22 Appendix D: Sample scripts/utilities

• NT Scripts
• UNIX Scripts
• Diverse scripts
• SunOS 4.x: Cleaning up file permissions
• Solaris 2.4: cleaning up file permissions
• Hardening:
  • Introduction
• SunOS 4.x: installing a Firewall host
• Solaris 2.7: installing a Firewall host
• Solaris 2.4/5: installing a Firewall host
• SUSE Linux: installing a firewall host
• Web Server Best Practices
• Setting up anonymous ftp on Solaris 2.x

NT Scripts

I apologise, but none of the these scripts are not yet ready for release..

Script to clean up NT
Script to send SMTP email from NT (not yet tested)
Script to monitor an NT server for changes

UNIX Scripts

Here's a few scripts that I found useful in UNIX admin:

A /etc/syslog.conf (tested on SunOS 4.1.3, 5.2-5.7) that is very useful for centralising logs to loghost and dividing up the different log types into separate files.

rotate_log is a perl script from Steven C. Simmons, that I modified slightly. It a great tool for compress, archiving, trimming the logs generated by syslog (for example). I run it from cron to trim all text based logs.

monitor_processes.pl checks to see if a list of processes are running. If not, send a message to syslog (if syslog is not running, send a mail). [syslogd is monitored even if not listed]. The list is given on the command line, but also has defaults. Runs on solaris 1 &2.

killproc is a perl script that will kill a process give it's name (or regular expression). Useful for killing in scripts, rdist and for killing runaway forks (with hundreds of processes). Won't kill textedits or rdist sessions. Runs on IRIX, SunOS, Solaris.

wtrim.pl is a perl script from Rahul Dhesi that is very useful for trimming wtmp[x] files are keeping a specified number or records. I recommend you run it at the end of December each year. Tested on SunOS/Solaris.

monitor_socket.pl is a perl script that can be used to monitor for unexpected Satan or Sybase (or any other) socket connections. It just sits waiting on the socket and emails the contents of attempted connections to the system administrator. A part of any intruder detection system..

check_mounts.sh is a bourne shell script that uses showmount -a to see who is mounting what NFS exported filesystems, and compare it with the list the last time the script ran and notifies root. For use on NFS servers. To initialise, showmount -a >/var/tmp/.mount_ref then call check_mounts.sh regularly from cron.

kill_baddies.pl is useful for enforcing what "trusted host" files are allowed. It also requires a configuration file monitor_conf.pl
1. report & wipe ALL hosts.equiv, .exrc
2. report & wipe .rhosts except (see wanted() function)
3. Also move all files which start with ".." to STRANGE.$FILENAME
4. Check number of network interfaces (less than 2 except for datacenter servers) and check that interface is not in promiscous mode.
Tested on: Perl 4 + SunOS 4.1.3, 5.2, 5.3, 5.4, Perl 5 + SunOS 5.4, 5.5

SunOS 4.x: Cleaning up file permissions

Make sure you understand this script before executing it! This script was test on SunOS 4.1.3.

chmod 644 /etc/utmp /etc/sm /etc/sm.bak /etc/state /etc/mtab /etc/motd /etc/syslog.pid
chmod 644 /etc/aliases
chmod 0755 /usr/kvm/crash
chmod 0700 /bin/chsh /usr/etc/etherfind /usr/etc/devinfo
chmod u-s /usr/etc/restore
chmod 0644 /vmunix
chmod 000 /usr/ucb/rdist
chown root.wheel /vmunix
chmod o-r /var/spool/cron/crontabs/*

(TBD: /dev/kmem) 

Solaris 2.4: cleaning up file permissions

Make sure you understand this script before executing it! This script was tested on Solaris 2.4.

