Hardening servers for the modern internet

Similar documents
File System Hierarchy Standard (FHS)

Linux Systems Administration Getting Started with Linux

Introduction. What is Linux? What is the difference between a client and a server?

How to Restrict a Login Shell Using Linux Namespaces

Linux Kung Fu. Stephen James UBNetDef, Spring 2017

Chapter Two. Lesson A. Objectives. Exploring the UNIX File System and File Security. Understanding Files and Directories

Some Practical Matters. Introduction to Unix. What's Our Goal? Linux!= UNIX

Computer Center, CS, NCTU. Outline. FreeBSD version 8.2-RELEASE. Installing FreeBSD. From CD-ROM

Computer System Management - Unix/Linux

FreeBSD Overview Comparison with Linux. Welcome. Class Schedule. Some Practical Matters. Introduction. SANOG VI IP Services Workshop

Welcome to getting started with Ubuntu Server. This System Administrator Manual. guide to be simple to follow, with step by step instructions

At course completion. Overview. Audience profile. Course Outline. : 55187B: Linux System Administration. Course Outline :: 55187B::

"Charting the Course... MOC B: Linux System Administration. Course Summary

2 nd SEE 6DISS Workshop Plovdiv June Host Configuration (Windows XP) Athanassios Liakopoulos

Filesystem Hierarchy and Permissions

Assignment 3 Firewalls

Embedded System Design

Introduction to FreeBSD (Additional Material)

Network stack virtualization for FreeBSD 7.0. Marko Zec

This material is based on work supported by the National Science Foundation under Grant No

521262S Computer Networks 2 (fall 2007) Laboratory exercise #4: Multimedia, QoS and testing

Filesystem Hierarchy Operating systems I800 Edmund Laugasson

INTRODUCTION TO LINUX

Exam LFCS/Course 55187B Linux System Administration

Filesystem Hierarchy and Permissions

Lab I: Using tcpdump and Wireshark

iptables and ip6tables An introduction to LINUX firewall

FreeBSD Jails vs. Solaris Zones

Welcome. Introduction to FreeBSD. Class Schedule. Some Practical Matters. Outline continued. Outline. Introduction. Pre-SANOG VI Workshop

Getting Started with Linux

Overview LEARN. History of Linux Linux Architecture Linux File System Linux Access Linux Commands File Permission Editors Conclusion and Questions

Computer Center, CS, NCTU. Outline. FreeBSD version 9.0-RELEASE 9.1-RC1. Installing FreeBSD. From CD-ROM From USB

iocell Documentation Release iocell

CSCI 2132 Software Development. Lecture 3: Unix Shells and Other Basic Concepts

Introduction to Linux. Woo-Yeong Jeong Computer Systems Laboratory Sungkyunkwan University

Critical Analysis and last hour guide for RHCSA/RHCE Enterprise 7

Essential Unix and Linux! Perl for Bioinformatics, ! F. Pineda

EE516: Embedded Software Project 1. Setting Up Environment for Projects

Herding Clones. Mike Kershaw August 17, urmk/

Static and source based routing

Static routing lab KTH/CSC. Juniper version. Group Nr. Name 1. Name 2. Name 3. Name 4. Date. Grade. Instructor s Signature

ZFS Boot Environments

Course 55187B Linux System Administration

TELE3119 Trusted Networks Lab 1(a),(b) Sniffing wireless traffic

Manual Update Ubuntu To Command Line

Created: Tue 14:35

OpenStack Havana All-in-One lab on VMware Workstation

Unix Shells and Other Basic Concepts

Capture The Flag Challenge Prep Class

Thousands of Linux Installations (and only one administrator)

Perl and R Scripting for Biologists

3 Connection, Shell Serial Connection over Console Port SSH Connection Internet Connection... 5

TimeIPS Server. IPS256T Virtual Machine. Installation Guide

Computer Security II Lab Network Security

Course Wiki. Today s Topics. Web Resources. Amazon EC2. Linux. Apache PHP. Workflow and Tools. Extensible Networking Platform 1

COMPUTER NETWORKING LAB EXERCISES (TP) 4

u-root: / with the convenience of scripting and the performance of compilation

ISLET: Jon Schipp, AIDE jonschipp.com. An Attempt to Improve Linux-based Software Training

Create a pfsense router for your private lab network template

PowerVM Lx86 for x86 Linux Applications Administration Guide

Manage Directories and Files in Linux. Objectives. Understand the Filesystem Hierarchy Standard (FHS)

NETWORK CONFIGURATION AND SERVICES. route add default gw /etc/init.d/apache restart

Introduction to Linux

Sysinstall main menu. Move the cursor down by using the DOWN-ARROW and select Standard.

