Subject: RE: NetBSD for shell acct. services
To: Claudio Leite <claudio@tux.org>
From: Gunnar Helliesen <gunnar@bitcon.no>
List: port-i386
Date: 08/19/1998 01:41:02
Perry E. Metzger wrote:
> 
> I would also make sure that tight monitoring systems could detect
> system attack -- in particular, I would operate tripwire off of read
> only media at very frequent intervals to assure that nothing dangerous
> had been done to the system.

I'd also send all syslog information to another system somewhere, one
that the potentially hostile users do not have accounts on. If you're
really paranoid, you can log to write-once media (it's also a good idea
to write wtmp info there). The ideal loghost runs from read-only media,
logs to write-once media and is behind a separate firewall.

On the same note, putting important binaries like su(1), login(1),
init(8), getty(8), syslogd(8) and so on on read-only media is a good
idea. An easy way to do this is to mount all of /usr from read-only
media.

Do not run any binaries that you do not have access to full source code
for. OTOH, as Perry said, do not keep any sources nor any compilers on
the public machine.

Make sure you touch empty .rhosts and .forward files with owner root and
appropriate permissions (as in 400) in all privileged user homedirs.

Go through /etc/inetd.conf and disable everything you don't need or
don't know what it is. Particularly make sure to turn off all r* services.

Make sure you log all email activity, and most importantly:

Create a policy where you specify all appropriate use of your system and
state that all other use is not acceptable and will be legally pursued.
Force all your users to acknowledge (in writing) that they've read,
understood and accepted your policy.

> Again, I would do this for ANY Unix system exposed to potentially
> hostile users -- not just NetBSD.

Indeed.

> Doing this sort of thing right is a bit of an art, but it is easily
> feasible.

Yes. The main thing is to log _everything_ and protect the integrity of
the logs.

If I were running an ISP I'd also set up an NFR (www.nfr.net) host in
"stealth mode" on the same Ethernet as the publicly available host(s)
and keep an eye open for services appearing on non-privileged ports etc.

Oh, and no X11 on the shell machine of course.

Gunnar

--
Gunnar Helliesen   | Bergen IT Consult AS  | NetBSD/VAX on a uVAX II
Systems Consultant | Bergen, Norway        | '86 Jaguar Sovereign 4.2
gunnar@bitcon.no   | http://www.bitcon.no/ | '73 Mercedes 280 (240D)
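As an added example that is not part of Gunnar's post or of NetBSD itself: a POSIX sh audit for two of the checklist items above, r* entries left enabled in an inetd.conf and .rhosts/.forward files that are not root-owned, empty and mode 400. The inetd.conf contents and home directories created at the bottom are constructed sample data, and the owner argument is passed as the current user only so the sample runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the original post): audit two checklist items --
# r* services still enabled in an inetd.conf, and .rhosts/.forward files in
# home directories that are not owned by root, empty and mode 400.
# Print enabled (uncommented) inetd.conf entries for the r* services
# shell (rsh), login (rlogin) and exec (rexec); return 1 if any is found.
audit_inetd_r_services() {
    found=$(grep -v '^[[:space:]]*#' "$1" |
        awk '$1 == "shell" || $1 == "login" || $1 == "exec" { print $1 }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Each $1/*/.rhosts and .forward must exist, be empty, be mode 400 and be
# owned by $2 (default root); one line per problem, return 1 if any found.
audit_dotfiles() {
    homeroot=$1; owner=${2:-root}; bad=0
    for home in "$homeroot"/*/; do
        for name in .rhosts .forward; do
            f="$home$name"
            if [ ! -f "$f" ]; then echo "MISSING $f"; bad=1; continue; fi
            # ls -ld fields: 1=mode 3=owner 5=size (same on GNU and BSD ls)
            set -- $(ls -ld "$f")
            mode=$(printf '%s' "$1" | cut -c1-10)
            [ "$mode" = "-r--------" ] || { echo "MODE $mode $f"; bad=1; }
            [ "$3" = "$owner" ] || { echo "OWNER $3 $f"; bad=1; }
            [ "$5" -eq 0 ] || { echo "NONEMPTY $5 $f"; bad=1; }
        done
    done
    return $bad
}

# Constructed sample data: rlogind left enabled, one hardened home directory
# and one with a world-readable, non-empty .rhosts and no .forward.
demo() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    printf '%s\n' '#shell stream tcp nowait root /usr/libexec/rshd rshd' \
        'login stream tcp nowait root /usr/libexec/rlogind rlogind' \
        'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -ll' > "$tmp/inetd.conf"
    mkdir -p "$tmp/home/alice" "$tmp/home/bob"
    : > "$tmp/home/alice/.rhosts"; : > "$tmp/home/alice/.forward"
    chmod 400 "$tmp/home/alice/.rhosts" "$tmp/home/alice/.forward"
    echo 'otherhost.example' > "$tmp/home/bob/.rhosts"; chmod 644 "$tmp/home/bob/.rhosts"
    audit_inetd_r_services "$tmp/inetd.conf" || echo '-> r* service(s) enabled'
    # owner is the current user here only because the sample files are ours
    audit_dotfiles "$tmp/home" "$(id -un)" || echo '-> dotfile problems found'
}
demo
```

On a real shell host you would run the two functions against /etc/inetd.conf and /home with the default owner root, preferably from a cron job whose output goes to the remote loghost.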