Bastille-Linux

ArticleCategory:

System Administration

AuthorImage:

TranslationInfo:

Original in fr Frédéric Raynal

fr to en Georges Tarbouriech

AboutTheAuthor:

Fr�d�ric Raynal is preparing a thesis about computed image tattooing at the INRIA (Institut National de Recherche en Informatique et Automatique). He is also involved in Bastille-Linux development.

Abstract:

Released at the beginning of June, Bastille-Linux version 1.1 is not a new Linux distribution but a set of scripts to better protect your system against potential vulnerabilities. The authors approach is quite educational and we can learn a lot when installing these scripts.

ArticleIllustration:

[Illustration]

ArticleBody:

Introduction

With regards to security, Linux is much better than other operating systems. Nevertheless, every distribution is different from the other one concerning this matter. Bastille-Linux provides you with means to protect your system. It was initially written for RedHat but the last version works with other distributions too.

The project is managed by Jon Lasser (main coordinator) and Jay Beale (main developer). Many other developers, software designers and beta-testers are involved as well.

First of all, let's make it clear: Bastille-Linux is NOT a new Linux distribution! It's a set of scripts, written in perl intended to improve Linux security.

Security, means here computer security: how to avoid that unwanted people access your machine? Bastille-Linux gives a part of the answer by modifying the initial installation of your Linux distribution.

A basic task for every SysAdmin is to know the users needs, not only to comply with them, but also to avoid to keep running network unused programs... to be able to contain network security holes. One of my mentors used to say: the least you do, the better ;-] Of course, he was talking about algorithm complexity, but this is applicable to network administration: abundance of goods does harm as it gives more attack places. To reduce vulnerability just install what you really need.

Bastille-Linux tries to reduce the possibilities for an attack. To reach this goal, the software designers have a very educational approach: they explain what to do, step by step.

Presentation

At the moment of this writing, Bastille-Linux is in version 1.1.0, released in the first half of June.

Apart from its obvious usefulness, Bastille-Linux is extremely educational. The scripts ask detailed and acurate questions. Here, the developers try to teach the user. They explain the question context and the results of the available answers. This makes Bastille-Linux an easy to use tool.

For more advanced users, the source code, written in perl, is a model of clarity (yes, it's possible ;-) : every comment describes the way the action is working.r

Here are a few features of version 1.1.0 :

Bastille-Linux has different modules. Let's say 4 general modules and those dedicated to particular purposes ( software such as sendmail, FTP, ... or like boot or useless daemons)

The general modules are used for:

  1. Firewall installation
  2. System software update
  3. Audit on SUID-root programs
  4. Deactivating and restricting useless services
The other modules concern more specific aspect. Some of them are dedicated to security holes opened by bad configured software (sendmail or FTP for instance), some others modify the configuration of a few services in a less permissive way (PAM, syslog, ...)

Some security functions cascade and offer different protection levels (this is against my mentors principles ... but you have to emancipate one day ;-) You must protect every service or every potential security hole by any means. Thus, if one fails, the other ones keep protecting your system.


 
 


Installation or "let's go for a walk into the scripts while the wolf is not there"

Previous versions of Bastille-Linux only worked on new systems this is not true for the latest one. However, we must say what Bastille does is useless (almost) if your system has already been used. Thus, it's recommended, for security reason and not because of the software, to install Bastille-Linux on a new system (freshly installed). You've been warned, so let's go to the serious side: the installation!

Bastille-Linux is available as tarball .tgz at bastille-linux.sourceforge.net. This archive is only 134 Ko. Once downloaded, extract it (tar xzf Bastille-1.1.0.tgz).

Four scripts manage Bastille-Linux :

To install Bastille-Linux, you must be root since the scripts will modify configuration files. Then, to install, execute InteractiveBastille.pl first. Next, answer the set of questions (detailed a bit further down). Last, run BackEnd.pl and it's done! A backtrace of the changes can be found in the /root/Bastille/undo directory.

A few notes before you begin.

