securing-freebsd.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Securing FreeBSD</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="Introduction" href="security-intro.html" />
<link rel="NEXT" title="DES, MD5, and Crypt" href="crypt.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="security-intro.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
<td width="10%" align="right" valign="bottom"><a href="crypt.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="SECURING-FREEBSD" name="SECURING-FREEBSD">14.3 Securing
FreeBSD</a></h1>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Command vs. Protocol:</b> Throughout this document, we will use <b
class="APPLICATION">bold</b> text to refer to an application, and a <tt
class="COMMAND">monospaced</tt> font to refer to specific commands. Protocols will use a
normal font. This typographical distinction is useful for instances such as ssh, since it
is a protocol as well as command.</p>
</blockquote>
</div>

<p>The sections that follow will cover the methods of securing your FreeBSD system that
were mentioned in the <a href="security-intro.html">last section</a> of this chapter.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="SECURING-ROOT-AND-STAFF" name="SECURING-ROOT-AND-STAFF">14.3.1
Securing the <tt class="USERNAME">root</tt> Account and Staff Accounts</a></h2>

<p>First off, do not bother securing staff accounts if you have not secured the <tt
class="USERNAME">root</tt> account. Most systems have a password assigned to the <tt
class="USERNAME">root</tt> account. The first thing you do is assume that the password is
<span class="emphasis"><i class="EMPHASIS">always</i></span> compromised. This does not
mean that you should remove the password. The password is almost always necessary for
console access to the machine. What it does mean is that you should not make it possible
to use the password outside of the console or possibly even with the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=su&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">su</span>(1)</span></a> command. For
example, make sure that your ptys are specified as being insecure in the <tt
class="FILENAME">/etc/ttys</tt> file so that direct <tt class="USERNAME">root</tt> logins
via <tt class="COMMAND">telnet</tt> or <tt class="COMMAND">rlogin</tt> are disallowed. If
using other login services such as <b class="APPLICATION">sshd</b>, make sure that direct
<tt class="USERNAME">root</tt> logins are disabled there as well. You can do this by
editing your <tt class="FILENAME">/etc/ssh/sshd_config</tt> file, and making sure that
<var class="LITERAL">PermitRootLogin</var> is set to <var class="LITERAL">NO</var>.
Consider every access method -- services such as FTP often fall through the cracks.
Direct <tt class="USERNAME">root</tt> logins should only be allowed via the system
console.</p>

<p>Of course, as a sysadmin you have to be able to get to <tt class="USERNAME">root</tt>,
so we open up a few holes. But we make sure these holes require additional password
verification to operate. One way to make <tt class="USERNAME">root</tt> accessible is to
add appropriate staff accounts to the <tt class="GROUPNAME">wheel</tt> group (in <tt
class="FILENAME">/etc/group</tt>). The staff members placed in the <tt
class="GROUPNAME">wheel</tt> group are allowed to <tt class="COMMAND">su</tt> to <tt
class="USERNAME">root</tt>. You should never give staff members native <tt
class="GROUPNAME">wheel</tt> access by putting them in the <tt
class="GROUPNAME">wheel</tt> group in their password entry. Staff accounts should be
placed in a <tt class="GROUPNAME">staff</tt> group, and then added to the <tt
class="GROUPNAME">wheel</tt> group via the <tt class="FILENAME">/etc/group</tt> file.
Only those staff members who actually need to have <tt class="USERNAME">root</tt> access
should be placed in the <tt class="GROUPNAME">wheel</tt> group. It is also possible, when
using an authentication method such as Kerberos, to use Kerberos' <tt
class="FILENAME">.k5login</tt> file in the <tt class="USERNAME">root</tt> account to
allow a <a href="http://www.FreeBSD.org/cgi/man.cgi?query=ksu&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ksu</span>(1)</span></a> to <tt
class="USERNAME">root</tt> without having to place anyone at all in the <tt
class="GROUPNAME">wheel</tt> group. This may be the better solution since the <tt
class="GROUPNAME">wheel</tt> mechanism still allows an intruder to break <tt
class="USERNAME">root</tt> if the intruder has gotten hold of your password file and can
break into a staff account. While having the <tt class="GROUPNAME">wheel</tt> mechanism
is better than having nothing at all, it is not necessarily the safest option.</p>

<p>An indirect way to secure staff accounts, and ultimately <tt
class="USERNAME">root</tt> access is to use an alternative login access method and do
what is known as ``starring'' out the encrypted password for the staff accounts. Using
the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=vipw&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">vipw</span>(8)</span></a> command, one
can replace each instance of an encrypted password with a single ``<var
class="LITERAL">*</var>'' character. This command will update the <tt
class="FILENAME">/etc/master.passwd</tt> file and user/password database to disable
password-authenticated logins.</p>