Travis Cardwell Technical Meeting

SANOG VI IP Services Workshop: FreeBSD Install

1 Installation (briefly)

ELEC 377 Operating Systems. Week 8 Class 1

Unix / Linux Overview

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Documentation. OTRS Appliance Installation Guide. Build Date:

GNU/Linux 101. Casey McLaughlin. Research Computing Center Spring Workshop Series 2018

NAT Support for Multiple Pools Using Route Maps

Firewalls. IT443 Network Security Administration Slides courtesy of Bo Sheng

Chapter-3. Introduction to Unix: Fundamental Commands

Splunk N Box. Splunk Multi-Site Clusters In 20 Minutes or Less! Mohamad Hassan Sales Engineer. 9/25/2017 Washington, DC

Static Routing Exercise. Scalable Infrastructure Workshop AfNOG 2011

FreeBSD Overview Comparison with Linux

FreeBSD Overview Comparison with Linux. Some Practical Matters. Outline. Outline continued

Created: Tue 14:30

Overview of the UNIX File System

Lab 1: Packet Sniffing and Wireshark

The new VVorld. FreeBSD jail based virtualization. Bjoern Zeeb, Robert Watson. The FreeBSD Project. BSDCan 2010

Working with Ubuntu Linux. Track 2 Workshop June 2010 Pago Pago, American Samoa

INSTALLATION. Security of Information and Communication Systems

Unix Filesystem. January 26 th, 2004 Class Meeting 2

CompTIA Linux+ Guide to Linux Certification Fourth Edition. Chapter 2 Linux Installation and Usage

Jason Dixon DixonGroup Consulting. August 4, 2005

Computer Center, CS, NCTU. Outline. FreeBSD version 11.1-RELEASE. Installing FreeBSD. From CD-ROM From USB

Today. Operating System Evolution. CSCI 4061 Introduction to Operating Systems. Gen 1: Mono-programming ( ) OS Evolution Unix Overview

Static Ip Address Problems Windows 7 Setup. Virtual >>>CLICK HERE<<<

Setting-up WAN Emulation using WAN-Bridge Live-CD v1.10

Configuring a Palo Alto Firewall in AWS

Introduction to Linux

exam.30q. Number: Passing Score: 800 Time Limit: 120 min File Version: 1 LPI

Practical Exercises of Computer system security course

Linux Home Lab Environment

RHCSA BOOT CAMP. Network Security

INSTALLATION. Security of Information and Communication Systems. Table of contents

Installing and Using Docker Toolbox for Mac OSX and Windows

Transcription:

Hardening servers for the modern internet Philip Paeps The FreeBSD Foundation SANOG32 7 August 2018 Dhaka, Bangladesh

Session 1 (09:00 11:00) 1. Presentation: Introduction to the FreeBSD project (30 minutes) 2. Presentation: FreeBSD tips for Linux refugees (30 minutes) 3. Lab: Installing a FreeBSD server in a virtual machine (60 minutes) Goal: have FreeBSD installed on your laptop before the tea break. 7 August 2018 Introduction to FreeBSD 2

Session 2 (11:30 13:00) 1. Presentation: Introduction to the pf packet filter (60 minutes) 2. Lab: pf exercises Goal: have pf configured on your laptop before lunch. 7 August 2018 Introduction to FreeBSD 3

Session 3 (14:30 16:00) 1. Presentation: Introduction to jails and ezjail (60 minutes) 2. Lab: Configuring jails and ezjail in your virtual machines (30 minutes) Goal: have jails on your laptop before the tea break. 7 August 2018 Introduction to FreeBSD 4

