42.2. Server Security

42.2. Server Security

42.2. Server Security

When a system is used as a server on a public network, it becomes a target for attacks. Hardening the system and locking down services is therefore of paramount importance for the system administrator.

Before delving into specific issues, review the following general tips for enhancing server security:

42.2.1. Securing Services With TCP Wrappers and xinetd

TCP Wrappers provide access control to a variety of services. Most modern network services, such as SSH, Telnet, and FTP, make use of TCP Wrappers, which stand guard between an incoming request and the requested service.

The benefits offered by TCP Wrappers are enhanced when used in conjunction with xinetd, a super server that provides additional access, logging, binding, redirection, and resource utilization control.

Tip

It is a good idea to use iptables firewall rules in conjunction with TCP Wrappers and xinetd to create redundancy within service access controls. Refer to Section 42.8, “Firewalls” for more information about implementing firewalls with iptables commands.

Refer to Section 15.2, “TCP Wrappers” for more information on configuring TCP Wrappers and xinetd.

The following subsections assume a basic knowledge of each topic and focus on specific security options.

42.2.1.1. Enhancing Security With TCP Wrappers

TCP Wrappers are capable of much more than denying access to services. This section illustrates how they can be used to send connection banners, warn of attacks from particular hosts, and enhance logging functionality. Refer to the hosts_options man page for information about the TCP Wrapper functionality and control language.

42.2.1.1.1. TCP Wrappers and Connection Banners

Displaying a suitable banner when users connect to a service is a good way to let potential attackers know that the system administrator is being vigilant. You can also control what information about the system is presented to users. To implement a TCP Wrappers banner for a service, use the banner option.

This example implements a banner for vsftpd. To begin, create a banner file. It can be anywhere on the system, but it must have same name as the daemon. For this example, the file is called /etc/banners/vsftpd and contains the following line:


220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.

The %c token supplies a variety of client information, such as the username and hostname, or the username and IP address to make the connection even more intimidating.

For this banner to be displayed to incoming connections, add the following line to the /etc/hosts.allow file:


vsftpd : ALL : banners /etc/banners/

42.2.1.1.2. TCP Wrappers and Attack Warnings

If a particular host or network has been detected attacking the server, TCP Wrappers can be used to warn the administrator of subsequent attacks from that host or network using the spawn directive.

In this example, assume that a cracker from the 206.182.68.0/24 network has been detected attempting to attack the server. Place the following line in the /etc/hosts.deny file to deny any connection attempts from that network, and to log the attempts to a special file:


ALL : 206.182.68.0 : spawn /bin/ 'date' %c %d >> /var/log/intruder_alert

The %d token supplies the name of the service that the attacker was trying to access.

To allow the connection and log it, place the spawn directive in the /etc/hosts.allow file.

Note

Because the spawn directive executes any shell command, create a special script to notify the administrator or execute a chain of commands in the event that a particular client attempts to connect to the server.

42.2.1.1.3. TCP Wrappers and Enhanced Logging

If certain types of connections are of more concern than others, the log level can be elevated for that service using the severity option.

For this example, assume that anyone attempting to connect to port 23 (the Telnet port) on an FTP server is a cracker. To denote this, place an emerg flag in the log files instead of the default flag, info, and deny the connection.

To do this, place the following line in /etc/hosts.deny:


in.telnetd : ALL : severity emerg

This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which posts log messages directly to the console.

42.2.1.2. Enhancing Security With xinetd

This section focuses on using xinetd to set a trap service and using it to control resource levels available to any given xinetd service. Setting resource limits for services can help thwart Denial of Service (DoS) attacks. Refer to the man pages for xinetd and xinetd.conf for a list of available options.

42.2.1.2.1. Setting a Trap

One important feature of xinetd is its ability to add hosts to a global no_access list. Hosts on this list are denied subsequent connections to services managed by xinetd for a specified period or until xinetd is restarted. You can do this using the SENSOR attribute. This is an easy way to block hosts attempting to scan the ports on the server.

