Hardening CentOS by removing "hacker" tools (http://www.linux-archive.org/centos/102205-hardening-centos-removing-hacker-tools.html)

John R Pierce 06-06-2008 11:32 PM

Hardening CentOS by removing "hacker" tools
 
Have a search on Google for NSA Hardening RHEL5; you will find a very
good document (pdf) which will help you start your hardening.

http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Scott Silva 06-06-2008 11:44 PM

Hardening CentOS by removing "hacker" tools
 
on 6-6-2008 4:28 PM Ruslan Sivak spake the following:
> Dennis McLeod wrote:
>>> They basically detect port
>>> scans and add a firewall rule to temporarily block that ip. Does
>>> anyone know what tool that is?
>>>
>>> Also disabling remote login as root should help.
>>>
>>> Russ
>>
>> Fail2ban, is what you are looking for, I think....
>>
>> http://www.fail2ban.org/wiki/index.php/Main_Page
>>
>> Dennis
>>
>> ____________________________________________
>
> Sweet, actually this looks more like what I wanted, but rackspace said
> wasn't available. This bans the ips if there are a lot of password
> failures.
>
> There is also another tool which bans ips for port scans. I think it's
> been discontinued, but perhaps there is another one out there?
>
> Russ

I think that was portsentry.
http://sourceforge.net/projects/sentrytools/


--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!


Ruslan Sivak 06-06-2008 11:52 PM

Hardening CentOS by removing "hacker" tools
 
Scott Silva wrote:
> [...]
>
> I think that was portsentry.
> http://sourceforge.net/projects/sentrytools/




Yep, that's it. The keyword being was. I believe I tried installing it
in the past with no success. Is there another project that took over,
or is there a way to install this still?


Russ



Luke S Crawford 06-06-2008 11:54 PM

Hardening CentOS by removing "hacker" tools
 
"Filipe Brandenburger" <filbranden@gmail.com> writes:
> My boss asked me to harden a CentOS box by removing "hacker" tools,
> such as nmap, tcpdump, nc (netcat), telnet, etc.

Removing network tools does not make it harder to break into the box;
however, it can make it harder to do something with it once you are in.
Removing those tools might help keep an infection from spreading, but it
won't protect the box itself. (Also, [not] installing the programs just
means that if your box gets compromised, the hacker needs to install
some new packages. Not difficult, even without root: the attacker
can install to the compromised user homedir.)

It sounds like your boss doesn't know much about this. You have 2
choices... You can do what he says (largely useless), or you can try to
educate yourself (and your boss) on ways to actually make your systems more
secure.

I would advise the latter course, personally; if the boss is a good
boss, he will listen to his technical people.

Here are the basics:

First, turn off all daemons you don't need. If it's not running, you
don't need to worry if there is a security hole in it.

I think a good firewall is useful... it saves your ass if you
accidentally leave a daemon running that you don't need, or if
the new guy starts up a daemon that you weren't running before, or if
you need a daemon to be accessible to the office but not the world. Use the
CentOS iptables default setup: make sure you can take the box offline,
then change the default to 'reject' and then open things
up one service at a time until your system works again.

Third, subscribe to the announce list for your distro and check it
every day. Apply security updates immediately (you can't just do this
with cron; some require reboots).

Also, make sure that PermitRootLogin is set to no in /etc/ssh/sshd_config.
All of the successful brute-force attacks I've seen have been against
the root user. Brute-forcing other users is more difficult, as the
attacker (usually an automated process) needs to first obtain the
username; if you watch /var/log/secure you see a lot more attempts at root
than others.

If you use applications that are not provided by your distro's standard
distribution, subscribe to the mailing lists for those, as well.

The idea being that the majority of hacks are known exploits... if you
watch the mailing lists, you can at least solve the known problems
soon after they become generally known.

Those are the minimum steps you need to take... it's thousands of times
better than nothing. These are the 'easy' steps that get you a lot
of security while minimally interfering with usability.


Going beyond here, you must recognize that in the optimal case, there
is a tradeoff between usability and security. This is the optimal
case; sometimes you can make things less usable without increasing
security.


Beyond here, look at SELinux, look at mounting all user-accessible partitions
(/tmp, /home/ and /var) as noexec and ensuring that nobody but root can
write anywhere else... it doesn't help if you get rooted, but it
makes things mildly more difficult for a local user to run a local root
exploit.

Some people remove development tools, because many people transport exploit
code as C source code to the box, compile it and then execute it.

Many other things can be done... but don't bother until you take down
unnecessary daemons, put up a firewall, subscribe to the announce lists
for your distro, and disable remote root login.
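As an added example (not code from the thread or from anyone posting in it), here is a small POSIX shell audit for two of the basics Luke lists: what /var/log/secure shows about failed SSH password attempts per target account, and whether sshd_config actually ends up with PermitRootLogin no. The log excerpt and the sshd_config contents are constructed samples, and the function names are my own. The per-user count is the same pattern fail2ban (mentioned earlier in the thread) automates by banning the source address.

```shell
#!/bin/sh
# Added example, not from the thread: audit two of the "basics" Luke lists.
# Assumptions: CentOS 5 style /var/log/secure lines from sshd, and an
# sshd_config where the first PermitRootLogin line wins (OpenSSH semantics,
# default "yes" when absent; Match blocks are ignored here).
# All sample data below is constructed.

# Constructed /var/log/secure excerpt showing the pattern Luke describes:
# far more failed attempts against root than against any other account.
SAMPLE_SECURE='Jun  6 22:01:03 box sshd[2101]: Failed password for root from 192.0.2.10 port 4411 ssh2
Jun  6 22:01:05 box sshd[2103]: Failed password for root from 192.0.2.10 port 4412 ssh2
Jun  6 22:01:07 box sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 4413 ssh2
Jun  6 22:01:09 box sshd[2107]: Failed password for root from 198.51.100.7 port 3320 ssh2
Jun  6 22:01:11 box sshd[2109]: Accepted publickey for deploy from 203.0.113.5 port 5001 ssh2
Jun  6 22:01:13 box sshd[2111]: Failed password for root from 198.51.100.7 port 3321 ssh2'

# failed_by_user: count "Failed password" lines on stdin per target user.
# Prints "<count> <user>", highest count first. The user is the word before
# "from", which also covers the "invalid user X" form.
failed_by_user() {
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { u = $(i - 1); break }
             n[u]++
         }
         END { for (u in n) printf "%d %s\n", n[u], u }' | sort -rn
}

# root_failures: number of failed password attempts against root on stdin (0 if none).
root_failures() {
    failed_by_user | awk '$2 == "root" { print $1; found = 1 } END { if (!found) print 0 }'
}

# permit_root_login: effective PermitRootLogin value in the sshd_config file $1.
# Comment lines start with "#", so their first field never matches the keyword.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Stand-alone demonstration on the constructed sample and the live sshd_config.
if [ "${1:-}" = "--demo" ]; then
    echo "Failed SSH password attempts by target user:"
    printf '%s\n' "$SAMPLE_SECURE" | failed_by_user
    if [ -r /etc/ssh/sshd_config ]; then
        echo "PermitRootLogin is: $(permit_root_login /etc/ssh/sshd_config)"
    fi
fi
```

Run it with `--demo` on a box to see the live values; on a real host, feed `failed_by_user` the actual log (`failed_by_user < /var/log/secure`) to confirm Luke's observation that root draws most of the attempts.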

"Matt Shields" 06-07-2008 12:03 AM

Hardening CentOS by removing "hacker" tools
 
On Fri, Jun 6, 2008 at 7:54 PM, Luke S Crawford <lsc@prgmr.com> wrote:
> "Filipe Brandenburger" <filbranden@gmail.com> writes:
>> My boss asked me to harden a CentOS box by removing "hacker" tools,
>> such as nmap, tcpdump, nc (netcat), telnet, etc.
>
> Removing network tools does not make it harder to break into the box;
> however, it can make it harder to do something with it once you are in.
> Removing those tools might help keep an infection from spreading, but it
> won't protect the box itself. (Also, [not] installing the programs just
> means that if your box gets compromised, the hacker needs to install
> some new packages. Not difficult, even without root: the attacker
> can install to the compromised user homedir.)

But removing networking would :)

--
-matt

Jim Wildman 06-07-2008 02:09 AM

Hardening CentOS by removing "hacker" tools
 
On Fri, 6 Jun 2008, Filipe Brandenburger wrote:


Hi,

My boss asked me to harden a CentOS box by removing "hacker" tools,
such as nmap, tcpdump, nc (netcat), telnet, etc.

I would like to know which list of packages would you remove from a
base install. I would appreciate if someone could point me to a
"standard" way of doing this. I know there are procedures for
hardening a machine (I remember reading about Bastille Linux) but I
don't know how effective they are and if they include the removal of
such tools in their procedures.

Any advice would be very appreciated!

Thanks,
Filipe


Assuming from the question that a) the box is already installed and b)
the application for which it exists is installed via a well formed
rpm...

(Tell your boss the box or the app may go down unexpectedly while
you're doing this. This will almost certainly happen if condition b) is
not met. And the app may not come back up right when you reboot the box
or restart the app. Definitely schedule a power cycle or two for after
you think you're done. Maybe freshen up your resume too. Probably
should mention to the boss that if the app has gone through any internal
certification process, you are probably going to invalidate it and he
needs to talk to the development/enduser folks to schedule a recert.)

rpm -qa | sort > rpm.lst

Look at the list; anything you don't know what it is, rpm -qi. Season
with a liberal dose of "man -k package; man <something" and
"less /usr/share/doc/<package>". If you think you probably don't need it,
yum erase. If it doesn't try to erase the application or
something else necessary (like ssh or the kernel), say yes. Use yum, not
rpm, so you have a record in /var/log/yum.log of what you did. Maybe
start a screen session with history or a typescript session. Read
everything c.a.r.e.f.u.l.l.y and slowly. Don't multitask. If you're
really paranoid (twitch, twitch), run your application test suite after
each deletion (you do have a test suite, right???).

Better, google for "tiny centos" and build a new box with the minimum on
it. Then get the well formed application rpm from the vendor (evil laughter),
put it in a local repository and use yum to install it and its
dependencies.

And do all the firewall, selinux, hosts.{allow,deny} and NSA stuff too.

------------------------------------------------------------------------
Jim Wildman, CISSP, RHCE jim@rossberry.com http://www.rossberry.com
"Society in every state is a blessing, but Government, even in its best
state, is a necessary evil; in its worst state, an intolerable one."
Thomas Paine
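The inventory-then-prune workflow Jim describes, as an added shell example that is not part of the thread: build the rpm -qa inventory, diff it against a hand-written list of packages you have decided to keep, and read back the record yum leaves in /var/log/yum.log. The package listing, keep list and yum.log lines are constructed samples, and the function names are my own; the version-stripping sed is a simplification that a live box avoids with `rpm -qa --qf '%{NAME}\n'`.

```shell
#!/bin/sh
# Added example, not from the thread: the inventory-then-prune workflow Jim
# describes, plus reading back the record yum keeps of what was erased.
# Assumptions: rpm.lst is "rpm -qa | sort" output, keep.lst is a hand-written
# list of package names you have decided to keep, and yum.log lines look like
# CentOS 5's "Mon DD HH:MM:SS Erased: <name>". All sample data is constructed.

SAMPLE_RPM_LST='bash-3.2-21.el5
kernel-2.6.18-92.el5
nc-1.84-10.fc6
nmap-4.11-1.1
openssh-server-4.3p2-26.el5
tcpdump-3.9.4-12.el5
telnet-0.17-39.el5'

SAMPLE_KEEP_LST='openssh-server
kernel
bash'

SAMPLE_YUM_LOG='Jun 07 02:30:11 Erased: nmap
Jun 07 02:30:12 Erased: nc
Jun 07 02:31:40 Installed: screen.i386 4.0.3-1.el5'

# package_name: strip the trailing "-<version>-<release>" from each rpm -qa
# line on stdin. (On a live box, rpm -qa --qf '%{NAME}\n' avoids the parsing.)
package_name() {
    sed 's/-[0-9][^-]*-[^-]*$//'
}

# removal_candidates: names from the rpm -qa listing on stdin that are not in
# the keep list file $1. This is the list to walk through with rpm -qi, man -k
# and /usr/share/doc before touching anything; it is not a list to erase blindly.
removal_candidates() {
    keep=$(mktemp)
    sort -u "$1" > "$keep"              # comm needs both inputs sorted
    package_name | sort -u | comm -23 - "$keep"
    rm -f "$keep"
}

# erased_from_yum_log: package names recorded as erased in yum.log lines on stdin.
# This is the audit trail that Jim's "use yum, not rpm" advice buys you.
erased_from_yum_log() {
    awk '$4 == "Erased:" { print $5 }'
}

# Stand-alone demonstration on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    keepfile=$(mktemp)
    printf '%s\n' "$SAMPLE_KEEP_LST" > "$keepfile"
    echo "Candidates to review:"
    printf '%s\n' "$SAMPLE_RPM_LST" | removal_candidates "$keepfile"
    rm -f "$keepfile"
    echo "Erased according to yum.log:"
    printf '%s\n' "$SAMPLE_YUM_LOG" | erased_from_yum_log
fi
```

On a real system, `removal_candidates keep.lst < rpm.lst` gives you the review queue and `erased_from_yum_log < /var/log/yum.log` gives you the record to compare against it afterwards, which is the record Jim wants you to have when the application does not come back up.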

"Filipe Brandenburger" 06-07-2008 03:14 AM

Hardening CentOS by removing "hacker" tools
 
On Fri, Jun 6, 2008 at 7:54 PM, Luke S Crawford <lsc@prgmr.com> wrote:
> Removing network tools does not make it harder to break into the box,
> however, it can make it harder to do something with it once you are in.

That's the idea.

> (also, [not] installing the programs just
> means that if your box get compromised, the hacker needs to install
> some new packages. Not difficult, even without root- the attacker
> can install to the compromised user homedir.)

Not if /home and /tmp and /var/tmp are mounted with noexec,nodev,nosuid,...

> It sounds like your boss doesn't know much about this. you have 2
> choices... You can do what he says (largely useless.) or you can try to
> educate yourself (and your boss) on ways to actually make your systems more
> secure.

Actually his argument (with which I agree) is that no box is
uncompromisable. Once compromised, you want to limit what can be done
from that box to reach more critical and secure parts of your network.

Also, removing those tools certainly WON'T make the box LESS secure.

> First, turn off all daemons you don't need. if it's not running, you
> don't need to worry if there is a security hole in it.

This is a worry for this box because it will need to be particularly
exposed to the world (that's inherent to its role).

> I think a good firewall is useful...
> apply security updates immediately
> make sure that PermitRootLogin is set to no in /etc/ssh/sshd_config
> Beyond here, look at selinux, look at mounting all user-accessible partitions
> (/tmp, /home/ and /var) as noexec
> some people remove development tools, because many people transport exploit
> code as c source code to the box, compile it and then execute it.

Yes, I'm doing all of those, including SELinux, and I'm planning on
doing yet more (like chroot'ed SSH).

Thanks!
Filipe
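Filipe's point above (and Luke's earlier one) is that the user-writable filesystems should be mounted noexec,nodev,nosuid. As an added example, not from the thread, here is a POSIX shell check that reads an /etc/fstab listing and reports which of /tmp, /var/tmp and /home lack any of those options, including the common case where /var/tmp is not a separate filesystem and therefore inherits whatever /var has. The fstab shown is a constructed sample; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the user-writable
# filesystems Filipe and Luke mention are mounted with the options Filipe
# names (noexec,nodev,nosuid), reading an /etc/fstab listing from stdin.
# Assumptions: standard six-field fstab lines; the sample fstab is constructed.

SAMPLE_FSTAB='# constructed sample, not a real system
LABEL=/        /         ext3   defaults                     1 1
LABEL=/tmp     /tmp      ext3   defaults,noexec,nodev,nosuid 1 2
LABEL=/home    /home     ext3   defaults,nodev               1 2
LABEL=/var     /var      ext3   defaults                     1 2
tmpfs          /dev/shm  tmpfs  defaults                     0 0'

WANT_OPTS="noexec nodev nosuid"
CHECK_MOUNTS="/tmp /var/tmp /home"

# missing_opts: for every mountpoint in CHECK_MOUNTS, print
#   "<mountpoint> missing:<opt>[,<opt>...]"   when one of WANT_OPTS is absent, or
#   "<mountpoint> not a separate filesystem"  when fstab has no line for it
# (here /var/tmp, which lives on /var and so inherits /var's options).
# Mountpoints that already carry all three options produce no output.
missing_opts() {
    awk -v want="$WANT_OPTS" -v check="$CHECK_MOUNTS" '
        BEGIN { nw = split(want, W, " "); nc = split(check, C, " ") }
        /^[ \t]*#/ || NF == 0 { next }             # skip comments and blank lines
        { opts[$2] = $4 }                           # field 2 = mountpoint, field 4 = options
        END {
            for (i = 1; i <= nc; i++) {
                m = C[i]
                if (!(m in opts)) { print m " not a separate filesystem"; continue }
                n = split(opts[m], O, ","); split("", have)
                for (j = 1; j <= n; j++) have[O[j]] = 1
                miss = ""
                for (j = 1; j <= nw; j++)
                    if (!(W[j] in have)) miss = miss (miss == "" ? "" : ",") W[j]
                if (miss != "") print m " missing:" miss
            }
        }'
}

# Stand-alone demonstration: the constructed sample, then the live fstab if readable.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_FSTAB" | missing_opts
    if [ -r /etc/fstab ]; then
        missing_opts < /etc/fstab
    fi
fi
```

The check reads fstab rather than the running mount table so that it also catches a mount that was remounted by hand with looser options and would revert on reboot; running `missing_opts < /proc/mounts` (same field layout) shows the options currently in effect. Note that this only verifies the configuration; as Luke says, it makes a local attacker's life mildly more difficult rather than protecting a box that has already been rooted.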

"Filipe Brandenburger" 06-07-2008 03:17 AM

Hardening CentOS by removing "hacker" tools
 
On Fri, Jun 6, 2008 at 10:09 PM, Jim Wildman <jim@rossberry.com> wrote:
> Better, google for "tiny centos" and build a new box with the minimum on it.

Hmmm, that looks exactly like what I'm looking for! I'm actually
trying to find someone who has already done the tough work and could
give me some tips on what to expect on that path. I'll see what Google
has to offer and if I find something useful I'll post it here.

Thanks!
Filipe

Tony Mountifield 06-07-2008 08:42 AM

Hardening CentOS by removing "hacker" tools
 
In article <4849C905.7090007@hogranch.com>,
John R Pierce <pierce@hogranch.com> wrote:
>
> > Have a search on Google for NSA Hardening RHEL5; you will find a very
> > good document (pdf) which will help you start your hardening.
> >
> >
> http://www.nsa.gov/snac/downloads_redhat.cfm?MenuID=scg10.3.1.1

That link fails, but the following two links work fine:

http://www.nsa.gov/snac/os/redhat/rhel5-pamphlet-i731.pdf

http://www.nsa.gov/snac/os/redhat/rhel5-guide-i731.pdf

Cheers
Tony
--
Tony Mountifield
Work: tony@softins.co.uk - http://www.softins.co.uk
Play: tony@mountifield.org - http://tony.mountifield.org

