
Practical Exercises in Linux Hardening (Travaux Pratiques de Sécurisation Linux)

Denis Ducamp / Hervé Schauer Consultants


9 December 1999. Reproduction strictly prohibited.

1. Introduction

These practical exercises cover the following two topics:

- Complete hardening of a Linux server, and setting up an Apache web server.
- Setting up a firewall under Linux with ipchains.

2. Complete hardening of a Linux server

- Network security
- Restricting privileged access
- Logging
- Miscellaneous: files and passwords

2.1 Network security

- Install ssh / ssf
- Comment out every service in inetd.conf that is not needed, and protect the remaining ones with tcp-wrapper (tcpd, with the access rules in /etc/hosts.allow and /etc/hosts.deny)
- Clean up the /etc/rc.d/ tree (remove the start-up links of every daemon that has no reason to run)

2.2 Restricting privileged access

- Limit the list of terminals in /etc/securetty (root may only log in on the terminals listed there)
- Complete /etc/ftpusers (accounts that must not log in over FTP, root first)
- Complete /etc/sshd_config
- Use calife and/or sudo rather than handing out the root password

2.3 Logging

- Complete /etc/syslog.conf
- Install process accounting
- Manage the logs (rotation and archiving)

2.4 Miscellaneous

- Secure the files
  - setuid and setgid programs: find / -type f \( -perm -04000 -o -perm -02000 \)
  - world-writable files: find / -perm -2 ! -type l -ls
  - files without an owner or without a group: find / \( -nouser -o -nogroup \) -ls
    (the parentheses are needed: without them -ls applies to -nogroup alone and the -nouser hits are never listed)

- Secure the passwords
  - shadow protection
  - MD5 hashing of passwords
  - hardening
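The three file audits of section 2.4, as an added example that is not part of the handout: each find command is wrapped in a function and run against a small constructed directory tree (file names and layout are assumptions made for the example), so the expected hits can be checked. -xdev, which the original commands lack, keeps each run on one filesystem so that /proc, NFS mounts and the like are skipped when the tree is /.

```shell
#!/bin/sh
# Added example (not from the handout): the file audits of section 2.4 as
# functions, plus a constructed sample tree with one hit per check.

# audit_suid DIR -> regular files with the setuid or setgid bit set
audit_suid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null | sort
}

# audit_world_writable DIR -> world-writable entries, symlinks excluded
# (a symlink's own mode is always 0777 and says nothing about its target)
audit_world_writable() {
    find "$1" -xdev -perm -0002 ! -type l 2>/dev/null | sort
}

# audit_unowned DIR -> entries whose uid or gid maps to no account; the
# parentheses matter, otherwise the action binds to -nogroup alone
audit_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null | sort
}

# build_sample_tree DIR -> constructed tree: one setuid program, one
# world-writable file and one symlink that must not be reported. An
# ownerless file needs root to create, so none is made here.
build_sample_tree() {
    mkdir -p "$1/bin" "$1/tmp"
    chmod 0755 "$1" "$1/bin" "$1/tmp"
    printf '#!/bin/sh\nid\n' > "$1/bin/ok"
    chmod 0755 "$1/bin/ok"
    printf '#!/bin/sh\nid\n' > "$1/bin/suidprog"
    chmod 4755 "$1/bin/suidprog"          # hit for audit_suid
    : > "$1/tmp/scratch"
    chmod 0666 "$1/tmp/scratch"           # hit for audit_world_writable
    ln -sf /etc/passwd "$1/tmp/link"      # 0777 link, excluded by ! -type l
}

# Stand-alone run: build the tree in a temporary directory and report.
if [ "${AUDIT_DEMO:-1}" = 1 ] && [ -z "$AUDIT_NO_DEMO" ]; then
    demo=$(mktemp -d)
    build_sample_tree "$demo"
    echo "setuid/setgid:";   audit_suid "$demo"
    echo "world-writable:";  audit_world_writable "$demo"
    echo "unowned:";         audit_unowned "$demo"
    rm -rf "$demo"
fi
```

On a real system the functions are run with / as the argument and the output kept as a baseline, so that a later run can be diffed against it; a new setuid binary appearing between two runs is the kind of change the handout's checks are there to catch.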

3. Setting up an Apache web server

- Installing OpenSSL
- Installing mod_ssl
- Installing and configuring Apache
- Creating a certificate

3.1 Installing OpenSSL

    $ cd /usr/src
    $ tar xzvf openssl-0.9.4.tar.gz
    $ cd openssl-0.9.4
    $ ./config
    $ make
    # make install

3.2 Installing mod_ssl

    $ cd /usr/src
    $ tar xzvf apache_1.3.9.tar.gz
    $ tar xzvf mod_ssl-2.4.9-1.3.9.tar.gz
    $ cd mod_ssl-2.4.9-1.3.9
    $ ./configure --with-apache=../apache_1.3.9

3.3 Installing Apache

    $ cd /usr/src/apache_1.3.9
    $ SSL_BASE=SYSTEM ./configure --enable-module=ssl --enable-module=info \
          --disable-module=cgi --disable-module=actions
    $ make
    $ make certificate TYPE=custom
    # make install

SSL_BASE=SYSTEM points the build at the OpenSSL just installed system-wide. The cgi and actions modules are disabled because this server will not run CGI scripts; every module that is compiled in but not needed is attack surface.

3.4 Creating a certificate

Dialogue of make certificate TYPE=custom. The answers given during the exercise follow the colon; an empty answer keeps the default shown in brackets, and a single period leaves the field empty.

    STEP 0: Decide the signature algorithm used for certificates
    Signature Algorithm ((R)SA or (D)SA) [R]:
    STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
    STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
    1. Country Name             (2 letter code) [XY]:FR
    2. State or Province Name   (full name)     [Snake Desert]:.
    3. Locality Name            (eg, city)      [Snake Town]:Levallois-Perret
    4. Organization Name        (eg, company)   [Snake Oil, Ltd]:GroarWare
    5. Organizational Unit Name (eg, section)   [Certificate Authority]:Sined
    6. Common Name              (eg, CA name)   [Snake Oil CA]:GroarWare CA
    7. Email Address            (eg, name@FQDN) [ca@snakeoil.dom]:ducamp@formule.hsc.fr
    8. Certificate Validity     (days)          [365]:
    STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
    STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
    STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
    1. Country Name             (2 letter code) [XY]:FR
    2. State or Province Name   (full name)     [Snake Desert]:.
    3. Locality Name            (eg, city)      [Snake Town]:Levallois-Perret
    4. Organization Name        (eg, company)   [Snake Oil, Ltd]:GroarWare
    5. Organizational Unit Name (eg, section)   [Webserver Team]:Sined
    6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:formule.hsc.fr
    7. Email Address            (eg, name@fqdn) [www@snakeoil.dom]:ducamp@formule.hsc.fr
    8. Certificate Validity     (days)          [365]:
    STEP 6: Generating X.509 certificate signed by own CA [server.crt]
    STEP 7: Encrypting RSA private key of CA with a pass phrase for security [ca.key]
    Encrypt the private key now? [Y/n]:
    Fine, you're using an encrypted private key.
    STEP 8: Encrypting RSA private key of SERVER with a pass phrase for security [server.key]
    Encrypt the private key now? [Y/n]: n
    Please notice this fact and do this on your own risk.
    RESULT: CA and Server Certification Files

Answering n at STEP 8 lets Apache start without someone typing a pass phrase, but the server key is then protected by nothing except file permissions: server.key must be owned by root with mode 0400. The CA key stays encrypted, and has no reason to remain on the web server once the server certificate has been signed.
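What the STEP 0 to STEP 8 dialogue of section 3.4 produces, as an added example that is not part of the handout or of mod_ssl: the same CA and server certificate built with plain openssl commands, followed by the checks worth running on the result before the files go into the Apache configuration. Assumptions made for the example: a current openssl binary in PATH, 2048-bit RSA keys instead of the 1024 bits of 1999, the subject fields of the exercise without the e-mail address, and a CA pass phrase taken from the CA_PASS variable (the default value is a placeholder). As in the handout, the CA key is encrypted and the server key is not.

```shell
#!/bin/sh
# Added example (not from the handout): CA + server certificate as produced
# by "make certificate TYPE=custom", built with openssl, then checked.
CA_PASS=${CA_PASS:-change-me-ca-passphrase}   # placeholder, assumption

# build_pki DIR -> ca.key (encrypted), ca.crt, server.key (unencrypted, the
# handout's STEP 8 answer "n"), server.csr and server.crt signed by the CA
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # STEP 1-3 and 7: CA key (encrypted with the pass phrase) + self-signed CA cert
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
        -keyout "$dir/ca.key" -passout "pass:$CA_PASS" -out "$dir/ca.crt" \
        -subj "/C=FR/L=Levallois-Perret/O=GroarWare/OU=Sined/CN=GroarWare CA" \
        >/dev/null 2>&1
    # STEP 4-5 and 8: server key left unencrypted (-nodes) + CSR
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" \
        -subj "/C=FR/L=Levallois-Perret/O=GroarWare/OU=Sined/CN=formule.hsc.fr" \
        >/dev/null 2>&1
    # STEP 6: server certificate signed by our own CA
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -out "$dir/server.crt" >/dev/null 2>&1
    # the unencrypted server key is protected by file permissions only
    chmod 0400 "$dir/server.key" "$dir/ca.key"
}

# verify_chain DIR -> "OK" when server.crt chains to ca.crt, else "FAIL"
verify_chain() {
    if openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# key_matches_cert DIR -> "match" when server.key is the key of server.crt
# (same RSA modulus), else "mismatch"
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null)
    if [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]; then
        echo match
    else
        echo mismatch
    fi
}

# key_encryption_state FILE -> "encrypted" or "unencrypted", from the PEM header
key_encryption_state() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; else echo unencrypted; fi
}

# key_mode_ok FILE -> "ok" when only the owner can read the key file
key_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in
        400|600) echo ok ;;
        *) echo "too open ($mode)" ;;
    esac
}

# Stand-alone run: build into a temporary directory and report the checks.
if [ -z "$PKI_NO_DEMO" ]; then
    demo=$(mktemp -d)
    build_pki "$demo"
    echo "chain: $(verify_chain "$demo")"
    echo "key/cert: $(key_matches_cert "$demo")"
    echo "ca.key: $(key_encryption_state "$demo/ca.key")"
    echo "server.key: $(key_encryption_state "$demo/server.key"), mode $(key_mode_ok "$demo/server.key")"
    rm -rf "$demo"
fi
```

The two last checks are the ones that matter operationally: an unencrypted server.key that is readable by anyone but root gives away the server's identity to every local account, and a server.crt that does not match server.key makes Apache refuse to start with a far less explicit error.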

3.5 Configuring Apache

- Remove the <IfDefine SSL> lines and their matching </IfDefine> lines from /usr/local/apache/conf/httpd.conf, so that SSL is always active and not only when the server is started with -DSSL (apachectl startssl).
- Change port 8080 to 80 and port 8443 to 443.
- Run apachectl start.

Contents of /usr/local/apache/logs/ssl_engine_log:

    [30/Nov/1999 10:35:51 32728] [info] Server: Apache/1.3.9, Interface: mod_ssl/2.4.9, Library: OpenSSL/0.9.4
    [30/Nov/1999 10:35:51 32728] [info] Init: 1st startup round (still not detached)
    [30/Nov/1999 10:35:51 32728] [info] Init: Initializing OpenSSL library
    [30/Nov/1999 10:35:51 32728] [info] Init: Loading certificate & private key of SSL-aware server formule.hsc.fr:443
    [30/Nov/1999 10:35:51 32728] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [30/Nov/1999 10:35:53 32728] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [30/Nov/1999 10:35:53 32729] [info] Init: 2nd startup round (already detached)
    [30/Nov/1999 10:35:53 32729] [info] Init: Reinitializing OpenSSL library
    [30/Nov/1999 10:35:54 32729] [info] Init: Seeding PRNG with 512 bytes of entropy
    [30/Nov/1999 10:35:54 32729] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
    [30/Nov/1999 10:35:54 32729] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [30/Nov/1999 10:35:54 32729] [info] Init: Initializing (virtual) servers for SSL
    [30/Nov/1999 10:35:54 32729] [info] Init: Configuring server formule.hsc.fr:443 for SSL protocol

The line "Loading certificate & private key" is where an encrypted server key would have stopped the start-up to ask for its pass phrase; with the unencrypted key chosen in 3.4 the server comes up unattended.

3.6 Tests

With openssl:

    $ /usr/local/ssl/bin/openssl s_client -connect localhost:443
    ...
    ---
    SSL handshake has read 1329 bytes and written 299 bytes
    ---
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 1024 bit
    ...
    ---
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Tue, 30 Nov 1999 09:42:26 GMT
    Server: Apache/1.3.9 (Unix) mod_ssl/2.4.9 OpenSSL/0.9.4
    Last-Modified: Mon, 29 Nov 1999 16:44:17 GMT
    ETag: "97bfc-a71-3842ad61"
    Accept-Ranges: bytes
    Content-Length: 2673
    Connection: close
    Content-Type: text/html

    closed

The handshake summary confirms the negotiated cipher and the size of the server key; the request typed after it (HEAD / HTTP/1.0 followed by an empty line) confirms that Apache answers over the encrypted channel. Note that the Server header announces the exact Apache, mod_ssl and OpenSSL versions to any client.

With Netscape.

4. Setting up a firewall under Linux with ipchains

- Initialisation
- Accepting a local flow
- Allowing a flow
- Allowing a flow with address masquerading
- Saving / restoring
- Miscellaneous: anti-spoofing and IP forwarding / masquerading

4.1 Initialisation

- Change the default policies:
    # ipchains -P input DENY
    # ipchains -P output DENY
    # ipchains -P forward DENY
- Flush all the rules from all chains: # ipchains -F
- Zero all the counters: # ipchains -Z

The policies are set to DENY before the chains are flushed, so that the host is never left open while the rules are being reloaded.

4.2 Accepter un flux local

En entre : serveur WEB # ipchains -A input -i eth0 -p TCP -s 0/0 1024: -d 192.70.106.33 80 -j ACCEPT # ipchains -A output -i eth0 -p TCP -s 192.70.106.33 80 -d 0/0 1024: ! -y -j ACCEPT

En sortie : relais SQUID / client WEB # ipchains -A output -i eth0 -p TCP -s 192.70.106.33 1024: -j ACCEPT # ipchains -A input -i eth0 -p TCP -s 0/0 1024: -d 192.70.106.33 80 ! -y -j ACCEPT

4.3 Allowing a flow

Transit flows cross the firewall from one interface to another; they traverse the input, forward and output chains. Here the 192.70.106/24 network is allowed to reach web servers outside.

Method 1: one rule per direction, the return rule restricted to non-SYN packets
    # ipchains -A forward -p TCP -s 192.70.106/24 1024: -d 0/0 80 -j ACCEPT
    # ipchains -A forward -p TCP -s 0/0 80 -d 192.70.106/24 1024: ! -y -j ACCEPT

Method 2: reject inbound connection requests first, then add both directions with one bidirectional rule (-b appends the rule and its mirror image)
    # ipchains -A forward -p TCP -s 0/0 80 -d 192.70.106/24 1024: -y -j REJECT
    # ipchains -b -A forward -p TCP -s 192.70.106/24 1024: -d 0/0 80 -j ACCEPT

In method 2 the order is essential: the chain is evaluated top to bottom and the first match wins, so the REJECT must come before the bidirectional ACCEPT.

4.4 Allowing a flow with address masquerading

Same flow for a private network (192.168/16, RFC 1918 addresses that cannot be routed on the Internet): the MASQ target rewrites the source address to that of the firewall on the way out.

Method 1
    # ipchains -A forward -p TCP -s 192.168/16 1024: -d 0/0 80 -j MASQ
    # ipchains -A forward -p TCP -s 0/0 80 -d 192.168/16 1024: ! -y -j MASQ

Method 2
    # ipchains -A forward -p TCP -s 0/0 80 -d 192.168/16 1024: -y -j REJECT
    # ipchains -b -A forward -p TCP -s 192.168/16 1024: -d 0/0 80 -j MASQ

4.5 Saving / restoring

    # /sbin/ipchains-save
    # /sbin/ipchains-restore

ipchains-save writes the current rules and policies to standard output; ipchains-restore reads that format back from standard input, so the saved file is what the boot scripts reload.

4.6 Miscellaneous

Anti-spoofing: run as early as possible in the boot sequence, before any interface carries traffic.

    # This is the best method: turn on Source Address Verification and get
    # spoof protection on all current and future interfaces.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo -n "Setting up IP spoofing protection..."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > $f
        done
        echo "done."
    else
        echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
        echo "CONTROL-D will exit from this shell and continue system startup."
        echo
        # Start a single user shell on the console
        /sbin/sulogin $CONSOLE
    fi

rp_filter makes the kernel drop a packet whose source address would not be routed back through the interface it arrived on, which defeats packets arriving from outside with an inside source address.

IP forwarding / masquerading: run as late as possible, once the rules are loaded, so that no packet is routed between interfaces before the forward chain is in place.

    # echo 1 > /proc/sys/net/ipv4/ip_forward
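The fragments of section 4 assembled into one script, in the order the handout prescribes (anti-spoofing first, DENY policies and flush, the rules, IP forwarding last). This is an added example, not a script from the handout. Assumptions made for it: the handout's server 192.70.106.33 on eth0 is also the firewall for a masqueraded 192.168/16 LAN on an internal interface named eth1; loopback and the eth1 input/output rules are additions without which the forward rules of 4.4 would have no way to receive the LAN's packets; the IPCHAINS and SYSCTL_ROOT variables exist only so that the script can be dry-run (IPCHAINS="echo ipchains" prints the rules instead of loading them, SYSCTL_ROOT redirects the /proc writes to another tree) on a machine without ipchains.

```shell
#!/bin/sh
# Added example (not from the handout): section 4 as one ordered ruleset.
IPCHAINS=${IPCHAINS:-ipchains}            # "echo ipchains" for a dry run
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}     # another tree for a dry run
EXT_IF=eth0                               # public side (handout)
INT_IF=eth1                               # LAN side (assumed name)
ME=192.70.106.33                          # the firewall's own address
LAN=192.168/16                            # masqueraded private network

# set_rp_filter VALUE -> source address verification on all interfaces
# (section 4.6, anti-spoofing); returns 1 when the kernel has no rp_filter
set_rp_filter() {
    [ -e "$SYSCTL_ROOT/net/ipv4/conf/all/rp_filter" ] || return 1
    for f in "$SYSCTL_ROOT"/net/ipv4/conf/*/rp_filter; do
        echo "$1" > "$f"
    done
}

# set_ip_forward VALUE -> routing between interfaces on (1) or off (0)
set_ip_forward() {
    echo "$1" > "$SYSCTL_ROOT/net/ipv4/ip_forward"
}

# fw_rules -> the ordered ruleset, one ipchains argument list per line:
# 4.1 policies and flush, loopback, 4.2 local web server and web client,
# LAN side of the transit flow, 4.4 masqueraded transit (method 1)
fw_rules() {
cat <<EOF
-P input DENY
-P output DENY
-P forward DENY
-F
-Z
-A input -i lo -j ACCEPT
-A output -i lo -j ACCEPT
-A input -i $EXT_IF -p TCP -s 0/0 1024: -d $ME 80 -j ACCEPT
-A output -i $EXT_IF -p TCP -s $ME 80 -d 0/0 1024: ! -y -j ACCEPT
-A output -i $EXT_IF -p TCP -s $ME 1024: -d 0/0 80 -j ACCEPT
-A input -i $EXT_IF -p TCP -s 0/0 80 -d $ME 1024: ! -y -j ACCEPT
-A input -i $INT_IF -p TCP -s $LAN 1024: -d 0/0 80 -j ACCEPT
-A output -i $INT_IF -p TCP -s 0/0 80 -d $LAN 1024: ! -y -j ACCEPT
-A forward -p TCP -s $LAN 1024: -d 0/0 80 -j MASQ
EOF
}

# fw_apply -> anti-spoofing first, then the rules, forwarding last;
# stops (forwarding left off) if any rule fails to load
fw_apply() {
    set_rp_filter 1 || echo "WARNING: no rp_filter, no spoofing protection" >&2
    while read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPCHAINS $rule || return 1
    done <<EOF
$(fw_rules)
EOF
    set_ip_forward 1
}

# Stand-alone run: dry run unless FW_LIVE=1 is set, so the script is safe
# to read and try on a machine that is not the firewall.
if [ -z "$FW_NO_DEMO" ]; then
    if [ "${FW_LIVE:-0}" = 1 ]; then
        fw_apply
    else
        echo "# dry run; FW_LIVE=1 loads the rules"
        fw_rules | sed "s/^/$IPCHAINS /"
    fi
fi
```

The masqueraded web traffic needs no extra rules on the public side: after MASQ the packet leaves eth0 with the firewall's own address and a high source port, which the 4.2 web-client output rule already accepts, and the replies match that flow's ! -y input rule before being de-masqueraded towards the LAN.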
