
791 <para>These settings use the default set on most platforms, setting
792 them to other values impacts the security of the SSH server.</para>
793 </listitem>
794 </itemizedlist>
795
796 <para>The SSH connection to a server can be controlled by using the
797 following files: <filename>/etc/hosts.allow</filename> and
798 <filename>/<filename>etc/hosts.deny</filename></filename>. Set the
799 permissions on the <filename>sshd_config</filename> file so that only
800 root users can change its contents like so: <programlisting>#chown root:root /etc/ssh/sshd_config
801#chmod 600 /etc/ssh/sshd_config</programlisting></para>
802 </section>
803
804 <section id="check_open_ports">
805 <title>Check for open ports</title>
806
807 <para>Identifying open connections to the internet is a critical
808 mission. In Kali Linux, the following command can be used to spot any
809 hidden open ports:</para>
810
811 <programlisting>root@172:~# netstat -ral -tuwx -en
812
813Kernel IP routing table
814Destination Gateway Genmask Flags Metric Ref Use Iface
8150.0.0.0 172.24.15.254 0.0.0.0 UG 0 0 0 eth1
816172.24.12.0 0.0.0.0 255.255.252.0 U 0 0 0 eth1</programlisting>
817 </section>
818
819 <section id="no_legacyservices">
820 <title>Legacy services and Unencrypted Authentication</title>
821
822 <para>Disable legacy services that rely on unencrypted authentication
823 such as: <emphasis role="bold">telnet&shy;server, rsh, rlogin, rcp,
824 ypserv, ypbind, tftp, tftp&shy;server, talk</emphasis> and <emphasis
825 role="bold">talk&shy;server.</emphasis></para>
826
827 <para>Use instead<emphasis role="bold"> <ulink
828 url="https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html">OpenSSH</ulink>
829 , </emphasis><ulink
830 url="https://www.cyberciti.biz/tips/configure-vsfptd-secure-connections-via-ssl-tls.html"><emphasis
831 role="bold">SFTP</emphasis> or <emphasis
832 role="bold">FTPS</emphasis></ulink> (<emphasis
833 role="bold">FTP</emphasis> over <emphasis role="bold">SSL</emphasis>),
834 which adds SSL or TLS encryption to FTP.</para>
835 </section>
836
837 <section>
838 <title>Disable unnecessary Services</title>
839
840 <para>Disabling unused services will reduce the attack surface. Examples
841 of such services include: <emphasis role="bold">FTP, DNS, LDAP, SMB,
842 DHCP, NFS, SNMP</emphasis>, etc.</para>
843 </section>
844
845 <section>
846 <title>Firewall</title>
847
848 <para>Firewalls are an important tool and act as a barrier between a
849 trusted and an untrusted network. <emphasis
850 role="bold">Iptables</emphasis> is a firewall (user space application)
851 which allows users to configure the <emphasis
852 role="bold">Netfilter</emphasis> provided by the Linux kernel. Netfilter
853 hooks packets which pass into, through and from the system. Kernel-level
854 modules may hook into this framework to examine packets and make
855 security decisions about them.</para>
856
857 <para><emphasis role="bold">Iptables</emphasis> contains five
858 tables:</para>
859
860 <itemizedlist>
861 <listitem>
862 <para><emphasis role="bold">Raw</emphasis> is used only for
863 configuring packets to be exempt from connection tracking.</para>
864 </listitem>
865
866 <listitem>
867 <para><emphasis role="bold">Filter</emphasis> is the default table,
868 where all the actions typically associated with a firewall take
869 place.</para>
870 </listitem>
871
872 <listitem>
873 <para><emphasis role="bold">NAT</emphasis> is used for network
874 address translation (e.g. port forwarding).</para>
875 </listitem>
876
877 <listitem>
878 <para><emphasis role="bold">Mangle</emphasis> is used for
879 specialized packet alterations.</para>
880 </listitem>
881
882 <listitem>
883 <para><emphasis role="bold">Security</emphasis> is used for
884 Mandatory Access Control networking rules (e.g. SELinux).</para>
885 </listitem>
886 </itemizedlist>
887
888 <para>Filter and NAT are the most common use cases. The other tables are
889 aimed at complex configurations involving multiple routers and routing
890 decisions, and are beyond the scope of these introductory
891 remarks.</para>
892
893 <para>Here are some important features to consider for securing a host
894 network (these kernel parameters are set in
895 <filename>/etc/sysctl.conf</filename>):</para>
896
897 <para><emphasis role="bold">Disable</emphasis>:</para>
898
899 <itemizedlist>
900 <listitem>
901 <para>IP forwarding</para>
902 </listitem>
903
904 <listitem>
905 <para>send packet redirects</para>
906 </listitem>
907
908 <listitem>
909 <para>source routed packet acceptance</para>
910 </listitem>
911
912 <listitem>
913 <para>ICMP redirect acceptance</para>
914 </listitem>
915 </itemizedlist>
916
917 <para><emphasis role="bold">Enable</emphasis>:</para>
918
919 <itemizedlist>
920 <listitem>
921 <para>Ignore Broadcast Requests</para>
922 </listitem>
923
924 <listitem>
925 <para>Bad Error Message Protection</para>
926 </listitem>
927
928 <listitem>
929 <para>TCP/SYN cookies</para>
930 </listitem>
931 </itemizedlist>
932
933 <para>iptables is a systemd service. However, the service won't start
934 unless it finds a <filename>/etc/iptables/iptables.rules</filename>
935 file. To start the service for the first time edit:</para>
936
937 <para><programlisting># vi /etc/iptables/iptables.rules</programlisting>or<programlisting># cp /etc/iptables/empty.rules /etc/iptables/iptables.rules &lt;&lt;&lt; no empty.rules
938root@inteld1521:~# ls /usr/sbin/iptables
939iptables iptables-restore iptables-save</programlisting></para>
940
941 <para>Then start the <literal>iptables.service</literal> unit. As with
942 other services, if you want iptables to be loaded automatically on boot,
943 you must enable it.</para>
944
945 <para>Iptables rules for IPv6 are, by default, stored in
946 <filename>/etc/iptables/ip6tables.rules</filename>, which is read by
947 <literal>ip6tables.service</literal>. You can start it the same way as
948 shown above. After adding rules via command-line as shown below, save
949 the configuration file manually: <programlisting># iptables-save &gt; /etc/iptables/iptables.rules</programlisting></para>
950 </section>
951 </section>
952</chapter> \ No newline at end of file
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-05-12 22:41:46 +0000