Friday, March 9, 2012

RHEL/CentOS Server Security

As part of the sysadmin's job, it is important to take a few extra minutes to properly secure a newly installed Linux server. These steps include enabling SELinux on the machine, configuring the firewall, and setting user permissions. There are, however, additional steps one should take to secure a server: tuning and securing kernel parameters, setting limits on core dumps, preventing IPv6 from loading if your company is not using it, and turning off unnecessary services.

Networking 
First, let's take a look at configuring kernel parameters to prevent network-based attacks. These settings stop intruders from altering routing tables and reject source-routed packets, prevent an intruder from configuring the server to become a router, and turn on reverse path filtering. To change these settings, edit the /etc/sysctl.conf file and enter:
    net.ipv4.conf.all.accept_source_route = 0 
    net.ipv4.conf.all.accept_redirects = 0 
    net.ipv4.conf.all.secure_redirects = 0 
    net.ipv4.conf.all.log_martians = 1 
    net.ipv4.conf.default.accept_source_route = 0 
    net.ipv4.conf.default.accept_redirects = 0 
    net.ipv4.conf.default.secure_redirects = 0 
    net.ipv4.icmp_echo_ignore_broadcasts = 1 
    net.ipv4.icmp_ignore_bogus_error_messages = 1 
    net.ipv4.tcp_syncookies = 1 
    net.ipv4.conf.all.rp_filter = 1 
    net.ipv4.conf.default.rp_filter = 1 

If you are currently running IPv6 at your company, here are a few kernel parameters to prevent network based attacks:
    net.ipv6.conf.default.router_solicitations = 0 
    net.ipv6.conf.default.accept_ra_rtr_pref = 0 
    net.ipv6.conf.default.accept_ra_pinfo = 0 
    net.ipv6.conf.default.accept_ra_defrtr = 0 
    net.ipv6.conf.default.autoconf = 0 
    net.ipv6.conf.default.dad_transmits = 0 
    net.ipv6.conf.default.max_addresses = 1 

To make these settings effective without rebooting the server, type sysctl -p.
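One way to check a host against the IPv4 list above, as an added example that is not part of the original post. The names audit_sysctl, EXPECTED and sample_conf and the sample input are assumptions made for illustration; the function reads "key = value" text, the format used by both /etc/sysctl.conf and sysctl -a.

```shell
# Added example: audit "key = value" sysctl text against the IPv4 values listed in this post.
EXPECTED="net.ipv4.conf.all.accept_source_route=0 \
net.ipv4.conf.all.accept_redirects=0 \
net.ipv4.conf.all.secure_redirects=0 \
net.ipv4.conf.all.log_martians=1 \
net.ipv4.conf.default.accept_source_route=0 \
net.ipv4.conf.default.accept_redirects=0 \
net.ipv4.conf.default.secure_redirects=0 \
net.ipv4.icmp_echo_ignore_broadcasts=1 \
net.ipv4.icmp_ignore_bogus_error_messages=1 \
net.ipv4.tcp_syncookies=1 \
net.ipv4.conf.all.rp_filter=1 \
net.ipv4.conf.default.rp_filter=1"

# audit_sysctl [FILE]: print one finding per deviating key; exit status 1 if any.
# FILE defaults to stdin. A later assignment of a key overrides an earlier one.
audit_sysctl() {
    awk -F= -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, item, " ")
            for (i = 1; i <= n; i++) { split(item[i], kv, "="); key[i] = kv[1]; want[kv[1]] = kv[2] }
        }
        /^[ \t]*[#;]/ || NF < 2 { next }    # skip comments and non-assignments
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            have[k] = v
        }
        END {
            for (i = 1; i <= n; i++) {
                k = key[i]
                if (!(k in have))            { print "MISSING " k " (want " want[k] ")"; bad = 1 }
                else if (have[k] != want[k]) { print "WRONG " k " = " have[k] " (want " want[k] ")"; bad = 1 }
            }
            exit bad + 0
        }' "${1:--}"
}

sample_conf() {   # constructed sample, not a real host: rp_filter is set, then weakened later
    printf '%s\n' 'net.ipv4.conf.all.accept_redirects = 1' 'net.ipv4.conf.all.rp_filter = 1' \
        'net.ipv4.tcp_syncookies = 1' 'net.ipv4.conf.all.rp_filter = 0'
}

sample_conf | audit_sysctl || true
```

Run `audit_sysctl /etc/sysctl.conf` to check what will be applied at boot, or `sysctl -a 2>/dev/null | audit_sysctl` to check the running kernel.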

We can go a step further by disabling unused network functions such as IPv6 and preventing self-assigned addressing.

To detect whether IPv6 is running on a server, type ifconfig | grep inet6, which will return output such as:
    inet6 addr: fe80::240:5ff:fe32:ef19/64 Scope:Link 
    inet6 addr: ::1/128 Scope:Host 
    inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link 
To prevent IPv6 from loading, run the following command:
    echo install ipv6 /bin/true > /etc/modprobe.d/ipv6 
Then add the following lines to /etc/sysconfig/network:
    NETWORKING_IPV6=no 
    IPV6INIT=no 
This will deactivate the IPv6 protocol from running on the server.

To prevent self assigned addressing on network cards, open the /etc/sysconfig/network file and add:
    NOZEROCONF=yes 
  
Server security 
Turning off the ability to create core dumps is important as intruders can use this to gather information about running services and configurations in order to exploit them. To do so, edit the /etc/security/limits.conf file and insert:
    * hard core 0 
We should also prevent setuid programs from creating core dumps:
    sysctl -w fs.suid_dumpable=0 

There are also built-in kernel features which can help protect against buffer overflow attacks. These features are turned on by default; however, the following kernel parameters should be set in case they have been turned off:
    sysctl -w kernel.exec-shield=1 
    sysctl -w kernel.randomize_va_space=1 
These settings ensure randomization of the stack and memory regions, which is referred to as ExecShield.

Many services run on a default installation, including cups, sendmail, isdn, bluetooth, and many others. If these services are not being used on the server, they should be turned off and configured not to start on reboot. To do so, we can run the following bash script:
    # Stop each unused service now and keep it from starting at boot
    for i in acpid autofs avahi-daemon bluetooth cups firstboot gpm hidd ip6tables sendmail exim xfs xinetd yum-updatesd rhnsd pcscd readahead_early readahead_later apmd hplip isdn mcstrans
    do
        service "$i" stop
        chkconfig "$i" off
    done

Your services will vary depending on the installation. We should also ensure that X does not run on reboot, placing the server in run level three. To do so, edit the /etc/inittab file and change id:5:initdefault: to id:3:initdefault:
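
A check to run after the loop above, as an added example that is not part of the original post: it reads chkconfig --list output and prints any service from the post's list that is still set to start in runlevel 3 or 5. The names UNWANTED, still_enabled and sample_chkconfig and the sample output are constructed for illustration.

```shell
# Added example: find services from this post's list that chkconfig still starts.
UNWANTED="acpid autofs avahi-daemon bluetooth cups firstboot gpm hidd ip6tables sendmail \
exim xfs xinetd yum-updatesd rhnsd pcscd readahead_early readahead_later apmd hplip isdn mcstrans"

# still_enabled: reads `chkconfig --list` output on stdin and prints the name of
# every unwanted service that is "on" in runlevel 3 (text) or 5 (graphical).
still_enabled() {
    awk -v unwanted="$UNWANTED" '
        BEGIN { n = split(unwanted, u, " "); for (i = 1; i <= n; i++) bad[u[i]] = 1 }
        ($1 in bad) {
            for (f = 2; f <= NF; f++)
                if ($f == "3:on" || $f == "5:on") { print $1; break }
        }'
}

sample_chkconfig() {   # constructed sample of `chkconfig --list` output
    printf '%s\t0:off\t1:off\t2:%s\t3:%s\t4:%s\t5:%s\t6:off\n' \
        cups off off off off   sendmail on on on on   sshd on on on on   gpm off off off on
}

# On a real host: chkconfig --list | still_enabled
sample_chkconfig | still_enabled
```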

Saturday, March 3, 2012

GPG Keys

GnuPG is used to encrypt and sign email messages and files. First you need to create the GPG key:
Generating Keys
-----------------------------------------------------------
$ gpg --gen-key
-----------------------------------------------------------
Select option 5 for RSA and then type the key size.
-----------------------------------------------------------
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
-----------------------------------------------------------
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
............................+++++
...........+++++
gpg: key 7C11053D marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 4 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 4u
pub 4096R/7C11053D 2009-10-12
Key fingerprint = EE6B C53F A665 593C 3607 FEE1 F984 2AF9 7C11 053D
uid Jason Brown (Example)
-----------------------------------------------------------
pub 4096R/7C11053D created: 2009-10-12 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Jason Brown (Example)
Command> addkey
You need a passphrase to unlock the secret key for
user: "Jason Brown (Example) "
4096-bit RSA key, ID 7C11053D, created 2009-10-12
-----------------------------------------------------------
Enter your passphrase and then select option 6 for 'RSA (encrypt only)'. It will then ask for a key size and key expiration; use the same settings as in the first section. Once complete, you will have a new key for encryption.
-----------------------------------------------------------
pub 4096R/7C11053D created: 2009-10-12 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/55D59203 created: 2009-10-12 expires: never usage: E
[ultimate] (1). Jason Brown (Example)
-----------------------------------------------------------
Now type save to exit:
-----------------------------------------------------------
Command> save
-----------------------------------------------------------
GPG Key Backup
Once your keys have been generated, you will need to export both the public and private keys and store them for safekeeping. To export your public and private keys:
----------------------------------------------------------
$ gpg --export -a [email protected] > example-pub.key
$ gpg --export-secret-keys -a [email protected] > example-priv.key
----------------------------------------------------------
You can then create a tar backup of these two keys and encrypt them with a passphrase.
----------------------------------------------------------
$ tar -cvf gpgkeys.tar example-priv.key example-pub.key
$ gpg -c --cipher-algo aes256 gpgkeys.tar
----------------------------------------------------------
Then enter a strong password. This will allow you to retrieve your keys if you do not have your public/private key pair installed on a machine. Once this is done, you will need to securely delete the exported key files and the unencrypted tarball, leaving just the encrypted tarball (gpgkeys.tar.gpg). This is important because anyone who finds the unencrypted files can compromise your keys.
----------------------------------------------------------
$ for i in gpgkeys.tar example-priv.key example-pub.key
>do
>shred -n 100 -z -u -v $i
>done
----------------------------------------------------------
Retrieving Public Keys
To search for a person's key, type:
----------------------------------------------------------
$ gpg --search-keys [email protected]
----------------------------------------------------------
As this is an example and a fake email address, this will not return any results. Had this been a real address, you would see a list of email addresses with numbers along the side. To request the public key of that person, type the number and hit 'enter' and it will retrieve the public key.
Encrypting Files to Other Users
To encrypt a file to a different user, you must first have that user's public key. To check, type:
----------------------------------------------------------
$ gpg --list-keys
pub 4096R/7C11053D 2009-10-12
uid Jason Brown (Example)
sub 4096R/55D59203 2009-10-12
----------------------------------------------------------
I will encrypt a file to myself. The '-e' option tells gpg to encrypt, and '-r' names the recipient, that is, the public key of the person you want to give the file to.
----------------------------------------------------------
$ gpg -e -r [email protected] ssn.txt
----------------------------------------------------------
To decrypt the file, the recipient must have their public key installed on the machine. Then type:
----------------------------------------------------------
$ gpg --output ssn.txt --decrypt ssn.txt.gpg
----------------------------------------------------------
Where '--output' names the decrypted file to write and '--decrypt' is followed by the file being decrypted.
You may also want to digitally sign the file you are encrypting. To do so, type:
----------------------------------------------------------
$ gpg --detach-sig ssn.txt.gpg
----------------------------------------------------------
And to verify the signature file:
----------------------------------------------------------
$ gpg --verify ssn.txt.gpg.sig ssn.txt.gpg
gpg: Signature made Mon 12 Oct 2009 02:21:26 PM EDT using DSA key ID 7C11053D
gpg: Good signature from "Jason Brown (Example) "
----------------------------------------------------------