chmod 644 /var/adm/utmp /etc/motd /etc/syslog.pid /etc/mail/aliases
chmod 0700 /usr/sbin/snoop /usr/sbin/devinfo
chmod 0755 /usr/kvm/crash
chmod o-r /var/spool/cron/crontabs/*
chown root /etc/mail/aliases
chmod 000 /bin/rdist
chmod o-rx /etc/security
chmod o-rx /etc/dt
chmod o-w /usr/adm/spellhist
chmod og-rwx /usr/adm/vold.log /usr/adm/log/asppp.log /.rhosts
chmod 1777 /tmp /var/tmp
touch /var/adm/loginlog; chmod 600 /var/adm/loginlog; chown root.sys /var/adm/loginlog 
 
 

Hardening

Hardening is the process of securely installing/configuring hosts to be resistant to attack. Hardening issues are discussed in the section Firewall Configuration issues.

CERT now also provide several useful firewall/hardening/intrusion detection papers online:

• CERT Tech Tips: www.cert.org/tech_tips
• 
  Intrusion Detection checklist,  Recovering from a UNIX root break-in,
  UNIX configuration guidelines, AUSCERT UNIX checklist, Packet filer rules
• Security Improvement modules: Detecting Signs of Intrusion, Security for a Public Web Site, Security for IT Service Contracts, Securing Desktop Workstations, Preparing to Detect Signs of Intrusion, Responding to Intrusions, Securing Network Servers, Deploying Firewalls

Below concrete commands for hardening select operating systems are listed.

SunOS 4.x: installing a Firewall host

Well, there's no script here, but this is what needs to be done:

1. In /etc/rc.local, switch off sendmail, rpc, automounter, NFS client & server, YP
2. In /etc/rc, switch off lpd
3. In /etc/inetd.conf, disable: rexd, tftp, exec, uucp, finger, systat, netstat, rusersd, echo, discard, daytime, chargen, telnet, rlogin and rsh.
4. Install ssh for login access. Access is restricted (/etc/sshd_config) to named hosts with known public keys (RSA authentication). Rhosts authentication is disabled. 
 

Solaris 2.7: installing a Firewall host

The following is a checklist for securely installing a Solaris 2.7 host for use in a firewall (it is expected that only one or two services will run on this host).

Install & harden the OS without connecting the network, or in single user mode. Only connect the system to the firewall net once it has been tested. Before connecting it to any network where there are users, run tripwire to take a snapshot (see below).

1. When installing the OS, e.g. via "boot cdrom - install"
   • Install the minimum "user" bundle, set hostname, IP parameters, timezone, etc. Don't enable NIS or NFS.
   • I suggest partitioning the disk to have, say, 200MB swap, 200MB root, 1GB /usr and the rest on /opt.
     • Consider a separate, large /var filesystem for log/news/http/proxy servers.
     • Mount /usr and /opt read-only (in /etc/vfstab with "ro" option) when all programs are in place. This reduces the risk of trojan horses and unauthorised modifications.
     • Mount other partitions nosuid (SUID programs cannot assume other identities).
       In /etc/vfstab, mount root with "remount,nosuid", /var with "nosuid"
       Test it first though, you may have some problems.
   • Don't enable power management
   • Set a strong password for root. Remove any user accounts unless absolutely. Ensure all accounts are either blocked, removed or have a strong password.
2. Install the recommended & security patches from Sun Get the Patchdiag tool from Sunsolve and run it to see what patches are needed, then download & install the missing ones. Check the status of your patches with PatchDiag once per month.
3. Switch off unnecessary services:
     # NFS:
     mv /etc/rc2.d/S73nfs.client               /etc/rc2.d/.S73nfs.client
     mv /etc/rc2.d/K28nfs.server             /etc/rc2.d/.K28nfs.server
     mv /etc/rc3.d/S15nfs.server             /etc/rc3.d/.S15nfs.server
     mv /etc/dfs/dfstab                               /etc/dfs/.dfstab
   
