22 Appendix D: Sample scripts/utilities
NT Scripts
I apologise, but none of these scripts are ready for release yet.
Script to clean up NT
Script to send SMTP email from NT (not yet tested)
Script to monitor an NT server for changes
UNIX Scripts
Here are a few scripts that I found useful in UNIX admin:
A /etc/syslog.conf (tested on SunOS 4.1.3, 5.2-5.7) that is very useful for centralising logs to a loghost and dividing up the different log types into separate files.
rotate_log is a perl script from Steven C. Simmons that I modified slightly. It is a great tool for compressing, archiving and trimming the logs generated by syslog (for example). I run it from cron to trim all text based logs.
monitor_processes.pl checks to see if a list of processes is running. If not, it sends a message to syslog (if syslog is not running, it sends a mail). [syslogd is monitored even if not listed.] The list is given on the command line, but also has defaults. Runs on Solaris 1 & 2.
killproc is a perl script that will kill a process given its name (or a regular expression). Useful for killing in scripts, rdist and for killing runaway forks (with hundreds of processes). Won't kill textedits or rdist sessions. Runs on IRIX, SunOS, Solaris.
wtrim.pl is a perl script from Rahul Dhesi that is very useful for trimming wtmp[x] files and keeping a specified number of records. I recommend you run it at the end of December each year. Tested on SunOS/Solaris.
monitor_socket.pl is a perl script that can be used to monitor for unexpected Satan or Sybase (or any other) socket connections. It just sits waiting on the socket and emails the contents of attempted connections to the system administrator. A part of any intruder detection system.
check_mounts.sh is a Bourne shell script that uses showmount -a to see who is mounting which NFS exported filesystems, compares it with the list from the last time the script ran and notifies root of any changes. For use on NFS servers. To initialise, run showmount -a >/var/tmp/.mount_ref, then call check_mounts.sh regularly from cron.
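Added example (not the original check_mounts.sh): the compare-and-notify logic the script is described as performing. The reference and current listings are taken as file arguments so it can be run against saved showmount output, and the report is printed where the original would mail root.

```sh
#!/bin/sh
# Added example, not the original check_mounts.sh: the comparison step of the
# showmount-based NFS client monitor. REF holds the "showmount -a" output saved on
# the previous run (the text initialises it as /var/tmp/.mount_ref); CUR is the
# fresh output. Entries have the form host:/exported/path.

# compare_mounts REF CUR
# Prints "+ host:/path" for a mount not seen last time and "- host:/path" for one
# that has gone away. Returns 0 if the two lists match, 1 if anything changed.
compare_mounts() {
    ref="$1"; cur="$2"
    # Symmetric difference of the two lists, then classify each entry by whether it
    # is present in the current listing. -F/-x make grep match the whole line literally.
    changes=$( { sort -u "$ref"; sort -u "$cur"; } | sort | uniq -u |
        while read -r entry; do
            if grep -qxF -- "$entry" "$cur"; then echo "+ $entry"; else echo "- $entry"; fi
        done )
    [ -z "$changes" ] && return 0
    echo "$changes"
    return 1
}

# report_and_update REF CUR
# Reports changes (the original mails root here; this version prints them) and only
# then replaces the reference, so each change is reported exactly once.
report_and_update() {
    if ! changes=$(compare_mounts "$1" "$2"); then
        printf 'NFS client changes on %s:\n%s\n' "`hostname`" "$changes"
        cp "$2" "$1"
    fi
}

# Usage: check_mounts.sh REF   (run from cron on the NFS server; needs showmount -a)
if [ $# -eq 1 ]; then
    now=${TMPDIR:-/tmp}/.mount_cur.$$
    showmount -a > "$now" && report_and_update "$1" "$now"
    rm -f "$now"
fi
```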
kill_baddies.pl is useful for enforcing what "trusted host" files are allowed. It also requires a configuration file, monitor_conf.pl.
1. report & wipe ALL hosts.equiv, .exrc
2. report & wipe .rhosts except (see wanted() function)
3. also move all files which start with ".." to STRANGE.$FILENAME
4. check the number of network interfaces (less than 2 except for datacenter servers) and check that the interface is not in promiscuous mode.
Tested on: Perl 4 + SunOS 4.1.3, 5.2, 5.3, 5.4, Perl 5 + SunOS 5.4, 5.5
SunOS 4.x: Cleaning up file permissions
Make sure you understand this script before executing it! This script was tested on SunOS 4.1.3.
chmod 644 /etc/utmp /etc/sm /etc/sm.bak /etc/state /etc/mtab /etc/motd /etc/syslog.pid
chmod 644 /etc/aliases
chmod 0755 /usr/kvm/crash
chmod 0700 /bin/chsh /usr/etc/etherfind /usr/etc/devinfo
chmod u-s /usr/etc/restore
chmod 0644 /vmunix
chmod 000 /usr/ucb/rdist
chown root.wheel /vmunix
chmod o-r /var/spool/cron/crontabs/*
(TBD: /dev/kmem)
Solaris 2.4: cleaning up file permissions
Make sure you understand this script before executing it! This script was tested on Solaris 2.4.
chmod 644 /var/adm/utmp /etc/motd /etc/syslog.pid /etc/mail/aliases
chmod 0700 /usr/sbin/snoop /usr/sbin/devinfo
chmod 0755 /usr/kvm/crash
chmod o-r /var/spool/cron/crontabs/*
chown root /etc/mail/aliases
chmod 000 /bin/rdist
chmod o-rx /etc/security
chmod o-rx /etc/dt
chmod o-w /usr/adm/spellhist
chmod og-rwx /usr/adm/vold.log /usr/adm/log/asppp.log /.rhosts
chmod 1777 /tmp /var/tmp
touch /var/adm/loginlog; chmod 600 /var/adm/loginlog; chown root.sys /var/adm/loginlog
Hardening
Hardening is the process of securely installing/configuring hosts to
be resistant to attack. Hardening issues are discussed in the section Firewall Configuration issues.
CERT now also provides several useful firewall/hardening/intrusion detection papers online:
- CERT Tech Tips (www.cert.org/tech_tips): Intrusion Detection checklist, Recovering from a UNIX root break-in, UNIX configuration guidelines, AUSCERT UNIX checklist, Packet filter rules
- Security Improvement modules: Detecting Signs of Intrusion, Security for a Public Web Site, Security for IT Service Contracts, Securing Desktop Workstations, Preparing to Detect Signs of Intrusion, Responding to Intrusions, Securing Network Servers, Deploying Firewalls
Below, concrete commands for hardening selected operating systems are listed.
SunOS 4.x: installing a Firewall host
Well, there's no script here, but this is what needs to be done:
1. In /etc/rc.local, switch off sendmail, rpc, automounter, NFS client & server, YP
2. In /etc/rc, switch off lpd
3. In /etc/inetd.conf, disable: rexd, tftp, exec, uucp, finger, systat, netstat, rusersd, echo, discard, daytime, chargen, telnet, rlogin and rsh.
4. Install ssh for login access. Access is restricted (/etc/sshd_config) to named hosts with known public keys (RSA authentication). Rhosts authentication is disabled.
This section has been replaced by a newer article on Hardening Solaris for SecurityPortal.
The following switches off all unnecessary (& historically holey) services on a Firewall host. Tested on 2.4/2.5. Mostly OK for 2.6 too. Note that although sendmail is not running as a daemon, the binary is still present and email can be sent from (but not received by) the host. The only host that needs to receive email, the mail gateway, should use smap or an equivalent to minimise sendmail risks.
- When installing the OS, install the minimum packages needed (pkginfo will list installed packages). For example, avoid compilers and X11/Openlook/Tooltalk if no GUIs are needed.
- When partitioning the disk, consider a separate, large /var for syslog/news/HTTP proxy servers. Note also that /usr can be mounted read-only (if it is in a separate partition). If possible, all partitions should be mounted either read-only or nosuid (so SUID programs cannot assume other identities).
- Install the recommended & security patches from Sun. Get the Patchdiag tool from Sunsolve and run it to see what patches are needed, then download & install the missing ones. Check the status of your patches with PatchDiag once per month.
- Run the script for cleaning up Solaris 2 in the previous section.
- Switch off unnecessary services (sendmail, automounter, NFS client, lp and rpc) by renaming their start scripts so the rc scripts no longer run them:
mv /etc/rc2.d/S88sendmail /etc/rc2.d/.S88sendmail
mv /etc/rc2.d/S74autofs /etc/rc2.d/.S74autofs
mv /etc/rc2.d/S73nfs.client /etc/rc2.d/.S73nfs.client
mv /etc/rc2.d/K60nfs.server /etc/rc2.d/.K60nfs.server
mv /etc/rc3.d/S15nfs.server /etc/rc3.d/.S15nfs.server
mv /etc/dfs/dfstab /etc/dfs/.dfstab
mv /etc/rc2.d/S80lp /etc/rc2.d/.S80lp
mv /etc/rc2.d/S71rpc /etc/rc2.d/.S71rpc
mv /etc/rc2.d/S30sysid.net /etc/rc2.d/.S30sysid.net
mv /etc/rc2.d/S71sysid.sys /etc/rc2.d/.S71sysid.sys
mv /etc/rc2.d/S72autoinstall /etc/rc2.d/.S72autoinstall
mv /etc/rc2.d/S93cacheos.finish /etc/rc2.d/.S93cacheos.finish
mv /etc/rc2.d/S80PRESERVE /etc/rc2.d/.S80PRESERVE
mv /etc/rc2.d/S47asppp /etc/rc2.d/.S47asppp
mv /etc/rc2.d/S92volmgt /etc/rc2.d/.S92volmgt        [assuming you have no CD]
mv /etc/rc2.d/S89bdconfig /etc/rc2.d/.S89bdconfig    [assuming you have no serial devices]
Even more secure is to delete the above files altogether...
- Turn off multicasting in /etc/init.d/inetsvc by commenting out the line containing:
route add 224.0.0.0
Add "-t" to the inetd startup line to enable connection logging:
/usr/sbin/inetd -s -t
- Consider enabling crash dumps for post mortem analysis (may help debugging after a crash, but will increase reboot time). Uncomment the lines as follows in /etc/init.d/sysetup:
##
## Enable savecore (default is disabled)
##
if [ ! -d /var/crash/`uname -n` ]
then mkdir -p /var/crash/`uname -n`
fi
echo 'checking for crash dump...\c '
savecore /var/crash/`uname -n`
echo ' '
- Configure /etc/hosts with a list of critical machines (which you don't want resolved via DNS).
- Use default routes (add the IP address of the router to /etc/defaultrouter, or create a startup file /etc/rc2.d/S99static_routes using the "route" command).
- Install SSH for login access. Configure the ssh daemon (/etc/sshd_config, sample here) so that access is restricted to named hosts with known public keys (/etc/scp /etc/ssh_known_hosts) and rhosts authentication is disabled. Use .shosts rather than .rhosts.
- Configure environment files: .cshrc, .login, .profile, Cshrc, Login, /etc/mail/aliases, /etc/syslog.conf, /etc/resolv.conf, /etc/default/su etc.
- inetd.conf: disable rexd, tftp, exec, uucp, finger, systat, netstat, rusersd, echo, discard, daytime, chargen, telnet, rlogin and rsh (use SSH for remote login). Even better, disable everything and use only SSH for login access. If you really want to use inetd services, then use them with the FWTK netacl or tcp wrappers.
- Crons
1) Remove unnecessary crons: rm /var/spool/cron/crontabs/{lp,sys,adm}
Don't delete the adm cron if you want sar performance collection or accounting.
2) Since sendmail is disabled above, it would be a good idea to set up a root cron job to check for undelivered mail, e.g.
0 * * * * /usr/lib/sendmail -q
- Reboot. Now ps -ef should show a small process list and netstat -a should show a minimum of network connections.
- DNS servers: install the latest public BIND version. Ditto for mail gateways & sendmail, but add SMAP.
- Disable IP forwarding, source routing and directed broadcast forwarding, if there is more than one interface, by adding the following to the end of /etc/init.d/inetinit:
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_forwarding 0
- Filesystems: in /etc/vfstab, mount root with "remount,nosuid", /var with "nosuid" and /usr with "ro" options. Optional [but difficult]: mount all other filesystems either "ro" or "nosuid". This reduces the risk of trojan horses and unauthorised modifications. Test it first though, you may have some problems.
- Logging: use the syslog.conf presented already. Designate one machine as the loghost and give it a whopping great disk (4GB) for logs. Use rotate_log.pl to prune & compress logs.
- Log "su" attempts to the console and /var/adm/sulog: edit /etc/default/su.
- Set a strong password for root. Remove any user accounts unless absolutely necessary. Ensure all accounts are either blocked, removed or have a strong password.
- Document configuration changes in /etc/mods, update after each change.
- Test in detail: what works, what can be done, what is forbidden. Is it as expected?
=> At this stage install tripwire, initialise its database and run regular checks to monitor for changes (see sample script trip_host.sh). If possible keep the tripwire master database on another machine or write-once media. Even better, copy tripwire & its database over and run it automatically at regular intervals using SSH. This makes it difficult for an attacker to know that tripwire is being used to check the system.
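Added example (not part of the original cookbook): a read-only audit of the service-disabling steps above, covering the inetd.conf list given for both the SunOS 4.x and the Solaris 2.x firewall host and the rc2.d/rc3.d start scripts renamed with a leading dot. File and directory paths are arguments so it can be run against copies of the live files; the audit_* names are my own.

```sh
#!/bin/sh
# Added example, not part of the original: a read-only audit of the "switch off
# services" steps above (the inetd.conf list given for both SunOS 4.x and Solaris 2.x,
# and the rc2.d/rc3.d scripts renamed with a leading dot). Paths are arguments so the
# audit can be run against a copy of the files or a constructed test tree.

# inetd.conf service names to be disabled. rlogin and rsh appear in inetd.conf
# under their service names "login" and "shell"; rexec is "exec".
INETD_DISABLED="rexd tftp exec uucp finger systat netstat rusersd echo discard daytime chargen telnet login shell"

# Start scripts the procedure hides by renaming them to .Sxx...
RC_DISABLED="S88sendmail S74autofs S73nfs.client S15nfs.server S80lp S71rpc"

# audit_inetd FILE: print every still-active inetd.conf line whose service is on the
# list; returns 0 if none. Comment lines are skipped. RPC services are written as
# "name/version" (e.g. rexd/1, rusersd/2-3), so the version suffix is stripped first.
audit_inetd() {
    found=0
    while read -r svc rest; do
        case "$svc" in ''|\#*) continue ;; esac
        name=${svc%%/*}
        for d in $INETD_DISABLED; do
            [ "$name" = "$d" ] && { echo "inetd: $svc still enabled"; found=1; }
        done
    done < "$1"
    return $found
}

# audit_rc DIR...: report start scripts that should have been renamed but are still
# present under their S name, i.e. still run by /sbin/rc2 and /sbin/rc3 at boot.
audit_rc() {
    found=0
    for dir in "$@"; do
        for s in $RC_DISABLED; do
            [ -e "$dir/$s" ] && { echo "rc: $dir/$s still active"; found=1; }
        done
    done
    return $found
}

# Usage: audit_services.sh INETD_CONF RCDIR...   e.g. /etc/inetd.conf /etc/rc2.d /etc/rc3.d
if [ $# -ge 2 ]; then
    conf="$1"; shift
    audit_inetd "$conf"; a=$?
    audit_rc "$@"; b=$?
    [ $a -eq 0 ] && [ $b -eq 0 ] && echo "no listed services enabled"
fi
```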
SUSE Linux: installing a firewall host (a few quick notes)
SUSE Linux 6 is easily hardened; for instance, to shut down all network services except SSH, change the following defaults in /etc/rc.config and reboot.
START_INETD="no"
SMTP="no"
START_PORTMAP="no"
NFS_SERVER="no"
START_NAMED=no
START_HTTPD=no
START_NNTPD=no
START_SMB="no"
START_SQUID=no
START_DHCPD="no"
- Then restrict SSH access by changing the AllowHosts entries at the bottom of /etc/sshd_config. Add known public keys to /etc/sshd_known_hosts.
- Make sure that all accounts in /etc/shadow have a blocked password except root or other admin accounts. Use good passwords.
- SuSE also offers a nice file permissions checking tool. I've not yet tried it out, but it looks good. The following are extracts from /etc/rc.config:
# SuSEconfig can call chkstat to check permissions and ownerships for
# files and directories (using /etc/permissions).
# Setting to "set" will correct it, "warn" produces warnings, if
# something strange is found. Disable this feature with "no".
#
CHECK_PERMISSIONS=set
# S.u.S.E. Linux contains two different configurations for
# chkstat. The differences can be found in /etc/permissions.secure
# and /etc/permissions.easy. If you create your own configuration
# (e.g. permissions.foo), you can enter the extension here as well.
#
# (easy/secure local foo whateveryouwant).
#
PERMISSION_SECURITY="easy local"
Web Server Best Practices
The CIAC bulletin J-O42 gives a very useful high level summary of how to secure an Internet web server, be it UNIX or NT. The bulletin is available from CIAC or as a locally formatted version.
Setting up anonymous ftp on Solaris 2.x
Here is a short description of setting up anonymous ftp on Sun Solaris 2.x. Note that the instructions in the in.ftpd man pages prior to Solaris 2.5 are incorrect. The following steps are necessary:
- Either login as root or get root by using the su command.
- Verify that there is an ftp user defined in the password table. In the /etc/passwd file you should therefore find an entry similar to
ftp:x:200:200:FTP User:/export/ftp:/nosuchshell
and in your /etc/shadow file you should find something similar to
ftp:NP:::::::
It's important that a blocked password is assigned to the ftp user.
- Set up a group with the name ftp in the /etc/group file; the entry should look like
ftp::200:
- The script below assumes that /export/ftp is the home directory to set up ftp; you may wish to use another directory by changing $ftphome. Make sure that your preferred ftp home directory $ftphome (/export/ftp) doesn't exist, but that there is an appropriate parent directory.
- Edit the shell script, ensure that $ftphome has the value of your preferred ftp home directory, then run the script (below). The script will generate all necessary directories for providing an anonymous ftp service (etc, usr, usr/lib, pub) and additionally two subdirectories of the pub directory, named upload and download, as examples for user defined directories to hold data.
- The upload directory is an example of a directory in which an anonymous user can also write (upload) data, so the ftp user or group needs write access. The upload directory should somehow be protected against overfilling, either by setting an appropriate disk quota on it or by using a dedicated filesystem for this directory or the whole anonymous ftp service. Never put $upload in the root filesystem.
- The /pub/download directory is an example of a directory which is read only for anonymous users. It's very important that only root can write this directory, whereas the ftp group can read it.
#!/bin/sh
#
# This is a short script to set up anonymous ftp on a Sun Solaris 2.x, run as root
#
# ftphome defines the home directory for anonymous ftp (change as needed).
ftphome="/export/ftp"
# Create needed directories
#---------------------------
# core directories
mkdir ${ftphome} ${ftphome}/usr ${ftphome}/usr/lib
mkdir ${ftphome}/bin ${ftphome}/etc ${ftphome}/dev
# user directories
mkdir ${ftphome}/pub ${ftphome}/pub/download ${ftphome}/pub/upload
# Setting up the directories
#---------------------------
cp /usr/bin/ls ${ftphome}/bin
# usr/lib
cp /usr/lib/ld.so* ${ftphome}/usr/lib
cp /usr/lib/libc.so.1 /usr/lib/libdl.so.1 ${ftphome}/usr/lib
cp /usr/lib/libintl.so.1 /usr/lib/libw.so.1 ${ftphome}/usr/lib
# etc
cp /etc/netconfig ${ftphome}/etc
sed -e 's/:[^:]*:/:*:/' /etc/passwd > ${ftphome}/etc/passwd
sed -e 's/:[^:]*:/:*:/' /etc/group > ${ftphome}/etc/group
# The following are needed for 'ls' to resolve NIS names
cp /usr/lib/libnsl.so.1 ${ftphome}/usr/lib
cp /usr/lib/straddr.so ${ftphome}/usr/lib
cp /etc/nsswitch.conf ${ftphome}/etc
# make device nodes. ticotsord and udp are necessary for
# 'ls' to resolve NIS names.
prefix="/dev"
for device in zero tcp udp ticotsord ; do
line=`ls -lL ${prefix}/${device} | sed -e 's/,//'`
major=`echo $line | awk '{print $5}'`
minor=`echo $line | awk '{print $6}'`
mknod ${ftphome}/dev/${device} c ${major} ${minor}
done
# Set owners and permissions
#---------------------------
chown -R root.root ${ftphome}
# should be ??
#chown -R root.ftp ${ftphome}
# bin
chmod 111 ${ftphome}/bin/ls ${ftphome}/bin
chown root ${ftphome}/bin
# usr/lib
chmod 555 ${ftphome}/usr/lib/lib*
# etc
chmod 444 ${ftphome}/etc/*
chmod 111 ${ftphome}/etc
chown root ${ftphome}/etc
# dev
chmod 666 ${ftphome}/dev/*
# pub
chmod 555 ${ftphome}/pub
chmod 755 ${ftphome}/pub/download
chown -R root.ftp ${ftphome}/pub/download
chmod 1777 ${ftphome}/pub/upload
chown -R ftp.ftp ${ftphome}/pub/upload
echo "done."
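Added example (not the page's script): a verification step for the tree built above, checking the points the text stresses, namely a blocked ftp account in the shadow file, password fields blanked in the copied ~ftp/etc files, and the directory modes the script sets. The ftp home and shadow file are arguments so it runs against a constructed tree as well; the check_* names are my own.

```sh
#!/bin/sh
# Added example, not part of the original: checks an anonymous ftp tree built by the
# script above against what the text requires. The ftp home and the shadow file are
# arguments, so the checks can also be run on a constructed tree without root.

# perm PATH: the ten-character type+mode field of ls -ld (portable; no stat(1) needed).
perm() { ls -ld "$1" | cut -c1-10; }

# expect PATH MODESTRING: report and return 1 when the mode differs.
expect() {
    actual=$(perm "$1")
    [ "$actual" = "$2" ] && return 0
    echo "$1: mode $actual, expected $2"; return 1
}

# check_ftp_account SHADOW: the ftp user must exist with a blocked password field
# (NP as shown in the text, or a locked *LK* / * / !... field); a real hash fails.
check_ftp_account() {
    pw=$(awk -F: '$1 == "ftp" { print $2 }' "$1")
    case "$pw" in
        NP|'*LK*'|'*'|'!'*) return 0 ;;
        '') echo "no ftp entry in $1"; return 1 ;;
        *)  echo "ftp entry in $1 has a usable password field"; return 1 ;;
    esac
}

# check_blanked FILE: every password field copied into the chroot must be "*", i.e.
# the sed in the set-up script did its job and no hashes leaked into ~ftp/etc.
check_blanked() {
    leaked=$(awk -F: '$2 != "*" { print $1 }' "$1")
    [ -z "$leaked" ] && return 0
    echo "$1: password field not blanked for:" $leaked; return 1
}

# check_tree FTPHOME: modes as set by the script (upload is sticky so anonymous users
# cannot remove each other's files; download is writable by root only).
check_tree() {
    h="$1"; rc=0
    expect "$h/bin"          d--x--x--x || rc=1
    expect "$h/etc"          d--x--x--x || rc=1
    expect "$h/pub"          dr-xr-xr-x || rc=1
    expect "$h/pub/download" drwxr-xr-x || rc=1
    expect "$h/pub/upload"   drwxrwxrwt || rc=1
    check_blanked "$h/etc/passwd" || rc=1
    check_blanked "$h/etc/group"  || rc=1
    return $rc
}

# Usage: check_anonftp.sh FTPHOME SHADOW   e.g. /export/ftp /etc/shadow
if [ $# -eq 2 ]; then
    check_ftp_account "$2" && check_tree "$1" && echo "anonymous ftp tree OK"
fi
```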