SSH stands for Secure Shell. SSH was originally a replacement for the Berkeley r* commands such as rsh, rlogin or rcp, which are considered far from secure. To protect the transmission, SSH uses an encrypted tunnel between the two machines. SSH quickly exceeded all expectations and became an interesting replacement for telnet or ftp where regular users with an account on the machine need them, by offering them a well-protected and well-supported method of remote access. OpenSSH in particular is a free re-implementation of the SSH protocol and provides a client and a server for many Unix platforms. It is the one we will now use for the SSH configuration.
First of all we edit the configuration file of the sshd daemon.
($:~)=> ee /etc/ssh/sshd_config
# This is the ssh server system-wide configuration file.
Port 22
# Refuse SSHv1, which is subject to several vulnerabilities. "Protocol 2,1"
# would still offer version 1 to any client that asks for it, so list only 2.
Protocol 2
# When you copy this file into your jail, remember to bind sshd to the jail's alias here.
# Preferred order of the encryption and authentication (MAC) algorithms.
Ciphers blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour
MACs hmac-sha1,hmac-md5,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
# Send a keepalive message at the given interval and disconnect after
# several unanswered ones.
KeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 5
# To avoid flooding by repeated connection attempts, we put a quota on the
# handling of connections: 10 is the number of unauthenticated connections
# before sshd starts refusing, 40 the percentage of refusals once that number
# is reached, and 50 means that from 50 pending unauthenticated connections on
# every new one is refused.
MaxStartups 10:40:50
# Here we close the holes linked to the files ~/.rhosts and ~/.shosts and
# their trust relationships.
IgnoreRhosts yes
# Check permissions and ownership of the user's files and home directory
# before accepting a login.
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
# Syslog
SyslogFacility AUTH
LogLevel DEBUG
# Below we favour RSA and DSA keys for authentication instead of passwords.
PasswordAuthentication no
# If you choose to set the previous option to yes, add the line below to
# forbid empty passwords.
# PermitEmptyPasswords no
# Disable S/Key authentication.
SkeyAuthentication no
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication no
# These lines relate to Kerberos authentication.
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# AFSTokenPassing no
# KerberosTicketCleanup no
# Kerberos TGT passing only works with the AFS kaserver.
# KerberosTgtPassing yes
PermitRootLogin no
CheckMail yes
UseLogin yes
# We do not recommend it because it is still relatively experimental, but this
# line lets you use sftp if needed.
# Subsystem sftp /usr/libexec/sftp-server
Two remarks on the values above. The cipher and MAC lists are read in order of preference, and arcfour, 3des-cbc and the MD5-based MACs are the weakest of the lot: drop them if your clients allow it. LogLevel DEBUG is useful while setting things up but logs a great deal, including material that sshd_config(5) warns violates the privacy of users; go back to INFO once the configuration is stable.
All that remains now is to edit rc.conf once more to make sure that sshd starts at boot. We change the line sshd_enable="NO" into sshd_enable="YES" and add the line sshd_flags="-4" to restrict sshd to IPv4 connections. To generate the host keys you would only need to run ssh-keygen, but this is already done by rc.network when sshd_enable is set.
You may finally decide not to give your remote users a shell at all. This is done with chpass or chsh by specifying /sbin/nologin as the shell. Note that this only refuses interactive sessions and remote commands: port forwarding does not need a shell, so a user with a valid key can still run ssh -N unless AllowTcpForwarding is set to no in sshd_config.
($:~)=> chsh -s /sbin/nologin user
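As an added example (not part of the original page, of OpenSSH or of FreeBSD), here is a small audit script that re-reads an sshd_config and flags the settings that would undo the hardening above: a Protocol list still offering version 1, root login, password or empty-password authentication, rhosts trust, disabled StrictModes, X11 forwarding and the weak ciphers. The configuration it checks is constructed from the settings above, with a "Protocol 2,1" line left in on purpose.

```shell
#!/bin/sh
# sshd_config_audit: re-read an sshd_config and flag settings that undo the
# hardening described above. Prints one "finding:" line per problem and
# returns the number of findings (0 = clean). Added example for this page,
# not part of OpenSSH or FreeBSD.
#
# Usage: sshd_config_audit /etc/ssh/sshd_config

sshd_config_audit() {
    awk '
    function flag(msg) { print "finding: " msg; n++ }
    BEGIN { n = 0 }
    # drop comments; keywords are case-insensitive, values are compared lowercased
    { sub(/#.*/, ""); if (NF < 2) next; key = tolower($1); val = tolower($2) }
    key == "protocol" {
        seen_protocol = 1
        # "2,1" still offers SSHv1 to any client that asks for it
        if (val ~ /(^|,)1(,|$)/) flag("Protocol " $2 ": SSHv1 still enabled, use Protocol 2")
    }
    key == "permitrootlogin" && val != "no" { flag("PermitRootLogin " $2 ": direct root login allowed") }
    key == "passwordauthentication" && val == "yes" { flag("PasswordAuthentication yes: prefer RSA/DSA keys") }
    key == "permitemptypasswords" && val == "yes" { flag("PermitEmptyPasswords yes") }
    key == "ignorerhosts" && val == "no" { flag("IgnoreRhosts no: ~/.rhosts trust is honoured") }
    key == "strictmodes" && val == "no" { flag("StrictModes no: badly protected key files are accepted") }
    key == "x11forwarding" && val == "yes" { flag("X11Forwarding yes") }
    key == "ciphers" && val ~ /arcfour|3des/ { flag("Ciphers " $2 ": arcfour/3des are weak, drop them if clients allow") }
    END {
        # OpenSSH releases of this era default to "Protocol 2,1" when unset
        if (!seen_protocol) flag("Protocol not set: sshd falls back to 2,1")
        exit n
    }
    ' "$1"
}

# constructed sample: the settings above, with a "Protocol 2,1" line kept
sample_sshd_config() {
    cat <<'EOF'
Port 22
Protocol 2,1
Ciphers blowfish-cbc,aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
PasswordAuthentication no
PermitRootLogin no
EOF
}

tmp=$(mktemp)
sample_sshd_config > "$tmp"
sshd_config_audit "$tmp" || echo "$? finding(s)"
rm -f "$tmp"
```

Run it against /etc/ssh/sshd_config of the host and of each jail after every change; the return value makes it easy to wire into a cron job that mails root when something drifts.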
2.6. logging
We will now look at the facilities FreeBSD offers for logging the various system and user activities. We will look more particularly at system accounting, system logging and the automated analysis of these logs.
Under FreeBSD we can enable system accounting, which records and summarises the commands executed, stores detailed information on the system resources used and their distribution between users, and lets us supervise the system. For this we have accton and sa. accton enables or disables system accounting; the accounting file must already exist (create it with touch if needed) and should be readable by root only, since it records every command run by every user:
($:~)=> accton /var/account/acct
Here we name the file to which the accounting data are written; to disable accounting, run the same command without a file argument. To consult the accounting data, run sa: -u lists every record with its user and command, and -m gives a summary per user.
($:~)=> sa -u
We thus obtain detailed statistics of system activity per user. You can also use the rc.conf option accounting_enable="YES" to the same effect.
We also have the syslog family at our disposal. First of all syslogd, which records error messages and other system messages under /var/log. To enable it we once again edit rc.conf and add the following entries to it:
syslogd_enable="YES"
syslogd_flags="-ss -m 0"
The flags make syslogd run in secure mode: with -s given twice it opens no network socket at all, so nothing can be logged from or forwarded to the outside, and -m 0 disables the periodic "-- MARK --" lines. To refine how messages are recorded, we edit /etc/syslog.conf. syslog.conf has a syntax of its own:
- blocks of directives are grouped by program (a line of the form !program starts a block that applies only to that program);
- directives take the form facility.level followed by the destination of the messages, which can be a file, a user or a device.
The different facilities are:
- auth, messages from the authorization system of programs such as login, su or getty
- authpriv, similar to auth but meant for a log file whose reading is restricted
- cron, the cron daemon
- daemon, system daemons that have no dedicated facility
- ftp, the ftpd and tftpd daemons
- kern, messages generated by the kernel and by kernel processes
- lpr, everything related to printing devices and tools such as lpr, lpc and lpd
- mail, messages of the mail system
- news, similar to mail but for Usenet news
- security, security subsystems such as ipf or ipfw
- syslog, messages generated by syslogd itself
- user, messages generated by arbitrary user processes; this is the default facility when none is specified
- uucp, the Unix-to-Unix Copy Program stack
- local0 to local7, free facilities that particular software can use for its own purposes
- *, the asterisk, which stands for all of the preceding facilities
The level field follows:
- emerg, a general alert, usually broadcast to all users
- alert, an alarm requiring immediate attention or correction
- crit, critical conditions such as device problems
- err, error messages
- warning, basic warning messages
- notice, an event that is not an error but may require particular handling
- info, simple informational messages
- debug, messages that help understand the inner workings of a piece of software and thus debug it when a problem arises
- none, which disables logging for this facility
A selector of the form facility.level matches the given level and every more severe one. We can also put a comparison flag in front of the level, < (lower than), = (equal to) or > (greater than), to pick out specific levels of the same facility.
# syslog configuration to add in the jail
#!apache
#*.*            /var/log/access_log
#!bind
#*.*            /var/log/named
To prevent the exponential growth of the log files set up above, we have newsyslog, which rotates a log into a new file and can even compress it (flag Z for gzip, J for bzip2). For each log we specify how many archived copies are kept (count), the size in KB above which (size) or the interval or time at which (when) the rotation happens, and the mode of the rotated files. We thus get a rotation that is bounded in space and time and easier for the administrator to manage. Note that the rotation time is written in the ISO 8601 form ccyymmddThhmmss, preceded by @: @20010915T000000 means 15 September 2001 at midnight. This form can be simplified by dropping the fields you do not need, as in @T00 for every day at midnight.
Finally, you can specify the path of a file holding the PID of a particular daemon, together with the signal to send it (HUP by default), so that the daemon reopens its log and no writes are lost in the rotated file.
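As an added example (not from the original page or from FreeBSD), the following shell function checks newsyslog.conf entries against the field layout just described: mode, count, size, when (including the @ISO 8601 form), the Z/J and other flags, and the optional pid file and signal. The entries it checks are constructed for illustration; the last one carries the mistake of writing the ISO time with a space, which splits the time across two fields.

```shell
#!/bin/sh
# newsyslog_lint: check newsyslog.conf entries against the field layout
#   logfile [owner:group] mode count size when [flags] [/pidfile] [signal]
# Prints one line per faulty entry and returns the number of faulty entries.
# Added example for this page, not part of FreeBSD.

newsyslog_lint() {
    awk '
    BEGIN { n = 0; bad_line = 0 }
    function bad(msg) {
        printf("line %d (%s): %s\n", NR, $1, msg)
        if (bad_line != NR) { n++; bad_line = NR }   # count each entry once
    }
    /^[ \t]*#/ || NF == 0 { next }
    {
        i = 2
        if ($i ~ /:/) i++                              # optional owner:group
        if (NF < i + 3) { bad("too few fields"); next }
        mode = $i; count = $(i+1); size = $(i+2); when = $(i+3)
        flags = (NF >= i + 4) ? $(i+4) : "-"
        if (mode !~ /^[0-7][0-7][0-7][0-7]?$/) bad("mode must be octal: " mode)
        if (count !~ /^[0-9]+$/) bad("count must be a number: " count)
        if (size !~ /^([0-9]+|\*)$/) bad("size must be KB or *: " size)
        # when: "*", an interval in hours, @ccyymmddThhmmss with the unneeded
        # leading date or trailing time fields dropped (e.g. @T00), or a $ spec
        if (when !~ /^(\*|[0-9]+|@([0-9]+(T[0-9]+)?|T[0-9]+)|\$[MWD0-9]+)$/)
            bad("when must be *, hours, @ISO8601 or $spec: " when)
        if (flags !~ /^[BCDEGJNRUWXZ-]+$/) bad("unknown flags: " flags)
        if (NF >= i + 5 && $(i+5) !~ /^\//) bad("pid file must be an absolute path: " $(i+5))
        if (NF >= i + 6 && $(i+6) !~ /^([0-9]+|SIG[A-Z]+)$/) bad("bad signal: " $(i+6))
    }
    END { exit n }
    ' "$1"
}

# constructed entries for the check above; the last one is deliberately wrong
sample_newsyslog_conf() {
    cat <<'EOF'
# logfile                 [owner:group] mode count size when              flags [pidfile] [signal]
/var/log/messages                       644  5     100  *                 J
/var/log/security                       600  10    *    @T00              Z
/var/log/auth.log         root:wheel    600  7     *    $W6D0             JC
/var/log/httpd-access.log               644  7     *    @20010915T000000  Z     /var/run/httpd.pid 30
/var/log/named.log                      644  3     100  @20010915 000000  Z
EOF
}

tmp=$(mktemp)
sample_newsyslog_conf > "$tmp"
newsyslog_lint "$tmp" || echo "faulty entries: $?"
rm -f "$tmp"
```

The fourth constructed entry shows the pid file and signal fields at work: after rotating the Apache log, newsyslog sends signal 30 (SIGUSR1 on FreeBSD, a graceful restart for httpd) to the process named in /var/run/httpd.pid so that it reopens the new file.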
An interesting measure, easy to put in practice but rarely used, is NTP synchronisation. NTP stands for Network Time Protocol; it lets a client machine synchronise its clock with a stratum N server, itself synchronised with a server of a higher stratum or directly with a reference clock. The client may also decide to synchronise directly with a reference server. This pyramidal architecture is what characterises NTP. Now what does NTP have to do with the requirements of logging? In the very near future, the correlation of logs in the search for attacks, or for information on attacks detected by NIDS, will be done centrally, and effective correlation must rely on a reliable timestamp that is the same across the portion of the network concerned. In addition, critical applications such as DNS servers or the SMTP/NNTP servers that give the user a time reference must keep the right time. Configuring our client machine is extremely simple under FreeBSD: it is enough to edit rc.conf and put the 2 following lines there
Finally, there is a tool that is not part of the base system but can prove very useful for monitoring and auditing the network and its traffic: Argus, the Audit Record Generation and Utilization System. Argus is a userland program that behaves much like a sniffer, capturing the traffic passing on a network interface and generating audit reports. For the capture Argus relies on libpcap, as tcpdump does. You will find an interesting howto on http://minithins.net or http://www.hsc.fr/ressources/breves/argus_fr.html.en.
Cron is one of the most traditional and most useful Unix tools, since it lets us run a given task at a given time. Cron is started at boot, then runs as a daemon and wakes up every minute to check whether it has a task to run in the coming minute, noting in passing any modification of the crontabs. A crontab is a file from which cron reads the commands it must run. Cron looks for crontabs in /var/cron/tabs (the per-user crontabs, edited with crontab -e) and then in /etc/crontab (the system crontab, which has an extra field naming the user to run as).
We first edit rc.conf to make sure that cron is started. We check, and if necessary add, the following line:
cron_enable="YES"
Then, to add entries, we edit the crontab. Although it follows an obvious logic, the crontab demands a precise syntax: five time fields (minute, hour, day of month, month, day of week), followed in /etc/crontab only by the user to run as, then the command.
The time fields accept a few practical shortcuts such as the wildcard (*), lists (1,2,3,4) and steps within a field (0-23/2), and the five fields can be replaced as a whole by the aliases:
@reboot, run once at each boot; @yearly or @annually, once a year; @monthly, once a month; @weekly, once a week; @daily or @midnight, once a day; @hourly, once an hour.
($:~)=> ee /etc/crontab
# you can specify which shell runs the commands
SHELL=/bin/sh
# this option tells cron whom to notify in case of problems
MAILTO=root
#
# /etc/crontab entries carry the user to run as between the time and the command.
# update the Nessus plugins every week
@weekly   root  nessus-update-plugins
# mtree integrity check every week; -p names the tree to compare against
# the spec, otherwise mtree would compare root's home directory
@weekly   root  mtree -x -i -f bin.spec -p /bin | mail -s 'mtree /bin results' root
@weekly   root  mtree -x -i -f sbin.spec -p /sbin | mail -s 'mtree /sbin results' root
@weekly   root  mtree -x -i -f libexec.spec -p /usr/libexec | mail -s 'mtree /usr/libexec results' root
@weekly   root  mtree -x -i -f lib.spec -p /usr/lib | mail -s 'mtree /usr/lib results' root
@weekly   root  mtree -x -i -f sharelib.spec -p /usr/share/lib | mail -s 'mtree /usr/share/lib results' root
@weekly   root  mtree -x -i -f boot.spec -p /boot | mail -s 'mtree /boot results' root
# followed by a check of the listening services with lsof
@weekly   root  lsof -niU
# and a daily KSEC check
@daily    root  ksec -i interface -b -k -p
# update the ports tree, for the host environment only
@monthly  root  make update PORTSFILE
# newsyslog
@hourly   root  newsyslog
# ntpdate daily if you have long uptimes
@daily    root  ntpdate ntp-sop.inria.fr
# start racoon at boot
@reboot   root  racoon -f /etc/racoon.conf
There we are: a useful crontab, and one maintenance chore less!
2.8. ipfw and natd
In this chapter we approach a security mechanism that is extremely widespread nowadays, namely firewalling. Firewalling covers several approaches, from sober but effective packet filtering to complex but useful application proxies. To illustrate our remarks and apply firewalling to our system, we will use ipfw, which ships with FreeBSD and which we enabled through a few kernel options at the very beginning of our configuration. Many people are attracted by IPFilter. The reason generally given is its stateful behaviour, which is supposed to follow a connection in order to filter the whole of it better. However ipfirewall is integrated directly into FreeBSD, which already guarantees good network performance. In addition, the keep-state option of ipfw creates a state table that tracks flows for packet filtering. The state table and the ipfw rules that go with it create, for each packet that matches such a rule, a new dynamic rule that allows the connection to be followed (admittedly less thoroughly than IPFilter does) and authorised. For this ipfw uses, at layer 4, a lifetime mechanism: a dynamic rule stays active while waiting for a new packet, and each new packet restarts the countdown of this lifetime. If the lifetime reaches zero without a new packet, the dynamic rule disappears and further packets of that flow are refused. The following sysctl entries let you set the lifetime corresponding to each TCP state, to UDP and to the other protocols. You can then set the size of the hash table holding the dynamic rules of your ruleset; this change takes effect only after a flush.
Finally, the last entry comes from a patch (http://people.freebsd.org/~cjc/ipfw_verbose_stable.patch) that increases the verbosity of ipfw further by adding to the log lines the DiffServ, IP ID and TTL fields (in addition to the usual source and destination addresses and ports) and, for TCP, the ack number, sequence number and flags.
Although they are not covered here, know that IPF offers similar entries, once installed, under net.inet.ipf.*.
To see the rules currently loaded, and in particular the dynamic rules (which are only printed with -d), enter:
($:~)=> ipfw -d show
Also do not forget to edit rc.conf to add the lines concerning the firewall, such as firewall_enable="YES", firewall_quiet="YES", firewall_logging="YES" and firewall_type="simple". To insert rules into the ruleset you can either edit the simple section of /etc/rc.firewall or use the ipfw command, which follows this general form:
ipfw command [number] action [log] protocol from source to destination [options]
- the commands are 'add' to add a rule, 'delete' to remove a single rule and 'flush' to remove them all, plus 'show' or 'list' to display the current rules. Each rule must have a unique number to avoid confusion; rules are evaluated in increasing number order and the first matching rule decides.
- the actions are 'allow' to let a packet through, 'deny' to drop it silently, 'reject' to drop it and send back an ICMP host unreachable (the error is selectable with the 'unreach' and 'reset' actions), 'check-state' to check the packet against the dynamic rules, or 'fwd' followed by an IP address and optionally a port, if you have routable addresses. We can also log, as the only or as an additional action, with 'log', to which 'logamount' can be added to override the IPFIREWALL_VERBOSE_LIMIT kernel option.
- the protocol can be 'all' or 'ip' to match every protocol, or the name or number of the desired protocol as listed in /etc/protocols.
- we then specify the source after 'from' and the destination after 'to', with the ports right after the source or destination address. Note also 'me', which matches any address configured on the firewall's own interfaces (as shown by ifconfig), which is very useful with dynamic addressing. Finally, for ports and addresses, ipfw now supports logical operators.
- the ifspec keywords let us work on interfaces. We can for instance match packets only on ingress with 'in' and only on egress with 'out', or on a given interface with 'via' followed by the interface name; 'recv' checks the receiving interface only and 'xmit' the sending interface only.
- for stateful inspection, 'keep-state' asks for dynamic tracking of the flows matching this rule, 'setup' matches TCP packets with the SYN flag set and ACK clear, and 'established' matches packets with the ACK or RST flag. You can also specify 'ipoptions' (lsrr, ssrr, rr, ts), 'tcpoptions' (mss, window, cc, sack, ts), 'tcpflags' (fin, syn, rst, psh, ack, urg) or 'icmptypes' (0, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18). Finally, the keyword 'limit' was introduced recently (4.5-RELEASE) to cap the number of simultaneous connections per association for a rule, by naming the source address and/or port, the destination address and/or port and then the connection limit; 'limit' creates its own dynamic rules, so it is used instead of 'keep-state', not together with it. Know finally that the firewall itself can filter by user with the 'uid' and 'gid' options followed by their value.
To obtain the complete list of fields, and in particular a description of the use of dummynet as a basic traffic shaper, refer to the ipfw man page. In this area, however, we really recommend ALTQ, developed within the KAME project (and thus regularly merged), which implements the CBQ, WFQ/SFQ and HFSC disciplines, the RED algorithm and its RIO and Blue variants, and finally the ECN and RSVP extensions (with CBQ and HFSC) as well as support for the DiffServ model. More information is on the ALTQ site, http://www.csl.sony.co.jp/person/kjc/software.html#ALTQ. The final integration of ALTQ into the main FreeBSD tree is in progress for release 5.0.
To finish with the ipfw commands, note that an interesting patch known as lifetime has existed since FreeBSD 4.3; it imposes a timeout on a transmission through a firewall rule, which blocks it once the timeout is reached. As this patch is not integrated into the base system, we will not dwell on its use. You will find all the information needed to install the patch and use the new keyword at http://www.aarongifford.com/computers/ipfwpatch.html.
When you boot your machine with the firewall options enabled for the first time, about 200 basic rules are generated automatically. We therefore start by purging our rules:
($:~)=> ipfw flush
At the beginning of the ruleset we define some variables: the ipfw command with the -q option for quiet output, the mask of our internal network, the address of our jail, and our inside and outside interfaces.
We then drop, on the outside interface, every incoming packet whose source is a reserved non-routable address or our own internal network, and log these cases of obvious spoofing. These addresses are listed on the IANA site and in RFC 1918.
Then we divert the traffic through natd for the translation of addresses and ports to and from our private addresses. This rule is followed by a check of every packet against the state table, to know whether it belongs to an already accepted connection. We can then reject all remaining incoming TCP packets in the established state, and IP fragments, since they are now guaranteed not to belong to a connection in progress.
Then we authorise certain communications: DNS, with the server addresses taken from /etc/resolv.conf, administration of the machine via SSH, and finally Racoon, Argus and Nessus. For the clients behind the firewall we also authorise outgoing ftp, smtp, ssh, HTTP, pop3, NTP, IMAP, https, ircs and pop3s connections.
Then come the ICMP restrictions, ICMP being used in scanning as well as in DoS. From the outside we let in echo reply, destination unreachable, time exceeded, parameter problem and timestamp reply. Towards the outside we allow echo request, time exceeded (fragment reassembly time exceeded) and timestamp request. With this we have the minimum needed for path discovery, connectivity checks and detection of unreachable destinations.
To apply packet filtering to the services provided by a jail, we proceed as if we were filtering the host environment, except that we substitute the jail's private alias and filter on the loopback interface lo0.
When writing your rules, pay attention to the order in which you place them in the ruleset, to the interfaces they apply to and to their direction. As the implementation notes of ipfw(8) explain, the number of times a packet is inspected varies: once for packets that terminate locally and for bridged packets, twice for packets with both ends local or for forwarded packets. What happens to packets that come back into the firewall after a divert socket or a dummynet pipe is controlled by a sysctl:
($:~)=> sysctl -w net.inet.ip.fw.one_pass=1
With one_pass set to 1, a packet reinjected by natd or dummynet is accepted immediately instead of continuing at the rule after the divert or pipe rule. Be extremely careful in that case when writing the rules: nothing placed after the divert rule is ever applied to translated packets, so anything you want inspected must sit before it, and with the ruleset below it is safer to leave one_pass at its default of 0. In short, check that every packet is inspected, and at the right place.
Finally, for greater safety, we refuse all traffic that is not expressly authorised. The final /etc/rc.firewall is shown below.
# reserved addresses: no spaces inside the address list, hence the continuation lines.
# Note that ipfw before 4.7 accepts a single address per from/to and at most 10
# ports per list; split the rules if your ipfw complains.
${fwcmd} add 201 deny log all from \
    192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,127.0.0.0/8,0.0.0.0/8,169.254.0.0/16,192.0.2.0/24,204.152.64.0/23,224.0.0.0/3,${net}: ${mask} \
    to any in via ${extif}

# divert to natd: both directions must pass through natd, so no "in" here
${fwcmd} add 300 divert 8668 all from any to any via ${extif}

# check against the state table
${fwcmd} add 400 check-state
${fwcmd} add 401 deny tcp from any to any in established
${fwcmd} add 402 deny ip from any to any in frag

# DNS, SSH, Racoon, Argus and Nessus (replace primary_DNS with the address from
# /etc/resolv.conf; limit implies state tracking, so no keep-state with it)
${fwcmd} add 403 allow udp from ${net}:${mask} to primary_DNS 53 in keep-state
${fwcmd} add 404 allow tcp from any to me 22 setup limit src-addr 5
${fwcmd} add 405 allow udp from any 500 to any keep-state
${fwcmd} add 406 allow udp from any to any 500 keep-state
${fwcmd} add 407 allow tcp from any to any 561,3001 setup limit dst-addr 2

# outgoing connections to the usual servers (NTP is UDP, hence its own rule)
${fwcmd} add 408 allow tcp from ${net}:${mask} to any 20,21,22,25,80,110,143,443,994,995,6667 keep-state setup
${fwcmd} add 409 allow udp from ${net}:${mask} to any 123 keep-state

# ICMP limitations (ping, Van Jacobson's traceroute...)
# in: echo reply, unreachable, time exceeded, parameter problem, timestamp request/reply
# out: echo request, time exceeded, timestamp request (type 13; 1 is not a valid type)
${fwcmd} add 500 allow icmp from any to ${net}:${mask} in icmptypes 0,3,11,12,13,14
${fwcmd} add 501 allow icmp from ${net}:${mask} to any out icmptypes 8,11,13
${fwcmd} add 502 allow udp from ${net}:${mask} to any 33400-33500 in
${fwcmd} add 503 deny log icmp from any to any

# jail services
${fwcmd} add 602 allow udp from any to ${jail} 53 in keep-state via lo0
${fwcmd} add 603 allow tcp from any to ${jail} 80,443 in keep-state setup via lo0

# Restrictive stanza: everything not explicitly allowed is forbidden.
# The jail rule is kept before the catch-all: numbered after it, it would never be reached.
${fwcmd} add 899 deny log all from any to ${jail} via lo0
${fwcmd} add 900 deny log all from any to any
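As an added example (not from the original page or from FreeBSD), the following shell function performs the kind of ordering check recommended above on an rc.firewall-style ruleset. It reads lines of the form ${fwcmd} add NUMBER ..., warns about rule numbers that do not increase, about rules numbered after an unconditional deny (which ipfw will never reach) and about keep-state combined with limit, and returns the number of problems. The ruleset it checks is constructed for the purpose: it reproduces two classic mistakes (a rule combining keep-state with limit, and a jail rule numbered after the catch-all deny) plus a rule added out of numerical order.

```shell
#!/bin/sh
# ipfw_lint: static checks on an rc.firewall-style ruleset (lines of the form
# "${fwcmd} add NUMBER action ...") for the pitfalls discussed above:
#   - rule numbers that do not increase (ipfw evaluates by number, not file order)
#   - rules numbered after an unconditional "deny all from any to any" (dead rules)
#   - keep-state combined with limit (ipfw refuses the rule; limit already tracks state)
# Prints one line per problem and returns the number of problems found.
# Added example for this page, not part of FreeBSD.

ipfw_lint() {
    awk '
    BEGIN { n = 0; last = 0; catchall = 0 }
    function warn(num, msg) { printf("rule %d: %s\n", num, msg); n++ }
    /^[ \t]*#/ || NF == 0 { next }
    {
        for (i = 1; i <= NF; i++) if ($i == "add") break
        if (i >= NF || $(i+1) !~ /^[0-9]+$/) next
        num = $(i+1) + 0
        body = ""
        for (j = i + 2; j <= NF; j++) body = body (j > i + 2 ? " " : "") $j
        if (num <= last) warn(num, "number not increasing after rule " last)
        else last = num
        if (catchall && num > catchall) warn(num, "unreachable, rule " catchall " already denies everything")
        if (body ~ /keep-state/ && body ~ /(^| )limit( |$)/)
            warn(num, "keep-state and limit are mutually exclusive, drop keep-state")
        if (!catchall && body ~ /^deny( log)?( logamount [0-9]+)? (all|ip) from any to any$/)
            catchall = num
    }
    END { exit n }
    ' "$1"
}

# constructed sample: two classic mistakes (keep-state with limit, a jail rule
# numbered after the catch-all deny) plus a rule added out of numerical order
sample_ruleset() {
    cat <<'EOF'
${fwcmd} add 400 check-state
${fwcmd} add 404 allow tcp from any to me 22 keep-state setup limit src-addr 5
${fwcmd} add 408 allow tcp from ${net}:${mask} to any 22,25,80 keep-state setup
${fwcmd} add 900 deny log all from any to any
${fwcmd} add 901 deny log all from any to ${jail} via lo0
${fwcmd} add 850 allow icmp from any to any icmptypes 0,3,11
EOF
}

tmp=$(mktemp)
sample_ruleset > "$tmp"
ipfw_lint "$tmp" || echo "problems found: $?"
rm -f "$tmp"
```

The check is deliberately textual: it does not know about interfaces or directions, so a rule "numbered after the catch-all" is only reported when the catch-all carries no in/out/via qualifier at all. Run it on /etc/rc.firewall before reloading the rules; it is much cheaper than finding the dead rule from the console.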
For these rules to take effect, either reboot or re-run the script that loads them. Do this from the console rather than over SSH: the flush at the beginning of rc.firewall cuts every connection until the rules are loaded again. (Sending HUP to init only makes it re-read /etc/ttys; it does not reload the firewall.)
($:~)=> sh /etc/rc.firewall
NAT, Network Address Translation, is a mechanism originally created to cope with the shortage of available IP addresses. It lets a gateway relay each communication between routable external addresses and non-routable internal addresses by rewriting the corresponding headers and storing the mappings in a hash table. Thus we use only one routable IP address, that of the NAT gateway. NAT is an interesting way of sharing a connection, but it will not do for load balancing: its queueing relies on weighted round robin, which serves each waiting queue in turn, and NAT by WRR handles priority as in the DiffServ Assured Forwarding implementation, dropping low-priority packets under heavy load. Moreover the throughput of NAT under congestion is rather low, all the more so with natd, which runs in userland and therefore implies a copy from the kernel to userland for each packet. Prefer the ipnat/ipf kernel module for better performance.
The other pair being ipfw/natd, we will now see a basic natd configuration to relay requests from our host to our jail or to any other machine behind our FreeBSD box.
To begin, we edit rc.conf to add the following lines to it
natd will thus be started at each boot with natd.rules as its configuration file, which we now edit. For more information on the options used, refer to the man page; we only give a quick overview in relation to our hardened configuration. Note that redirection through natd can be done by address with redirect_address, by port with redirect_port and by protocol with redirect_proto. A last option can prove very useful to IRC and ftp users: punch_fw followed by basenumber:count, respectively the number of the first rule and the number of dynamic rules that may be created.
log yes
deny_incoming no
use_sockets yes         # allocate a socket so the port cannot clash with another application's
same_ports yes          # try to keep the same port number in the translation
verbose no
port natd
unregistered_only yes   # NAT only the RFC 1918-type addresses
log_ipfw_denied yes     # log packets not reinjected because ipfw blocked them (useful for debugging)
# DNS
redirect_port udp jail_IP_alias:53 public_IP_address:53
# SSH on the second jail (public_ssh_port is a placeholder: the port clients will connect to)
redirect_port tcp jail_user_IP_alias:22 public_IP_address:public_ssh_port
# static NAT for other machines
redirect_address internal_IP1 public_IP
redirect_address internal_IP2 public_IP
redirect_address internal_IP3 public_IP
Note that natd naturally keeps track of the connections it translates. Therefore, when you configure a gateway to use natd, stateful inspection at the ipfw level is no longer strictly needed for the relayed connections: you can configure a static firewall and let natd keep the state of the relayed connections. Keep in mind that natd's table only records translations; it does not replace the check-state and established checks for traffic addressed to the gateway itself. If you still feel the need to keep keep-state rules, the skipto keyword, which jumps to another rule, can prove useful.