System Security Guide
From UGP-Wiki
Operating System Recommendation and Software Requirements
We recommend that you install CentOS 5.2 for any production system. After installation, install the yum-security plugin and the packages required to set up UC Grid:
yum -y install tar sed zlib make perl sudo postgresql gcc
yum update
yum -y install yum-security
yum -y update --security    # Run that command in /etc/cron.weekly
Security Setup Principles
1. The Appliance Node should only open ports to the Portal. In /etc/hosts.allow add:
ALL: your.portal.hostname
2. The Portal should only open the web service ports (80, 443, 8082, 9443). All other ports should be filtered.
Disable Unnecessary Services (All)
To enhance security and free system resources, disable any services that are not required. The following script disables all unnecessary services of a full CentOS 5.2 installation:
#!/bin/bash
# Services for Full installation of CentOS 5.2
services="acpid anacron apmd atd auditd autofs avahi-daemon bluetooth cpuspeed crond cups firstboot gpm haldaemon hidd hplip ip6tables irqbalance isdn kdump kudzu libvirtd lm_sensors lvm2-monitor mcstrans mdmonitor messagebus microcode_ctl modclusterd netfs nfslock pcscd portmap readahead_early restorecond ricci rpcgssd rpcidmapd sendmail setroubleshoot smartd xend xendomains yum-updatesd"
for service in $services; do
    service $service stop      # stop the running instance
    chkconfig $service off     # keep it from starting at boot
done
Since the UC Grid appliance requires NFS-mounted user home directories, autofs (which the script above turns off) must be turned back on. The same applies to crond if the weekly yum-security update from the installation section is to run from /etc/cron.weekly.
chkconfig autofs on
/etc/init.d/autofs restart
Kernel Tunable Security Parameters (All)
The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.
For each tunable kernel parameter, the entry that needs to be added to the /etc/sysctl.conf configuration file is shown, so that the change is permanent across reboots. To activate the configured kernel parameters immediately at runtime, run:
sysctl -p
Enable TCP SYN Cookie Protection
A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.
To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.tcp_syncookies = 1
Disable IP Source Routing
Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network engineers for diagnosing problems. However, if an intruder was able to send a source-routed packet into the network, he could intercept the replies, and your server might not know that it is not communicating with a trusted host.
To disable acceptance of source-routed packets, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.accept_source_route = 0
Disable ICMP Redirect Acceptance
ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the host's routing table, causing traffic to use a path you did not intend.
To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.accept_redirects = 0
Enable IP Spoofing Protection
IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks. For more information on IP Spoofing, I recommend the article IP Spoofing: Understanding the basics.
To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.rp_filter = 1
Ignore ICMP Echo Requests
If you want or need Linux to ignore ping requests, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_echo_ignore_all = 1
This is not an option in many environments.
Ignore ICMP Broadcast Requests
If you want or need Linux to ignore ICMP echo requests sent to broadcast addresses, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Enable Bad Error Message Protection
To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_ignore_bogus_error_responses = 1
Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets
To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.log_martians = 1
In summary, please add the following to /etc/sysctl.conf (together with the tcp_syncookies, accept_source_route and rp_filter lines shown above), and run sysctl -p:
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# Ignore ICMP echo requests
net.ipv4.icmp_echo_ignore_all = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable logging of spoofed packets, source routed packets, redirect packets
net.ipv4.conf.all.log_martians = 1
Securing SSH (All)
Many network services like telnet, rlogin, and rsh are vulnerable to eavesdropping which is one of several reasons why SSH should be used instead. Red Hat's default configuration for SSH meets the security requirements for many environments. However, there are a few parameters in /etc/ssh/sshd_config that you may want to change on RHEL and other Linux systems.
The chapter Restricting System Access from Servers and Networks shows how direct logins can be disabled for shared and system accounts including root. But it's prudent to disable direct root logins at the SSH level as well.
PermitRootLogin no
Also ensure that privilege separation is enabled, which splits the daemon into two parts: a small part of the code runs as root, and the rest runs unprivileged in a chroot jail environment. Note that on older RHEL systems this feature can break some functionality; for example, see Preventing Accidental Denial of Service.
UsePrivilegeSeparation yes
Since SSH protocol version 1 is not as secure, you may want to limit the protocol to version 2 only:
Protocol 2
You may also want to prevent SSH from setting up TCP port and X11 forwarding if you don't need it:
AllowTcpForwarding no
X11Forwarding no
Ensure the StrictModes directive is enabled. It checks the file permissions and ownership of some important files in the user's home directory, such as ~/.ssh and ~/.ssh/authorized_keys. If any check fails, the user will not be able to log in.
StrictModes yes
Ensure that all host-based authentications are disabled. These methods should be avoided as primary authentication.
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
Disable sftp if it is not needed by removing (or commenting out) the Subsystem line, marked with a leading "-" below:
- Subsystem sftp /usr/lib/misc/sftp-server
After changing any directives make sure to restart the sshd daemon:
/etc/init.d/sshd restart
In summary, change parameters in /etc/ssh/sshd_config as follows:
PermitRootLogin no
UsePrivilegeSeparation yes
Protocol 2
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
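As an added example, not part of the original guide or of the Puschitz text it credits, the following POSIX shell helper audits a config file against the settings listed in the sysctl summary above and in this sshd_config summary. It reads either the sysctl.conf "key = value" form or the sshd_config "Key value" form, treats the last uncommented occurrence of a key as the one in effect (as sysctl and sshd do), and reports every setting that is missing or set differently; the sshd_config it runs against is a constructed sample, and the function names are the example's own.

```shell
#!/bin/sh
# Added audit helper, not part of the UC Grid guide: report recommended settings
# that are missing from or overridden in a config file. Handles the sysctl.conf
# "key = value" form and the sshd_config "Key value" form alike; as with sysctl
# and sshd, the last uncommented occurrence of a key is the one that counts.
# effective_value FILE KEY: print the value from the last uncommented KEY line
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                          # comment line
        NF == 0    { next }                          # blank line
        { gsub(/=/, " "); if ($1 == key) val = $2 }  # "k = v" and "k v" split alike
        END { if (val != "") print val }
    ' "$1"
}
# audit_config FILE KEY WANT [KEY WANT ...]: print one line per deviation;
# return 0 when every setting is in effect, 1 otherwise
audit_config() {
    conf=$1; shift; status=0
    while [ $# -ge 2 ]; do
        have=$(effective_value "$conf" "$1")
        if [ "$have" != "$2" ]; then
            echo "$conf: $1 is '${have:-unset}', want '$2'"
            status=1
        fi
        shift 2
    done
    return $status
}
# Constructed sample sshd_config: PermitRootLogin is corrected by a later line,
# StrictModes appears only commented out, AllowTcpForwarding is absent.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
X11Forwarding no
EOF
}
# Run the sshd checklist from the summary above against the sample file
demo() {
    tmp=$(mktemp) || return 2
    write_sample_sshd_config "$tmp"
    audit_config "$tmp" PermitRootLogin no Protocol 2 StrictModes yes \
        X11Forwarding no AllowTcpForwarding no
    result=$?; rm -f "$tmp"; return $result
}
if demo; then echo "all settings in effect"; else echo "deviations found"; fi
```

Run it against the real files with audit_config /etc/sysctl.conf net.ipv4.tcp_syncookies 1 ... or audit_config /etc/ssh/sshd_config PermitRootLogin no ...; a non-zero exit status means at least one recommended setting is not in effect.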
Appliance iptables setup
In /etc/sysconfig/iptables, add:
-A RH-Firewall-1-INPUT -s CampusPortalHostname -j ACCEPT
-A RH-Firewall-1-INPUT -s portal.ucgrid.org -j ACCEPT
-A RH-Firewall-1-INPUT -s NFSServerHostname -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
You may have to add more rules for VNC port forwarding. See: How to setup Interactive Applications
Portal iptables setup
In /etc/sysconfig/iptables
Make sure you only open the web server ports to the world; all other ports should be closed or filtered.
*filter
...
# filter postgres port
-A RH-Firewall-1-INPUT -s CampusPortalHostIP -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -m state --state NEW -m tcp -p tcp --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j DROP
# filter mysql port
-A RH-Firewall-1-INPUT -s CampusPortalHostIP -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j DROP
# filter SSH port
-A RH-Firewall-1-INPUT -s LocalDesktopIP -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
# filter 8009 port
-A RH-Firewall-1-INPUT -s CampusPortalHostIP -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
-A RH-Firewall-1-INPUT -s 127.0.0.1 -m state --state NEW -m tcp -p tcp --dport 8009 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8009 -j DROP
# filter 8443 Globus Toolkit port
-A RH-Firewall-1-INPUT -s CampusPortalHostIP -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -s Appliance1HostIP -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -s Appliance2HostIP -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -s portal.ucgrid.org -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
COMMIT
*nat
# add port forwarding
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d CampusPortalHostIP -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
-A OUTPUT -d CampusPortalHostIP -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8082
-A PREROUTING -d CampusPortalHostIP -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9443
-A OUTPUT -d CampusPortalHostIP -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9443
-A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9443
# vnc port forwarding setup
....
COMMIT
To see how to set up VNC port forwarding, see: How to setup Interactive Applications
Securing Postfix (Portal Only)
The Portal has to be able to send mail. We recommend using Postfix to send mail instead of Sendmail.
First you need to install Postfix:
yum install postfix
Postfix is a replacement for Sendmail with several security advantages over it. Postfix consists of several small programs, each performing its own small task, and almost all of them run in a chroot jail. These are just a few examples of why Postfix is recommended over Sendmail.
Linux servers that are not dedicated mail or relay servers should not accept external emails. However, it is important for production servers to send local emails to a relay server.
Before you continue on a Red Hat system, make sure Postfix is activated using the following command:
alternatives --set mta /usr/sbin/sendmail.postfix
The following parameters in /etc/postfix/main.cf should be set to ensure that Postfix accepts only local emails for delivery:
mydestination = $myhostname, localhost.$mydomain, localhost
inet_interfaces = localhost
The parameter mydestination lists all domains to receive emails for. The parameter inet_interfaces specifies the network interfaces to listen on.
Once you've configured Postfix, restart the mail system with the following command:
/etc/init.d/sendmail stop
/sbin/chkconfig sendmail off
/sbin/chkconfig postfix on
/etc/init.d/postfix restart
To verify that Postfix is no longer listening for incoming network requests, you can run one of the following commands from another node:
nmap -sT -p 25 <remote_node>
telnet <remote_node> 25
Don't run these commands on the local host since Postfix is supposed to accept connections from the local node.
Turn off Apache Server Signature (Portal Only)
It is better not to reveal your Apache server version to an attacker. You can turn the signature off by editing /etc/httpd/conf/httpd.conf:
ServerSignature Off
Globus Toolkit Firewall Howto
http://dev.globus.org/wiki/FirewallHowTo
Credits
Securing and Hardening Red Hat Linux Production Systems: A Practical Guide to Basic Linux Security in Production Enterprise Environments, written by Werner Puschitz, http://www.puschitz.com/SecuringLinux.shtml