Session 4 (16:30 18:00) 1. Presentation: introduction to letsencrypt.org (30 minutes) 2. Demo: getting a letsencrypt.org certificate in a jail (30 minutes) 3. Lab: get a letsencrypt.org certificate for your jail (30 minutes) Goal: Have an HTTPS secured webserver by the end of the day 7 August 2018 Introduction to FreeBSD 5

Documentation everywhere Online documentation Installed by default Primarily Unix man pages Cookbook-style FreeBSD Handbook https://www.freebsd.org/doc/handbook/book.html FreeBSD Wiki https://wiki.freebsd.org/ 7 August 2018 Introduction to FreeBSD 6

Finding your way around the system (1) /boot Bootloader configuration, kernel and kernel modules /bin, /sbin Essential user commands /dev Device special files (managed by devfs(5)) /etc System configuration files and scripts /lib, /libexec Critical system libraries/utilities /tmp Temporary files not guaranteed to persist across reboots /usr Majority of user utilities and applications /var Multi-purpose log, temporary, transient, and spool files 7 August 2018 Introduction to FreeBSD 7

Finding your way around the system (2) Third-party applications installed by pkg(8) live in /usr/local /proc is not mounted by default Runtime kernel parameters managed by sysctl(8) No systemd! 7 August 2018 Introduction to FreeBSD 8

The pkg(8) package manager New since FreeBSD 10.0-RELEASE (2014) Basic commands pkg install pkg remove pkg upgrade pkg audit See also chapter 4 of the FreeBSD Handbook https://www.freebsd.org/doc/handbook/ports.html 7 August 2018 Introduction to FreeBSD 9

Starting and stopping services System configuration lives in /etc/rc.conf The sysrc(8) utility can be used to configure services Services are started and stopped with the service(8) utility sysrc sshd_enable="yes" service sshd start service sshd stop 7 August 2018 Introduction to FreeBSD 10

Network configuration Boot-time configuration lives in /etc/rc.conf sysrc ifconfig_em0="dhcp" sysrc ifconfig_em0="inet 192.0.2.42/24" sysrc ifconfig_em0_ipv6="inet6 2001:db8::42/64" Run-time configuration is managed by ifconfig(8) ISC DHCP client is available out of the box dhclient(8) Further documentation in the manual pages and in the FreeBSD handbook! 7 August 2018 Introduction to FreeBSD 11

Tips for Linux refugees (1) vi is really vi pkg install vim if you prefer Vim or pkg install emacs if you enjoy pain sh is really sh pkg install zsh if you prefer zsh or pkg install bash if you enjoy pain root s shell is csh Don t mess with that! 7 August 2018 Introduction to FreeBSD 12

Tips for Linux refugees (2) FreeBSD aims to be consistent and self-documenting Warnings and errors generally provide clues to the solution Consulting man pages is often much faster than Google The FreeBSD community is very helpful! Subscribe to the questions@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-questions 7 August 2018 Introduction to FreeBSD 13

Keeping up to date (1) The FreeBSD security team regularly issues security advisories and errata notices for supported FreeBSD releases. Stable branches (e.g. X-STABLE) are supported for five years after X.0-RELEASE Individual point releases (e.g. X.0-RELEASE) are supported for three months after the next point release (e.g. X.1-RELEASE) 7 August 2018 Introduction to FreeBSD 14

Keeping up to date (2) Use freebsd-update(8) to patch a supported -RELEASE freebsd-update fetch freebsd-update install Check for updates nightly from /etc/crontab 0 3 * * * root /usr/sbin/freebsd-update cron NOTE WELL! This only checks for updates, it does not install them! 7 August 2018 Introduction to FreeBSD 15

Keeping up to date (3) Upgrade to a newer supported -RELEASE freebsd-update upgrade r X.Y-RELEASE Follow instructions for merging configuration files and rebooting freebsd-update(8) usually will not destroy your system but There is no excuse for not having (tested) backups! 7 August 2018 Introduction to FreeBSD 16

