SC-300 SECURITY TIPS

DNS:
Do not allow unrestricted zone transfers; a zone transfer hands an attacker a blueprint of your network.
Do not include internal hosts in your external DNS. Each host can be looked up individually, and together they give the attacker a picture of your private network. Hostnames such as "test" are of special interest, since they imply a machine set up with little concern for security.
Do not use HINFO records to advertise the hardware and operating system of your hosts.
Block TCP port 53 at the firewall for all but the slave servers. Zone transfers run over TCP, while ordinary queries use UDP; note that replies too large for UDP also fall back to TCP, so test before blocking.
Use IP addresses rather than hostnames for your servers in configuration files. Addresses change rarely, and this limits the damage if your DNS server is compromised.

NIS:
If possible, switch to NIS+. If not, move the NIS source files to a subdirectory rather than serving them straight from /etc. Remove the entry for root from the maps. Use a different root password on every computer. Edit /var/yp/securenets to restrict which networks may query ypserv, and choose a NIS domain name that cannot be guessed. Recompile ypserv with tcp_wrappers support.

SNMP:
If you are not using it, disable it. Do not use a guessable community name (in particular, not the default "public"). There is a buffer overflow vulnerability in snmpXdmid; see http://www.cert.org/advisories/CA-2001-05.html

INFORMATION SERVICES:
Disable anything in /etc/inetd.conf that you do not require, and anything you do not recognize or understand. In particular, disable finger, tftp and ident.

SENDMAIL:
Use the very latest version of sendmail, or consider qmail, which was designed with security as its first priority.
In /etc/mail/sendmail.cf, set the privacy options:
  O PrivacyOptions=novrfy,noexpn,needmailhelo,restrictmailq
(on sendmail versions before 8.7 the equivalent short form is Opnovrfy,noexpn,needmailhelo,restrictmailq).
Test for the old debug commands by connecting to port 25 with telnet. Send each of the following and make sure the server reports it as unrecognized:
  wiz
  debug
  kill
In /etc/mail/aliases, comment out the line
  decode: "|/usr/bin/uudecode"
Configure the mail server so that, when it is compromised, it is of little use for attacking the rest of your network.

POP3:
POP3 sends the password each time the client checks for mail, in cleartext, typically every few minutes. Use different passwords for mail than for login. If possible, use APOP instead, which authenticates with an MD5 challenge-response so the password itself is never sent.

SCRIPTS:
Whenever possible, arrange for scripts (especially cron jobs) to run as a user other than root.
Begin every script with a PATH statement listing only trusted directories.
Consider the effect of unusual filenames such as foo;`gotcha`. If a script builds a command line containing the filename and hands that string back to the shell (for example through eval), the shell splits it at the semicolon and evaluates the backticks, so gotcha runs, as root if the script does. Pass filenames as properly quoted arguments instead.

VI:
.exrc is an initialization file for vi, and vi will also read a .exrc from the current directory, so a nasty trap is a .exrc containing:
  ! (cp /bin/ksh /tmp/.secret; chmod 4755 /tmp/.secret) &
which installs a set-uid copy of the shell as soon as root edits a file in that directory. This can be avoided by setting the environment variable EXINIT="set noexrc" so that vi does not read .exrc files from the current directory.

ROUTING:
Use static routing and disable the dynamic routing protocols.

MISCELLANEOUS:
Create hard links to .sh_history files. Intruders delete these to cover their tracks, but a link elsewhere is unlikely to be noticed, and the data survives as long as one link remains. Note that a link does not help if the file is truncated rather than deleted, since both names refer to the same inode.

DEFENSIVE SOFTWARE:
Tdetect watches for packets arriving with TTL=1, since software such as traceroute 1.4a5 by Michael Schiffman permits specifying a port number so that it works through many firewalls.
ftp.deva.net/pub/sources/networking/ids/tdect-0.2.tar.gz
Network Flight Recorder is a commercial product that can detect ping sweeps.
BlackICE is a commercial product that detects TCP port scans. www.networkice.com

INTERESTING SECURITY SITES:
www.pgci.ca/fingerprinting.html  PCGI Inc. (security consultants)
www.securityfocus.com  BUGTRAQ mailing list
www.wwdsi.com/saint  SAINT (commercial SATAN)
www.utexas.edu/cc/unix/software/npasswd  npasswd, password quality checking
www.yak.net/skey  S/Key single-use passwords
www.2600.net/phrack/p49-14.html  buffer overflows (Phrack 49, "Smashing The Stack For Fun And Profit")
ftp://qiclab.scn.rain.com/pub/security/xinetd  xinetd, a replacement for inetd
www-genome.wi.mit.eud/WWW/faqs/www-security-faq.html  WWW security FAQ
www.primus.com/staff/paulp/cgi-security  CGI security
hoohoo.ncsa.uiuc.edu/cgi/security.html  NCSA CGI security
www.cs.purdue.edu/coast/hotlist.html#securi01  COAST security hotlist
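Back to the DNS tip on zone transfers: the script below is an added example, not part of the original notes, that asks every authoritative nameserver of a zone for a full transfer (AXFR) and reports which ones hand it out. It assumes the dig utility from BIND is installed and reachable via the fixed PATH; the zone name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original notes): test each NS of a zone for an
# open zone transfer. Requires BIND's dig. Zone name below is a placeholder.
PATH=/usr/bin:/bin:/usr/sbin:/sbin
export PATH

# Classify captured output of `dig ... AXFR`. A server that refuses makes dig
# print "; Transfer failed."; a server that answers returns the zone's records,
# starting with the SOA. Unreachable servers give dig's timeout messages.
axfr_verdict() {
    case "$1" in
        *"Transfer failed."*)                       echo refused ;;
        *"connection timed out"*|*"couldn't get address"*|*"no servers could be reached"*)
                                                    echo unreachable ;;
        *IN*SOA*)                                   echo OPEN ;;
        *)                                          echo unknown ;;
    esac
}

# Look up the NS records for the zone and try an AXFR against each server.
# Anything reported as OPEN will give out the whole zone to anyone who asks.
check_zone() {
    zone="$1"
    for ns in $(dig +short NS "$zone"); do
        out=$(dig @"$ns" "$zone" AXFR +time=5 +tries=1 2>&1)
        printf '%-40s %s\n' "$ns" "$(axfr_verdict "$out")"
    done
}

# Usage (zone is a placeholder):  check_zone example.com
```

Run it from outside your own network as well as inside: a server that correctly refuses the slaves' competitors may still answer the internet at large if the restriction is on the wrong interface or ACL.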
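For the SCRIPTS tip about the filename foo;`gotcha`, here is an added demonstration that is not from the original notes. It creates a file with exactly that name in a scratch directory and processes it twice: once the unsafe way, by interpolating the name into a command string that eval re-parses, and once the safe way, as a quoted argument. The gotcha payload is a hypothetical shell function that only drops a marker file so the script can tell whether it ran; the PATH line at the top follows the tip about starting every script with a trusted PATH.

```shell
#!/bin/sh
# Added example, not from the original notes: a filename containing shell
# metacharacters executes code when a script splices it into a command string
# and hands that string back to the shell. The "gotcha" payload is a hypothetical
# stand-in that only drops a marker file so we can tell whether it ran.
PATH=/usr/bin:/bin    # first line of every script: trusted directories only
export PATH

# Payload stand-in. In a real attack this could do anything, as root if the
# script runs as root.
gotcha() { : > "$MARKER"; }

# Scratch directory holding one file named exactly:  foo;`gotcha`
setup_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/"'foo;`gotcha`'
    echo "$dir"
}

# VULNERABLE: the filename is interpolated into a command line that eval
# re-parses. The ';' ends the wc command and the backticks run gotcha.
vulnerable_process() {
    for f in "$1"/*; do
        eval "wc -c $f" >/dev/null 2>&1
    done
}

# SAFE: the filename is passed as one quoted argument after "--" and is never
# re-parsed as shell syntax; wc simply reports the odd file's size.
safe_process() {
    for f in "$1"/*; do
        wc -c -- "$f" >/dev/null 2>&1
    done
}

# Run one processing function over a fresh scratch directory and report
# "ran" if the payload fired or "blocked" if it did not.
trial() {
    dir=$(setup_dir) || return 1
    MARKER="$dir/GOTCHA_RAN"
    "$1" "$dir"
    if [ -e "$MARKER" ]; then echo ran; else echo blocked; fi
    rm -rf "$dir"
}

echo "eval with unquoted filename: $(trial vulnerable_process)"   # ran
echo "quoted argument with --:     $(trial safe_process)"         # blocked
```

The same split happens with any route that re-parses a string as shell input: eval, sh -c, a cron job built from a here-document, or a C program calling system() with the name glued in. The fix is always the same: keep the filename as a single argument and never let it reach a shell parser.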
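For the MISCELLANEOUS tip on hard-linking .sh_history, an added example (not part of the original notes) showing what the link does and does not protect. It builds a throwaway home directory with a constructed three-line history and a hidden hard link, then simulates the two ways an intruder might wipe the file. The paths and history lines are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original notes: a hard link to a shell history
# file survives `rm` of the original but not truncation, because both names
# share one inode. All paths are scratch placeholders created by the script.
PATH=/usr/bin:/bin
export PATH

# Fake home directory with a constructed .sh_history and a hidden second link.
setup_history() {
    home=$(mktemp -d) || return 1
    mkdir "$home/.cache"
    printf '%s\n' 'ls -la /etc' 'cat /etc/shadow' 'rm .sh_history' > "$home/.sh_history"
    ln "$home/.sh_history" "$home/.cache/.h"      # second name for the same inode
    echo "$home"
}

# History lines still readable through the hidden link after the intruder
# deletes the visible file: the inode lives on while any link remains.
lines_after_rm() {
    home=$(setup_history) || return 1
    rm -f "$home/.sh_history"                        # intruder "covers tracks"
    wc -l < "$home/.cache/.h" | tr -d ' '
    rm -rf "$home"
}

# The same after truncation (`> .sh_history`): the shared inode is emptied,
# so the link is empty too. Links defend against deletion only.
lines_after_truncate() {
    home=$(setup_history) || return 1
    : > "$home/.sh_history"
    wc -l < "$home/.cache/.h" | tr -d ' '
    rm -rf "$home"
}

echo "after rm:       $(lines_after_rm)"        # 3
echo "after truncate: $(lines_after_truncate)"  # 0
```

The link must live on the same filesystem as the history file (hard links cannot cross filesystems), and an intruder who notices a link count of 2 in ls -l can find the other name. Treat the link as a cheap trip-wire, not as a log that cannot be tampered with; a copy of the history shipped off the host is the real defence.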