Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - Pillus

Pages: [1]
Tutorials / Custom Kernel+Grsec+PaX HOWTO
« on: March 29, 2011, 12:51:56 pm »
Adding a tutorial from one of the ChaseNET admins, with his permission ofcourse :)


Copyright (c) 2010 Declan Williams.
    Permission is granted to copy, distribute and/or modify this document
    under the terms of the GNU Free Documentation License, Version 1.2
    or any later version published by the Free Software Foundation;
    with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
    A copy of the license is included here

Custom Kernel+Grsec+PaX HOWTO

First, draw up hardware lists to make sure you build in all the required support into the kernel.
I recommend disabling LKM to help prevent kernel level rootkits.
I also recommend putting PaX on the highest settings, and enabling the features to stop writing to /proc/kmsg and other areas nasties abuse.
Also, use a hardened toolchain throughout installation of applications on your machine,Though you will have to compile your applications.
 Recommendations: Gentoo Hardened Project.
 Recommended Grsecurity settings:
Code: [Select]
Security Options ->
   Grsecurity ->
      Security Level (High)
Address Space Protection
[*] Deny writing to /dev/kmem, /dev/mem, and /dev/port //kmem can be used to insert rootkits
[*] Disable Privileged I/O //Enable if you use X11 etc, disable for servers.
[*] Removed addresses from /proc/<pid>/[smaps|maps|stat] //Speaks for itself
[*] Deter exploit bruteforcing //You definitely want this one
[*] Hide kernel symbols //Again, no reason for legit to see this
      Role Based Access Control ->
[ ] Disable RBAC System //This is fantastic, do NOT disable it,use it
[*] Hide kernel processes //No legit reason to see these in production.
        (3) Maximum tries before password lockout
          (3600) Time to wait after max password tries, in seconds //That's an hour, pick as appropriate
Filesystem Protections
[*] Proc restrictions //Proc has lots of useful info, to attackers too.
[*] Restrict /proc to user only //Makes sure the user can only see their own processes, and hids network info(like binded ports(can use to identify daemons to exploit))
[*] Allow special group //Certain GID that can see it all, choose wisely
[*] Additional Restrictions //Adds more restrictions, prevents users from seeing slabinfo and devinfo
[*] Linking Restrictions //Prevents /tmp race condition 'sploits, stops users from following symlinks from other users in world-write+t dirs, useful stuff
[*] FIFO Restrictions //Similar to above except FIFO pipes now, again nice to stop
[*] Runtime Read-only Mount Protection //Adds sysctl option to prevent new rw mounts, remounting rw, write on block devs, CHOOSE IF THIS APPLIES TO YOU
[*] Chroot Jail Restrictions //You want ALL of these, hardens your chroots by defeating common bypass methods completely.
      Kernel Auditing ->
          [*] Log execs within chroot //Just in case they're doing the naughty.
[*] Ptrace logging //Shouldn't be done on a production system, useful to attackers, you want to know this
          [*] /proc/<pid>/ipaddr support //Tells you the IP the process was executed by, again useful to know
[*] Denied RWX MMAP/MPROT logging //Tells you if something tripped PAX_MPROTECT
Executable Protections
[*] Enforce RLIMIT_NPROC on execs //If the user is limited, it'll be checked also during execve(), usually it's just fork()
[*] DMESG Restrictions //Stops non-super reading the last 4kb of messages in the kernel buffer.
[*] Deter ptrace-based process snooping //Monitoring tools that use ptrace will be mitigated if they try to do it to an already running process
[*] Trusted Path Execution(TPE) //Good stuff, can stop users running stuff in their own directories etc depending on the following selections
[ ] Partially restrict all non-root //Doesn't usually apply, check first if you prefer that option.
[*] Invert GID option //Now it applies to everyone except given GID, choose wisely
      Network Protections ->
[*] Larger entropy pools //Makes things more random and therefore decreases predictability(very important in network security)
[*] TCP/UDP blackhole and LAST_ACK DoS prevention //Prevents resets and destination-unreachable being sent back to unbinded ports.
          [*] Socket restrictions ->
            [*] Deny any sockets to group ->
               [no-net GID] GID to deny all sockets for

Recommended PaX settings:
Code: [Select]
Security options ->
   PaX ->
      Non-executable pages ->
         [ ] Emulate trampolines //can break shit, but also poses a risk if enabled.
         [*] Disallow ELF text relocations
      Miscellaneous hardening features ->
         [*] Sanitize all freed memory //Erases pages when not used, stops sensitive info remaining in memory long enough to be stolen

From there, you will also want to remove the /dev/kmem device in character devices, remove any functionality and drivers you do not need, then go into kernel hacking and remove all debugging options available.
 Make sure you have's public key:
Code: [Select]
% gpg --keyserver --recv-keys 0x517D0F0E
% wget
% gpg --import spender-gpg-key.asc

 Download latest release(bz2+bz2.sign files):
Code: [Select]
% lynx
% gpg --verify linux-2.6.*.bz2.sign linux-2.6.*.bz2
% tar xvjpf ./linux-2.6.*