The first step in setting up a SENSOR is to choose a service you do not plan on using. For this example, Telnet is used.

Edit the file /etc/xinetd.d/telnet and change the flags line to read:

flags           = SENSOR

Add the following line:

deny_time       = 30

This denies any further connection attempts to that port by that host for 30 minutes. Other acceptable values for the deny_time attribute are FOREVER, which keeps the ban in effect until xinetd is restarted, and NEVER, which allows the connection and logs it.

Finally, the last line should read:

disable         = no

This enables the trap itself.

While using SENSOR is a good way to detect and stop connections from undesirable hosts, it has two drawbacks:

  • It does not work against stealth scans.

  • An attacker who knows that a SENSOR is running can mount a Denial of Service attack against particular hosts by forging their IP addresses and connecting to the forbidden port.

42.2.1.2.2. Controlling Server Resources

Another important feature of xinetd is its ability to set resource limits for services under its control.

It does this using the following directives:

  • cps = <number_of_connections> <wait_period> — Limits the rate of incoming connections. This directive takes two arguments:

    • <number_of_connections> — The number of connections per second to handle. If the rate of incoming connections is higher than this, the service is temporarily disabled. The default value is fifty (50).

    • <wait_period> — The number of seconds to wait before re-enabling the service after it has been disabled. The default interval is ten (10) seconds.

  • instances = <number_of_connections> — Specifies the total number of connections allowed to a service. This directive accepts either an integer value or UNLIMITED.

  • per_source = <number_of_connections> — Specifies the number of connections allowed to a service by each host. This directive accepts either an integer value or UNLIMITED.

  • rlimit_as = <number[K|M]> — Specifies the amount of memory address space the service can occupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED.

  • rlimit_cpu = <number_of_seconds> — Specifies the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or UNLIMITED.

Using these directives can help prevent any single xinetd service from overwhelming the system, resulting in a denial of service.

42.2.2. Securing Portmap

The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.

Note

Securing portmap only affects NFSv2 and NFSv3 implementations, since NFSv4 no longer requires it. If you plan to implement an NFSv2 or NFSv3 server, then portmap is required, and the following section applies.

If running RPC services, follow these basic rules.

42.2.2.1. Protect portmap With TCP Wrappers

It is important to use TCP Wrappers to limit which networks or hosts have access to the portmap service since it has no built-in form of authentication.

Further, use only IP addresses when limiting access to the service. Avoid using hostnames, as they can be forged by DNS poisoning and other methods.

42.2.2.2. Protect portmap With iptables

To further restrict access to the portmap service, it is a good idea to add iptables rules to the server and restrict access to specific networks.

Below are two example iptables commands. The first allows TCP connections to the port 111 (used by the portmap service) from the 192.168.0.0/24 network. The second allows TCP connections to the same port from the localhost. This is necessary for the sgi_fam service used by Nautilus. All other packets are dropped.

iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 111 -j DROP
iptables -A INPUT -p tcp -s 127.0.0.1  --dport 111 -j ACCEPT

To similarly limit UDP traffic, use the following command.

iptables -A INPUT -p udp -s! 192.168.0.0/24  --dport 111 -j DROP

Tip

Refer to Section 42.8, “Firewalls” for more information about implementing firewalls with iptables commands.

42.2.3. Securing NIS

The Network Information Service (NIS) is an RPC service, called ypserv,--> which is used in conjunction with portmap and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.

An NIS server is comprised of several applications. They include the following:

  • /usr/sbin/rpc.yppasswdd — Also called the yppasswdd service, this daemon allows users to change their NIS passwords.

  • /usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.

  • /usr/sbin/yppush — This application propagates changed NIS databases to multiple NIS servers.

  • /usr/sbin/ypserv — This is the NIS server daemon.

