FYI, OpenBSD does this by default. :)
(no, this isn't a flame, I just figured I would let everyone know that there is an
OS that does this FOR you, and I thank you Ben for showing everyone how to do it
in Red Hat).
Benjamin Scott wrote:
> Hello list,
>
> In an attempt to provide some *useful* information about DNS server security
> to the list, ;-), here is the procedure I use to lock down ISC BIND's named on
> a Red Hat Linux 6.2 system. I am reporting on RHL 6.2 because that is what I
> use, but a lot of this information applies generically.
>
> First, obtain and install the 8.9.3 release of the Red Hat BIND RPMs.
> These are Red Hat Errata Updates. Earlier releases have serious known
> security holes!
>
> Edit the /etc/rc.d/init.d/named file. Change the "daemon" command to read as
> follows:
>
> daemon named -t /var/named -u named -c named.conf
>
> Save the file and exit. The "-t /var/named" puts named(8) in a chroot jail,
> and "-c named.conf" is required to locate the config file once you do that.
> The "-u named" is part of the updated Red Hat package; it causes named to run
> as user named, group named, rather than root/root.
>
> Now, run these commands:
>
> cd /etc
> mv named.conf /var/named
> ln -s ../var/named/named.conf
>
> These commands move the config file to /var/named, where it needs to be for
> a chroot'ed daemon to access it. It also puts a symlink in the original
> location, so that people and programs do not get confused. Next do this:
>
> cd /var/run
> rm ndc
> ln -s ../named/ndc
>
> That sets up a symlink to the (not yet present) named control socket, so that
> ndc(8) will still work.
>
> Now, check the permissions on /var/named. It and its children should
> generally be user-owned by root, group-owned by named, and writable only by
> root. You can limit read (and execute for dirs) to the named group only
> (640), or make them world readable (644) -- your choice.
>
> Edit your named.conf file, and change the directory line to read:
>
> directory ".";
>
> The named directory will become the current directory once the chroot is done.
>
> You also need to add these lines for the ndc control socket to be created
> correctly:
>
> controls {
> unix "ndc" perm 0600 owner 0 group 0;
> };
>
> That tells named to create the ndc socket in the current directory
> (/var/named), owned and restricted to root.
>
> If you are using any slave zones or custom log files, you will need to
> create separate subdirectories for them, and make the permissions on those
> directories 775 (rwxrwxr-x), owned by root.named, so that named can write its
> files.
>
> Restart named, and make sure it comes up okay.
>
> After doing this, named will no longer write messages to the syslog daemon,
> presumably because it is chroot'ed and cannot access /dev/log. I have not
> solved this issue yet, but if you are using custom named channels and log
> files instead of the default syslog, you will not be affected.
>
> I hope this helps someone!
>
> --
> Ben Scott <[EMAIL PROTECTED]>
> Net Technologies, Inc. <http://www.ntisys.com>
> Voice: (800)905-3049 x18 Fax: (978)499-7839
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************