 Move the folder:
Code: [Select]
% sudo mv -R ./linux-2.6.*/ /usr/src/
 Create new Symlink:
Code: [Select]
% sudo ln -s /usr/src/linux-2.6.<version here>/ /usr/src/linux
 Get the grsec patch and sign for your kernel:
Code: [Select]
% lynx
 Verify the patch:
Code: [Select]
% gpg --verify ./grsecurity*.patch.sig ./grsecurity*.patch
 Move the patch:
Code: [Select]
% sudo mv ./grsecurity*.patch /usr/src/linux
 Change dir:
Code: [Select]
% cd /usr/src/linux
 Patch the kernel:
Code: [Select]
% patch -p1<./grsecurity*.patch
 Escalate privs:
Code: [Select]
% sudo -i

You're going to want to harden your flags for this.
Code: [Select]
$ export CFLAGS="-O2 -pipe -fomit-frame-pointer -DFORTIFY_SOURCE_2 -fstack-protector -fPIE -fPIC"
$ export CXXFLAGS="${CFLAGS}"
$ export LDFLAGS="-z relro -pie"

 Make the config file:
Code: [Select]
$ make menuconfig
Code: [Select]
$ make gconfig
Code: [Select]
$ make xconfig
 After doing so, and saving, make the kernel:
Code: [Select]
$ make
 If using lkm, then make the modules:
Code: [Select]
$ make modules_install
 Then install the kernel:
Code: [Select]
$ make install
 Modify your GRUB configuration as required:
Code: [Select]
$ vi /boot/grub/menu.lst
Code: [Select]
$ reboot
 If all is well, download gradm and the .sig, else repeat the steps previously shown from menuconfig onwards.
Code: [Select]
% lynx
% gpg --verify ./gradm*.gz.sig ./gradm*.gz
% tar xvf ./gradm*.gz

 Then we make it:
Code: [Select]
% cd ./gradm2
% make
% sudo make install

 Then download paxutils:
Code: [Select]
% wget
% tar xvjpf ./pax-utils*.bz2
% cd ./pax-utils*/
% make
% sudo make install

 Then we cleanup
Code: [Select]
% cd ../
% rm -rf ./gradm2/
% rm -rf ./pax-utils*/
% rm -rf ./linux-2.6*/
% rm ./grsec*
% rm ./gradm*
% rm ./linux-2.6.*
% rm ./pax-utils*.bz2
% cd /usr/src/linux
% sudo make clean
% cd

From here it's recommended to make sure all your userland is compiled with the hardened flags and stripped of all debugging information etc,
and that you set up RBAC using the links below.

To check for any badly compilec processes(no RELRO, stack canary etc), then check out this brilliant script
 All done, for further resources in regards to PAX, GRSecurity etc, checkout the gentoo hardened project:
 Hope this has been somewhat useful, la revedere.

Tutorials / Linux (Web)server security
« on: March 28, 2011, 02:06:40 pm »
Here's one of my tutorials on linux security. It's not FULLY finished yet, and will get edited. But most of it is there already ;) Have fun.

I wanted to post a few tips on how you can easily secure your network on a debian based distro,

All written by us and is a part of tutorials i post on chasenet, please don't copy this without asking!

In this tutorial we will be using CSF/LFD (IPtable integrated firewalls), PSAD for anti portscans and DDoS-Deflate for protection against (D)DoS attacks, for more security on your server. We will also be using a webinterface on some places instead of console to make things easier for beginners as well, for this i choosed webmin, as it is intergrated into everything you can do on a linux system.

Before we start we would need to install apache/php and mysql on your server as well, not going to much into that you can read about how to easily do that on a debian based system HERE:
Code: [Select]
Please also try to use an updated debian system so we don't have any crash on dependencies.
In some cases you might want to get the build-essential package as well
Code: [Select]
apt-get install build-essentialYou will also have to get syslog-ng for logging.
Code: [Select]
apt-get install syslog-ng

First step:
Installing webmin,

We start of with our web interface for easy management and set up of the firewall etc:
Code: [Select]
Installing webmin with:
Code: [Select]
dpkg -i webmin_1.500_all.deb
If you get an error saying you don't have all the dependencies just run:
Code: [Select]
apt-get -f install
So after this has installed itself you can easily access your webinterface by going to this address:
Code: [Select]
If this now display a login page you have done it right.

Now we can start the fun part of setting up the firewall

Step two:
Installing and configuring CSF firewall

Downloading CSF:
Code: [Select]
Untar the package:
Code: [Select]
tar xvzf csf.tgz
Switch to the csf directory
Code: [Select]
cd csf
And just run the install script:
Code: [Select]
If this completed without errors we can now load csf into webmin.

Loading the module:
Log into your webmin interface and go to Webmin > Webmin Configuration > Webmin Modules.
On local file you fill in the path to the webmin module installed by csf,
Code: [Select]
/etc/csf/csfwebmin.tgzAnd press Install Module.

