Security (Wheezy)

From Hexwiki
Revision as of 21:13, 9 May 2014 by Vekseid (talk | contribs) (Created page with "Security is a process, not a state. On the plus side, a lot of stuff from my earlier documentation on this has become the default in Wheezy. It is certainly made easier by not...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Security is a process, not a state. On the plus side, a lot of stuff from my earlier documentation on this has become the default in Wheezy. It is certainly made easier by not being the only one doing it.

/etc/inittab

# Since we're not using X, can enable all ttys, or alternately prep
# them all and comment most out. 
# Each one takes up about ~160kb of RAM while idle, so not a huge
# drain, and is the sort of thing swap is actually for on a server.
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6
7:23:respawn:/sbin/getty 38400 tty7
8:23:respawn:/sbin/getty 38400 tty8
9:23:respawn:/sbin/getty 38400 tty9
10:23:respawn:/sbin/getty 38400 tty10
11:23:respawn:/sbin/getty 38400 tty11
12:23:respawn:/sbin/getty 38400 tty12
# ...

# You can disable ctrl+alt+del from console. Note that this might block
# remote soft reboot software.
# What to do when CTRL-ALT-DEL is pressed.
#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

/etc/securetty

# /etc/securetty: list of terminals on which root is allowed to login.
# See securetty(5) and login(1).
# I end up deleting the vast majority of these, leaving only the ones below.
console
# Virtual consoles
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
tty12

/etc/security/limits.conf

#<domain>      <type>  <item>         <value>
# The main thing to note here are the core dumps
# and mysql's memory access. The latter is a
# legacy element.
#
*               soft    core            0
*               hard    core            -
*               -       maxlogins       3
*               -       memlock         2048
*               -       msgqueue        1048576
*               -       nofile          8192
*               -       nproc           256
*               -       sigpending      16384
*               -       stack           8192
mysql           -       maxlogins       0
mysql           -       memlock         33554432
root            -       maxlogins       -
root            -       memlock         33554432
root            -       nproc           -

/etc/host.conf

Read hosts first, then try a domain lookup if that fails. I am far more likely to be trying to override something when I put something in my hosts file.

order hosts,bind
multi on
nospoof on
spoofalert on

/etc/login.defs

  • LOG_OK_LOGINS yes
  • SULOG_FILE /var/log/sulog
  • CHFN_RESTRICT frwh
    • Don't ask me why I bother with this, I could not tell you : p
  • SHA_CRYPT_MIN_ROUNDS 65536
    • Or higher. Just remember what you are setting it to.

PAM

  1. Install the libpam-tmpdir package, if you have not already.
  2. /etc/pam.d/common-auth
    1. Remove nullok_secure from the auth line
  3. /etc/pam.d/su
    1. Uncomment and add group=wheel:
    2. auth required pam_wheel.so group=wheel
    3. Make sure root is part of the wheel group as precaution
  4. /etc/pam.d/common-password
    1. add 'rounds=65536' to the password line:
    2. password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=65536
  5. Regenerate root, administrator passwords

Directory and file Permissions

find / -perm -2000 -group 0

This should only return directories. /var/cache/man in particular.

chmod 0700 /root /lost+found
chmod 0751 /etc /home /etc/ssh/
chmod 0750 /mnt /boot /etc/rsyslog.d/ /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/
chmod 0750 /storage /innodb

Or whatever you choose your database/general directories to be. I dislike /opt and /srv, at least for things that I will be dedicating entire hard drives to (or most of them).

chgrp staff /storage

Or whatever again.

chmod 0640 /etc/crontab /etc/fstab /etc/inittab /etc/securetty /etc/ssh/sshd_config /etc/rsyslog.conf

Clear out unnecessary setuid binaries:

find / -perm -4000 -user 0

Only /bin/su is absolutely necessary.

  • /sbin/pam-tmpdir-helper is needed if you are using the pam tmpdir module above
  • suexec if you are still using Apache
  • screen needs setuid if using in multi-user mode.
  • sudo if you use that. Since this is a server, I find the idea of typing 'sudo' before a million commands highly annoying, personally. sudo is very much a thing for work/home machines, in my opinion.
  • ping and ping6 are somewhat annoying to leave as non-suid, but see below.

On a default Wheezy install:

chmod u-s /usr/bin/passwd /usr/bin/chsh /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/chfn /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /bin/mount /bin/umount

and

chmod u-s /sbin/mount.nfs

If using nfs

To let a specific group of users (staff, here) use ping and ping6

chmod 4750 /bin/ping /bin/ping6
chgrp staff /bin/ping /bin/ping6

Remove sound support

If much of the above straddles the 'security' line this probably crosses it. Still, if I hear my server that means something bad has happened.

To get sound modules:

lsmod | grep snd 

Blacklist these, along with pcspkr, in a file like /etc/modprobe.d/blacklist.conf:

# /etc/modprobe.d/sound-blacklist.conf
# Hear no evil.
blacklist pcspkr
blacklist snd_pcm
blacklist snd_timer
blacklist snd_page_alloc
blacklist snd
blacklist snd-pcsp
blacklist soundcore

ninja

ninja is a nifty little package that kills things that inappropriately escalate to root. It is far from perfect, but I have tried to hone my configuration over the years.

/etc/ninja/whitelist

/bin/su:wheel:
/usr/bin/sudo:wheel:
/usr/bin/sudoedit:wheel:
/usr/bin/screen:mcusers:

Obviously, set screen to whomever is going to be using it accordingly. I use it for Minecraft, personally.

/etc/ninja/ninja.conf

  • group = 70
    • Your wheel group
  • interval = 0
    • You may wish to set interval to 1 as it does use some cpu. This likely renders it pointless, however.
  • proc_scan_offset = 300
  • no_kill = yes
  • no_kill_ppid = yes
    • above two are for during testing only.

Run

ps --ppid 1

to get init ids. Still haven't figured out how to whitelist rc, debian-start or ntpdate, unfortunately, so I have not been able to force this system-wide yet.

ninjalert.sh

#!/bin/sh
mail -s "ninja triggered by user $1" root vekseid@gmail.com <<EOF
ninja activated on process escalation by user $1
EOF

Add to ninja.conf

rkhunter

As of Wheezy, the only one that has been updated.

  1. Install rkhunter and unhide
  2. In /etc/rkhunter.conf
    1. MAIL-ON-WARNING - add email addresses
    2. DISABLE_TESTS - reenable hidden_procs, suspscan
      1. We've installed unhide and /tmp and /var/tmp should be mounted tmpfs
    3. SCRIPTWHITELIST=/sbin/chkconfig
      1. I think this false positive got fixed, so you may want to skip it and see if it triggers.