Re: [CentOS] Hardening CentOS by removing hacker tools
Filipe Brandenburger wrote:
> On Fri, Jun 6, 2008 at 10:09 PM, Jim Wildman [EMAIL PROTECTED] wrote:
>> Better, google for tiny centos and build a new box with the minimum on it.
>
> Hmmm, that looks exactly like what I'm looking for! I'm actually trying to find someone who has already done the tough work and could give me some tips on what to expect on that path. I'll see what Google has to offer and if I find something useful I'll post it here.
>
> Thanks!
> Filipe

Applying apf (http://rfxnetworks.com/apf.php) as a front end for iptables enables a sweet setup for RAB (Reactive Address Blocking). I liked it a lot starting back when I was using FC1... I know the project is still around and I have it running on my CentOS 5.1 box as well. There's no rpm of which I'm aware, but it's a simple install. Makes iptables very easy to manage.

YMMV,
-R
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Hardening CentOS by removing hacker tools
> Not if /home and /tmp and /var/tmp are mounted with noexec,nodev,nosuid,...

Actually, wrong.

/lib/ld-2.5.so ~/bin/wget

--Erek
Re: [CentOS] Hardening CentOS by removing hacker tools
Erek Dyskant wrote:
>> Not if /home and /tmp and /var/tmp are mounted with noexec,nodev,nosuid,...
>
> Actually, wrong.
>
> /lib/ld-2.5.so ~/bin/wget

Actually, wrong:

[EMAIL PROTECTED] ~]$ bin/true ; echo $?
0
[EMAIL PROTECTED] ~]$ /lib64/ld-2.5.so bin/true; echo $?
0
[EMAIL PROTECTED] ~]$ sudo mount -o remount,noexec /home
[EMAIL PROTECTED] ~]$ bin/true ; echo $?
-bash: bin/true: Permission denied
126
[EMAIL PROTECTED] ~]$ /lib64/ld-2.5.so bin/true; echo $?
bin/true: error while loading shared libraries: bin/true: failed to map segment from shared object: Operation not permitted
127
[EMAIL PROTECTED] ~]$

Ralph
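An added example, not from anyone in this thread: a POSIX sh audit that reports which of the user-writable paths named above (/home, /tmp, /var/tmp) lack the noexec, nodev and nosuid options that Ralph's remount test relies on. It reads a table in /proc/mounts format; MOUNTS_SAMPLE is constructed, and in it /var/tmp is deliberately not a separate mount, so the check has to resolve it to the mount that actually holds it (/var).

```shell
#!/bin/sh
# Added example (not from the thread): report which of the user-writable paths
# named in the thread lack noexec, nodev and nosuid. Input is a table in
# /proc/mounts format; MOUNTS_SAMPLE is constructed test data in which /var/tmp
# is not its own mount, so it inherits whatever /var was mounted with.

MOUNTS_SAMPLE='rootfs / rootfs rw 0 0
/dev/sda2 /home ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0
/dev/sda3 /var ext3 rw 0 0'
MOUNTS=$MOUNTS_SAMPLE        # on a real host: MOUNTS=$(cat /proc/mounts)

# has_opt <opts> <opt>: succeed if <opt> appears in the comma-separated list
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# covering_mount <path>: print "<mountpoint> <options>" for the mount that
# actually holds <path>, i.e. the longest mount point that is a prefix of it
covering_mount() {
    path=$1 best='' bestopts=''
    while read -r dev mnt fstype opts rest; do
        case "$path" in
            "$mnt"|"${mnt%/}"/*)
                if [ ${#mnt} -ge ${#best} ]; then best=$mnt; bestopts=$opts; fi ;;
        esac
    done <<EOF
$MOUNTS
EOF
    printf '%s %s\n' "$best" "$bestopts"
}

# audit_path <path>: "<path> (on <mount>): ok" or "...: missing <opts>"
audit_path() {
    set -- "$1" $(covering_mount "$1")     # $1 path, $2 mount, $3 options
    missing=''
    for want in noexec nodev nosuid; do
        has_opt "$3" "$want" || missing="$missing,$want"
    done
    if [ -z "$missing" ]; then
        printf '%s (on %s): ok\n' "$1" "$2"
    else
        printf '%s (on %s): missing %s\n' "$1" "$2" "${missing#,}"
    fi
}

for p in /home /tmp /var/tmp; do audit_path "$p"; done
```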
Re: [CentOS] Hardening CentOS by removing hacker tools
Filipe Brandenburger wrote:
> Hi,
>
> My boss asked me to harden a CentOS box by removing hacker tools, such as nmap, tcpdump, nc (netcat), telnet, etc. I would like to know which list of packages would you remove from a base install. I would appreciate if someone could point me to a standard way of doing this. I know there are procedures for hardening a machine (I remember reading about Bastille Linux) but I don't know how effective they are and if they include the removal of such tools in their procedures.

Those are all client-side tools. If someone gains access to them, the box is already hacked. How exactly does that harden it?

Most all of those (certainly nmap, tcpdump and telnet) are useful diagnostic tools for troubleshooting network connectivity issues.
Re: [CentOS] Hardening CentOS by removing hacker tools
Filipe Brandenburger wrote:
> Hi,
>
> My boss asked me to harden a CentOS box by removing hacker tools, such as nmap, tcpdump, nc (netcat), telnet, etc. I would like to know which list of packages would you remove from a base install. I would appreciate if someone could point me to a standard way of doing this. I know there are procedures for hardening a machine (I remember reading about Bastille Linux) but I don't know how effective they are and if they include the removal of such tools in their procedures.
>
> Any advice would be very appreciated!
>
> Thanks,
> Filipe

I don't think that removing these tools would make the box any more secure. If a hacker is able to get into the system through exploiting a service, he can download the necessary tools or compile them himself.

I suggest starting by setting up the firewall to only have the necessary ports open (which is usually already done), moving anything you can to a non-standard port (especially things like ssh), and disabling any unneeded services. You would be surprised how many attacks a public server can get on standard ports like ssh. People will run scripts that will just try to brute-force a password, which can lead to DoS attacks, especially on slower servers.

There are also tools, such as the ones that Rackspace installs, that stop port scans. They basically detect port scans and add a firewall rule to temporarily block that IP. Does anyone know what tool that is?

Also disabling remote login as root should help.

Russ
Re: [CentOS] Hardening CentOS by removing hacker tools
On Fri, 2008-06-06 at 19:03 -0400, Filipe Brandenburger wrote:
> Hi,
>
> My boss asked me to harden a CentOS box by removing hacker tools, such as nmap, tcpdump, nc (netcat), telnet, etc. I would like to know which list of packages would you remove from a base install. I would appreciate if someone could point me to a standard way of doing this. I know there are procedures for hardening a machine (I remember reading about Bastille Linux) but I don't know how effective they are and if they include the removal of such tools in their procedures.
>
> Any advice would be very appreciated!

Filipe,

Have a search on Google for NSA Hardening RHEL5; you will find a very good document (pdf) which will help you start your hardening.

Regards,
Erik
RE: [CentOS] Hardening CentOS by removing hacker tools
> They basically detect port scans and add a firewall rule to temporarily block that ip. Does anyone know what tool that is?
>
> Also disabling remote login as root should help.
>
> Russ

Fail2ban is what you are looking for, I think:
http://www.fail2ban.org/wiki/index.php/Main_Page

Dennis
Re: [CentOS] Hardening CentOS by removing hacker tools
Dennis McLeod wrote:
>> They basically detect port scans and add a firewall rule to temporarily block that ip. Does anyone know what tool that is?
>>
>> Also disabling remote login as root should help.
>>
>> Russ
>
> Fail2ban, is what you are looking for, I think http://www.fail2ban.org/wiki/index.php/Main_Page
>
> Dennis

Sweet, actually this looks more like what I wanted, but Rackspace said it wasn't available. This bans the IPs if there are a lot of password failures. There is also another tool which bans IPs for port scans. I think it's been discontinued, but perhaps there is another one out there?

Russ
Re: [CentOS] Hardening CentOS by removing hacker tools
> Have a search on google for NSA Hardening RHEL5, you will find a very good document (pdf) which will help you start you're hardening.

http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1
Re: [CentOS] Hardening CentOS by removing hacker tools
Filipe Brandenburger [EMAIL PROTECTED] writes:
> My boss asked me to harden a CentOS box by removing hacker tools, such as nmap, tcpdump, nc (netcat), telnet, etc.

Removing network tools does not make it harder to break into the box; however, it can make it harder to do something with it once you are in. Removing those tools might help keep an infection from spreading, but it won't protect the box itself. (Also, just installing the programs means that if your box gets compromised, the hacker needs to install some new packages. Not difficult, even without root - the attacker can install to the compromised user's homedir.)

It sounds like your boss doesn't know much about this. You have 2 choices... You can do what he says (largely useless), or you can try to educate yourself (and your boss) on ways to actually make your systems more secure. I would advise the latter course, personally - if the boss is a good boss, he will listen to his technical people.

Here are the basics:

First, turn off all daemons you don't need. If it's not running, you don't need to worry if there is a security hole in it.

I think a good firewall is useful... it saves your ass if you accidentally leave a daemon running that you don't need, or if the new guy starts up a daemon that you weren't running before, or if you need a daemon to be accessible to the office but not the world. Use the CentOS iptables default setup - make sure you can take the box offline, then change the default to 'reject' and then open things up one service at a time until your system works again.

Third, subscribe to the announce list for your distro - and check it every day. Apply security updates immediately (you can't just do this with cron; some require reboots).

Also, make sure that PermitRootLogin is set to no in /etc/ssh/sshd_config - all of the successful brute-force attacks I've seen have been against the root user. Brute-forcing other users is more difficult, as the attacker (usually an automated process) needs to first obtain the username; if you watch /var/log/secure you see a lot more attempts at root than others.

If you use applications that are not provided by your distro's standard distribution, subscribe to the mailing lists for those, as well. The idea being that the majority of hacks are known exploits... if you watch the mailing lists, you can at least solve the known problems soon after they become generally known.

Those are the minimum steps you need to take... it's thousands of times better than nothing. These are the 'easy' steps that get you a lot of security while minimally interfering with usability.

Going beyond here, you must recognize that in the optimal case, there is a tradeoff between usability and security. This is the optimal case; sometimes you can make things less usable without increasing security.

Beyond here, look at SELinux, look at mounting all user-accessible partitions (/tmp, /home/ and /var) as noexec and ensuring that nobody but root can write anywhere else... it doesn't help if you get rooted, but it makes things mildly more difficult for a local user to run a local root exploit. Some people remove development tools, because many people transport exploit code as C source code to the box, compile it and then execute it.

Many other things can be done... but don't bother until you take down unnecessary daemons, put up a firewall, subscribe to the announce lists for your distro, and disable remote root login.
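An added example, not from Luke or anyone else in the thread: a small sh/awk pass over /var/log/secure that counts sshd password failures per source address and how many of them targeted root, which is the signal Luke says to watch and the one a fail2ban-style ban is keyed on (fail2ban's time window is ignored here). LOG_SAMPLE is constructed with RFC 5737 test addresses; the line format assumed is the one OpenSSH logs on CentOS 5.

```shell
#!/bin/sh
# Added example (not from the thread): count sshd password failures per source
# address in /var/log/secure, the signal fail2ban acts on and the one Luke
# suggests watching. LOG_SAMPLE is constructed (RFC 5737 test addresses).

LOG_SAMPLE='Jun  7 03:12:01 web1 sshd[2201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Jun  7 03:12:03 web1 sshd[2203]: Failed password for root from 192.0.2.10 port 40130 ssh2
Jun  7 03:12:05 web1 sshd[2205]: Failed password for invalid user admin from 192.0.2.10 port 40141 ssh2
Jun  7 03:12:06 web1 sshd[2207]: Failed password for root from 192.0.2.10 port 40150 ssh2
Jun  7 03:15:44 web1 sshd[2250]: Failed password for filipe from 198.51.100.7 port 51002 ssh2
Jun  7 03:15:50 web1 sshd[2252]: Accepted password for filipe from 198.51.100.7 port 51002 ssh2
Jun  7 03:20:10 web1 sshd[2300]: Failed password for root from 203.0.113.5 port 3322 ssh2'
LOG=$LOG_SAMPLE                # on a real host: LOG=$(cat /var/log/secure)

# failures_by_ip: one line per source, "<ip> <failures> <failures against root>",
# most failures first. "invalid user" lines count too: the username field shifts
# but the address always follows the word "from".
failures_by_ip() {
    printf '%s\n' "$LOG" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            total[ip]++
            if ($0 ~ / for root from /) root[ip]++
        }
        END { for (ip in total) printf "%s %d %d\n", ip, total[ip], root[ip] + 0 }
    ' | sort -k2,2nr -k1,1
}

# offenders <threshold>: sources with at least <threshold> failures, i.e. the
# set a fail2ban-style rule would block (only listed here; nothing is changed,
# and fail2ban's findtime window is not modelled)
offenders() {
    failures_by_ip | awk -v n="$1" '$2 >= n { print $1 }'
}

failures_by_ip
echo "would block (>= 3 failures):"
offenders 3
```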
Re: [CentOS] Hardening CentOS by removing hacker tools
On Fri, Jun 6, 2008 at 7:54 PM, Luke S Crawford [EMAIL PROTECTED] wrote:
> Filipe Brandenburger [EMAIL PROTECTED] writes:
>> My boss asked me to harden a CentOS box by removing hacker tools, such as nmap, tcpdump, nc (netcat), telnet, etc.
>
> Removing network tools does not make it harder to break into the box, however, it can make it harder to do something with it once you are in. removing those tools might help keep an infection from spreading, but it wont protect the box itself. (also, just installing the programs just means that if your box get compromised, the hacker needs to install some new packages. Not difficult, even without root- the attacker can install to the compromised user homedir.)

But removing networking would :)

--
-matt
Re: [CentOS] Hardening CentOS by removing hacker tools
On Fri, 6 Jun 2008, Filipe Brandenburger wrote:
> Hi,
>
> My boss asked me to harden a CentOS box by removing hacker tools, such as nmap, tcpdump, nc (netcat), telnet, etc. I would like to know which list of packages would you remove from a base install. I would appreciate if someone could point me to a standard way of doing this. I know there are procedures for hardening a machine (I remember reading about Bastille Linux) but I don't know how effective they are and if they include the removal of such tools in their procedures.
>
> Any advice would be very appreciated!
>
> Thanks,
> Filipe

Assuming from the question that a) the box is already installed and b) the application for which it exists is installed via a well formed rpm...

(Tell your boss the box or the app may go down unexpectedly while you're doing this. This will almost certainly happen if condition b) is not met. And the app may not come back up right when you reboot the box or restart the app. Definitely schedule a power cycle or two for after you think you're done. Maybe freshen up your resume too. Probably should mention to the boss that if the app has gone through any internal certification process, you are probably going to invalidate it and he needs to talk to the development/end-user folks to schedule a recert.)

rpm -qa | sort > rpm.lst

Look at the list; anything you don't know what it is, rpm -qi. Season with a liberal dose of man -k package; man something and less /usr/share/doc/package. If you think you probably don't need it, yum erase. If it doesn't try to erase the application or something else necessary (like ssh or the kernel), say yes. Use yum, not rpm, so you have a record in /var/log/yum.log of what you did. Maybe start a screen session with history or a typescript session. Read everything c.a.r.e.f.u.l.l.y and slowly. Don't multitask. If you're really paranoid (twitch, twitch), run your application test suite after each deletion (you do have a test suite, right???).

Better, google for tiny centos and build a new box with the minimum on it. Then get the well formed application rpm from the vendor (evil laughter), put it in a local repository and use yum to install it and its dependencies. And do all the firewall, selinux, hosts.{allow,deny} and NSA stuff too.

Jim Wildman, CISSP, RHCE
[EMAIL PROTECTED]
http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best state, is a necessary evil; in its worst state, an intolerable one." Thomas Paine
Re: [CentOS] Hardening CentOS by removing hacker tools
On Fri, Jun 6, 2008 at 7:54 PM, Luke S Crawford [EMAIL PROTECTED] wrote:
> Removing network tools does not make it harder to break into the box, however, it can make it harder to do something with it once you are in.

That's the idea.

> (also, [not] installing the programs just means that if your box get compromised, the hacker needs to install some new packages. Not difficult, even without root- the attacker can install to the compromised user homedir.)

Not if /home and /tmp and /var/tmp are mounted with noexec,nodev,nosuid,...

> It sounds like your boss doesn't know much about this. you have 2 choices... You can do what he says (largely useless.) or you can try to educate yourself (and your boss) on ways to actually make your systems more secure.

Actually his argument (with which I agree) is that no box is uncompromisable. Once compromised, you want to limit what can be done from that box to reach more critical and secure parts of your network. Also, removing those tools certainly WON'T make the box LESS secure.

> First, turn off all daemons you don't need. if it's not running, you don't need to worry if there is a security hole in it.

This is a worry for this box because it will need to be particularly exposed to the world (that's inherent to its role).

> I think a good firewall is useful...
>
> apply security updates immediately
>
> make sure that PermitRootLogin is set to no in /etc/ssh/sshd_config
>
> Beyond here, look at selinux, look at mounting all user-accessible partitions (/tmp, /home/ and /var) as noexec
>
> some people remove development tools, because many people transport exploit code as c source code to the box, compile it and then execute it.

Yes, I'm doing all of those, including SELinux, and I'm planning on doing yet more (like chroot'ed SSH).

Thanks!
Filipe
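An added example, not from anyone in the thread: a sh/awk check of the PermitRootLogin setting recommended above, written to match how sshd reads its config (first uncommented occurrence of a keyword wins, keyword matching is case-insensitive, later duplicates are ignored), so a commented-out "#PermitRootLogin yes" is correctly reported as leaving the compiled-in default (yes in the OpenSSH that CentOS 5 ships) in force. CONFIG_SAMPLE is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check which PermitRootLogin value sshd
# would actually use. sshd honours the first uncommented occurrence of a
# keyword (case-insensitive) and ignores later duplicates; a commented-out
# "#PermitRootLogin yes" leaves the compiled-in default (yes in the OpenSSH
# shipped with CentOS 5) in force. CONFIG_SAMPLE is constructed.

CONFIG_SAMPLE='# constructed sshd_config sample
Port 22
#PermitRootLogin yes
permitrootlogin no
# a later duplicate is ignored by sshd:
PermitRootLogin yes
PasswordAuthentication yes'

# sshd_effective <config-text> <keyword>: value of the first uncommented
# occurrence of <keyword>, or "unset" if the compiled-in default applies
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == tolower(key) { found = 1; print $2; exit }
        END { if (!found) print "unset" }'
}

# permit_root_login_check <config-text>: "ok" or what needs changing
permit_root_login_check() {
    v=$(sshd_effective "$1" PermitRootLogin)
    case "$v" in
        no)    echo "ok" ;;
        unset) echo "unset: default (yes on CentOS 5) applies, add PermitRootLogin no" ;;
        *)     echo "PermitRootLogin is '$v', set it to no" ;;
    esac
}

permit_root_login_check "$CONFIG_SAMPLE"     # prints: ok
```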
Re: [CentOS] Hardening CentOS by removing hacker tools
On Fri, Jun 6, 2008 at 10:09 PM, Jim Wildman [EMAIL PROTECTED] wrote:
> Better, google for tiny centos and build a new box with the minimum on it.

Hmmm, that looks exactly like what I'm looking for! I'm actually trying to find someone who has already done the tough work and could give me some tips on what to expect on that path. I'll see what Google has to offer and if I find something useful I'll post it here.

Thanks!
Filipe