AIT ITServ & Lab Supervisors Meeting. Practical How-To for System and Network Security ITServ Plans on Policies and Services Alain Fauconnet <alain@ait.ac.th> #5083 Security Specialist / CISO March 31st, 2003 Meeting V 20030331. Presentation Roadmap. 1. Introduction
AIT ITServ & Lab Supervisors Meeting
Practical How-To for System and Network Security
ITServ Plans on Policies and Services
Alain Fauconnet <alain@ait.ac.th> #5083
Security Specialist / CISO
March 31st, 2003 Meeting
V 20030331
AIT ITServ

Presentation Roadmap
1. Introduction
  1.1. Attacks are not only for others
  1.2. Potential damage
2. Basic security how-to
  2.1. General recommendations
  2.2. Rule #1: Install and configure carefully
  2.3. Rule #2: Keep software up-to-date
  2.4. Rule #3: Servers are not workstations
  2.5. Rule #4: Monitor your servers and network
  2.6. Rule #5: Do network filtering
3. Useful links and resources
4. ITServ plans
  4.1. Local resources
  4.2. Support and consulting
  4.3. Services
  4.4. Policies
Questions and answers

1. Introduction
1.1. Attacks are not only for others
• Frequent lack of real concern about security
  • “I have no confidential data”
  • “I have such a small network, I’m not concerned”
  • “Hackers/abusers inside. So what? Still works…”
  • too often: “I have no clue” :-)
• Too many misconceptions
  • “Hackers only target (large) (US) businesses”
  • “I’ve switched to Unix (Linux), so I’m safe”
  • “I’m protected by AIT global filtering”
  • “Security is expensive and requires experts”

1. Introduction
1.1. Attacks are not only for others
• The facts
  • All AIT networks are being scanned by hackers several times a day; known vulnerabilities are actively searched for
  • Your network has been scanned already today!
  • Academic networks are especially targeted
  • Filtering at the AIT border cannot protect you from all kinds of attacks (there will be more Nimda & SQLslammer-like)
  • Attacks from inside AIT are likely (more and more to come)
  • Not only servers open to the Internet are exposed

1. Introduction
1.1. Attacks are not only for others
• The facts (cont.)
  • Basic system and network security:
    • is simple:
      • install and configure properly
      • update
      • be consistent
    • requires just serious, consistent people with fair IT experience
    • blocks 80% (at least) of attacks
    • can save you a lot of time, effort and money
• You will learn 5 recipes today: use them!

1. Introduction
1.1. Attacks are not only for others
• The facts (cont.)
  • An unpatched, unsecured Red Hat Linux server is at least as vulnerable as Windows
  • Windows 2000 (even with SP3) is not safe
  • A misconfigured firewall can make your security worse than no firewall at all
    • gives a false feeling of safety
    • protect servers first, then set up a firewall if you wish and if you can

1. Introduction
1.2. Potential damage
• Hackers use the network bandwidth we all share and the server resources that you have paid for
• Damage to the services you provide
  • Downtime for legitimate users
  • Defaced web site (reputation, confidence, image)
  • Loss or alteration of data
  • Wasted time and effort to repair damage
  • Leaking of confidential data
    • From LAN sniffing also (data from other servers)

1. Introduction
1.2. Potential damage
• Damage to the services we all use
  • Slow network connections
  • Slow servers
  • Part or all of AIT networks / domains banned from major sites
    • Loss of connectivity
    • Cannot send e-mail
• Legal liability
  • Attacks on other sites / networks from your network
  • Offensive or illegal material on your servers

2. Basic Security How-To
2.1. General recommendations
• This simple how-to can avoid at least 80% of the break-ins currently seen
• Do it for all servers (new and old)
• This is an ongoing task: never finished
• Assign someone to handle security (can be part-time): this person must have the authority to check that the following rules are applied
• Don’t trust people saying that buying extra software will do it for you

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Do not do full or default installations of the operating system
  • Lots of useless and dangerous software packages get installed
  • Alternative: do a full or default install, then immediately uninstall the packages that you don’t use
• Red Hat Linux installation
  • Consider alternative Linux distributions, e.g.:
    E-smith at http://www.e-smith.org/
    Trustix at http://www.trustix.net/
  • Consider FreeBSD instead of Linux

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Windows 2000
  • unless specific need, do not install any of Networking Services, Other Network File and Print Services, Remote Installation Services, Remote Storage, Terminal Services, Windows Media Services...

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Windows 2000 (cont.)
  • do not install unused parts of IIS: SMTP, NNTP…
  • Note: SMTP is needed by Active Directory Replication
    • Configure it to use RPC transport instead
    • An Internet server should not handle this anyway

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Windows 2000 (cont.)
  • Disable the features of IIS you don’t need using the Microsoft IIS Lockdown Tool
    http://www.microsoft.com/technet/security/tools/locktool.asp
  • Defaults suggested by the tool are generally OK

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Windows 2000 (cont.)
  • Install a virus scanner on Windows servers
  • AVG is a very decent free virus scanner with automatic update
    • Download it from: http://www.grisoft.com
    • Registration needed; use a “disposable” e-mail address just in case, but no report of spamming yet
    • Free version could well disappear due to the current IT business context: enjoy while it lasts
  • Commercial virus scanner: Sophos highly recommended: http://www.sophos.com
    • far fewer problems than with McAfee, Norton
    • free updates

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Windows 2000 (cont.)
  • Remove Outlook Express in any case
    There is no good reason to have it on a server
  • Install an alternate web browser
    Mozilla is a good choice: http://www.mozilla.org
  • IE is quite difficult to remove completely
    • make it a policy not to use it
    • better: use Windows ACLs to prevent usage (details upon request)

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Red Hat Linux installation
  • Use an up-to-date distribution: Red Hat Linux 7.2 at least, never 7.0 or earlier
  • not a file server: do not install: nfs*, samba, portmap
  • not a name server: do not install: bind*
  • not a mail server: do not install: imap, sendmail
  • not a web server: do not install: apache*
  • not a DB server: do not install: MySQL*, postgresql*
  • unless specific need, do not install: dhcpd, finger.server, anonftp, bootparamsd …
  • Uninstalling a Linux RPM package:
      # rpm -e --nodeps packagename ...

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Unix configuration: disable all services not needed
• Services started by connection: file /etc/inetd.conf
    finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
  Comment out unwanted services by adding ‘#’:
    #finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
  Should be commented out unless specific need: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, gopher, time, linuxconf (Linux-specific) … almost all lines
• Red Hat 7.1+ uses xinetd.conf, which can be managed by chkconfig (see next slide)

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Disable all services not needed
• Services started at boot time: start-up scripts
  • Details vary a lot from Unix to Unix
  • Red Hat Linux start-up scripts are controlled using the chkconfig command:
      # chkconfig --list          list all services
      # chkconfig service off     disable a service
      # chkconfig service on      enable a service
  • Unless needed, you should disable: sendmail (if not mail server), portmap, nfs, nfslock, netfs, all r*d (rusersd …), all yp* (ypbind…), lpd, samba, identd, named (if not name server), httpd (if not web server), snmpd, xfs, amd

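One way to check a host against the two lists above (the inetd.conf entries and the boot-time services), as an added example that is not part of the original slides. The sample inputs are constructed, and spelling out “r*d” as rusersd, rwalld, rwhod and rstatd is an assumption.

```shell
#!/bin/sh
# Added example: report services from the slides' "disable unless needed" lists
# that are still enabled. Both functions read the file content on stdin.

# From the inetd.conf slide: entries that should be commented out.
INETD_DENY="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth gopher time linuxconf"
# From the chkconfig slide. "all r*d" is spelled out here as the RPC r-daemons
# (an assumption: a literal r*d glob would also match unrelated daemons).
INIT_DENY="sendmail portmap nfs nfslock netfs rusersd rwalld rwhod rstatd lpd samba identd named httpd snmpd xfs amd"

# Print each listed service that has an active (uncommented) inetd.conf entry.
inetd_enabled() {
    awk -v deny="$INETD_DENY" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }            # comments, blank or short lines
        ($1 in bad) && !seen[$1]++ { print $1 }  # report tcp+udp pairs once
    '
}

# Print each listed service that "chkconfig --list" shows on in runlevel 3 or 5.
chkconfig_enabled() {
    awk -v deny="$INIT_DENY" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        !(($1 in bad) || $1 ~ /^yp/) { next }    # yp* covers ypbind, ypserv ...
        { for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") { print $1; next } }
    '
}

# Constructed sample inputs (not taken from a real host).
sample_inetd() {
cat <<'EOF'
#ftp    stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
time    stream tcp nowait root   internal
time    dgram  udp wait   root   internal
swat    stream tcp nowait root   /usr/sbin/swat swat
EOF
}
sample_chkconfig() {
cat <<'EOF'
sshd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
portmap   0:off 1:off 2:off 3:on  4:on  5:on  6:off
sendmail  0:off 1:off 2:off 3:off 4:off 5:off 6:off
rwhod     0:off 1:off 2:off 3:on  4:off 5:on  6:off
rhnsd     0:off 1:off 2:off 3:on  4:on  5:on  6:off
ypbind    0:off 1:off 2:off 3:off 4:off 5:on  6:off
EOF
}

echo "inetd entries still enabled:"; sample_inetd | inetd_enabled
echo "boot services still enabled:"; sample_chkconfig | chkconfig_enabled
# On a live host: inetd_enabled < /etc/inetd.conf ; chkconfig --list | chkconfig_enabled
```
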
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Unix start-up scripts (cont.)
  • Most other Unix (and Linux too): rename files in rcN.d (N = 2, 3…) directories. Solaris has /etc/rcN.d. E.g.:
      # cd /etc/rc2.d
      # mv S73nfs.client _S73nfs.client
  • E.g. for Solaris, you should disable: S73nfs.client, S74autofs, S80lp, S88sendmail (if not mail server), S15nfs.server, S76snmpx, S77dmi
• Other kinds of Unix: use administration tools
  • FreeBSD: /stand/sysinstall “Do post-install configuration”
  • HP-UX: sam
  • AIX: smit
  • Refer to the documentation, but the target should be to disable NFS, RPC, remote printing, SNMP, SMTP server...

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Enforce a strict login/password policy
  • one person = one login account, do not use shared accounts (“operator”, project account…)
  • minimise root/administrator account usage: only when needed, not for daily work
  • require correct passwords
    • no password = login name
    • no default password (especially empty!)
    • no password = name of department
    • no password = nickname
    • no single words found in a dictionary
    • etc… Everyone knows this already!

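The password rules above written as a check that could run when a password is set, together with a scan for accounts whose password field is empty; this is an added example, not part of the original slides. The function names, the sample word list and the sample shadow lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: the slide's password rules as checks. All names are hypothetical.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_password LOGIN PASSWORD DEPARTMENT NICKNAME WORDLIST_FILE
# Prints the first rule broken and returns 1; prints nothing and returns 0 if none.
check_password() {
    pw=$(lower "$2")
    if [ -z "$2" ]; then echo "empty password"; return 1; fi
    if [ "$pw" = "$(lower "$1")" ]; then echo "password = login name"; return 1; fi
    if [ "$pw" = "$(lower "$3")" ]; then echo "password = name of department"; return 1; fi
    if [ -n "$4" ] && [ "$pw" = "$(lower "$4")" ]; then echo "password = nickname"; return 1; fi
    # -x whole line, -F fixed string, -i ignore case: the password is one dictionary word
    if grep -qixF -e "$2" "$5"; then echo "single dictionary word"; return 1; fi
    return 0
}

# Print accounts whose shadow(5) password field is empty (login needs no password).
# Reads /etc/shadow-format lines on stdin.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }'; }

# Constructed sample data: a three-word dictionary and four shadow entries.
WORDS=$(mktemp); trap 'rm -f "$WORDS"' EXIT
printf '%s\n' network security server > "$WORDS"
sample_shadow() {
cat <<'EOF'
root:$1$constructed$hashvalue:12000:0:99999:7:::
operator::12000:0:99999:7:::
jdoe:$1$constructed$hashvalue:12000:0:99999:7:::
guest::12000:0:99999:7:::
EOF
}

# Demonstration on the constructed data.
check_password jdoe JDoe     ITServ jd "$WORDS" || true
check_password jdoe Security ITServ jd "$WORDS" || true
echo "accounts with an empty password:"; sample_shadow | empty_password_accounts
# On a live host (as root): empty_password_accounts < /etc/shadow
```
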
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Have a strict policy on remote administration
  • Only when really needed and from a very small number of client workstations (see “filtering”)
  • On Unix, do not allow direct remote login to root: log in as a normal user and use su or, better, sudo
  • Use only standard and well-known tools
    • Avoid home-made web-based admin tools
    • Good Unix web-based administration tool: Webmin http://www.webmin.com/
  • Do not use telnet and FTP!

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Remote administration (cont.)
  • Require strong encryption and authentication
  • Unix: install and use SSH (“encrypted telnet”), not standard telnet
    • ssh server is part of Linux and FreeBSD
    • for other Unix: download from http://www.openssh.org/
    • ready-to-install binaries for Solaris at: http://www.sunfreeware.com/
    • freeware Windows SSH client (terminal emulator): TeraTerm Pro with SSH extension
      http://hp.vector.co.jp/authors/VA002416/teraterm.html
      http://www.zip.com.au/~roca/ttssh.html
    • SSH can do file upload/download too: use the freeware WinSCP client for Windows (http://winscp.vse.cz/eng/)

2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Remote administration (cont.)
  • Require strong encryption and authentication
  • Windows: use a recent version of PC Anywhere with encryption set at least to “PCAnywhere”
  • Windows Remote Desktop has encryption always on
  • Avoid VNC (freeware PCAnywhere-like) except over an encrypted tunnel

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Fact: an unpatched, off-the-CD installation of Red Hat Linux or Windows + IIS put on the Internet is usually hacked within 3 weeks
• All standard O/S distributions have many serious security holes: apply critical patches
• Check the vendor web site once a week for new vulnerabilities or subscribe to alert mailing lists: CERT, Securityfocus, SANS...
• The information in the next slides will be outdated very soon...

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Windows (W2K) servers
  • CodeRed and Nimda exploit bugs in IIS that have been known since May 2001
    “There’s no patch for negligence and laziness”
  • Microsoft reference page for Nimda: http://www.microsoft.com/technet/security/topics/Nimda.asp
  • SQLslammer exploits a bug in MS-SQL that has been known since July 2002
  • Microsoft reference page for SQLslammer: http://www.microsoft.com/security/slammer.asp
  • Microsoft starting point page for security: http://www.microsoft.com/technet/security/

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Windows (W2K) servers (cont.)
  • Bringing up a (reasonably) safe (to external attacks at least) Windows 2000 server is simple:
    1) Install Windows and IIS (correctly, see rule #1)
    2) Install Service Pack 3
       http://www.microsoft.com/windows2000/downloads/servicepacks/
    3) Install Hotfixes MS02-052, MS02-065, MS03-001
       http://www.microsoft.com/technet/security/bulletin/MSxx-xxx.asp
    4) If your server has MS-SQL, install MS-SQL SP3 (note: if unsure, install it anyway)
       http://www.microsoft.com/sql/downloads/2000/sp3.asp
    5) Don’t forget to patch Internet Explorer too! Upgrade to IE6 SP1 and patch it
       http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/
       http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
    6) Reminder: remove Outlook Express! There is no good reason to have it on a server.

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Windows (W2K) servers (cont.)
  • If infected:
    • Backup data, format, reinstall and patch!
      If you don’t patch, you will get infected again
    • Do not rely on “cleaners”: they cannot handle 100% of infection variants
    • Restore your data
    • Check all your HTML and Javascript files: delete all added links to *.EML files
    • Delete any README.EML or *.EXE file in your data

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Windows (W2K) servers (cont.)
  • Use automated tools to check against latest security patches
  • Windows automatic update (installed with SP3), in the Control Panel
    + already installed
    + easy to use
    - gives little control over what is installed

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Microsoft Hot Fix Checker (new version)
  http://www.microsoft.com/technet/security/tools/hfnetchk.asp
    + can scan your network from a single point
    + on-line checking: always up-to-date (well, nearly)
    + just tells you what you should install, doesn’t install anything
    + can run on NT4/IIS4, W2K/IIS5 and XP/IIS6
    - command-line console application

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Microsoft “Hot Fix Checker” (cont.)
  1) Download and install
     Can install anywhere, suggested: C:\Program Files\Hotfix Checker
  2) Open a “Command Prompt” window
     Do not run from Explorer
  3) Change to the directory where it is installed:
       cd "\Program Files\Hotfix Checker"
  4) Run the program:
       hfnetchk -v -z -s 1 -nosum
  5) Check results: look for “Patch not found MSXX-YY”
  6) Search for the returned missing patches MSXX-YY on the Microsoft Technet security site
     http://www.microsoft.com/technet/security/
  7) Install them!
  Options described in detail at: http://support.microsoft.com/support/kb/articles/q303/2/15.asp

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Shavlik’s HFNetChkPro
  • improved version of Microsoft’s tool with GUI, much easier to use
  • not free, but free “Lite” version for networks up to 50 nodes
    http://www.shavlik.com/pHFNetChkLT.aspx

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Linux servers: Red Hat covered in this presentation, other distributions similar
  • Check: http://www.redhat.com/apps/support/errata/
  • Review all Security Errata (= bugs!)
  • At least, install all update RPMs mentioning “remote root” or “remote compromise” in the description, and all related to: kernel, ftpd, wu-ftpd, lpd, lprng, rpc, portmap, sendmail, pop, imap, linuxconf, [open]ssh, apache

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Linux servers (cont.)
  • How to install an updated RPM on Red Hat Linux:
    1) download the RPM, e.g. wu-ftpd-2.6.0-14.6x.i386.rpm
    2) type:
         # rpm -Uvh name-of-RPM
       e.g.:
         # rpm -Uvh wu-ftpd-2.6.0-14.6x.i386.rpm
  Other useful commands:
  • rpm -q -a                      lists installed RPMs
  • rpm -ivh name-of-RPM           installs an RPM
  • rpm -e --nodeps name-of-RPM    uninstalls an RPM
  • rpm -V name-of-RPM             checks an installed RPM

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Most critical vulnerabilities in Red Hat Linux 7.x:
  • OpenSSH (ssh server and client)
    http://rhn.redhat.com/errata/RHSA-2002-043.htm
  • OpenSSL (used by Apache)
    https://rhn.redhat.com/errata/RHSA-2002-155.html
  • Kernel
    http://rhn.redhat.com/errata/RHSA-2001-130.html
    http://rhn.redhat.com/errata/RHSA-2003-098.html
  • BIND (DNS server)
    http://rhn.redhat.com/errata/RHSA-2001-007.html
  • LprNG (print server)
    http://rhn.redhat.com/errata/RHSA-2000-065.html

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Most critical vulnerabilities in Red Hat Linux 7.x (cont.):
  • xntp3 (time daemon)
    http://rhn.redhat.com/errata/RHSA-2001-045.html
  • telnetd (telnet server)
    http://rhn.redhat.com/errata/RHSA-2001-099.html
  • ucd-snmp-utils (SNMP server)
    http://rhn.redhat.com/errata/RHSA-2001-163.html
  • sendmail (SMTP server)
    http://rhn.redhat.com/errata/RHSA-2003-073.html
Some may only apply to 7.0, 7.1 or 7.2; check the web pages

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Most critical vulnerabilities in Red Hat Linux 8.0:
  • Kernel
    http://rhn.redhat.com/errata/RHSA-2003-098.html
  • sendmail (SMTP server)
    http://rhn.redhat.com/errata/RHSA-2003-073.html
  • Apache, mod_ssl, PHP
    http://rhn.redhat.com/errata/RHSA-2002-222.html

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Use automatic update
  • register to Red Hat Network (needed):
      # up2date --register
  • configure the update agent to your preferences:
      # up2date --configure
  • run full update:
      # up2date -u
  • use option --nox for non-GUI (text)
  • Full documentation at: http://rhn.redhat.com/help/basic/index.html

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Sun Solaris (on Sun hardware or PC)
  • Check: http://sunsolve.sun.com
    Click on “Security Bulletin Archive”
  • Install Recommended Patch Bundles
    Click on “Recommended & Security Patches” according to platform (SPARC or x86) and version
    • 2.6 = 5.6
    • 2.7 = 5.7 = 7
    • 2.8 = 5.8 = 8
    (Sun likes confusing version numbering...)
  • Free download: no need for a support contract

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Sun Solaris (cont.)
  • How to install a patch bundle (e.g. for Solaris 7):
    1) download the zip file
    2) unzip it in a temporary directory (100Mb++)
         # unzip 7_Recommended.zip
    3) start the automatic installation script (as root)
         # cd 7_Recommended
         # ./install_cluster
    4) wait for a long time
    5) reboot

2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Special care for name servers
  • All versions of BIND (standard Unix DNS name server) prior to the 8.2.3 final released version have severe security bugs allowing remote root compromise
  • Updates for Red Hat Linux and recommended patch bundles for Sun Solaris take care of this, or:
  • Compile and install BIND version 8.2.4 at least (9.1 OK but requires migration work) from: http://www.isc.org/

2. Basic Security How-To
2.4. Rule #3: Servers are not workstations
• Buy new machines for servers, or do a full re-format and re-install if you recycle hardware
• Do not use workstations to bring up network services (file server, web server…)
• Convince your staff not to use servers as workstations
  • No web browsing except trusted sites, and not using IE except when browsing Microsoft’s sites
  • On Windows, no e-mail activity, especially not using Outlook
  • No installation of any program not directly related to server operation and administration
  • Avoid program development on the server whenever possible

2. Basic Security How-To
2.5. Rule #4: Monitor your servers and network
• Any sudden change in load is suspicious
• Monitor the traffic on your link to the Internet
• If you have manageable switches (support SNMP), bring up MRTG to show per-port traffic
  Real case: huge rise of the outgoing traffic = scans being launched from a compromised server

2. Basic Security How-To
2.5. Rule #4: Monitor your servers and network
• Monitor CPU load on your servers
  • Task Manager on Windows (Ctrl-Alt-Del, click on “Task Manager” button)
  • The top command on Unix
• Look for unusual processes running
  • Become familiar with the names of the processes running on your server during normal operations
  • Check for any new process running
  • If so, find what it is

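On Unix, “become familiar with the normal processes, then check for any new one” can be automated by saving a baseline and comparing against it. The script below is an added example, not part of the original slides; the function names and the sample ps output are constructed.

```shell
#!/bin/sh
# Added example: compare running processes against a saved baseline.

# Turn "ps -e -o user= -o comm=" output into sorted, unique "user command" lines.
normalise() {
    awk 'NF >= 2 { u = $1; $1 = ""; sub(/^ +/, ""); print u, $0 }' | LC_ALL=C sort -u
}

# Snapshot of the live system (the pipeline's own ps, awk and sort are included).
snapshot() { ps -e -o user= -o comm= | normalise; }

# new_processes BASELINE_FILE CURRENT_FILE: lines present only in the current file.
new_processes() { LC_ALL=C comm -13 "$1" "$2"; }

# check_baseline BASELINE_FILE: snapshot now, print anything new.
# Returns 0 if nothing is new, 1 if something is, 2 if the check could not run.
check_baseline() {
    [ -r "$1" ] || { echo "no baseline at $1; create one with: snapshot > $1" >&2; return 2; }
    cur=$(mktemp) || return 2
    snapshot > "$cur"
    found=$(new_processes "$1" "$cur"); rm -f "$cur"
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"; return 1
}

# Constructed ps output for the demonstration (not from a real host).
sample_normal() { printf '%s\n' 'root init' 'root syslogd' 'root sshd' 'apache httpd' 'apache httpd'; }
sample_today()  { printf '%s\n' 'root init' 'root syslogd' 'root sshd' 'apache httpd' 'apache unknownd'; }

# Compare the two constructed snapshots and print what is new.
demo() {
    dir=$(mktemp -d) || return 2
    sample_normal | normalise > "$dir/baseline"
    sample_today  | normalise > "$dir/current"
    new_processes "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}
demo
# On a live host: snapshot > /var/tmp/ps.baseline   (once, during normal operation)
#                 check_baseline /var/tmp/ps.baseline   (from cron or by hand)
```
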
2. Basic Security How-To
2.5. Rule #4: Monitor your servers and network
• Look for unusual processes (cont.)
  • Windows: use the Processes list of Task Manager