On Tue, Feb 27, 2001 at 09:49:33PM +1100, chesty wrote:
> We had our linux firewalls audited and I wanted to get some opinions on some
> of the issues raised.
The good old firewall audit... Yet to find an auditor who returns a
worthwhile report...
> We were advised to turn sshd PasswordAuthentication off because it allows
> clear text passwords.
> hey? That doesn't sound right.
Nope, it's not right. The session will still be encrypted.
There are arguments for not allowing passwords, but they aren't particularly
good ones.
> Mount partitions read only where possible.
> I guess this is a good idea, but in what situation would this add security?
> You need to be root to be able to write to the partitions that I could mount read
> only, and if someone gets root, they can remount partitions read write.
I presume this is referring to /usr in particular? Is every single file
on /usr owned by root? If not, then what you've said above isn't correct.
If you've got any binaries owned by non-root (eg, "bin") then if someone
can get access to the bin account then they can modify binaries. Ditto for
group write permissions on those files.
Even if all files are root, there's still advantages to making things RO.
eg, consider if you've got a security hole (ie, bug) which allows a user
to upload a binary, but not to actually run it. If things are mounted
RW it's very easy to upload a new /usr/bin/ls and you're up the creek.
Of course, you could just upload something into a different partition which
is read-write (/etc maybe?), but given that we're talking about a firewall,
every little bit helps! The fact that some script kiddie can't just run
the script they downloaded to replace /bin/ls is probably enough to make
them move onto the next machine.
> Remove man pages.
> Again, I can't see the harm in doing this, but I can't see the point.
A firewall should be an absolutely minimalist build. You shouldn't have
anything there which isn't needed, regardless of what it is.
> Remove unnecessary binaries.
> A good idea no doubt, but the firewall doesn't allow shell access, and the
> way I see it is if someone gets shell access they can upload their own binaries.
>
> It doesn't mention it in the report, but would mounting /home, /tmp and /var with
> noexec help? It might stop a non root user from running their own programs, but it
> won't stop root.
Same argument as above. Users may not have shell access, but that's not the
point - what happens if a hacker gets access!! Either full shell access, or
even just the ability to run a single command via a bug in a program you're
running (without the ability to upload one first).
In particular, you should make sure you have as few suid/sgid programs
installed as possible. Even programs which normally need SUID to run can probably
have it dropped - it just means you need to run them as root.
Doing all of the above might mean that your firewall is now (say) 2% more
secure. If this was any other machine, you probably wouldn't be too worried
by such a small improvement, but when you're talking about a firewall,
every last thing helps!
Some of the above may fit into the security-by-obscurity category, but
as far as I'm concerned, security by obscurity never hurts - as long as
you're not relying on it as your primary defence. We live in a world
where exploits to the latest bugs are in the hands of the "hackers" of
the world within hours of the bugs being found. If your extra security
measures mean that the default exploit fails on your machine because
/usr is mounted read-only, or because /usr/bin/lpr isn't installed on
your machine then they will move onto the next machine - even if yours
is still vulnerable to the bug using a different exploit! Hopefully
by the time a "real" "hacker" decides to try your box, you'll have had
time to fix the hole.
Our standard Solaris build for a server which sits on the internet (not
actually a firewall, but similar) contains about 50 megs total. It listens
on a single port (ssh, but not on port 22), has two SUID binaries (su, and
something else which I forget), has /usr mounted readonly and every other
partition mounted nosuid, and only runs about a dozen processes (plus
any for whatever the machine is for of course :)
Scott.
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
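The checks Scott describes (is /usr read-only, are the writable partitions nosuid/noexec, which binaries are setuid, and is anything under /usr owned by someone other than root or group/world writable) can be scripted. The following is an added example, not code from the original thread or from SLUG; it runs over constructed sample input so it works offline, and the mount points, file names and the expected-option table are assumptions for illustration. On a real host you would feed it /etc/fstab and the output of `find / -xdev -printf "%M %u %g %p\n"` (GNU find) instead of the embedded samples.

```shell
#!/bin/sh
# Offline audit of the mount-option and setuid advice from the thread.
# All inputs below are constructed samples (not from any real host).

# Constructed /etc/fstab excerpt.
SAMPLE_FSTAB='/dev/sda1 / ext2 defaults 1 1
/dev/sda2 /usr ext2 defaults 1 2
/dev/sda3 /var ext2 nosuid 1 2
/dev/sda4 /tmp ext2 nosuid,noexec 1 2
/dev/sda5 /home ext2 defaults 1 2'

# Constructed file listing in "mode owner group path" form, the shape
# produced by: find / -xdev -printf "%M %u %g %p\n"
SAMPLE_FILES='-rwsr-xr-x root root /bin/su
-rwsr-xr-x root root /usr/bin/lpr
-rwxr-xr-x bin bin /usr/bin/ls
-rwxrwxr-x root adm /usr/sbin/helper
-rwxr-xr-x root root /usr/bin/cat
-rwxr-xr-x root root /usr/lib/libc.so'

# Mount options we want per mount point (assumed policy): /usr read-only,
# the writable data partitions nosuid and noexec.
wanted_options() {
  case "$1" in
    /usr) echo "ro" ;;
    /var|/tmp|/home) echo "nosuid noexec" ;;
    *) echo "" ;;
  esac
}

# Print one WARN line for every wanted option missing from a mount point.
check_mounts() {
  printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
    case "$dev" in ''|'#'*) continue ;; esac
    for want in $(wanted_options "$mnt"); do
      case ",$opts," in
        *",$want,"*) ;;
        *) echo "WARN: $mnt is missing mount option $want" ;;
      esac
    done
  done
}

# Print one line per setuid/setgid file, and a WARN for every file under
# /usr that is not owned by root or is group/world writable: each of those
# lets a non-root account replace a system binary even on a RW filesystem.
check_files() {
  printf '%s\n' "$1" | while read -r mode owner group path; do
    [ -z "$mode" ] && continue
    # 4th char is the setuid bit, 7th char the setgid bit (s or S).
    case "$mode" in
      ???[sS]*|??????[sS]*) echo "SUID/SGID: $path ($owner:$group)" ;;
    esac
    case "$path" in
      /usr/*)
        if [ "$owner" != root ]; then
          echo "WARN: $path owned by $owner, not root"
        fi
        # 6th char is group write, 9th char is world write.
        case "$mode" in
          ?????w*|????????w*) echo "WARN: $path is group or world writable" ;;
        esac
        ;;
    esac
  done
}

echo "== mount options =="
check_mounts "$SAMPLE_FSTAB"
echo "== setuid and ownership =="
check_files "$SAMPLE_FILES"
```

Against the sample data the mount check flags /usr (no `ro`), /var (no `noexec`) and /home (neither option); the file check lists the two setuid binaries and warns about /usr/bin/ls being owned by bin and /usr/sbin/helper being group writable. Fixing the first class on a live system is `mount -o remount,ro /usr`; the second is `chmod u-s` on anything that does not strictly need the bit, as Scott suggests.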