Mais um artigo sobre como assegurar seu servidor de nomes (BIND) , específico *BSD...
Securing DNS (OpenBSD/FreeBSD Version)
There have been a large number of problems with BIND because of the
size and complexity of the functions it performs. As a result, a number of
attacks (and here ) are beginning to emerge that target this service
specifically, some of which can allow full remote access to the target host.
Because systems running DNS servers are so critical to the network
infrastructure, it is vital that these systems do not get compromised.
To further this, I've prepared this short document that describes how to set
up your BIND 8.1.x server in a chroot() environment under OpenBSD
2.3 , which is what I run my DNS/SMTP/WWW servers on. This
document is largely inspired by my friend Adam Shostack and his paper
on the identical subject matter (which covers Solaris). Please read his
paper (and check out his entire page which contains good reading) after
you've been here. As a side note, OpenBSD version 2.4 and above now run
with BIND in a chroot() jail by default (this document was originally
written before that release), but these instructions will prove equally useful
to other BSD variants that don't have this useful and prudent feature on by
default.
NOTE: This is a living document and I expect changes and small
errors to be discovered over time. My DNS server is very small and
handles a limited number of zones and traffic. It is quite possible that the
information I supply here does not work for larger sites. If this is your case
please write me and tell me what is broken so I can change it
here! Your input will be given full credit and will help everyone who
wishes to contain the beast we call BIND.
Step One: Get The Software and Install
Go to the ISC FTP Site and download the latest version of BIND. These
directions have only been tested on BIND version 8.1.x. Higher versions
are shipping now and testing will be done on these as well, although a
preliminary glance indicates that the procedure will be virtually identical.
Install the software per the directions included with the package.
Step Two: Make static named and named-xfer
binaries
After the build and install you will need to make a statically linked
version of the program. This is easily accomplished by going into the
directory /src/port/openbsd under BIND and editing the file
Makefile.set.
Change the line:
'CDEBUG= -O2 -g'
To:
'CDEBUG= -O2 -static'
Go to the top of the BIND source directory and do a "make clean"
followed by a "make". Go onto the next step where you will copy the files
to the chroot() directory.
For the uninitiated, a statically linked program is one that does not
perform dynamic loading of libraries. For a chroot() environment it means
that the executable will be "self-contained" and will not cause an error if
you are missing a library file. While it is not necessary to have statically
linked files in the chroot() environment, it often makes setup easier. I
prefer to have all network daemons statically linked for this reason.
Step Three: Make a Directory for BIND
Create a directory for BIND to be chroot()ed in. This can be as simple as
/chroot/named and will be the "pseudo" root where BIND will reside.
The ultra-paranoid may even want to put this chroot jail on a separate
physical volume.
Under this directory you will need to create the following directory
structure:
/dev
/etc
/namedb
/usr
/libexec
/var
/run
Under each directory you will need to copy the following files and/or
perform the following commands:
/
copy statically linked named binary from the BIND src/bin/named
directory
/etc
copy named.conf from /etc
copy localtime from /etc (so named logs correct timezone in syslog)
/etc/namedb
copy all zone databases and files from /etc/namedb
/dev
mknod null c 2 2; chmod 666 null (For other BSD variants, look at
/dev/MAKEDEV to get the mknod command)
/usr/libexec
copy statically linked named-xfer binary from the BIND
src/bin/named-xfer directory
/var/run
None
Additionally, Bernhard Weisshuhn , writes that if
you have custom logging directories specified that you need to be sure to
make these as well (/var/log). Although named won't crash, it will
complain.
Step Four: Add named user and group
Add the user named to the /etc/passwd and to the /etc/group files.
This will be the UID/GID that the server runs under.
You should now go to the /chroot/named/var/run directory and make
it writable by named so the named.pid file can be written to upon startup.
This is used by the ndc command to control named's operation.
At this point you may want to go into your chroot named area and chown
-R named.named on the /etc/namedb directory. This allows named
to dump cache and statistical information if you send it the proper signal
(kill -INT ) . This change should not significantly effect the
security of your chroot() setup. Leaving it owned as root won't allow
named to write out this information (remember named now runs under a
new UID and no longer root), but still allows named to function. A second
option is to change the permissions to allow writing to this directory, but
leaving it owned by root. This could also work but you need to be careful
with doing so to ensure normal users can't modify your named records!
IMPORTANT: ** DO NOT USE AN EXISTING UID/GID to run
named under (i.e. "nobody"). It is always a bad idea to use an existing
UID/GID under a chroot environment as it can impact the protection
offered by the service. Make a separate UID/GID for every daemon
you run under chroot() as a matter of practice.
Step Five: Edit startup scripts
1) Edit /etc/rc and change the named startup line from:
echo 'starting named'; named $named_flags
To the location of your statically linked binary under the chroot
directory:
echo 'starting named'; /chroot/named/named $named_flags
You now need to enable a syslog socket in your chroot jail so named can
write messages to your logs. To do this edit /etc/rc.conf and change the
syslogd flags:
syslogd_flags="-a /chroot/named/dev/log" (FreeBSD uses '-l'
instead of '-a')
You will also need to change the startup flags for BIND. Version 8.x has a
feature where you can change the user and group ID after binding. This is
where you specify your UID/GID you assigned to BIND above.
named_flags="-u named -g named -t /chroot/named"
2) BIND 8.1.x ships with a script called "ndc" which is used to control
named operations. You will need to edit this file and change the location of
the variable PIDFILE from /var/run/named.pid to
/chroot/named/var/run/named.pid. BIND 8.2.x and above now
makes this a binary and this change won't be necessary any longer.
Step Six: Test it out
Stop syslogd and named if they running and then from the command line
type:
syslogd -a /chroot/named/dev/log (FreeBSD uses '-l' instead of
'-a')
Go into this directory and ls -al. You should see (the date is insignificant):
srw-rw-rw- 1 root wheel 0 Jan 01 12:00 log
The "s" bit is set to indicate that the file is a socket. This is how named will
write to syslog from within the chroot() jail.
Now type:
/chroot/named/named -u named -g named -t /chroot/named
If all goes well named will start and your logs will indicate that named is
"Ready to answer queries."
Perform other DNS tests as appropriate to ensure operation, then reboot
your system and verify the setup. BIND should have started and reported
it chroot()ed to to directory and changed UID/GID. You can use a
program such as lsof to list out the owner of all network sockets on the
host. The owner should be your named UID/GID.
When everything is working you should either rename /etc/namedb to
something like /etc/namedb.orig and chmod 000 /usr/sbin/named to
ensure that the old version doesn't get run by mistake. Reboot your system
and assuming everything is correct your named will now be chroot()ed.
Thanks
Thanks to the following people who made suggestions and submitted
corrections:
Steinar Haug - Comments concerning blocking of
TCP to port 53.
Bernhard Weisshuhn - Comments pertaining to
Linux install (typos, adding /etc/group entry).
Marc Heuse - Comments pertaining to
logging and renaming of old binaries and directories.
Jan Gruber - Comments pertaining to permissions on
/chroot/named/var/run and changes to the ndc control script.
Modred - Corrections for FreeBSD and small
typo on making /dev/log
Robert J. Brown - Corrections in steps five and six
where I typed /chroot/named instead of /chroot/named/named to start the
binary. Advised about changes to ndc under BIND 8.2.
|