  1. You're supposed to run the script from the /root/Bastille directory ... this will change in a future version and then you'll be able to execute it from any place (may be, it's already true by the time you read this)
  2. Two modules allow account creation ... as soon as you installed shadow passwords on your system. This is the default installation, but check that /etc/passwd doesn't hold passwords, that you must be root to access /etc/shadow and that this last file really holds the passwords!
  3. Bastille-Linux doesn't yet manage links between modules, like in kernel configuration (this will be available in a future version). Take care of the answers given in a module and to their consequences. Thus, you could tell IPChains module to close port 2049 and keep NFS in the list of active daemons from MiscellaneousDaemons module (NFS uses this port).

Step by step

Let's have a look at the questions asked by Bastille-Linux to understand the different steps. The letter between [ ] shows the default answer (N -> No, Y -> Yes).

IPChains

This module is used to configure a firewall. Even if it isn't compulsory for system protection, this allows to control network traffic from and to the machine. The firewall traffic control is not enough, you must as well reconfigure the daemons (remember, different security levels are not useless).

This script works in a very good way. It takes into account 2 network interfaces: the one communicating with the outside, and the one communicating with the local network. The goal is to determine the services available to the machines and to stop the others. The default is to refuse everything coming from the outside. Next, the script defines the rules to make some services available. Certains selected services.

The script manages TCP, UDP and ICMP protocols. It provides lists of services to watch or to avoid for each protocol. It would be too long to detail here Bastille-Linux approach to install a firewall, but reading the script and its comments help a lot. However a minimum knowledge is required to use this module.


 

PatchDownload

Updates are important to maintain system integrity. During the last few months, bind and piranha, (for instance) have had big security problems. They have been corrected quickly: with the source code being public, some people immediately wrote patches.

Unfortunately, this script doesn't work very well. It's rather complex since you must determine the installed packages, and among them, the ones to updated. Next, you must download the patch, check it hasn't been altered (either by hackers or the transfer) before installing it. This really depends on the distribution you use.

At the moment, Jay Beale recommends to manually execute this step but not to neglect it. A more functional version of this module is under development and should be available very soon.

FilePermissions

This module is based on a document from the SANS team. The aim is to determine the programs only available to root (or root group member), the ones needing to keep SUID bit, etc ...

AccountSecurity

Hacking often begins with user account (or system account) commitment.   A few simple steps make the task harder and allow to detect intrusion.

BootSecurity

The options provided in this module concern the physical security of the machine. This is to correct security holes of previous versions. Anyone having a physical access to the console was able to get a privileged access (i.e. root). Running LILO in single mode, (LILO : linux single) allowed to get a brand new shell belonging to root;-P

Obviously, that isn't enough. To physically protect a computer, the BIOS must be password-protected, the hard disk must be the only boot device, the box must be locked to prevent someone from adding his own hard disk... This is of course the paranoid behaviour and you don't need to do that without a very good reason.

From a sofware point of view, some restrictions provide a good compromise compared to the above mentioned:

SecureInetd

The goal of this module is to restrict and deactivate superfluous services. Hackers are easily able to find security holes in any privileged service, then you must restrict both service and privilege.

For instance, a mistake in RedHat6.0 DNS allows to remotely become root. Deactivating this service or reducing privileges protects from this annoyance.

Some protocols, such as the already mentioned r-commands but ftp or telnet too, are quite vulnerable. Others allow to get information (finger or identd for example) on the machine accounts, etc ... Many of these services are managed by tcp_wrapper  which allows to control who accesses a given service (by means of /etc/hosts.{allow, deny}) files. Then, once the wrapper decided the client was allowed to access the service, it sends the request to the corresponding server.

This part is still a bit rigid and should be changed in future versions.

Before continuing, let's remember that the network relies on a client-server model. Thus, you must know if you are on the client side or on the server side of each service. For instance, stopping the web server doesn't prevent you from browsing the web: your browser is a client.
 

DisableUserTools

This short module, is essential on a server. Usually, a hacker accesses a machine using a normal user account. Then, he recompiles a few programs on that machine to exploit its weaknesses. This module deactivates the machine C compiler for every user but root.

Then, if this machine is only a server on which no one has to compile anything, remove the compiler.

ConfigureMiscPAM

The aim of this module is to limit the risks of Deny of service attacks - these attacks freeze a system overloading it (ie: to fill a partition with core files, ping of death, etc ...)

