System Security Guide

From UC Grid Wiki

Operating System Recommendation and Software Requirement

We recommend that you install CentOS 5.2 for any production system. After installation, install the yum-security plugin and the software required to set up UC Grid:

   yum -y install tar sed zlib make perl sudo postgresql gcc 

   yum update
   yum -y install yum-security
   yum -y update --security   # Run that command in /etc/cron.weekly  

Security Setup Principles

1. The Appliance Node should only open ports to the Portal.

  In /etc/hosts.allow add:  ALL: your.portal.hostname

  Note that hosts.allow only governs services that use tcp_wrappers (or run under xinetd), and it denies nothing unless a matching entry in /etc/hosts.deny does; the iptables rules below are the primary control.

2. The Portal should only open the web service ports (80, 443, 8082, 9443). All other ports should be filtered.


Disable Unnecessary Services (All)

To enhance security and free system resources, disable any services that are not required. The following script disables all services a UC Grid node does not need:

#!/bin/bash

# Services present on a full installation of CentOS 5.2 that a UC Grid node does not need
services="acpid anacron apmd atd auditd autofs avahi-daemon bluetooth cpuspeed crond cups firstboot gpm haldaemon hidd hplip ip6tables irqbalance isdn kdump kudzu libvirtd lm_sensors lvm2-monitor mcstrans mdmonitor messagebus microcode_ctl modclusterd netfs nfslock pcscd portmap readahead_early restorecond ricci rpcgssd rpcidmapd sendmail setroubleshoot smartd xend xendomains yum-updatesd"

# Stop each service now and keep it from starting at boot
for service in $services; do
  service $service stop
  chkconfig $service off
done

Since the UC Grid appliance requires NFS-mounted user home directories, the autofs service must be turned back on:

  chkconfig autofs on
  /etc/init.d/autofs restart

Kernel Tunable Security Parameters (All)

The following list shows tunable kernel parameters you can use to harden your Linux server against network attacks.

For each parameter, the entry to add to the /etc/sysctl.conf configuration file is shown so that the change persists across reboots. To activate the configured kernel parameters immediately at runtime, use:


   sysctl -p


Enable TCP SYN Cookie Protection

A "SYN attack" is a denial-of-service attack that exhausts the resources of a machine with half-open TCP connections. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

 net.ipv4.tcp_syncookies = 1


Disable IP Source Routing

Source routing lets the sender specify the path a packet takes through the network from source to destination. Network staff can use this feature to diagnose problems. However, if an intruder were able to send a source-routed packet into the network, he could intercept the replies, and your server might not know that it is not communicating with a trusted host.

To disable acceptance of source-routed packets, edit the /etc/sysctl.conf file and add the following line:

 net.ipv4.conf.all.accept_source_route = 0


Disable ICMP Redirect Acceptance

ICMP redirects are used by routers to tell a host that there is a better path to another network than the one the host chose. However, an intruder could potentially use ICMP redirect packets to alter the host's routing table, causing traffic to take a path you did not intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:

 net.ipv4.conf.all.accept_redirects = 0


Enable IP Spoofing Protection

IP spoofing is a technique in which an intruder sends packets that claim to come from another host by forging the source address. It is very often used for denial-of-service attacks. For more information on IP spoofing, see the article IP Spoofing: Understanding the basics.

To enable IP spoofing protection, turn on source address verification (reverse path filtering). Edit the /etc/sysctl.conf file and add the following line:

 net.ipv4.conf.all.rp_filter = 1


Enable Ignoring ICMP Requests

If you want or need Linux to ignore ping requests, edit the /etc/sysctl.conf file and add the following line:

 net.ipv4.icmp_echo_ignore_all = 1

This is not an option in many environments.

Enable Ignoring Broadcast Requests

If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:

 net.ipv4.icmp_echo_ignore_broadcasts = 1


Enable Bad Error Message Protection

To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:

 net.ipv4.icmp_ignore_bogus_error_responses = 1


Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:

 net.ipv4.conf.all.log_martians = 1


In summary, add the following to /etc/sysctl.conf (together with the tcp_syncookies, accept_source_route and rp_filter lines given above) and run sysctl -p:

# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable ignoring ICMP echo requests (omit if your environment relies on ping)
net.ipv4.icmp_echo_ignore_all = 1
# Enable ignoring broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable logging of spoofed, source routed and redirect packets
net.ipv4.conf.all.log_martians = 1

Securing SSH (All)

Many network services like telnet, rlogin, and rsh are vulnerable to eavesdropping, which is one of several reasons why SSH should be used instead. Red Hat's default SSH configuration meets the security requirements of many environments. However, there are a few parameters in /etc/ssh/sshd_config that you may want to change on RHEL and other Linux systems.

The chapter Restricting System Access from Servers and Networks shows how direct logins can be disabled for shared and system accounts, including root. It is prudent to disable direct root logins at the SSH level as well:

PermitRootLogin no


Also ensure that privilege separation is enabled. It splits the daemon into two parts: a small part of the code runs as root and the rest runs unprivileged in a chroot jail. Note that on older RHEL systems this feature can break some functionality; for an example see Preventing Accidental Denial of Service.

UsePrivilegeSeparation yes


Since SSH protocol version 1 is not as secure, limit the protocol to version 2 only:

Protocol 2


You may also want to prevent SSH from setting up TCP port forwarding and X11 forwarding if you don't need them:

AllowTcpForwarding no
X11Forwarding no


Ensure the StrictModes directive is enabled. It checks the permissions and ownership of important files in the user's home directory, such as ~/.ssh and ~/.ssh/authorized_keys; if any check fails, the user cannot log in.

StrictModes yes


Ensure that all host-based authentication methods are disabled. They should not be relied on as primary authentication.

IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no


Disable sftp if it's not needed by commenting out the Subsystem line:

  #Subsystem sftp /usr/lib/misc/sftp-server


After changing any directives make sure to restart the sshd daemon:

/etc/init.d/sshd restart


In summary, change the parameters in /etc/ssh/sshd_config as follows:

PermitRootLogin no
UsePrivilegeSeparation yes
Protocol 2
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
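The following Python script is an added example, not part of this wiki page: it audits a host against the sysctl values and the sshd_config directives listed in the two summaries above, and it honours the sshd rule that the first occurrence of a directive wins, so a hardening block pasted below a stock directive is reported as ineffective. It takes `sysctl -a` output and the sshd_config text as strings; the sample inputs are constructed so the script runs offline.

```python
# Added example, not from the UC Grid wiki: audit a host's sysctl values and its
# sshd_config against the settings this guide asks for. Sample inputs are constructed
# so it runs offline; on a real host feed it `sysctl -a` output and /etc/ssh/sshd_config.
import re

SYSCTL_WANTED = {  # kernel tunables from the section above
    "net.ipv4.tcp_syncookies": "1", "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0", "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1", "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
}
SSHD_WANTED = {  # sshd_config summary from the section above
    "PermitRootLogin": "no", "UsePrivilegeSeparation": "yes", "Protocol": "2",
    "AllowTcpForwarding": "no", "X11Forwarding": "no", "StrictModes": "yes",
    "IgnoreRhosts": "yes", "HostbasedAuthentication": "no", "RhostsRSAAuthentication": "no",
}

def parse_kv(text, sep, casefold=False, first_wins=False):
    """Parse 'key<sep>value' lines into a dict, skipping blanks and # comments.
    sshd matches directive names case-insensitively and honours only the FIRST
    occurrence, so a hardened line appended below a stock one is ignored."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^\s=#]+)" + sep + r"(.+?)\s*$", line)
        if m:
            key = m.group(1).lower() if casefold else m.group(1)
            if not (first_wins and key in found):
                found[key] = m.group(2)
    return found

def audit(actual, wanted, casefold=False):
    """Map each wanted key to 'ok', 'missing', or the offending actual value."""
    report = {}
    for key, want in wanted.items():
        have = actual.get(key.lower() if casefold else key)
        report[key] = "ok" if have == want else ("missing" if have is None else have)
    return report

def audit_sysctl(sysctl_a_output):
    return audit(parse_kv(sysctl_a_output, r"\s*=\s*"), SYSCTL_WANTED)
def audit_sshd(sshd_config):
    return audit(parse_kv(sshd_config, r"\s+", True, True), SSHD_WANTED, True)

# Constructed samples: log_martians was never set, and the hardening block was
# appended below the stock "PermitRootLogin yes", which sshd still honours.
SAMPLE_SYSCTL_A = "net.ipv4.tcp_syncookies = 1\nnet.ipv4.conf.all.log_martians = 0\n"
SAMPLE_SSHD = "#Port 22\nPermitRootLogin yes\nProtocol 2\n# hardening\nPermitRootLogin no\nX11Forwarding no\n"

if __name__ == "__main__":
    for name, rep in ("sysctl", audit_sysctl(SAMPLE_SYSCTL_A)), ("sshd", audit_sshd(SAMPLE_SSHD)):
        print(name, {k: v for k, v in rep.items() if v != "ok"})
```

Running it prints only the settings that deviate; a clean host prints two empty dicts.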

Appliance iptables setup

In /etc/sysconfig/iptables:

-A RH-Firewall-1-INPUT -s CampusPortalHostname -j ACCEPT
-A RH-Firewall-1-INPUT -s portal.ucgrid.org -j ACCEPT
-A RH-Firewall-1-INPUT -s NSFServerHostname -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

You also have to add rules for VNC port forwarding; see How to setup Interactive Applications. Note that hostnames given to -s are resolved once, when the rules are loaded, so a DNS failure at boot makes iptables-restore fail; using IP addresses, as in the portal rules below, avoids this.

Portal iptables setup

In /etc/sysconfig/iptables, make sure only the web server ports are open to the world; all other ports should be closed or filtered.


*filter
 
...

# filter postgres port
-A RH-Firewall-1-INPUT -s CampusPortalHostIP -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j DROP

# filter mysql port

-A RH-Firewall-1-INPUT -s CampusPortalHostIP -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j DROP

# filter SSH port
-A RH-Firewall-1-INPUT -s LocalDesktopIP -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP

# filter 8009 port
-A RH-Firewall-1-INPUT -s CampusPortalHostIP -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8009 -j DROP


# filter 8443 Globus Toolkit port
-A RH-Firewall-1-INPUT -s CampusPortalHostIP -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -s Appliance1HostIP -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -s Appliance2HostIP -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -s portal.ucgrid.org -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT

COMMIT

*nat

# add port forwarding 

:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d CampusPortalHostIP -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
-A OUTPUT -d CampusPortalHostIP -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
-A PREROUTING -d CampusPortalHostIP -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9443
-A OUTPUT -d CampusPortalHostIP -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9443
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9443

# vnc port forwarding setup
.... 

COMMIT

To see how to set up VNC port forwarding, see How to setup Interactive Applications.
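To show how iptables walks this chain, here is an added example (not from the UC Grid wiki) that replays the portal rules above against sample packets: the first matching rule decides, so each source-specific ACCEPT must precede the catch-all DROP for its port, and traffic no rule matches falls through to the chain's last rule. The IP addresses are constructed TEST-NET placeholders for the page's CampusPortalHostIP, LocalDesktopIP and Appliance1HostIP, and the trailing REJECT is assumed to be the chain's standard final rule (as shown in the appliance section), which the portal listing elides with "...".

```python
# Added example, not from the UC Grid wiki: first-match evaluator for the portal's
# RH-Firewall-1-INPUT rules, showing why each ACCEPT must precede its DROP and where
# unmatched traffic lands. IPs are constructed TEST-NET stand-ins for the page's *HostIP names.
import shlex
CAMPUS_PORTAL_IP, LOCAL_DESKTOP_IP, APPLIANCE1_IP = "192.0.2.10", "192.0.2.20", "198.51.100.5"

# Portal rules as on the page; the trailing REJECT is the chain's standard last rule
# (shown in the appliance section), which the portal listing elides with "...".
PORTAL_RULES = f"""
-A RH-Firewall-1-INPUT -s {CAMPUS_PORTAL_IP} -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j DROP
-A RH-Firewall-1-INPUT -s {LOCAL_DESKTOP_IP} -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -s {CAMPUS_PORTAL_IP} -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -s {APPLIANCE1_IP} -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rules(text):
    """Turn '-A CHAIN ...' lines into dicts holding the matchers this model knows."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok and tok[0] == "-A":
            rule = {"chain": tok[1]}
            for i, t in enumerate(tok):
                if t in ("-s", "-p", "--dport", "--state", "-j"):
                    rule[t] = tok[i + 1]
            rules.append(rule)
    return rules

def evaluate(rules, src, dport, proto="tcp", state="NEW"):
    """Return the target of the first rule that matches the packet, as iptables does."""
    for r in rules:
        if "-s" in r and r["-s"] != src:
            continue
        if "-p" in r and r["-p"] != proto:
            continue
        if "--dport" in r and int(r["--dport"]) != dport:
            continue
        if "--state" in r and state not in r["--state"].split(","):
            continue
        return r["-j"]
    return "POLICY"  # nothing matched: the chain policy decides

if __name__ == "__main__":
    rules = parse_rules(PORTAL_RULES)
    for src, port in ((CAMPUS_PORTAL_IP, 5432), ("203.0.113.7", 5432), ("203.0.113.7", 8443)):
        print(f"{src}:{port} -> {evaluate(rules, src, port)}")
```

Swapping a port's DROP line ahead of its ACCEPT lines (for example by appending the ACCEPTs to the end of the file) silently cuts the portal off from its own database, which the evaluator makes visible before the rules are loaded.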

Securing Postfix (Portal Only)

The Portal has to be able to send mail. We recommend using Postfix instead of Sendmail.

First you need to install Postfix:

  yum install postfix

Postfix is a replacement for Sendmail with several security advantages: it consists of several small programs that each perform one small task, and almost all of them run in a chroot jail. These are just a few of the reasons Postfix is recommended over Sendmail.

Linux servers that are not dedicated mail or relay servers should not accept external email. However, it is important for production servers to be able to send local mail to a relay server.

Before you continue on a Red Hat system, make sure Postfix is the active MTA, using the following command:

alternatives --set mta /usr/sbin/sendmail.postfix

The following parameters in /etc/postfix/main.cf should be set to ensure that Postfix accepts only local emails for delivery:

  mydestination = $myhostname, localhost.$mydomain, localhost
  inet_interfaces = localhost

The parameter mydestination lists all domains to receive email for. The parameter inet_interfaces specifies the network interfaces to listen on.

Once you've configured Postfix, switch the running mail system from Sendmail to Postfix with the following commands:

/etc/init.d/sendmail stop
/sbin/chkconfig sendmail off
/sbin/chkconfig postfix on
/etc/init.d/postfix restart

To verify that Postfix is no longer listening for incoming network requests, run one of the following commands from another node:

nmap -sT -p 25 <remote_node>
telnet <remote_node> 25

Don't run these commands on the local host, since Postfix is supposed to accept connections from the local node.

Turn off Apache Server Signature (Portal Only)

It is better not to let an attacker find out your Apache server version. You can turn the signature off by editing /etc/httpd/conf/httpd.conf. Note that ServerSignature only controls the footer on server-generated pages such as error pages; the version string in the Server response header is governed by the separate ServerTokens directive.

ServerSignature Off


Globus Toolkit Firewall Howto

http://dev.globus.org/wiki/FirewallHowTo


Credits

Securing and Hardening Red Hat Linux Production Systems: A Practical Guide to Basic Linux Security in Production Enterprise Environments, written by Werner Puschitz, http://www.puschitz.com/SecuringLinux.shtml