Linux Hardening Lab Exercises
Denis Ducamp / Hervé Schauer Consultants, 9 December 1999
Reproduction strictly prohibited
These lab exercises cover the following two topics:
- Complete hardening of a Linux server and installation of an Apache web server.
- Setting up a firewall under Linux with ipchains.
- Network security
- Restricting privileged access
- Logging
- Miscellaneous: files and passwords
2.1 Network security
- Install ssh / ssf
- Comment out, or protect with tcp-wrapper (tcpd), every service in inetd.conf
- Clean up the /etc/rc.d/ tree (remove the start scripts of services the machine does not need)
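A check for the inetd.conf item above, added here as an example and not part of the original lab notes: it lists the services that are still enabled and not started through tcpd, i.e. exactly the lines the exercise says to comment out or wrap. The tcpd path and the sample inetd.conf are assumptions.

```shell
#!/bin/sh
# Added example (not from the HSC lab notes): report the services in an
# inetd.conf that are active and not guarded by tcpd.
# Assumption: tcpd lives at /usr/sbin/tcpd (override with TCPD=...).
set -eu
TCPD=${TCPD:-/usr/sbin/tcpd}

# inetd_audit FILE: prints "service server-program" for every active,
# unwrapped service; "internal" services count as unwrapped too.
inetd_audit() {
    awk -v tcpd="$TCPD" '
        /^[ \t]*(#|$)/ { next }   # comment or blank line: service is off
        NF < 6         { next }   # malformed line, nothing is started
        $6 == tcpd     { next }   # wrapped: hosts.allow / hosts.deny apply
        { print $1, $6 }          # reachable with no access control at all
    ' "$1"
}

# Demonstration on a constructed inetd.conf (not a real system file)
demo_inetd_audit() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, four services
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd    in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd    in.fingerd
echo    stream  tcp     nowait  root    internal
EOF
    inetd_audit "$f"
    rm -f "$f"
}

demo_inetd_audit
```

Wrapping a service with tcpd only helps once /etc/hosts.deny carries a final `ALL: ALL` and /etc/hosts.allow lists the permitted clients; with both files empty tcpd lets everything through.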
2.2 Restricting privileged access
- Limit the list of terminals in /etc/securetty (the only ones root may log in from)
- Complete /etc/ftpusers (accounts that are refused FTP access)
- Complete /etc/sshd_config
- Use calife and/or sudo
2.3 Logging
- Complete /etc/syslog.conf
- Install process accounting (acct)
- Manage the logs (rotation and retention)
2.4 Miscellaneous
- Secure the files
- setuid and setgid programs: find / -type f \( -perm -04000 -o -perm -02000 \)
- World-writable files: find / -perm -2 ! -type l -ls
- Files without an owner or group: find / \( -nouser -o -nogroup \) -ls
(the parentheses matter: without them -o binds -nogroup to -ls alone and the -nouser matches are never printed)
- Secure the passwords
- Shadow passwords
- MD5 hashing
- Hardening
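The three find(1) checks above turned into a repeatable audit, added here as an example (not part of the original lab notes): each run records a sorted listing and prints what appeared since the previous run, which is what matters once the first clean-up has been done. It assumes GNU find (for -printf); ROOT and the baseline file are hypothetical parameters, and the audit is per filesystem (-xdev), so /, /usr, /var are run separately.

```shell
#!/bin/sh
# Added example (not from the HSC lab notes): the section 2.4 file checks
# as a baseline-and-diff audit. Assumes GNU find.
set -eu

# audit_files ROOT: prints "class path mode owner group" for every
# suspicious file on the filesystem holding ROOT
audit_files() {
    root=$1
    # setuid / setgid regular files
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf 'suid %p %m %u %g\n'
    # world-writable files and directories, symlinks excluded (their mode is meaningless)
    find "$root" -xdev -perm -0002 ! -type l \
        -printf 'wworld %p %m %u %g\n'
    # files whose owner or group no longer exists; the parentheses are
    # required, "-nouser -o -nogroup -printf" would only print the -nogroup half
    find "$root" -xdev \( -nouser -o -nogroup \) \
        -printf 'orphan %p %m %u %g\n'
}

# audit_diff ROOT BASELINE: prints the entries new since the last run and
# replaces BASELINE with the current listing
audit_diff() {
    root=$1; baseline=$2
    new=$(mktemp)
    audit_files "$root" | LC_ALL=C sort > "$new"
    if [ -f "$baseline" ]; then
        LC_ALL=C comm -13 "$baseline" "$new"   # present now, absent before
    else
        cat "$new"                             # first run: everything is new
    fi
    mv "$new" "$baseline"
}
```

A new setuid binary showing up between two runs is the finding that matters; the first listing is only the inventory to compare against.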
- Installing openssl
- Installing mod_ssl
- Installing and configuring apache
- Creating a certificate
3.1 Installing openssl
- $ cd /usr/src
- $ tar xzvf openssl-0.9.4.tar.gz
- $ cd openssl-0.9.4
- $ ./config
- $ make
- # make install ("$" steps are run as an unprivileged user, only the "#" steps as root)
3.2 Installing mod_ssl
- $ cd /usr/src
- $ tar xzvf apache_1.3.9.tar.gz
- $ tar xzvf mod_ssl-2.4.9-1.3.9.tar.gz
- $ cd mod_ssl-2.4.9-1.3.9
- $ ./configure --with-apache=../apache_1.3.9 (applies the EAPI patch to the Apache source tree)
3.3 Installing apache
- $ cd /usr/src/apache_1.3.9
- $ SSL_BASE=SYSTEM ./configure --enable-module=ssl --enable-module=info --disable-module=cgi --disable-module=actions
(SSL_BASE=SYSTEM points the build at the openssl installed in 3.1; modules that are not needed, cgi and actions here, are disabled to reduce the attack surface)
- $ make
- $ make certificate TYPE=custom
- # make install
3.4 Creating a certificate
- STEP 0: Decide the signature algorithm used for certificates
Signature Algorithm ((R)SA or (D)SA) [R]:
- STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
- STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
1. Country Name (2 letter code) [XY]:FR
2. State or Province Name (full name) [Snake Desert]:.
3. Locality Name (eg, city) [Snake Town]:Levallois-Perret
4. Organization Name (eg, company) [Snake Oil, Ltd]:GroarWare
5. Organizational Unit Name (eg, section) [Certificate Authority]:Sined
6. Common Name (eg, CA name) [Snake Oil CA]:GroarWare CA
7. Email Address (eg, name@FQDN) [ca@snakeoil.dom]:ducamp@formule.hsc.fr
8. Certificate Validity (days) [365]:
- STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
- STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
- STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
1. Country Name (2 letter code) [XY]:FR
2. State or Province Name (full name) [Snake Desert]:.
3. Locality Name (eg, city) [Snake Town]:Levallois-Perret
4. Organization Name (eg, company) [Snake Oil, Ltd]:GroarWare
5. Organizational Unit Name (eg, section) [Webserver Team]:Sined
6. Common Name (eg, FQDN) [www.snakeoil.dom]:formule.hsc.fr
7. Email Address (eg, name@fqdn) [www@snakeoil.dom]:ducamp@formule.hsc.fr
8. Certificate Validity (days) [365]:
- STEP 6: Generating X.509 certificate signed by own CA [server.crt]
- STEP 7: Encrypting RSA private key of CA with a pass phrase for security [ca.key]
Encrypt the private key now? [Y/n]:
Fine, you're using an encrypted private key.
- STEP 8: Encrypting RSA private key of SERVER with a pass phrase for security [server.key]
Encrypt the private key now? [Y/n]: n
Please notice this fact and do this on your own risk.
(Leaving server.key unencrypted lets apache start at boot without anyone typing a pass phrase; the price is that whoever can read the file holds the server's identity, so it must belong to root with mode 0400.)
- RESULT: CA and Server Certification Files
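The eight steps of `make certificate TYPE=custom` redone with the openssl command line, added here as an example that is neither the lab's nor mod_ssl's own mkcert.sh: it produces the same four files, then runs the checks worth doing before apache is pointed at them (chain, key/certificate match, name, key file mode). Two 1999 defaults are deliberately changed: 2048-bit keys instead of 1024, and a subjectAltName on the server certificate, which clients now require. It assumes openssl on PATH and the CA pass phrase in the environment variable CA_PASS; OUTDIR, FQDN and DAYS are hypothetical parameters, the names are the ones typed in the transcript above.

```shell
#!/bin/sh
# Added example (not from the HSC lab notes nor from mod_ssl): CA and
# server certificate with the openssl CLI, followed by pre-deployment checks.
# Assumptions: openssl on PATH, CA pass phrase in $CA_PASS.
set -eu

# make_site_certs OUTDIR FQDN [DAYS]: writes ca.key ca.crt server.key server.crt
make_site_certs() (
    outdir=$1; fqdn=$2; days=${3:-365}
    : "${CA_PASS:?set CA_PASS to the pass phrase protecting ca.key}"
    mkdir -p "$outdir" && cd "$outdir"
    umask 077                        # every key is born unreadable to others

    # STEP 1 + STEP 7: CA key, encrypted under the pass phrase taken from
    # the environment (env: keeps it out of the process list, unlike pass:)
    openssl genrsa -aes256 -passout env:CA_PASS -out ca.key 2048 2>/dev/null
    # STEP 2 + STEP 3: CSR and self-signature collapsed into one command
    openssl req -new -x509 -key ca.key -passin env:CA_PASS -days "$days" \
        -subj "/C=FR/L=Levallois-Perret/O=GroarWare/OU=Certificate Authority/CN=GroarWare CA" \
        -out ca.crt
    # STEP 4 + STEP 8: server key left unencrypted so apache restarts
    # unattended, acceptable only if nobody but its owner can read it
    openssl genrsa -out server.key 2048 2>/dev/null
    chmod 0400 server.key
    # STEP 5: server CSR, CN = the name clients will connect to
    openssl req -new -key server.key \
        -subj "/C=FR/L=Levallois-Perret/O=GroarWare/OU=Webserver Team/CN=$fqdn" \
        -out server.csr
    # STEP 6: sign with the CA; the extension file adds the SAN
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > san.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -passin env:CA_PASS \
        -CAcreateserial -days "$days" -extfile san.ext -out server.crt 2>/dev/null
    chmod 0644 ca.crt server.crt     # certificates are public
)

# check_site_certs OUTDIR FQDN: returns 0 only if the files are fit to deploy
check_site_certs() {
    outdir=$1; fqdn=$2
    # the server certificate chains to our CA
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/server.crt" >/dev/null 2>&1 || return 1
    # the private key belongs to the certificate
    [ "$(openssl rsa -in "$outdir/server.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$outdir/server.crt" -pubkey -noout)" ] || return 1
    # the name clients will check is present as a SAN
    openssl x509 -in "$outdir/server.crt" -noout -text | grep -q "DNS:$fqdn" || return 1
    # the unencrypted key is readable by its owner only
    mode=$(stat -c %a "$outdir/server.key" 2>/dev/null || stat -f %Lp "$outdir/server.key")
    [ "$mode" = 400 ]
}
```

Usage: `CA_PASS=... make_site_certs /tmp/certs formule.hsc.fr && check_site_certs /tmp/certs formule.hsc.fr`, then copy server.crt and server.key where httpd.conf expects them. The check deliberately fails if someone later loosens the key file mode, which is the failure that actually happens in practice.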
3.5 Configuring apache
- Remove the <IfDefine SSL> lines and the matching </IfDefine> lines from /usr/local/apache/conf/httpd.conf, so that SSL is always active rather than only when started with "apachectl startssl".
- Change port 8080 to port 80 and port 8443 to 443
- Run apachectl start
Contents of /usr/local/apache/logs/ssl_engine_log:
[30/Nov/1999 10:35:51 32728] [info] Server: Apache/1.3.9, Interface: mod_ssl/2.4.9, Library: OpenSSL/0.9.4
[30/Nov/1999 10:35:51 32728] [info] Init: 1st startup round (still not detached)
[30/Nov/1999 10:35:51 32728] [info] Init: Initializing OpenSSL library
[30/Nov/1999 10:35:51 32728] [info] Init: Loading certificate & private key of SSL-aware server formule.hsc.fr:443
[30/Nov/1999 10:35:51 32728] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[30/Nov/1999 10:35:53 32728] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[30/Nov/1999 10:35:53 32729] [info] Init: 2nd startup round (already detached)
[30/Nov/1999 10:35:53 32729] [info] Init: Reinitializing OpenSSL library
[30/Nov/1999 10:35:54 32729] [info] Init: Seeding PRNG with 512 bytes of entropy
[30/Nov/1999 10:35:54 32729] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[30/Nov/1999 10:35:54 32729] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[30/Nov/1999 10:35:54 32729] [info] Init: Initializing (virtual) servers for SSL
[30/Nov/1999 10:35:54 32729] [info] Init: Configuring server formule.hsc.fr:443 for SSL protocol
3.6 Tests
- with openssl:
$ /usr/local/ssl/bin/openssl s_client -connect localhost:443
...
---
SSL handshake has read 1329 bytes and written 299 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
...
---
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 30 Nov 1999 09:42:26 GMT
Server: Apache/1.3.9 (Unix) mod_ssl/2.4.9 OpenSSL/0.9.4
Last-Modified: Mon, 29 Nov 1999 16:44:17 GMT
ETag: "97bfc-a71-3842ad61"
Accept-Ranges: bytes
Content-Length: 2673
Connection: close
Content-Type: text/html
closed
(This only proves that the handshake and the HTTP exchange work: without -CAfile pointing at the CA certificate, s_client does not validate the server certificate; with it, look for "Verify return code: 0 (ok)".)
- with Netscape
- Initialisation
- Accepting a local flow
- Allowing a flow
- Allowing a flow with address masquerading
- Save / restore
- Miscellaneous: anti-spoofing and IP forwarding / masquerading
4.1 Initialisation
- Change the default policies (first, so that nothing is allowed while the rules are being loaded):
- # ipchains -P input DENY
- # ipchains -P output DENY
- # ipchains -P forward DENY
- Flush every rule from the chains: ipchains -F
- Reset all the counters: ipchains -Z
4.2 Accepting a local flow
- Inbound: web server
# ipchains -A input -i eth0 -p TCP -s 0/0 1024: -d 192.70.106.33 80 -j ACCEPT
# ipchains -A output -i eth0 -p TCP -s 192.70.106.33 80 -d 0/0 1024: ! -y -j ACCEPT
("! -y" matches every TCP packet except a bare SYN: the server may answer, but can never open a connection from port 80)
- Outbound: SQUID proxy / web client
# ipchains -A output -i eth0 -p TCP -s 192.70.106.33 1024: -d 0/0 80 -j ACCEPT
# ipchains -A input -i eth0 -p TCP -s 0/0 80 -d 192.70.106.33 1024: ! -y -j ACCEPT
4.3 Allowing a flow (through the firewall: forward chain)
- Method 1
# ipchains -A forward -p TCP -s 192.70.106/24 1024: -d 0/0 80 -j ACCEPT
# ipchains -A forward -p TCP -s 0/0 80 -d 192.70.106/24 1024: ! -y -j ACCEPT
- Method 2
# ipchains -A forward -p TCP -s 0/0 80 -d 192.70.106/24 1024: -y -j REJECT
# ipchains -b -A forward -p TCP -s 192.70.106/24 1024: -d 0/0 80 -j ACCEPT
(-b adds the rule and its mirror image; the REJECT placed before it refuses the connection attempts from port 80 that the mirrored rule would otherwise accept)
4.4 Allowing a flow with address masquerading
- Method 1
# ipchains -A forward -p TCP -s 192.168/16 1024: -d 0/0 80 -j MASQ
# ipchains -A forward -p TCP -s 0/0 80 -d 192.168/16 1024: ! -y -j MASQ
- Method 2
# ipchains -A forward -p TCP -s 0/0 80 -d 192.168/16 1024: -y -j REJECT
# ipchains -b -A forward -p TCP -s 192.168/16 1024: -d 0/0 80 -j MASQ
(Replies to masqueraded connections are demasqueraded on the input chain and go straight to the output chain without traversing forward, so the return rules above are never matched; the first rule of each method is the one doing the work.)
4.5 Save / restore
- # /sbin/ipchains-save > /etc/ipchains.rules
- # /sbin/ipchains-restore < /etc/ipchains.rules
(ipchains-save writes the current rules to standard output and ipchains-restore reads them from standard input; /etc/ipchains.rules is just a file name chosen here)
4.6 Miscellaneous
- Anti-spoofing: run as early as possible, before any interface carries traffic.
    # This is the best method: turn on Source Address Verification and get
    # spoof protection on all current and future interfaces.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo -n "Setting up IP spoofing protection..."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > $f
        done
        echo "done."
    else
        echo PROBLEMS SETTING UP IP SPOOFING PROTECTION. BE WORRIED.
        echo "CONTROL-D will exit from this shell and continue system startup."
        echo
        # Start a single user shell on the console
        /sbin/sulogin $CONSOLE
    fi
- IP forwarding / masquerading: run as late as possible, once all the rules are loaded, because packets are forwarded the instant the flag is set.
# echo 1 > /proc/sys/net/ipv4/ip_forward
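The whole of part 4 assembled into one startup script in the order the notes prescribe, added here as an example and not part of the original lab: anti-spoofing first, DENY policies before any rule, IP forwarding switched on last, and nothing forwarded at all when rp_filter cannot be enabled (the script fails closed instead of dropping to sulogin). IPCHAINS and PROC are hypothetical overrides so it can be dry-run or pointed at a scratch directory instead of /proc; the addresses are the ones used on the slides.

```shell
#!/bin/sh
# Added example (not from the HSC lab notes): section 4 as one script.
# Hypothetical overrides: IPCHAINS (e.g. echo for a dry run), PROC.
set -eu
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
PROC=${PROC:-/proc/sys/net/ipv4}
IF=eth0
WWW=192.70.106.33             # the firewall's own web server / proxy
LAN=192.70.106.0/24           # routed internal network
MASQ_NET=192.168.0.0/16       # private network, masqueraded

# fw_antispoof: reverse-path filtering on every present and future interface
fw_antispoof() {
    [ -e "$PROC/conf/all/rp_filter" ] || return 1
    for f in "$PROC"/conf/*/rp_filter; do echo 1 > "$f"; done
}

# fw_rules: 4.1 to 4.4 in one place
fw_rules() {
    # 4.1: default DENY first, so that flushing never opens a window
    $IPCHAINS -P input DENY
    $IPCHAINS -P output DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -F
    $IPCHAINS -Z
    # 4.2: inbound to the local web server; replies may not be bare SYNs
    $IPCHAINS -A input  -i $IF -p TCP -s 0/0 1024: -d $WWW 80 -j ACCEPT
    $IPCHAINS -A output -i $IF -p TCP -s $WWW 80 -d 0/0 1024: ! -y -j ACCEPT
    # 4.2: outbound web client / squid running on the firewall itself
    $IPCHAINS -A output -i $IF -p TCP -s $WWW 1024: -d 0/0 80 -j ACCEPT
    $IPCHAINS -A input  -i $IF -p TCP -s 0/0 80 -d $WWW 1024: ! -y -j ACCEPT
    # 4.3 method 2: refuse SYNs from port 80 before the bidirectional accept
    $IPCHAINS -A forward -p TCP -s 0/0 80 -d $LAN 1024: -y -j REJECT
    $IPCHAINS -b -A forward -p TCP -s $LAN 1024: -d 0/0 80 -j ACCEPT
    # 4.4: masqueraded network; replies are demasqueraded on input and
    # skip the forward chain, so no return rule is needed
    $IPCHAINS -A forward -p TCP -s $MASQ_NET 1024: -d 0/0 80 -j MASQ
}

# fw_start: fails closed, forwarding is never enabled without anti-spoofing
fw_start() {
    if ! fw_antispoof; then
        echo "rp_filter not available: firewall not started" >&2
        return 1
    fi
    fw_rules
    echo 1 > "$PROC/ip_forward"   # 4.6: last, the rules are in place now
}
```

Dry-run it with `IPCHAINS=echo PROC=/tmp/fakeproc sh -c '. ./fw.sh; fw_start'` to read the rule list in the order it would be loaded before touching a live kernel.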