NIS is somewhat insecure by today's standards. It has no host authentication mechanisms and transmits all of its information over the network unencrypted, including password hashes. As a result, extreme care must be taken when setting up a network that uses NIS. This is further complicated by the fact that the default configuration of NIS is inherently insecure.

It is recommended that anyone planning to implement an NIS server first secure the portmap service as outlined in Section 42.2.2, “Securing Portmap”, then address the following issues, such as network planning.

42.2.3.1. Carefully Plan the Network

Because NIS transmits sensitive information unencrypted over the network, it is important the service be run behind a firewall and on a segmented and secure network. Whenever NIS information is transmitted over an insecure network, it risks being intercepted. Careful network design can help prevent severe security breaches.

42.2.3.2. Use a Password-like NIS Domain Name and Hostname

Any machine within an NIS domain can use commands to extract information from the server without authentication, as long as the user knows the NIS server's DNS hostname and NIS domain name.

For instance, if someone either connects a laptop computer into the network or breaks into the network from outside (and manages to spoof an internal IP address), the following command reveals the /etc/passwd map:

ypcat -d <NIS_domain> -h <DNS_hostname> passwd

If this attacker is a root user, they can obtain the /etc/shadow file by typing the following command:

ypcat -d <NIS_domain> -h <DNS_hostname> shadow

Note

If Kerberos is used, the /etc/shadow file is not stored within an NIS map.

To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as o7hfawtgmhwg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.

42.2.3.3. Edit the /var/yp/securenets File

If the /var/yp/securenets file is blank or does not exist (as is the case after a default installation), NIS listens to all networks. One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the appropriate network.

Below is a sample entry from a /var/yp/securenets file:

255.255.255.0     192.168.0.0

Warning

Never start an NIS server for the first time without creating the /var/yp/securenets file.

This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services.

42.2.3.4. Assign Static Ports and Use iptables Rules

All of the servers related to NIS can be assigned specific ports except for rpc.yppasswdd — the daemon that allows users to change their login passwords. Assigning ports to the other two NIS server daemons, rpc.ypxfrd and ypserv, allows for the creation of firewall rules to further protect the NIS server daemons from intruders.

To do this, add the following lines to /etc/sysconfig/network:

YPSERV_ARGS="-p 834" YPXFRD_ARGS="-p 835"

The following iptables rules can then be used to enforce which network the server listens to for these ports:

iptables -A INPUT -p ALL -s! 192.168.0.0/24  --dport 834 -j DROP
iptables -A INPUT -p ALL -s! 192.168.0.0/24  --dport 835 -j DROP

This means that the server only allows connections to ports 834 and 835 if the requests come from the 192.168.0.0/24 network, regardless of the protocol.

Tip

Refer to Section 42.8, “Firewalls” for more information about implementing firewalls with iptables commands.

42.2.3.5. Use Kerberos Authentication

One of the issues to consider when NIS is used for authentication is that whenever a user logs into a machine, a password hash from the /etc/shadow map is sent over the network. If an intruder gains access to an NIS domain and sniffs network traffic, they can collect usernames and password hashes. With enough time, a password cracking program can guess weak passwords, and an attacker can gain access to a valid account on the network.

Since Kerberos uses secret-key cryptography, no password hashes are ever sent over the network, making the system far more secure. Refer to Section 42.6, “Kerberos” for more information about Kerberos.

42.2.4. Securing NFS

The Network File System (NFS) is a service that provides network accessible file systems for client machines. Refer to Chapter 18, Network File System (NFS) for more information about NFS. The following subsections assume a basic knowledge of NFS.

Important

The version of NFS included in Red Hat Enterprise Linux, NFSv4, no longer requires the portmap service as outlined in Section 42.2.2, “Securing Portmap”. NFS traffic now utilizes TCP in all versions, rather than UDP, and requires it when using NFSv4. NFSv4 now includes Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module. Information on portmap is still included, since Red Hat Enterprise Linux supports NFSv2 and NFSv3, both of which utilize portmap.