     mv /etc/rc2.d/S88sendmail              /etc/rc2.d/.S88sendmail
     mv /etc/rc2.d/S74autofs                     /etc/rc2.d/.S74autofs  [automounter]
     mv /etc/rc2.d/S80lp                            /etc/rc2.d/.S80lp          [unless printer attached]
     mv /etc/rc2.d/S80spc                         /etc/rc2.d/.S80spc        [printing]
     mv /etc/rc2.d/S71rpc                          /etc/rc2.d/.S71rpc       [ideally, but may be needed, e.g. for Disksuite]
     mv /etc/rc2.d/S30sysid.net               /etc/rc2.d/.S30sysid.net
     mv /etc/rc2.d/S71sysid.sys               /etc/rc2.d/.S71sysid.sys
     mv /etc/rc2.d/S72autoinstall             /etc/rc2.d/.S72autoinstall
     mv /etc/rc2.d/S93cacheos.finish      /etc/rc2.d/.S93cacheos.finish
     mv /etc/rc2.d/S73cachefs.daemon  /etc/rc2.d/.S73cachefs.daemon
     mv /etc/rc2.d/S80PRESERVE         /etc/rc2.d/.S80PRESERVE
     mv /etc/rc2.d/S85power                     /etc/rc2.d/.S85power
     mv /etc/rc2.d/S76nscd                      /etc/rc2.d/.S76nscd
     mv /etc/rc2.d/S99dtlogin                   /etc/rc2.d/.S99dtlogin
     mv /etc/rc2.d/K07snmpdx                  /etc/rc2.d/.K07snmpdx
     mv /etc/rc2.d/K07dmi                         /etc/rc2.d/.K07dmi
     mv /etc/rc2.d/S47asppp                     /etc/rc2.d/.S47asppp
     mv /etc/rc2.d/S74xntpd                       /etc/rc2.d/.S74xntpd
     mv /etc/rc2.d/S89bdconfig                 /etc/rc2.d/.S89bdconfig
     mv /etc/rc2.d/S70uucp                        /etc/rc2.d/.S70uucp
     # rc3.d:
     mv /etc/rc3.d/S76snmpdx                 /etc/rc3.d/.S76snmpdx   [unless need net. management]
     mv /etc/rc3.d/S77dmi                          /etc/rc3.d/.S77dmi   
                    Even more secure is to delete the above files altogether...
4. Disable ip forwarding and source routing, if there is more than one interface, by adding the following to the end of /etc/init.d/inetinit:
     ## hardening
     ndd -set /dev/ip ip_forward_directed_broadcasts 0
     ndd -set /dev/ip ip_forward_src_routed 0
     ndd -set /dev/ip ip_forwarding 0
5. /etc/init.d/inetsvc:
   • Turn off multicasting in , by commenting the lines around:
               route add 224.0.0.0.
   • Add add "-t" to the inetd startup line to enable connection logging:
               /usr/sbin/inetd -s -t
6. Configure /etc/hosts with a list of critical machines (which you don't want resolved via DNS), don't forget the mailhost and loghost aliases (see below). If hosts are not suposed to send email outside the subnet, don't configure the mailhost alias.
7. Use default routes (add the IP address of the router to /etc/defaultrouter, or create a startup file in /etc/rc2.d/S99static_routes using the "route" command).
8. inetd.conf:
   • disable: rexd, tftp, exec, uucp, finger, systat, netstat, rusersd, echo, discard, daytime, chargen, telnet, rlogin and rsh (use SSH for remote login).
