You, sir. You, Nick. Okay, well, I know the stragglers, all of them, sir. What's that? Okay, you let me know if you can't hear me, okay? Let me know if you can't hear me. I'm losing my voice. I've been talking, I've been hanging out at the parties at DEF CON until... well, anybody know when the last party let out? Was it about 5 a.m. or 6 a.m.? Anyway, so I'm kind of losing my voice, but we'll get by.

Anyway, so I'm going to talk today about Bastille Linux. Has anybody here been in the room before, has anybody seen me talk about Bastille at a previous DEF CON? Okay, well, that's kind of cool. Okay, there's not a huge amount of repeats, but there's some, so in terms of introducing it, you guys should still be happy. It should be fun.

What's that? Okay, so I'm supposed to remind you all that we're being recorded. I'm not sure why. Maybe I think they've had a few people streaking through the talks. Yeah, I wish.

Okay, so anyway, Bastille Linux: who's used it in here, or downloaded it at least, because lots of people download it and I'm sure never use it? Okay, so for the rest of you, here's what Bastille is. It's a security hardening script for Linux and Unix. I'll talk about what a hardening script does, why you want one, why it's useful. Right now we're working on Red Hat 7.3 and Mandrake 8.2 and TurboLinux 7.0 and SuSE 7.2 and Debian 2 and HP-UX 11, 11.0, 11i, whatever. And that's a lot more than last year, because last year I just came up and said Red Hat and Mandrake. But it turns out a bunch of people have all been helping out. Sometimes they port it and they don't tell me about it; I find out about it later. Sometimes they port it and send me an email, just like, "Hey, I ported Bastille. Hope you don't mind."
It's like, no, that's really great. Thanks, guys. I'm going for more operating systems next. The easiest way to vote on your choice of next operating system... okay, this is a really geek conference if I'm sitting here telling you guys you should vote on operating systems, but okay. The next few ports that we're expecting to do: we know we're going to do Solaris. Solaris is definitely going to be a fun one, because I think that operating system is actually getting worse with each release. I don't know how many of you have seen Solaris 9, but it's nice, it's functional, but it's really functional. So, yeah, okay.

We're talking about OpenBSD. Any OpenBSD developers in here? Okay, I can tell because no one's throwing anything. Yeah, in the back. Okay, well, he can't throw that far, I hope. So anyway, yeah, I didn't really think about hardening OpenBSD until really recently, because the thing is, OpenBSD is the operating system that probably, you know, is darn near the best in terms of off-the-shelf operating systems that everyone can get. They start out with really good defaults. Their big slogan is something like six years without a root hole in the default install, and now it's like, I think it's six years with only one root hole in the default install. No, that's really, really good. People ask me, you know, vendors are getting better with settings; are you ever not going to have to write Bastille? Not if they keep going the way they are. I mean, most of them... you know, six years with only one remote root in the default install, that's really good, because I think Red Hat has, you know, one every year, maybe one every six months. With Red Hat 6.2 they were like, what, three? I think there were two remote root holes or three remote root holes. Just one of you in this room is one, so they're going to take out handcuffs.
He just won't let me know. It's all good. No, it's not, I promise. Okay, anyway, so that's really good for OpenBSD. We might do a little bit of hardening, but there's not a whole lot we can do. But there is apparently an SSH worm; this is the SSH worm from a patch ago, and it's running around rooting up the BSD boxes right now. Okay.

We've talked about FreeBSD. Somebody finally gave me my first set of FreeBSD CDs, or my first set that are actually current. So we might have to do FreeBSD. We'll see.

A lot of people tell me, you know, I tried Bastille, but it was just so ugly, it was just so hard to run when it first came out. We got a GUI. So yeah, we're even making the GUI really cool. One of these days I'm going to get around to doing a web front end, so you don't have to be able to install packages to get the GUI to work: boom, little web server pops up on your box, Bastille runs, you run a web client. Anyone who wants to talk to me about web application security can know why it took me this long to get there. But, you know, we're going to do that. But yeah, we got a little GUI. It shows you a question, says, hey, do you want to do this? Okay, it tells you here's why you might want to, here's why you don't want to, and lets you answer, and you get to go through all these different modules, and it tells you what you've changed. And I'll talk about how it works.

So, in general, I guess one of the things I want to say is, when we created Bastille, the first question was, we're trying to make a hardening script, we're trying to make the best hardening script for Red Hat. There's all this stuff we want to do. The problem is, if you do everything you think of, especially back when Bastille was originally first written, you break stuff for everybody.
Okay, one example was, I mean, it seems obvious: let's turn off telnet and put SSH on instead. But how many users, when they try to telnet to a box and get really confused that telnet doesn't work anymore, say, "Bastille broke my system," and they're going to uninstall Bastille, they're going to undo it and stuff? So what we figured out was we should ask people questions about what it is that we should do. Hey, you know, I'd like to remove telnet. Is that okay? And that was a really good idea. But all of a sudden we realized that there were lots of people who maybe wouldn't make the decision we'd want them to. You know, they'd say, telnet's good, I've used telnet, so that's great, I love telnet. So we got to say, listen, telnet's bad. Why is telnet bad? Well, first, if you're on the same LAN as me, or under some other weird conditions, then when you telnet from a machine, I'll steal your password. And then it was like, oh, by the way, so people are, of course, going to say, I've got Kerberos. It's like, well, that's fun. Yeah, Kerberos telnet, I still take over your session. So you guys know about session takeover with telnet? Okay, yeah, some people do. Fun tools, really great ways to convince people at your site to get rid of telnet: Ettercap, okay, or dsniff, or hunt. Okay, in the case of hunt, it was like one of the first tools that let you take over someone's telnet session. Some of these tools are even kind of cute, because you can throw stuff to the server and sit there and do stuff on the server, and type separate messages just to the display, like, hey, this is your system, don't worry about this, I just have to change your password and read your email real quick.
Don't worry about it. So anyway, yeah, so we try to tell people why we want them to do things, in the hope they'll bend to our will, or at least, you know, they'll make an educated decision about why they're not doing it. So the downside is that this means that your first Bastille run, if you have a lot to learn, might take you about an hour. Okay, on the other hand, once you've been through it, or if you're already an expert, it might take you five or ten minutes.

Anyway, I'll go through some of the stuff Bastille does in general, and I'll talk about it in specifics, I guess. The first is, Bastille puts a firewall on the box, and it could be a firewall for just a single system, it could be the firewall for... whose phone is that? Okay, it could be a firewall for the entire system, or it could be a firewall for, like, you know, one or two networks.

We do a setuid audit. This is a very boring thing unless you're currently playing Capture the Flag over there, in which case I've been told by the Capture the Flag people who set it up that they've marked, like, all the binaries setuid or something. Setuid. We'll talk about it, but it's not good to have that many binaries setuid.

Okay, what else does Bastille do? Very informally, it turns off stuff.
You're not using... okay, unnecessary stuff. That's anything you're not using, or that we can convince you not to use. Okay, for all the stuff that's still there, we try to tighten the configurations up, and a lot of what we're adding is more stuff to tighten the configurations. If anybody in this room was in my "Attacking and Securing FTP" talk, you'll notice that Bastille's about to start doing a bunch of the stuff that I started telling y'all to do. So if anybody wants a refund now... dude, I'm sorry.

Okay, the last thing, as I said, is we're going to educate users and sysadmins. And not all admins have guns pointed at their boots, but, you know, a good number of users do. Everyone will shoot themselves in the foot, everyone will hang themselves if we give them enough rope, without education. The nice thing is, many of us are educated; for everybody else, we'll try to teach you something while we're there. Y'all having fun? Am I telling you stuff you already know? Okay, so I'll try to go a little faster.

Okay, so first, why do you need a hardening script? If you're at DEF CON, you probably don't need me to answer this question, especially because if you're not doing anything to harden your box and you're running Red Hat 6.2, you've probably been rooted six times today. Or it's morning, so three. The basic issue is that, in general, the defaults on an operating system are usually not set well for security. Red Hat's getting better at that; Solaris is getting worse. Okay, why? As far as we can tell, the reason vendors do this is partly because the users who are using these operating systems really wanted them to be easy to use. They want to install and say, okay, install, the web server's running and all that, I just push stuff up onto the web server and I'm ready to go. It's all good. Okay.
Well, that's kind of nice. The other issue is the programmers who actually create these operating systems. I worked for a vendor for a year, so I understand these people who create these operating systems. They're like, convenience. I have found a number of programmers who work for vendors who don't set root passwords. It's just like, yeah, whatever. They might root the box; I'll just rebuild it. I rebuild it every day anyway, what do I care? Often neither of these sets of people will understand security. By the way, I'm not busting on users, and lots of users will understand security, but there are enough that don't that the vendors think, you know, I've got to make sure that I leave the box really, really functional, really loose and open. Okay.

Again, why do you need any security anyway? Well, first, you're targeted by clueful hackers. Targeted by clueful hackers, probably especially if you're here. Okay, often targeted by them because you're one hop away from the place they're really trying to get to. Sometimes you're attacked by them because they just really would like a place to store some files. Why else? We're targeted by script kiddies because we've got an IP address. You've got an IP address; some script kiddie just finally got a working exploit after downloading for... finally gets a working exploit, he gets a scanner that scans systems looking for vulnerable systems.
He scans. There's an auto-rooter out there, it's called auto-something, that generally scans class Bs. It looks at 65,536 addresses, whether or not they exist, but it'll go and check every single one. What you do is you run this, you give it a class B network, it goes out, it scans every single machine in the class B. Okay, if it exists and it's vulnerable, it automatically roots it for you. Goes in, roots the next one, roots the next one, roots the next one, then hands you back a nice list. It says you scanned 65,000 hosts, you owned 150, here they are, have a nice day. Okay? So you're going to get hit by script kiddies just because they scanned your part of the network. Okay, if you're on the @Home network, you see this every day.

Okay, you're targeted by worms, slightly smarter than script kiddies, but they're fully automated, and the nice part is automation. But the level of automation in most worms means they really aren't that bright. They're generally looking for very specific things. We can defeat the worms with hardening, because worms don't have any ability to adapt. I mean, it's like script kiddies, but yeah, worms don't have any ability to adapt. If they find themselves in a system where they thought they were supposed to be root and they end up as a user, they often can't do anything. They're not set to say, oh, what do I do now? They just get pretty stymied. Or they're also easy to defeat because you can do things like change headers, so they're like, you know, I'm looking for a wu-ftpd box built with this version.
It's a different version, must not be vulnerable. Doesn't even try, just says must not be vulnerable and moves on. A lot of that's just for speed. But you get targeted by worms.

By the way, I guess I shouldn't have to answer this, I shouldn't have to talk about this slide at the DEF CON conference: why are script kiddies rooting your box? Well, they want it for everything you can think of. They want it to run IRC bots off of, they want to run an IRC server on it, they want to put up files, and, you know, they want to use it to exchange DivX movies or MP3s, or, you know, I don't know, maybe some girl's number. You know, there's like one number that's passed around among them all; it's fake, she changed it months ago, stop it, guys. They want to use it along with 150 other hosts they got from that auto-rooter to fire off a DDoS at some site, who knows which one. They want to brag about how many machines they've owned today. And you can come up with any other use. Anything you want a box for, they want a box for. Anything you can think somebody might want a box for, one of them probably wants a box for that. And the thing about being a script kiddie, it's really, really easy. Any of us can be one; we have to drop a lot of clue and then just go and start downloading scripts from the internet. Okay.

Bastille, how's it work? Bastille, like I said before, we're turning stuff off. So first is trying to minimize points of entry. Okay, remove attack vectors from attackers. Okay, one possibility is turn off network daemons.
Okay, we've all seen this; just about every single article on hardening says, you know, we're going to turn off all the network daemons. Another part is we'll take the programs... so if somebody steals an account on the box, maybe because somebody's using telnet at this conference and their account got stolen, you know, we want to take the programs that somebody could access with a stolen account, and if any of them have privilege, if they had a vulnerability that could give that privilege away, maybe we'll shut them down, and maybe we'll take away their privilege, maybe we'll configure them so they're harder to hit. And that's the other side of things. A lot of times what we're trying to protect against isn't just someone who remotely hits your box; it's the person who gets to your box through something else. Maybe they got in through the web server and that gave them user web. But maybe they stole a password, maybe they stole a password during a telnet session. I did a talk at Black Hat on attacking and securing FTP, and somebody raised their hand at the end of the class, because I talked about how FTP sucks because you lose your username and password if you're walking in like that, and he said, actually, during your talk I got three accounts and passwords from people FTPing on the wireless network. So anyway, stolen accounts happen, especially in the clear.

So there are setuid programs on your box, and the general purpose of those things is to let people who aren't root do things that only root can do. That might be doing things like mounting the floppy drive; it might be doing things like changing the password file to edit your own password. But in general, these setuid programs give an ordinary user root privilege for something very, very specific, and it's bad if there's a hole in one of those, a security vulnerability in one of them, because often a non-root user gets root straight out of that. Are there any questions? Am I going too fast, not too fast, am I going too slow? No? Okay, cool.

Does this stuff work, or more importantly, does hardening work? Okay, hardening hasn't gotten extremely popular just yet, at least not, I don't think, in a lot of mainstream areas. Well, Bastille is a simple hardening script. It was something that was written because I went and did an audit of Red Hat 6.0 and wanted to kind of share it. And it was written before either most or all of those vulnerabilities of Red Hat 6.0 were discovered. It can either stop or contain just about all of them, which was pretty cool. I mean, I'm not trying to toot Bastille's horn or anything like that; I'm trying to point out, whether you're doing it by hand or you're using a program to do it, this stuff is extremely effective.

Vulnerabilities in Red Hat 6.0: BIND, remote root. Okay, in that case we either turn BIND off for you, or we could run it as a non-root user stuck in a chroot prison, which is a little directory that doesn't have much in it. Okay, you can't really escalate privilege from a chroot prison if you get stuck in there as a non-root user, because there's nothing around there; no vulnerable programs around, generally, to exploit. So we could contain BIND, which was kind of cool, because there were some pretty fun worms running around. If any of you have Red Hat 6.0, you're on CTF and they just gave you Red Hat 6.2, then you're probably getting hit by BIND attacks, and we could at least contain them. Wu-ftpd? Darling, I have a whole talk on vulnerabilities in wu-ftpd. We could turn it off.
We could shut down particular modes, basically do a little bit of hardening to make it harder, just to leave it so it doesn't get hit. userhelper was another fun one. It was a local root exploit; it was a setuid program. If you were on the box already, you could get root out of that. It shut that off. lpd and sendmail had a weird interaction, and again, those could either be shut off, or we made it so that... the big issue is generally you came in through sendmail, and it turns out most of the boxes running sendmail don't actually have to run sendmail on the network, because they're not receiving mail; they're just sending it back out. So you can turn that stuff off. dump and restore was a great one. Okay, I talked about what setuid programs do. dump and restore were programs that could be run by anybody. Okay, they were setuid root. They gave you root abilities on the box so you can run backups. That's really nice; you want to let people run backups. But you don't generally want to let ordinary users run your backups for you. You don't want to let the web server run your backups for you. Just leave that to sysadmins. So we could turn those off, and generally recommended very strongly that we did. So if you ran Bastille on Red Hat 6.0, 6.1, 6.2, when each of these had vulnerabilities, you got past them entirely. GPM was another one: if you were on the console you could get root out of that, and again, we turned it off, because most people don't even know it's running and they're not using it either. Y'all having fun? A little bit, okay. Most speakers haven't come by yet, I'm sorry. We missed the one in nmh, we missed the one in man, and those were hard, so we just missed them.

Okay, so one of the things I wonder is who the heck is using Bastille. I have no idea how many people are using it, because people just download it; the downloaders put it up on websites and then other people download it from them. So we have no idea. For a while MandrakeSoft had it in their distribution, and we talked with Red Hat about integrating it, and they're actually getting better in general. SGI has signed with... anybody here from garden? I've heard some appliance with garden actually uses Bastille. And we know that probably somewhere around a hundred thousand people use it. We don't know how many, because we just don't have any way to track it. But there are a lot of people using it. It turns out to be pretty useful.

I want to show you what kind of capabilities we had and where we're going with it. The first is, in our recent 2.0 release, we started making Bastille smarter, so it wouldn't ask you questions about stuff that wasn't on your system. It's still going to do that a little bit, but not very much. So if you haven't installed a package, it shouldn't ask you, you know, can I harden this package? If it doesn't find sendmail, it won't ask you sendmail questions. If it doesn't find programs set setuid root, it won't ask you if it can turn them off. We got the whole GUI thing going on, which was, as I said, really nice.
It's really good for making things easy. And we made our configuration file reusable. So what you do is you can take Bastille and run it once, answer all the questions, take that config file, and then go and carry it over to a hundred identical lab systems, and work on other things. We're trying to make it so that you can take a configuration file from, like, Red Hat and try to use it on HP-UX or something, but that's really hard, actually.

What I want to do is show you what we're doing, and what we're going to be doing, if you're hearing this talk, and tell you about the 2.0 release, but about what we're releasing in the next two days. There are beta releases up, but go for the stable one. But, you know, I'm going to tell you what we're doing in the next few days, and then what we're doing for the next few months. And the next few months is where I start taking a lot of new content, a lot of new hardening steps, and trying to integrate them. We're also trying to get on Solaris, because they really need the help.

Okay, I told you we can set up a firewall on the box. It can be default, which is nice and strong; it can be for a single machine, or it can be for a masquerading network. They're adding a DMZ to that right now. So it's actually pretty useful. MandrakeSoft actually shipped a firewall that used Bastille's firewall, and it used that as the main firewall program. Anyway, this is kind of nice, because if you have a machine that you've hardened, or you haven't hardened as much, the firewall adds an additional layer of protection; it catches a lot of the stuff that you might have missed. Okay, well, one of the things I always get asked is, well, wait a second, you're going to tell me all the stuff you turned off, but you put up a firewall, you don't need to turn them off. Well, the issue is the firewall might fail, or the programs we're turning off might accidentally come back on. So it's really a good idea to do both, because it's called defense in depth, and the idea is basically, if you've got anything you're trying to protect, it's really nice to be protecting it, like, say, two, three, four ways, because if any of those layers fails, you have another one protecting you. Okay? Firewall vendors, you know, from yesteryear wouldn't love me saying this, but this is the basic thing that really makes it a lot harder for someone to nail your system. Okay, so the next time that someone says, oh, there's been a bug in the Linux firewall code, you can send anything through, you won't necessarily have to, you know... your hardening's still there, you're doing both. So you won't have to be like, oh my God, I'm screwed. Okay.

We do a file permissions audit. This is, I think, I like to talk about the most boring areas of computer security. This is, you know, of hardening a system, this is number three on the top ten; you definitely get screwed with file permissions. I was really going to try and do a talk this year on how bad file permissions can let someone root your box really easily. I know it sounds boring, but I'll give you the real live example. I found a system where I got in as user nobody, because of something somebody had set up that got me in as user nobody, and it turned out the file permissions on the crontab directory, where all the crontab files are, were really weak. So user nobody, along with a few other users I was able to get later on, could write to them. So if you can write to the crontab directory, what do you do?
Well, you change root's crontab file: one minute from now, hey, root's cron is going to run. It's going to say, root asked me to bind a root shell to port 666. Yeah, okay, I'll do that. It runs, and, you know, all of a sudden now you telnet into the system. You went from nobody to root just because the vendor of this operating system originally set really weak permissions on a few directories. So we do a file permissions audit and try to stop them from doing really dumb things like that.

I told you about setuid. One of the examples I often use is userhelper, but I'm going to name another one. I remember I was working at an all-Solaris shop a while ago, and we knew we had a bunch of stolen accounts. Universities: happens all the time. People are using telnet, you can't take telnet away, so their accounts are going to get stolen. But we started tracking some of the stolen accounts, and I set up a pager that paged me whenever this guy came on with a given account name. Okay, and so, you know, I got a page one day and I ran over to my terminal. I'm sitting there watching his session, and the guy is, you know, he's sitting here compiling. He's FTP'd an exploit up, and that exploit is against pmconfig. Okay, pmconfig, it's an exploit against pmconfig, which on Solaris lets you set the power management features, lets you do things like suspend the machine, or lets you tell it to spin down the hard disks, or whatever. Okay, so this program was setuid root. So if it was broken in some way and you could run it, you'd get root. This program was set so everyone on the system could run it.
Okay, so he was bringing an exploit. He was going to run the exploit, the exploit was going to run pmconfig, he was going to be root. I was like, that shouldn't be setuid. There shouldn't be anybody running that besides the sysadmins. Tappy, tappy, tappy. By the time he finishes compiling his exploit, I've already turned off setuid. He runs his exploit, doesn't work. He's like, okay, must be broken, and he's off to the next system. Okay, the alternate version of that scenario is we haven't done a setuid audit, even one like right there as the guy's there. We haven't done any kind of setuid audit, I'm at lunch, you know, no pager maybe, and what happens? Well, he runs his exploit, and he causes a very bad day, because the last time we had a root compromise on that system, we took, I think it was, 46 man-hours just to get everything going again. That's not a rebuild. That's just straight from where we were, making sure that we weren't totally vulnerable in 8,000 different ways. Okay, pmconfig never should have been setuid root. There's no reason that you need your ordinary users to be going and changing the power management features on a server. I can't think of a single one. Okay, if you've got a user who needs to use that, give them the root password. If you don't want to give them the root password, use sudo or something like that, you know. Give them, and only them, permissions to use it; put them in a group. So the setuid audit actually saves a lot of people's bacon this way, even though, you know, being a permissions area, it's, like I said, really, really, really boring.

I've given you a few slides real quick. Each of the setuid programs that we turned off in the first version of Bastille are here. There's a star next to them if they've been vulnerable. Okay, so you can just kind of see. It's two on this slide. Well, it's mount and umount, dump and restore. Those were all vulnerable. Out of those... traceroute? Yeah, traceroute had a vulnerability, you're right. I should update that slide; traceroute had a vulnerability. Okay, out of these we know that lpr, I think the entire lp suite, but at least one of the programs in the lp suite, had a vulnerability. The r-tools had a vulnerability that was through some library they link to, okay.

Other stuff that Bastille does. We do a bunch of stuff we call account security: anything to protect a user's account from being stolen. We do things like turn things off. We're going to limit who can use cron; they can't go and run cron jobs, necessarily. We go and set up password aging, so that if the user goes on vacation for six months, well, at the end of that six months, maybe their password expires, and somebody else can't steal it, can't use their account while they're away. The problem with accounts is, when they get stolen when people aren't away, they don't notice, and they never tell us. Other stuff: we make sure that rsh and rlogin really don't work, because they really stink. Just general stuff. Boot security. I have a paper on my website.
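What follows is an added example and not part of the talk or of Bastille's own code: a small POSIX shell audit in the spirit of the file-permissions audit (the writable crontab directory described above) and the setuid audit (the pmconfig and dump/restore stories). It finds group- or world-writable entries under a directory, lists setuid/setgid files that are not on an allowlist, and shows the remediation that was applied in the pmconfig story (stripping the bit). The directory tree, the allowlist and every path in it are constructed for the demo; nothing here touches the real system.

```shell
#!/bin/sh
# Added example, not Bastille's own code. Parses "ls -ld" output rather than relying
# on GNU-only find options, so it runs under plain POSIX sh.
umask 022

# perm_string PATH: the ten-character mode field of "ls -ld", e.g. "-rwsr-xr-x".
perm_string() { ls -ld "$1" | cut -c1-10; }

# find_loose_perms DIR
# Print "<mode> <path>" for every entry under DIR that is group- or world-writable.
# A crontab spool with such permissions is the weakness the talk describes: anyone
# who can write there can schedule commands as the crontab's owner.
find_loose_perms() {
    find "$1" -print | while IFS= read -r p; do
        m=$(perm_string "$p")
        case "$m" in
            ?????w????|????????w?) printf '%s %s\n' "$m" "$p" ;;   # group-w is column 6, other-w is column 9
        esac
    done
}

# find_privileged DIR: every regular file under DIR with the setuid (4000) or setgid (2000) bit.
find_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# audit_suid DIR ALLOWLIST
# Print privileged files under DIR that are not listed (one full path per line) in ALLOWLIST.
# Each one printed is a program ordinary users can run with someone else's privilege,
# which is the question the setuid audit asks: does anyone but the admin need this?
audit_suid() {
    find_privileged "$1" | while IFS= read -r f; do
        grep -qxF -- "$f" "$2" || printf '%s\n' "$f"
    done
}

# Remediation: drop the privilege bit, or close a spool directory to everyone but its owner.
strip_privilege() { chmod u-s,g-s "$@"; }
tighten_spool() {
    chmod 700 "$1"
    find "$1" -type f -exec chmod 600 {} \;
}

# build_sample_tree: a constructed tree carrying both weaknesses; prints its path.
# The files are empty stand-ins owned by the current user; only the mode bits matter here.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/usr/sbin" "$t/var/spool/cron"
    for p in bin/passwd bin/mount usr/sbin/pmconfig usr/sbin/dump; do
        : > "$t/$p"
        chmod 4755 "$t/$p"                     # setuid, like the programs on the slide
    done
    : > "$t/var/spool/cron/root"
    chmod 777 "$t/var/spool/cron"              # world-writable spool directory
    chmod 666 "$t/var/spool/cron/root"         # world-writable crontab for root
    printf '%s\n' "$t/bin/passwd" "$t/bin/mount" > "$t/allowlist"   # the two we decide to keep
    printf '%s\n' "$t"
}

# Demo run: audit, remediate, audit again.
T=$(build_sample_tree)
echo "group/world-writable entries under var:"; find_loose_perms "$T/var"
echo "privileged files not on the allowlist:";  audit_suid "$T" "$T/allowlist"
tighten_spool "$T/var/spool/cron"
strip_privilege "$T/usr/sbin/pmconfig" "$T/usr/sbin/dump"
echo "after remediation (expect nothing):";    find_loose_perms "$T/var"; audit_suid "$T" "$T/allowlist"
rm -rf "$T"
```

Run against a real root directory the two finders would be pointed at `/` with the allowlist holding the handful of setuid binaries the site has decided to keep; the point of keeping an allowlist file under version control is that the next audit only reports what changed.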
I have a paper on my website that tells you all the different ways you can root a Red Hat box if you have access to the keyboard. There's a sizable number of them, so Bastille can protect against some of them. We can protect against, you know, all of the five-minute roots and one-minute roots, like where you reboot a system, you type "linux single," and it boots in single-user mode, and here's your shell. And if you block that... okay, we block that, but if you can type at that prompt at all, you type "linux init=/bin/bash," and instead of running the normal init program, it runs a shell as root and hands it right to you. Either of those gives you instant root on a Red Hat system. It's been there for years; they're not changing it. So Bastille will fix that for you. This is really, really great when you're hanging out at the conference and you put your laptop down for three minutes. Okay.

What else? We lock down inetd or xinetd, turn off things like telnet and FTP. Telnet and FTP, you're bad. They're really bad; please don't use them, please try to get away from them. SSH is good; use SSH. Okay, anything that telnet and FTP do, SSH mostly does, except for anonymous file transfer, and you can do that with a web server. So don't use telnet and don't use FTP.
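An added example, not part of the talk and not Bastille's code, for the two fixes just mentioned: checking that the boot loader and single-user mode require a password, and that inetd is no longer offering the cleartext services. It writes weak and hardened versions of lilo.conf, inittab and inetd.conf into a temporary directory (the line syntax is the standard Red Hat-era one, but the specific entries, the placeholder password and the file names are constructed) and runs the checks against them. Assumptions: a LILO-booted system with `password=` plus `restricted` (so the password is demanded only when someone types boot parameters such as `single` or `init=/bin/bash`), and a `sulogin` entry for the single-user runlevel in inittab.

```shell
#!/bin/sh
# Added example, not Bastille's own code. All sample files are constructed below.
umask 022

# check_lilo_conf FILE
# A lilo.conf without "password=" and "restricted" lets anyone at the keyboard pass
# parameters to the kernel; and once it holds a password it must not be world-readable.
# Prints each finding; returns 1 if anything is missing.
check_lilo_conf() {
    rc=0
    grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1" || { echo "$1: no password= line"; rc=1; }
    grep -Eq '^[[:space:]]*restricted([[:space:]]|$)' "$1" || { echo "$1: no restricted line"; rc=1; }
    case "$(ls -l "$1" | cut -c8-10)" in       # the "other" permission characters
        ---) ;;
        *) echo "$1: readable by others (mode 600 expected when it holds a password)"; rc=1 ;;
    esac
    return $rc
}

# check_inittab FILE
# Single-user mode should run sulogin (which asks for the root password) instead of
# dropping straight to a root shell. Returns 1 if the entry is absent.
check_inittab() {
    grep -Eq '^~~:S:wait:/sbin/sulogin' "$1" \
        || { echo "$1: single-user mode does not run sulogin"; return 1; }
}

# enabled_cleartext_services FILE
# Print the inetd.conf entries still active (not commented out) for telnet, ftp and the
# r-services. Prints nothing when they are all disabled.
enabled_cleartext_services() {
    grep -E '^[[:space:]]*(telnet|ftp|shell|login|exec)[[:space:]]' "$1" || :
}

# make_samples: weak and hardened versions of each file in a temp dir; prints the dir.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/lilo.weak" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
        label=linux
        root=/dev/hda1
EOF
    cat > "$d/lilo.hardened" <<'EOF'
boot=/dev/hda
prompt
timeout=50
password=CHANGEME-PLACEHOLDER
restricted
image=/boot/vmlinuz
        label=linux
        root=/dev/hda1
EOF
    chmod 600 "$d/lilo.hardened"
    printf 'id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n' > "$d/inittab.weak"
    printf 'id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n~~:S:wait:/sbin/sulogin\n' > "$d/inittab.hardened"
    printf 'ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\ntelnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' > "$d/inetd.weak"
    printf '#ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' > "$d/inetd.hardened"
    printf '%s\n' "$d"
}

# Demo run over the constructed files.
D=$(make_samples)
check_lilo_conf "$D/lilo.weak";   check_lilo_conf "$D/lilo.hardened" && echo "lilo.hardened: ok"
check_inittab "$D/inittab.weak";  check_inittab "$D/inittab.hardened" && echo "inittab.hardened: ok"
echo "still enabled in inetd.weak:"; enabled_cleartext_services "$D/inetd.weak"
echo "still enabled in inetd.hardened (expect nothing):"; enabled_cleartext_services "$D/inetd.hardened"
rm -rf "$D"
```

After editing a real lilo.conf the loader has to be re-run (`/sbin/lilo`) for the password to take effect, and the change has to be re-checked after every kernel package update, which is exactly why a check like this belongs in a periodic audit rather than being done once.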
Please, please, please. Okay.

One of the things you'll notice as we go through here is we're turning all kinds of things off left and right. Okay, if you look into my papers on hardening, one of the things they all do is they say, okay, we're gonna turn off this functionality. The idea is the less you have going... if you've got a system with one or two purposes and you can make it only serve those two purposes, well, it's really great, because if there's functionality that ends up having a security vulnerability in it, you don't get hit, because you didn't have that functionality turned on, or you had some kind of restricted access on it. And that goes a long way. So this is just applied minimalism: go small, less stuff.

Okay, we do some stuff with PAM on Linux systems; we're gonna be doing stuff with PAM on Solaris systems. The file size limit you see there is something that we're currently debating, because people are starting to transfer DVDs to their hard drive, and they get really upset when we say, oh God, you can't be making a file that big, you must be trying to starve the hard disk, and it's like, no, no, my hard disk is 140 gigs, not gonna happen. Yeah? I'm sorry? Is the purpose of the file size limit to keep people from compiling exploits? No, actually the purpose of the file size limit is for DoS attacks. There are a few things that, if you go and take an old version of Unix, there are a few things you can do. You write a simple program which, you know... almost all the time, when a program wants to run another one, it goes forking and exec'ing. Okay, forking means it splits itself into two identical pieces, and then one of the pieces runs some other program and the other one continues going on. Well, you can do this fork: we've already split into two pieces.
You can have each of those fork and split into two more; now we're at four. Fork again; okay, now we're at eight, or we're at 16 or eight. Okay, then they all split and it's at 16, and they all split again and it's 32. Well, if all this forking continues on, you end up with tons and tons of processes, and the system goes to start a program and it says, oh, I can't start the program, I have this table of all the processes on the system and it's full. So the next web connection that comes in won't work, because your web server goes to start another web server and can't do it, or the next user who logs in won't be able to get a shell, because, well, that's another process, and you've already exhausted the limit. The file size issue is the same thing: if we say people aren't allowed to write files bigger than 10 megabytes, or bigger than a hundred megabytes, or say a gig, then we can stop one of the other attacks, which is to drain the entire system of all its hard disk space, leaving everything broken.

Any other questions? Y'all having fun, or should I go faster, slower? Yeah, question. The question is about the stuff that's basically specific to versions of operating systems. We work on a whole bunch of operating systems, so we're covering Red Hat 6.0 through 7.3, and some of the stuff that's specific to one of those won't get asked on the ones it's not specific to. Okay, like I said, one of the issues is we're trying to make it so that if you don't have telnet enabled, we won't ask you about turning it off, unless you're trying to run us in policy creation mode. Okay? Yeah, so logging: we put in lots of extra logging. Yeah, in the back. List all the ones we're porting to now or we're on right now: Red Hat 6.0, Red Hat 6.1, Red Hat 6.2, Red Hat 7.0 (is there a 7.0?), 7.0, 7.1, 7.2; Mandrake 6.0, 6.1, 6.2, 6.3.
I think there was a 6.3; 7.0, 7.1, 7.2, 8.0, 8.1, 8.2, I think there might be an 8.3, and if there is, we're on it; W and current; SuSE, whichever the slide says, I think 7.2; Turbo 7.3; HP-UX 11.0, 11.11. That's what we're on. Okay, yeah.

The question was whether the configuration files mentioned earlier are universal to Red Hat, you know, universal among all the different Red Hats, etc. The issue is that what we've got right now is, if you answer all the questions... if we can get you to answer all the questions for, say, Red Hat, then you'd be covered across all of the Red Hats you're running. If you answer the questions for Red Hat 7.1 and you try to use that configuration on a Red Hat 7.2 system, they're similar enough that it'll work, and it'll tell you if it's not going to work, because we're checking for that. Yeah. Upgrade path? Oh, darn it. You know, there's this dirty little secret in the Unix world: most of the RPM-based operating systems don't exactly upgrade easily. I mean, you can do it, but stuff starts breaking. This is not what the vendors say, but what I tend to say is, if you want to upgrade... can everyone hear me? Okay. What I try to say with upgrading is, whenever I upgrade my systems, what I do is I'm partitioned, so I've got a home partition and I've got other partitions, or maybe just one other partition for everything else. Okay, so if I'm gonna upgrade, I actually just do a fresh reinstall on the normal partitions and I leave my home directory alone, so I still keep all my data. This is one way to do it. It's what we do on the major OSes. I don't know if anybody's tried going from, like, Solaris 2.6 to Solaris 8, but I think there might be an upgrade feature; I'm not sure how well that works.
That's four years apart. I'm not sure the vendors are really that great at upgrading. So, with that said, we have something to let you... one of the options is you can undo Bastille and, you know, do your upgrade and redo Bastille; another is you can do the upgrade and rerun Bastille, and it'll use your old configuration file. But really, OS upgrades are just really hard to do. I mean, I don't really think most of the vendors get it right, so stuff just breaks.

Okay, I have a list of stuff we turn off if it's had a vulnerability lately. I think Samba should probably be in that list. Um, GPM, the news server, maybe one of the routing daemons, has had a vulnerability. What I'm trying to do with these stars is show you how much of this stuff has had a vulnerability in the last three years. Okay? If you're running a three-year-old operating system, you're probably nailed. Okay, if you're running a one-year-old operating system, some of these you got hit by. I mean, there are tons of vulnerabilities. That's why we patch, which I think is the number one most boring area of computer security, but that's why we patch, and it's why I try to get people to harden their systems. Okay, especially because there are lots of vulnerabilities we never hear about, or maybe some of you do, but I don't hear about them until they get made public, maybe a year later. In the meantime, there's no patch, because nobody knows there's a problem.
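The forking and file-size explanation a little earlier is exactly what the PAM limits Bastille sets are about. Here is an added example, not from the talk and not Bastille's own code, that shows the mechanism directly: a child process is put under a hard RLIMIT_FSIZE and tries to write past it, and the parent reports what the child saw and how big the file on disk ended up. The byte counts, the limits_conf_lines helper and the values in it are assumptions for illustration; the code assumes Linux or another Unix where os.fork and RLIMIT_FSIZE are available.

```python
import errno
import os
import resource
import signal
import tempfile


def write_under_fsize_limit(nbytes, limit_bytes):
    """Fork a child, put a hard RLIMIT_FSIZE on it and have it write nbytes to
    a fresh temporary file. Returns (bytes_written, errno_seen, size_on_disk):
    errno_seen is 0 when the write completed and errno.EFBIG when the limit
    refused to let the file grow any further."""
    fd, path = tempfile.mkstemp(prefix="fsize-demo-")
    os.close(fd)
    rpipe, wpipe = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: the process that lives under the limit.
        os.close(rpipe)
        written, err = 0, 0
        try:
            # The kernel's default reaction to crossing RLIMIT_FSIZE is to
            # deliver SIGXFSZ, which kills the process. Ignoring the signal
            # turns that into a plain EFBIG error from write(), which is what
            # a daemon would log instead of silently dying.
            signal.signal(signal.SIGXFSZ, signal.SIG_IGN)
            resource.setrlimit(resource.RLIMIT_FSIZE, (limit_bytes, limit_bytes))
            payload = b"A" * nbytes
            out = os.open(path, os.O_WRONLY | os.O_TRUNC)
            try:
                while written < nbytes:
                    n = os.write(out, payload[written:])
                    if n == 0:
                        break
                    written += n
            except OSError as e:
                err = e.errno
            finally:
                os.close(out)
        finally:
            os.write(wpipe, ("%d %d" % (written, err)).encode())
            os._exit(0)
    # Parent: collect what the child saw and inspect the file it left behind.
    os.close(wpipe)
    os.waitpid(pid, 0)
    with os.fdopen(rpipe, "rb") as r:
        fields = r.read().decode().split()
    size = os.path.getsize(path)
    os.unlink(path)
    return int(fields[0]), int(fields[1]), size


def limits_conf_lines(max_procs, max_file_kb):
    """pam_limits(8) lines that impose the same kind of caps at login for every
    user. The values are illustrative assumptions, not Bastille's defaults."""
    return [
        "*    hard    nproc    %d" % max_procs,    # caps the fork bomb's use of the process table
        "*    hard    fsize    %d" % max_file_kb,  # caps file size, in kilobytes
    ]


if __name__ == "__main__":
    print(write_under_fsize_limit(8192, 4096))  # the limit bites
    print(write_under_fsize_limit(2048, 4096))  # fits under the limit
    print("\n".join(limits_conf_lines(150, 40000)))
    print("EFBIG is errno", errno.EFBIG)
```

On Linux the first write is cut short at the limit and the next one fails with EFBIG; on the BSDs the write that would cross the limit is refused outright, so the file stays empty. Either way the disk-filling write stops at the cap rather than at a full disk, which is the denial of service the talk describes. RLIMIT_NPROC is the matching cap for the fork bomb; it is listed in the limits.conf lines but not exercised here, because root is exempt from it on Linux and the demonstration would not be reliable.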
So we don't patch it. Okay, hardening, old hardening, has some chance of actually blocking the exploit anyway, even while you're still vulnerable. Does that make sense? So that's, I guess, the biggest argument for hardening: there are lots of vulnerabilities you may or may not know about, and you may, heck, you may be lazy about patches like 80% of us, and so you may be vulnerable to a bunch of exploits, or at least to one major exploit at a given time, and it would really rock to have a hardening script, or to have hardened the system personally, so that that stuff doesn't work. Okay.

Some of the stuff we do. I'm gonna go through the rest of the hardening steps. Sendmail: we try to set it so sendmail doesn't listen on the network, because if you're just sending mail off the box, you don't need sendmail listening on the network, so we can turn that off. We remove those recon commands that spammers can use, EXPN and VRFY, to find accounts on a box. Yeah, in the back. You a qmail guy? Anybody in here write qmail? Okay, two? Wow, that's great. Okay, why don't we replace sendmail with something decent like qmail or Postfix? Yeah, it's a really good idea, actually. We try not to install software right now.
We try to just harden what's there. Postfix is making it onto a lot of them, onto Red Hat, Mandrake, which is kind of nice. I'd love to see it if qmail was also added to the base distributions. We haven't tried configuring those, because we're trying not to install software, because you wouldn't believe how amazingly hard it is to help people install software and to do it in a secure way. The people who really, really know their stuff say your particular method of installing software isn't good, you know, because maybe you're not getting vendor keys, maybe you're not able to check with PGP on old operating systems. I mean, I'm able to check with PGP on all the old non-Linuxes. Okay, the people who are really new to this get upset, because if we tell them how to install software, often they don't get it right. They get really upset and they send us email, or they just get rid of Bastille, and we haven't helped them in the slightest bit, because they got all upset that they couldn't get a package installed. But no, I think you're right. We should at least be putting a screen in that says, hey, run qmail or Postfix, because sendmail's had a history and these guys really haven't. Good enough for the alternative MTA zealots? I am one, so yeah. Okay, we're gonna table questions to the end of the presentation. Anybody hate that idea? Okay, so we're tabling. Cool.

Okay, other stuff we do with sendmail: we're gonna run it as a non-root user via inetd or xinetd. If you do a bunch of permissions changing you can actually do this, so if sendmail does get hit, it wasn't running as root, it was running as mail, so somebody can actually go in and, you know, read everybody's and change everybody's email, but they don't have root on the system. This is a darn useful thing, so we're gonna start doing it. Um, it turns out there's a Postfix slide, but no qmail slide.
So I always try to recommend the other MTAs. Postfix is a nice, easy one, because it's getting installed on a lot of operating systems by default. Postfix and qmail people will probably be holding a small fight outside after this talk, or maybe we'll just all go out for beers. So, you know, but yeah, think about going, on all your systems, to Postfix or qmail. I think there are books on each of these now; there are more and more people who are trained on them. It would definitely be great to be on an MTA, a mail transfer agent, that actually was written with security in mind from the start, instead of with, you know, the idea that we have to make 50 different kinds of mailing systems all work together. Okay.

DNS, BIND. Historical note: we secured BIND before there were a bunch of remote root exploits, before the worms came out that went around exploiting BIND. This is not a brag. This is a "hey, this is a really good idea": harden it before you find out that it's vulnerable, so when you do find out that it's vulnerable, hopefully you haven't already been hit. Okay. Things we do to BIND: one is we chroot it into a little directory that, if somebody breaks into BIND, they can't get out of, which means they can't really do much on the system. Another thing we do is run it as an independent user. This is just about containing; if someone does exploit it, we're trying to stop them from getting anywhere. This is some other stuff we do: we make it so that if you've got a BIND server that's just for, say, your company's network or your home network, other people outside of that network can't go and query it, ask it questions, and that's possibly passive attacks. All they can do is ask your DNS server possibly about your zones.
This is a really useful step. This is the stuff from whenever I do an "Attacking and Securing DNS" talk; these are the steps that end up in there. Do things like: zone transfers are only supposed to be used by secondaries, but zone transfers are what people like, you know, like me, who are doing pen testing, love, because you go and you ask some huge domain, hey, just give me everything, so I can read through it all to my heart's content and figure out everything I can about your site. Well, you know, we should definitely shut this functionality off, so we do. We also do things like choose a random version string. So if you've got a worm out there that's running around, and it checks and it says, all right, you've got BIND, I'm looking for a BIND 8.2.1 server. So you're running an 8.2.1 server, but your BIND server answers back, I'm BIND 8.2.2. They say, oh, I can't exploit this one, and they go attack... a lot of the worms, this is the way they work: they check version strings. Change your version string, you don't get hit. Doesn't mean that we've actually saved you from being vulnerable; you're still vulnerable. You just get attacked less often, and less often means, unless you're somewhere here, which is an extremely hostile network, that you might never get attacked by one of these worms.
You might never get attacked by one of these script kiddies. Another thing is views. Views are really cool; most people don't know about them. Views do what split-brain or split-horizon DNS did: they give people who are on the inside of your internal network the whole list, everything that's in your DNS files, okay, and they give people on the outside just the machines that they need to know about, just your externally accessible machines, like your web server, your mail server, your DNS server, your FTP server, but they don't tell about, like, where all the printers are, so no one ends up using your printers for bounce attacks. More on that some other time. Okay.

Apache. We try to turn it off. We try to bind it to the local interface, the idea being that if you're just using your web server as a development platform and nothing else, then maybe you don't need it to listen to the network. We turn off different functionality in Apache, like, you know, following symbolic links; we turn off things like server-side includes, CGI scripts. Most all of the ways that people nail web servers actually isn't through the web server itself, it's through CGI scripts or whatever is on the box, and if we can, like, disable them, then they'll get used. The last thing is we're going to try to remove as much of the weird functionality most people don't know about from Apache, because often, you know, there's a lot of stuff that we all have on our web servers that we don't even know about, just weird modules that the vendor thought would be really useful to us, and they're probably useful to us, but if they aren't, we'll turn them off for you.

FTP. FTP stinks. FTP really stinks. I told you about usernames and passwords being stolen. FTP servers always get rooted, all the time. Why else is FTP bad? There are nice tools out there...
...that let you steal people's files while they're in transit. I recommend trying to replace it with SFTP. It's part of the SSH suite. There are free clients for Windows and Mac and Unix, and web servers. I'm losing tons of people off the side; am I really boring y'all? I'm boring? Okay. FTP: one of the things we do now is, will you turn off normal authenticated access? So we'll turn off anonymous mode. This is all the stuff that I came up with to add to that, because I had to write a paper and do a talk for this conference, and in the process ended up making a nice long list. Okay, anybody who wants to can download that talk and find out why we're doing all this stuff, but basically all this stuff is removing functionality from the FTP daemon that you may not be using. Okay.

Well, so let me check on time, where we are. We're actually doing fine on time. Are there any questions? Does anybody want me to go into detail on this slide? I thought we'd be out of time by now. Yeah. The question was, Wietse Venema had a secure port mapper called rpcbind for Solaris. Do we use anything like that? Actually, I think on the Linux vendors we're going to have to install that, I think, or we're gonna have to try to at least recommend it on the Solaris systems when we're supporting those. On Red Hat systems it's already there; they're already using a port mapper that allows access control. Yeah, actually, the question I was just asked was: you said you're gonna be incorporating all the stuff you did in your FTP talk into Bastille; what about the stuff that you're not gonna do? We actually have a nice feature called the to-do list, which says this is all the stuff that we didn't feel confident doing on our own, like maybe installing qmail, guys. These are things you should do, and it'll tell you what to do and maybe it'll tell you how. Any other questions?
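The BIND steps described above (chroot, a separate user, restricting who may query, restricting zone transfers to secondaries, a decoy version string, views) can be checked mechanically before a box goes out. Here is an added example, not from the talk and not Bastille's own code, that audits a named.conf for the options-level settings and the named command line for the -u (user) and -t (chroot) flags. The two configs are constructed samples; the 192.0.2.0/24 network, the host addresses and the zone and file names in them are placeholders, and the finding texts are my own wording.

```python
import re

# Constructed sample configs (not from the talk or from Bastille) used below.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
};

zone "example.test" {
    type master;
    file "example.test.zone";
};
"""

HARDENED_NAMED_CONF = """
options {
    directory "/var/named";
    version "BIND 8.2.2";                       // decoy string, not the real version
    allow-query { 192.0.2.0/24; 127.0.0.1; };   # only our own network may ask
    allow-transfer { 192.0.2.53; };             // only the secondary gets AXFR
};

view "internal" {
    match-clients { 192.0.2.0/24; };
    zone "example.test" { type master; file "internal.zone"; };
};

view "external" {
    match-clients { any; };
    zone "example.test" { type master; file "external.zone"; };
};
"""


def strip_comments(text):
    """Remove the C-style, C++-style and shell-style comments named.conf allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_block(text, name):
    """Body of the first `name { ... };` block, found by matching braces, or None."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if m is None:
        return None
    depth = 0
    for i in range(m.end() - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return None


def option_value(block, key):
    """Text of `key <value>;` inside a block (up to the first ';'), or None if absent."""
    m = re.search(r"(?<![\w-])%s\s+([^;]+);" % re.escape(key), block)
    return m.group(1).strip() if m else None


def audit_named_conf(text):
    """One finding per hardening step from the talk that the options block is missing."""
    findings = []
    text = strip_comments(text)
    opts = top_level_block(text, "options") or ""
    if option_value(opts, "version") is None:
        findings.append("version: the real BIND version is advertised; set a decoy version string")
    aq = option_value(opts, "allow-query")
    if aq is None or re.search(r"\bany\b", aq):
        findings.append("allow-query: anyone may query this server; restrict it to your own networks")
    axfr = option_value(opts, "allow-transfer")
    if axfr is None or re.search(r"\bany\b", axfr):
        findings.append("allow-transfer: zone transfers are open; restrict them to your secondaries")
    if not re.search(r'\bview\s+"?[\w.-]+"?\s*\{', text):
        findings.append("views: no internal/external split; outsiders see every internal name")
    return findings


def audit_named_cmdline(argv):
    """Check the named command line for the unprivileged-user and chroot flags."""
    findings = []
    if "-u" not in argv:
        findings.append("-u: named runs as root; give it its own unprivileged user")
    if "-t" not in argv:
        findings.append("-t: named is not chrooted; confine it to its own directory")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(label, audit_named_conf(conf) or ["no findings"])
    print(audit_named_cmdline(["named"]))
    print(audit_named_cmdline(["named", "-u", "named", "-t", "/var/named/chroot"]))
```

The checks are deliberately simple: a setting counts as present when it exists and does not name "any", and the decoy version is only checked for presence, since the auditor cannot know which string is real. A production named.conf may also put allow-query and allow-transfer inside individual view or zone blocks, which this options-only pass does not follow; that is where to extend it.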
Oh, stop leaving, guys, I can't be that boring. Yeah. He was talking about putting Apache in a chroot area. That's a really good idea; I think I may try to do that. We haven't gotten to it yet. Any other questions? Yeah, Mac OS X, okay. If anybody has deep pockets in here, the first person to buy me or lend me an OS X capable machine gets a full port of Bastille to OS X. I don't have a machine; I don't have one that'll do it. So, you know, the other possibility is if somebody who has one decides to help us port it, then we'll get one. So anybody who either has deep pockets, has a machine they wouldn't mind lending to somebody, or, heck, wants to help us port, send me an email. Send me an email, seriously; get on the discussion list. You want to help us port? I don't have a machine, so once we're done porting it's gonna be even slightly hard for me to certify it. Yeah, in the back. The question in the back is, is Titan... yeah. So Titan is an auditor; Titan audits and then tells you, says, hey, you want to harden this stuff. It's actually a really good program that came out way before us. They weren't ported to Linux when we came out, but now they are; they're doing Linux and FreeBSD and Solaris. Yeah, I think we're talking about getting some of the auditing function in. The cool thing is the Center for Internet Security distributes an auditing program for Linux and Red Hat, I mean Linux and HP-UX and Solaris and AIX, and I actually write that thing, so there's some possibility that what we'll do is distribute both together somehow and have the one audit and the other one fix. So, yeah. The question is, what about adding accounts for different services so that they can all run as, instead of running as root, they can run as that account.
Oh yeah, or as nobody. We're trying to do that. That's actually the DNS thing: with the DNS thing we add a DNS user; we run the DNS server as that user. The idea is, for everyone who's thought of running everything as nobody, what you really want is not so much everything running as nobody but everything running as different users. So if anybody takes over one user, takes over the DNS server, they can't necessarily go and modify the web server's files, or they can't go and, you know, do stuff as the web server user. This can be really darn useful, so yeah, we do do that; we're gonna do it even more. Please do it yourselves. Yeah, any other questions? Okay, time's basically up, but yeah, I'll take another question. Sure. The question was, we talked about password-protecting LILO. Yeah, we do GRUB too. Yeah, and on Solaris we're gonna password-protect the EEPROM, so you can't, you know, take a CD and boot off the CD; you can't modify the boot process on Solaris. Yeah, boot security is really one of the hardest things to do, but we can at least take some basic steps against the one-minute roots and the five-minute roots that, you know, you get as soon as you sit down at the keyboard on one of these. Any other questions? Actually, I have one first, real quick: did y'all have fun at this talk? Y'all are kind of, you know, I've had people leaking out the side. That's cool. Okay, yeah, the question was contact info. Ah, I have at the bottom of that a website. Okay, at the bottom of that is a website; if you go to that website, that's my website. It should have my email address; if you follow it long enough to my business, you'll find my phone number. Don't call me at work just to harass me. I know, you know, I busted on script kiddies; they're in the audience. I'd really appreciate not getting phone calls. If you do call me, I'll just change my phone number.
So please don't, but then, on the other hand, if anybody wants to hire an independent consultant, hey, man, I'm there. So, but yeah, no, that website I'm giving you there has a bunch of articles that I write on security, and conference talks, where I'm allowed to publish them there. They'll be published on there; there'll be links to there. So one example is, if you're in this room and you're one of the many people who asked me about the FTP talk that I gave here, if you missed it, the slides are at that site; the updated slides are at that site. So, any other questions? I think we should let the next speaker get up here. So I'll be around; we can all hang out or whatever, or you can all go and catch the next talk.