If this goes well you will now see "ConfigServer Security & Firewall" Under the SYSTEM tab in webmin.

Step three:
Configuring ConfigServer Security & Firewall

Go to the ConfigServer Security & Firewall tab in webmin and press "Firewall Configuration"
For this tutorial we will just fill out the easiest part of the configuration but feel free to explore more of the big potentials of CSF.

Change these areas of the config,

Stop running CSF in testmode:
Code: [Select]
Set the open ports (here we will just fill in what we need at the moment)
Code: [Select]
TCP_IN=21,22,80,10000 21 for ftp, 22 for ssh, 80 for the www and 10000 for webmin (the last one here is very important to remember)
Code: [Select]
Changing ICMP requests (optional) This will disable ping requests and answers. I personaly like to set this to off, so no specific ping attacks can be made with special packets.
Code: [Select]
Code: [Select]
Protection against synflood (for webservers etc)
Code: [Select]
Protection against portfloods
Code: [Select]
That should be all, scroll down to the end and press CHANGE to save all the changes you have made to the config.

The usage of CSF will be explained in another tutorial later on, but the interface is very easy to understand. "View iptable logs" To see what csf have banned and why, "View LFD logs" to see what it has picked up as suspicious processes, who has logged in through ssh and if any portscans have been detected.

Step four:
Installing PSAD

As mentioned before, you would need to have syslog-ng installed before running psad properly, with this done, let's start!

Download and install psad:
Code: [Select]
apt-get install psad
Setup syslog-ng to log things from PSAD (You don't need to use nano if you like other editing tools better.
Code: [Select]
nano /etc/syslog-ng/syslog-ng.conf
Search for the "# pipes" Section and add this to the list:
Code: [Select]
destination psadpipe { pipe("/var/lib/psad/psadfifo"); };
Search for the "# filters" section of the config and add this line
Code: [Select]
filter f_kerninfo { facility(kern); };
And all the way on the bottom of the config, add these lines:
Code: [Select]
log {

Restart syslog-ng:
Code: [Select]
/etc/init.d/syslog-ng restart
Now we have the logging in place, and we can start configure psad:
Code: [Select]
nano /etc/psad/psad.conf
The most important parts will be these, fill them in with your own information:
Your email address
Code: [Select]
EMAIL_ADDRESSESYour Hostname (like http://localhost)
Code: [Select]
HOSTNAMESet home_net to not used:
Code: [Select]
HOME_NET                NOT_USED;  ### only one interface on boxIf you want to set ports to ignore on scans you can do it like this (optional):
Code: [Select]
IGNORE_PORTS                tcp/88, udp/3000;For IDS and iptable support:
Code: [Select]
ENABLE_AUTO_IDS             Y;

Now save and close the config.
Restart PSAD:
Code: [Select]
/etc/init.d/psad restart
Now all we need is to add two iptable rules so psad can use iptable logging, done with these two commands:
Code: [Select]
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

That was all for PSAD, it should now be up and running and scan reports can be made using this command:
Code: [Select]
psad -S

Step five:
Setting up DDoS-Deflate is easier than you think, with just a few commands and changes,
Downloading and installing DDoS-Deflate:
Code: [Select]
chmod 0700

To configure ddos deflate you will need to do a few small changes:
Open up the script in your favourite editor,
Code: [Select]
nano /usr/local/ddos/ddos.shScroll down to add_to_cron() and you will find 2x of these lines
Code: [Select]
service crond restartChange it to:
Code: [Select]
service cron restartSave and close the script and open up the ddos.conf:
Code: [Select]
nano /usr/local/ddos/ddos.confHere you can change how ddos should react in different situations and you can put your own config on these lines,

How often the script is going to run (minutes):
Code: [Select]
FREQ=1Number of connections a user will need to have at the same time before he get's banned by the script:
Code: [Select]
NO_OF_CONNECTIONS=30Set this to 0 to use IPtables since we don't use APF:
Code: [Select]
APF_BAN=0Kill connections or not:
Code: [Select]
KILL=1If you want emails of the banned IP's then set your email inside the "":
Code: [Select]
Now save and close the config and run this command to add the script to crontab so it runs every minute:
Code: [Select]
/usr/local/ddos/ --cron
A few extra things you might want to add to your linux servers for extra functionality against (D)DoS attacks:
Enable SYN_Cookies:
Code: [Select]
sysctl -w net.ipv4.tcp_syncookies=1Increase the Connection backlog, allowing more connections
Code: [Select]
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
If you want to make it permanent just add them to the sysctl config in the /etc/sysctl dir so it will stay like that even after reboots.

And that's everything you need to set up a bit more security on your linux box, even if it's at home or on your server. Feel free to read around on the different documentation (provided by a google search) and implement more secure solutions and take use of all the other nice features these tools have.

If you have any questions please PM me or post here.

Not finished implemented in the guide yet:
Gresecurity and PAX - Added

Pages: [1]

Intern0t SoldierX SecurityOverride programisiai
Want to be here? Contact Ande, Factionwars or Kulverstukas on the forum or at IRC.