PAM stands for "Pluggable Authentification Module". It's a library allowing the SysAdmin to select the type of users authentication for each application, the rights they have, the resources they can access, and so on.

Logging

syslog is one of the most important services to detect if a machine has been commited. This daemon records some system events. You can choose to change the level of recorded information.

It's remarkable that if you have a minimal number of running services, every problem will be pointed out quickly from /var/log files. On the other hand, if your system runs a lot of useless servers the /var/log files become very big and accordingly more difficult to manage (you then need to implement dedicated scripts).

This module adds new checks in the /etc/syslog.conf file.

MiscellaneousDaemons

Always in the concern of minimization, this module only activates the servers you really need at boot time. As a default, almost every service is useless and so deactivated. You can reactivate a service with the chkconfig command.
 
Services  Description
apmd Used to control laptops batteries.
NFS and samba To manage shared file systems ... even if quite useful on heterogeneous networks they are big security holes.
atd Everything atd does can be done with cron. too.
PCMCIA services If you own PCMCIA hardware, what is quite common on laptops but rather unusual on workstations.
dhcpd Server used to provide temporary IP addresses. This kind of service is either "offered" by Internet Service Providers (ISP) or used on a local network.
gpm Used while in console (text) mode to manage the mouse. Unless you often work in console mode, this service is useless.
news server Very few people need to run a news server on a machine ... usually, it's the ISP job.
routed As for the news server, it's the ISP job: it concerns your DNS. 
NIS Very useful service on a local network ... but origin of big security problems!!!
snmpd Server dedicated to network administration (statistics, management, users,...)
sendmail There is no need to run it as a daemon to allow you to send or receive mail. Furthermore, if you get your mail from your ISP through POP or IMAP, sendmail is useless and since this program has big security holes...

 

Sendmail

As previously mentioned, sendmail is a service to manage mail. Its history is full of security holes caused by the many tasks a mail server has to manage and the necessary privileges to achieve them (name resolution, syslog information, etc...). Apart from its weaknesses, sendmail allows to get information about a specific user on a given server. For instance, sendmail EXPN and VRFY commands allow someone to know if a specific user account exists.

sendmail as we said before, doesn't need to be run as a daemon to send and receive mail. For home users sendmail is probably quite useless since you can use any mail client (netscape, rmail, pine, mutt, etc...) to send your mail. To receive your mail, you can activate sendmail on a regular basis to check your mailbox.
 

RemoteAcces

It's often useful to be able to connect to a remote machine. We have seen that the r-commands allow this in an insecure way. Bastille-Linux suggests to download ssh. It's a software encrypting the data (and so the passwords) transferred through a connection.

You can use a software in which the session key length doesn't exceed 128 bit. Let's explain what a session key is. It's the key used to crypt the data.  This session key is built step by step by the client and the server: it comes from a key exchange protocol (Diffie-Hellman in most cases).  It consists in building a key from a piece of every member's key. Next, this session key is used to crypt the data according to a symetric algorithm (i.e.   the same key is used to encrypt and uncrypt the data). Thus, DES, used to encrypt Unix passwords, is a symetric algorithm with a 56 bit key.

Now, is a 128 bit key big enough to ensure transaction confidentiality and security: YES! Even if today DES is said "not so secure", the best attacks are not within range of CPU power that most people have. On the other hand, it's a mistake to believe a key of 2k length is twice more difficult to find than a key of k length. As a matter of fact, if the difficulty is exponential, it grows much faster than the key size. For a key of k length, it exists 2^k possible keys (and so 2^2k for a key of 2k length). Then, multiplying the key size by  2, we add  possible keys! When you notice the difficulty to break DES (56 bit), you can expect 128 bit keys to be inviolable (as soon as the encrypting/uncrypting algorithm doesn't hold security hole).  From an attack point of view,  to increase this limit  only makes the difficulty go from an "impossible level" to an "even more impossible level".

4 different software packages  provide with similar services :

  • ssh 1.2.x : a client-server system to establish encrypted connection.;
  • ssh 2.x : the same as the previous one but with less weakness and more possibilities;
  • OpenSSH : a similar version to the previous one but under BSD license;
  • ssf : like ssh, but accepted by French law. (This had to be said!)
  • The following modules still concern services. For them the policy may look surprising: you begin with privileges restriction and then you stop them. In spite of appearances, these two measures are not conflicting. These services can be reactivated, either incidentally or by undesirable people... then it seems better to restrict them.
     

