Secure Registry Operating System
From CoCCA Registry Services (NZ) Limited
Introduction
The registry system is the most important system at a ccTLD, so it should be secured as far as possible. The following sections list the steps and technologies we use to secure our systems:
Keep the system Kernel updated
Keeping the system kernel (and the rest of the OS) updated with the latest security patches is the most important thing you can do for your system. Track the latest vulnerabilities through security reports (http://cve.mitre.org/) and vendor mailing lists.
Recent dangerous vulnerabilities include:
POODLE vulnerability for HTTPS
POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding-oracle side-channel attack. It also affects Resin; as the Resin documentation describes, patch the configuration so that it does not accept SSLv3 by inserting the following in the Resin configuration:
<protocol>TLSv1,TLSv1.1,TLSv1.2</protocol>
Then update your OS:
yum update
GHOST glibc vulnerability
GHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.
To fix the vulnerability:
- Update the glibc and nscd packages on your system using the package update utility (yum update).
- Reboot the system or restart all affected services, since running processes keep using the old library until they are restarted.
Stop and disable unwanted services
Stop and disable unwanted services on your registry systems. On a registry system the only services that need to run are ssh, epp, whois, named, http and https, so make sure that only the required services are running. To list all services started at boot time in run level 3, type:
chkconfig --list | grep '3:on'
This is also a useful check that your registry services will come back after any update reboot. To disable a service, run:
# service serviceName stop
# chkconfig serviceName off
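As an added example (not a CoCCA script), the check above turned into something you can run repeatedly: it compares the services chkconfig reports as enabled at run level 3 against an allow-list and prints the stop/disable commands for anything else. The chkconfig output and the allow-list below are constructed for the demo; on a real host feed in the output of chkconfig --list and your own service names.

```shell
# Added example, not from the CoCCA page: compare the services chkconfig
# reports as "3:on" against an allow-list of what a registry host needs.
# The chkconfig output below is constructed for the demo; on a real host
# feed `chkconfig --list` in instead.

# Constructed sample of `chkconfig --list` output.
SAMPLE_CHKCONFIG='sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
named          0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups           0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth      0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix        0:off 1:off 2:on  3:off 4:on  5:on  6:off'

# Services a registry host legitimately runs at boot (assumption: adjust
# to your own service names, e.g. resin or postgresql).
ALLOWED_SERVICES="sshd named httpd iptables ip6tables ntpd rsyslog"

# Print, one per line, the services enabled at run level 3 that are not
# in the allow-list. $1 = chkconfig --list text, $2 = allow-list.
unexpected_services() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $0 ~ /3:on/ && !($1 in ok) { print $1 }'
}

# Emit the stop/disable commands for each unexpected service (printed,
# not executed, so the operator can review them first).
disable_commands() {
    unexpected_services "$1" "$2" | while read -r svc; do
        printf 'service %s stop; chkconfig %s off\n' "$svc" "$svc"
    done
}

# Usage on a real host: disable_commands "$(chkconfig --list)" "$ALLOWED_SERVICES"
disable_commands "$SAMPLE_CHKCONFIG" "$ALLOWED_SERVICES"
```

The commands are printed rather than run so that a typo in the allow-list cannot take down a production service; review the list, then paste the lines you agree with.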
Use iptables to restrict access to open ports
In the normal case your registry system provides the following services: http, https, epp, whois, named (for zone transfer only), and ssh for remote login. So we only need to allow access to the following ports: 80, 443, 43, 53/tcp/udp and ssh, and if possible restrict access to those services to specific source IPs.
For example, we can add the following iptables rules to the file /etc/sysconfig/iptables. Do not forget ip6tables as well: most providers now offer IPv6 reachability, so add the same rules to /etc/sysconfig/ip6tables:
-A INPUT -p tcp -s Your_IP_Range --dport ssh -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 43 -j ACCEPT
# Recommended: restrict CoCCA GUI access to specific IPs (add -s Your_IP_Range)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Recommended: restrict EPP access to specific IPs
-A INPUT -p tcp -m state --state NEW -m tcp --dport 700 -j ACCEPT
# Recommended: restrict DNS access to specific IPs
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
Keep track of attacker IP databases such as the sans.edu blocked IP database, which lists the top 20 attacking class C (/24) subnets over the last three days. You can use the CoCCA script to import those ranges into your iptables rules, but you must first edit the following variable in the script:
YOUR_IP_RANGE
You can download the script here: File:Block SSH SCANNER.png
Use firewalld (Centos 7) to restrict access to open ports
In the normal case your registry system provides the following services: http, https, epp, whois, named (for zone transfer only), and ssh for remote login. So we only need to allow access to the following ports: 80, 443, 43, 53/tcp/udp and ssh, and if possible restrict access to those services to specific source IPs. For example, we can add the following rules:
IPv4
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="700" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="43" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="80" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="443" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="udp" port="53" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="53" accept'
You can restrict access to a specific IP or IP range, for example:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="172.16.1.11/32" port protocol="tcp" port="43" accept'
IPv6:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port protocol="tcp" port="700" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port protocol="tcp" port="43" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port protocol="tcp" port="80" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port protocol="tcp" port="443" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port protocol="udp" port="53" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" port protocol="tcp" port="53" accept'
We recommend restricting CoCCA GUI access to specific IPs. Rules added with --permanent only take effect after a firewall-cmd --reload.
Minimize Software to Minimize Vulnerability
Avoid installing unnecessary software, to avoid the vulnerabilities that come with it. Use the RPM package manager to review the complete set of packages installed on a system and delete all unwanted packages:
# yum list installed
# yum list packageName
# yum remove packageName
For example, the X Window System is not required on a registry server and should be removed to improve security and performance: edit /etc/inittab and set the run level to 3, then remove X Windows by entering:
# yum groupremove "X Window System"
Secure the SSH service
Every service exposed to the internet is susceptible to attack. SSH is the service all system administrators use to log in to their systems remotely, so we should secure it through a number of steps, including:
sshd_config
- Disable root login. By default you can ssh to the server as root; it is best not to allow remote login for root, so set PermitRootLogin to "PermitRootLogin no".
- Restrict which users or groups are allowed to log in to your system. By default every user on your system can log in; add the following line to sshd_config to allow only specific users to log in: AllowUsers admin1 admin2
- Deny specific users or groups from logging in to your system by adding a line to sshd_config: DenyUsers named apache
- Disable .rhosts files, so that sshd does not read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with: IgnoreRhosts yes. SSH can emulate the behaviour of the obsolete rsh command, so disable this insecure rsh-style access.
- Disable host-based authentication by updating sshd_config with: HostbasedAuthentication no
- Enable a warning banner by updating sshd_config with: Banner /etc/issue
Prevent SSH brute force attacks
A brute force attack tries a large number of login attempts. To prevent brute force attacks against SSH, use the following software:
Fail2ban to prevent brute force attacks
Fail2ban prevents brute force attacks against SSH. Illegitimate users and bots will attempt to break into your system by repeatedly trying to authenticate with different credentials. The basic idea behind fail2ban is to monitor the logs of common services to spot patterns of authentication failures.
When fail2ban is configured to monitor the logs of a service, it uses a filter configured specifically for that service. The filter identifies authentication failures for that service through regular expressions, defined in a variable called failregex. Luckily, fail2ban includes filter files for common services.
When a line in the service's log file matches the failregex in its filter, the defined action is executed for that service. The action is a variable that can be configured to do many different things, depending on the administrator's preferences. The default action is to ban the offending host/IP address by modifying the iptables firewall rules. You can expand this action to also send an email to the administrator with the whois report of the attacker or the log lines that triggered the action.
You can install fail2ban on CentOS 6.5/7 with the following commands.
First of all, install the EPEL repository by issuing the following (as root):
yum install epel-release
The above should install EPEL and give you access to many new packages. One of those packages is fail2ban, therefore install it by running:
yum install fail2ban
By default no jails are configured. To configure a basic sshd jail, create or edit the file /etc/fail2ban/jail.local and add the following lines:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=noc@your_domains, sender=sshmonitor@your_domains, sendername="sshmonitor"]
logpath = /var/log/secure
maxretry = 5
bantime = 86400
Notice:
Recent fail2ban versions (v0.9.3, as shipped in the latest CentOS 7 updates) use firewalld by default. If you need to use iptables instead, follow these steps:
1- Create the file /etc/fail2ban/jail.local and write the same [ssh-iptables] jail shown above in it.
2- Disable firewalld and install iptables with the following commands:
sudo systemctl mask firewalld
sudo systemctl stop firewalld
sudo yum -y install iptables-services
sudo systemctl enable iptables
sudo systemctl start iptables
After enabling iptables you need to change the fail2ban banaction in the following file, because it uses firewalld by default:
/etc/fail2ban/jail.d/00-firewalld.conf
Edit the line:
banaction = firewallcmd-ipset
to be:
banaction = iptables-multiport
Then restart fail2ban and everything will work.
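To make the failregex/maxretry mechanism concrete, here is an added example (not part of fail2ban or of the CoCCA page) that reduces the sshd jail's core logic to awk and runs it over a constructed /var/log/secure sample: count "Failed password" lines per source host and report the hosts that reached maxretry. The log lines and addresses (from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are constructed; fail2ban's real sshd filter matches several more message forms and also applies a findtime window, which this example leaves out.

```shell
# Added example, not part of fail2ban or the CoCCA page: the sshd jail's
# core logic (failregex + maxretry) as awk, run against a constructed
# /var/log/secure sample so it can be exercised offline.

SAMPLE_SECURE_LOG='Mar  3 10:01:12 reg sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:15 reg sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:19 reg sshd[2203]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:22 reg sshd[2203]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:26 reg sshd[2205]: Failed password for root from 198.51.100.7 port 51041 ssh2
Mar  3 10:02:01 reg sshd[2210]: Accepted publickey for admin1 from 203.0.113.5 port 40100 ssh2
Mar  3 10:02:40 reg sshd[2212]: Failed password for admin1 from 203.0.113.5 port 40112 ssh2
Mar  3 10:02:44 reg sshd[2212]: Accepted password for admin1 from 203.0.113.5 port 40112 ssh2'

# Count "Failed password" lines per source host, the way the sshd
# failregex would (only this one message form; no findtime window).
# $1 = log text. Output: "<count> <host>" per line, highest count first.
failures_per_host() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (h in n) print n[h], h }' | sort -rn
}

# Hosts that reached maxretry. $1 = log text, $2 = maxretry.
hosts_to_ban() {
    failures_per_host "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# What the jail's iptables action amounts to for each banned host
# (printed for review; fail2ban itself manages its own chain).
ban_commands() {
    hosts_to_ban "$1" "$2" | while read -r host; do
        printf 'iptables -I INPUT -s %s -p tcp --dport ssh -j DROP\n' "$host"
    done
}

# Usage on a real host: ban_commands "$(cat /var/log/secure)" 5
failures_per_host "$SAMPLE_SECURE_LOG"
ban_commands "$SAMPLE_SECURE_LOG" 5
```

With maxretry = 5 as in the jail above, only 198.51.100.7 is reported; the legitimate administrator at 203.0.113.5 who mistyped a password once stays well under the threshold, which is why maxretry should not be set too low.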
Google Authenticator
Google Authenticator adds a second layer of protection beyond your password: signing in to your account on the registry system will require both your password and a verification code.
There are many references describing how to install Google Authenticator; we chose the following reference, and the main steps are:
Notice:
- Test the new configuration before closing the currently open terminal; sometimes we face problems with login or SELinux issues.
- When you install google-authenticator for one user, all current users are affected, so we recommend enabling google-authenticator for all users, including root.
Please follow these instructions to install Google Authenticator:
We need to install the development tools so we have a compiler and the libraries we need. To do that we use yum to install the "Development Tools" group:
yum -y groupinstall "Development Tools"
We also need the PAM development package:
yum -y install pam-devel
Now let's set up NTP so we can make sure our time is correct, since the verification codes are time based:
yum -y install ntp
systemctl enable ntpd (for CentOS 6.x use: chkconfig ntpd on)
systemctl start ntpd (for CentOS 6.x use: /etc/init.d/ntpd start)
Now we can download the Google Authenticator PAM module from code.google.com; we download it to the /opt directory:
cd /opt
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
Now let's unzip, untar, compile and install the module:
bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
tar -xvf libpam-google-authenticator-1.0-source.tar
rm -f libpam-google-authenticator-1.0-source.tar
cd libpam-google-authenticator-1.0
make
make install
Now that the module is installed, let's run the program to create our config file:
su - user (if you have more than one user, switch to each user with su - user and then run google-authenticator)
google-authenticator
Now we just need to modify the PAM and sshd config files and we are all set. First modify the PAM config file to require a Google Authenticator challenge during ssh authentication:
vi /etc/pam.d/sshd
and add the following line to the top of the file:
auth required pam_google_authenticator.so
Next, modify the sshd config file to show the challenge:
vi /etc/ssh/sshd_config
and find the line that starts with ChallengeResponseAuthentication, make sure it reads ChallengeResponseAuthentication yes, then save sshd_config.
Finally, reload the sshd config file with:
systemctl reload sshd (for CentOS 6.x use: /etc/init.d/sshd reload)
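The sshd_config settings from the "Secure the SSH service" section and the PAM change just made are easy to get subtly wrong (a commented-out keyword, a second PermitRootLogin line earlier in the file that wins, a Google Authenticator line added but not as "required"). The following added example, not from the CoCCA page, audits both files: it resolves each sshd keyword the way sshd does (first non-comment occurrence wins, case-insensitive) and checks /etc/pam.d/sshd for the pam_google_authenticator.so line. The two config texts are constructed so that each shows one failure; on a real host pass in the contents of /etc/ssh/sshd_config and /etc/pam.d/sshd.

```shell
# Added example, not from the CoCCA page: audit a sshd_config and a
# /etc/pam.d/sshd against the settings this page asks for. Both config
# texts are constructed to show one failure each.

SAMPLE_SSHD_CONFIG='# constructed sample
Port 22
#PermitRootLogin yes
PermitRootLogin no
IgnoreRhosts yes
HostbasedAuthentication no
Banner /etc/issue
ChallengeResponseAuthentication no
AllowUsers admin1 admin2'

SAMPLE_PAM_SSHD='#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so'

# Effective value of a sshd_config keyword: first non-comment match wins,
# as sshd itself does; keywords are case-insensitive.
# $1 = config text, $2 = keyword.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }'
}

# Print one "FAIL <keyword> expected <x> got <y>" line per deviation;
# prints nothing when everything matches. $1 = sshd_config text.
audit_sshd_config() {
    cfg="$1"
    printf '%s\n' \
        "PermitRootLogin no" \
        "IgnoreRhosts yes" \
        "HostbasedAuthentication no" \
        "Banner /etc/issue" \
        "ChallengeResponseAuthentication yes" |
    while read -r key want; do
        got="$(sshd_value "$cfg" "$key")"
        [ "$got" = "$want" ] || printf 'FAIL %s expected %s got %s\n' "$key" "$want" "${got:-<unset>}"
    done
    # AllowUsers must be present: without it every local account may log in.
    [ -n "$(sshd_value "$cfg" AllowUsers)" ] || echo 'FAIL AllowUsers expected a user list got <unset>'
}

# True (exit 0) when pam.d/sshd requires the Google Authenticator module.
# $1 = pam config text.
pam_requires_google_authenticator() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so'
}

# Usage on a real host:
#   audit_sshd_config "$(cat /etc/ssh/sshd_config)"
#   pam_requires_google_authenticator "$(cat /etc/pam.d/sshd)" || echo 'FAIL pam_google_authenticator not required'
audit_sshd_config "$SAMPLE_SSHD_CONFIG"
pam_requires_google_authenticator "$SAMPLE_PAM_SSHD" || echo 'FAIL pam_google_authenticator not required'
```

Run it after every change to sshd_config and before closing your existing session; an empty audit output plus a successful test login from a second terminal is the point at which it is safe to log out.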
Add a new user after securing the SSH service
To create a new account that can log in to your server over SSH, follow these steps:
1- First log in to the server with your own user name, then use sudo or root credentials to execute the next steps.
2- Create the new user. Command in shell:
$ sudo adduser newuser1
3- Give the new user a password. Command in shell:
$ sudo passwd newuser1
4- Add the user to the sudoers file. The easy way is to edit the sudoers file with the visudo command:
$ visudo
The sudoers file opens; find the following lines:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
In this case we are granting root privileges to the user newuser1. Add the following below those lines:
newuser1 ALL=(ALL) ALL
Now save the file: press Escape, type :w! and Enter, then :q! and Enter. The new user is now in the sudoers file.
5- Add the new user to the allowed users list so it can log in. Open the sshd config file:
$ nano /etc/ssh/sshd_config
find the following lines (xxxxx stands for the other existing users):
#AllowTcpForwarding yes
AllowUsers xxxxx xxxxx xxxxxx
and add the new user to the AllowUsers list:
#AllowTcpForwarding yes
AllowUsers newuser1 xxxx xxxx xxxx
then save the file and restart the sshd process with this command:
$ systemctl restart sshd
6- Create the google-authenticator tokens for the new user.
After creating the user we have to give them their tokens so they can log in. Switch to their account with:
$ su - newuser1
then execute the google-authenticator command:
$ google-authenticator
then answer yes to all the questions, but copy all the tokens and the URL. The output will look like:
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/newuser1@xzxzxzxzxzxzxzxzxzxzx.zxzxzxz.zzxzx
Your new secret key is: asbvjhxcavdsnkdf
Your verification code is 8242430
Your emergency scratch codes are:
2312423153
6564564564
2455656454
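Step 5 above is a hand edit of the AllowUsers line, which is easy to get wrong on a host that has been hardened (a typo there locks the new user out, and deleting the line by accident lets every local account in). As an added example, not from the CoCCA page, here is that step as a function that appends a user to AllowUsers idempotently and refuses malformed user names. The sshd_config text is constructed; on a real host run it on a copy of /etc/ssh/sshd_config, diff the result, install it and check it with sshd -t before restarting sshd.

```shell
# Added example, not from the CoCCA page: step 5 (adding a user to
# AllowUsers) done with sed so the same script can be re-run safely.
# The config text is constructed.

SAMPLE_CONFIG='PermitRootLogin no
#AllowTcpForwarding yes
AllowUsers admin1 admin2
ChallengeResponseAuthentication yes'

# Users currently listed on AllowUsers lines, one per line. $1 = config text.
allowed_users() {
    printf '%s\n' "$1" | awk '$1 == "AllowUsers" { for (i = 2; i <= NF; i++) print $i }'
}

# Print the config with $2 added to the AllowUsers line. If the user is
# already listed the text is returned unchanged; if there is no AllowUsers
# line one is appended (which switches sshd from allow-all to allow-list).
# $1 = config text, $2 = user name.
add_allowed_user() {
    cfg="$1"; user="$2"
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user name: $user" >&2; return 1 ;;
    esac
    if allowed_users "$cfg" | grep -qxF "$user"; then
        printf '%s\n' "$cfg"
    elif printf '%s\n' "$cfg" | grep -q '^AllowUsers'; then
        printf '%s\n' "$cfg" | sed "s/^AllowUsers.*/& $user/"
    else
        printf '%s\nAllowUsers %s\n' "$cfg" "$user"
    fi
}

# Usage on a real host (as root), reviewing the diff before installing:
#   add_allowed_user "$(cat /etc/ssh/sshd_config)" newuser1 > /tmp/sshd_config.new
#   diff /etc/ssh/sshd_config /tmp/sshd_config.new
#   sshd -t -f /tmp/sshd_config.new && cp /tmp/sshd_config.new /etc/ssh/sshd_config && systemctl restart sshd
add_allowed_user "$SAMPLE_CONFIG" newuser1
```

Running the function twice for the same user leaves the file unchanged, so it can sit in a provisioning script without growing the line on every run; the name check keeps a stray space or shell metacharacter from producing an AllowUsers line sshd will reject.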