42.2.4.1. Carefully Plan the Network

Now that NFSv4 has the ability to pass all information encrypted using Kerberos over a network, it is important that the service be configured correctly if it is behind a firewall or on a segmented network. NFSv2 and NFSv3 still pass data insecurely, and this should be taken into consideration. Careful network design in all of these regards can help prevent security breaches.

42.2.4.2. Beware of Syntax Errors

The NFS server determines which file systems to export and which hosts to export these directories to by consulting the /etc/exports file. Be careful not to add extraneous spaces when editing this file.

For instance, the following line in the /etc/exports file shares the directory /tmp/nfs/ to the host bob.example.com with read/write permissions.

/tmp/nfs/     bob.example.com(rw)

The following line in the /etc/exports file, on the other hand, shares the same directory to the host bob.example.com with read-only permissions and shares it to the world with read/write permissions due to a single space character after the hostname.

/tmp/nfs/     bob.example.com (rw)

It is good practice to check any configured NFS shares by using the showmount command to verify what is being shared:

showmount -e <hostname>

42.2.4.3. Do Not Use the no_root_squash Option

By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account. This changes the owner of all root-created files to nfsnobody, which prevents uploading of programs with the setuid bit set.

If no_root_squash is used, remote root users are able to change any file on the shared file system and leave applications infected by trojans for other users to inadvertently execute.

42.2.5. Securing the Apache HTTP Server

The Apache HTTP Server is one of the most stable and secure services that ships with Red Hat Enterprise Linux. A large number of options and techniques are available to secure the Apache HTTP Server — too numerous to delve into deeply here.

When configuring the Apache HTTP Server, it is important to read the documentation available for the application. This includes Chapter 21, Apache HTTP Server, and the Stronghold manuals, available at http://www.redhat.com/docs/manuals/stronghold/.

System Administrators should be careful when using the following configuration options:

42.2.5.1. FollowSymLinks

This directive is enabled by default, so be sure to use caution when creating symbolic links to the document root of the Web server. For instance, it is a bad idea to provide a symbolic link to /.

42.2.5.2. The Indexes Directive

This directive is enabled by default, but may not be desirable. To prevent visitors from browsing files on the server, remove this directive.

42.2.5.3. The UserDir Directive

The UserDir directive is disabled by default because it can confirm the presence of a user account on the system. To enable user directory browsing on the server, use the following directives:

UserDir enabled
UserDir disabled root

These directives activate user directory browsing for all user directories other than /root/. To add users to the list of disabled accounts, add a space-delimited list of users on the UserDir disabled line.

42.2.5.4. Do Not Remove the IncludesNoExec Directive

By default, the Server-Side Includes (SSI) module cannot execute commands. It is recommended that you do not change this setting unless absolutely necessary, as it could potentially enable an attacker to execute commands on the system.

42.2.5.5. Restrict Permissions for Executable Directories

Ensure that only the root user has write permissions to any directory containing scripts or CGIs. To do this, type the following commands:

chown root <directory_name>
chmod 755 <directory_name>

Important

Always verify that any scripts running on the system work as intended before putting them into production.

42.2.6. Securing FTP

The File Transport Protocol (FTP) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be carefully configured.

Red Hat Enterprise Linux provides three FTP servers.

  • gssftpd — A Kerberos-aware xinetd-based FTP daemon that does not transmit authentication information over the network.

  • Red Hat Content Accelerator (tux) — A kernel-space Web server with FTP capabilities.

  • vsftpd — A standalone, security oriented implementation of the FTP service.

The following security guidelines are for setting up the vsftpd FTP service.

42.2.6.1. FTP Greeting Banner

Before submitting a username and password, all users are presented with a greeting banner. By default, this banner includes version information useful to crackers trying to identify weaknesses in a system.

To change the greeting banner for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:

ftpd_banner=<insert_greeting_here>

Replace <insert_greeting_here> in the above directive with the text of the greeting message.

