Unix Network Security
Once you put a computer on a network, you allow many more people potential access to the machine. Without a network, though, a machine is often not useful. The key to network security is to allow only those functions that your users actually need, and to make those services as secure as possible. By disabling unused functions, you have much less to monitor and secure.
- Filtering
Think of filtering as a way to prevent unwanted access. If you are on the Internet or a large network, you will want a firewall machine or a router with firewalling capabilities for maximum protection. The hosts themselves can further limit the services they provide and which hosts may reach them.
A firewall machine sits between the Internet and your network. It provides a point of resistance and protects your inside systems from external users. A firewall machine can filter packets and/or act as a proxy server. Firewalls can be either software or hardware. When using software, I recommend having a machine dedicated to the purpose of being the firewall (unless you only have one machine). Remember that just because you are using NAT-ed IPs does not mean you have a firewall. I have seen small companies compromised because of that assumption.
By filtering out services you do not use at the router level (or on the firewall machine), potential infiltrators are stopped very early on. Unless you use NFS between networks, block all RPC ports at the router. Better yet, permit only the specific ports you actually use and add new ones as needed, so that anything you have not thought about is denied by default. The next steps are on the host itself.
Create an access control list in /var/adm/inetd.sec (the HP-UX mechanism) to say which hosts can connect to which services on your machine. This limits access even further. In addition, disable services you are not using by commenting them out in /etc/inetd.conf and signalling inetd to re-read its configuration.
TCP wrappers (tcpd) add per-service host access control through /etc/hosts.allow and /etc/hosts.deny and log every incoming request, which makes tracing easier and protection stronger.
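As an added example (not code from the original post), here is a small audit script for the "turn off what you do not use" step: it lists the services an inetd.conf still has enabled and flags any that are not on an approved list. The file path and the approved list are arguments, so it can be run against a copy of the file first; the default approved list of just "ftp" is an assumption for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: report which services an
# inetd.conf still has enabled and which of those are not on the approved
# list. Paths and the approved list are arguments so the script can be run
# against copies of the files before touching the real ones.

# Print the service name (field 1) of every active, non-comment line.
inetd_enabled() {
    conf="${1:-/etc/inetd.conf}"
    awk '$0 !~ /^[[:space:]]*#/ && NF > 0 { print $1 }' "$conf"
}

# Print enabled services that are not in the space-separated approved list.
# Anything printed here should be commented out in inetd.conf (and inetd
# told to re-read its configuration) unless someone can justify keeping it.
inetd_unapproved() {
    conf="${1:-/etc/inetd.conf}"
    approved="${2:-ftp}"        # hypothetical default; pass your own list
    inetd_enabled "$conf" | while read -r svc; do
        case " $approved " in
            *" $svc "*) ;;        # approved: say nothing
            *) echo "$svc" ;;     # not approved: report it
        esac
    done
}

# Usage: inetd_unapproved /etc/inetd.conf "ftp"
```

Running it from cron and mailing yourself the output catches services that get re-enabled by an OS patch or a colleague's "temporary" change.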
- Prevent Spoofing
One can imitate another host on a network by claiming its host name or its IP address. To prevent this from happening from outside your network, you need to make changes on your router and in your hosts' system files.
Turn off source routing on your router. Once that is off, apply a filter that rejects packets arriving from the outside network whose source IP address belongs to the inside network. This prevents an outside machine from pretending it is a trusted inside host.
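The same two measures on a firewall machine, as an added example that is not from the original post: the script below generates (rather than silently applies) the commands to disable source routing and to drop outside packets that claim an inside or loopback source address. It assumes a Linux box with iptables; the sysctl names are Linux-specific, and the interface and network arguments are yours to supply.

```shell
#!/bin/sh
# Added illustration, not from the original page: generate the anti-spoofing
# setup for a Linux firewall machine. The rules are printed so they can be
# reviewed; pipe them into sh as root to apply them.
#
# Usage: antispoof_rules EXT_IF INSIDE_NET [INSIDE_NET...]
#        antispoof_rules eth0 10.1.0.0/16 | sh

antispoof_rules() {
    ext_if="$1"; shift
    # 1. Refuse source-routed packets (Linux sysctl names, an assumption here).
    echo "sysctl -q -w net.ipv4.conf.all.accept_source_route=0"
    echo "sysctl -q -w net.ipv4.conf.default.accept_source_route=0"
    # 2. Reverse-path filtering: drop packets whose source address is not
    #    routed via the interface they came in on. Strict mode (1) is right
    #    for a firewall with one outside link; asymmetric routing needs 2.
    echo "sysctl -q -w net.ipv4.conf.all.rp_filter=1"
    # 3. Explicit ingress filter: nothing arriving on the outside interface
    #    may claim an inside (or loopback) source address, whether it is
    #    addressed to the firewall itself (INPUT) or passing through (FORWARD).
    for net in "$@" 127.0.0.0/8; do
        echo "iptables -A INPUT -i $ext_if -s $net -j DROP"
        echo "iptables -A FORWARD -i $ext_if -s $net -j DROP"
    done
}

# Number of DROP rules that would be installed; a cheap sanity check before
# applying the output (two per inside network, plus two for loopback).
antispoof_rule_count() {
    antispoof_rules "$@" | grep -c ' -j DROP'
}
```

Note that these rules say nothing about which services are reachable; they only stop address forgery. Put them ahead of your service rules so a forged packet never reaches an accept rule.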
On the system side, use only fully qualified host names in any system file (NFS exports, hosts.equiv, ...). If possible, do not allow hosts.equiv or .rhosts at all. Having a cron job remove any that have not been agreed upon is great. Verify that all .rhosts and .netrc files (if allowed) have permissions 600; having the cron job fix this automatically is great too.
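As an added example of that cron job (my illustration, not the original author's script), the function below walks the home directories under a given root, removes any .rhosts or .netrc belonging to a user who is not on an agreed-upon list, and forces the remaining ones to mode 600. The allow-list file (one login name per line) and its path are assumptions. Note the symlink check: chmod follows symlinks, so a .rhosts that is really a link to some other file must be removed, never chmod'ed.

```shell
#!/bin/sh
# Added example, not from the original page: enforce the .rhosts/.netrc
# policy from cron. ALLOW_FILE (hypothetical, e.g. /etc/rhosts.allow) lists
# the users whose trust files have been agreed upon, one login name per line.
# Everyone else's files are removed; agreed-upon ones are forced to mode 600.
#
# Root's crontab entry, for example:
#   0 * * * * /usr/local/sbin/trust_audit /home /etc/rhosts.allow

trust_audit() {
    home_root="$1"        # parent of the home directories (e.g. /home)
    allow_file="$2"       # agreed-upon users, one per line
    for home in "$home_root"/*; do
        [ -d "$home" ] || continue
        user="${home##*/}"
        for f in "$home/.rhosts" "$home/.netrc"; do
            # A symlink here is a trick (chmod would follow it): always remove.
            if [ -L "$f" ]; then
                rm -f "$f"
                echo "trust_audit: removed symlink $f"
                continue
            fi
            [ -f "$f" ] || continue
            if grep -qx "$user" "$allow_file" 2>/dev/null; then
                # Agreed upon: only the owner may read it.
                if ! find "$f" -perm 600 | grep -q .; then
                    chmod 600 "$f"
                    echo "trust_audit: fixed permissions on $f"
                fi
            else
                # Not agreed upon: remove it and say so, so the owner hears about it.
                rm -f "$f"
                echo "trust_audit: removed $f (user $user not in $allow_file)"
            fi
        done
    done
}
```

Cron mails whatever the job prints, so every removal or permission fix ends up in root's mailbox; an empty mail means nothing changed.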
- Telnet Security
Convince your users to use SSH (secure shell). SSH encrypts the traffic, which prevents snooping of passwords and sessions. If you MUST use telnet, at least restrict which IPs you accept telnet connections from and turn off root login (except on the console; see the Account Security section).
- FTP Security
As with other services, if you do not need this functionality, turn it off. You can turn off incoming FTP entirely or only for certain users. If you need full FTP functionality, be certain to enable logging and monitor syslog. If possible, use secure ftp (sftp, which comes with ssh). Standard FTP is a known security hazard because it sends passwords in clear text.
Since you only want valid users using FTP, make sure /etc/ftpusers (the list of accounts that are denied FTP) includes all system accounts (uucp, bin, daemon, sys, adm, lp, root, ...). If there are other users who do not need FTP, place them in this file as well. Allow only the users that actually need it, and give them the least access possible. Do not allow writable directories unless absolutely necessary; if writable directories are needed, sometimes write-only (drop box) directories can be used instead.
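An added check for the /etc/ftpusers advice (my example, not the author's): it reads the password file, treats every account with a UID below a threshold, or with a shell of /bin/false or nologin, as one that must be denied FTP, and reports those missing from ftpusers; a second function appends them. The UID threshold of 100 and the file paths are assumptions; adjust them to your system's conventions.

```shell
#!/bin/sh
# Added example, not from the original page: report (and optionally add)
# accounts that should be denied FTP but are missing from /etc/ftpusers.
# Policy assumed here: every account with UID below SYS_UID_MAX, and every
# account whose shell is /bin/false or ...nologin, must not be able to FTP.
SYS_UID_MAX="${SYS_UID_MAX:-100}"   # assumption; many systems use 1000

# Print login names that the policy says must be in ftpusers but are not.
ftpusers_missing() {
    passwd="${1:-/etc/passwd}"
    ftpusers="${2:-/etc/ftpusers}"
    awk -F: -v max="$SYS_UID_MAX" \
        '$3 < max || $7 ~ /(false|nologin)$/ { print $1 }' "$passwd" |
    while read -r user; do
        grep -qx "$user" "$ftpusers" 2>/dev/null || echo "$user"
    done
}

# Append the missing names to ftpusers (run as root on the real file).
ftpusers_fix() {
    passwd="${1:-/etc/passwd}"
    ftpusers="${2:-/etc/ftpusers}"
    missing=$(ftpusers_missing "$passwd" "$ftpusers")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" >> "$ftpusers"
        echo "ftpusers_fix: added to $ftpusers:" $missing
    fi
}
```

Run ftpusers_missing from cron alongside the other audits: a new system account created by a package install is exactly the kind of thing that quietly gains FTP access otherwise.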
- Modem Security
Having modems connected at one central point makes security easier. All modems should require an additional dial-up password. To set this up, use /etc/d_passwd (see the d_passwd man page). Once you are finished, verify that the passwords are not guessable by running Crack against them. As usual, use one password per user, and be certain to disable the account when the user no longer needs access. All dial-up modems should log users out upon disconnect (set hupcl in /etc/gettydefs).
- Verify your work
Use SATAN to make sure you have not missed any obvious holes. Apply all of your vendor's networking patches. Then try to break into your site yourself.
- Monitor to see if you are being attacked
Snort is a nice free IDS (intrusion detection system). Decide which attacks you care about (e.g. Code Red targets IIS and does not affect Unix) and configure the rules accordingly. If you have not configured an IDS before, it will be a bit of work, but it is well worth the effort.