30.5 IPFilter and Bastille

HP-UX IPFilter is a stateful system firewall that filters IP packets to control packet flow in or out of a machine. It works as a security defense by decreasing the number of exposure points on a machine.

HP-UX IPFilter is based on ipfilter v3.5 alpha 5 from the Open Source community. At the heart of the configuration is a set of rules that control whether packets are allowed into or out of a machine. Its key benefits can be summarized as follows:

  • Protects an individual host on an intranet against internal attacks.

  • Protects an individual host on an intranet against external attacks that have breached perimeter defenses.

  • Provides an alternative to the restricted configuration of Internet Services.

  • Protects a bastion host on the perimeter or in the DMZ.

IPFilter is available for HP-UX 11.0 and 11i (version 1, 1.6, and 2.0) as a free download from http://software.hp.com - Security and Manageability. We look at a basic configuration to limit access to particular services.

HP-UX Bastille is a security hardening/lockdown tool that can be used to enhance the security of the HP-UX operating system. It provides customized lockdown on a system-by-system basis by encoding functionality similar to the Bastion Host white paper, which is available at http://www.hp.com/products1/unix/operating/infolibrary/whitepapers/building_a_bastion_host.pdf and which is included in Appendix E. (Read this document; it is exceptionally good!) It also provides other hardening/lockdown checklists.

Bastille was originally developed by the Open Source community for use on Linux systems. Here are some of its key features:

  • Configures daemons and system settings to be more secure.

  • Turns off unneeded services such as pwgrd.

  • Helps create chroot jails that partially limit the vulnerability of common Internet services such as Web servers and DNS.

  • User interface designed to educate users.

  • Configures Security Patch Check to run automatically.

  • Configures an IPFilter-based firewall.

  • Includes a "revert" feature that returns the security configuration to the state before Bastille was run.

Like IPFilter, HP-UX Bastille is available for free download from http://software.hp.com - Security and Manageability. As you can see, Bastille has a built-in feature to include an IPFilter firewall. You do not need to use both of these utilities together; however, if you are looking at hardening a particular server, then it makes sense to consider both free products.

Let's start by having a quick look at IPFilter.

30.5.1 Installing IPFilter

Installing the software requires a reboot even though the software introduces a DLKM into the system:

 

    root@hpeos004[.root] swlist -l fileset -a is_reboot -d @ /software/11i-PA/IPFilter
    # Initializing...
    # Contacting target "hpeos004"...
    #
    # Target:  hpeos004:/software/11i-PA/IPFilter
    #
    # IPF-HP
      IPF-HP.IPF-DEMO       false
      IPF-HP.IPF-MAN        false
      IPF-HP.IPF-MIN        false
      IPF-HP.IPF-MIN        false
      IPF-HP.IPF2-DLKM      true
      IPF-HP.IPF2-DLKM      true
    # PFIL-HP
      PFIL-HP.PFIL-MIN      false
      PFIL-HP.PFIL2-DLKM    true
      PFIL-HP.PFIL2-DLKM    true
    root@hpeos004[.root]

Once installed, we need to check that the DLKM modules (pfil and ipf) are LOADED.

 

    root@hpeos004[.root] kmadmin -s
    Name            ID      Status          Type
    =====================================================
    krm             1       UNLOADED        WSIO
    rng             2       LOADED          WSIO
    pfil            3       LOADED          STREAMS
    ipf             4       LOADED          WSIO
    root@hpeos004[.root]

We now need to establish a set of rules for blocking or passing packets to and from this particular host.

30.5.2 Basic IPFilter rules

The default rules file for IPFilter is /etc/opt/ipf/ipf.conf. By default, it is empty:

 

    root@hpeos004[.root] ll /etc/opt/ipf/ipf.conf
    -rw-r--r--   1 root       sys              0 Oct 17 12:38 /etc/opt/ipf/ipf.conf
    root@hpeos004[.root]

IPFilter is started automatically (see /etc/rc.config.d/ipfconf and /sbin/init.d/ipfboot), but with an empty rules file there are no rules to apply, i.e., we are blocking no LAN cards, IP addresses, protocols, or port numbers.

 

    root@hpeos004[.root] ipf -V
    ipf: HP IP Filter: v3.5alpha5 (A.03.05.08) (368)
    Kernel: HP IP Filter: v3.5alpha5 (A.03.05.08)
    Running: yes
    Log Flags: 0 = none set
    Default: pass all, Logging: available
    Active list: 1
    root@hpeos004[.root]

One way to approach IPFilter is to apply the concept known as least privilege: block everything, then allow only specific entities access to the services they need. This could result in a very simple rules file of the following form:

 

    root@hpeos004[ipf] pwd
    /etc/opt/ipf
    root@hpeos004[ipf] cat ipf.conf
    block in all
    block out all
    root@hpeos004[ipf]

To load this as the active ruleset, we use the ipf command:

 

    root@hpeos004[ipf] ipf -Fa -f $PWD/ipf.conf
    root@hpeos004[ipf]
    root@hpeos004[ipf] ipfstat -io
    block out from any to any
    block in from any to any
    root@hpeos004[ipf]
    root@hpeos004[ipf] ping hpeos002 64 3
    PING hpeos002: 64 byte packets

    ----hpeos002 PING Statistics----
    3 packets transmitted, 0 packets received, 100% packet loss
    root@hpeos004[ipf]

Be very careful with this configuration, because its effect is immediate: no one will be able to communicate with any network service into or out of this machine. Be careful, too, of the order of entries in the rules file. Of all the rules that match a packet, the last one is the one that applies. Look at this simple example:

 

    root@hpeos004[ipf] vi ipf.conf
    block in proto icmp from any to any
    pass in proto icmp from any to any
    root@hpeos004[ipf]
    root@hpeos004[ipf] ipf -Fa -f $PWD/ipf.conf
    root@hpeos004[ipf] ipfstat -io
    empty list for ipfilter(out)
    block in proto icmp from any to any
    pass in proto icmp from any to any
    root@hpeos004[ipf]

Can we ping a distant machine? Yes, because the pass rule is the last rule processed and it matches the packets in question. One way to get around this is to apply the quick keyword:

 

    root@hpeos004[ipf] vi ipf.conf
    block in quick proto icmp from any to any
    pass in proto icmp from any to any
    root@hpeos004[ipf]
    root@hpeos004[ipf] ipf -Fa -f $PWD/ipf.conf
    root@hpeos004[ipf] ipfstat -io
    empty list for ipfilter(out)
    block in quick proto icmp from any to any
    pass in proto icmp from any to any
    root@hpeos004[ipf]

The effect is that if we match a rule utilizing the quick keyword, no further ruleset matches are performed for that packet.

 

    root@hpeos004[ipf] ping hpeos003 64 3
    PING hpeos003: 64 byte packets

    ----hpeos003 PING Statistics----
    3 packets transmitted, 0 packets received, 100% packet loss
    root@hpeos004[ipf]

Another important mechanism for improving the efficiency of IPFilter is to configure a rule that establishes an entry in the IPFilter kernel state table. If a packet matches an entry in the state table, it passes through the firewall without being checked against the rulesets, which improves the performance of the IPFilter system. IPFilter checks both inbound and outbound packets against the state table, and if either an inbound or an outbound packet matches a session in the state table, it is not checked against the ruleset. In this configuration, I am applying a quick rule that allows access to port 22 (used by Secure Shell). Once the initial SSH packets are received, a state table entry is set up, and the remainder of the SSH session continues without any further packets within the session being checked against the IPFilter ruleset.

 

    root@hpeos004[ipf] vi ipf.conf
    pass in quick proto tcp from any to 192.168.0.66/32 port = 22 keep state
    pass out quick proto tcp from any to any keep state
    block in log quick all
    block out log quick all
    root@hpeos004[ipf]
    root@hpeos004[ipf] ipf -Fa -f $PWD/ipf.conf
    root@hpeos004[ipf] ipfstat -io
    pass out quick proto tcp from any to any keep state
    block out log quick from any to any
    pass in quick proto tcp from any to 192.168.0.66/32 port = 22 keep state
    block in log quick from any to any
    root@hpeos004[ipf]

First, notice that I have included logging of any attempts to access my server that are blocked. This produces lots of output (the ipmon daemon sends its output to syslog). It gives me an idea of who is trying to contact me and what services and protocols they are using. I would suggest turning on full logging of blocked packets like this only if you are sure that's what you want to achieve.
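Because the block rules above log every rejected packet through ipmon to syslog, here is an added Python script (not part of this text or of IPFilter) that turns that volume into a per-source, per-port summary and flags sources that probed several ports. The sample syslog lines are constructed in ipmon's record layout as assumed here; check the field order against your own syslog before relying on the regular expression.

```python
"""Summarise ipmon block records from syslog (added example, not IPFilter's own code).
With 'block in log quick all' every rejected packet becomes one ipmon line in syslog;
this groups them by source and destination port and flags sources that touched several
ports. The sample lines are constructed in the ipmon syslog layout assumed here; confirm
the field order against /var/adm/syslog/syslog.log on your own system before trusting it.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one passed ssh connection, a few blocked probes, one blocked
# outbound UDP packet and one unrelated sshd record that must be ignored.
SAMPLE_SYSLOG = """\
Oct 17 14:20:01 hpeos004 ipmon[1234]: 17/10/2003 14:20:01.102334 lan1 @0:1 p 192.168.0.65,49496 -> 192.168.0.66,22 PR tcp len 20 44 -S IN
Oct 17 14:22:53 hpeos004 ipmon[1234]: 17/10/2003 14:22:53.489102 lan1 @0:3 b 192.168.0.65,49501 -> 192.168.0.66,23 PR tcp len 20 44 -S IN
Oct 17 14:22:54 hpeos004 ipmon[1234]: 17/10/2003 14:22:54.001277 lan1 @0:3 b 192.168.0.70,40001 -> 192.168.0.66,23 PR tcp len 20 44 -S IN
Oct 17 14:22:54 hpeos004 ipmon[1234]: 17/10/2003 14:22:54.003318 lan1 @0:3 b 192.168.0.70,40002 -> 192.168.0.66,21 PR tcp len 20 44 -S IN
Oct 17 14:22:54 hpeos004 ipmon[1234]: 17/10/2003 14:22:54.005402 lan1 @0:3 b 192.168.0.70,40003 -> 192.168.0.66,111 PR tcp len 20 44 -S IN
Oct 17 14:22:54 hpeos004 ipmon[1234]: 17/10/2003 14:22:54.007519 lan1 @0:3 b 192.168.0.70,40004 -> 192.168.0.66,512 PR tcp len 20 44 -S IN
Oct 17 14:23:10 hpeos004 ipmon[1234]: 17/10/2003 14:23:10.330019 lan1 @0:3 b 192.168.0.65 -> 192.168.0.66 PR icmp len 20 84 icmp 8/0 IN
Oct 17 14:23:11 hpeos004 ipmon[1234]: 17/10/2003 14:23:11.120455 lan0 @0:4 b 192.168.0.66,514 -> 192.168.0.65,514 PR udp len 20 58 OUT
Oct 17 14:23:12 hpeos004 sshd[2211]: Accepted publickey for root from 192.168.0.65 port 49496 ssh2
"""

# ipmon record: date time iface @group:rule action src[,sport] -> dst[,dport] PR proto ... IN|OUT
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: (?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) .*?(?P<dir>IN|OUT)\s*$"
)


def parse_ipmon(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = IPMON_RE.search(line)
        if not m:
            continue                       # some other daemon's syslog record
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"]) if ev["sport"] else None
        ev["dport"] = int(ev["dport"]) if ev["dport"] else None   # None for icmp
        events.append(ev)
    return events


def blocked_inbound(events: list) -> Counter:
    """Blocked inbound packets counted per (source, protocol, destination port)."""
    return Counter((e["src"], e["proto"], e["dport"]) for e in events
                   if e["action"] == "b" and e["dir"] == "IN")


def port_sweeps(events: list, min_ports: int = 3) -> dict:
    """Sources whose blocked inbound packets touched at least min_ports distinct ports."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] == "b" and e["dir"] == "IN" and e["dport"] is not None:
            seen[e["src"]].add(e["dport"])
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}


def report(text: str) -> dict:
    events = parse_ipmon(text)
    blocked = blocked_inbound(events)
    return {
        "records": len(events),
        "blocked_in": sum(blocked.values()),
        "blocked_out": sum(1 for e in events if e["action"] == "b" and e["dir"] == "OUT"),
        "top_blocked": blocked.most_common(3),
        "sweeps": port_sweeps(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_SYSLOG).items():
        print(f"{key}: {value}")
```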

The configuration above blocks anything other than ssh access into this machine, and no one can use network services to leave this machine. I can now attempt an ssh session from another node:

    root@hpeos003[.root] ssh 192.168.0.66
    Last   successful login for root: Fri Oct 17 14:18:58 GMT0BST 2003 on console
    Last unsuccessful login for root: Fri Oct 17 14:22:53 GMT0BST 2003
    Last login: Fri Oct 17 14:18:58 2003 from hpeos003
    (c)Copyright 1983-2000 Hewlett-Packard Co.,  All Rights Reserved.
    (c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
    (c)Copyright 1980, 1984, 1986 Novell, Inc.
    (c)Copyright 1986-1992 Sun Microsystems, Inc.
    (c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
    (c)Copyright 1989-1993  The Open Software Foundation, Inc.
    (c)Copyright 1986 Digital Equipment Corp.
    (c)Copyright 1990 Motorola, Inc.
    (c)Copyright 1990, 1991, 1992 Cornell University
    (c)Copyright 1989-1991 The University of Maryland
    (c)Copyright 1988 Carnegie Mellon University
    (c)Copyright 1991-2000 Mentat Inc.
    (c)Copyright 1996 Morning Star Technologies, Inc.
    (c)Copyright 1996 Progressive Systems, Inc.
    (c)Copyright 1991-2000 Isogon Corporation, All Rights Reserved.

                               RESTRICTED RIGHTS LEGEND
    Use, duplication, or disclosure by the U.S. Government is subject to
    restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
    Technical Data and Computer Software clause in DFARS 252.227-7013.

                               Hewlett-Packard Company
                               3000 Hanover Street
                               Palo Alto, CA 94304 U.S.A.

    Rights for non-DOD U.S. Government Departments and Agencies are as set
    forth in FAR 52.227-19(c)(1,2).

    Value of TERM has been set to "dtterm".
    WARNING:  YOU ARE SUPERUSER !!
    Erase set to Delete
    Kill is Ctrl-U
    root@hpeos004[.root]

Notice that I have specified an IP address on the ssh command line. The node hpeos004 is a multi-homed machine, so I may need to add additional entries if I want to allow access via other interfaces/IP addresses. I can now view the state table on node hpeos004:

 

    root@hpeos004[ipf] ipfstat -sl
    192.168.0.65 -> 192.168.0.66 ttl 101338 pass 0x500a pr 6 state 4/4
            pkts 89 bytes 19856     49496 -> 22 2d8cc5c8:2b96789e 32768:32768
            cmsk 0000 smsk 0000 isc 0000000000000000 s0 2d8cbaa0/2b9663fe
            sbuf[0] [\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0]
            sbuf[1] [\0\0\0\0\0\0\0\0\0\0 \0\0\0\0\0\0]
            pass in quick keep state
            IPv4
            pkt_flags & 2(b2) = b, pkt_options & ffffffff = 0
            pkt_security & ffff = 0, pkt_auth & ffff = 0
            interfaces: in lan1[0000000041fe3400] out -[0000000000000000]
    root@hpeos004[ipf]

If I had configured IP multiplexing on that interface and wanted to allow ssh access regardless of the IP address, I could have used a configuration that specifies the LAN card rather than the IP address:

 

    root@hpeos004[ipf] cat ipf.conf
    pass in quick on lan1 proto tcp from any to any port = 22 keep state
    pass out quick proto tcp from any to any keep state
    block in log quick all
    block out log quick all
    root@hpeos004[ipf]
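To make the evaluation order walked through in this section concrete (the last matching rule wins, quick ends evaluation, keep state bypasses the ruleset), here is an added Python model of that logic; it is not HP-UX IPFilter's own code, it understands only the rule syntax used above (including the on lan1 form), and it runs this section's own rulesets against constructed packets. The verdict when no rule matches is taken from the ipf -V output earlier (Default: pass all).

```python
"""Model of IPFilter rule evaluation (added example, not HP-UX IPFilter's own code).
Shows the three behaviours the text discusses: without 'quick' the LAST matching rule
wins; a matching 'quick' rule ends evaluation at once; 'keep state' records the flow so
later packets in it bypass the ruleset. Only this section's rule syntax is parsed.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# direction "in"/"out"; proto "tcp"/"udp"/"icmp"; sport and dport stay 0 for icmp
Packet = namedtuple("Packet", "direction proto src dst sport dport iface",
                    defaults=(0, 0, "lan1"))
KEYWORD_FIELDS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}


def parse_rule(line: str) -> dict:
    """pass|block in|out [log] [quick] [on IF] [proto P] (all | from A to B [port = N]) [keep state]"""
    toks = line.split()
    rule = {"action": toks[0], "direction": toks[1], "quick": False, "log": False,
            "iface": None, "proto": None, "src": "any", "dst": "any", "port": None,
            "keep_state": False}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in ("quick", "log"):
            rule[tok] = True
        elif tok == "all":
            pass                                  # shorthand for "from any to any"
        elif tok in KEYWORD_FIELDS:
            rule[KEYWORD_FIELDS[tok]] = toks[i + 1]; i += 1
        elif tok == "port":                       # only the "port = N" form is modelled
            rule["port"] = int(toks[i + 2]); i += 2
        elif tok == "keep" and toks[i + 1] == "state":
            rule["keep_state"] = True; i += 1
        else:
            raise ValueError(f"unsupported token {tok!r} in rule: {line}")
        i += 1
    return rule


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: dict, pkt: Packet) -> bool:
    return (rule["direction"] == pkt.direction
            and rule["iface"] in (None, pkt.iface)
            and rule["proto"] in (None, pkt.proto)
            and addr_matches(rule["src"], pkt.src) and addr_matches(rule["dst"], pkt.dst)
            and rule["port"] in (None, pkt.dport))


class Firewall:
    def __init__(self, conf: str):
        self.rules = [parse_rule(l) for l in conf.splitlines() if l.strip()]
        self.state = set()      # flows in the state table (direction-agnostic keys)
        self.logged = []        # (verdict, packet) for every hit on a "log" rule

    @staticmethod
    def flow_key(pkt: Packet) -> tuple:
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def filter(self, pkt: Packet) -> str:
        key = self.flow_key(pkt)
        if key in self.state:
            return "pass (state)"               # state-table hit: ruleset never consulted
        chosen = None
        for rule in self.rules:
            if rule_matches(rule, pkt):
                chosen = rule                    # remember the latest match...
                if rule["quick"]:
                    break                        # ...unless it is quick, which ends the walk
        if chosen is None:
            return "pass"                        # "Default: pass all", as ipf -V reports
        if chosen["log"]:
            self.logged.append((chosen["action"], pkt))
        if chosen["action"] == "pass" and chosen["keep_state"]:
            self.state.add(key)
        return chosen["action"]


# The rulesets this section loads with "ipf -Fa -f".
RULES_LAST_MATCH = "block in proto icmp from any to any\npass in proto icmp from any to any"
RULES_QUICK = "block in quick proto icmp from any to any\npass in proto icmp from any to any"
RULES_SSH_ONLY = """pass in quick proto tcp from any to 192.168.0.66/32 port = 22 keep state
pass out quick proto tcp from any to any keep state
block in log quick all
block out log quick all"""


def demo() -> dict:
    ping = Packet("in", "icmp", "192.168.0.65", "192.168.0.66")
    fw = Firewall(RULES_SSH_ONLY)
    syn = Packet("in", "tcp", "192.168.0.65", "192.168.0.66", sport=49496, dport=22)
    reply = Packet("out", "tcp", "192.168.0.66", "192.168.0.65", sport=22, dport=49496)
    telnet = Packet("in", "tcp", "192.168.0.65", "192.168.0.66", sport=49500, dport=23)
    return {
        "last_match": Firewall(RULES_LAST_MATCH).filter(ping),  # pass: the last match wins
        "quick": Firewall(RULES_QUICK).filter(ping),            # block: quick stops the walk
        "ssh_syn": fw.filter(syn),                              # pass, and a state entry is made
        "ssh_reply": fw.filter(reply),                          # pass (state): rules skipped
        "telnet": fw.filter(telnet),                            # block, and logged
        "blocked_logged": len(fw.logged),
    }
```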

30.5.2.1 POINTS TO CONSIDER WHEN SETTING UP IPFILTER

There is an excellent white paper that is used extensively in the documentation for IPFilter and can be found at http://www.obfuscation.org/ipf or at a mirror site such as http://www.darkart.com/mirrors/www.obfuscation.org/ipf/ipf-howto.txt. (I found this site to be down quite a bit.)

You can set up a vast number of different configurations with IPFilter. We can't go into all of them here. However, here are some points worth considering:

  • Don't block all ICMP packet types. Some ICMP packet types are useful in routing algorithms. However, do you really want other servers to be able to ping you (ICMP packet type 0 = echo reply)?

  • IPFilter sits at a lower level in the networking stack than IPSec, so you will have to allow UDP port 500, which IPSec uses, to pass in and out. If you are using the IPFilter Network Address Translation (NAT) feature, you also have to allow UDP port 4500 in and out.

  • Be careful which ports you block if you are running in a Serviceguard cluster. Serviceguard uses the following ports:

     

     hacl-qs      1238/tcp   # High Availability (HA) Quorum Server
     clvm-cfg     1476/tcp   # HA LVM configuration
     hacl-hb      5300/tcp   # High Availability (HA) Cluster heartbeat
     hacl-hb      5300/udp   # High Availability (HA) Cluster heartbeat
     hacl-gs      5301/tcp   # HA Cluster General Services
     hacl-cfg     5302/tcp   # HA Cluster TCP configuration
     hacl-cfg     5302/udp   # HA Cluster UDP configuration
     hacl-probe   5303/tcp   # HA Cluster TCP probe
     hacl-probe   5303/udp   # HA Cluster UDP probe
     hacl-local   5304/tcp   # HA Cluster commands
     hacl-test    5305/tcp   # HA Cluster test
     hacl-dlm     5408/tcp   # HA Cluster distributed lock manager

    This list of HA services is not exhaustive. In addition, Serviceguard also uses dynamic ports (typically in the 49152-65535 range) for some cluster services. If you have adjusted the dynamic port range using kernel tunable parameters, alter your rules accordingly. This list does not include all HA applications (such as Continentalclusters). New HA applications might be developed that use port numbers different from those listed above. You need to add new rules as appropriate to ensure that all HA applications run properly.

  • There are several example ipf.conf files in /opt/ipf/examples. Use these as a starting point for your configuration.

  • Consider using the mkfilters command (you need to install Perl if you want to use it), which can build a very basic firewall configuration (see /opt/ipf/examples/firewall for more details).

30.5.3 Installing HP-UX Bastille

HP-UX Bastille requires Perl 5.6.1E or higher. (The most recent version of Perl for HP-UX can be found at http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL.) Neither Bastille nor Perl requires a reboot to install. Once installed, you can run Bastille either interactively (bastille, bastille -x or bastille -c) or non-interactively (bastille -b, InteractiveBastille).

One aspect of Bastille is the file /etc/opt/sec_mgmt/bastille/ipf.customrules, which can form the basis of an IPFilter ruleset for hardening a system. When you run Bastille, it checks whether your DISPLAY environment variable has been set. If so, you can interact with Bastille through that display. Figure 30-13 is the screen you will see.

Figure 30-13. HP-UX Bastille.

The questions deal with the following issues:

  • Patches

    - Set up cron to run security_patch_check regularly.

    - You are asked the time of day to set up an appropriate cron job.

  • File Permissions

    - Set the sticky bit on world-writeable directories.

  • Account Security

    - Set the default umask.

    - The default chosen by Bastille is 077.

    - Password protect single-user mode.

    • Bastille converts your system to a Trusted System in order to achieve this.

    - Enable auditing of admin , login , and moddac events.

    • Bastille converts your system to a Trusted System in order to achieve this.

    - Password aging

    • Maximum number of days a password is valid (default=182, rounded to weeks for non-Trusted Systems).

    • Minimum number of days between password changes (default=7, rounded to weeks for non-Trusted Systems).

    • Warning period before a password is changed (default=28 days).

      - This requires the system to be converted to a Trusted System.

    - Disallow root logins from any network tty.

  • SecureInetd

    - Disable telnetd service.

    - Disable ftp/ftpd services.

    - Disable login, shell, and exec services.

    - Disable tftp service.

    - Disable ntalk service.

    - Disable ident service.

    - Disable daytime, discard, chargen, and echo services.

    - Disable time service (not NTP).

    - Disable kshell and klogin services.

    - Disable dtspcd, cmsd, and ttdbserver services.

    - Disable recserv service.

    - Disable print service.

    - Create an Authorized Use Only message to be displayed at login time: the file /etc/issue. You can also add an authorized user comment to this message.

  • Miscellaneous Daemons

    - Disable NFS Server.

    - Disable NFS Client.

    - Disable SNMP.

    - Disable ptydaemon.

    - Disable pwgrd.

    - Disable remote X logins (XDMCP).

  • Sendmail

    - Disable sendmail from running in daemon mode.

    - Run sendmail every 15 minutes to manage the mail queue.

    - Disable the VRFY and EXPN sendmail commands.

  • Apache

    - Run Apache Web server in a chroot jail.

  • FTP

    - Disable system account login via the WU-FTPD daemon.

  • HP-UX

    - Disable programs from executing code directly from their stack (the executable_stack kernel parameter, a mitigation for buffer-overflow problems).

    - Disable swagentd from allowing read access from remote machines.

    - Set up recommended ndd parameters (current value => recommended value):

      ip_forward_directed_broadcasts     1  =>  0
      ip_forward_src_routed              1  =>  0
      ip_forwarding                      2  =>  0
      ip_ire_gw_probe                    1  =>  0
      ip_pmtu_strategy                   2  =>  1
      ip_send_redirects                  1  =>  0
      ip_send_source_quench              1  =>  0
      tcp_conn_request_max              20  =>  4096
      tcp_syn_rcvd_max                 500  =>  1000

    - Create a TODO list to help run a port scan.

    - Provide more information about other HP tools for protection.

    - Are you willing to mail your config file and TODO list to HP?

  • IPFilter

    - Should Bastille set up a basic ipf.conf file for basic firewall protection?
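The ndd table in the HP-UX section above is the kind of baseline you will want to re-check after Bastille has run, or on a host that was hardened by hand. The script below is an added example written for this section (not part of the book or of HP-UX Bastille): it compares a set of current tunable values against the nine recommended values from the table, then emits the `ndd -set` commands that would apply the missing ones and the matching /etc/rc.config.d/nddconf entries that make them survive a reboot. The current values are constructed sample data standing in for what `ndd -get /dev/ip <name>` and `ndd -get /dev/tcp <name>` report; the nddconf index passed in is assumed to be the next free one in your file.

```python
"""Audit HP-UX ndd tunables against the values Bastille recommends.

Added example, not part of the book or of HP-UX Bastille.  The baseline is
the nine tunables and target values listed in the chapter; SAMPLE_CURRENT is
constructed sample data standing in for the output of `ndd -get`.
"""

# (device, tunable) -> recommended value, taken from the chapter's table.
BASELINE = {
    ("/dev/ip", "ip_forward_directed_broadcasts"): 0,
    ("/dev/ip", "ip_forward_src_routed"): 0,
    ("/dev/ip", "ip_forwarding"): 0,
    ("/dev/ip", "ip_ire_gw_probe"): 0,
    ("/dev/ip", "ip_pmtu_strategy"): 1,
    ("/dev/ip", "ip_send_redirects"): 0,
    ("/dev/ip", "ip_send_source_quench"): 0,
    ("/dev/tcp", "tcp_conn_request_max"): 4096,
    ("/dev/tcp", "tcp_syn_rcvd_max"): 1000,
}

# Constructed sample: the "before" column from the chapter, except that two
# tunables have already been set to the recommended value.
SAMPLE_CURRENT = {
    "ip_forward_directed_broadcasts": 1,
    "ip_forward_src_routed": 1,
    "ip_forwarding": 2,
    "ip_ire_gw_probe": 1,
    "ip_pmtu_strategy": 2,
    "ip_send_redirects": 0,       # already hardened
    "ip_send_source_quench": 1,
    "tcp_conn_request_max": 20,
    "tcp_syn_rcvd_max": 1000,     # already hardened
}


def find_deviations(current):
    """Return [(device, name, current, recommended)] for every tunable that
    is missing from `current` or differs from the baseline."""
    out = []
    for (dev, name), want in BASELINE.items():
        have = current.get(name)
        if have != want:
            out.append((dev, name, have, want))
    return out


def ndd_set_commands(deviations):
    """One `ndd -set` per deviation.  These take effect immediately but are
    lost at the next reboot, hence nddconf_stanzas() below."""
    return ["ndd -set %s %s %d" % (dev, name, want)
            for dev, name, _, want in deviations]


def nddconf_stanzas(deviations, start_index=0):
    """Entries for /etc/rc.config.d/nddconf, which the boot scripts replay.
    Each tunable is one numbered triple; the indexes must be unique and
    consecutive with what is already in the file, so the caller passes the
    next free index (assumed here, check your own file first)."""
    lines = []
    for i, (dev, name, _, want) in enumerate(deviations, start_index):
        lines.append("TRANSPORT_NAME[%d]=%s" % (i, dev.rsplit("/", 1)[1]))
        lines.append("NDD_NAME[%d]=%s" % (i, name))
        lines.append("NDD_VALUE[%d]=%d" % (i, want))
    return lines


if __name__ == "__main__":
    devs = find_deviations(SAMPLE_CURRENT)
    for dev, name, have, want in devs:
        print("%-32s %-8s %5s => %s" % (name, dev, have, want))
    print("\n".join(ndd_set_commands(devs)))
    print("\n".join(nddconf_stanzas(devs)))
```

On a real host you would feed find_deviations() a dictionary built from the `ndd -get` output for each name in BASELINE rather than SAMPLE_CURRENT; a tunable that ndd does not know about is reported as a deviation (current value None) rather than silently passed, which is the safer failure mode for an audit.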

Once you have answered the questions in each section of the interface, Bastille creates the configuration file /etc/opt/sec_mgmt/bastille/config:

 

    root@hpeos004[bastille] pwd
    /etc/opt/sec_mgmt/bastille
    root@hpeos004[bastille] ll
    total 440
    -rw-------   1 root       sys              0 Oct 17 16:48 .nodisclaimer
    -r--r--r--   1 bin        bin         214920 May 21 23:09 Questions.txt
    -rw-------   1 root       sys           4674 Oct 17 17:02 config
    -r--r--r--   1 bin        bin            814 May 21 23:09 ipf.customrules
    -r--r--r--   1 bin        bin            967 May 21 23:09 jail.bind.hpux
    -r--r--r--   1 bin        bin            804 May 21 23:09 jail.bind9.hpux
    -r--r--r--   1 bin        bin           1625 May 21 23:09 jail.generic.hpux
    root@hpeos004[bastille]
    root@hpeos004[bastille] more config
    # Q:  Enter the maximum number of days between password changes:
    AccountSecurity.PASSWORD_MAXDAYS="182"
    # Q:  Enter the minimum number of days between password changes.
    AccountSecurity.PASSWORD_MINDAYS="7"
    # Q:  Enter the number of days a user will be warned that their password will expire.
    AccountSecurity.PASSWORD_WARNDAYS="28"
    # Q:  Should Bastille disallow root logins from network tty's? [N]
    AccountSecurity.create_securetty="N"
    # Q:  Do you want to setup password policies?
    AccountSecurity.passwordpolicies="Y"
    # Q:  Would you like to password protect single-user mode?
    AccountSecurity.single_user_password="Y"
    # Q:  Do you want basic system security auditing enabled?
    AccountSecurity.system_auditing="Y"
    # Q:  What umask would you like to set for users on the system? [077]
    AccountSecurity.umask="077"
    # Q:  Do you want to set the default umask? [Y]
    AccountSecurity.umaskyn="Y"
    # Q:  Would you like to chroot your Apache Server? [N]
    Apache.chrootapache="Y"
    # Q:  Would you like to disallow ftpd system account logins?
    FTP.ftpusers="Y"
    config (21%)
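The config file has a simple, regular shape: a `# Q:` comment carrying the question, followed by a `Section.Key="value"` answer. That makes it easy to audit before you run `bastille -b`, or to compare across a fleet of hosts. The following is an added example written for this section, not code from the book or from HP-UX Bastille. It parses that format and reports answers that leave a hardening step switched off; the sample text is a constructed extract modelled on the listing above, and the EXPECTED table is this example's own baseline, not something Bastille enforces. Note that the listing above answers the securetty question with "N", so root may still log in over the network; the audit flags exactly that.

```python
"""Parse a Bastille config file and flag answers that leave hardening off.

Added example, not part of the book or of HP-UX Bastille.  SAMPLE_CONFIG is
a constructed extract in the same format as the chapter's listing; EXPECTED
is this example's own baseline of hardened answers.
"""
import re

SAMPLE_CONFIG = """\
# Q:  Enter the maximum number of days between password changes:
AccountSecurity.PASSWORD_MAXDAYS="182"
# Q:  Enter the minimum number of days between password changes.
AccountSecurity.PASSWORD_MINDAYS="7"
# Q:  Enter the number of days a user will be warned that their password will expire.
AccountSecurity.PASSWORD_WARNDAYS="28"
# Q:  Should Bastille disallow root logins from network tty's? [N]
AccountSecurity.create_securetty="N"
# Q:  Do you want to setup password policies?
AccountSecurity.passwordpolicies="Y"
# Q:  Would you like to password protect single-user mode?
AccountSecurity.single_user_password="Y"
# Q:  Do you want basic system security auditing enabled?
AccountSecurity.system_auditing="Y"
# Q:  What umask would you like to set for users on the system? [077]
AccountSecurity.umask="077"
# Q:  Do you want to set the default umask? [Y]
AccountSecurity.umaskyn="Y"
# Q:  Would you like to chroot your Apache Server? [N]
Apache.chrootapache="Y"
# Q:  Would you like to disallow ftpd system account logins?
FTP.ftpusers="Y"
"""

# Section.Key="value"; the value may be empty.
LINE_RE = re.compile(r'^([A-Za-z0-9_]+\.[A-Za-z0-9_]+)="([^"]*)"\s*$')


def parse_bastille_config(text):
    """Return {key: (value, question)}.  The question is taken from the
    '# Q:' comment immediately preceding the answer, or None if absent."""
    entries = {}
    question = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# Q:"):
            question = line[4:].strip()
            continue
        m = LINE_RE.match(line)
        if m:
            entries[m.group(1)] = (m.group(2), question)
            question = None
    return entries


# This example's baseline: answers a hardened host should give.
EXPECTED = {
    "AccountSecurity.create_securetty": "Y",
    "AccountSecurity.passwordpolicies": "Y",
    "AccountSecurity.single_user_password": "Y",
    "AccountSecurity.system_auditing": "Y",
    "AccountSecurity.umaskyn": "Y",
    "AccountSecurity.umask": "077",
    "Apache.chrootapache": "Y",
    "FTP.ftpusers": "Y",
}


def audit(entries, expected=EXPECTED, max_days=182):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, want in expected.items():
        if key not in entries:
            findings.append("%s: not answered" % key)
        elif entries[key][0] != want:
            value, question = entries[key]
            findings.append('%s="%s" (expected "%s"; question: %s)'
                            % (key, value, want, question))
    # Password aging must not be looser than the chapter's default of 182 days.
    try:
        if int(entries["AccountSecurity.PASSWORD_MAXDAYS"][0]) > max_days:
            findings.append("PASSWORD_MAXDAYS exceeds %d" % max_days)
    except (KeyError, ValueError):
        findings.append("PASSWORD_MAXDAYS missing or not numeric")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_bastille_config(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run against the real file by reading /etc/opt/sec_mgmt/bastille/config into parse_bastille_config(); a key that is absent is reported rather than assumed safe, because Bastille skips the corresponding module when there is no answer.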

Running bastille -b performs all necessary modifications based on your responses to the questions asked in the interface.

    root@hpeos004[bastille] bastille -b
    NOTE:    Entering Critical Code Execution.
             Bastille has disabled keyboard interrupts.
    NOTE:    Bastille is scanning the system configuration...
    Bastille is now locking down your system in accordance with your answers in the
    "config" file. Please be patient as some modules may take a number of minutes,
    depending on the speed of your machine.
    Executing File Permissions Specific Configuration
    Executing Account Security Specific Configuration
    Executing Inetd Specific Configuration
    Executing Daemon Specific Configuration
    Executing Sendmail Specific Configuration
    Executing Apache Specific Configuration
    Executing FTP Specific Configuration
    Executing HP-UX's Security Patch Check Configuration
    Executing IPFilter Configuration
    Executing HP-UX Specific Configuration
    WARNING: An attempt to get the network host entry for "hpeos113"
             failed. This may result in denial of access to users and
             agents at this host. Check the spelling of this name, then
             your "/etc/hosts" file, or your "/etc/resolv.conf" file and
             DNS resolver configuration. The nslookup program may be
             helpful in isolating this problem.
    WARNING: An attempt to get the network host entry for "hpeos113"
             failed. This may result in denial of access to users and
             agents at this host. Check the spelling of this name, then
             your "/etc/hosts" file, or your "/etc/resolv.conf" file and
             DNS resolver configuration. The nslookup program may be
             helpful in isolating this problem.
    Please check /var/opt/sec_mgmt/bastille/TODO.txt for further instructions on how to
    secure your system.
    root@hpeos004[bastille]

You should now review the TODO.txt file mentioned above. One important point is that your system may require a reboot, for example if you changed the executable_stack kernel parameter. You should also check the action-log and error-log files:

 

    root@hpeos004[bastille] ll /var/opt/sec_mgmt/bastille/log
    total 530
    -rw-------   1 root       sys         261255 Oct 17 17:43 action-log
    -rw-------   1 root       sys             98 Oct 17 16:54 error-log
    root@hpeos004[bastille]

Please be careful when locking down your system. It is designed to make your system impregnable. This means that you may find it difficult to log in as well.

30.5.4 Conclusions on IPFilter and Bastille

IPFilter and HP-UX Bastille are two new(ish) tools for HP-UX that can go some way toward locking down your system. IPFilter in particular should be studied closely: the simple configurations seen here will suffice in only a limited few situations. The simple configuration supplied by HP-UX Bastille can likewise be considered only a starting point. These products are not the only solution that HP-UX offers for system and network security. Appendix E contains a copy of the document Building a Bastion Host Using HP-UX 11, which offers some additional excellent ideas for locking down a server. Another good starting point is the web site http://www.hp.com/security.



HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434