
DNS Server

Security / Hardening
Linux OS - Fedora 14 / RHEL

Copyright Erwin L. Carrow This work is the intellectual property of the author. Permission is granted for this material to be shared for
non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is
given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires
written permission from the author. Videos and specific graphics presented are not for public distribution.
9/3/2011 Cyber Defense Security Presentation 1
Session Guide
Erwin Carrow
IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP,
CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc.
Board of Regents, University System of Georgia; Office of Internal Audit
and Compliance
270 Washington Street S.W., Ste. 7087 Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
Email: ecarrow@google.com erwin.carrow@usg.edu
ecarrow@gmail.com
http://www.linkedin.com/in/ecarrow
http://twitter.com/ecarrow
Skype: erwin.louis.carrow



Session Agenda
DNS Server Security & Hardening: Down and Dirty (4 slides)
Other DNS information included for your review (not elaborated on):
  Internet threats & associated risks (2 slides)
  DNS Service (3 slides)
    Connecting hosts to services: protocols, transmission, network topology, & service request resolution
  Controls to mitigate DNS service disruption (3 slides)
  DNS How-to (7 slides)
    Installation & configuration
    DNS Hardening - local file system, application, managing access control
    Network topology, architecture, & exchange
  Helpful Hints (4 slides)



Key Takeaways
Understand what high-level requirements are needed to secure a DNS server and access to the service (the lecture's focus)
Slides for individual review (not elaborated on, but how-to provided):
  Recognize common DNS service threats
  Recognize the basic components & network topology for the implementation of a secure DNS service
  Understand how to install, configure, secure, & administer a DNS service
  Helpful hints that apply to any network service implementation



DNS Security & Hardening Local System (1 of 4)
Define, Discuss, Demonstrate, & Do
Configuring Service
Partitioning, Quotas, & ACLs
chroot / Jail application
tcpwrappers
PAM (Pluggable Authentication Modules)
SELinux http://fedoraproject.org/wiki/SELinux
IPTables (local Firewall)
Key Setup, Exchange, & Management
Local User Account Management
Limit remote service admin access
File permissions / mitigate escalation
Limit service access
Manage interdependent services, e.g., at & cron
Patch Management
Manage DNS Service Logs
Audit System Activity
DNS Security & Hardening - Network (2 of 4)
Define, Discuss, Demonstrate, & Do
Manage User Identity & Access Control
Limit Other Services
NIC / routing: edit /etc/sysctl.conf
Run-levels / interactive boot
Uninstall or disable all services not needed
Configure & Secure NTP Exchanges
Define Server Role & Responsibility within
Network Topology
DNS Zone & Records Management
Deployment, Queries, & Replication
In-band versus Out-of-band
Manage Key Exchange
  TSIG - signed dynamic updates & zone transfers
  DNSSEC - validate responses from other zones (trust anchors) & sign your own zones (SOA)

Network Proxy, Firewall, & IDS / IPS


Manage Service(s) Logs
DNS Security & Hardening: Network Topology (3 of 4)
Define, Discuss, Demonstrate, & Do



Summary: DNS Security & Hardening (4 of 4)
Define, Discuss, Demonstrate, & Do
Local System Configuration
  Fence in the DNS playground
  Limit ownership & access
  Monitor activity
Network Deployment & Topology
  Security threat gateway (firewall, proxy, IDS/IPS, etc.)
  Limit services, access, & disable routing functions
Manage Requests & Responses (internal & external, server to client)
  Zone or record corruption
  IP spoofing
  Cache poisoning
  Buffer overflows (patch BIND promptly)
  Data interception / impersonation
Track & Manage the Bouncing Bits & Bytes!
Vulnerability Matrix & Security Advisories
https://www.isc.org/software/bind/security/matrix
https://www.isc.org/advisories
Thank You for Your Patience & Participation -
Any Questions?
Gain a basic understanding of the requirements
for securing and hardening a DNS server



Helpful Resources
Linux Server Security by Michael D. Bauer; O'Reilly
DNS and BIND by Paul Albitz & Cricket Liu; O'Reilly
Understanding Data Communications by Gilbert Held; Addison-Wesley
Local Area Networks by David A. Stamper; Prentice Hall
Troubleshooting TCP/IP by Mark A. Miller; M&T Books
TCP/IP: Running a Successful Network by Kevin Washburn & Jim Evans; Addison-Wesley
ISC BIND page on DNSSEC - http://www.isc.org/software/bind/dnssec
DNSSEC deployment at the root zone - http://www.root-dnssec.org/
DNSSEC information for .org - http://www.pir.org/dnssec/
ENISA Good Practices Guide for Deploying DNSSEC - http://www.enisa.europa.eu/act/res/technologies/tech/gpgdnssec
Appendix: Other Useful Information for Review
Security Threat (2 slides)
DNS Services (3 slides)
Security and tools for hardening DNS (3 slides)
Network Topology and Services
DNS Server (8 slides)
Installation
Setup / Configuration
Security & Administration
Helpful Hints (4 slides)



Security Threat (1 of 2)
Define, Discuss, Demonstrate, & Do
Functional characteristic: secure, monitor, & mitigate malicious attempts to malign or disrupt network services
There are four general categories of security threats to the network: unstructured threats, structured threats, external threats, & internal threats
http://ptgmedia.pearsoncmg.com/images/1587131625/samplechapter/1587131625content.pdf
Classes of attacks: reconnaissance attacks, access attacks, denial of service attacks, & worms, viruses, and Trojan horses
All of the following can be used to compromise your system: packet sniffers, IP weaknesses, password attacks, DoS or DDoS, man-in-the-middle attacks, application layer attacks, trust exploitation, port redirection, viruses, Trojan horses, operator error, & worms



Security Threat - Attack vs. Knowledge (2 of 2)
Define, Discuss, Demonstrate, & Do
[Chart: attack sophistication versus required intruder knowledge, 1980-2010. Vertical axis: intruder knowledge / skill, high to low; horizontal axis: 1980, 1985, 1990, 1995, 2000, 2005, 2010; trend line labelled "Tool Capabilities and Ease of Use". Attacks plotted from earliest / most skill-intensive to latest / least: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, session hijacking, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, DoS, web attacks, Trojans, network attacks against DNS, SNMP, etc., worms, stealth / advanced scanning, distributed DoS, anti-forensics, command & control, browser attacks, crimeware / SSL-evading malware, APT. The chart's message: as tools improve, the knowledge an attacker needs falls.]
DNS Services: Protocols, Topology, & Resolution
Define, Discuss, Demonstrate, & Do (1 of 3)
Domain Name Service (DNS) provides IP address and Fully Qualified Domain Name (FQDN) resolution to hosts
Type/Role: authoritative vs. recursive; Master (authoritative), Slave (authoritative copy; load balancing & redundancy), Caching (non-authoritative name-to-IP resolution), Forwarding (non-authoritative; hands queries to another resolver)
DHCP can dynamically populate DNS host records
Dynamic Host Configuration Protocol (DHCP) provides IP address, default router gateway, DNS, WINS, and other service information requested by a host to enable connectivity to various internal and external resources
  Typically applied and configured to support an organization's intranet
  Can be implemented locally on a specific broadcast domain, or requests forwarded through a relay agent
  Host broadcasts a request & binds to the 1st DHCP server response received (there is no authentication, so a rogue DHCP server can hand out a rogue DNS server)
  Host leases the information & requires a periodic renewal
  Renewal request is sent to the initial DHCP server via unicast; if there is no response, the host broadcasts a new service request



DNS Services: Protocols, Topology, & Resolution
Define, Discuss, Demonstrate, & Do (2 of 3)
Topology Structure
  Nodes & Zones
  Root domain, delegation of authority, & Start of Authority: authority is delegated to lower levels in the hierarchy; each layer may delegate authoritative control to the next lower level
  Domains (SOA) - Start of Authority for a FQDN, e.g., redhat.com, where one or more DNS server names/IP addresses are registered with the parent (TLD) registry through an ICANN-accredited registrar (ICANN: Internet Corporation for Assigned Names and Numbers)
  Sub-domains - internally controlled DNS servers that segment organization resources
  Naming convention (FQDN)
Transmission methodology
  Host request / resolver: /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts
  Server types & roles: primary-master; secondary-slave; & caching-only/forwarders
DNS resolution service
  Iterative queries: the server answers with the best data it has, typically a referral to the name servers authoritative for the next label, and the querier follows the referrals itself (server-to-server exchanges until resolution or failure)
  Recursive queries: the client sends the FQDN and asks the server to resolve it completely on the client's behalf (typically the host resolver to its configured DNS server)
  Process: query, cache, & response
    FQDN -> IP address (forward lookup)
    IP address -> FQDN (reverse lookup domains, in-addr.arpa / ip6.arpa)
  Dynamic entries in DNS tables (dynamic update)
  Static entries - DNS records for domain services
  DHCP can be dynamically linked to local DNS for internal hostname resolution



DNS Services: Protocols, Topology, & Resolution
Define, Discuss, Demonstrate, & Do (3 of 3)
Answer the question: How will a server fit into the big picture for the network?
DNS Server Service Role & Types of Exchanges
  Master: (SOA) authoritative
  Slave: authoritative copy (replicates the master by zone transfer); used for redundancy and load-balancing, or partitioned out to hold only part of the zones
  Caching: non-authoritative; static or dynamic updates
  Forwarding: non-authoritative
Network Topology Location
  Service query/response support for: external (Internet), DMZ, internal (intranet), host based (caching)
  http://www.dnsbl.info/dnsbl-list.php
Content Management
  Zones - created to distinguish domains and catalogue host records
  DB file / record characteristics:
    Name
    TTL - time to live (how long the record may be cached)
    Class - IN (Internet) for all normal records; CH and HS exist but are only seen in server-identification queries such as version.bind (restrict those with version "none"; in the options block)
    Type - per listing below
    Data - content specific to record type
  Record Types:
    Start of Authority (SOA) - information that identifies the top of the zone and other general properties
    Address (A or AAAA) - IPv4/IPv6
    Canonical name (CNAME) - alias
    Host information (HINFO) - CPU/OS details; leave out of public zones, it is reconnaissance data
    Mail exchange (MX) - mail server
    Name server (NS) - DNS servers
    Pointer (PTR) - reverse lookup, IP to FQDN
    Text (TXT)
    Well-known services (WKS) - obsolete; do not publish



DNS Service: Security Considerations
Define, Discuss, Demonstrate, & Do (1 of 3)
Where will the application physically reside on the local OS?
  Partition type, quotas, & ACLs
    Manage space allocation (a full /var/named or log partition is a denial of service)
    Prevent hard links to setuid programs; facilitate precise control over mount options; limit user access or influence
    Allow minimal privileges via mount options (nodev, nosuid, noexec)
  Chroot / jail the DNS application
    If the service is compromised, limits the attacker's view of the file system and privilege escalation; if a local user is compromised, limits influence on the application
    Function: runs a process with a root directory other than /
    $ /usr/sbin/chroot /home/user_name/existing_directory
    Challenge is to include the interdependent binaries / library files the program needs inside the jail environment
    Once set up, change to the location and start the service or application
How will you manage the DNS service's local functional influence? You must manage the application's ability to influence overall system functionality!
  SELinux (alt. AppArmor)
    http://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/ch-selinux.html
    http://www.nsa.gov/research/selinux/index.shtml
    http://hackinglinux.blogspot.com/2007/05/selinux-tutorial.html
  PAM - Pluggable Authentication Modules (access control)
    http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html
How will you manage access to the service?
  TCP Wrappers: /etc/hosts.allow & /etc/hosts.deny; daemon_list : client_list [: command]
    Caveat: named is not linked against libwrap, so hosts.allow/hosts.deny do not filter DNS queries; use BIND's own ACLs (allow-query, allow-recursion, allow-transfer) and iptables for that
  Firewall, local and remote settings: iptables
  Disable all unneeded services!
  Enable application auditing
  Log management - monitor activity and event types!
DNS Service: Security Considerations
Define, Discuss, Demonstrate, & Do (2 of 3)
DNS Service Access Control: sample exploit (Kaminsky cache poisoning)
http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
Access Control Lists (ACLs)
TSIG - transaction signatures: a shared secret (HMAC) authenticates zone transfers, dynamic updates, and rndc commands between two parties
DNSSEC: relies on public/private key signatures. The DNSSEC specifications (RFC 4033, RFC 4034 and RFC 4035, augmented by others) answer three questions: Origin authentication - the data really came from the zone's authoritative source (DNSSEC signs data, not servers or channels). Integrity - the response is complete and nothing is missing or changed. Proof of non-existence - if the DNS returns a status that the name does not exist (NXDOMAIN), the NSEC/NSEC3 records prove that the authoritative zone has no such name.
(The rndc control key is a separate, TSIG-style shared secret and not DNSSEC: RHEL # dns-keygen, then edit /etc/rndc.key [insert key]; or RHEL/Fedora # rndc-confgen > /etc/rndc.conf; rndc status)
Use DNSSEC to verify recursive DNS results
Default DNS BIND configuration in RHEL 6, in /etc/named.conf:
options {
dnssec-enable yes;
dnssec-validation yes;
};
To set a trust anchor (trust the root DNSKEY), add a managed-keys statement; both the name and the key data are quoted strings:
managed-keys {
/* not the real root key */
"." initial-key 257 3 5 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEf
K3clRbGaTwSJxrGkxJWoZu6I7PzJu/E9
gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9
mZhkdUpd1Vso/HAdjNe8L";
};
Obtain the real root key from the root DNSSEC sources on the resources slide and verify it out of band before trusting it; a resolver with a wrong anchor fails every validated lookup.
Testing the validating recursive DNS server:
# dig www.example.com +dnssec
A validated answer carries the ad (authenticated data) flag in the header; RRSIG records in the answer alone do not mean the resolver validated anything.
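The check a practitioner actually wants after that dig is whether the resolver validated, not whether RRSIGs came back. The script below is an added example for this deck (not code from the slides or from ISC): it reads dig's header for the ad flag and uses the +cd (checking disabled) re-query to tell a validation failure (bogus data) from a plain resolution failure. The dig headers embedded in it are constructed for testing, not real captures; live_check assumes a validating resolver on 127.0.0.1 and www.example.com as the name under test.

```shell
#!/bin/sh
# Added example: classify the DNSSEC state of an answer from a validating
# resolver by reading dig's header. Not code from the slides or from ISC.

# dig_status DIG_OUTPUT -> RCODE from the header line (NOERROR, SERVFAIL, ...)
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# check_validated DIG_OUTPUT -> 0 when status is NOERROR and the ad
# (authenticated data) flag is set, i.e. the resolver validated the chain.
check_validated() {
    printf '%s\n' "$1" | awk '
        /^;; ->>HEADER<<-/ { ok = ($0 ~ /status: NOERROR/) }
        /^;; flags:/       { ad = ($0 ~ /flags:[^;]* ad[ ;]/) }
        END { exit !(ok && ad) }'
}

# classify_dnssec NORMAL_OUTPUT CD_OUTPUT -> one word:
#   validated   ad flag set on the normal answer
#   insecure    answer but no ad (unsigned zone, or resolver not validating)
#   bogus       normal query SERVFAILs but the same query with +cd succeeds:
#               the data exists but failed validation (or the anchor is wrong)
#   unreachable neither query produced a usable answer
classify_dnssec() {
    if check_validated "$1"; then
        echo validated
    elif [ "$(dig_status "$1")" = NOERROR ]; then
        echo insecure
    elif [ "$(dig_status "$1")" = SERVFAIL ] && [ "$(dig_status "$2")" = NOERROR ]; then
        echo bogus
    else
        echo unreachable
    fi
}

# live_check [NAME] [SERVER] -> runs both queries against the resolver.
# Assumptions: validating resolver on 127.0.0.1, name www.example.com.
live_check() {
    name=${1:-www.example.com}; server=${2:-127.0.0.1}
    classify_dnssec "$(dig @"$server" "$name" A +dnssec)" \
                    "$(dig @"$server" "$name" A +dnssec +cd)"
}

# Constructed dig headers (not real captures) used to exercise the functions.
sample_validated() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40109
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.com.  3600  IN  A  192.0.2.10
www.example.com.  3600  IN  RRSIG  A 8 3 3600 20110930000000 20110901000000 12345 example.com. bm90IGEgcmVhbCBzaWduYXR1cmU=
EOF
}
sample_servfail() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40110
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}
sample_cd() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40111
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.com.  3600  IN  A  192.0.2.10
EOF
}
```

On the server, `live_check` (or `live_check www.isc.org`) against a freshly built resolver should print validated for a signed zone; bogus right after installing the trust anchor usually means the anchor was mistyped or the clock is wrong, since RRSIG validity is checked against local time.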



DNS Service: Security Considerations
Define, Discuss, Demonstrate, & Do (3 of 3)
Authoritative Server: Configuration Overview
  Create a normal DNS zone file (1)
  Generate the zone-signing key (ZSK) and key-signing key (KSK) (2)
  Add DNSKEY records for both keys to the zone file (3)
  Sign the zone (creates RRSIG and NSEC/NSEC3 records) (4)
  Point /etc/named.conf at the signed zone file (5)
  Reload the zone (6)
  Provide the DS record for the zone's KSK to your parent zone (7)
(1) Set up DNSSEC with each signed zone having its own directory, and the zone file having the same name as the zone: /var/named/example.com/example.com would be the zone file for the zone example.com. Directory and zone file need to be readable by group named and have the SELinux type named_zone_t (restorecon -R /var/named after creating them).
(2) Generating the ZSK and KSK. Change to the zone file's directory in /var/named:
# cd /var/named/example.com/
Create the zone-signing key (ZSK):
# dnssec-keygen example.com
Create the key-signing key (KSK):
# dnssec-keygen -f KSK example.com
Both dnssec-keygen commands should add the -3 option if you want to use NSEC3 records. (BIND 9.7 defaults to RSASHA1 with a 1024-bit ZSK and a 2048-bit KSK; pass -a RSASHA256 for a stronger signature algorithm.)
(3) Add the keys to the zone file. Each command results in a key pair of two files, Kexample.com.+005+NNNNN.{key,private}. Add the public key files to the zone file:
# cat *.key >> /var/named/example.com/example.com
Keep the .private files mode 600 and owned by root; named does not need them for manual signing.
(4) Manually sign the zone file:
# dnssec-signzone example.com
Add -3 <salt> if you want NSEC3 records. Active keys in the zone are automatically used (their private keys are looked up in the current directory). Creates the example.com.signed file and a dsset-example.com. file holding the DS records. BIND 9.7 has a number of new features to support automatic signing on dynamic update, key rotation management, and so on; see the documentation in /usr/share/doc/bind-9.7*/arm/
(5) Update the zone directive and reload the zone. The zone directive in /etc/named.conf needs to be pointed at the signed file:
zone "example.com" IN {
type master;
file "example.com/example.com.signed";
};
(6) Reload the zone to make the changes take effect:
# service named reload (or: rndc reload)
(7) Provide the DS record to the parent zone operator. If the parent zone is DNSSEC signed and ready, provide your zone's DS record to your registrar. You can generate it from the zone file if necessary:
# cd /var/named/example.com/
# dnssec-dsfromkey -f example.com
This prints the DS records (dnssec-signzone already wrote the same records to dsset-example.com.). Re-sign before the RRSIGs expire (30 days from signing by default) or the zone goes bogus for every validating resolver.
http://www.redhat.com/promo/summit/2010/presentations/taste_of_training/Summit_2010_DNSSEC.pdf
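The seven steps above as one script, added here as an example for this deck (it is not code from the slides or from the Red Hat deck they cite). Assumptions: the slide's layout of /var/named/<zone>/<zone> (overridable through ZONE_ROOT), BIND 9.7 tools in PATH, run as root on the master; signing happens offline and named only ever reads the .signed file. The key sizes and RSASHA256 are this example's choices, not the slide's defaults.

```shell
#!/bin/sh
# Added example for this deck: steps 2, 3, 4 and 7 of the slide as a script
# for the BIND 9.7 tools. Not code from the slides or from Red Hat.
# Assumptions: ZONE_ROOT/<zone>/<zone> layout, tools in PATH, run as root.

ZONE_ROOT=${ZONE_ROOT:-/var/named}

# require_tools -> 0 when the signing tools are installed, 2 when not
require_tools() {
    for t in dnssec-keygen dnssec-signzone dnssec-dsfromkey named-checkzone; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 2; }
    done
    return 0
}

# zone_stanza ZONE -> the named.conf zone statement for the signed file (step 5)
zone_stanza() {
    printf 'zone "%s" IN {\n    type master;\n    file "%s/%s.signed";\n};\n' "$1" "$1" "$1"
}

# sign_zone ZONE [nsec3] -> generate keys, publish DNSKEYs, sign, print DS.
# Subshell body so the cd does not leak into the caller.
sign_zone() (
    zone=$1; nsec3=${2:-}; opt3=""; salt=""
    require_tools || exit $?
    dir=$ZONE_ROOT/$zone
    [ -f "$dir/$zone" ] || { echo "no zone file $dir/$zone" >&2; exit 1; }
    cd "$dir" || exit 1
    if [ -n "$nsec3" ]; then
        opt3=-3                                  # NSEC3-capable keys (slide's -3 note)
        salt=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
    fi
    # Step 2: RSASHA256 (algorithm 8) instead of the 9.7 default RSASHA1;
    # the KSK is larger because it lives longer and is what the parent's DS pins.
    zsk=$(dnssec-keygen $opt3 -a RSASHA256 -b 1024 -n ZONE "$zone") || exit 1
    ksk=$(dnssec-keygen $opt3 -a RSASHA256 -b 2048 -n ZONE -f KSK "$zone") || exit 1
    # Step 3: publish both public keys in the zone; private halves stay root-only.
    cat "$zsk.key" "$ksk.key" >> "$zone"
    chmod 600 K*.private
    # Step 4: sign; the keys are found from the DNSKEY RRs now in the zone.
    if [ -n "$nsec3" ]; then
        dnssec-signzone -o "$zone" -3 "$salt" "$zone" || exit 1
    else
        dnssec-signzone -o "$zone" "$zone" || exit 1
    fi
    named-checkzone "$zone" "$zone.signed" >/dev/null || exit 1
    chown root:named "$zone" "$zone.signed" && chmod 640 "$zone" "$zone.signed"
    # Steps 5 and 6 are the operator's: install zone_stanza output in
    # /etc/named.conf, then rndc reload. Step 7: DS records for the parent
    # (dnssec-signzone also left them in dsset-$zone.).
    dnssec-dsfromkey -2 "$ksk.key"
)
```

Usage on the master: `sign_zone example.com` (or `sign_zone example.com nsec3`), paste the printed DS record into the registrar's form, then `zone_stanza example.com` into named.conf and `rndc reload`. Every later edit to the unsigned zone file has to be followed by a new dnssec-signzone run, which is the operational cost the slide's "BIND 9.7 automatic signing" note is about.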



Network Services: Protocols, Topology, & Resolution
Define, Discuss, Demonstrate, & Do



DNS Server Install, Setup, & Administration (1 of 7)
Define, Discuss, Demonstrate, & Do
Client / Server: resolver settings
  How will queries be made?
  Resolution priority & precedence (search method) - edit the local system files /etc/nsswitch.conf; /etc/hosts; /etc/resolv.conf
  Consider who the DNS server will support (internal/external)
    Only serve DNS for those types
    Segregate support requirements - don't do both (authoritative for the Internet and recursive for your users) in one server instance
  Do not arbitrarily allow zone transfers or recursion
Partition and ACL setup:
  Install & configure ACL support
  # yum install acl
  Edit /etc/fstab
  /dev/hdc1 /var/named ext4 defaults,acl 1 2
  # mount -t ext4 -o acl,remount /dev/hdc1 /var/named
  Apply security via getfacl & setfacl
  # setfacl -m u:named:rwx /var/named
  # getfacl /var/named
Prevent hard links to setuid programs
Specify precise control over mount options
  Allow minimal privileges via mount options
  Modify /etc/fstab: noexec on everything possible; nodev everywhere except / and chroot partitions; nosuid everywhere except /
  Consider making /var/tmp a symlink to /tmp, or a bind mount of it
GUI management utility - http://www.webmin.com/ (a web console is extra attack surface on a name server; if used, bind it to the admin network only)
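The file-system controls listed on slide 17 and spelled out above (own partition, the acl mount option, nodev/nosuid/noexec, a setfacl entry for the named user) need a check that they still hold after the next reboot or fstab edit. The script below is an added example for this deck, not code from the slides: the mounts table and the getfacl text are parameters, so the checks run against the constructed samples inside it, and against /proc/mounts and getfacl -p /var/named on a real host.

```shell
#!/bin/sh
# Added example for this deck (not from the slides): audit the mount options
# of the partition holding BIND's data and the POSIX ACL granted to the named
# user. Inputs are parameters so the checks can run against constructed data.

# mount_opts MOUNTS_FILE MOUNTPOINT -> the option string of that mount point
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4; exit }' "$1"
}

# missing_opts MOUNTS_FILE MOUNTPOINT OPT... -> lists the wanted options that
# are absent; 0 when all are present, 1 otherwise (or when it is no mount point,
# because options cannot be enforced on a plain directory).
missing_opts() (
    mounts=$1; mp=$2; shift 2
    opts=$(mount_opts "$mounts" "$mp")
    [ -n "$opts" ] || { echo "$mp is not a mount point"; exit 1; }
    missing=""
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    [ -z "$missing" ] && exit 0
    echo "$mp is missing:$missing"
    exit 1
)

# named_acl_perms GETFACL_TEXT -> the rwx string granted to user named, or "none"
named_acl_perms() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "user" && $2 == "named" { print $3; found = 1; exit }
        END { if (!found) print "none" }'
}

# harden_var_named -> the slide's commands plus verification (run as root;
# assumes /var/named is its own partition as on the slide)
harden_var_named() {
    mount -o remount,acl,nodev,nosuid,noexec /var/named || return 1
    setfacl -m u:named:rwx /var/named || return 1
    missing_opts /proc/mounts /var/named nodev nosuid noexec &&
    [ "$(named_acl_perms "$(getfacl -p /var/named)")" = rwx ]
}

# Constructed inputs (not captured from a real host) in /proc/mounts and
# getfacl -p format. Note: kernels that enable acl by default for ext4 do not
# list "acl" in /proc/mounts; verify ACL support with setfacl there instead.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /var/named ext4 rw,relatime,noexec,nodev,nosuid,acl 0 0
/dev/sda4 /tmp ext4 rw,relatime,noexec,nodev 0 0
EOF
}
sample_getfacl() {
    cat <<'EOF'
# file: /var/named
# owner: root
# group: named
user::rwx
user:named:rwx
group::r-x
mask::rwx
other::---
EOF
}
```

Run `missing_opts /proc/mounts /var/named nodev nosuid noexec` from cron or the audit checklist; a non-empty result after a reboot usually means the fstab line was changed or the partition was not mounted at all and /var/named is now a directory on the root file system.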



DNS Server Install, Setup, & Administration (2 of 7)
Define, Discuss, Demonstrate, & Do
Identify type of server and location
  Master, Slave, Caching, or Forwarding
Server setup:
  Install bind, bind-utils, bind-chroot [jail application], caching-nameserver [RHEL 5 - install for the cache server function; on RHEL 6 the default bind configuration is already a caching server], system-config-bind
Network interface configuration:
  Define & apply a static IP address to the interface
  Modify /etc/sysconfig/network-scripts/ifcfg-ethX; PEERDNS=no (so DHCP cannot overwrite /etc/resolv.conf)
  Modify /etc/hosts; place host name to IP address entries for resources needed before DNS is up [optional]
  Modify /etc/resolv.conf; insert at the beginning of the file: nameserver 127.0.0.1
Security considerations
  Chroot / jail the application due to ever changing & challenging security issues
  # yum install bind-chroot
  The configuration then lives at /var/named/chroot/etc/named.conf
  bind-chroot supplies what named needs inside the jail (config, zone directories, /dev/null, /dev/random, /etc/localtime); named chroots itself after start-up, so no binaries or libraries need to be copied in
  Modify the /etc/sysconfig/named file and set the ROOTDIR shell variable to /var/named/chroot, e.g., ROOTDIR=/var/named/chroot
  Test - do an inode comparison (on RHEL 6 the init script bind-mounts the real directories into the chroot when named starts)
  # ls /var/named/chroot/var/named
  # ls -ldi /var/named/chroot/var/named
  # ls -ldi /var/named
  # service named start
  # ls -ldi /var/named/chroot/var/named [should now reflect the /var/named inode]
DNS Server Install, Setup, & Administration (3 of 7)
Define, Discuss, Demonstrate, & Do
More security considerations - http://www.puschitz.com/SecuringLinux.shtml
Modify / edit firewall & SELinux settings: allow TCP & UDP port 53 (TCP is not optional: zone transfers and any response over 512 bytes, common with DNSSEC, need it)
Secure transaction exchange:
  TSIG signatures - shared-key HMAC to authenticate record exchange / replication (zone transfers, dynamic updates)
  Time synchronization is critical: TSIG signatures carry a timestamp with a short fudge window; if a TSIG exchange fails, check the time first
Split horizon / proxy server - place in the DMZ; serving internal and external name resolution from one server (BIND views) is possible but not recommended; prefer separate internal and external servers
Logs - by default named logs through syslog to /var/log/messages; for a file channel inside the chroot:
# mkdir -p /var/named/chroot/var/log/bind
# chown named:named /var/named/chroot/var/log/bind
# chmod 750 /var/named/chroot/var/log/bind
# ls -ld /var/named/chroot/var/log/bind
then add a logging { channel ... file "/var/log/bind/..."; } stanza to named.conf (the path is relative to the chroot)
NTP time services must be properly configured and secured



DNS Server Install, Setup, & Administration (4 of 7)
Define, Discuss, Demonstrate, & Do
Server Service
  Init & start: # chkconfig named on; service named start
  Service control: # service named [stop | start | restart | reload | status] (# service network restart for interface changes)
  RHEL configuration test: # service named configtest (or named-checkconf -z /etc/named.conf to check the zone files as well)
Documentation
  http://www.zytrax.com/books/dns/
  file:///usr/share/doc/bind-9.7.2/arm/Bv9ARM.html
Server configuration:
  Edit /etc/named.conf
  See /usr/share/doc/bind*/sample/ for example named configuration files
  RHEL and Fedora have distinctions [see page 786 for details]
  Determine the type/role of the DNS server(s) per topology design or requirements: Master, Slave, or Caching
  Modify settings
  Create zones: root hints, local/global domains, & reverse lookup domains
  Configure security exchange methods & keys
  Populate domains with appropriate static records, e.g., name server (NS), mail server (MX), host records (A/AAAA), service records (SRV: IP and service port specific), reverse lookup records (PTR), etc.
  Restart services
  Zone information is located in /var/named



DNS: Server Install, Setup, & Administration (5 of 7)
Define, Discuss, Demonstrate, & Do
Only common references below; with bind-chroot, change the file system locations to the jailed DNS file locations (/var/named/chroot/...)
Caching-only server: # yum install -y caching-nameserver
# cp /etc/named.caching-nameserver.conf /etc/named.conf
Slave zone files: # ls /var/named/slaves
Manually pull the master's zone to the slave: # dig -t axfr zone_name.com @servername
RHEL 6: /var/named is not writable by named; zones modified by dynamic update go in /var/named/dynamic (slave copies in /var/named/slaves), then update /etc/named.conf
Local System Security Settings
ACL
  Define an ACL directive: acl local-net { 127.0.0.1; 192.168.1.0/24; };
  Place in named.conf: allow-transfer { local-net; }; allow-query { local-net; }; allow-recursion { local-net; };
  An Internet-facing authoritative server that must answer anyone needs allow-query { any; }; together with recursion no; - otherwise it is an open resolver usable for cache poisoning and DDoS amplification
User Access
  Configuration and master zone files are owned by root, readable by the named group, and not writable by the named user, so a compromised named cannot rewrite its own config or zones; only the dynamic and slaves directories belong to named
  # chown root:named /etc/named.conf /etc/named/* /var/named/*.zone; chmod 640 /etc/named.conf
  # chown named:named /var/named/dynamic /var/named/slaves
IPTables firewall security settings - general settings provided
  # iptables -I INPUT 5 -p udp -m udp --dport 53 -j ACCEPT
  # iptables -I INPUT 5 -p tcp -m tcp --dport 53 -j ACCEPT
  # iptables -I INPUT 5 -p tcp -m tcp --dport 953 -j ACCEPT [rndc control channel is TCP, not UDP; with controls bound to 127.0.0.1 (loopback is already accepted) no rule is needed; open it only if rndc from a remote host is required, and then restrict -s to that host]
  # service iptables save; service iptables restart
SELinux
  # getsebool -a | grep named
  # setsebool -P named_disable_trans=1 - do not do this on a hardened server: it runs named unconfined (and the boolean no longer exists in RHEL 6). Keep named in its domain and only enable the booleans you need, e.g. named_write_master_zones for dynamic updates on a master
  # chcon -t named_conf_t /etc/named.conf (or restorecon -v /etc/named.conf, which applies the policy's label)
  # ls -Z /etc | grep named.conf



DNS: Server Key Exchange Setup (6 of 7)
Define, Discuss, Demonstrate, & Do [RHEL]
Only common references below; with bind-chroot, change the file system locations to the jailed DNS file locations
Modify named.conf and insert: include "/etc/rndc.key";
Create key: # dns-keygen (RHEL script that prints a random base64 secret)
[Fedora: $ /usr/sbin/dnssec-keygen -a HMAC-MD5 -b 512 -n HOST keyname]
$ cat Kkeyname.+157+14321.private - the Key: line holds the secret; similar to below, see page 803
Create key file: # vi /etc/rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "aresrntynratbYjhjdslo863eWEDvOVCmdvfvb"; [not a real key; hmac-md5 is legacy, use hmac-sha256 on BIND 9.7+]
};
Create config file: # rndc-confgen > /etc/rndc.conf (rndc-confgen generates its own key; simpler: rndc-confgen -a writes /etc/rndc.key directly and both named and rndc read it)
Edit /etc/rndc.conf and paste in the key content listed above (key name and secret must match on both sides)
Edit named.conf & add
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndckey"; };
};
include "/etc/rndc.key";
Change ownership and mode of the files: named must read rndc.key (group named); rndc.conf is read by rndc as root only
# chown root:named /etc/rndc.key; chmod 640 /etc/rndc.key
# chown root:root /etc/rndc.conf; chmod 600 /etc/rndc.conf
# service named configtest; service named restart; rndc status
# restorecon -v /etc/rndc.key /etc/rndc.conf (labels them named_conf_t)
Logs - /var/log/bind; /var/log/messages
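The ACL and key material of the last two slides come together in one place: a TSIG key that only the master and its slave hold, an allow-transfer that names that key rather than an address (addresses are spoofable, a signature is not), and the rndc control channel keyed the same way. The script below is an added example for this deck, not code from the slides: it generates a 256-bit secret, writes the key file with the ownership named needs, and prints the named.conf fragments for both ends. Assumptions: master 192.0.2.1, zone example.com, key name transfer-key, BIND 9.7 or later (hmac-sha256); the rndc key name rndc-key is what rndc-confgen -a writes by default.

```shell
#!/bin/sh
# Added example for this deck (not from the slides): TSIG key for zone
# transfers plus the keyed rndc controls stanza. Assumptions: master
# 192.0.2.1, zone example.com, key transfer-key, BIND 9.7+ (hmac-sha256).

# new_secret [BYTES] -> random base64 secret, 32 bytes (256 bits) by default
new_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# key_stanza NAME SECRET [ALGORITHM] -> BIND key statement
key_stanza() {
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "${3:-hmac-sha256}" "$2"
}

# write_key_file PATH NAME SECRET -> key file readable only by root and group
# named (named reads it, nobody else should); prints the resulting mode.
# Subshell body so the umask does not leak into the caller.
write_key_file() (
    umask 027
    key_stanza "$2" "$3" > "$1"
    chown root:named "$1" 2>/dev/null || true   # no named group on a test host
    chmod 640 "$1"
    stat -c %a "$1"
)

# master_fragment ZONE KEY -> only holders of KEY may pull the zone
master_fragment() {
    printf 'zone "%s" IN {\n    type master;\n    file "%s";\n    allow-transfer { key %s; };\n};\n' "$1" "$1" "$2"
}

# slave_fragment ZONE KEY MASTER -> sign every exchange with MASTER using KEY
slave_fragment() {
    printf 'server %s { keys { %s; }; };\n' "$3" "$2"
    printf 'zone "%s" IN {\n    type slave;\n    masters { %s; };\n    file "slaves/%s";\n    allow-transfer { none; };\n};\n' "$1" "$3" "$1"
}

# controls_stanza KEYNAME -> rndc control channel on loopback only, keyed
controls_stanza() {
    printf 'include "/etc/rndc.key";\ncontrols {\n    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "%s"; };\n};\n' "$1"
}

# axfr_test MASTER ZONE KEY SECRET -> the slide's manual pull, now signed.
# The same dig without -y against the same master must come back REFUSED.
axfr_test() {
    dig @"$1" -y "hmac-sha256:$3:$4" "$2" axfr
}

# Typical run on the master as root (uncomment to use):
# SECRET=$(new_secret)
# write_key_file /etc/named/transfer.key transfer-key "$SECRET"   # include it from named.conf
# master_fragment example.com transfer-key >> /etc/named.conf
# scp /etc/named/transfer.key slave:/etc/named/   # out of band, never through DNS
```

Both ends must agree on the key name as well as the secret, and on the time: a TSIG signature outside the fudge window fails with BADTIME, which is the NTP dependency noted on slide 23.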



DNS Service Security: Topology ACLs / Key Exchange (7 of 7)
Define, Discuss, Demonstrate, & Do



DNS Server Helpful Hints for Setup & Administration (1 of 4)
Define, Discuss, Demonstrate, & Do
GUI - system-config-network; system-config-network-tui
CLI - Query Resolver
  $ dig fully_qualified_domain_hostname; dig -x ip_address; dig -t MX fully_qualified_domain_hostname
  $ host ip_address; hostname; nslookup FQDN or IP_ADD; ping FQDN or IP_ADD; whois domain_name (look up info for a hostname or IP address)
CLI - Configure Interface & Routes
  $ ifconfig interface up|down
  Check out $ ethtool eth0 (must be installed)
  Server: static configuration per node with host FQDN, host IP, subnet mask, default gateway, & DNS server IP
  $ ip
  # ip addr add 1.2.3.4/24 brd + dev eth0 (add or delete IP & subnet mask)
  # ip route add default via 1.2.3.254 (add or delete default gateway; change default to a network address to create a static route)
  # ip link set dev eth0 up (bring interface up or down)
  # ip addr show; ip -s link; ip route show; hostname -i
  ip or route commands
  # route add default gw 192.168.1.1 [destination address] eth0 [interface on the same network as the destination gateway address]
  Edit related files: /etc/sysconfig/network-scripts
  http://lartc.org/howto/lartc.rpdb.multiple-links.html
  http://www.itsyourip.com/Linux/howto-add-a-persistent-static-route-in-redhat-enterprise-linux/
CLI - Configure Service & Status
  # service --status-all (state of services on the system)
  # service service_name [stop | start | restart | status]
  # chkconfig service_name [on | off]
  # service service_name configtest
  # netstat -tupl (internet services listening on a system); netstat -tup (active connections to/from the system); netstat -tanp | grep LISTEN
Troubleshooting methodology: start with the local host, then the remote host or service
  Check local interface (hostname, ifconfig, iwconfig, ping, netstat)
  Check local gateway / route (ping, route, traceroute)
  Check local services - ACLs, firewall, proxy, DNS, file share, etc. (netstat, dig, hosts, nslookup)
  Check remote host services or resources (ping, finger, jwhois, lynx, nmap, mtr, browsers)
Key file locations: /sbin; /etc/sysconfig/network; /etc/sysconfig/network-scripts; /etc/init.d/network start, restart, or stop



DNS Server Helpful Hints for Network Settings (2 of 4)
Define, Discuss, Demonstrate, & Do
Disabling unnecessary daemons that are listening
  Locate the pid in the netstat command (netstat -tulpn)
  cat /proc/<pid>/cmdline
  If not a full path, run which or locate to find the utility
  rpm -qf full_path_of_daemon
  rpm -e package_name
  If difficult to remove due to dependencies: chkconfig <service> off
tcp_wrappers
  Even if iptables is in use, configure this just in case
  Set /etc/hosts.deny to ALL: ALL
  Many daemons are compiled with support
  Find them by using: grep -l libwrap /usr/bin/* /usr/sbin/* | sort
  For each program found, use its base name to set the expected access rights in /etc/hosts.allow (if there are any). Example: smbd: 192.168.1.
  http://linuxhelp.blogspot.com/2005/10/using-tcp-wrappers-to-secure-linux.html
init
  Disable interactive boot by editing /etc/sysconfig/init: set PROMPT=no
  Also add a password to single user mode: edit /etc/inittab and add the following: ~~:S:wait:/sbin/sulogin
Edit /etc/sysctl.conf settings
  # Don't reply to broadcasts. Prevents joining a smurf attack
  net.ipv4.icmp_echo_ignore_broadcasts = 1
  # Enable protection for bad icmp error messages
  net.ipv4.icmp_ignore_bogus_error_responses = 1
  # Enable syncookies for SYN flood attack protection
  net.ipv4.tcp_syncookies = 1
  # Log spoofed, source routed, and redirect packets
  net.ipv4.conf.all.log_martians = 1
  net.ipv4.conf.default.log_martians = 1
  # Don't allow source routed packets
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.default.accept_source_route = 0
  # Turn on reverse path filtering
  net.ipv4.conf.all.rp_filter = 1
  net.ipv4.conf.default.rp_filter = 1
  # Don't allow outsiders to alter the routing tables
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv4.conf.all.secure_redirects = 0
  net.ipv4.conf.default.secure_redirects = 0
  # Don't pass traffic between networks or act as a router
  net.ipv4.ip_forward = 0
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
  Apply with: # sysctl -p
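Writing the sysctl list into /etc/sysctl.conf is the easy half; the half that catches real problems is checking that the running kernel still matches it, because a later package or a hand-typed sysctl -w silently wins. The script below is an added example for this deck, not code from the slides: it holds exactly the slide's key/value list, reads the live values from /proc/sys (so it does not depend on sysctl(8)), and reports every drift, including keys that are missing on the host. SYSCTL_ROOT is an assumption of this example that lets the check run against a constructed tree.

```shell
#!/bin/sh
# Added example for this deck (not from the slides): compare the running
# kernel settings with the slide's list and report drift. Reads /proc/sys
# directly; SYSCTL_ROOT may point at a constructed tree for testing.

SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# expected_settings -> "key value" pairs, exactly the slide's list
expected_settings() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.ip_forward 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
EOF
}

# sysctl_get KEY -> the current value, or "missing" when the kernel has no such key
sysctl_get() (
    f=$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)
    [ -r "$f" ] && cat "$f" || echo missing
)

# sysctl_drift -> prints "key expected=X actual=Y" for every mismatch and
# returns the number of mismatches (0 means the host matches the slide).
sysctl_drift() (
    n=0
    while read -r key want; do
        have=$(sysctl_get "$key")
        if [ "$have" != "$want" ]; then
            echo "$key expected=$want actual=$have"
            n=$((n + 1))
        fi
    done <<EOF
$(expected_settings)
EOF
    exit "$n"
)

# sysctl_conf -> the /etc/sysctl.conf lines for these settings
sysctl_conf() {
    expected_settings | awk '{ print $1 " = " $2 }'
}

# Typical use on the server (as root):
#   sysctl_drift || { sysctl_conf >> /etc/sysctl.conf; sysctl -p; }
```

The list is IPv4-only, as on the slide; a dual-stack name server needs the ipv6 counterparts (net.ipv6.conf.all.accept_redirects, accept_source_route, forwarding) added to expected_settings, and a host with IPv4 forwarding turned back on by a later package (a container runtime, for instance) is exactly what this check is for.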



DNS Server Helpful Hints for Network Settings (3 of 4)
Define, Discuss, Demonstrate, & Do
at & cron
  Only allow root and people with a verified need to run cron jobs
  Set up cron.allow and cron.deny
  Set up the equivalents (at.allow / at.deny) if you have 'at' installed
sshd
  Enable only the ssh2 protocol (Protocol 2)
  If multi-homed, consider if it needs to listen on all addresses or just one
  Do not allow root logins (PermitRootLogin no)
  Consider adding group permission for logins: AllowGroups wheel
MySQL
  If the database is used internally to the machine, make it listen on localhost
  Change passwords
Apache
  Remove all unneeded modules
  Use mod_security to weed out injection attacks
  Set correct SELinux booleans to maintain functionality and protection
SELinux
  Leave enabled and in enforcing mode
  Does not affect daemons it doesn't know about, unless they are started in a confined domain (note the earlier suggestions for chroot changes)
  Provides a behavioral model that known applications should be following
  Can stop attacks before they become complete system breaches
  Use the targeted policy; strict and MLS should be used only if you need that kind of protection
  Do boolean lockdown: review all booleans and set them appropriately: getsebool -a
  Generally, to secure the machine, look at things that are set to on and change them to off if they do not apply



DNS Server Helpful Hints for Network Settings (4 of 4)
Define, Discuss, Demonstrate, & Do
SELinux Boolean Lockdown
# getsebool -a | grep ' on'
allow_daemons_dump_core --> on
allow_daemons_use_tty --> on
allow_execmem --> on
allow_execstack --> on
allow_gadmin_exec_content --> on
allow_gssd_read_tmp --> on
allow_kerberos --> on
allow_mounton_anydir --> on
allow_postfix_local_write_mail_spool --> on
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_unconfined_exec_content --> on
allow_unlabeled_packets --> on
allow_user_exec_content --> on
allow_xserver_execmem --> on
allow_zebra_write_config --> on
browser_confine_xguest --> on
httpd_builtin_scripting --> on
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_tty_comm --> on
httpd_unified --> on
read_default_t --> on
spamd_enable_home_dirs --> on
user_ping --> on
(on a dedicated name server most of these, notably allow_execmem, allow_execstack and the httpd_* booleans, do not apply and can be turned off: setsebool -P <boolean> off)
Access Control
  Do not allow root logins
    This messes up the audit system since root is a shared account
    sshd and gdm have settings to disallow root login
  pam_tally2
    Used to lock out an account after consecutive failed login attempts
  pam_access
    Used to forbid logins from certain locations, consoles, and accounts
    /etc/security/access.conf controls its config
  pam_time
    Used to forbid logins during non-business hours
    /etc/security/time.conf controls its config
  pam_limits
    Used to limit maximum concurrent sessions and other user restrictions
    /etc/security/limits.conf controls its config
  pam_loginuid
    Used by all entry point daemons to set the task's loginuid and session identifier; loginuid and session ID are inherited by all processes at fork
  Limit access to the su command
    Edit /etc/pam.d/su
    Uncomment the line that requires wheel membership to allow a uid change: auth required pam_wheel.so use_uid
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
