AIT ITServ & Lab Supervisors Meeting
- Practical How-To for System and Network Security
- ITServ Plans on Policies and Services
Alain Fauconnet <[email protected]>
Security Specialist / CISO
March 31, 2003
Presentation Roadmap
1. Introduction
   1.1. Attacks are not only for others
   1.2. Potential damage
2. Basic security how-to
   2.1. General recommendations
   2.2. Rule #1: Install and configure carefully
   2.3. Rule #2: Keep software up-to-date
   2.4. Rule #3: Servers are not workstations
   2.5. Rule #4: Monitor your servers and network
   2.6. Rule #5: Do network filtering
3. Useful links and resources
4. ITServ plans
   4.1. Local resources
   4.2. Support and consulting
   4.3. Services
   4.4. Policies
1. Introduction
1.1. Attacks are not only for others
• Frequent lack of real concern about security
  – "I have no confidential data"
  – "I have such a small network, I'm not concerned"
  – "Hackers/abusers inside. So what? Still works…"
  – Too often: "I have no clue" :)
• Too many misconceptions
  – "Hackers only target (large) (US) businesses"
  – "I've switched to Unix (Linux), so I'm safe"
  – "I'm protected by AIT global filtering"
  – "Security is expensive and requires experts"
• The facts
  – All AIT networks are being scanned by hackers several times a day; known vulnerabilities are actively searched for
  – Your network has already been scanned today!
  – Academic networks are especially targeted
  – Filtering at the AIT border cannot protect you from all kinds of attacks (there will be more Nimda and SQLslammer-like worms)
  – Attacks from inside AIT are likely (more and more to come)
  – Not only servers open to the Internet are exposed
• The facts (cont.)
  – Basic system and network security:
    • is simple: install and configure properly, update, be consistent
    • requires just serious, consistent people with fair IT experience
    • blocks 80% (at least) of attacks
    • can save you a lot of time, effort and money
  – You will learn 5 recipes today: use them!
• The facts (cont.)
  – An unpatched, unsecured Red Hat Linux server is at least as vulnerable as Windows
  – Windows 2000 (even with SP3) is not safe
  – A misconfigured firewall can make your security worse than no firewall at all
    • gives a wrong feeling of safety
    • protect servers first, then set up a firewall if you wish and if you can
1. Introduction
1.2. Potential damage
• Hackers use the network bandwidth we all share and server resources that you have paid for
• Damage to the services you provide
  – Downtime for legitimate users
  – Defaced web site (reputation, confidence, image)
  – Loss or alteration of data
  – Wasted time and effort to repair the damage
• Leaking of confidential data
  – From LAN sniffing also (data from other servers)
• Damage to the services we all use
  – Slow network connections
  – Slow servers
  – Part or all of AIT networks / domains banned from major sites
    • Loss of connectivity
    • Cannot send e-mail
• Legal liability
  – Attacks on other sites / networks from your network
  – Offensive or illegal material on your servers
2. Basic Security How-To
2.1. General recommendations
• This simple how-to can avoid at least 80% of the break-ins currently seen
• Do it for all servers (new and old)
• This is an ongoing task: never finished
• Assign someone to handle security (can be part-time): this person must have the authority to check that the following rules are applied
• Don't trust people saying that buying extra software will do it for you
2. Basic Security How-To
2.2. Rule #1: Install and configure carefully
• Do not do full or default installations of the operating system
  – Lots of useless and dangerous software packages get installed
  – Alternative: do a full or default install, then immediately uninstall the packages that you don't use
• Red Hat Linux installation
  – Consider alternative Linux distributions, e.g.:
    E-smith at http://www.e-smith.org/
    Trustix at http://www.trustix.net/
  – Consider FreeBSD instead of Linux
• Windows 2000
  – Unless specifically needed, do not install any of: Networking Services, Other Network File and Print Services, Remote Installation Services, Remote Storage, Terminal Services, Windows Media Services...
• Windows 2000 (cont.)
  – Do not install unused parts of IIS: SMTP, NNTP…
    • Note: SMTP is needed by Active Directory replication
    • Configure replication to use the RPC transport instead
    • An Internet server should not handle this anyway
• Windows 2000 (cont.)
  – Disable the features of IIS you don't need using the Microsoft IIS Lockdown Tool
    http://www.microsoft.com/technet/security/tools/locktool.asp
  – The defaults suggested by the tool are generally OK
• Windows 2000 (cont.)
  – Install a virus scanner on Windows servers
    • AVG is a very decent free virus scanner with automatic update
    • Download it from: http://www.grisoft.com
    • Registration needed; use a "disposable" e-mail address just in case, but no report of spamming yet
    • The free version could well disappear due to the current IT business context: enjoy it while it lasts
    • Commercial virus scanner: Sophos highly recommended: http://www.sophos.com
      – far fewer problems than with McAfee, Norton
      – free updates
• Windows 2000 (cont.)
  – Remove Outlook Express in any case: there is no good reason to have it on a server
  – Install an alternate web browser; Mozilla is a good choice: http://www.mozilla.org
  – IE is quite difficult to remove completely
    • make it a policy not to use it
    • better: use Windows ACLs to prevent its usage (details upon request)
• Red Hat Linux installation
  – Use an up-to-date distribution: Red Hat Linux 7.2 at least, never 7.0 or earlier
    • not a file server: do not install nfs*, samba, portmap
    • not a name server: do not install bind*
    • not a mail server: do not install imap, sendmail
    • not a web server: do not install apache*
    • not a DB server: do not install MySQL*, postgresql*
    • unless specifically needed, do not install dhcpd, finger-server, anonftp, bootparamsd …
  – Uninstalling a Linux RPM package:
    # rpm -e --nodeps packagename ...
• Unix configuration: disable all services not needed
  – Services started by connection: file /etc/inetd.conf
    finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
    Comment out unwanted services by adding '#':
    #finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
    Should be commented out unless specifically needed: ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth, gopher, time, linuxconf (Linux-specific) … almost all lines
    • Red Hat 7.1+ uses xinetd.conf, which can be managed by chkconfig (see next slide)
• Disable all services not needed
  – Services started at boot time: start-up scripts
    • Details vary a lot from Unix to Unix
    • Red Hat Linux start-up scripts are controlled using the chkconfig command:
      # chkconfig --list          list all services
      # chkconfig service off     disable a service
      # chkconfig service on      enable a service
  – Unless needed, you should disable: sendmail (if not a mail server), portmap, nfs, nfslock, netfs, all r*d (rusersd …), all yp* (ypbind…), lpd, samba, identd, named (if not a name server), httpd (if not a web server), snmpd, xfs, amd
  – Unix start-up scripts (cont.)
    • Most other Unix (and Linux too): rename files in the rcN.d (N = 2, 3…) directories. Solaris has /etc/rcN.d. E.g.:
      # cd /etc/rc2.d
      # mv S73nfs.client _S73nfs.client
  – E.g. for Solaris, you should disable: S73nfs.client, S74autofs, S80lp, S88sendmail (if not a mail server), S15nfs.server, S76snmpx, S77dmi
    • Other kinds of Unix: use the administration tools
      – FreeBSD: /stand/sysinstall, "Do post-install configuration"
      – HP-UX: sam
      – AIX: smit
      – Refer to the documentation, but the target should be to disable NFS, RPC, remote printing, SNMP, SMTP server...
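The two mechanisms above (commenting out inetd.conf entries, and renaming S* start-up scripts in an rcN.d directory) as an added script, not code from the slides. It works on copies of the files so the result can be checked first; the inetd.conf lines and rc script names in the demo are constructed sample data for a machine that is only a mail server.

```shell
#!/bin/sh
# Added example (not from the original slides): disable unneeded network
# services the two ways the slides describe. Assumes POSIX sh with awk.
# The sample inetd.conf and rc2.d contents below are constructed.

# Print the service names (first field) of the active lines of an inetd.conf.
inetd_active_services() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { print $1 }' "$1"
}

# Comment out every active line of the inetd.conf given as $1 whose service
# name is one of the remaining arguments; lines already commented are kept.
disable_inetd_services() {
    conf=$1; shift
    tmp="$conf.$$"
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comment or blank: keep
        ($1 in off)              { print "#" $0; next }   # unwanted: disable
                                 { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Disable a start-up script in an rcN.d directory ($1) by renaming
# S<nn><name> to _S<nn><name>, as the slides do on Solaris. Returns 1 when
# no such script exists, so a typo in the name does not pass silently.
disable_rc_script() {
    dir=$1; name=$2; found=0
    for f in "$dir"/S[0-9][0-9]"$name"; do
        [ -e "$f" ] || continue
        mv "$f" "$dir/_$(basename "$f")" && found=1
    done
    [ "$found" -eq 1 ]
}

# --- demo on constructed data -------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir "$DEMO/rc2.d"
cat > "$DEMO/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp  nowait  root    /usr/sbin/tcpd  imapd
EOF
for s in S15nfs.server S73nfs.client S74autofs S80lp S88sendmail; do
    : > "$DEMO/rc2.d/$s"
done

# Mail server: keep pop-3 and imap (and sendmail at boot), switch the rest off.
disable_inetd_services "$DEMO/inetd.conf" ftp telnet finger auth talk
for svc in nfs.server nfs.client autofs lp; do
    disable_rc_script "$DEMO/rc2.d" "$svc"
done
echo "still active in inetd.conf: $(inetd_active_services "$DEMO/inetd.conf" | tr '\n' ' ')"
echo "rc2.d now: $(ls "$DEMO/rc2.d" | tr '\n' ' ')"
```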
• Enforce a strict login/password policy
  – One person = one login account; do not use shared accounts ("operator", project account…)
  – Minimise root/administrator account usage: only when needed, not for daily work
  – Require correct passwords
    • no password = login name
    • no default password (especially empty!)
    • no password = name of department
    • no password = nickname
    • no single words found in a dictionary
    • etc… Everyone knows this already!
• Have a strict policy on remote administration
  – Only when really needed, and from a very small number of client workstations (see "filtering")
  – On Unix, do not allow direct remote login as root: log in as a normal user and use su, or better sudo
  – Use only standard and well-known tools
  – Avoid home-made web-based admin tools
  – Good Unix web-based administration tool: Webmin, http://www.webmin.com/
  • Do not use telnet and FTP!
• Remote administration (cont.)
  – Require strong encryption and authentication
    • Unix: install and use SSH ("encrypted telnet"), not standard telnet
      – the ssh server is part of Linux and FreeBSD
      – for other Unix: download from http://www.openssh.org/
      – ready-to-install binaries for Solaris at: http://www.sunfreeware.com/
      – freeware Windows SSH client (terminal emulator): TeraTerm Pro with SSH extension
        http://hp.vector.co.jp/authors/VA002416/teraterm.html
        http://www.zip.com.au/~roca/ttssh.html
    – SSH can do file upload/download too: use the freeware WinSCP client for Windows (http://winscp.vse.cz/eng/)
• Remote administration (cont.)
  – Require strong encryption and authentication
    • Windows: use a recent version of PC Anywhere with encryption set at least to "PCAnywhere"
    • Windows Remote Desktop has encryption always on
    • Avoid VNC (freeware PCAnywhere-like) except over an encrypted tunnel
2. Basic Security How-To
2.3. Rule #2: Keep your software up-to-date
• Fact: an off-the-CD, unpatched installation of Red Hat Linux or Windows + IIS put on the Internet is usually hacked within 3 weeks
• All standard O/S distributions have many serious security holes: apply critical patches
• Check the vendor web site once a week for new vulnerabilities, or subscribe to alert mailing lists: CERT, SecurityFocus, SANS...
• The information in the next slides will be outdated very soon...
• Windows (W2K) servers
  – CodeRed and Nimda exploit bugs in IIS that have been known since May 2001
    "There's no patch for negligence and laziness"
  – Microsoft reference page for Nimda: http://www.microsoft.com/technet/security/topics/Nimda.asp
  – SQLslammer exploits a bug in MS-SQL that has been known since July 2002
  – Microsoft reference page for SQLslammer: http://www.microsoft.com/security/slammer.asp
  – Microsoft starting point page for security: http://www.microsoft.com/technet/security/
• Windows (W2K) servers (cont.)
  – Bringing up a (reasonably) safe (to external attacks at least) Windows 2000 server is simple:
    • 1) Install Windows and IIS (correctly, see rule #1)
    • 2) Install Service Pack 3
      http://www.microsoft.com/windows2000/downloads/servic…
    • 3) Install hotfixes MS02-052, MS02-065, MS03-001
    • 4) If your server has MS-SQL, install MS-SQL SP3
      http://www.microsoft.com/sql/downloads/2000/sp3.asp
    • 5) Don't forget to patch Internet Explorer too: IE 6 SP1, and patch it
      http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/
      http://www.microsoft.com/technet/security/bulletin/MS03-004.asp
    • 6) Reminder: remove Outlook Express! There is no good reason to have it on a server.
• Windows (W2K) servers (cont.)
  – If infected:
    • Back up data, format, reinstall and patch! If you don't patch, you will get infected again
    • Do not rely on "cleaners": they cannot handle 100% of the infection variants
    • Restore your data
    • Check all your HTML and JavaScript files: delete all added links to *.EML files
    • Delete any README.EML or *.EXE file in your data
• Windows (W2K) servers (cont.)
  – Use automated tools to check against the latest security patches
  – Windows automatic update (installed with SP3), in the Control Panel
    • + already installed
    • + easy to use
    • - gives little control over what is installed
  – Microsoft HotFix Checker (new version)
    http://www.microsoft.com/technet/security/tools/hfnetchk.asp
    • + can scan your network from a single point
    • + on-line checking: always up-to-date (well, nearly)
    • + just tells you what you should install, doesn't install anything
    • + can run on NT4/IIS4, W2K/IIS5, XP/IIS6
    • - command-line console application
  – Microsoft "Hot Fix Checker" (cont.)
    1) Download and install. It can be installed anywhere; suggested:
       C:\Program Files\Hotfix Checker
    2) Open a "Command Prompt" window. Do not run it from Explorer
    3) Change to the directory where it is installed:
       cd "\Program Files\Hotfix Checker"
    4) Run the program:
       hfnetchk -v -z -s 1 -nosum
    5) Check the results: look for "Patch not found MSXX-YY"
    6) Search for the missing patches MSXX-YY on the Microsoft TechNet security site http://www.microsoft.com/technet/security/
    7) Install them!
    Options described in detail at: http://support.microsoft.com/support/kb/articles/q303/2/15.asp
  – Shavlik's HFNetChkPro
    • improved version of Microsoft's tool with a GUI, much easier to use
    • not free, but a free "Lite" version is available for networks up to 50 nodes
      http://www.shavlik.com/pHFNetChkLT.aspx
• Linux servers: Red Hat covered in this presentation, other distributions similar
  – Check: http://www.redhat.com/apps/support/errata/
  – Review all Security Errata (= bugs!)
  – At least, install all update RPMs mentioning "remote root" or "remote compromise" in the description, and all related to: kernel, ftpd, wu-ftpd, lpd, lprng, rpc, portmap, sendmail, pop, imap, linuxconf, [open]ssh, apache
• Linux servers (cont.)
  – How to install an updated RPM on Red Hat Linux:
    1) download the RPM, e.g. wu-ftpd-2.6.0-14.6x.i386.rpm
    2) type:
       # rpm -Uvh name-of-RPM
       e.g.:
       # rpm -Uvh wu-ftpd-2.6.0-14.6x.i386.rpm
  Other useful commands:
    • rpm -q -a                     lists installed RPMs
    • rpm -ivh name-of-RPM          installs an RPM
    • rpm -e --nodeps name-of-RPM   uninstalls an RPM
    • rpm -V name-of-RPM            checks an installed RPM
  – Most critical vulnerabilities in Red Hat Linux 7.x:
    • OpenSSH (ssh server and client) http://rhn.redhat.com/errata/RHSA-2002-043.htm
    • OpenSSL (used by Apache) https://rhn.redhat.com/errata/RHSA-2002-155.html
    • Kernel http://rhn.redhat.com/errata/RHSA-2001-130.html and http://rhn.redhat.com/errata/RHSA-2003-098.html
    • BIND (DNS server) http://rhn.redhat.com/errata/RHSA-2001-007.html
    • LPRng (print server) http://rhn.redhat.com/errata/RHSA-2000-065.html
  – Most critical vulnerabilities in Red Hat Linux 7.x (cont.):
    • xntp3 (time daemon) http://rhn.redhat.com/errata/RHSA-2001-045.html
    • telnetd (telnet server) http://rhn.redhat.com/errata/RHSA-2001-099.html
    • ucd-snmp-utils (SNMP server) http://rhn.redhat.com/errata/RHSA-2001-163.html
    • sendmail (SMTP server) http://rhn.redhat.com/errata/RHSA-2003-073.html
    Some may only apply to 7.0, 7.1 or 7.2; check the web pages
  – Most critical vulnerabilities in Red Hat Linux 8.0:
    • Kernel http://rhn.redhat.com/errata/RHSA-2003-098.html
    • sendmail (SMTP server) http://rhn.redhat.com/errata/RHSA-2003-073.html
    • Apache, mod_ssl, PHP http://rhn.redhat.com/errata/RHSA-2002-222.html
  – Use automatic update
    • register with the Red Hat Network (needed):
      # up2date --register
    • configure the update agent to your preferences:
      # up2date --configure
    • run a full update:
      # up2date -u
    • use the option --nox for non-GUI (text) mode
    • Full documentation at: http://rhn.redhat.com/help/basic/index.html
• Sun Solaris (on Sun hardware or PC)
  – Check: http://sunsolve.sun.com, click on "Security Bulletin Archive"
  – Install the Recommended Patch Bundles: click on "Recommended & Security Patches" according to platform (SPARC or x86) and version
    • 2.6 = 5.6
    • 2.7 = 5.7 = 7      (Sun likes confusing version numbering...)
    • 2.8 = 5.8 = 8
  – Free download: no need for a support contract
• Sun Solaris (cont.)
  – How to install a patch bundle (e.g. for Solaris 7):
    1) download the zip file
    2) unzip it in a temporary directory (100 MB++)
       # unzip 7_Recommended.zip
    3) start the automatic installation script (as root)
       # cd 7_Recommended
       # ./install_cluster
    4) wait for a long time
    5) reboot
• Special care for name servers
  – All versions of BIND (the standard Unix DNS name server) prior to the 8.2.3 final release have severe security bugs allowing remote root compromise
  – Updates for Red Hat Linux and recommended patch bundles for Sun Solaris take care of this, or:
  – Compile and install BIND version 8.2.4 at least (9.1 OK but requires migration work) from: http://www.isc.org/
2. Basic Security How-To
2.4. Rule #3: Servers are not workstations
• Buy new machines for servers, or do a full re-format and re-install if you recycle hardware
• Do not use workstations to bring up network services (file server, web server…)
• Convince your staff not to use servers as workstations
  – No web browsing except trusted sites, and not using IE except when browsing Microsoft's sites
  – On Windows, no e-mail activity, especially not using Outlook
  – No installation of any program not directly related to server operation and administration
  – Avoid program development on servers whenever possible
2. Basic Security How-To
2.5. Rule #4: Monitor your servers and network
• Any sudden change in load is suspicious
• Monitor the traffic on your link to the Internet
  – If you have manageable switches (with SNMP support), bring up MRTG to show per-port traffic
  Real case: a huge rise in outgoing traffic = scans being launched from a compromised server
• Monitor CPU load on your servers
  – Task Manager on Windows (Ctrl-Alt-Del, click on the "Task Manager" button)
  – The top command on Unix
• Look for unusual processes running
  – Become familiar with the names of the processes running on your server during normal operations
  – Check for any new process running
  – If so, find out what it is
• Look for unusual processes (cont.)
  – Windows: use the Processes list of Task Manager
• Look for unusual processes (cont.)
  – Unix: use the ps command
    • Linux, FreeBSD: ps -auxww
    • Solaris, HP-UX, AIX: ps -ef
    # ps -auxww
    USER  PID %CPU %MEM  VSZ RSS TTY STAT START  TIME COMMAND
    root    1  0.0  0.0  344  80 ?   S    Jan17  2:20 init [3]
    root    2  0.0  0.0    0   0 ?   SW   Jan17  0:03 [kflushd]
    root    3  0.0  0.0    0   0 ?   SW   Jan17  6:53 [kupdate]
    root    4  0.0  0.0    0   0 ?   SW   Jan17  0:00 [kpiod]
    root    5  0.0  0.0    0   0 ?   SW   Jan17  0:04 [kswapd]
• Look for automatically started programs
  – Linux (Red Hat): check for new or modified scripts in /etc/rc.d and below
  – Windows: use REGEDIT to look at the keys under
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    or run MSCONFIG and look at the "Startup" tab
• Look for new user names
  – Windows: check with the User Manager
  – Unix: check the /etc/passwd file
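The "new process" and "new user name" checks of the last slides, as an added script that is not part of the original presentation: it saves a baseline of process names and accounts seen during normal operation, then reports whatever appears later. It assumes POSIX sh with awk/sort/comm and the Linux/FreeBSD "ps -auxww" column layout shown above; all ps and passwd lines in the demo are constructed, and the extra process and account are invented.

```shell
#!/bin/sh
# Added example (not from the original slides): baseline-and-diff of process
# names and user accounts. Assumes POSIX sh; sample data below is constructed.

# From "ps -auxww" output on stdin, print the distinct command names
# (11th column, kernel-thread brackets and leading path removed), sorted.
ps_commands() {
    awk 'NR > 1 { c = $11; sub(/^\[/, "", c); sub(/\]$/, "", c)
                  n = split(c, p, "/"); print p[n] }' | LC_ALL=C sort -u
}

# From an /etc/passwd-style file on stdin, print the user names, sorted.
passwd_users() {
    awk -F: 'NF >= 7 { print $1 }' | LC_ALL=C sort -u
}

# Print entries present in the current list ($2) but absent from the
# baseline ($1). Both files must be sorted, as the functions above produce.
new_entries() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Record a baseline from the live system into directory $1 (not run in the
# demo below, because it reads the real ps output and /etc/passwd).
save_baseline() {
    ps -auxww | ps_commands > "$1/ps.base"
    passwd_users < /etc/passwd > "$1/users.base"
}

# --- demo on constructed data -------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/ps.normal" <<'EOF'
USER  PID %CPU %MEM  VSZ  RSS TTY STAT START  TIME COMMAND
root    1  0.0  0.0  344   80 ?   S    Jan17  2:20 init [3]
root    2  0.0  0.0    0    0 ?   SW   Jan17  0:03 [kflushd]
root  412  0.0  0.1 1200  480 ?   S    Jan17  0:00 /usr/sbin/sshd
root  530  0.0  0.2 2100  900 ?   S    Jan17  0:10 /usr/sbin/sendmail -bd -q1h
EOF
# The same machine later: every usual process plus one nobody recognises,
# burning CPU (the "sudden change in load" the slides call suspicious).
{ cat "$DEMO/ps.normal"
  echo 'nobody 9911 97.0 0.3 3300 1200 ? R 14:02 55:10 ./unknownd'
} > "$DEMO/ps.later"
cat > "$DEMO/passwd.normal" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
user1:x:500:500:User One:/home/user1:/bin/bash
EOF
{ cat "$DEMO/passwd.normal"
  echo 'webtest:x:0:0::/tmp:/bin/bash'   # new account, and it has uid 0
} > "$DEMO/passwd.later"

ps_commands  < "$DEMO/ps.normal"     > "$DEMO/ps.base"
ps_commands  < "$DEMO/ps.later"      > "$DEMO/ps.now"
passwd_users < "$DEMO/passwd.normal" > "$DEMO/users.base"
passwd_users < "$DEMO/passwd.later"  > "$DEMO/users.now"
echo "new processes: $(new_entries "$DEMO/ps.base" "$DEMO/ps.now" | tr '\n' ' ')"
echo "new users:     $(new_entries "$DEMO/users.base" "$DEMO/users.now" | tr '\n' ' ')"
```

Run save_baseline once on a freshly installed and patched server, keep the two files somewhere the server cannot alter (a floppy, another host), and compare against a fresh snapshot whenever the load looks odd.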
2. Basic Security How-To
2.6. Rule #5: Do network filtering
• Filtering is:
  – Letting only the network traffic that you need pass through, blocking all the rest
    E.g.: SMTP, POP, IMAP to a mail server
  and/or
  – Blocking all the traffic that you know you don't need, letting all the rest pass through
    E.g.: Windows file sharing
• Simple guidelines for minimal filtering
  – Implement multiple-level filtering
  – On the router, block all LAN-only traffic: file sharing, printer sharing, database access
  [Diagram: Internet, router, mail server and web server, with NFS and POP flows marked "= block"]
• Guidelines (cont.)
  – On the server, allow only legitimate traffic to pass
    • SMTP, POP, IMAP on a mail server
    • HTTP, HTTPS on a web server
    • Domain on a name server
  [Diagram: Internet, router, mail server and web server, with NFS and POP flows marked "= block"]
• Filtering on the router
  – Block dangerous protocols
  – Let the rest pass through
  – More refined filtering can be done
    • Filter on source and destination
    • Filter on direction of connection
  – Done globally by ITServ
    • On border interfaces (Internet & others)
    • Between AIT networks (schools, labs, entities)
    • Details upon request
• How to implement filtering on a server?
  – Use TCP Wrappers by Wietse Venema
    • Standard for Linux and FreeBSD
    • Download, compile and install for other Unix
      – ftp://ftp.porcupine.org/pub/security/index.html#software
      – http://www.sunfreeware.com has pre-compiled binaries for Sun Solaris
      – install into /etc/inetd.conf (more help upon request)
  – TCP Wrappers configuration in two files
    • hosts.allow (in /etc or /usr/local/etc)
      – which service (port number) is allowed
      – from which IP address / network
• How to implement filtering on a server?
  – TCP Wrappers configuration (cont.)
    • hosts.allow (cont.)
      – Format is: daemon_name : IP address[netmask] …
      – Examples:
        FTP only from a given address:
        ftpd : 203.159.12.34
        SSH only from AIT networks:
        sshd : 203.159.0.0/255.255.0.0 192.41.70.0/255.255.255.0
        POP from anywhere:
        popper : ALL
    • hosts.deny (in /etc or /usr/local/etc)
      – What is not allowed
      – Must have a single line:
        ALL: ALL
      – Do not leave it empty (=> allows everything!)
    – FreeBSD TCP wrappers have a single configuration file (hosts.allow)
      • adds ": allow" or ": deny" at the end of each line
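A small checker for the hosts.allow / hosts.deny rules of the last three slides, added here and not part of the original presentation. It verifies that hosts.deny holds exactly one "ALL: ALL" line (an empty file allows everything), that each hosts.allow line reads "daemon : client ...", and that daemons you name on the command line (sshd, ftpd in the demo) are not opened to ALL. It assumes POSIX sh with sed/awk; the file contents in the demo are constructed, using the addresses from the slides.

```shell
#!/bin/sh
# Added example (not from the original slides): lint a TCP Wrappers
# configuration. Assumes POSIX sh with sed/awk; demo files are constructed.

# Print the active lines of a wrappers file ($1): comments and blanks removed.
active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 if hosts.deny ($1) is exactly one "ALL: ALL" line, else 1.
check_hosts_deny() {
    norm=$(active_lines "$1" | awk '{ gsub(/[ \t]/, ""); print }')
    case "$norm" in
        "ALL:ALL") return 0 ;;
        "")        echo "hosts.deny: empty, so everything is allowed" >&2; return 1 ;;
        *)         echo "hosts.deny: expected a single 'ALL: ALL' line" >&2; return 1 ;;
    esac
}

# Return 0 if every line of hosts.allow ($1) is well formed and none of the
# daemons given as further arguments is allowed from ALL; else report the
# offending lines on stderr and return 1. A trailing ": allow" / ": deny"
# field, as FreeBSD uses, is ignored.
check_hosts_allow() {
    file=$1; shift
    active_lines "$file" | awk -v restrict="$*" '
        BEGIN { n = split(restrict, r, " "); for (i = 1; i <= n; i++) rs[r[i]] = 1 }
        {
            sep = index($0, ":")
            if (sep == 0) { print "hosts.allow: no \":\" in: " $0; bad++; next }
            daemon = substr($0, 1, sep - 1); gsub(/[ \t]/, "", daemon)
            rest = substr($0, sep + 1); opt = index(rest, ":")
            clients = opt ? substr(rest, 1, opt - 1) : rest
            nc = split(clients, c, /[ \t]+/); seen = 0
            for (i = 1; i <= nc; i++) {
                if (c[i] == "") continue
                seen++
                # ALL, LOCAL, an address, address/netmask, or a (partial) host name
                if (c[i] !~ /^(ALL|LOCAL|[0-9.]+(\/[0-9.]+)?|\.?[A-Za-z0-9.-]+)$/) {
                    print "hosts.allow: odd client \"" c[i] "\" for " daemon; bad++
                }
                if (c[i] == "ALL" && (daemon in rs)) {
                    print "hosts.allow: " daemon " is open to ALL"; bad++
                }
            }
            if (daemon == "" || seen == 0) { print "hosts.allow: malformed: " $0; bad++ }
        }
        END { exit (bad ? 1 : 0) }
    ' >&2
}

# --- demo on constructed data -------------------------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/hosts.allow" <<'EOF'
# FTP only from a given address, SSH only from AIT networks, POP from anywhere
ftpd   : 203.159.12.34
sshd   : 203.159.0.0/255.255.0.0 192.41.70.0/255.255.255.0
popper : ALL
EOF
printf 'ALL: ALL\n' > "$DEMO/hosts.deny"
: > "$DEMO/hosts.deny.empty"                     # the mistake the slides warn about
printf 'sshd : ALL\n' > "$DEMO/hosts.allow.bad"  # ssh reachable from anywhere

check_hosts_deny  "$DEMO/hosts.deny"             && echo "hosts.deny OK"
check_hosts_deny  "$DEMO/hosts.deny.empty"       || echo "hosts.deny.empty rejected"
check_hosts_allow "$DEMO/hosts.allow" sshd ftpd  && echo "hosts.allow OK"
check_hosts_allow "$DEMO/hosts.allow.bad" sshd   || echo "hosts.allow.bad rejected"
```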
3. Useful links and resources
• Security alert news
  – http://www.cert.org
  – http://www.sans.org
  – http://xforce.iss.net
  – http://www.securityfocus.com
  – http://www.linuxsecurity.com/advisories
• Information and checklists
  – SANS "Top 20 Most Critical Internet Security Vulnerabilities"
    • Free automated network scanner available!
• Information and checklists (cont.)
  – NSA "The 60 Minute Network Security Guide"
    http://nsa2.www.conxion.com/support/guides/sd7.pdf
• Linux
  – Securing and Optimizing Linux: Red Hat Edition - A Hands-on Guide
    http://www.linuxdoc.org/guides.html#securing_linux
  – Securing Linux Servers for Service Providers (IBM document)
    http://www.ibm.com/linux/Securing_Linux_Servers_xSP_hil_.
• Linux (cont.)
  – Linux security checklists
    http://www.uga.edu/ucns/wsg/security/linuxchecklist.html
    http://www.wfu.edu/~rbhm/linux.html
  – TrinityOS Guide to Configuring Linux
    http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/mHTML/TrinityOS-m.html
    Parts 8.7 to 8.10 especially explain Linux security configuration in great detail
• Windows
  – Microsoft's Security Site
    http://www.microsoft.com/technet/security/
• Windows sites (cont.)
  – NT4 / IIS4 Security Checklist
    http://www.microsoft.com/technet/security/iischk.asp
  – W2K / IIS5 Security Checklist
    http://www.microsoft.com/technet/security/iis5chk.asp
• Sun Solaris
  – Solaris Network Hardening
    http://ist.uwaterloo.ca/security/howto/2000-09-19/
    Includes a tool to automate the configuration
  – YASSP (Yet Another Solaris Security Package)
    http://www.yassp.org/
• Free security tools (mostly Unix)
  – Nessus Security Scanner
    http://www.nessus.org
  – Web-based simple port scanner
    http://www.ntsecurity.com/scan.asp
  – Snort Intrusion Detection System (IDS)
    http://www.snort.org
    • Runs on Windows too
  – SANS "Top 20" vulnerability scanner
    http://www.cisecurity.org/scanning_tool.html
    • Runs on Unix only
    • Can scan vulnerabilities of Unix and Windows servers
• Free security tools (Windows)
  – SwatIt Windows trojan remover
    http://lockdowncorp.com/bots/downloadswatit.htm
  – Foundstone's Windows forensics toolbox
    http://www.foundstone.com/knowledge/free_tools.html
  – PrcView process viewer: gives much information about the DLLs used and how a process has been started
    http://www.teamcti.com/pview/prcview.htm
• Miscellaneous
  – Lance Spitzner's white papers
    http://www.enteract.com/~lspitz/papers.html
  – The Center for Internet Security
    http://www.cisecurity.com
4. ITServ plans
• What we know by now:
  – Filtering at the border of the AIT network is only a part of the solution (it can't address all threats)
  – Maintaining security easily becomes an almost full-time job for all but the smallest networks inside AIT
  – Not all labs/schools/entities have the right people with enough free time to do it
  – All that is a lot of duplicated effort, duplicated investments and duplicated downloads
4. ITServ plans
• Our goals:
  – Establish a global standard of security for all AIT
    • standardisation of environments
    • validation of servers
    • fully enforced configuration and update policies
  – Rely more on standards and policies observed by all entities inside AIT and less on tight global filtering and on corrective blocking of IP addresses inside AIT
  – Provide extensive local resources and consulting
4. ITServ plans
• Our goals (cont.):
  – Provide centralised services that entities inside AIT can use without losing control over their servers and/or contents
    • proper configuration
    • real dedicated firewall, possibly intrusion detection
    • 24-hour monitoring, regular auditing
    • software updates
    • clearly defined, dependable
  – The most efficient way: an Internet Data Centre at ITServ for co-location and hosting
4. ITServ plans
• What we need:
  – Clearly identified people in charge of IT security in all AIT entities, willing to co-operate
  – An honest acceptance and support of the common goals and the means to reach them:
    • standardise vs. “I like Linux DebDrakeHatGNUXYZ only”
    • commitment to dedicate enough resources (time)
    • actual usage of local resources vs. “magic tools”
    • willingness to “outsource” what can not be managed locally due to lack of resources vs. “I absolutely want this server in my office”
    • accept servers and services being audited and validated
4. ITServ plans
4.1. Local resources
For a limited number of supported operating systems and environments:
• Local cache of all critical patches
  – much faster downloads
  – saves Internet bandwidth
• Local “CERT-like” web site to announce vulnerabilities
  – summarised and targeted at supported environments: much easier to read
  – links to local downloads
• Local alert mailing lists
4. ITServ plans
4.1. Local resources
• Campus license for selected critical security software, with local downloads
• Windows anti-virus software a priority
  – local download and possibly transparent/automated installation
  – local and automatic updates
  – very cost-effective
4. ITServ plans
4.2. Support and consulting
• Provide installation manuals with configuration guidelines tuned to the AIT environment for supported O.S.
• Provide security check-lists (more usable than Microsoft’s) with verification tools
• On-demand security auditing
  – network scanning, possibly real-time (from the AIT Intranet web)
  – on-site auditing with a written report upon request
4. ITServ plans
4.2. Support and consulting
• Emergency assistance in case of intrusion
  – evaluate damage
  – save important information to track down the source (computer forensics)
  – help cleaning or re-installing the machine while preserving data
  – final written report with the probable causes of the intrusion, to avoid the same mistakes being made again
4. ITServ plans
4.3. Services
• AIT Internet Data Centre in ITServ building
  – co-location of Internet/Intranet servers
  – shared hosting of Internet servers (mostly web)
  – provides reliable operation of your servers:
    • power, air conditioning
    • 24-hr operator staff to watch servers, reboot, restart services
    • network-based disk back-up facility
    • web-based real-time monitoring of service availability (e.g. HTTP server up/down)
4. ITServ plans
4.3. Services
• AIT Internet Data Centre (cont.)
  – provides a secure environment:
    • full-featured firewall (not simple port filtering)
    • O/S installation & hardening service available
    • software updates installation service
    • web-based detailed network traffic statistics and real-time monitoring, with alert generation in case of abnormally high traffic
    • preventive regular auditing (scanning) to detect anomalies
    • possibly: IDS, content-based filtering
4. ITServ plans
4.3. Services
• AIT Internet Data Centre (cont.)
  – preserves full control over your equipment
    • remote administration (SSH, PC Anywhere, remote desktop…)
    • physical access whenever needed
    • personalised per-server policy on the firewall, agreed upon and modifiable via on-line requests
4. ITServ plans
4.4. Policies
• Standardisation of the server environment to a set of supported O.S./server software and versions
  – installed base used as a start (fill in the questionnaire!)
  – reduced to a smaller set (negotiation)
  – open-source O.S. and software preferred
  – extensive assistance for migration if needed
• Mandatory anti-virus software on all Windows servers and desktops
  – campus-wide license
  – transparent and automatic installation and update
4. ITServ plans
4.4. Policies
• Validation and continuous auditing of servers
  – audit before opening a service to the Internet
  – exclude usage as a workstation
  – committed delay to do the audit
• LAN network services really LAN-only
  – phase out cross-network Windows file sharing
  – provide safer alternatives
  – help labs to migrate
4. ITServ plans
4.4. Policies
• Formal but fast and efficient communication for all security-related issues
  – web-based “ticket processing” system with 2-way interactivity
  – full information on what is being done and why
  – formal incident reporting and archival
• Regular meetings with designated IT Security Managers in all entities
  – attendance required
  – the place where policies will be elaborated
AIT ITServ & Lab Supervisors Meeting
• Thank you very much for your attention
• Now let’s talk!