On Tue, Mar 07, 2006 at 11:42:23PM -0500, Peter wrote:
> Hi.  I've set up several firewalls with OpenBSD but I have yet to go to
> any extremes regarding "hardening".  So far I have updated the source
> (stable), recompiled the system & kernel, removed the source code,
> turned off inetd, and set up a tight pf.conf.  I have been reading up
> on an interesting strategy of removing tons of executables, storing
> them on a cd, and setting up symlinks to the cd mount point so they can
> be accessed when needed.
> 
> My firewall will be providing internet access (NAT) to a small office
> lan (not mine).
> 
> What strategies are others using in this area?

As mentioned, restrict sshd(8). Ideally, turn it off, but that's not
usually necessary/possible.

Depending on how far you're willing to deviate from base, some other
tricks:
        1. Use sudo exclusively - set an empty or nonsense root password
        2. Use public key authentication only for sshd(8), and restrict
which users can log in.
        2a. If you really need something password-like, use S/KEY.
        2b. If neither is feasible, audit the passwords (use John the
Ripper for existing passwords; some schemes exist to act when setting
new passwords)
        3. Restrict the use of ports, and research into the security of
a program before installing. mail/postfix is unlikely to open too many
holes; www/php5 is best left alone, if security is the goal [1].
        4. Audit suid/sgid executables - quite a few are not needed on a
minimalist system, but again - breaking stuff will lead to other stuff
breaking. (Where 'audit' will typically mean 'remove any that are not
needed' - the other end, a full source audit, is very, very
time-consuming and difficult.)
        5. Monitor the appropriate lists (did you know about the pf DoS
problems in 3.8-rel? They are not in the patches, and very unlikely to
cause trouble, but it's good to know what not to do).

Actually, regarding 1 - I find myself wondering whether logging in as
root, where no suspicious stuff in my own account can reach me, is not
preferable to using sudo (which is trivially subverted with a single
line in .profile). Does anyone have a good opinion on this? (Yes, I know
that root is not to be used for trivial matters, and yes, I know when to
log out.)
Of course, sudo does have the invaluable side effect of producing quite
informative log files.

Removing (non-s*id) binaries and sources, while annoying to an attacker,
is also quite annoying to the system administrator and will not stop a
knowledgeable attacker anyway.

                Joachim

[1] Of course, PHP is quite often impossible to avoid - it *is* the
biggest in what it does, after all.
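A check for item 4 in the list above, added here as an example and not code from the thread or from OpenBSD: it lists set-uid/set-gid files under a root, compares them with an allowlist, and can clear the bits on anything unlisted. The function names, the allowlist format and the scratch tree in the demo are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: audit set-uid/set-gid executables
# under ROOT against an allowlist (one path per line, relative to ROOT,
# e.g. "usr/bin/su") and optionally clear the bits on anything not listed,
# which is the "remove any that are not needed" reading of item 4.

# list_setid ROOT: every regular file under ROOT with the set-uid or
# set-gid bit, relative to ROOT, one per line, sorted. ROOT may be "/".
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sed "s|^${1%/}/||" | sort
}

# audit_setid ROOT ALLOWFILE: print set-id files not in ALLOWFILE.
# Returns 0 when the tree matches the allowlist, 1 otherwise.
audit_setid() {
    unexpected=$(list_setid "$1" | grep -v -x -F -f "$2" || true)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
}

# strip_setid ROOT ALLOWFILE: clear set-uid and set-gid on every file
# audit_setid reports, so a second audit comes back clean.
strip_setid() {
    audit_setid "$1" "$2" | while IFS= read -r f; do
        chmod u-s,g-s "${1%/}/$f"
    done
}

# demo_setid: exercise the above on a scratch tree of constructed, empty
# files (nothing on the real system is touched); prints the flagged
# paths and removes the scratch tree afterwards.
demo_setid() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/bin" "$d/usr/libexec"
    : > "$d/usr/bin/su";         chmod 4555 "$d/usr/bin/su"          # allowed
    : > "$d/usr/bin/oldtool";    chmod 4555 "$d/usr/bin/oldtool"     # flagged
    : > "$d/usr/libexec/helper"; chmod 2555 "$d/usr/libexec/helper"  # flagged
    : > "$d/usr/bin/plain";      chmod 0555 "$d/usr/bin/plain"       # no bits
    printf 'usr/bin/su\n' > "$d/allow"
    audit_setid "$d" "$d/allow" || true   # nonzero only means something was flagged
    rm -rf "$d"
}

# Live use: audit_setid / /etc/setid.allow
# then, after reviewing the output: strip_setid / /etc/setid.allow
```

Build the allowlist from a fresh install's `list_setid /` output after removing what the machine does not need, and re-run the audit after every upgrade or package install.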
