|
|
|
|
.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .F.1. BASIC SECURITY PROTECTION ------------------------------- .F.1.1. INTRODUCTION -------------------- You can not make your system totally secured against denial of service attacks but for attacks from the outside you can do a lot. I put this work list together and hope that it can be of some use. .F.1.2. SECURITY PATCHES ------------------------ Always install the proper security patches. As for patch numbers I don't want to put them out, but that doesn't matter because you anyway want to check that you have all security patches installed, so get a list and check! Also note that patches change over time and that a solution suggested in security bulletins (i.e. CERT) often is somewhat temporary. .F.1.3. PORT SCANNING --------------------- Check which services you have. Don't check with the manual or some configuration file, instead scan the ports with sprobe or some other port scanner. Actual you should do this regualy to see that anyone don't have installed a service that you don't want on the system (could for example be service used for a pirate site). Disable every service that you don't need, could for example be rexd, fingerd, systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen, tftp, exec, ufs, daytime, time... Any combination of echo, time, daytime and chargen is possible to get to loop. There is however no need to turn discard off. The discard service will just read a packet and discard it, so if you turn off it you will get more sensitive to denial of service and not the opposite. Actual can services be found on many systems that can be used for denial of service and brute force hacking without any logging. For example Stock rexec never logs anything. Most popd:s also don't log anything .F.1.4. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER --------------------------------------------------------- Check that attacks described in this paper and look at the solution. Some attacks you should perform yourself to see if they apply to your system, for example: - Freezing up X-Windows. - Malicious use of telnet. - How to disable services. - SunOS kernel panic. - Attacking with lynx clients. - Crashing systems with ping from Windows 95 machines. That is stress test your system with several services and look at the effect. Note that Solaris 2.4 and later have a limit on the number of ICMP error messages (1 per 500 ms I think) that can cause problems then you test your system for some of the holes described in this paper. But you can easy solve this problem by executing this line: $ /usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 0 .F.1.5. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER -------------------------------------------------------- Check the inside attacks, although it is always possibly to crash the system from the inside you don't want it to be to easy. Also have several of the attacks applications besides denial of service, for example: - Crashing the X-Server: If stickybit is not set in /tmp a number of attacks to gain access can be performed. - Using resolv_host_conf: Could be used to expose confidential data like /etc/shadow. - Core dumped under wuftpd: Could be used to extract password-strings. If I don't have put out a solution I might have recommended son other paper. If not I don't know of a paper with a solution I feel that I can recommend. You should in these causes check with your company. .F.1.6. EXTRA SECURITY SYSTEMS ------------------------------ Also think about if you should install some extra security systems. The basic that you always should install is a logdaemon and a wrapper. A firewall could also be very good, but expensive. Free tools that can be found on the Internet is for example: TYPE: NAME: URL: LOGDAEMON NETLOG ftp://net.tamu.edu/pub/security/TAMU WRAPPER TCP WRAPPERS ftp://cert.org/pub/tools/tcp_wrappers FIREWALL TIS ftp://ftp.tis.com/pub/firewalls/toolkit Note that you should be very careful if building your own firewall with TIS or you might open up new and very bad security holes, but it is a very good security packer if you have some basic knowledge. It is also very good to replace services that you need, for example telnet, rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can be found at URL: ftp://ftp.cs.hut.fi/pub/ssh The addresses I have put out are the central sites for distributing and I don't think that you should use any other except for CERT. For a long list on free general security tools I recommend: "FAQ: Computer Security Frequently Asked Questions". .F.1.7. MONITORING SECURITY --------------------------- Also monitor security regular, for example through examining system log files, history files... Even in a system without any extra security systems could several tools be found for monitoring, for example: - uptime - showmount - ps - netstat - finger (see the man text for more information). .F.1.8. KEEPING UP TO DATE -------------------------- It is very important to keep up to date with security problems. Also understand that then, for example CERT, warns for something it has often been dark-side public for sometime, so don't wait. The following resources that helps you keeping up to date can for example be found on the Internet: - CERT mailing list. Send an e-mail to cert@cert.org to be placed on the list. - Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net. - WWW-security mailing list. Send an e-mail to www-security@ns2.rutgers.edu. .F.1.9. READ SOMETHING BIGGER AND BETTER ---------------------------------------- Let's start with papers on the Internet. I am sorry to say that it is not very many good free papers that can be found, but here is a small collection and I am sorry if have have over looked a paper. (1) The Rainbow books is a long series of free books on computer security. US citizens can get the books from: INFOSEC AWARENESS OFFICE National Computer Security Center 9800 Savage Road Fort George G. Meader, MD 20755-600 We other just have to read the papers on the World Wide Web. Every paper can not however be found on the Internet. (2) "Improving the security of your Unix system" by Curry is also very nice if you need the very basic things. If you don't now anything about computer security you can't find a better start. (3) "The WWW security FAQ" by Stein is although it deal with W3-security the very best better on the Internet about computer security. (4) CERT have aklso published several good papers, for example: - Anonymous FTP Abuses. - Email Bombing and Spamming. - Spoofed/Forged Email. - Protecting yourself from password file attacks. I think however that the last paper have overlooked several things. (5) For a long list on papers I can recommend: "FAQ: Computer Security Frequently Asked Questions". (6) Also see section ".G. SUGGESTED READING" You should also get some big good commercial book, but I don't want to recommend any. .F.2. MONITORING PERFORMANCE ---------------------------- .F.2.1. INTRODUCTION -------------------- There is several commands and services that can be used for monitoring performance. And at least two good free programs can be found on Internet. .F.2.2. COMMANDS AND SERVICES ----------------------------- For more information read the man text. netstat Show network status. nfsstat Show NFS statistics. sar System activity reporter. vmstat Report virtual memory statistics. timex Time a command, report process data and system activity. time Time a simple command. truss Trace system calls and signals. uptime Show how long the system has been up. Note that if a public netstat server can be found you might be able to use netstat from the outside. netstat can also give information like tcp sequence numbers and much more. .F.2.3. PROGRAMS ---------------- Proctool: Proctool is a freely available tool for Solaris that monitors and controls processes. ftp://opcom.sun.ca/pub/binaries/ Top: Top might be a more simple program than Proctool, but is good enough. .F.2.4. ACCOUNTING ------------------ To monitor performance you have to collect information over a long period of time. All Unix systems have some sort of accounting logs to identify how much CPU time, memory each program uses. You should check your manual to see how to set this up. You could also invent your own account system by using crontab and a script with the commands you want to run. Let crontab run the script every day and compare the information once a week. You could for example let the script run the following commands: - netstat - iostat -D - vmstat [UP] |
|
|
|
