
AusCERT UNIX and Linux Security Checklist v3.0
Date: 13 February 2007
Original URL: https://www.auscert.org.au/render.html?cid=1937&it=5816

AusCERT public release 2007-07-25

Introduction
This document has been published by the Australian Computer Emergency Response Team (AusCERT). It provides a checklist of steps to improve the security of UNIX and Linux systems. We encourage system administrators to review all sections of this document and if appropriate modify their systems to fix potential weaknesses.
The checklist is structured to follow the lifecycle of a system, from planning and installation to recovery and maintenance. Sections A to G of the checklist are best applied to a system before it is connected to the network for the first time. In addition, the checklist can be reapplied on a regular basis, to audit conformance.
No two organisations are the same, so in applying the checklist consideration should be given to the appropriateness of each action to your particular situation. Rather than enforcing a single configuration, this checklist will identify the specific choices and possible security controls that should be considered at each stage.
Operating system specific footnotes throughout the document offer some additional information to help with applying these steps on specific UNIX and Linux variants.
The most current version of this document is available at http://www.auscert.org.au/1935
We will continue to update this checklist. Any comments should be directed via email to auscert@auscert.org.au.
Before using this document, please ensure you have the latest version. New versions of this checklist will be available via the URL listed above and should be checked for periodically.

Disclaimer
AusCERT advises that this information is provided without warranty; sites should ensure that actions and procedures taken from information in this document are verified and in accordance with security policies that are in place within their organisation. Listing of software products or tools within this document does not constitute endorsement by AusCERT or The University of Queensland.

Contents
A. Determine Appropriate Security
B. Installation
C. Patch and Update
D. Minimise
E. Secure Base OS
F. Secure Major Services
G. Add Monitoring Capability
H. Connect to Net
I. Test Backup/Rebuild Strategy
J. Maintain
References

A. Determine Appropriate Security
Apply your organisation's information security policy to guide the decisions made in this section.

A.1 Computer role
First decide on and document the role of this computer. This means specifying exactly which services the computer will provide.
Example computer roles are:
email server and email virus/spam scanner
user workstation for word processing, email and web browsing
combined web server/database server

A.2 Assess security needs of each kind of data handled
The security measures appropriate for this computer will depend greatly on what information will be stored on it, or pass through it.
For Internet-connected computers, even for unimportant data, a certain baseline level of security will be required, to stop this computer being used as a platform to attack further into the network or other external networks.
The following steps will help to determine the security needs of this system:
1. Data on this system
Considering the computer role, identify each kind of information that will be handled by this computer. Examples are:
office emails
client personal data
private keys and certificates
source code being developed in-house
The list should also identify information such as user passwords, which may be typed into this computer but which also give access to other systems that use the same password.
2. Threats
Consider the potential threats to each kind of information identified above. Which classes of attacker will be motivated to read, modify or disable each of these kinds of data?
Consideration of the threat should include both targeted and indiscriminate attacks.
Targeted attacks:
Targeted attacks refer to those where attackers may specifically target your business or your customers. Depending on the kind of information processed, threats may include malicious changes by a disgruntled insider, a denial of service attack for the purpose of extortion, or industrial espionage or sabotage.
Indiscriminate attacks:
All computers on the Internet are subject to these threats. Some organisations believe that their systems will not be of interest to attackers; this is incorrect. Attackers are interested in controlling your computers for a number of reasons, including to launch attacks on other organisations, to send spam, or to capture users' authentication credentials.
3. Impacts if threats are realised
For each of the threat scenarios, estimate the impact on your organisation if the attack is realised.
The cost may be measured in money/time/reputation.
4. Determine acceptable risk
Based on the potential impacts, determine what level of risk can be accepted. Such determination of risk acceptance levels should be done in conjunction with senior management.

Making explicit the threats and impacts in this way will highlight what the priorities should be for protecting each kind of information on the system.
For organisations with little dependence on IT and no critical data these steps can be done informally. Otherwise, consider doing the assessment in writing, integrated with the risk assessment for the overall network.
More formal risk management frameworks are available to assist with this, such as OCTAVE (http://www.cert.org/octave).
In the Australian context, guidelines for information security risk management are provided by HB 231:2004, available from Standards Australia.

A.3 Trust relationships
Identifying trust relationships will determine whether the security of this computer is appropriate relative to other computers. For example, a secure configuration is useless if a UNIX server is managed from day to day using a workstation controlled by an attacker.
Below are three questions to ask to determine the trust relationships:
1. Which systems does this computer trust?
These will include the following:
Workstations used to administer this computer e.g. by SSH or web interface
Authentication servers (e.g. Kerberos or LDAP servers)
Backup servers (e.g. during a restore).
Those systems must be made at least as secure as this computer.
2. Which computers trust integrity of data served up by this computer?
For example:
Authentication clients, if this is an authentication server
Computers that may be administered from this computer
Workstations, if this is a file server.
This computer must be made at least as secure as those systems.
3. Which computers trust this computer to maintain confidentiality of data?
These may include:
Peer VPN endpoints
Database clients.
This computer must be made at least as secure as those systems.

A.4 Uptime requirements and impact if these are not met
Consider how reliable this computer is expected to be, and what the impact will be if these uptime requirements are not met.
This can include issues such as the following:
Will work in the organisation be affected if this computer fails?
Are specific service levels required by contract?
Will business be lost if customers cannot access a website?
These uptime requirements will also influence the Backup/Rebuild Strategy chosen later in section I.

A.5 Determine minimal software packages required for role
From the role determined in A.1, document which programs are needed to fully implement this role. This includes any extra libraries or support software that the main software needs.
Later in this checklist, installed software will be minimised to just the software determined here.

A.6 Determine minimal net access required for role
Document which TCP and UDP port numbers this computer will need to communicate on to perform its role, including the direction (in- or outbound).
Where appropriate, also record which specific computers this one will be communicating with for each service.
Later in this checklist, network access will be restricted to only this required access.

B. Installation
B.1 Install from trusted media
If installing the operating system from downloaded ISO images, use a trustworthy computer to check the integrity of the install CDs after they are burnt, using a hash (MD5/SHA1/other) or detached PGP signature. An example command to check the MD5 hash of a CD under Linux would be:
dd if=/dev/cdrom bs=…k | md5sum
If using MD5 or SHA1 hashes, make sure that the list of hashes itself comes from a trusted source (either digitally signed (preferably) or from a trusted SSL-authenticated website).

B.2 Install while not connected to the Internet
Install the operating system while not connected to the Internet. For a network installation of multiple machines, it is preferable to use an isolated staging network during the initial installation.

B.3 Use separate partitions
Creating separate partitions for different parts of the file system allows:
more flexibility in applying different mount options to different parts of the hierarchy, to restrict the use of files (as described below in E.5.2)
avoiding denial of service by disk space exhaustion (e.g. log files)
hard links are prevented from crossing partition boundaries.
Use separate partitions for /usr, /var, /tmp and /home. Good planning of the partition scheme is essential.

B.4 Install minimal software
When making selections during the installation process, install only the software sets required for this computer's role, as determined in A.5.
Installation general notes: Solaris, HP-UX, AIX

C. Apply all Patches and Updates
Ensuring the latest patches and updates are applied is crucial to security as UNIX systems with unpatched public vulnerabilities are quickly compromised by attackers.

C.1 Initially apply patches while offline
After the first install, consider applying patches and updates while disconnected from the network, either:
1. from a CD containing the patches, or
2. on a trusted staging network disconnected from the Internet.
If updating directly over the Internet is really necessary, then first install and configure a restrictive host firewall (see H.1) on the new system, allowing only the connections required for updating. (Often DNS plus one of HTTP, HTTPS or SSH outbound is all that is required.) In this case, after the initial updating is complete, the host can then be disconnected from the network until the remaining steps in sections D to H have been completed to bring the system to the appropriate level of security.
Do also patch and update any third-party software installed.

C.2 Verify integrity of all patches and updates
Before installing any patches or updates that have been downloaded, check that they have not been modified.
On some systems, digital signatures on patches or updates may be verified automatically by the package tool.
Patches or updates for some other systems may be PGP signed. These signatures can be verified using GnuPG, available with your system or from http://www.gnupg.org
If a digital signature is not available but an MD5 or SHA hash is, then use this to verify the integrity of the patch/update.
For those operating systems that do not come with an MD5 tool, a free implementation is available at http://www.fourmilab.ch/md5
Red Hat/Fedora, Solaris

C.3 Subscribe to mailing lists to keep up to date
Ensure that you are subscribed to the "announce" and "security" mailing lists for each vendor of software that you use to ensure that you have rapid notification of future patches and security updates (see J.1).
If automatic update checks and/or automatic application of updates are available, also consider whether using this is appropriate for your situation.
Some other steps recommended to be ready for future patching are described in section J (Maintain).
Patching general notes: HP-UX

D. Minimise
After the initial installation is complete, minimise the amount of software that is present by uninstalling or disabling the unneeded software packages, leaving a minimal set of software. Ideally, only the software that will be used in performing the computer's role, as decided in A.1 above, should remain.
Check the dependencies between software packages to determine which libraries and helper software are also required for the role.

D.1 Minimise network services
D.1.1 Locate services and remove or disable
Use netstat to find all listening network services.
Also use the ps command to view which processes are running by default on startup.
Preferably uninstall any services that are not required.
Otherwise disable them by editing or removing the relevant startup scripts.
FreeBSD, AIX

D.1.2 Minimise inetd/xinetd
If none of the services in the inetd configuration are needed then disable inetd completely.
Otherwise, disable all non-needed services in the configuration.
Solaris, HP-UX

D.1.3 Minimise portmapper and RPC services
Disable the portmap service completely unless it is necessary for the system to perform its role. Usually a machine that does not use NFS or NIS/NIS+ does not need portmap, however there are some other software packages that may need it such as FAM (on IRIX or Linux), mcserv, dracd and several Solaris-specific services.
Disable any non-required services that are registered with the portmapper on startup.
To check for registered RPC services, use the command: /usr/bin/rpcinfo -p
On systems that track software package dependencies, that gives an even more convenient way to identify any packages that depend on the portmapper.
See also section F.7 for advice on configuring RPC.

D.1.4 Notes on particular network services
Remove or disable the "r" commands
This includes rlogind, rshd, rcmd, rexecd, rbootd, rquotad, rstatd, rusersd, rwalld and rexd. These services are inadequately authenticated. It is better to remove these and use SSH and scp instead.
Note the special case of rsync, which is not one of the traditional "r" commands. rsync is useful and while by default it provides authentication of connections and transferred data, its native authentication is not strong so where rsync is required it is recommended to run it over SSH.
Remove or disable fingerd
Remove or disable fingerd if present. Apart from the possibility of a software vulnerability, fingerd allows an attacker to enumerate usernames on the system and to determine the timing and frequency of system administrator logins.
Remove or disable tftpd
Do not use tftpd (trivial file transfer protocol) unless unavoidable.
If tftpd is required for the computer's role, create a separate partition to store the files to be served by tftp and limit the tftp daemon to the directory where this partition is mounted.
Ensure that the files in the tftp area are not writable, unless this is required for the system's role.
TFTP is not authenticated, so to protect devices using TFTP, it is highly recommended only to allow it over a trusted network, such as a trusted management network for configuring network devices and not over the main LAN.
Disable SNMP daemon
If present by default, disable any SNMP daemon unless this is really required for the role of the computer.
Solaris, AIX

D.2 Disable all unnecessary startup scripts
The way startup scripts are used to start services when the system boots is different on different variants of UNIX. See your vendor's documentation for specific details.
On BSD-style systems, the file rc.conf or rc.conf.local can be edited to change which services will be started. Some systems have further startup scripts located in /usr/local/etc/rc.d
On System V-style systems, the services to be started each have a script with an entry under /etc/init.d or /etc/rc.d/init.d
Use ps at this stage to view the processes running by default. Understand the purpose of each process and disable it in the startup scripts if it is not needed.
Solaris, AIX

D.3 Minimise SetUID/SetGID programs
Programs which are SetUID or SetGID are good candidates for removal because any bugs in these programs are likely to have a security impact, allowing an attacker who already has access to the system to elevate privileges and increase their control. The steps below are particularly important for multi-user systems, such as web hosting servers with multiple accounts.
Locate SetUID/SetGID programs using a command such as find / -perm … -ls
Preferably uninstall them if not needed.
Otherwise disable the SUID or SGID bit, so that the program is only given the privileges of the user running it. Note that in some cases this can mean that the program will then only work when run by root.
If SetUID/SetGID programs really need to be used by other users, then consider restricting who can run them by group membership:
create a new group for this program
change the group ownership of the binary to this new group
change the permissions of the binary to deny execute permission for Others (chmod o-rx)
add the users who must use this program to the new group.
Never allow SetUID shell scripts.
Debian, Solaris, OpenBSD
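
The D.3 steps as a script. This is an added example, not part of the AusCERT checklist; the function names list_setid and restrict_setid and the SCRIPT/BINARY labels are made up for illustration, and the group passed to restrict_setid is assumed to exist already.

```shell
#!/bin/sh
# list_setid DIR   (function names and labels are illustrative)
# Prints "<kind> <mode> <path>" for each SetUID/SetGID regular file below DIR,
# staying on one filesystem. kind is SCRIPT if the file starts with "#!".
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c1-10)
        magic=$(od -An -c -N 2 "$f" 2>/dev/null | tr -d ' \n')
        if [ "$magic" = '#!' ]; then
            kind=SCRIPT     # the checklist says these must never be allowed
        else
            kind=BINARY     # also used when the file cannot be read
        fi
        printf '%s %s %s\n' "$kind" "$mode" "$f"
    done
}

# restrict_setid FILE GROUP
# For a SetUID/SetGID program that has to stay: hand the file to GROUP and
# remove all access for others (the checklist's "chmod o-rx", plus write).
# Creating GROUP and adding its members is done separately with the local
# account tools. chgrp may clear the SetUID/SetGID bits, so they are
# recorded first and put back afterwards.
restrict_setid() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    special=
    case $mode in ???[sS]*)    special="u+s" ;; esac
    case $mode in ??????[sS]*) special="${special:+$special,}g+s" ;; esac
    chgrp "$2" "$1" || return 1
    chmod "o-rwx${special:+,$special}" "$1"
}

# Read-only listing of one system directory.
list_setid /usr/bin
```

Review the listing before changing anything: some SetUID programs are needed by the system itself.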

D.4 Other minimisation
If a graphical user interface is not required on this computer then consider not installing the X window system, as well as desktop environments such as CDE, Gnome and KDE.
The reason is that these are large, complex software systems with components that must run with privileged access to the computer's hardware.
If IPv6 is not being used, then consider also turning off the IPv6 stack.
OpenBSD

Minimise general notes: Solaris, HP-UX, AIX

E. Secure Base OS
E.1 Physical, console and boot security
Check that physical access to the computer is restricted appropriately. Regardless of what configuration is used, an attacker with physical access to the computer can in most cases take full control of the system.
That said, the following controls should be considered to increase the difficulty of the walk-in attack:
Disable booting from any removable media by configuring the BIOS or EEPROM.
Set a password to prevent changes to these BIOS or EEPROM settings.
Ensure the boot loader does not allow booting to single-user mode without a password.
Consider disabling any special hotkeys that drop the console into a debugging mode.
For situations where access is public, such as an internet cafe or shared computer lab, these measures are essential. For other situations these measures can be considered based on physical security.
Solaris, HP-UX, FreeBSD, OpenBSD

E.2 User Logons
E.2.1 Account Administration
Consider having a paper User Registration Form for each user on the system. This form includes a section that the user signs, stating that they have read your security policy or acceptable use policy and what the consequences are if they contravene the policy.
Consider requiring that users physically identify themselves before granting any requests regarding accounts (e.g., before creating a user account or resetting passwords).
Have a documented process for when staff leave, to ensure that dormant accounts cannot occur.
Have a process for staff transfers and role changes, to ensure that appropriate changes are made to the user's authorisation and access rights on the system.
Note when disabling accounts:
In general, besides setting the accounts to disabled or deleting them entirely it is also necessary to:
search for and remove all files owned by that UID (in case the UID gets reallocated to a new user)
check that the accounts have no cron or at jobs
use ps to check for and kill any processes running under that UID.

E.2.2 Special accounts
Ensure that there are no shared accounts other than root. (i.e. more than one person should not know the password to an account)
Disable any guest accounts (accounts that can be used without any authentication) and do not create guest accounts. (Note: Even now, some systems come preconfigured with guest accounts.)
Disable any default vendor accounts shipped with the operating system that can be logged into. This may need to be rechecked after an upgrade.
Note that default accounts may sometimes be added during installation of third-party software applications, so these should be checked for after installation.
Disable accounts with no password which execute a single command, for example sync.
Ensure nonfunctional login shells (such as /bin/false or /sbin/nologin) are assigned to system accounts such as bin and daemon. There is no need to remove the default system accounts but it is important that they cannot be logged into.
IRIX

E.2.3 Root account
E.2.3.1 Root password
Restrict the number of people who know the root password.

E.2.3.2 No direct root logins
Consider not allowing root to directly log in over the network. Instead, require first to log on as an ordinary user, then use sudo or else su to root.
Reasons:
1. For accountability. This is particularly important if there is more than one person who logs on to this computer.
2. It also makes an attacker do more work to get to root.
Secure terminals:
The relevant configuration file may be called /etc/ttys, /etc/default/login, /etc/security or /etc/securetty depending on the system. See the manual pages for file format and usage information.
Check that the secure option is removed from any local entries that don't need root login capabilities. The secure option should be removed from console if you do not want users to be able to reboot in single-user mode. [Note: This does not affect usability of the su command.]
If it is not already the default, consider using a special group (such as the wheel group on BSD systems) to restrict which users can use su to become root.

E.2.4 PATH advice
Check that the current directory "." is not in the PATH. Note that an empty string is interpreted to mean the same as "." so also make sure the PATH does not contain any empty strings. For example, the following PATH is insecure:
VELQELQXVUVELQXVUELQ
This PATH advice is especially important for the root account.
Ensure that directories writable by other users are not specified before system directories in a user's PATH, and check that no files in the PATH of a user can be modified by other users.
Do specify absolute pathnames when writing scripts and cron jobs. (e.g. /bin/su, /bin/find, /bin/passwd.) This is to ensure that even if scripts get run in an environment with a different PATH, they cannot be tricked into executing a malicious program. One way to address this is explicitly to set the PATH variable at the start of the script, giving it a minimal list of directories.
Note: when using su, it is good practice to use the dash parameter, i.e. "/bin/su -" to reset the environment. While this does not give any significant protection if the user account were compromised, it does prevent bad environment variables from being unintentionally inherited by the privileged shell.
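
The PATH checks in E.2.4 can be scripted. The following is an added example, not part of the AusCERT checklist; the function name audit_path and its finding labels are made up for illustration, and the PATH value at the end is constructed.

```shell
#!/bin/sh
# audit_path PATHSTRING   (function name and finding labels are illustrative)
# Prints one finding per line and returns 1 if anything was flagged:
#   EMPTY <n>             entry number n is empty, i.e. the current directory
#   RELATIVE <entry>      "." or any other relative entry
#   WRITABLE <dir>        directory writable by its group or by others
#   WRITABLE-FILE <file>  file in a PATH directory writable by group or others
audit_path() {
    rest="$1:"      # the extra ":" lets the loop see a trailing empty entry
    n=0
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        n=$((n + 1))
        if [ -z "$entry" ]; then
            echo "EMPTY $n"; bad=1; continue
        fi
        case $entry in
            /*) ;;
            *)  echo "RELATIVE $entry"; bad=1; continue ;;
        esac
        [ -d "$entry" ] || continue     # entries that do not exist are skipped
        # Permission string of the directory itself, symlinks resolved (-L).
        mode=$(ls -ldL "$entry" | cut -c1-10)
        case $mode in
            d????w????|d???????w?) echo "WRITABLE $entry"; bad=1 ;;
        esac
        # Regular files directly inside the directory (no recursion).
        files=$(find "$entry/." ! -name . -prune -type f \
                    \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)
        if [ -n "$files" ]; then
            printf '%s\n' "$files" | sed 's|/\./|/|; s|^|WRITABLE-FILE |'
            bad=1
        fi
    done
    return "$bad"
}

# Constructed value for illustration, not taken from a real system.
audit_path "/usr/sbin:/usr/bin::/tmp:." || :
```

To check the root account, run audit_path "$PATH" in a root login shell, since that is the environment the advice is most concerned with.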

E.2.5 User session controls
Consider enforcing disk usage quotas on user accounts, by enabling quota support for individual users or by using the resource limits PAM module where available.
Consider using the resource limiting features of a user's logon shell to restrict the maximum memory/processes/CPU time used. For sh-style shells (sh, bash, ksh) use the ulimit command. For csh-style shells (csh, tcsh) use the limit command.
Evaluate the other facilities provided by your operating system to put conditions on user logon access, limit remote access, control user resource usage and enforce other policies on user sessions such as logging/accounting. These features vary significantly between different UNIX variants, so check the documentation for your system.
Consider configuring user login sessions to log out automatically after a certain period of inactivity, in particular for the root user. To do this, set the appropriate variable in your shell's startup files.
For csh: set -r autologout=15 (15 minutes)
For bash: typeset -r TMOUT=900 (15 minutes = 900 seconds)
HP-UX, FreeBSD, AIX

E.3 Authentication
E.3.1 Password authentication
E.3.1.1 Evaluate two-factor authentication
Consider the benefit and cost of using one-time password sheets, security tokens or smart cards instead of relying on reusable passwords alone.
Passwords do not scale well in a network because lack of trust between domains requires different passwords. In practice this results in users either choosing bad passwords, reusing passwords with multiple systems or companies, or writing them down. The various forms of two-factor authentication offer an answer to this.

E.3.1.2 Shadow passwords
Most UNIX systems now use a shadow password scheme by default. A few may not; see notes below. Using the shadow password scheme is important because it ensures that the password hashes are not world-readable. This prevents simple dictionary and brute-force attacks being applied to get the passwords from the hashes.
Enable password shadowing if it is not on by default. See OS-specific footnotes for details.
HP-UX, AIX, IRIX

E.3.1.3 Ensure all accounts have passwords or are disabled.
Verify that all accounts have passwords. (i.e. the password field is not empty)
Check NIS+ passwords too, if you have them.
Debian
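
The account checks in E.2.2 (system accounts must not have a working login shell) and E.3.1.3 (no empty password fields) can be run over the passwd and shadow files together. This is an added example, not part of the AusCERT checklist; the function names, the finding labels and the sample data are constructed, and the default cut-off of UID 999 for system accounts is an assumption to adjust for your system.

```shell
#!/bin/sh
# audit_accounts PASSWD_FILE SHADOW_FILE [MAX_SYSTEM_UID]
# (function name, labels and the default MAX_SYSTEM_UID of 999 are assumptions)
# Prints one finding per line:
#   NOPASSWORD <user>        empty password field, no authentication needed
#   LOGINSHELL <user> <sh>   system account (UID 1..MAX_SYSTEM_UID) whose shell
#                            is not a nologin/false placeholder
# Pass /dev/null as SHADOW_FILE on systems without shadow passwords.
audit_accounts() {
    awk -F: -v shadow="$2" -v max="${3:-999}" '
        /^#/ || /^[+-]/ || NF < 2 { next }   # comments, NIS compat lines, blanks
        FILENAME == shadow { hash[$1] = $2; has[$1] = 1; next }
        {
            # Prefer the shadow entry; otherwise use the passwd field itself.
            pw = ($1 in has) ? hash[$1] : $2
            if (pw == "") print "NOPASSWORD " $1
            shell = ($7 == "") ? "/bin/sh" : $7   # empty shell field means /bin/sh
            if ($3 >= 1 && $3 <= max && shell !~ /\/(nologin|false)$/)
                print "LOGINSHELL " $1 " " shell
        }
    ' "$2" "$1"
}

# Constructed sample data, not copied from any real system.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
guest:x:1001:1001:Guest:/home/guest:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
EOF
}
sample_shadow() {
cat <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
sync::19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
sample_passwd > "$demo_dir/passwd"
sample_shadow > "$demo_dir/shadow"
audit_accounts "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On a live system the shadow file is readable only by root, so the audit has to run as root: audit_accounts /etc/passwd /etc/shadow.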

E.3.1.4 Password Policy
Have a clear password policy for your organisation. See the AusCERT Advisory SA-93.04 for guidelines on developing password policies.

E.3.1.5 Enforce password complexity
Check if your operating system has a built-in way to configure requirements on password complexity, such as minimum password lengths, requirements for numbers and symbols, etc.
For PAM systems this can be done by a PAM module. If your PAM-enabled system does not have such a module, you can use the pam_passwdqc module available from http://www.openwall.com/passwdqc/ which supports Linux, Solaris, FreeBSD and HP-UX.
For a multi-user system which does not have any mechanism for enforcing difficult passwords, password auditing is discussed in section J.7.3
HP-UX, AIX

E.3.1.6 Password ageing and password history
Consider enforcing password aging, so that users will need to change passwords after a certain maximum period of time.
Be aware that using too short a change period will probably just result in users circumventing policy by writing passwords down.
Consider enforcing a password history, so that users do not reuse recently used passwords.
Note that if using a history, a minimum period between password changes may also be necessary, so that people do not rapidly cycle through passwords to get around the history/ageing restrictions.
HP-UX

E.3.2 One-time passwords
Evaluate the use of one-time passwords for remote connections. In certain situations this mechanism can be more secure than public key authentication or reusable passwords.
For example, a malicious trojan on a client machine can easily capture passwords, secret keys and their passphrases to obtain ongoing remote access to an account. In contrast, where one-time passwords are used a trojan would have to hijack a legitimate session, and the attacker will then have to go to more trouble to maintain ongoing access to the compromised account.
Notes if using one-time passwords:
Generate the master key or password lists while logged on at the console of a trustworthy machine.
Ensure users are aware they must not store password lists on or near their computer.
Minimise the number of one-time passwords printed and given to each user at any one time.
OPIE is a commonly used free implementation, available at http://inner.net/opie
PAM modules implementing one-time passwords are also available.

E.3.3 PAM - Pluggable Authentication Modules
On many UNIX systems, PAM is the main framework for authentication, and will be operational by default.
PAM is provided by default on Linux, FreeBSD, Solaris, HP-UX and AIX.
To find out if a given executable uses PAM, execute the command ldd <path to executable file>. For example, the resulting output for /usr/bin/login on a FreeBSD 6.x system:
ldd /usr/bin/login
/usr/bin/login:
        libutil.so.… => /lib/libutil.so.… (0x…)
        libpam.so.3 => /usr/lib/libpam.so.3 (0x…)
        libc.so.… => /lib/libc.so.… (0x…a…)

Note the libpam.so.3; this shows the program is linked with PAM.
Depending on the system, PAM may be configured with the file /etc/pam.conf or with individual configuration files in /etc/pam.d. PAM is very flexible and it is possible to require more than one authentication method.
Check that PAM is configured to deny access by default; a misconfigured service may result in an attempt to authenticate using a less secure mechanism, or even no authentication at all.
If contemplating any change to the PAM configuration be careful that the effect is understood, so as not to leave the system in an insecure state.
Enforce your password policy using PAM, as discussed in E.3.1
Consider enforcing user resource limits with PAM: This may be done using the pam_limits.so module with configuration in /etc/limits.conf where available.
Linux, Solaris, OpenBSD

E.3.4 NIS/NIS+
Do not use NIS. It is inherently insecure on an untrusted network. It is for this reason and others that NIS was superseded by the more secure NIS+.
Use LDAP instead to achieve the same goal of centralized directory services. If only authentication is required, then Kerberos can be considered as another alternative.
NIS+ is much more secure than NIS, but is only fully implemented on a few UNIX variants. Sun has announced End-of-Feature status for NIS+, and suggests that customers migrate to LDAP.

E.3.5 LDAP
LDAP is a protocol for accessing online directory services. In the special case where LDAP is used to distribute authentication data the security of the LDAP server and its configuration become critical.
For authentication to the LDAP server itself consider using client-side certificates or Kerberos. Alternatively, as a bare minimum use SASL DIGEST-MD5 authentication.
Verify that communication with the LDAP server is protected by TLS, so that data is not transmitted in the clear.
For the UNIX system's authentication data, if supported by the LDAP server use SHA1 (preferably) or MD5 password hashes rather than the weaker UNIX crypt hashes or plaintext passwords.
Ensure that LDAP access controls are correct for all attributes that contain authentication credentials or other sensitive data. In particular, password hashes should not be readable by other users, whether authenticated or not.

E.4 Access Control
E.4.1 File Permissions
E.4.1.1 Permissions for key files and directories
Ensure that system configuration and runtime files are owned by root and are not writable by other users. A few examples of such files are:
startup scripts (rc* and init.d files),
any firewall configuration files,
/etc/profile, /etc/hosts.allow, /etc/mtab,
/etc/utmp, /var/adm/wtmp (or /var/log/wtmp),
/etc/syslog.pid (or /var/run/syslog.pid)

Ensure that log files (usually located in /var/log or /var/adm) are only writable by root.
Ensure that the files holding the kernel and any kernel modules are owned by root, have group ownership set to group id 0 and permissions that prevent them being written to by any non-root users.
Ensure that there are no unexpected world-writable files or directories on your system. Use the find command to locate these, for example
find / -type d -perm … -ls
will locate world-writable directories.
Ensure the sticky bit is set on /tmp, /var/tmp and any other world-writable directories that exist. This is often denoted by a "t" in the last column of permissions when listing with ls -ld
Make a list of the non-root owned directories outside of the user home area, using
find / -path /home -prune -o -type d ! -uid 0 -ls
and ensure that there is nothing unexpected. In particular /etc, /usr/etc, /bin, /usr/bin, /sbin, /usr/sbin, /tmp and /var/tmp should all be owned by root.
Some systems ship files and directories owned by user "bin" (or "sys"). This varies from system to system and may have security implications, especially if file systems are exported with NFS. Change all non-setuid files and all non-setgid files and directories owned by "bin" that are world-readable but not world- or group-writable to be owned by root instead, with group ownership by group id 0.
Solaris

E.4.1.2 Protect programs used by root
Any binary that might get run as root, as well as all parent directories of that binary, must be owned by root and also not be writable by any other user or group. This means:
any program used by system startup scripts
any program used by daemons
any program used in root cron jobs
any program in root's PATH
any program used in root's shell startup scripts
any program executed in turn by the programs above.
as well as all parent directories of these programs.
Ensure that root's PATH is secure, as described in section E.2.4.
Ensure root's login files do not source any other files not owned by root or which are group- or world-writable.
Ensure root cron job files do not source any other files not owned by root or which are group- or world-writable.
Check the contents of the following files for the root account. Any programs or scripts referenced in these files should have the permissions recommended above:
~/.login, ~/.profile, ~/.bashrc, ~/.cshrc and similar shell initialization files
~/.logout and similar session cleanup files
Program configuration files in the home directory such as .vimrc and .exrc
crontab and at entries
scripts and programs on NFS partitions
/etc/rc* and similar system startup and shutdown scripts.

If any programs or scripts run by these files use further programs or scripts then those also need to be secure.
Do not allow any shell scripts to be SetUID.

E.4.1.3 Protect directories written to by root
The advice in this section also applies to protecting other daemon or server accounts.
Any predictably named files created by scripts, daemons, server processes, or cron jobs MUST be in a directory that is non-writable by less privileged users and groups. This includes directories used for logging.
Otherwise, a symlink attack may be used to escalate privileges from unprivileged user to a more privileged one, such as root.
Scripts and programs that need to create files in a directory writable by others, such as /tmp, must take special precautions to create the file atomically. If your organisation's system administration scripts need to use temporary files, refer to the Secure Programming for Linux and Unix HOWTO for a discussion on doing this securely in shell scripts, Perl and C.
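
Why the file has to be created atomically, shown in a private scratch directory. This is an added example, not part of the AusCERT checklist or the HOWTO it cites; the function names and the file name nightly.tmp are made up, and the scenario in symlink_demo is constructed.

```shell
#!/bin/sh
# unsafe_report DIR   (all names here are illustrative)
# The pattern to avoid: a fixed, predictable file name in a directory that
# other users can write to. The shell follows whatever already sits there.
unsafe_report() {
    echo "nightly report" > "$1/nightly.tmp"
}

# safe_report DIR
# mktemp picks an unpredictable name and creates the file in one step, with
# owner-only permissions, failing instead of reusing an existing file or
# symlink. Prints the name of the file it wrote.
safe_report() {
    tmp=$(mktemp "$1/nightly.XXXXXX") || return 1
    echo "nightly report" > "$tmp"
    echo "$tmp"
}

# symlink_demo
# Constructed scenario: "shared" stands in for a directory writable by less
# privileged users, one of whom has left a symlink at the predictable name
# pointing to a file the script owner can write ("victim"). Prints the
# victim's content after the safe writer and after the unsafe writer ran.
symlink_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared"
    echo "original" > "$d/victim"
    ln -s "$d/victim" "$d/shared/nightly.tmp"

    safe_report "$d/shared" >/dev/null
    echo "after safe: $(cat "$d/victim")"

    unsafe_report "$d/shared"
    echo "after unsafe: $(cat "$d/victim")"

    rm -rf "$d"
}

symlink_demo
```

The second line of output shows the unrelated file overwritten, which is the privilege escalation path the section warns about when the writer runs as root.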

E.4.1.4 Group membership
There are two different schemes in use for arranging UNIX groups, and these lead to different recommendations for home directory permissions and umask.
1. Traditional group scheme
In this scheme most users belong to a common group by default, such as the group "users". This is the default on OpenBSD, Slackware, ...

2. User Private Group scheme
In this scheme a separate group is created in /etc/groups for each user. The user should be the only member of that group. This scheme makes working on group projects easier, as users do not need to use the umask command when working in a common project directory. This is the default on FreeBSD, Red Hat, Debian, ...
Do not use the legacy feature of password-protected groups. It is insecure because the /etc/group file is not shadowed, so hashes are world-readable.
HP-UX

E.4.1.5 umask for users
A user's umask determines the default permissions on new files created by the user. Note that unlike file permissions, the umask shows which permission bits are not allowed, e.g. a umask of 777 means no access.
Ensure the umask for each user is set to a restrictive value within the user's shell startup scripts. The appropriate umask will depend on whether a User Private Group scheme is used. If the traditional group scheme is being used, ensure a umask of 077 or 027 is set in the users' shell startup scripts.
A weaker umask of 007 is acceptable if the User Private Group scheme is being used.

E.4.1.6 Permissions for user home directories
Ensure user home directories are owned by the user, and are not writable by any other user or group.
If the traditional group scheme is in use, the group ownership on home directories may be set to the common group, so ensure that the directory is not group-writable.
If the User Private Group scheme is in use, the group ownership on home directories should be set to the user's private group.
For either scheme, consider setting permissions on home directories to 700 to prevent other people from viewing the contents by default.

E.4.2Filesystemattributes
Considerusingfileattributesifyouroperatingsystemsupportsthem.
systembinariesandkeyconfigurationfilescanbemadeimmutable,
logfilescanbemadeappendonly.
Linux, FreeBSD

E.4.3RoleBasedAccessControl
ConsiderusingRoleBasedAccessControl(RBAC)tosplittheroleofroot,ifavailablefor
yoursystem.(SeeOSspecificfootnotes)
Thisreducestheriskofafrequentlyusedallpowerfulrootaccountthatcancontrolthe
wholemachineifcompromised.
Inanenvironmentwithmultiplesystemadministrators,RBACcanalsogivetheabilityto
splitadministrationpowersamongseveralpeopleifdesired.
Linux, Solaris, HPUX, AIX

E.4.4 sudo
The sudo utility is available for practically all UNIX variants and can help minimise the
need to use the root account.
For systems administered by more than one person, sudo can also be helpful to split the
power of root to some extent if full Role Based Access Control is not available.
sudo allows users or groups of users to execute specific authorized commands as
another user, such as the root user. It requires unprivileged users to enter their own
user password in order to execute privileged commands. This enables administrative
tasks to be distributed among different users, while limiting the distribution of the root
password.
Also, sudo can be configured to log each access (or attempted access) to commands by
users, enabling some auditing of users' privileged actions.
Exercise caution when configuring sudo. Even if a user is only granted access to execute
one specific program with root privileges, if that program can be made to spawn a shell
or run other commands (e.g. many text editors can do this), then the user can execute
arbitrary commands as root using their sudo access, and this usage may not be logged.
It can be difficult to determine which programs may grant unintended access or
privilege escalation. This is why permitting an extremely limited set of commands is
preferable.

E.4.5 Consider mandatory access control features
Mandatory access control allows all accesses to data on the system to be controlled by a
site policy rather than user discretion. Depending on which policy model is used, this can
be aimed at preventing an attacker from leaking confidential information from the
system, or at preventing an attacker from making unauthorised changes, even after
subverting software on the system.
Mandatory access control implementations usually also provide more reliable and
fine-grained auditing of access events.
Some operating systems offer mandatory access control and data labelling as
optional features.
Other operating systems instead have a separate "trusted" version which
implements these features.
Consider the benefits and costs of installing and enabling these trusted operating system
features if available. Note that some of these controls may impact software
compatibility and usability, so enforcing these will not be useful to all organisations.
For systems where mandatory access control is enabled by default, verify that the
current configuration is the appropriate one for your situation.
Linux

E.5 Other
E.5.1 Cron
Ensure that the permissions for root's crontab are set to 600 and that the owner is set to
root.
Consider not allowing regular users to add cron jobs.

E.5.2 Mount options
Choosing to use separate partitions as recommended in section B.3 now allows flexibility
for mount options.
Configure the mount options nosuid, nodev and noexec for /var and /tmp in your
/etc/fstab or vfstab file.
For user home partitions, use nosuid and nodev and consider using noexec.
Mount external file systems with the nosuid and nodev options. This includes both
removable media such as CDs and USB drives as well as network file systems. Consider
also using the noexec and read-only options for these file systems where practical.
AIX
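One way to check the mount options listed in E.5.2, as an added example that is not part of the AusCERT checklist. The function name audit_fstab and the sample table are constructed for illustration, and the script assumes the six-column Linux/BSD fstab layout (Solaris vfstab orders its columns differently).

```shell
#!/bin/sh
# audit_fstab: read an fstab on stdin and report, for /var, /tmp and /home,
# which of the options recommended in E.5.2 are missing.
# Output lines:  <mount point>: missing <opt>[,<opt>...]
#           or:  <mount point>: not a separate filesystem
audit_fstab() {
    awk '
    BEGIN {
        # Required options per mount point (from E.5.2).
        need["/var"]  = "nosuid nodev noexec"
        need["/tmp"]  = "nosuid nodev noexec"
        need["/home"] = "nosuid nodev"
        order = "/var /tmp /home"
    }
    /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
    ($2 in need) {
        seen[$2] = 1
        n = split($4, have, ",")           # column 4 holds the mount options
        split("", present)                 # portable way to clear an array
        for (i = 1; i <= n; i++) present[have[i]] = 1
        m = split(need[$2], want, " ")
        missing = ""
        for (i = 1; i <= m; i++)
            if (!(want[i] in present))
                missing = missing (missing == "" ? "" : ",") want[i]
        result[$2] = missing
    }
    END {
        k = split(order, mp, " ")
        for (i = 1; i <= k; i++) {
            if (!(mp[i] in seen))
                print mp[i] ": not a separate filesystem"
            else if (result[mp[i]] != "")
                print mp[i] ": missing " result[mp[i]]
        }
    }'
}

# Constructed sample input: /tmp is correct, /var lacks noexec,
# /home has only "defaults".
sample_fstab() {
    cat <<'EOF'
# device    mountpoint  type  options               dump pass
/dev/sda1   /           ext3  defaults              1 1
/dev/sda2   /var        ext3  defaults,nosuid,nodev 1 2
/dev/sda3   /tmp        ext3  nosuid,nodev,noexec   1 2
/dev/sda5   /home       ext3  defaults              1 2
EOF
}

sample_fstab | audit_fstab
```

On a live system the same function can be fed the real table with `audit_fstab < /etc/fstab`.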

E.5.3 Non-execute memory protection
Install and turn on non-executable stack protection if available for your operating
system. This makes buffer overflow bugs more difficult for attackers to exploit.
Some implementations also provide non-execute protection for other memory regions
such as the heap, or provide broader protection ensuring that memory regions are not
both writable and executable.
Solaris, HP-UX, AIX

E.5.4 Umask for startup scripts
Ensure that any startup scripts use a umask of 022 or better. This should already be the
case for vendor supplied startup scripts.

E.5.5 .netrc files
~/.netrc is a file used by ftp and by rexec to automate file transfers and remote
execution.
Do not use .netrc files. Instead use SSH and scp, or rsync over SSH if automated file
transfers or execution are required.
Secure Base OS general notes: Linux, Solaris, HP-UX, FreeBSD, OpenBSD, AIX

F. Secure Major Services
F.1 Confinement
Server processes can be confined with reduced access to the system, so that if the software
misbehaves or is compromised the damage is limited. The facilities available to do this vary on
different UNIX systems.

F.1.1 Running under an unprivileged account
Ensure that services run under unprivileged accounts where possible.
Many services do this automatically, however some will run as root by default and will
need to be configured manually.

F.1.2 Using chroot jails
chroot jails are the most common confinement mechanism, available on almost all UNIX
and Linux systems. The chroot(2) system call is used to confine the daemon to a small
subtree of the real file system and it appears to that process to be the root directory.
Any libraries that the daemon requires will also need to be put inside the chroot
directory structure.
The software and files deployed within the chroot environment can then be minimized to
those only needed by that specific service.
Many daemons now have a built-in configuration option to chroot themselves to a
specified directory after starting, which is more convenient than manually using the
chroot command in a startup script.
Be aware that chroot is not foolproof: if an attacker is able to gain root privileges
within the chroot jail, then there are potentially several ways they may break out.

F.1.3 Other confinement mechanisms
Several operating systems provide their own more advanced mechanisms for confining
processes. See the OS specific footnotes for details on Solaris Containers and privileges,
FreeBSD jails and SELinux Type Enforcement.
Linux, Solaris, FreeBSD

F.2 tcp_wrappers
The primary way to restrict accesses to the host's services by IP address is to use a host
firewall, discussed in section H.1. However, many UNIX and Linux systems also provide a
second control, in the form of tcp_wrappers. This may already be in use on your system by
default.
tcp_wrappers does provide some extra flexibility if needed: it can be configured to require
reverse DNS lookups or ident (RFC 931) lookups, allows automatic execution of scripts when
conditions are met, and can also provide improved logging for services that do not have
adequate access logs of their own.
There are two ways that tcp_wrappers may be used on the system:
It is possible to explicitly "wrap" a service, by running the program tcpd to accept
connections which are then passed to the actual network service.
More commonly though, the vendor has already compiled network services to use the
libwrap library. In this case the relevant daemon will enforce the tcp_wrappers
restrictions when accepting connections.

The main configuration file for tcp_wrappers is /etc/hosts.allow
Explicitly list host IPs which are allowed access to the services in this file. At the bottom of the
file put all: all: deny to deny all other IP addresses. The rules in this file work on a "first
match wins" basis.
The file /etc/hosts.deny may also be used, though this is no longer required.
If /etc/hosts.deny is present, put all: all in this file.
HP-UX

F.3 Other general advice for services
F.3.1 Configure services to listen on one interface only
Instead of allowing services to listen on a wildcard network interface, configure them to
listen on only one specific IP address where possible.
If the service is only required for use on the local host, then it should listen only on the
loopback interface where possible, with address 127.0.0.1

F.3.2 Adding SSL to existing services
If this UNIX or Linux system provides services that involve sensitive data, but the built-in
encryption or authentication of the software is inadequate, then consider using stunnel
to secure these services.
stunnel is a free tool that can be used to add TLS (or SSL) authentication and encryption
capabilities to any existing client and server that uses TCP. For example, it can be used
to secure access to POP3, or to secure an existing in-house application that
communicates using TCP.
If required, client access to the wrapped service can also be authenticated using
client-side certificates.
stunnel packages may be available from the OS vendor, or otherwise by downloading
source from http://www.stunnel.org/

F.4 SSH
Do not log in via SSH from an insecure workstation. Contrary to popular belief, public key
cryptography will not protect you in doing this. Where SSH is used, a trust relationship is
implied: the SSH server computer trusts the security of the SSH client computer.
Be aware that when doing X forwarding through SSH, the trust relationship is also reversed:
the workstation running the X display must also trust the computer running each X program.
This is due to the cross-client X attacks described below in F.9.3
Suggested configuration options for the OpenSSH sshd implementation:
In the configuration file sshd_config do use:
Protocol 2 (the SSH1 protocol had weaknesses)
ListenAddress <address> (bind to one address only)
PermitRootLogin no
Port <port> (consider using an alternate port)
PermitEmptyPasswords no
AllowUsers one two@host three

Disable other authentication options. In particular, do not use:
RhostsAuthentication
HostBasedAuthentication
RhostsRSAAuthentication (not good for accountability)

Where SSH is used by scripts, configure SSH on the server side to allow execution of a certain
single command only. This is achieved using a command= directive in the authorized_keys file.
Many UNIX and Linux systems are compromised by attackers through SSH, by simply using a
dictionary attack on passwords.
It is strongly recommended to use public key authentication instead of passwords. If password
authentication must be used with SSH, verify that a strong password policy is in effect, as
described in E.3.1.
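A sketch of how the F.4 settings can be audited, added here as an example and not taken from the AusCERT checklist or from OpenSSH. The function names, the sample files, the placeholder key blobs and the documentation address 192.0.2.10 are all constructed; the parser assumes whitespace-separated keywords and stops at the first Match block.

```shell
#!/bin/sh
# audit_sshd_config: read an sshd_config on stdin and print one finding
# per line for the options listed in F.4.
audit_sshd_config() {
    awk '
    function require(name, want,    k) {
        k = tolower(name)
        if (!(k in val))         print name ": not set"
        else if (val[k] != want) print name ": " val[k] " (want " want ")"
    }
    function present(name) {
        if (!(tolower(name) in val)) print name ": not set"
    }
    function forbid(name,    k) {
        k = tolower(name)
        if ((k in val) && val[k] == "yes") print name ": yes (want no)"
    }
    /^[ \t]*#/ || NF == 0   { next }
    tolower($1) == "match"  { exit }    # conditional blocks are out of scope
    {
        k = tolower($1)                 # keywords are case-insensitive
        if (!(k in val)) val[k] = tolower($2)   # sshd keeps the first value
    }
    END {
        require("Protocol", "2")
        require("PermitRootLogin", "no")
        require("PermitEmptyPasswords", "no")
        present("ListenAddress")
        present("AllowUsers")
        forbid("RhostsAuthentication")
        forbid("HostBasedAuthentication")
        forbid("RhostsRSAAuthentication")
    }'
}

# audit_authorized_keys: read an authorized_keys file on stdin and report
# every key that is not tied to a single command with command="...".
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    $0 !~ /(^|,)command="/ { print "line " NR ": no forced command" }'
}

# Constructed sample: PermitRootLogin appears twice and the first value
# (yes) is the one sshd uses; AllowUsers only appears inside a Match block.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample sshd_config
Protocol 2,1
ListenAddress 192.0.2.10
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
HostbasedAuthentication yes
Match User backup
    AllowUsers backup
EOF
}

# Constructed sample: only the first key is restricted to one command.
sample_authorized_keys() {
    cat <<'EOF'
# constructed sample; key blobs are placeholders
command="cvs server",no-port-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER dev1@client
ssh-rsa AAAAB3PLACEHOLDER admin@workstation
no-pty ssh-rsa AAAAB3PLACEHOLDER batch@client
EOF
}

sample_sshd_config | audit_sshd_config
sample_authorized_keys | audit_authorized_keys
```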

F.5 Printing
There are several different default printing systems supplied with UNIX and Linux systems. The
three most common of these are BSD-style lpr (also found on AIX), LPRng and CUPS.
In general, prevent the printing service from listening to the network unless necessary for this
computer's role.
If a network printing service is part of this computer's role, then do not rely solely on IP
addresses for authentication (for instance the hosts.lpd file with lpd or LPRng is based only on
IP address.)

F.6 RPC/portmapper
Look for the specific facilities provided by your operating system for securing RPC access with
authentication and/or encryption. The security features available vary greatly between UNIX
variants.
Be aware that some older portmapper/rpcbind daemons may forward RPC requests from
remote hosts, and make them appear to come from the local host.

F.7 File services NFS/AFS/Samba
F.7.1 NFS
Filter NFS traffic at the router, blocking TCP/UDP on port 111 and TCP/UDP on port
2049. This will help prevent machines not on the local subnet from accessing file
systems exported by this host.
Be aware of the trust relationships implied by the current NFS configuration, to
determine what impact an attacker may have if they compromised or spoofed the
identity of either the server or the client. This is particularly relevant if NFS sessions are
only being authenticated by IP address.
Configure NFS to use TCP rather than UDP. This is supported by all NFS3
implementations.
Consider tunnelling NFS over SSH or stunnel to provide authentication and encryption.
Configure statd, mountd and lockd to bind to a fixed port number if possible so that
configuring a host firewall is more straightforward.
Confirm NFS is configured to accept mount requests only from ports less than 1024. This
is configured by default on some NFS implementations, and may be set by the 'secure'
option on exports in others.
Verify that you run a portmapper or rpcbind that does not forward mount requests from
clients. With older portmappers a malicious remote NFS client could ask the host's
portmapper daemon to forward requests to the mount daemon, which would then
process the request as if it came directly from the local host. If a file system is
exported to the local machine this then gives the remote client unauthorised access to
the file system.
Configure /etc/exports or /etc/dfs/dfstab to export the minimum set of file systems
that need to be exported.
Export file systems read-only (ro) whenever possible. See the manual page for exports
or dfstab for more information.
Check that any important exported files that clients should not be able to modify are
owned by root, and not owned by bin or any other account.
Ensure that file systems are exported with the root_squash or maproot option, to map
root to an unprivileged user. Without this, an attacker controlling root on one of the
clients will also be able to access the server as root.
Confirm that no file systems are exported unintentionally to the world. Invoke
showmount -e to verify what is currently being exported. If required, add an
access= option or equivalent in /etc/exports to restrict access by IP. If
you must specify hostnames instead of IPs, then export to fully qualified domain names
only (i.e. use 'machinename.domainname.com' rather than abbreviating it to
'machinename').
Solaris
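The export checks in F.7.1 (read-only, root squashing, no world exports, fully qualified client names) can be scripted. The following is an added example, not part of the AusCERT checklist; the function name audit_exports and the sample file are constructed, and it assumes the Linux exports(5) syntax of `path client(options)`, where a stray space before the parenthesis turns the options into a separate entry that applies to every host.

```shell
#!/bin/sh
# audit_exports: read an exports file (Linux syntax) on stdin and print
# findings as "<path> <client>: <problem>".
audit_exports() {
    awk '
    function report(who, msg) { print $1 " " who ": " msg }
    /^[ \t]*#/ || NF == 0 { next }
    NF == 1 { print $1 ": no client list given"; next }
    {
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                      # split client(opt,opt,...)
                host = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\).*$/, "", opts)
            }
            who = (host == "" ? "*" : host)   # "(opts)" alone means any host
            if (host == "" || host == "*")
                report(who, "exported to all hosts")
            else if (host !~ /[.:]/ && host !~ /^@/)
                report(who, "host name is not fully qualified")
            if (("," opts ",") ~ /,rw,/)
                report(who, "writable (rw)")
            if (("," opts ",") ~ /,no_root_squash,/)
                report(who, "root is not squashed")
        }
    }'
}

# Constructed sample. The /srv/home line has a space before "(rw)", so the
# named client gets default options and every other host gets rw.
sample_exports() {
    cat <<'EOF'
# constructed sample, Linux exports(5) syntax
/srv/pub      192.0.2.0/24(ro,root_squash)
/srv/build    buildhost(rw,no_root_squash)
/srv/home     client1.example.com (rw)
/srv/dist     *(ro)
EOF
}

sample_exports | audit_exports
```

Compare the result with what `showmount -e` reports for the running server, since the file and the active export table can differ.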

F.7.2 Samba
The Samba service provides file system and printer shares using the CIFS protocol that
is also used in Microsoft Windows.
If users in your environment authenticate to Active Directory for other services, then
consider pointing to the same AD server for Samba authentication, setting
security = ADS
See the Samba HOWTO for further details on implementing this.
Otherwise, configure your shares for user-level security using the
security = user
parameter. In current versions of Samba this is the default.
Require at least NTLM2 authentication as a bare minimum, with
lanman auth = no
ntlm auth = no
restrict anonymous = <value>
guest ok = no
Consider using stronger client authentication methods. Samba supports better
authentication through Kerberos or Pluggable Authentication Modules (PAM).
Restrict access to the Samba service with the parameters:
hosts allow = <value>
hosts deny = <value>
Protect the Samba services with firewall rules to ensure they cannot be accessed from
hosts outside the local network. Samba uses ports 137 and 138 (UDP) and ports 139 and
445 (TCP).

F.8 Email service
Check that your Mail Transport Agent (mail server software) is configured not to relay mail
from unauthenticated hosts. This helps to prevent your mail server from being misused to send
bulk spam. The open relay testing page at http://www.abuse.net/relay.html can assist in testing
this.

F.8.1 Sendmail
On most UNIX and Linux systems the default MTA will be Sendmail. This section
provides configuration recommendations specifically for Sendmail, though the same
configuration goals can be applied to other MTAs.
If this computer is not a mail server, then:
Disable SMTP connections from other computers by adding
Addr=<address> to each DAEMON_OPTIONS macro that is in your config.
For example:
DAEMON_OPTIONS(`Name=IPv4, Family=inet, Addr=<address>')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Addr=<address>')
FEATURE(`no_default_msa')
DAEMON_OPTIONS(`Name=MSA, Port=<port>, Address=<address>')

Consider disabling the daemon mode altogether by removing the -bd option from
the startup script. This will still allow most local Mail User Agents to invoke the
sendmail binary to send mail. In this case, do use a -q<interval>m option to ensure
queued outbound messages are still processed.
If this IS a mail server, then:
Ensure familiarity with Sendmail access control and anti-spam control features.
See http://www.sendmail.org/m4/anti_spam.html for an overview.
If it is really necessary to relay mail from roaming users outside your local
address range, then configure Sendmail to require SMTP AUTH for these
connections.
In both cases:
If you do not require emails to be piped to other programs for processing then
disable prog mailer functionality with
MODIFY_MAILER_FLAGS(`LOCAL', `-|')

If you do require piping email to programs, use smrsh to limit the programs that
can be executed to only those programs linked in the smrsh configuration
directory. This can be turned on with
FEATURE(`smrsh', `/usr/libexec/smrsh')

(The location of the smrsh binary may vary on different systems.)
Consider setting sendmail logging to a minimum log level of 10.
This will help detect attempted exploitation of sendmail vulnerabilities as well as
logging each connection and the username used in each SMTP AUTH. To do this
use:
define(`confLOG_LEVEL', `10')

/etc/mail/aliases
Check that any programs executed from this file are owned by root, have
permissions 755 and are stored in the smrsh configuration directory, e.g.
/etc/smrsh

Remember that it is necessary to regenerate sendmail.cf and/or .db files and then
restart sendmail for any changes to take effect.

F.8.2 Mail server MTA choices
Sendmail is the most fully featured MTA software. On the other hand it is also a large
and complex program. The complexity leaves more scope for security vulnerabilities
through misconfiguration or software flaws.
If this computer accepts email from other systems, and Sendmail's extra functionality is
not required, then consider the benefits and costs of using an alternative to Sendmail
with a more simple and privilege-separated design.
qmail is a replacement for sendmail designed with security and correctness as a primary
goal, but implementing a more limited set of features. It is available at:
http://cr.yp.to/qmail.html
Postfix is another Mail Transport Agent that has been designed to avoid common security
problems. Postfix's home page is: http://www.postfix.org

F.9 The X Window System
F.9.1 Restrict access to the X server
Consider configuring workstations to disable listening for incoming X sessions over the
network. On many operating systems this is done by using the -nolisten tcp option in
the script that starts the X server. Alternatively, on some systems this may be set in the
configuration file for xdm, gdm or kdm.
Use the X magic cookie authentication mechanism MIT-MAGIC-COOKIE-1 or better. With
logins under the control of xdm, authentication can be enabled for all displays by editing
the xdm-config file to include the line DisplayManager*authorize: true
This may or may not be the default on your system.
If granting access to the display from another machine, use the xauth command in
preference to the xhost command.
Do not use host-based access control. Remove all instances of the xhost command from
the system-wide Xsession file, from user .xsession files, and from any application
programs or shell scripts that use X.

F.9.2 Protect any X traffic
If X is used across the network, then encrypt and authenticate all X network traffic.
Using the X Forwarding feature of SSH is the most straightforward way to achieve this.
(See section F.4)

F.9.3 Avoid cross-client X attacks
Note that in most X servers there is little to protect one X client program from another.
This allows any X client program to capture keystrokes and screenshots of other X client
programs and also to inject input to other programs.
Therefore if some X applications are less trusted than others, consider the risk of this
for your environment and separate the use of applications appropriately.
For example, consider not typing the root password while in X, instead using the console
(or a separate logical X display).
Secure X servers included with B-level trusted operating systems such as Trusted Solaris
are designed to eliminate this issue.

F.9.4 X display managers
If the system is configured to provide a graphical login screen, the display manager
(such as xdm, gdm or kdm) is the program that does this.
xdm may bypass the normal getty and login functions, which means that quotas for the
user, ownership of /dev/console and possibly other preventive measures put in place
by you may be ignored.
Desktop environments that are available for UNIX may provide different X display
managers (e.g. gdm from Gnome and kdm from KDE).

Ensure familiarity with the man pages for xauth and Xsecurity. This information will be useful in
configuring the security you require. The chapter on X Window System security in the X Window
System Administrator's Guide is also a good reference.

F.10 DNS service
F.10.1 BIND
For most UNIX systems, BIND will be the default domain name server software
provided.
Turn off dynamic updates unless they are really required, for example to support Active
Directory.
Consider applying the security practices detailed in the following documents:
Secure BIND Template, by Rob Thomas
http://www.cymru.com/Documents/secure-bind-template.html
Securing an Internet Name Server, by Cricket Liu
http://www.linuxsecurity.com/resource_files/server_security/securing_an_internet_name_server.pdf
Chroot-BIND HOWTO, by Scott Wunsch
http://www.losurs.org/docs/howto/Chroot-BIND.html for BIND version 9.x or
http://www.losurs.org/docs/howto/Chroot-BIND8.html for BIND version 8.x.

F.10.2 DNS server choices
BIND is the DNS server software that provides the most comprehensive set of DNS
features. On the other hand it is also a large and complex piece of software. The
complexity leaves more scope for security vulnerabilities through misconfiguration or
software flaws.
If BIND's extra functionality is not required, then consider the benefits and costs of
using an alternative with a more simple design such as djbdns.
djbdns is a set of DNS server software designed with security as a primary goal, but
implementing a more limited set of features. It provides separate programs for the DNS
cache and DNS server roles. djbdns is available at: http://cr.yp.to/djbdns.html

F.11 WWW service
F.11.1 General configuration
Apache is the most common web server on Unix systems. If you are using Apache,
implement the security recommendations outlined in
http://httpd.apache.org/docs/misc/security_tips.html
Consider running the web server in a chroot jail (see section F.2.1). Some systems
supply the web server in this configuration by default. Example steps for chrooting
Apache on Linux and Solaris can be found at http://penguin.triumf.ca/chroot.html. A
simpler way to chroot Apache is now provided by mod_security's SecChrootDir
option, as described here.
Consider configuring the web server to disallow automatic directory listing if an
index.html file is not present in the directory.
Consider configuring the web server to not follow symbolic links. This prevents a user
with access to the web server's document tree from making other documents, outside
the tree, available via symbolic links.
Consider running the web server on a dedicated computer that is not relied on for other
services.

F.11.2 Web applications
This section applies to dynamic web content including all web applications, CGI and
server-side scripting languages such as PHP, Perl or Python.
If using ready-made web applications such as content management systems, portals or
discussion forums, be careful in choosing high quality software and be especially vigilant
in keeping these up to date. Known vulnerabilities in PHP web applications are some of
the most common ways that UNIX and Linux web servers are compromised.
Ensure that any default or example scripts included with an application or framework are
removed if not needed.
Consider monitoring changes to scripts and web applications using a file integrity
checking program such as Tripwire. (See section G.5.1)
For any web site developed in-house or by contract, ensure all developers doing web
programming understand the specific issues of secure web programming. In particular
the OWASP Guide to Building Secure Web Applications, available at
http://www.owasp.org/index.php/OWASP_Guide_Project is indispensable.
The most common vulnerabilities exploited are listed in the OWASP Top Ten at
http://www.owasp.org/index.php/OWASP_Top_Ten_Project
Set minimal file system permissions, especially on the directories containing scripts. The
permissions required by different applications and frameworks vary. Preferably the
unprivileged account running the httpd should not have permission to write to the script
area.

F.11.3 TLS/SSL
Use TLS (Transport Layer Security) or its predecessor SSL (Secure Socket Layer) to
provide authentication and encryption where appropriate.
Confirm that sensitive form data is not submitted unencrypted.
Confirm that the private key file cannot be read by the unprivileged account that the
httpd process runs as (usually www or nobody).
SSL version 2.0 is insecure and should be disallowed.
For logon pages, it is recommended to use SSL not only for the form submission, but
also for the logon page itself, as this makes it easier to instruct users not to submit their
password to an unauthenticated site.

F.11.4 Static-only web server
If serving static pages is all that is required, consider running more cut-down and
minimal web server software.
publicfile is a simple, read-only HTTP and FTP server designed with security as a
primary goal. It is available from: http://cr.yp.to/publicfile.html

F.12 Squid proxy
Avoid providing an open proxy
Configure access controls so that only authorised clients can make requests through the proxy.
Note that Squid ACLs use the first rule that matches. If none match, the last rule checked is
used inverted. So to avoid unintended access it is best to put a catch-all deny rule last:
http_access deny all
Listen on a single interface
If this computer has more than one network interface, specify the interface's IP address with a
configuration line:
http_port <address>:<port>
to cause squid to only listen on that interface.
Disable unused protocols
If you are not using the inter-cache and management protocols, then turn them off by setting
the port to 0, as in the following configuration lines:
snmp_port 0
htcp_port 0
icp_port 0

Deny proxy to localhost
To ensure that a remote attacker cannot connect to other ports on the local computer via the
Squid proxy, include access rules similar to the following:
acl to_localhost dst <address>
http_access deny to_localhost
Secure squid files
Check that squid logs and cache files are not world readable. These can contain data from proxy
users that should remain confidential.

F.13 CVS
Use SSH to authenticate and encrypt all CVS access.
Do not use CVS pserver functionality.
Create a UNIX account on the computer for each CVS user, and limit their SSH session so it is
only able to execute the command "cvs server".
Why this provides better security than cvs pserver:
1. cvs does not need to run as root
2. Access control is enforced by the operating system, not by cvs.
Be aware that CVS access control is per directory, rather than per file. (The CVS manual in
section 222 describes the access control model.)
Use LockDir in CVSROOT/config to have read-only directories where appropriate.

F.14 Web browsers
Do not allow external programs to spawn automatically for any type of downloaded content.
This includes not allowing browsers to automatically launch multimedia viewers, shells, script
interpreters or macro processors.
Instead configure the browser to prompt before opening external programs. This can be
achieved using the helper application preferences for the browser.
Consider disabling Java and JavaScript in the web browser.
Do not run a web browser as root.

F.15 FTP service
Do not run an FTP service unless there is no alternative.
If the purpose is to provide unauthenticated access or public access it is better to use a
simple HTTP server such as publicfile (see section F.11.4).
If authenticated access is required, it is better to use sftp. An sftp server is included as
part of OpenSSH, which is available either as packages from your OS vendor, or as
source from http://openssh.com/. Several free graphical clients are available to support
Windows users, including WinSCP (http://winscp.net/).

F.15.1 General configuration
Ensure that your FTP server does not have the SITE EXEC command, or that this
command is disabled correctly.
Test with:
telnet localhost 21
USER username
PASS password
SITE EXEC

If it is correctly disabled, you should receive an error response like
SITE EXEC: command not understood
Then type QUIT to end the session.
Ensure that you have set up the file /etc/ftpusers. This file specifies those users that
are not allowed to connect to your ftpd. This should include, as a minimum, the entries:
root, bin, uucp, ingres, daemon, news, nobody and ALL vendor supplied accounts.
Use chroot to confine the ftp daemon. (See section F.1.2)
Check all default configuration options on your FTP server. Not all versions of ftp
daemons are configurable. If you have a configurable version of ftp (e.g., WU-FTP) then
make sure that all delete, overwrite, rename, chmod and umask options (there may be
others) are not allowed for guests and anonymous users. In general, anonymous users
should not have any unnecessary privileges.
Ensure there are no shells, interpreters or system commands in ~ftp/bin,
~ftp/usr/bin, ~ftp/sbin or similar directories. It may be necessary to keep some
commands, such as uncompress, in these locations. Consider the inclusion of each
command on a case-by-case basis and be aware that the presence of such commands
may make it possible for local users to gain unauthorised access. Be wary of including
commands that can execute arbitrary commands. For example, some versions of tar
may allow you to execute an arbitrary file.
Ensure that you use an invalid password and user shell for the ftp entry in the system
password file and the shadow password file (if you have one). It should look something
like:
ftp:<invalid password>:<uid>:<gid>:Anonymous ftp:/home/ftp:/bin/false
where /home/ftp is the anonymous FTP area.
Set the permissions of the FTP home directory ~ftp to 555 (read, no write, execute), and
check that this directory is owned by root (ftp).
Make sure that you do not have a copy of your real /etc/passwd file as
~ftp/etc/passwd. Create one from scratch with permissions 444, owned by root. It
should not contain the names of any accounts in your real password file. It should
contain only root and ftp. These should be dummy entries with disabled passwords
e.g.:
root:<disabled password>:<uid>:<gid>:Ftp maintainer::
ftp:<disabled password>:<uid>:<gid>:Anonymous ftp::
The password file is used only to provide uid to username mapping for ls listings within
ftp.

Make sure that you do not have a copy of your real /etc/group file as ~ftp/etc/group.
Create one from scratch with permissions 444, owned by root.
Ensure the files ~ftp/.rhosts and ~ftp/.forward do not exist.
Set the login shell of the ftp account to a non-functional shell such as /bin/false.
Ensure no files or directories are owned by the ftp account or have the same group as
the ftp account. If they are, it may be possible for an intruder to replace them with a
trojan version.
Ensure no files or directories in the FTP area are world writable.
Ensure that the directories ~ftp/etc and ~ftp/bin are owned by root with permissions
111.
Ensure that any files in ~ftp/bin are owned by root with permissions 111.
Ensure that files in ~ftp/etc are owned by root with permissions 444.
Ensure that there is a mail alias for ftp to avoid mail bounces.
Ensure the mail spool file for the ftp daemon account is owned by root with permissions
400. (Depending on the system this will be in a location such as /var/mail/ftp or
/usr/spool/mail/ftp)
Never mount disks from other machines to the ~ftp hierarchy unless they are mounted
read-only.
HP-UX

F.15.2 Anonymous FTP
To ascertain whether you are running anonymous FTP, try to connect to the local host
with username "anonymous", and give a well-formed email address as the password.
To disable anonymous FTP, move or delete all files in ~ftp and then remove the "ftp"
user account from the system.

Ensure that if you want to use anonymous FTP you have configured your server
correctly. In general, anonymous users should not be allowed to create directories,
delete anything, change the file system in any way (for instance change the permissions
of a file) or upload files. If you intend to allow anonymous users to upload files, read
the section below about upload directories.
Limit the number of anonymous connections allowed, and also the number of times a
single IP can be logged in at once. Anonymous users should only be allowed to have one
session active at a time, otherwise you make a DoS attack easier.
Ensure that the anonymous ftp user account cannot create files or directories in ANY
directory unless required.
Verify that the anonymous ftp user account can only read information in public areas.

F.15.3 Upload directories
Preferably, check that you do not have any writable directories as this is safest. If you
must have writable directories to allow upload, we recommend that you limit the
number to one, for instance an 'upload' directory.
Ensure that the writable directory is not also readable. Directories that are both writable
and readable are likely to be misused.
Check that any writable directories are owned by root and have permissions 1733. (note
sticky bit set)
Put writable directories on a separate partition if possible. This will help to prevent
denial of service through disk exhaustion.

G. Add Monitoring Capability
DISCLAIMER: We recommend you consult your organisation's security and privacy policies, as well as
any laws for your area before implementing any of the suggestions in this section.

G.1 syslog configuration
Consider using syslog's remote logging feature to send logs to a separate logging computer.
Remote logging ensures that even if the UNIX system is compromised, attackers cannot simply
modify the log files to cover their tracks.
Consider protecting the network logging stream with authentication and encryption, for example
by tunnelling it over SSH with netcat.
If logging over the network, do log to local files as well.
Unless this computer is a log server, ensure that syslog will not accept incoming log packets
over the network. On some systems this is the default. On others it may be implemented by
starting syslog with the -t option (no listen).
Consider increasing the level of logging provided by syslog.
Make sure that the messages of the LOG_AUTH facility at level LOG_INFO and above get
logged.
For email, enable a minimum level of "info" for mail messages to be logged by syslog.
Check that there is a reliable mechanism for log rotation. If there is not, you may need to
replace an existing logging daemon with a more secure or full-featured one.
Check that all login attempts are logged, both successful and unsuccessful. There may be
several different ways to log in, such as at the console, through X and through SSH.
Consider protecting your log files with file system attributes if possible, to make them
append-only. See section E.4.2 for details.
OpenBSD, AIX

G.2 Monitoring of logs
G.2.1 Process for log monitoring
Logs and audit trails are only of limited use unless people are actively monitoring them.
Decide on a specific time period within which people will monitor the logs.
Consider automatically emailing logs or log extracts to the internal email addresses of
the relevant people. Check that the sensitivity of information contained in the logs is
appropriate to distribute this way.

G.2.2 Automated log monitoring tools
Automated tools cannot replace human judgement, but they make the process of people
monitoring the logs much more efficient by providing different filtered and processed
views on the logs, and alerting automatically based on defined patterns.
Automating to some degree is highly recommended as otherwise it is unlikely that the
human component of the log monitoring task will actually be done.
Two example programs are swatch and logsentry. Further information on log monitoring
and available tools is available at http://loganalysis.org
Ensure any automated reporting facilities provided by your operating system are turned on, and
are sending output to an appropriate user for reading. (e.g. FreeBSD/OpenBSD daily scripts)
Regularly monitor logs for both successful and unsuccessful logins, and uses of su and sudo.
Regularly check for repeated access failures.

G.3 Enable trusted audit subsystem if available
On many platforms a more comprehensive audit subsystem is optionally available. The benefit
is to allow more dependable and configurable logging of a wider range of security events.
Enable the trusted system audit features if available for your platform.
Linux, Solaris, HP-UX, AIX

G.4 Monitor running processes
G.4.1 Availability of servers
Do actively monitor the running status of server processes on your machines; tools are
available that make it possible to do this remotely. Some examples of these are:
Argus system monitoring software http://argus.tcp4me.com/
Big Brother http://www.bb4.org
Nagios http://www.nagios.org/
For some commercial UNIX variants, specialized server monitoring tools are also
available from the vendor.

G.4.2 Process accounting
Consider turning on process accounting, if available for your system. Process accounting
allows the kernel to keep records of each command run, the user and the time, exit
codes, as well as what amount of system resources (CPU, memory, disk I/O) were
used.
Regularly monitor process accounting log files for activity of interest.
Check that process accounting log files are owned by root and have permissions 600.

G.4.3 lsof
lsof is a tool for monitoring open system files that can be useful in checking current
activity on the system. lsof may be included with your operating system, and is also
available from the source at ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/

G.5 Host-based intrusion detection
G.5.1 File integrity checker
Consider using a file integrity checker for intrusion detection, providing monitoring for
unexpected file system changes.
When using a file integrity checker:
Have a system administration procedure in place to check and update the
database at least weekly to reflect legitimate changes. Without this any real
security alerts may be lost amidst the noise of legitimate changed files.
Consider storing the integrity checker binary, its database and configuration file on
hardware write-protected media, and using a binary that is statically linked.
Consider running the integrity checker from a bootable CD. This is the most
tamper-proof option, but is not appropriate in many cases because it involves
downtime while the check is run.
An example file integrity checker is the open source Tripwire, available from
http://sourceforge.net/projects/tripwire/
AIX, Solaris

G.5.2 Antivirus/malware detection
Antivirus products that run on UNIX systems are often aimed at detecting Windows
malware that passes through a UNIX email or file server. However several companies
also produce antivirus software specifically targeting known UNIX malware.
In particular where UNIX is deployed on desktop workstations, consider the use of
antivirus/malware detection software to detect content-based attacks on the clients.
Depending on the operating system, free tools may also be available to check for known
trojaned binaries or malicious kernel modules that may be installed by an attacker after
compromising the system. The chkrootkit tools available from www.chkrootkit.org are
able to detect some of the most common rootkits. Chkrootkit runs on Linux, *BSD,
Solaris, HP-UX and Mac OS X.
Host-based intrusion detection notes: HP-UX

G.6 Network intrusion detection
G.6.1 Signature matching IDS
Consider deploying a signature matching network intrusion detection system, aimed at
detecting attempted and successful network attacks.
Snort is one open source network IDS which performs real-time traffic analysis and
packet logging. It can use protocol analysis and content searching/matching to detect a
variety of known attacks, based on configured signatures. Snort is available at:
http://www.snort.org/
Do not run a signature matching network IDS tool or protocol analyser in promiscuous
mode on the server itself. Instead use a separate computer/device. This protects your
server and network from vulnerabilities in the IDS software itself.
Consider connecting the IDS to the network to be monitored via a read-only network tap
or a spanning port on the switch.

G.6.2 ARP monitoring
Consider using an ARP monitoring tool to detect ARP spoofing attacks within your LAN.
One such tool is arpwatch, available at http://wwwnrg.ee.lbl.gov/
Monitoring general notes: OpenBSD

H. Connect to Net
H.1 First put in place a host firewall.
H.1.1 Identify host firewall software
Most UNIX operating systems provide a packet filtering host firewall system, either as
part of the base install, or as an option you can install.
On a minority of systems, a reasonable host firewall is already configured by default on
newly installed systems, though this can usually be tightened further.

Linux, Solaris, HP-UX, FreeBSD, OpenBSD, AIX, IRIX

H.1.2 Design host firewall
Do not assume that there is an internal network whose computers are trusted.
The point of the host firewall is to ensure that when one of the other computers on your
internal network is compromised, and the attacker is then able to launch attacks directly
from the local LAN, they will still be unable to contact all of the services on this
computer. Therefore, design the host firewall by assuming that the internal computers
are already compromised, and may seek to attack this system.
Restrict incoming network connections to the minimum set of TCP/UDP port numbers
required for this computer's role, as determined in section A.6.
Consider also restricting outgoing connections to the minimum set of destination port
numbers required for the computer's role. If this computer is compromised, this can
make it more difficult for (the less sophisticated) malicious software to connect back out
to an attacker to receive instructions.
Where a service on this computer only needs to communicate with specific hosts,
consider making this explicit in the firewall rules, restricting that port number to only
communicate with the specified hosts.
Ensure that the following ports can NOT be accessed over the network:
TCP port 25 (SMTP, unless this host is a mail server),
UDP and TCP port 111 (portmap),
TCP port 587 (mail submission agent),
TCP ports 6000-6010 (the X Window System),
and any other services that are for use on the local computer only.
If the IPv6 stack on this computer has not been disabled, then verify that the firewall
rules correctly handle IPv6 packets coming from the local LAN. Some firewall
configurations ignore IPv6. Even on an IPv4 network this may give unintended access if
the attacker already controls another point on the LAN.
Packet filtering can be difficult to implement correctly. For more information on firewalls
and packet filtering, the following references may be of use:
Internet Firewalls FAQ
http://www.interhack.net/pubs/fwfaq/
Building Internet Firewalls, Second Edition
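As an added example (not part of the AusCERT checklist), the function below audits a Linux host's listening sockets against the port list in H.1.2 and reports any local-only service bound to a non-loopback address, for IPv4 and IPv6 alike. It assumes input in the format of `ss -H -ltun` from iproute2; the sample lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the checklist. Input is the output of
# `ss -H -ltun` (Linux iproute2); the lines below are constructed samples.
sample_sockets() {
cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128             [::]:6000          [::]:*
tcp   LISTEN 0      100            [::1]:587           [::]:*
tcp   LISTEN 0      128                *:80               *:*
EOF
}

# Print "proto address port" for each listener on a port the checklist
# says must not be reachable over the network (25, 111, 587, 6000-6010)
# that is bound to something other than loopback. IPv4 and IPv6 sockets
# are treated alike, so an IPv6 wildcard bind is not overlooked.
exposed_local_services() {
    awk '
        {
            n = split($5, part, ":")
            port = part[n] + 0
            addr = substr($5, 1, length($5) - length(part[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (port == 25 || port == 111 || port == 587 ||
                (port >= 6000 && port <= 6010))
                print $1, addr, port
        }
    '
}

sample_sockets | exposed_local_services
```

Each hit is a prompt to rebind the service to loopback or to confirm that both the IPv4 and IPv6 firewall rules block it; on a mail server a listener on port 25 is expected.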

H.1.3 Weak end system
For computers with more than one network interface, be aware of the "weak end
system" model used by most UNIX operating systems (RFC 1122). This means that on
hosts with more than one network interface, even if a service only binds to the IP
address of one interface, this will not protect it from packets that are received on a
different interface but addressed to that IP.
This is particularly important where second network cards are used to provide a
separate management network.
To address this, either:
1. Turn off weak ES behaviour (see OS-specific footnotes) or,
2. add explicit host firewall rules to block packets coming into one interface but
addressed to the IP address of another interface.
Solaris, FreeBSD

H.2 Position this computer behind a border firewall.
Position the UNIX system on a protected subnet, with at least a separate firewall device sitting
between it and the open Internet.

H.3 Network stack hardening/sysctls
The kernel's network settings can be tuned and made more secure, usually using the sysctl
command or configuration file. The details of how to do this are very specific to each operating
system. It is recommended to check the following settings:

Disable IP source routing.
Disable ICMP redirects.
Disable forwarding/routing of IP packets unless this computer is a router. See OS-specific
footnotes for details.
If your OS provides syncookies to mitigate SYN flood denial of service, then ensure that
this feature is turned on. Syncookies are available on Linux, Solaris and FreeBSD.
Consider configuring shorter state timeouts and increasing the size of state tables to
make the system more resistant to denial of service.
For servers, consider configuring a static IP address on the host itself, rather than using a
static IP allocation through DHCP.
On critical computers, consider using a static ARP cache to prevent ARP spoofing attacks
from the local LAN.
Linux, Solaris, HP-UX, FreeBSD, OpenBSD, AIX
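As an added example (not part of the AusCERT checklist), the function below checks the first four settings from H.3 on Linux by comparing `sysctl -a` style output with expected values. The key names are the Linux sysctl names for those settings; other operating systems use different names, and the sample input and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the checklist. Key names are the Linux sysctl
# names for the settings listed above; other systems use different names.
# Input format is that of `sysctl -a`; the lines below are constructed.
sample_sysctl() {
cat <<'EOF'
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 0
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_syncookies = 0
EOF
}

# Compare "key = value" lines on stdin with the expected values and print
# one FAIL line per wrong value and one MISSING line per key not reported
# (here the IPv6 key, because the sample contains IPv4 settings only).
audit_sysctl() {
    awk -F' *= *' '
        BEGIN {
            want["net.ipv4.conf.all.accept_source_route"] = 0  # source routing off
            want["net.ipv4.conf.all.accept_redirects"] = 0     # ICMP redirects off
            want["net.ipv6.conf.all.accept_redirects"] = 0     # same for IPv6
            want["net.ipv4.ip_forward"] = 0                    # 1 only on a router
            want["net.ipv4.tcp_syncookies"] = 1                # SYN flood mitigation
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) print "FAIL", $1, "is", $2, "want", want[$1]
        }
        END { for (k in want) if (!(k in seen)) print "MISSING", k }
    ' | sort
}

sample_sysctl | audit_sysctl
```

On a live Linux host the same check is `sysctl -a 2>/dev/null | audit_sysctl`; an empty result means all five keys hold the expected values.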

Further information on adjusting network parameters is provided in the following documents:
UNIX IP Stack Tuning Guide v2.7 (Rob Thomas) covers AIX, Solaris, HP-UX, Linux, FreeBSD
and IRIX.
http://www.cymru.com/Documents/ipstacktuning.html
TCP/IP Stack Hardening covers AIX, FreeBSD, HP-UX, Linux, Solaris and IRIX.
http://www.cromwellintl.com/security/securitystackhardening.html

H.4 Connect to network for the first time
It is recommended to connect the computer to the network for the first time at this stage.

I. Test Backup/Rebuild Strategy
I.1 Backup/rebuild strategy
When an intrusion or suspected intrusion is detected, your options in responding will depend
critically on whether you have an effective backup/rebuild strategy in place beforehand.
With a rebuild process that is largely automated, it is possible to either swap in a new hard disk
and rebuild the server, or rapidly deploy a replacement server, allowing the compromised
machine to be taken off the network quickly while maintaining uptime.
This ability to disconnect the computer rapidly reduces the risk of further intrusion to other
systems, and at the same time preserves evidence on the hard disk at an early stage. But it
depends on an effective restore and rebuilding process already being in place.
Implement a backup, restore and rebuilding process that satisfies your security policy.
Depending on the uptime requirements determined in section A.4 for this system, consider
whether a replacement hard disk or a full replacement server is appropriate for your situation.
Protect the confidentiality and integrity of the backups themselves, as the information in the
backups is usually as sensitive as the original system. For example, the authentication
information in the backup is often sufficient to compromise the original system remotely. For
integrity, the aim is that an attacker compromising this system can only alter future backups,
and not past backups.

I.2 TEST backup and restore
The implementation of the restore/rebuild system is not complete until it has been tested out in
practice.
Schedule a full restore/rebuild of the system to verify that the process works and is sufficiently
fast.

I.3 Allow separate restore of software and data
Consider having business data backed up and restorable separately from executable programs.
After a compromise, this allows more flexibility, for example to restore today's data but with
the system and software backup from three weeks ago.

I.4 Repatch after restoring
Repatch the system immediately after restoring from backup, to ensure that all the patches and
software updates released between the time that backup was made and the present are applied.

I.5 Process for intrusion response
After an intrusion or suspected intrusion has taken place, it may be necessary to liaise with law
enforcement, and/or investigate what has happened, and determine if other systems on your
network have been affected.

I.5.1 Documented process
Have a documented response process in place before any incident occurs.
If it is decided that police investigation is desirable, it is recommended to contact law
enforcement at the earliest possible stage in the process, and to coordinate any actions
with them first.
One suggested response procedure is described in the document Steps for Recovering
from a UNIX or NT System Compromise. Your procedure should be tailored to meet your
specific requirements.
As part of your process, record in writing any steps taken in investigating an incident.
It is usually important to determine how the attacker broke in, since if you clean and
restore the system without knowing this then the attacker may simply re-enter the
system via the same vulnerability.

I.5.2 Forensic tools
Any investigation is best done on a forensically sound image of the affected hard disk,
rather than on the original disk. If law enforcement involvement is desired, then it is
recommended to leave the disk imaging to law enforcement, and to avoid altering the
system in any way before this is done.
In other cases, consider having the capability to make a forensically sound image of an
affected hard disk, using dd or similar tools on a second, clean system. This will require
having spare hard disks available ahead of time to create the image.
It is beyond the scope of this document to detail sound handling of the digital evidence.
Some of the issues involved are mentioned in the document Collecting Electronic
Evidence After a System Compromise.
Autopsy is one free forensic file system analysis tool for UNIX systems. It may be used
to examine images of storage devices from a compromised system, and generate a
timeline of recent file access.
If using this tool, run it only on an image copy of the original hard disk, on a
non-networked machine.
Autopsy is available at http://www.sleuthkit.org/autopsy/desc.php
Solaris

I.5.3 Malware detection tools
For some incidents it may be useful to apply known malware detection as described in
section G.5.2 as a quick way to confirm that the system was compromised. Of course, a
failure to detect known malware does not indicate that the system was clean.

J. Maintain
J.1 Mailing lists
Notifications of patch releases and security updates are generally done via mailing lists.
Subscribe to the vendor "announce" list as well as any security mailing lists for your specific
operating system.
Subscribe to the appropriate security/updates mailing list for each third-party software package
installed.
Also subscribe to security advisory mailing lists from your local incident response team (if you
have one available).

AusCERT Security Bulletins are available at http://www.auscert.org.au/1
US-CERT Vulnerability Notes are available at http://www.kb.cert.org/vuls/

J.2 Software inventory
Maintain an up-to-date list of software installed on each system, with version numbers. This list
includes the base OS and each piece of third-party software.
This is significant, as when a vulnerability advisory is released, it is easy to check whether the
versions on your systems are affected.

J.3 Rapid patching
The window of time between vulnerabilities being publicly announced and widespread
exploitation is now very short. Design your patching and update process aiming to allow critical
patches to be applied within 48 hours of patch release.
For important systems, maintain a test environment where patches can be trialled first before
deploying to production systems.
Be aware that installing patches/updates can sometimes re-enable services that you have
disabled.

J.4 Secure administrative access
J.4.1 Strongly authenticated access only
Only administer the computer at the console, or else over the network using tools that
are properly encrypted and authenticated, such as SSH or a web interface protected by
SSL. Do not assume that a corporate internal network is secure.

J.4.2 Administer only from a secure workstation
Ensure workstations used to administer a UNIX or Linux server are at least as secure as
the server itself. Otherwise keystroke logging can steal your SSH private key
passphrase and all administrative passwords. Public key cryptography will not protect
against this.
Consider allocating system administrators two separate workstations, one for
administering the systems, and the other for general work such as email, web browsing
and document creation.

J.5 Logbook for all sysadmin work
Maintain a logbook to record all significant system administration work on the system.

J.6 Configuration change control with CVS
Consider using a CVS server on a separate computer to manage the configuration files such as
those in /etc and /usr/local/etc. This also makes rebuilding the system more efficient.
See section F.14 for secure use of CVS.

J.7 Regular audit
Design and put into action a process to reassess the security of the system at regular
intervals.

J.7.1 Reapply this checklist
Periodically recheck the system against this checklist, and ensure that the system is
still in conformance with your security policy.
In particular, recheck at this time that the software installed is only the minimal set
decided on.

J.7.2 Check for dormant accounts
Regularly audit the system for dormant accounts and disable any that have not been
used for a specified period of time, in accordance with your site's security policy.

At this stage also audit the password files for unauthorised additions or inconsistencies.

J.7.3 Audit weak passwords
Where appropriate, consider regularly applying a password cracking program such as
"John the Ripper" to check for weak passwords.
This is especially worth considering for a multi-user system which does not have any
mechanism for enforcing difficult passwords. John the Ripper is available from:
http://www.openwall.com/john/

J.7.4 Apply network scan/audit tools
Use network port scanning and vulnerability scanning tools from a separate computer to
check periodically that open network ports are as expected, and that no well-known
vulnerabilities are detected.
nmap is a port scanning tool available from: http://www.insecure.org/nmap/
Nessus is a vulnerability scanning tool available from: http://www.nessus.org
OpenVAS is a vulnerability scanning tool available from: http://www.openvas.org

Index of OS Specific Footnotes
i. Linux
ii. Solaris
iii. HP-UX
iv. FreeBSD
v. OpenBSD
vi. AIX
vii. IRIX

Further Reading
Books
Practical UNIX & Internet Security, 2nd Edition
Simson Garfinkel and Gene Spafford
O'Reilly & Associates, 1996
Volume 8: X Window System Administrator's Guide
Linda Mui and Eric Pearce
O'Reilly & Associates, 1992 (out of print)
PDF now free online at http://www.oreilly.com/openbook/
Securing Systems with the Solaris Security Toolkit
Alex Noordergraaf and Glenn Brunette
Prentice Hall PTR/Sun Microsystems Press, 2003
Managing NFS and NIS, 2nd Edition
Hal Stern
O'Reilly & Associates, 2001
Building Internet Firewalls, Second Edition
Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman
O'Reilly & Associates, 1995

Online References
AusCERT Security Bulletins http://www.auscert.org.au/1
US-CERT Technical Cyber Security Alerts http://www.uscert.gov/cas/techalerts/index.html
US-CERT Current Activity http://www.uscert.gov/current/