Installing your first FreeBSD server in a virtual machine 7 August 2018 Introduction to FreeBSD 17

Downloading FreeBSD On the SANOG32 wireless network http://172.16.0.246 VMware VirtualBox CD-ROM ISO image USB memstick image FreeBSD-11.2-RELEASE-amd64.vmdk.xz FreeBSD-11.2-RELEASE-amd64.vhd.xz FreeBSD-11.2-RELEASE-amd64-disc1.iso.xz FreeBSD-11.2-RELEASE-amd64-memstick.img 7 August 2018 Introduction to FreeBSD 18

Installing FreeBSD in VMware (1) 7 August 2018 Introduction to FreeBSD 19

Installing FreeBSD in VMware (2) 7 August 2018 Introduction to FreeBSD 20

Installing FreeBSD in VMware (3) 7 August 2018 Introduction to FreeBSD 21

Installing FreeBSD in VMware (4) 7 August 2018 Introduction to FreeBSD 22

Installing FreeBSD in VMware (5) 7 August 2018 Introduction to FreeBSD 23

Exercises (1) 1. Install FreeBSD in a virtual machine on your own laptop 2. Connect your virtual machine to the SANOG32 network Bridge your virtual machine to the wireless network Use dhclient em0 to get an IP address Ping a machine on the internet to verify it works Make your configuration persistent in /etc/rc.conf Reboot and verify again! 7 August 2018 Introduction to FreeBSD 24

Exercises (2) 1. Install the nginx web server using pkg(8) 2. Enable nginx in /etc/rc.conf 3. Start nginx 4. Verify you and your neighbour can connect to your web server 5. Reboot your virtual machine to verify everything still works 7 August 2018 Introduction to FreeBSD 25

The pf packet filter 7 August 2018 Introduction to FreeBSD 26

High-level overview Operate on the IP and transport layers of the network stack Packets are recognised based on Source and destination address IP protocol (TCP, UDP, ICMP, ) Source and destination port (TCP, UDP) Type and code (ICMP) Matching packets are either allowed or refused 7 August 2018 Introduction to FreeBSD 27

History of pf Originally developed on OpenBSD to replace ipfilter (2001) Primary goals Security Ease of configuration Imported in FreeBSD (2003) Optimised for FreeBSD (2003 present) Performance Multi-threading 7 August 2018 Introduction to FreeBSD 28

Finding pf documentation pf on FreeBSD is not in sync with pf in OpenBSD! Blindly following OpenBSD documentation will not work No match keyword on FreeBSD FreeBSD handbook and online man pages are accurate 7 August 2018 Introduction to FreeBSD 29

pf features (Switch to mlaier s slides from SUCON) 7 August 2018 Introduction to FreeBSD 30

pf exercises (1) 1. Make a clone of your virtual machine 2. Configure both virtual machines to NAT through your laptop 3. Write down the IP addresses of your two virtual machines 4. Write a pf filter to block all but outgoing traffic 1. Test that this works! 5. Change your filter on one VM to allow ssh from the other VM 6. Change your filter on onevm to allow HTTP from the other VM 7 August 2018 Introduction to FreeBSD 31

pf exercises (2) Configure NAT on one VM and route through the other VM Block all traffic to your web server from 192.168.42.0/24 7 August 2018 Introduction to FreeBSD 32

Configuring pf All configuration is kept in /etc/pf.conf (one single file) Order matters but not very much Settings Macros NAT Rules Syntax is simple and easy to understand 7 August 2018 Introduction to FreeBSD 33

Jails: light-weight multi-tenancy 7 August 2018 Introduction to FreeBSD 34

What are jails Essentially a chroot(8) with an IP address Actually: any number of IP addresses IPv4 or IPv6 Simply: confine a process and all its children to a sandbox 7 August 2018 Introduction to FreeBSD 35

Configuring jails Manually using /etc/jail.conf and the jail command More usefully using ezjail https://www.freebsd.org/doc/handbook/jails-ezjail.html https://www.freebsd.org/doc/handbook/jails.html 7 August 2018 Introduction to FreeBSD 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback