Bastille requires perl-tk.
apt-get install bastille
The firewall is controlled by /etc/init.d/bastille-firewall. The configuration file is
/etc/Bastille/bastille-firewall.cfg
which you may modify. After it has been installed, you can then test the firewall by using
/etc/init.d/bastille-firewall start
and (to remove all firewall rules)
/etc/init.d/bastille-firewall stop
Once you have a configuration that will work on your system, you can make it run at every normal boot-up by
# /usr/sbin/update-rc.d bastille-firewall start 40 S . stop 89 0 6 .
# /etc/init.d/bastille-firewall start
002 - Everyone can read your files & people in your group can alter them.
022 - Everyone can read your files, but no one can write to them.
027 - Only people in your group can read your files, no one can write to them.
077 - No one on the system can read or write your files.
lsof -i)
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1_1="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q: Would you like to disable SUID status for at? [Y]
FilePermissions.suidat="Y"
# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="N"
# Q: Would you like to restrict the use of cron to administrative accounts? [Y]
AccountSecurity.cronuser="N"
# Q: Do you want to set the default umask? [Y]
AccountSecurity.umaskyn="Y"
# Q: What umask would you like to set for users on the system? [077]
AccountSecurity.umask="077"
# Q: Should we disallow root login on all ttys? [N]
AccountSecurity.rootttylogins="N"
# Q: Would you like to disable CTRL-ALT-DELETE rebooting? [N]
BootSecurity.secureinittab="N"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="N"
# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="N"
# Q: Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="Y"
# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="N"
# Q: Would you like to disable the gcc compiler? [N]
DisableUserTools.compiler="Y"
# Q: Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="N"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="N"
# Q: Would you like to add additional logging? [Y]
Logging.morelogging="N"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="N"
# Q: Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"
# Q: Do you need the advanced networking options?
Firewall.ip_advnetwork="N"
# Q: DNS Servers: [0.0.0.0/0]
Firewall.ip_b_dns="0.0.0.0/0"
# Q: Public interfaces: [eth+ ppp+ slip+]
Firewall.ip_b_publiciface="eth0"
# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
Firewall.ip_b_tcpaudit="telnet ftp imap imaps pop3 pop3s mysql ftp finger sunrpc exec login linuxconf ssh"
# Q: UDP services to audit: [31337]
Firewall.ip_b_udpaudit=""
# Q: ICMP services to audit: [ ]
Firewall.ip_b_icmpaudit=""
# Q: TCP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publictcp="80 8080 22 53"
# Q: UDP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publicudp="53"
# Q: Force passive mode? [N]
Firewall.ip_b_passiveftp="Y"
# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
Firewall.ip_b_tcpblock=""
# Q: UDP services to block: [2049 6770]
Firewall.ip_b_udpblock=""
# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Firewall.ip_b_icmpallowed="destination-unreachable echo-reply time-exceeded"
# Q: Enable source address verification? [Y]
Firewall.ip_b_srcaddr="Y"
# Q: Reject method: [DENY]
Firewall.ip_b_rejectmethod="DENY"
# Q: Interfaces for DHCP queries: [ ]
Firewall.ip_b_dhcpiface=""
# Q: NTP servers to query: [ ]
Firewall.ip_b_ntpsrv="ntps1-0.cs.tu-berlin.de"
# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Firewall.ip_b_icmpout="destination-unreachable time-exceeded"
# Q: Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="N"
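One way to review such an answer file against the defaults shown in brackets, as an added example that is not part of the original page or of Bastille: the script parses each question/setting pair and lists the yes/no questions answered differently from the bracketed default. The sample input is constructed from lines on this page, and the names ENTRY, parse and deviations are hypothetical.

```python
import re

# Constructed sample in the format shown above: "# Q:" comment, then Module.setting="answer".
SAMPLE = '''\
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="N"
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="N"
# Q: Would you like to disable the gcc compiler? [N]
DisableUserTools.compiler="Y"
# Q: What umask would you like to set for users on the system? [077]
AccountSecurity.umask="077"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"
# Q: TCP service names or port numbers to allow on public interfaces: [ ]
Firewall.ip_b_publictcp="80 8080 22 53"
'''

# The setting may sit on the line after the question or on the same line;
# straight and typographic quotes are both accepted around the answer.
ENTRY = re.compile(
    r'#\s*Q:\s*(?P<question>.*?)\s*'      # question text
    r'(?:\[(?P<default>[^\]\n]*)\])?\s*'  # optional [default]
    r'(?P<key>[A-Za-z]\w*\.\w+)\s*=\s*'   # Module.setting
    r'["„“”](?P<value>[^"„“”\n]*)["„“”]'  # quoted answer
)

def parse(text):
    """Return one dict per setting: question, default (None if not shown), key, value."""
    return [{k: (v.strip() if v else v) for k, v in m.groupdict().items()}
            for m in ENTRY.finditer(text)]

def deviations(entries):
    """Yes/no settings whose answer differs from the bracketed default."""
    found = []
    for e in entries:
        default = (e['default'] or '').upper()
        answer = e['value'].upper()
        if default in ('Y', 'N') and answer in ('Y', 'N') and default != answer:
            found.append((e['key'], default, answer))
    return found

if __name__ == '__main__':
    entries = parse(SAMPLE)
    for key, default, answer in deviations(entries):
        print(f'{key}: default {default}, answered {answer}')
    for e in entries:
        if e['default'] is None:
            print(f"{e['key']}: no default shown, answered {e['value']}")
```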