<p>A staff account entry such as:</p>

<pre class="PROGRAMLISTING">
foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh
</pre>

<p>Should be changed to this:</p>

<pre class="PROGRAMLISTING">
foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh
</pre>

<p>This change will prevent normal logins from occurring, since the encrypted password
will never match ``<var class="LITERAL">*</var>''. With this done, staff members must use
another mechanism to authenticate themselves such as <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=kerberos&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">kerberos</span>(1)</span></a> or <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span></a> using a
public/private key pair. When using something like Kerberos, one generally must secure
the machines which run the Kerberos servers and your desktop workstation. When using a
public/private key pair with ssh, one must generally secure the machine used to login
<span class="emphasis"><i class="EMPHASIS">from</i></span> (typically one's workstation).
An additional layer of protection can be added to the key pair by password protecting the
key pair when creating it with <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-keygen&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span></a>. Being
able to ``star'' out the passwords for staff accounts also guarantees that staff members
can only login through secure access methods that you have set up. This forces all staff
members to use secure, encrypted connections for all of their sessions, which closes an
important hole used by many intruders: sniffing the network from an unrelated, less
secure machine.</p>

<p>The more indirect security mechanisms also assume that you are logging in from a more
restrictive server to a less restrictive server. For example, if your main box is running
all sorts of servers, your workstation should not be running any. In order for your
workstation to be reasonably secure you should run as few servers as possible, up to and
including no servers at all, and you should run a password-protected screen blanker. Of
course, given physical access to a workstation an attacker can break any sort of security
you put on it. This is definitely a problem that you should consider, but you should also
consider the fact that the vast majority of break-ins occur remotely, over a network,
from people who do not have physical access to your workstation or servers.</p>

<p>Using something like Kerberos also gives you the ability to disable or change the
password for a staff account in one place, and have it immediately affect all the
machines on which the staff member may have an account. If a staff member's account gets
compromised, the ability to instantly change his password on all machines should not be
underrated. With discrete passwords, changing a password on N machines can be a mess. You
can also impose re-passwording restrictions with Kerberos: not only can a Kerberos ticket
be made to timeout after a while, but the Kerberos system can require that the user
choose a new password after a certain period of time (say, once a month).</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN18871" name="AEN18871">14.3.2 Securing Root-run Servers and
SUID/SGID Binaries</a></h2>

<p>The prudent sysadmin only runs the servers he needs to, no more, no less. Be aware
that third party servers are often the most bug-prone. For example, running an old
version of <b class="APPLICATION">imapd</b> or <b class="APPLICATION">popper</b> is like
giving a universal <tt class="USERNAME">root</tt> ticket out to the entire world. Never
run a server that you have not checked out carefully. Many servers do not need to be run
as <tt class="USERNAME">root</tt>. For example, the <b class="APPLICATION">ntalk</b>, <b
class="APPLICATION">comsat</b>, and <b class="APPLICATION">finger</b> daemons can be run
in special user <i class="FIRSTTERM">sandboxes</i>. A sandbox is not perfect, unless you
go through a large amount of trouble, but the onion approach to security still stands: If
someone is able to break in through a server running in a sandbox, they still have to
break out of the sandbox. The more layers the attacker must break through, the lower the
likelihood of his success. Root holes have historically been found in virtually every
server ever run as <tt class="USERNAME">root</tt>, including basic system servers. If you
are running a machine through which people only login via <b class="APPLICATION">sshd</b>
and never login via <b class="APPLICATION">telnetd</b> or <b class="APPLICATION">rshd</b>
or <b class="APPLICATION">rlogind</b>, then turn off those services!</p>

<p>FreeBSD now defaults to running <b class="APPLICATION">ntalkd</b>, <b
class="APPLICATION">comsat</b>, and <b class="APPLICATION">finger</b> in a sandbox.
Another program which may be a candidate for running in a sandbox is <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=named&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">named</span>(8)</span></a>. <tt
class="FILENAME">/etc/defaults/rc.conf</tt> includes the arguments necessary to run <b
class="APPLICATION">named</b> in a sandbox in a commented-out form. Depending on whether
you are installing a new system or upgrading an existing system, the special user
accounts used by these sandboxes may not be installed. The prudent sysadmin would
research and implement sandboxes for servers whenever possible.</p>

<p>There are a number of other servers that typically do not run in sandboxes: <b
class="APPLICATION">sendmail</b>, <b class="APPLICATION">popper</b>, <b
class="APPLICATION">imapd</b>, <b class="APPLICATION">ftpd</b>, and others. There are
alternatives to some of these, but installing them may require more work than you are