     Even better disable everything and use only SSH for login access.
   • If you really want to use inetd services, then use them with the FWTK netacl or tcp wrappers.
   • See notes on configuring ftpd.
9. Install standard tools:
   • gzip , e.g. from sunfreeware.com
   • SSH for login access. Configure (/etc/sshd_config - sample here) the ssh daemon so that access is restricted to named hosts with known public keys (/etc/scp /etc/ssh_known_hosts) and rhosts authentication is disabled. Use .shosts rather than .rhosts, if remote admin is needed.
   • Rdistd for remote file sync. Use rdist only over SSH.
   • Perl 5 (for scripting): I install it in /opt/gnu & create a link to /bin/perl.
   • top for process monitoring , e.g. from sunfreeware.com
   • Monitoring scripts: Install monitor_processes.pl and add a root cron entry:
     ## Check that important processes are running:
     0,30 8-19 * * 1-5 /secure/monitor_processes.pl inetd sshd named httpd
10. Configure environment:
    • .cshrc,.login,.profile, Cshrc, Login
    • /etc/mail/aliases (at least point root correctly), set mailhost in /etc/hosts and test email with:
      mailx -v -s test_email root </dev/null
    • Syslog logging: Split up log analysis according to the example syslog.conf which enables more logging than the default and splits up services into separate logfile. Designate one machine as the loghost (in /etc/hosts) or log locally.
    • Syslog "loghost": give it a whopping great disk for logs.
      Create enmpty logs 7 set permissions:
          cd /var/log; touch daemonlog authlog kernlog userlog maillog lprlog cronlog newslog locallog alertlog;
          chmod 600 daemonlog authlog kernlog userlog maillog lprlog cronlog newslog locallog alertlog;
          kill -1 `pgrep syslogd`
      Use rotate_log to prune & compress logs, add the root cron entries:
      ## Prune syslog logs weekly, keeping the last 6 months or so:
      55 23 * * 6 /secure/rotate_log -L /var/log -c -m 600 -M 400 -c -s -n 40 alertlog
      55 23 * * 6 /secure/rotate_log -L /var/log -c -m 600 -M 400 -c -s -n 40 authlog
      55 23 * * 6 /secure/rotate_log -L /var/log -c -m 600 -M 400 -c -s -n 20 cronlog
      55 23 * * 6 /secure/rotate_log -L /var/log -c -m 600 -M 400 -c -s -n 40 daemonlog
      55 23 * * 6 /secure/rotate_log -L /var/log -c -m 600 -M 400 -c -s -n 40 kernlog
      55 23 * * 6 /secure/rotate_log -L /var/log -c -m 600 -M 400 -c -s -n 40 locallog
      55 23 * * 6 /secure/rotate_log -L /var/log -c -m 600 -M 400 -c -s -n 20 newslog
      55 23 * * 6 /secure/rotate_log -L /var/log -c -m 600 -M 400 -c -s -n 40 userlog
      55 23 * * 6 /secure/rotate_log -L /var/log -c -m 600 -M 400 -c -s -n 10 lprlog
      55 23 * * 6 /secure/rotate_log -L /var/log -c -m 600 -M 400 -c -s -n 20 maillog
      # Reset syslog daemon (this could be done by
      0,15,30 0 * * 0 kill -HUP `cat /etc/syslog.pid`
      
