Securing the Desktop - Middleware Guidelines

General Rules

  • Your desktop must be firewalled to accept only traffic from the VT network, typically defined as:
    128.173.0.0/16 198.82.0.0/16

    See the discussion below on further restricting access from the residence halls.

    • It is expected that developers will use the VT VPN to access services such as SSH and HTTP. No services should be available to the world.
  • Do not run services you don't need. If you rarely or never remotely access your desktop, the SSH service should not be running.
  • Encryption of sensitive data is required. The following is a sample of data that should be considered sensitive:
    • passwords
    • personal information
    • private keys
  • Your data should be backed up daily. You may request an external hard drive for this purpose or use the IT-supported Tivoli service.
    • care should be taken to ensure any sensitive data is encrypted on backups
  • RSA keys used for login must be encrypted with a passphrase and that passphrase must be at least 20 characters long.
  • When in the office, but away from your desk, your desktop must be locked to prevent unauthorized access.
  • When out of the office, your desktop must be logged out of.
    • There are extenuating circumstances which may require a task to run overnight and prevent logging out. Be aware of the security implications in these cases.
    • Consider turning your desktop off when out of the office.

Windows

Antivirus

Use Microsoft Security Essentials: http://www.microsoft.com/security_essentials/

Firewall

Turn it on: Control Panel→System and Security→Windows Firewall

Linux

Overview

There are many articles available on securing the Linux desktop. This document seeks to distill from these a set of recommended best practices to be used by the Middleware group.

Backups

Backups are useful not only to restore accidental deletion, but also to restore your system should it be compromised. Tivoli TSM should be used to do automatic, nightly incremental backups.

Instructions are here: http://computing.vt.edu/security_and_viruses/network_backup/

Note that Ubuntu is not a supported platform.

Backups should be scheduled while the machine is inactive and while all users are logged out. There are several ways to do this, including running 'sudo dsmcad' from the startup manager or from the root crontab. To run the scheduler from the client, use 'nohup dsmc sched'.

Partitioning

It makes sense to partition your disk so that the system files and /home are on different partitions, so that the OS may be upgraded without impacting your data. Using the backup setup above also makes upgrades a little less painful.

Firewall: iptables

Use 'iptables' to filter inbound and outbound traffic, DROPping rather than REJECTing unwanted packets so that no error response is sent back to a potential attacker.

In particular, Middleware desktops should use a filter that drops all packets from anywhere that isn't on the VT VPN and also disallows all traffic from residence-hall IP addresses.

A sample iptables file (in iptables-save format) follows:

#
# IPTables rules 
# Adapted from VT UAS/Systems Engineering group default ruleset
#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
[0:0] -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
[0:0] -A OUTPUT -d 128.173.13.100 -p tcp -m tcp --dport 80 -j DNAT --to-destination 128.173.13.100:8080
[0:0] -A OUTPUT -d 128.173.13.100 -p tcp -m tcp --dport 443 -j DNAT --to-destination 128.173.13.100:8443
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
[0:0] -A INPUT -j block
[0:0] -A FORWARD -j block
[0:0] -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A block -s 127.0.0.1 -j ACCEPT
[0:0] -A block -s 128.173.13.100 -j ACCEPT

# Allow SSH from VT network excluding residence halls.
# iptables is first-match, so the residence-hall LOG/DROP rules must come
# before the broader /16 ACCEPT rules or they will never fire.
[0:0] -A block -s 198.82.56.0/21 -p tcp -m tcp --dport 42767 -j LOG --log-prefix "IPTables SSH" --log-level 7
[0:0] -A block -s 198.82.64.0/18 -p tcp -m tcp --dport 42767 -j LOG --log-prefix "IPTables SSH" --log-level 7
[0:0] -A block -s 198.82.56.0/21 -p tcp -m tcp --dport 42767 -j DROP
[0:0] -A block -s 198.82.64.0/18 -p tcp -m tcp --dport 42767 -j DROP
[0:0] -A block -s 198.82.0.0/16 -p tcp -m tcp --dport 42767 -j ACCEPT
[0:0] -A block -s 128.173.0.0/16 -p tcp -m tcp --dport 42767 -j ACCEPT

# Allow HTTP/S traffic from VT networks (8080/8443 are the REDIRECT targets
# from the nat table above)
[0:0] -A block -s 198.82.0.0/16 -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A block -s 198.82.0.0/16 -p tcp -m tcp --dport 8443 -j ACCEPT
[0:0] -A block -s 198.82.0.0/16 -p tcp -m tcp --dport 9443 -j ACCEPT
[0:0] -A block -s 128.173.0.0/16 -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A block -s 128.173.0.0/16 -p tcp -m tcp --dport 8443 -j ACCEPT
[0:0] -A block -s 128.173.0.0/16 -p tcp -m tcp --dport 9443 -j ACCEPT

# Allow TSM server for Tivoli backup service
[0:0] -A block -s 198.82.162.92 -p tcp -m tcp --dport 1500 -j ACCEPT

# Allow the ICMP types needed for ping and path-MTU discovery
[0:0] -A block -p icmp --icmp-type echo-request -j ACCEPT
[0:0] -A block -p icmp --icmp-type fragmentation-needed -j ACCEPT
[0:0] -A block -p icmp --icmp-type time-exceeded -j ACCEPT
# Drop broadcast and multicast destined traffic
[0:0] -A block -d 128.173.15.255 -j DROP
[0:0] -A block -d 255.255.255.255 -j DROP
[0:0] -A block -d 224.0.0.1 -j DROP
[0:0] -A block -p tcp -m tcp --dport 135 -j DROP
[0:0] -A block -p tcp -m tcp --dport 137 -j DROP
[0:0] -A block -p udp -m udp --dport 137 -j DROP
[0:0] -A block -p tcp -m tcp --dport 138 -j DROP
[0:0] -A block -p udp -m udp --dport 138 -j DROP
[0:0] -A block -p tcp -m tcp --dport 139 -j DROP
[0:0] -A block -p udp -m udp --dport 139 -j DROP
[0:0] -A block -p tcp -m tcp --dport 445 -j DROP
[0:0] -A block -p tcp -m tcp --dport 1023 -j DROP
[0:0] -A block -p tcp -m tcp --dport 1025 -j DROP
[0:0] -A block -p tcp -m tcp --dport 1433 -j DROP
[0:0] -A block -p udp -m udp --dport 1434 -j DROP
[0:0] -A block -p tcp -m tcp --dport 2745 -j DROP
[0:0] -A block -p tcp -m tcp --dport 3127 -j DROP
[0:0] -A block -p tcp -m tcp --dport 5000 -j DROP
[0:0] -A block -p tcp -m tcp --dport 5554 -j DROP
[0:0] -A block -p tcp -m tcp --dport 6129 -j DROP
[0:0] -A block -p tcp -m tcp --dport 9898 -j DROP
[0:0] -A block -s 198.82.161.8 -p tcp -m tcp --sport 25 --tcp-flags RST,ACK RST,ACK -j DROP
[0:0] -A block -j LOG --log-prefix "BLOCKED " --log-level 7
[0:0] -A block -j DROP
COMMIT
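An added check, not part of the original page or of the ruleset's source, that reads a ruleset in iptables-save format and verifies the properties the sample above depends on: INPUT is handed to the block chain, the chain ends in an unconditional DROP, and no DROP rule for the SSH port appears after an ACCEPT for that port (iptables is first-match, so a residence-hall DROP placed after the 198.82.0.0/16 ACCEPT would never fire). The embedded RULESET is a constructed excerpt of the filter table above; on a real machine pipe the output of iptables-save into check_ruleset instead.

```shell
#!/bin/sh
# Constructed excerpt of the filter table above; only the lines the check
# needs are kept. Counter prefixes ([0:0]) are stripped before matching.
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:block - [0:0]
[0:0] -A INPUT -j block
[0:0] -A FORWARD -j block
[0:0] -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A block -s 198.82.56.0/21 -p tcp -m tcp --dport 42767 -j DROP
[0:0] -A block -s 198.82.64.0/18 -p tcp -m tcp --dport 42767 -j DROP
[0:0] -A block -s 198.82.0.0/16 -p tcp -m tcp --dport 42767 -j ACCEPT
[0:0] -A block -s 128.173.0.0/16 -p tcp -m tcp --dport 42767 -j ACCEPT
[0:0] -A block -j LOG --log-prefix "BLOCKED " --log-level 7
[0:0] -A block -j DROP
COMMIT'

# check_ruleset RULES SSHPORT
# Prints one line per finding and returns 1 if there was any finding.
# Only the *filter table is examined; nat and mangle are skipped.
check_ruleset() {
    printf '%s\n' "$1" | awk -v port="$2" '
    /^\*/     { infilter = ($0 == "*filter"); next }
    !infilter { next }
              { sub(/^\[[0-9]+:[0-9]+\] /, "") }
    /^-A INPUT / && /-j block$/ { input_ok = 1 }
    /^-A block /                { last = $0 }
    # Once an ACCEPT for the SSH port has been seen, any later DROP for
    # that port can only be reached by packets the ACCEPT did not match.
    $0 ~ ("--dport " port " .*-j ACCEPT$") { accept_seen = 1 }
    $0 ~ ("--dport " port " .*-j DROP$") && accept_seen {
        print "shadowed (DROP after ACCEPT): " $0; bad = 1 }
    END {
        if (!input_ok)          { print "INPUT does not jump to block"; bad = 1 }
        if (last !~ /-j DROP$/) { print "block chain does not end in DROP"; bad = 1 }
        exit bad
    }'
}

check_ruleset "$RULESET" 42767 && echo "ruleset checks passed"
```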

Kernel Security Parameters

There is a good discussion of the parameters in /etc/sysctl.conf that can be tuned to shut off some common network vulnerabilities here: http://www.puschitz.com/SecuringLinux.shtml#KernelTunableSecurityParameters

Turn off Un-needed Services

FTP, Telnet, rlogin (rsh), sendmail, et al. typically aren't needed on desktop machines. Remove the packages from the system with 'apt-get remove' or 'rpm -e'.

Detecting Listening Network Ports

One of the most important tasks is to detect and close network ports that are not needed.

To get a list of listening network ports (TCP and UDP sockets), run the following command:

# netstat -tulp

You can also do a port scan from a remote server:

# nmap -sTU <remote_host>

Don't Start Unneeded Services

One of the most important tasks is to remove any network services from the system startup process that are not needed.

You can list all services which are started at boot using the following command:

# chkconfig --list | grep on

Review Inittab and Boot Scripts

You do want to ensure that your iptables rules are loaded every time the system starts, as early as possible. Check the other boot scripts to ensure they do not attempt to start services that aren't needed (see above).

Secure SSH

In /etc/ssh/sshd_config, set PermitRootLogin no. Also change the default port from 22 to something large and random (the sample firewall above assumes 42767).

Use Snort in NIDS Mode

“Snort can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.”

In intrusion detection mode, the program will monitor network traffic and analyze it against a ruleset defined by the user. The program will then perform a specific action based on what has been identified.

Snort rulesets are available from the Snort site:

http://www.snort.org/start/download

Use BotHunter

BotHunter is based on Snort and is an excellent tool for detecting botnet activity: http://www.bothunter.net/download.html

Encrypt Your Data

Use a TrueCrypt volume mounted at a known mount point to hold sensitive server data, and unmount the volume when not in use. The Tivoli TSM backup client can be used to back up this data - see Details.

Ubuntu allows users to encrypt their entire home directory. As of this writing this is accomplished via eCryptfs, as if the user had been created with the '--encrypt-home' command-line switch to adduser. eCryptfs works differently from TrueCrypt: it encrypts each individual file rather than acting as a container. eCryptfs encrypts file names and their contents but maintains the directory structure.

This can cause issues with Tivoli TSM backups: TSM has only 1k for file-name storage and wants the entire path for every file. Since eCryptfs encrypts the file names, they can be very long, and at a certain depth the full path will overflow the 1k buffer. This causes the backup of the affected file (or directory, if the over-long name is a directory) to fail. Note that when this happens, TSM fails the individual file backup but still finishes with a BACKUP_SUCCEEDED code. If using dsmcad, the user gets a 'success' email even though files or directories were not backed up because of this issue.

There are two solutions to this problem; neither is perfect. One is to back up only specific directories and take care that the file-name tree does not get too long for TSM to handle. This takes ongoing maintenance and care when adding new directories or files. The other is to not encrypt the file names in the directory tree, which keeps them much shorter (but exposes accurate file names should an attacker be looking for a specific file).

Retiring Machines

Use DBAN and/or a physical degausser to ensure data on the hard disk is unrecoverable.

Logging Out When the System is not Needed

Ensure that the system is not running unneeded services when unattended. Note that logging out of the system may not stop some daemons.

Scripts for verifying these action items

Write scripts to verify these items. Simulate attacks with Metasploit et al. to expose vulnerabilities.
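As a starting point for the verification scripts this section asks for, here is an added example (not from the original page) that checks two of the items above from captured input: the sshd_config settings (PermitRootLogin no, port moved off 22) and the listening sockets reported by netstat, flagging any wildcard-bound listener whose program is not on an allowlist. The sshd_config fragment and the netstat output are constructed sample data, and the "sshd dhclient" allowlist is an assumption; on a real machine pass /etc/ssh/sshd_config and the output of netstat -tulpn instead.

```shell
#!/bin/sh
# Constructed sshd_config fragment with two violations: root login allowed
# and sshd still on the default port.
SSHD_CONF='Port 22
PermitRootLogin yes
PasswordAuthentication no'

# Constructed `netstat -tulpn` output. sshd is expected; cupsd is bound to
# loopback only and is fine; vsftpd on all interfaces should be flagged.
NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:42767 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 640/cupsd
tcp6 0 0 :::21 :::* LISTEN 900/vsftpd
udp 0 0 0.0.0.0:68 0.0.0.0:* 512/dhclient'

# check_sshd CONFIG_TEXT: one finding per line, returns 1 if any finding.
check_sshd() {
    printf '%s\n' "$1" | awk '
    tolower($1) == "permitrootlogin" { root = tolower($2) }
    tolower($1) == "port"            { port = $2 }
    END {
        if (root != "no")           { print "PermitRootLogin is not no"; bad = 1 }
        if (port == "" || port == 22) { print "sshd is still on port 22"; bad = 1 }
        exit bad
    }'
}

# check_listeners NETSTAT_TEXT ALLOWED: flags listeners bound to all
# interfaces whose program is not in the space-separated ALLOWED list.
# Loopback-only listeners are accepted; a missing program name ("-",
# printed when netstat is run unprivileged) is flagged so it gets looked at.
check_listeners() {
    printf '%s\n' "$1" | awk -v allowed=" $2 " '
    $1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "0.0.0.0" && addr != "::" && addr != "*") next
        split($NF, p, "/"); prog = p[2]
        if (index(allowed, " " prog " ") == 0) {
            print "unexpected listener: " $1 " port " port " (" $NF ")"; bad = 1 }
    }
    END { exit bad }'
}

check_sshd "$SSHD_CONF" || echo "sshd_config: fix the findings above"
check_listeners "$NETSTAT" "sshd dhclient" || echo "listeners: fix the findings above"
```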

Note that this is a living document and will require ongoing maintenance.

References

http://www.puschitz.com/SecuringLinux.shtml (a nice pocket reference, but take the password-aging instructions with a grain of salt)

http://www.unixmen.com/linux-tutorials/1623-9-best-practices-to-secure-your-linux-desktop-and-server (recommends a mailer that sends email on root access; however, we have disabled our mail programs, so as cool as this would be, we can't do it)

middleware/devel/security.txt · Last modified: 2015/06/01 12:02 (external edit)