For mutli-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called /etc/banners/. The banner file for FTP connections in this example is /etc/banners/ftp.msg. Below is an example of what such a file may look like:

######### # Hello, all activity on ftp.example.com is logged. #########

Note

It is not necessary to begin each line of the file with 220 as specified in Section 42.2.1.1.1, “TCP Wrappers and Connection Banners”.

To reference this greeting banner file for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:

banner_file=/etc/banners/ftp.msg

It also is possible to send additional banners to incoming connections using TCP Wrappers as described in Section 42.2.1.1.1, “TCP Wrappers and Connection Banners”.

42.2.6.2. Anonymous Access

The presence of the /var/ftp/ directory activates the anonymous account.

The easiest way to create this directory is to install the vsftpd package. This package establishes a directory tree for anonymous users and configures the permissions on directories to read-only for anonymous users.

By default the anonymous user cannot write to any directories.

Caution

If enabling anonymous access to an FTP server, be aware of where sensitive data is stored.

42.2.6.2.1. Anonymous Upload

To allow anonymous users to upload files, it is recommended that a write-only directory be created within /var/ftp/pub/.

To do this, type the following command:

mkdir /var/ftp/pub/upload

Next, change the permissions so that anonymous users cannot view the contents of the directory:

chmod 730 /var/ftp/pub/upload

A long format listing of the directory should look like this:

drwx-wx---    2 root     ftp          4096 Feb 13 20:05 upload

Warning

Administrators who allow anonymous users to read and write in directories often find that their servers become a repository of stolen software.

Additionally, under vsftpd, add the following line to the /etc/vsftpd/vsftpd.conf file:

anon_upload_enable=YES

42.2.6.3. User Accounts

Because FTP transmits unencrypted usernames and passwords over insecure networks for authentication, it is a good idea to deny system users access to the server from their user accounts.

To disable all user accounts in vsftpd, add the following directive to /etc/vsftpd/vsftpd.conf:

local_enable=NO
42.2.6.3.1. Restricting User Accounts

To disable FTP access for specific accounts or specific groups of accounts, such as the root user and those with sudo privileges, the easiest way is to use a PAM list file as described in Section 42.1.4.2.4, “Disabling Root Using PAM”. The PAM configuration file for vsftpd is /etc/pam.d/vsftpd.

It is also possible to disable user accounts within each service directly.

To disable specific user accounts in vsftpd, add the username to /etc/vsftpd.ftpusers

42.2.6.4. Use TCP Wrappers To Control Access

Use TCP Wrappers to control access to either FTP daemon as outlined in Section 42.2.1.1, “Enhancing Security With TCP Wrappers”.

42.2.7. Securing Sendmail

Sendmail is a Mail Transport Agent (MTA) that uses the Simple Mail Transport Protocol (SMTP) to deliver electronic messages between other MTAs and to email clients or delivery agents. Although many MTAs are capable of encrypting traffic between one another, most do not, so sending email over any public networks is considered an inherently insecure form of communication.

Refer to Chapter 23, Email for more information about how email works and an overview of common configuration settings. This section assumes a basic knowledge of how to generate a valid /etc/mail/sendmail.cf by editing the /etc/mail/sendmail.mc and using the m4 command.

It is recommended that anyone planning to implement a Sendmail server address the following issues.

42.2.7.1. Limiting a Denial of Service Attack

Because of the nature of email, a determined attacker can flood the server with mail fairly easily and cause a denial of service. By setting limits to the following directives in /etc/mail/sendmail.mc, the effectiveness of such attacks is limited.

  • confCONNECTION_RATE_THROTTLE — The number of connections the server can receive per second. By default, Sendmail does not limit the number of connections. If a limit is set and reached, further connections are delayed.

  • confMAX_DAEMON_CHILDREN — The maximum number of child processes that can be spawned by the server. By default, Sendmail does not assign a limit to the number of child processes. If a limit is set and reached, further connections are delayed.