    • /etc/resolv.conf: add domain name & DNS servers, if needed. Also add a DNS entry for "hosts" in /etc/nsswitch.conf.
    • /etc/default/su changes: enable SU logging to console and /var/adm/sulog
11. Reboot.
    Now ps -e should show a small process list:
       PID TTY TIME CMD
       0 ? 0:00 sched
       1 ? 0:00 init
       2 ? 0:00 pageout
       3 ? 0:09 fsflush
       156 ? 0:00 ttymon
       152 ? 0:00 sac
       447 ? 0:06 sshd
       88 ? 0:00 inetd
       98 ? 0:00 cron
       136 ? 0:00 utmpd
       605 ? 0:00 syslogd
       175 console 0:00 ttymon
       469 pts/1 0:00 csh
       466 ? 0:01 sshd
       625 pts/1 0:00 ps
    and netstat -a should show a minimum of network connections (e.g. only SSH).
12. Crons
       1)  Remove unnecessary crons:     
                    rm /var/spool/cron/crontabs/{lp,sys,adm}
            Don't delete the adm cron if you want sar performance collection or accounting .
       2) Since sendmail is disabled above, it would be a good idea to setup a root cron
            job to check for  undelivered mail, e.g            
                             0 * * * * /usr/lib/sendmail -q
            Note that although sendmail is not running as a daemon, the binary is still
            present and email can be sent from (but not received by) the host. The only
            host that needs to receive email, the mail gateway, should use smap or an
            equivalent to minimise sendmail risks.
        3) Disable the Solaris log pruning (& other) lines in the root cron, since you're doing it yourself.:
               #10 3 * * 0,4 /etc/cron.d/logchecker
               #10 3 * * 0 /usr/lib/newsyslog 
               #15 3 * * 0 /usr/lib/fs/nfs/nfsfind
               #1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1
               #30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
        4) Set date once a day with a reliable source using rdate (you may prefer NTP, it's more accurate, nut complex and uses bandwidth & and additional process):
               ## Synchronise the time:
               0 * * * * /usr/bin/rdate YOURTIMEHOST  >/dev/null 2>&1
         5) Pruning of login & other logs:
               ## Empty login/logout records at year end
               0 0 31 12 * /secure/wtrim.pl wtmp
               20 0 0 31 12 * /secure/wtrim.pl wtmpx 20
               # Solaris 2.x logs:
               0 4 * * 6 /secure/rotate_log -L /var/adm -c -m 640 -M 440 -c -s -n 30 loginlog
               0 4 * * 6 /secure/rotate_log -L /var/adm -c -m 640 -M 440 -c -s -n 30 sulog
               0 4 * * 6 /secure/rotate_log -L /var/adm -c -m 640 -M 440 -c -s -n 2 vold.log
               0 4 * * 6 /secure/rotate_cron
13. DNS servers: install the latest public BIND version. See DNS notes.
14. File permissions: tighten permissions, and restrict certain tools to root or disable:
    chmod 0500 /usr/sbin/snoop /usr/sbin/devinfo
    chmod o-r /var/spool/cron/crontabs/*
    chmod 000 /bin/rdist
    chmod o-rx /etc/security
    chmod og-rwx /var/adm/vold.log /usr/adm/log/asppp.log
    chmod 400 /.shosts /etc/sshd_config /etc/ssh_known_hosts
    touch /var/adm/loginlog; chmod 600 /var/adm/loginlog; /usr/ucb/chown root.sys /var/adm/loginlog 
15. Disable the volume manager [assuming you are finished with the CD - otherwise keep it if CD used frequently]:
           mv /etc/rc2.d/S92volmgt /etc/rc2.d/.S92volmgt    
16. Documentation:
    • Document configuration changes in /etc/mods, update after each change, with date, author, files affected, description.
    • Set login banners to warn users about unauthorised access (you'll need this if you want to prosecute intruders). For Telnet and SSH, use /etc/motd. For FTP, use wu-ftp and setup a banner in /etc/ftpaccess.
17. At this stage install tripwire and initialise it's database and run regular checks to monitor for changes (see sample script trip_host.sh). If possible keep the tripwire master database on another machine or write-once media. Even better, copy tripwire & it's database and run it automatically at regular intervals using SSH. This makes it difficult for an attacker to know that tripwire is being used to check the system.
18. Test in detail: what works, what can be done, what is forbidden. Check log entries. Does the system behave as expected?