    DNS

    A DNS (Domain Name Server) allows to link an IP address and a machine name and vice versa. For instance, the address 198.186.203.36 corresponds to www.bastille-linux.org. The main function of this server is called BIND. Lately, a DoS type attack against BIND has been found. You can avoid it only giving DNS access to a small group of directories (you can change the root directory - default to / - with the chroot command before executing a command or a script).

    Let's add a few technical details before explaining Bastille-Linux behaviour. The daemon managing this service is called named. Its configuration comes from  the /etc/named.conf file.
     

    Apache

    Apache is the most used web server on the Internet. Such a server is only useful in two cases:
    1. to host a site: for this you need a fixed IP address. ISPs have such addresses but it isn't normally true for their clients
    2. to check your own web pages: in that case, you just have to launch the server (/etc/rc.d/init.d/httpd start) when needed.
    The configuration file sfor this daemon can be found in /etc/httpd/conf. A web server as any other server, can become a true invitation to visit your machine, perhaps to damage it, if it is badly configured. This can become a bit annoying in some cases. Let's say a bank for instance, if the customers names are readable (perhaps their passwords)... just go and visit www.kitetoa.com, you won't regret it ;-) ( Translator's note: Unfortunately, French only!)
     

    Printing

    Only one question: will you be printing from your machine? If the answer is no, Bastille-Linux deactivates the lpd daemon and removes the SUID bit from lpr and lprm. =============

    FTP

    From a security point of view, FTP can be the source of many problems. For example, when initiating a connection, passwords are transferred in clear text. The same holds for the data, it is dangerous if it is sensitive data (financial or medical data...)

    Furthermore, lately security holes have been found in wu-ftpd. If you need to leave that server running, Bastille-Linux allows to restrict some features.

    The file managing the FTP server access is /etc/ftpacces.

    A few more tricks and tips

    As I said before, Bastille-Linux is a great educational tool. Questions and comments are meaningful. When things are not so clear, many resources are available to find the right answer. The best way to learn about a given subject is to use the desired module.

    To do that, just backup the file containing the questions. Next, edit the Questions.txt file. Every module begins with the FILE keyword... just keep what you need.

    /root/Bastille >> cp Questions.txt Questions.txt-orig
    /root/Bastille >> emacs Questions.txt BackEnd.pl &
    /root/Bastille >> ./InteractiveBastille

    Of course Bastille-Linux measures are not enough to secure your system:

    1. no system is 100% secure;
    2. more measures are required to complete Bastille-Linux "work".
    Among these measures you can think of are log file analyzers, port scan detection (portsentry, snort, snplog, etc ...), using www.openwall.com kernel patch (non executable stack, directories /tmp and /proc rights restriction, etc...).

    It's a long and difficult way to secure a system. You must keep your self informed about security holes (by means of mailing lists such as bugtraq from securityfocus site, for example).

    Conclusion

    Bastille-Linux helps to secure a well known distribution . You could say: "then why use this one?" Sure ... but RedHat (Mandrake - they are quite similar) has some nice features. The aim of this article is not to promote (or to blame) a distribution. After all, the freedom of choice is one of the strength of free software. As a matter of fact this article has various goals. First, to show you the permanent worry of a sysadmin who lives in fear of seeing his network destroyed by some people yearning for shivers. On the other hand, this tool allows you to deeply visit the configuration of a Linux system. In this perspective, it's a good way, not only for newbies but for advanced users too, to discover the mystery of Linux configuration.

    The two fundamental and general concepts are minimalism and depth. Less running services means less security holes. For each of these services, various protections are better than one... but this is double-edged since a bad configured protection (or the conjunction of various) can turn against you.

    Last, let's mention the next version will be named BUS (Bastille Unix Security). It will be a clever mixture of Bastille-Linux and Msec (Mandrake Security Project), the later one being renamed to Usec (Unix Security Project).


     
     


    References



    Last modified: Mon Jun 12 16:40:50 CEST 2000