  • confMIN_FREE_BLOCKS — The minimum number of free blocks which must be available for the server to accept mail. The default is 100 blocks.

  • confMAX_HEADERS_LENGTH — The maximum acceptable size (in bytes) for a message header.

  • confMAX_MESSAGE_SIZE — The maximum acceptable size (in bytes) for a single message.

42.2.7.2. NFS and Sendmail

Never put the mail spool directory, /var/spool/mail/, on an NFS shared volume.

Because NFSv2 and NFSv3 do not maintain control over user and group IDs, two or more users can have the same UID, and receive and read each other's mail.

Note

With NFSv4 using Kerberos, this is not the case, since the SECRPC_GSS kernel module does not utilize UID-based authentication. However, it is considered good practice not to put the mail spool directory on NFS shared volumes.

42.2.7.3. Mail-only Users

To help prevent local user exploits on the Sendmail server, it is best for mail users to only access the Sendmail server using an email program. Shell accounts on the mail server should not be allowed and all user shells in the /etc/passwd file should be set to /sbin/nologin (with the possible exception of the root user).

42.2.8. Verifying Which Ports Are Listening

After configuring network services, it is important to pay attention to which ports are actually listening on the system's network interfaces. Any open ports can be evidence of an intrusion.

There are two basic approaches for listing the ports that are listening on the network. The less reliable approach is to query the network stack using commands such as netstat -an or lsof -i. This method is less reliable since these programs do not connect to the machine from the network, but rather check to see what is running on the system. For this reason, these applications are frequent targets for replacement by attackers. Crackers attempt to cover their tracks if they open unauthorized network ports by replacing netstat and lsof with their own, modified versions.

A more reliable way to check which ports are listening on the network is to use a port scanner such as nmap.

The following command issued from the console determines which ports are listening for TCP connections from the network:

nmap -sT -O localhost

The output of this command appears as follows:

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-09-24 13:49 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1653 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh 
25/tcp    open  smtp
111/tcp   open  rpcbind
113/tcp   open  auth
631/tcp   open  ipp
834/tcp   open  unknown
2601/tcp  open  zebra
32774/tcp open  sometimes-rpc11
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 12.857 days (since Sat Sep 11 17:16:20 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 5.190 seconds

This output shows the system is running portmap due to the presence of the sunrpc service. However, there is also a mystery service on port 834. To check if the port is associated with the official list of known services, type:

cat /etc/services | grep 834

This command returns no output. This indicates that while the port is in the reserved range (meaning 0 through 1023) and requires root access to open, it is not associated with a known service.

Next, check for information about the port using netstat or lsof. To check for port 834 using netstat, use the following command:

netstat -anp | grep 834

The command returns the following output:

tcp   0    0 0.0.0.0:834    0.0.0.0:*   LISTEN   653/ypbind

The presence of the open port in netstat is reassuring because a cracker opening a port surreptitiously on a hacked system is not likely to allow it to be revealed through this command. Also, the [p] option reveals the process ID (PID) of the service that opened the port. In this case, the open port belongs to ypbind (NIS), which is an RPC service handled in conjunction with the portmap service.

The lsof command reveals similar information to netstat since it is also capable of linking open ports to services:

lsof -i | grep 834

The relevant portion of the output from this command follows:

ypbind      653        0    7u  IPv4       1319                 TCP *:834 (LISTEN)
ypbind      655        0    7u  IPv4       1319                 TCP *:834 (LISTEN)
ypbind      656        0    7u  IPv4       1319                 TCP *:834 (LISTEN)
ypbind      657        0    7u  IPv4       1319                 TCP *:834 (LISTEN)

These tools reveal a great deal about the status of the services running on a machine. These tools are flexible and can provide a wealth of information about network services and configuration. Refer to the man pages for lsof, netstat, nmap, and services for more information.