TBD:

• what is /dev/msglog ?
• Install only the exact packages needed (pkginfo will list currently installed packages). For example avoid compilers and X11/Openlook/Tooltalk if no GUIs are needed. See work in progress a packages_solaris2.7.htm .
• Other patches?
• savecore is enabled by default on 2.7,  see dumpadm man page.
  

Solaris 2.4/5: installing a Firewall host

The following switches off all unnecessary (& historically holey) services on a Firewall host. Tested on 2.4/2.5. Mostly OK for 2.6 too.

Note that although sendmail is not running as a daemon, the binary is still present and email can be sent from (but not received by) the host. The only host that needs to receive email, the mail gateway, should use smap or an equivalent to minimise sendmail risks.

1. When installing the OS, install the minimum packages needed (pkginfo will list installed packages). For example avoid compilers and X11/Openlook/Tooltalk of no GUIs are needed..
2. When partitioning the disk, consider a separate, large /var for syslog/news/HTTP proxy servers. Also that /usr can be mounted read-only (if it is in a separate partition). If possible, all partitions should be mounted either read-only or nosuid (SUID programs cannot assume other identities).
3. Install the recommended & security patches from Sun Get the Patchdiag tool from Sunsolve and run it to see what patches are needed, then download & install the missing ones. Check the status of your patches with PatchDiag once per month.
4. Run the script for cleaning up Solaris 2 in the previous section.
5. Switch off unnecessary services (sendmail, automounter, NFS client, lp and rpc).
     mv /etc/rc2.d/S88sendmail /etc/rc2.d/.S88sendmail
     mv /etc/rc2.d/S74autofs /etc/rc2.d/.S74autofs
     mv /etc/rc2.d/S73nfs.client /etc/rc2.d/.S73nfs.client
     mv /etc/rc2.d/K60nfs.server /etc/rc2.d/.K60nfs.server
     mv /etc/rc3.d/S15nfs.server /etc/rc3.d/.S15nfs.server
     mv /etc/dfs/dfstab /etc/dfs/.dfstab
     mv /etc/rc2.d/S80lp /etc/rc2.d/.S80lp
     mv /etc/rc2.d/S71rpc /etc/rc2.d/.S71rpc
     mv /etc/rc2.d/S30sysid.net /etc/rc2.d/.S30sysid.net
     mv /etc/rc2.d/S71sysid.sys /etc/rc2.d/.S71sysid.sys
     mv /etc/rc2.d/S72autoinstall /etc/rc2.d/.S72autoinstall
     mv /etc/rc2.d/S93cacheos.finish /etc/rc2.d/.S93cacheos.finish
     mv /etc/rc2.d/S80PRESERVE /etc/rc2.d/.S80PRESERVE
     mv /etc/rc2.d/S47asppp /etc/rc2.d/.S47asppp
     mv /etc/rc2.d/S92volmgt /etc/rc2.d/.S92volmgt                         [assuming you have no CD]   bdconfig
     mv /etc/rc2.d/S89bdconfig /etc/rc2.d/.S89bdconfig                   [assuming you no serial devices]
                  Even more secure is to delete the above files altogether...
6. Turn off multicasting in /etc/init.d/inetsvc, by commenting the line with:
             route add 224.0.0.0.
   Add add "-t" to the inetd startup line to enable connection logging:
             /usr/sbin/inetd -s -t
7. Consider enabling crash dumps for post motem analysis (may help debugging after a crash, but will increase reboot time). Uncomment the lines as follows in /etc/init.d/sysetup:
     ##
     ## Enable savecore (default is disabled)
     ##
     if [ ! -d /var/crash/´uname -n´ ]
        then mkdir -p /var/crash/´uname -n´
     fi
     echo 'checking for crash dump...\c '
     savecore /var/crash/´uname -n´
     echo ' '
8. Configure /etc/hosts with a list of critical machines (which you don't want resolved via DNS).
9. Use default routes (add the IP address of the router to /etc/defaultrouter, or create a startup file in /etc/rc2.d/S99static_routes using the "route" command).
10. Install SSH for login access. Configure (/etc/sshd_config - sample here) the ssh daemon so that access is restricted to named hosts with known public keys (/etc/scp /etc/ssh_known_hosts) and rhosts authentication is disabled. Use .shosts rather than .rhosts.
11. Configure environment files: .cshrc,.login,.profile, Cshrc, Login, /etc/mail/aliases, /etc/syslog.conf, /etc/resolv.conf /etc/default/su etc..
12. inetd.conf: disable: rexd, tftp, exec, uucp, finger, systat, netstat, rusersd, echo, discard, daytime, chargen, telnet, rlogin and rsh (use SSH for remote login).
    Even better disable everything and use only SSH for login access. If you really want to use inetd services, then use them with the FWTK netacl or tcp wrappers.
13. Crons
       1)  Remove unnecessary crons:     rm /var/spool/cron/crontabs/{lp,sys,adm}
            Don't delete the adm cron if you want sar performance collection or accounting .
       2) Since sendmail is disabled above, it would be a good idea to setup a root cron
           job to check for  undelivered mail, e.g             0 * * * * /usr/lib/sendmail -q
14. Reboot. Now ps -ef should show a small process list and netstat -a should show a minimum of network connections.
15. DNS servers: install the latest public BIND version. Ditto for mailgateways & sendmail but add SMAP.
16. Disable ip forwarding and source routing, if there is more than one interface, by adding the following to the end of /etc/init.d/inetinit:
    ndd -set /dev/ip ip_forward_directed_broadcasts 0
    ndd -set /dev/ip ip_forward_src_routed 0
    ndd -set /dev/ip ip_forwarding 0
17. Filesystems: in /etc/vfstab, mount root with "remount,nosuid", /var with "nosuid" and /usr with "ro" options.
    Optional [but difficult]: Mount all other filesystems either "ro" or "nosuid". This reduces the risk of trojan horses and unauthorised modifications. Test it first though, you may have some problems.
18. Logging: use the syslog.conf presented already. Designate one machine as the loghost and give it a whopping great disk (4GB) for logs. Use rotate_log.pl to prune & compress logs.
19. Log "su" attempts to the console and /var/adm/sulog: edit /etc/default/su.
20. Set a strong password for root. Remove any user accounts unless absolutely. Ensure all accounts are either blocked, removed or have a strong password.
21. Document configuration changes in /etc/mods, update after each change.
22. Test in detail: what works, what can be done, what is forbidden. Is it as expected?

