Hardening UNIX Applications (draft notes)

Secure installation of UNIX Server Applications

By Seán Boran

This article discusses securely installing well-known applications like FTP, DNS and Email. For each category, a list of tips and products is provided. General guidelines for all applications are also presented.

  1. Preparation
  2. General Guidelines
  3. FTP servers (ftpd)
  4. DNS servers
  5. HTTP servers
  6. Email Clients
  7. Email servers (SMTP): sendmail, postfix, smap
  8. Additional Notes: IDS | saveit | ntp

References
Changes to this article


1. Preparation

If you use the C-Shell, the following will make editing easier and enable history functions:

csh;
setenv TERM vt100; setenv VISUAL vi; setenv EDITOR vi;
set filec; set history=40; alias h history; alias ls 'ls -aF \!*';


General Guidelines

The following is a general checklist to consider for daemons/applications:

FTP servers (ftpd)

Which FTP server should you use?

Tips for FTPD configuration:

DNS servers

Hardening on BIND is described in a separate paper. See [13].

HTTP servers

General notes:


Email Clients (SMTP)

On UNIX and Linux, sendmail is invariably installed as an email server, running as a daemon. Many users and sysadmins think that sendmail needs to run as a daemon on email clients and servers alike.

The sendmail daemon does not need to run on an 'Email Client'.

This erroneous vendor installation behaviour seems to be a default that goes back 15 years; it is difficult to understand why vendors have not corrected it. Few email servers are needed in an organisation, so the default should be to only send email, since most hosts are workstations or servers that do not need an SMTP server. Running sendmail as a daemon increases security risks:

So how is an email client set up? Assuming we want to deliver all email from our workstation to one SMTP server, the steps are:

1. Define the mail server: add an entry with the email server name and IP address to /etc/hosts. Then add an alias 'mailhost' for this machine. There should also be an entry for the workstation, and workstation.DOMAINNAME.

2. Configure sendmail.cf (in /etc or /etc/mail), so that all email is sent via 'mailhost':

DSmailhost
DRmailhost
DHmailhost
O FallbackMXhost=mailhost

3. Stop the sendmail daemon from starting automatically

mv /etc/rc2.d/S88sendmail /etc/rc2.d/.no_S88sendmail

and kill the current daemon

4. Add appropriate aliases to /etc/mail/aliases, for example:

root: Your.Name@Yourcompany.com

5. If email cannot be delivered immediately (due to server congestion, for example), add the following entry to the root crontab to check for and send queued email every hour (the entry below runs on weekdays, Monday to Friday):

## process the email Q
0 * * * 1-5 /usr/lib/sendmail -q

6. Finally, test that email is being correctly delivered, by sending an empty test email to 'root' (or some other local alias) and to your usual Email address. The '-v' option is added to mailx so that we see the complete dialog with the email server, to convince us that it really is working correctly.

mailx -v -s test_email root </dev/null
mailx -v -s test_email John.Doe@YourCompany.com </dev/null

Troubleshooting: look carefully at the output of the mailx commands above, and at any error emails received in the root mailbox. Check that a 'ping' to mailhost works as expected. The SMTP server may be configured to accept email only from known workstations, or from workstations in a particular domain (in which case /etc/resolv.conf and DNS must be set up correctly, and the workstation must use the same hostname as is listed in DNS).
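The following script, an added example that is not part of the original article, audits a workstation for the email-client setup of steps 2, 3 and 5: it checks that sendmail.cf routes all mail via 'mailhost', that the rc start link is gone, that nothing listens on TCP port 25, and that a queue run is scheduled. The sendmail.cf path and rc directory are assumed to be passed as arguments, and the sample input at the end is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: audit a workstation for the
# 'email client only' sendmail setup (steps 2, 3 and 5 above).
# Assumption: the sendmail.cf path and rc directory are given as arguments so
# the checks can run against a copy as well as against a live system.

# check_cf CF MAILHOST: returns 0 if DS, DR, DH and FallbackMXhost in CF all
# point at MAILHOST (step 2); prints each missing line and returns 1 otherwise.
check_cf() {
    cf=$1; host=$2; rc=0
    for key in DS DR DH; do
        grep -qxF "${key}${host}" "$cf" || { echo "check_cf: ${key}${host} missing"; rc=1; }
    done
    grep -qxF "O FallbackMXhost=${host}" "$cf" \
        || { echo "check_cf: O FallbackMXhost=${host} missing"; rc=1; }
    return $rc
}

# check_rc RCDIR: returns 0 if the S88sendmail start link is absent (step 3).
check_rc() {
    [ ! -e "$1/S88sendmail" ]
}

# smtp_listening: reads 'netstat -an' output on stdin; returns 0 if any socket
# listens on TCP port 25 (matches Solaris '*.25' and Linux '0.0.0.0:25' formats).
smtp_listening() {
    grep -Eq '[.:]25[[:space:]].*LISTEN'
}

# queue_run_scheduled: reads 'crontab -l' output on stdin; returns 0 if an
# uncommented 'sendmail -q' entry exists (step 5).
queue_run_scheduled() {
    grep -Eq '^[^#].*sendmail[[:space:]]+-q'
}

# Demonstration on a constructed sendmail.cf fragment (not a file from the page).
tmp=$(mktemp -d)
printf 'DSmailhost\nDRmailhost\nDHmailhost\nO FallbackMXhost=mailhost\n' > "$tmp/sendmail.cf"
check_cf "$tmp/sendmail.cf" mailhost && echo "sendmail.cf: all mail goes via mailhost"
check_rc "$tmp" && echo "rc directory: no S88sendmail start link"
printf '0 * * * 1-5 /usr/lib/sendmail -q\n' | queue_run_scheduled && echo "crontab: queue run present"
rm -rf "$tmp"
# On a live host: check_cf /etc/mail/sendmail.cf mailhost; check_rc /etc/rc2.d;
# netstat -an | smtp_listening && echo "WARNING: an SMTP daemon is still listening"
```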

Hopefully Sun and other vendors will wake up and stop the sendmail daemon by default in future OS releases; it would certainly help reduce the number of unwitting open email relays on the Internet.

 

Email servers & Gateways (SMTP)

If you really need to receive Email (i.e. run an SMTP server), it's not a trivial task. Refer to [16]. Here a few brief notes are provided.

  1. Configure anti-relaying, anti-spam options
  2. Consider anti-virus and content checking
  3. Use a secure front end to sendmail (with its anti-relaying patches) on Internet gateways, like smap
  4. A few quick tips on Sendmail:
  5. A few quick tips on Postfix:
    Postfix is a very interesting SMTP server, from both a security and flexibility standpoint. I waited years to move over from sendmail; I wish I had done so sooner. It really is simpler and more secure, and moving over is not so painful.

    The main configuration files are typically in /etc/postfix; the important one is /etc/postfix/main.cf.
    To view non-default settings (i.e. our config): postconf -n
    To show default values: postconf -d

    Some example settings for relay and spam protection are listed in postconf-n.txt
    Most of the postfix elements can be chrooted. It worked fine for me on Solaris by running the script examples/chroot-setup/Solaris2 and then editing /etc/postfix/master.cf so that all non pipe or local daemons had 'chroot=Y'.

    Postfix tutorial (French) - Hervé Schauer Consultants
    http://www.hsc.fr/ressources/cours/postfix/ 

    Postfix -- the Sendmail Replacement - Martin Zahn (nice diagrams, clear instructions)
    http://www.akadia.com/services/postfix_mta.html

    Configuring Postfix as backup MX host - Martin Zahn
    http://www.akadia.com/services/postfix_mx_backup.html

    Using Postfix for Secure SMTP Gateways - Linux Journal (brief overview)
    http://www.linuxjournal.com/lj-issues/issue78/4241.html

    Postfix FAQ
    http://www.agamemnon.net/documents/postfix/faq.html

    pflogsumm.pl http://jimsun.linxnet.com/postfix_contrib.html 

    How UCE Actually Works - mengwong
    http://www.mengwong.com/misc/postfix-uce-guide.txt 

    Filtering E-Mail with Postfix and Procmail, Part Two - Brian Hatch
    http://online.securityfocus.com/infocus/1598 
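As an added example (not from the article or the Postfix project), the script below audits saved 'postconf -n' output for the relay-protection settings an Internet-facing server needs, showing a weak configuration beside the corrected one. It assumes the judgement can be made from mynetworks, mynetworks_style and an explicit smtpd_recipient_restrictions line alone; the sample settings are constructed.

```shell
#!/bin/sh
# Added example, not from the article or the Postfix project: audit 'postconf -n'
# output for the relay-protection settings an Internet-facing server needs.
# Assumption: only mynetworks, mynetworks_style and an explicit
# smtpd_recipient_restrictions line are examined; other restriction lists are ignored.

# param NAME: print the value of parameter NAME from 'postconf -n' output on stdin
param() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p"
}

# audit_postconf FILE: returns 0 if FILE (saved 'postconf -n' output) looks safe
# against open relaying, otherwise prints one reason per line and returns 1.
audit_postconf() {
    f=$1; rc=0
    restr=$(param smtpd_recipient_restrictions < "$f")
    # normalise the comma/space separated list to ",a,b,c," for exact matching
    case ",$(echo "$restr" | tr -s ' ' ',')," in
        *,reject_unauth_destination,*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination"; rc=1 ;;
    esac
    case "$(param mynetworks < "$f")" in
        *0.0.0.0/0*) echo "mynetworks trusts the whole Internet"; rc=1 ;;
    esac
    case "$(param mynetworks_style < "$f")" in
        class) echo "mynetworks_style = class trusts an entire address class"; rc=1 ;;
    esac
    return $rc
}

# Demonstration on constructed settings (weak beside corrected), not from the page.
tmp=$(mktemp -d)
cat > "$tmp/weak.txt" <<'EOF'
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks
EOF
cat > "$tmp/good.txt" <<'EOF'
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
EOF
audit_postconf "$tmp/weak.txt" || echo "weak.txt: open relay risk"
audit_postconf "$tmp/good.txt" && echo "good.txt: OK"
rm -rf "$tmp"
# Live use: postconf -n > /tmp/pc.txt; audit_postconf /tmp/pc.txt
```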

 

Further reading

The OpenAntiVirus Project
http://www.openantivirus.org
http://www.openantivirus.org/av-unix_e.txt


Additional Notes

This article has been very specific, in the interest of making it practical. However, each security administrator has his own methods and each site has different requirements.


References

[1]  
[2] Sunworld security columns
www.sunworld.com/sunworldonline/common/swol-backissues-columns.html
Solaris Security FAQ www.sunworld.com/common/security-faq.html
Padded Cells: www.sunworld.com/swol-01-1999/swol-01-security.html
Tripwire: sunworld.com/sunworldonline/swol-02-2000/swol-02-security.html?0306a
[3] Saveit script: original Spanish version: saveit-sp.sh; my tweaked version: saveit (less verbose messages, fix for OpenBSD, English translations, if target exists save with a time postfix).
[4]  
[5] Tripwire:
Free version V1.2 ftp.cerias.purdue.edu/pub/tools/unix/ids/tripwire (last updated in 1994).
Commercial Version www.tripwiresecurity.com (starts at $495.-/server) also runs on NT.
OpenSource Version www.tripwire.org Linux only
Sunworld article sunworld.com/sunworldonline/swol-02-2000/swol-02-security.html?0306a
Samhain
samhain.sourceforge.net
[6]  Sample tools for analysing logs:
Logcheck www.psionic.com/abacus/logcheck (see also my improved version of logcheck.sh, a zip with my improvements and solaris binaries and a local copy of the original logcheck-1_1.tar.gz)
Swatch  ftp.stanford.edu/general/security-tools/swatch
[7] All About SSH PartI and Part II,
[7a] ftp.cs.hut.fi/pub/ssh
[8] Jail Chroot Project: New tool for creating chroot jails (sounds nice, but I've not yet tried it)
www.gsyc.inf.uc3m.es/~assman/jail/configuring/3.html 
[9]  
[10]  
[11]  
[12] Securing Apache and HTTPD servers
[13] Articles on hardening and chroot'ing BIND8 and 9: bind_hardening.html
BIND sources and home page: www.isc.org/products/BIND
Testing Domains: www.ip-plus.net/tools/dns_check_set_en.html
[14] Wietse Venema's tools and papers (tcp wrapper, rpcbind/portmapper, postfix, Satan, ....) ftp.porcupine.org/pub/security/index.html
[15]  
[16] Tools

Useful articles:

[17] syslog replacements:
syslog-ng www.balabit.hu/products/syslog-ng (tcp connections, content filtering, encryption, authentication)
secure syslog  www.core-sdi.com/english/slogging/ssyslog.html
Nsyslogd coombs.anu.edu.au/~avalon/nsyslog.html (tcp connections & SSL)
[18] Security Advisories: www.cert.org, www.first.org, www.ciac.org
CERT provide several useful firewall/hardening/intrusion detection papers online www.cert.org/tech_tips.
Technical Discussion of advisories: www.SecurityFocus.com/sun
[19] Security Newsletters: SecurityFocus, SANS.
[20] IPfilter, IP Filter Based Firewalls HOWTO, Firewalling with IPF, Introduction to IP Filter
[21] Sun's Routing Support Document/FAQ is an old, but comprehensive overview of routing, how it works in Solaris and how to configure/debug routing.

Changes to this article

18.Aug.00 sb First version pulled from RH & Solaris Hardening notes, extended with Yassp info.
 Constant minor updates since then...


Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, Seán Boran, All Rights Reserved, Last Update: 08 October 2002