=> At this stage install tripwire and initialise it's database and run regular checks to minor for changes (see sample script trip_host.sh). If possible keep the tripwire master database on another machine or write-once media. Even better, copy tripwire & it's database and run it automatically at regular intervals using SSH. This makes it difficult for an attacker to know that tripwire is being used to check the system.

SUSE Linux: installing a firewall host (a few quick notes)

SUSE Linux 6 is easily hardened, for instance to shutdown all network services except SSH, change the following defaults in /etc/rc.config and reboot.

START_INETD="no"
SMTP="no"
START_PORTMAP="no"
NFS_SERVER="no"
START_NAMED=no
START_HTTPD=no
START_NNTPD=no
START_SMB="no"
START_SQUID=no
START_DHCPD="no"

• Then restrict SSH access by changing the AllowHosts entries at the bottom of /etc/sshd_config. Add known Public Keys to /etc/sshd_known_hosts.
• Make sure that all accounts in /etc/shadow have a blocked password except root or other admin accounts. Use good passwords.
• Suse also offers a nice file permissions checking tool, I've not yet tried it out, but it looks good. The following are extracts from /etc/rc.config.:
• 
  # SuSEconfig can call chkstat to check permissions and ownerships for
  # files and directories (using /etc/permissions).
  # Setting to "set" will correct it, "warn" produces warnings, if
  # something strange is found. Disable this feature with "no".
  #
  CHECK_PERMISSIONS=set
  # S.u.S.E. Linux contains two different configurations for
  # chkstat. The differences can be found in /etc/permissions.secure
  # and /etc/permissions.easy. If you create your own configuration
  # (e.g. permissions.foo), you can enter the extension here as well.
  #
  # (easy/secure local foo whateveryouwant).
  #
  PERMISSION_SECURITY="easy local"

Web Server Best Practices

A very useful high level summary from the CIAC bulletin J-O42 of how to secure an Internet Webserver, be it UNIX or NT. The bulletin is available from CIAC or a locally formatted version.
 
 

Setting up anonymous ftp on Solaris 2.x

Here a short description for setting up anonymous ftp on a Sun Solaris 2.x. Note that the instructions in the in.ftpd man pages prior to Solaris 2.5 are incorrect. The following steps are necessary

• Either login as root or get root by using the su command.
• Verify that there is a ftp user defined in the password table. In the /etc/passwd file you should therefore find a similar entry to
• 
  ftp:x:200:200:FTP User:/export/ftp:/nosuchshell
  and in your /etc/shadow file you should find something similar to
  ftp:NP:::::::
  It's important that a blocked password is assigned to the ftp user.
• Set up a group with the name ftp in the /etc/group file, the entry therefore should look like
• 
  ftp::200:
• The script below assumes that /export/ftp is the home directory to set up ftp, you may wish to use another directory by changing $ftphome. Make sure that your preferred ftp home directory $ftphome (/export/ftp) doesn't exist, but that there is a appropriate parent directory.
• Edit the shell script, ensure that $ftphome has the value of our preferred ftp home directory. Then run the script (below).The script will generate all necessary directories for providing an anonymous ftp service (etc, usr, usr/lib, pub) and additionally two subdirectories of the pub directory, named upload and download, as examples for user defined directories to hold data.
• The upload directory is an example for a directory in which an anonymous user can also write (upload) data, so the ftp user or group needs write access. The upload directory should somehow be protected against overfilling, either by setting a appropriate disk quota on it or by using a dedicated filesystem for this directory or the whole anonymous ftp service. Never, put $upload in the root filesystem.
• The /pub/download directory is an example for a directory which is read only for anonymous users. It's very important that only root can write this directory, whereas the ftp group can read it.

#!/bin/sh
#
# This is a short script to set up anonymous ftp on a Sun Solaris 2.x, run as root
#
# ftphome defines the home directory for anonymous ftp (change as needed).
ftphome="/export/ftp"
# Create needed directories
#---------------------------
# core directories
mkdir ${ftphome} ${ftphome}/usr ${ftphome}/usr/lib
mkdir ${ftphome}/bin ${ftphome}/etc ${ftphome}/dev
# user directories
mkdir ${ftphome}/pub ${ftphome}/pub/download ${ftphome}/pub/upload
# Setting up the directories
#---------------------------
cp /usr/bin/ls ${ftphome}/bin
# usr/lib
cp /usr/lib/ld.so* ${ftphome}/usr/lib
cp /usr/lib/libc.so.1 /usr/lib/libdl.so.1 ${ftphome}/usr/lib
cp /usr/lib/libintl.so.1 /usr/lib/libw.so.1 ${ftphome}/usr/lib
# etc
cp /etc/netconfig ${ftphome}/etc
sed -e 's/:[^:]*:/:*:/' /etc/passwd > ${ftphome}/etc/passwd
sed -e 's/:[^:]*:/:*:/' /etc/group > ${ftphome}/etc/group
# The following are needed for 'ls' to resolve NIS names
cp /usr/lib/libnsl.so.1 ${ftphome}/usr/lib
cp /usr/lib/straddr.so ${ftphome}/usr/lib
cp /etc/nsswitch.conf ${ftphome}/etc
# make device nodes. ticotsord and udp are necessary for
# 'ls' to resolve NIS names.
prefix="/dev"
for device in zero tcp udp ticotsord ; do
line=´ls -lL ${prefix}/${device} | sed -e 's/,//'´
major=´echo $line | awk '{print $5}'´
minor=´echo $line | awk '{print $6}'´
mknod ${ftphome}/dev/${device} c ${major} ${minor}
done
# Set owners and permissions
#---------------------------
chown -R root.root ${ftphome}
# should be ??
#chown -R root.ftp ${ftphome}
# bin
chmod 111 ${ftphome}/bin/ls ${ftphome}/bin
chown root ${ftphome}/bin
# usr/lib
chmod 555 ${ftphome}/usr/lib/lib*
# etc
chmod 444 ${ftphome}/etc/*
chmod 111 ${ftphome}/etc
chown root ${ftphome}/etc
# dev
chmod 666 ${ftphome}/dev/*
# pub
chmod 555 ${ftphome}/pub
chmod 755 ${ftphome}/pub/download
chown -R root.ftp ${ftphome}/pub/download
chmod 1777 ${ftphome}/pub/upload
chown -R ftp.ftp ${ftphome}/pub/upload
echo "done."