Securing Your Nagios Server
Spenser Reinhardt
Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds; and be stolen without your knowledge. Bruce Schneier
Who am I?
Nagios employee (2012)
Active Def Con member and speaker
OWASP Member
CTF Creator
Better be despised for too anxious apprehensions, than ruined by too confident security. Edmund Burke
Why Should You Care?
The yearly number of attacks is only increasing
The sophistication of attacks is ever increasing
Whether you like it or not, chances are you will be a target
Nagios servers hold many privileged keys.
Privacy is not for the passive. Jeffrey Rosen
Overview
Apache Modifications
Database Alterations
Iptables Rules
OS Lockdown
Why you should consider this?
Vital network information
Notifies administrators and teams of issues
Relatively low difficulty
The Defenders Dilemma
An attacker need only find one way onto the network, a defender must close all holes.
Apache Modifications Overview
Remove Apache and PHP version information
Virtual host restrictions
Forced SSL redirection
Stronger SSL certificates and algorithms
Mod_Security
Security through obscurity is only secure until it is discovered
Removing Version Information
Apache: /etc/httpd/conf/httpd.conf
ServerTokens ProductOnly
ServerSignature Off
PHP: /etc/php.ini
expose_php = Off
Resulting response header (the version is no longer advertised):
HTTP/1.1 302 Found
Date: Sat, 21 Sep 2013 15:51:01 GMT
Server: Apache
Location: https:///
Connection: close
Content-Type: text/html; charset=iso-8859-1
Security breaches usually entail more recovery efforts than acts of God. Unlike proverbial lightning, breaches of security can be counted on to strike twice unless the route of compromise has been shut off. FedCIRC
Restricting Apache Virtual Hosts
/etc/httpd/conf.d/nagiosxi.conf (default)
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
/etc/httpd/conf.d/nagiosxi.conf (restricted)
# Order allow,deny
# Allow from all
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.168.0/24 10.1.2.0/255.255.255.0 nagios.com
Order rules work the opposite way from iptables: the last evaluated rule that matches the connection applies, so with "Order deny,allow" the Allow list overrides the blanket Deny.
Security is always excessive until it's not enough. Robbie Sinclair, Head of Security, Country Energy, NSW Australia
Force SSL Redirection
/etc/httpd/conf.d/https.conf
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Forces all pages loaded over http to redirect to https.
Pages can still be requested insecurely, but will be redirected immediately.
There are risks and costs to a program of action--but they are far less than the long range cost of comfortable inaction. John F. Kennedy
Increasing SSL Security
Because openssl requires a passphrase when generating an AES-256-encrypted key, we need to generate a new key with a passphrase and then strip the passphrase before generating anything else:
cd /etc/pki/tls/private
openssl genrsa -aes256 -out ca.key.pass 2048
OR
openssl genrsa -aes256 -out ca.key.pass 4096
Type in the passphrase you used above when asked, as the following command strips it from the key:
openssl rsa -in ca.key.pass -out ca.key
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
cp ca.crt ../certs/
One person's "paranoia" is another person's "engineering redundancy." Marcus J. Ranum
Increasing SSL Security (2)
Modify the files in /etc/httpd/conf.d to add the following lines directly after the line.
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DHE-RSA-AES256-SHA:ALL:!ADH:!EXPORT:!SSLv2:!RC2:!CAMELLIA256:!3DES:!DES-CBC3-SHA:!RC4:+HIGH:!MEDIUM:!LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
AllowOverride All
Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders. Ronald Reagan
Mod_Security
Install Mod_Security packages
yum install mod_security_crs-extras mod_security mod_security_crs
Download and copy my exclusions rule list
cd /tmp
wget http://assets.nagios.com/downloads/nagiosxi/misc/mod_security_excluded_rules.conf
cp /tmp/mod_security_excluded_rules.conf /etc/httpd/conf.d/
Troubleshooting
tail -f /var/log/httpd/error_log | grep -o "/etc/httpd/modsecurity.d/activated_rules/.\{0,75\}"
/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"]
SecRuleRemoveById [ID Number]
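The tail/grep pipeline above shows hits one at a time; the following added script (not from the slides) counts rule ids across the whole error_log and drafts SecRuleRemoveById lines only for rules that fire repeatedly, so each exclusion can be reviewed before it goes into the exclusions file. The log lines are constructed samples shaped like the output above.

```shell
# Added example, not from the slides: triage ModSecurity entries in the
# Apache error_log so repeated false positives on Nagios XI pages can be
# reviewed before being added to the exclusions file as SecRuleRemoveById.

# Constructed sample error_log lines, shaped like the slide's grep output.
MODSEC_SAMPLE='[Sat Sep 21 15:51:01 2013] [error] [client 192.168.1.25] ModSecurity: Warning. Pattern match "..." at ARGS:host. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [uri "/nagiosxi/includes/components/nagioscore/ui/status.php"]
[Sat Sep 21 15:52:10 2013] [error] [client 192.168.1.25] ModSecurity: Warning. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [uri "/nagiosxi/index.php"]
[Sat Sep 21 15:53:00 2013] [error] [client 192.168.1.25] ModSecurity: Warning. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "123"] [id "950120"] [uri "/nagiosxi/admin/"]
[Sat Sep 21 15:54:00 2013] [notice] Apache configured -- resuming normal operations'

# modsec_hits FILE: print "<count> <rule id> <rule file>", most frequent first.
modsec_hits() {
    grep 'ModSecurity:' "$1" \
      | sed -n 's/.*\[file "\([^"]*\)"\].*\[id "\([0-9]*\)"\].*/\2 \1/p' \
      | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# modsec_exclusions FILE MINHITS: emit one SecRuleRemoveById line per rule
# that fired at least MINHITS times; review each one before deploying it.
modsec_exclusions() {
    modsec_hits "$1" | awk -v min="$2" '$1 >= min { print "SecRuleRemoveById " $2 }'
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$MODSEC_SAMPLE" > "$tmp"
modsec_hits "$tmp"
modsec_exclusions "$tmp" 2
rm -f "$tmp"
```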
The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We cause accidents. Nathaniel Borenstein
Database Alterations Root User
Root MySQL password
mysqladmin -u root -pnagiosxi password NewPassword
Files that must be updated with the new root password:
/root/scripts/automysqlbackup: PASSWORD=NewPassword
/usr/local/nagiosxi/scripts/backup_xi.sh: mysqlpass="NewPassword"
/usr/local/nagiosxi/scripts/restore_xi.sh: mysqlpass="NewPassword"
/usr/local/nagiosxi/var/xi-sys.cfg: mysqlpass='NewPassword'
Phishing is a major problem because there really is no patch for human stupidity Mike Danseglio
Database Alteration Changing Passwords
Changing a MySQL password, non-root users
mysql -u root -p
use mysql;
set password for 'ndoutils'@'localhost' = password('NewPassword');
flush privileges;
quit;
When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else. David Brin
Database Alterations NagiosQL User
/usr/local/nagiosxi/html/config.inc.php: "pwd" => 'n@gweb', "password" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist: "pwd" => 'n@gweb', "password" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved: "pwd" => 'n@gweb', "password" => 'n@gweb',
/usr/local/nagiosxi/etc/components/ccm_config.inc.php: "password" => "n@gweb",
/usr/local/nagiosxi/html/includes/components/ccm/config.inc.php: 'password' => 'n@gweb',
/usr/local/nagiosxi/html/includes/components/ccm/ccm.inc.php: $password = grab_array_var($cfg['db_info']['nagiosql'], 'pwd', 'n@gweb');
Men are only as good as their technical development allows them to be. George Orwell
Database Alterations Ndoutils User
/usr/local/nagios/etc/ndo2db.cfg db_pass=n@gweb
/usr/local/nagiosxi/html/config.inc.php: "pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist: "pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved: "pwd" => 'n@gweb',
/usr/local/nagvis/etc/nagvis.ini.php dbpass="n@gweb"
Be careful and you will save many men from the sin of robbing you. Ed Howe
Database Alterations - Postgres
psql -U nagiosxi
ALTER USER nagiosxi WITH PASSWORD 'NewPassword';
Files that reference the Postgres credentials:
/usr/local/nagiosxi/var/xi-sys.cfg: pgsqlpass='nagiosxi'
/usr/local/nagiosxi/scripts/backup_xi.sh: pg_dump -c -U nagiosxi nagiosxi > $mydir/pgsql/nagiosxi.sql
/usr/local/nagiosxi/scripts/restore_xi.sh: psql -U nagiosxi nagiosxi < pgsql/nagiosxi.sql
/usr/local/nagiosxi/html/config.inc.php: "pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.dist: "pwd" => 'n@gweb',
/usr/local/nagiosxi/html/config.inc.saved: "pwd" => 'n@gweb',
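The NagiosQL, ndoutils and Postgres slides above list the files that embed database credentials; the added script below (not from the slides or Nagios) checks those same files for the shipped default after a rotation, so a missed copy such as config.inc.saved does not keep the old password alive. It runs against a constructed tree here; pass / as the root on a real server.

```shell
# Added example, not from the slides: after rotating the NagiosQL, ndoutils
# and Postgres passwords, confirm none of the files the slides list still
# carry the shipped default. Takes a root prefix so it can be tried on a
# constructed tree first; use / on the real server.

# Files the slides name as holding database credentials, relative to /.
XI_CRED_FILES='
usr/local/nagiosxi/html/config.inc.php
usr/local/nagiosxi/html/config.inc.dist
usr/local/nagiosxi/html/config.inc.saved
usr/local/nagiosxi/etc/components/ccm_config.inc.php
usr/local/nagiosxi/html/includes/components/ccm/config.inc.php
usr/local/nagiosxi/var/xi-sys.cfg
usr/local/nagios/etc/ndo2db.cfg
usr/local/nagvis/etc/nagvis.ini.php
'

# leftover_defaults ROOT SECRET: print each listed file under ROOT that still
# contains SECRET; returns 1 if any were found, 0 if the rotation is clean.
leftover_defaults() {
    root=${1%/}; secret=$2; found=0
    for f in $XI_CRED_FILES; do
        p="$root/$f"
        [ -f "$p" ] || continue            # not every install has all files
        if grep -qF -- "$secret" "$p"; then echo "$p"; found=1; fi
    done
    return $found
}

# Constructed sample tree: two files rotated, one still on the default.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/nagiosxi/html" "$d/usr/local/nagios/etc"
    echo "\"pwd\" => 'Rot4tedSecret'," > "$d/usr/local/nagiosxi/html/config.inc.php"
    echo "\"pwd\" => 'n@gweb',"        > "$d/usr/local/nagiosxi/html/config.inc.saved"
    echo "db_pass=Rot4tedSecret"       > "$d/usr/local/nagios/etc/ndo2db.cfg"
    echo "$d"
}

tree=$(make_sample_tree)
leftover_defaults "$tree" 'n@gweb' || echo "default password still present"
rm -rf "$tree"
```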
One of the tests of leadership is the ability to recognize a problem before it becomes an emergency. Arnold Glascow
Locking Down IPtables
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 22 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 80 -s 192.168.1.25 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 443 -s 192.168.1.45 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 5667 -s 192.168.1.200 -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp --dport 162 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp --dport 53 -s 192.168.1.200 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
service iptables save
It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders! Robert Morris
OS Hardening
ASLR \ Exec Shield
sshd configuration
aide
SeLinux
GRSecurity Kernel Patches
Like the death of a celebrity from a drug overdose, publicized data loss incidents remind us that we should probably do something about taking better care of our data. But we usually don't, because we quickly remind ourselves that backups are boring as h***, and that it's shark week on Discovery. Nik Cubrilovic
ASLR \ Exec Shield
Address Space Layout Randomization
kernel.randomize_va_space = 1
Exec Shield
kernel.exec-shield = 1
Both can be enabled by adding these lines to /etc/sysctl.conf and running sysctl -p or rebooting the system.
A good programmer is someone who always looks both ways before crossing a one-way street. Doug Linder
SSHD Config
/etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTH
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
MaxSessions 5
MaxStartups 3
IgnoreRhosts yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding no
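Package upgrades can silently reset sshd settings, so the added script below (not from the slides) compares a sshd_config against the values listed above and reports what differs or is missing. It honours sshd's own first-match rule for duplicated keywords and runs on a constructed config here.

```shell
# Added example, not from the slides: compare an sshd_config against the
# slide's recommended values and report what differs or is missing.
# Recommended settings from the slide, "Keyword Value" per line.
SSHD_WANTED='
Protocol 2
LoginGraceTime 1m
PermitRootLogin no
MaxAuthTries 3
MaxSessions 5
MaxStartups 3
IgnoreRhosts yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
'
# sshd_audit FILE: the first effective (non-comment) occurrence of each keyword
# wins, as in sshd; prints "KEYWORD: want X, got Y" per mismatch (got <unset>
# when absent). Exit status is the mismatch count.
sshd_audit() {
    printf '%s\n' "$SSHD_WANTED" | awk -v cfg="$1" '
    BEGIN {
        bad = 0
        while ((getline line < cfg) > 0) {
            sub(/^[ \t]+/, "", line)
            if (line ~ /^(#|$)/) continue
            split(line, t, /[ \t]+/)
            k = tolower(t[1]); if (!(k in got)) got[k] = t[2]
        }
    }
    NF == 2 {
        k = tolower($1); have = (k in got) ? got[k] : "<unset>"
        if (tolower(have) != tolower($2)) { print $1 ": want " $2 ", got " have; bad++ }
    }
    END { exit bad }'
}
# Constructed sshd_config for the demo: root login left on, no grace time set.
SSHD_SAMPLE='# constructed sample, not a real server config
Protocol 2
PermitRootLogin yes
MaxAuthTries 3
MaxSessions 5
MaxStartups 3
IgnoreRhosts yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
PermitRootLogin no'
tmp=$(mktemp); printf '%s\n' "$SSHD_SAMPLE" > "$tmp"
sshd_audit "$tmp" || echo "$? setting(s) differ from the recommended values"
rm -f "$tmp"
```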
Aide installation and configuration
yum install aide
curl http://assets.nagios.com/downloads/nagiosxi/xi_security/aide.conf.{selinux,non-se} -o /etc/aide.conf (pick the selinux or non-se file to match whether SELinux is enabled on the system)
aide --init
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
aide --check
System updates, Nagios updates, configuration changes, etc. will cause AIDE warnings.
AIDE, version 0.14
### All files match AIDE database. Looks okay!
The best way to get management excited about a disaster plan is to burn down the building across the street. Dan Erwin, Security Officer, Dow Chemical Co
SELinux
Initially created and still largely maintained by the NSA
Enforces Mandatory Access Control (MAC)
Application and user domain restrictions
Execution restrictions
Port use restrictions
Additional file permissions
But not quite ready for Nagios XI
In theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't. M. Dacier, Eurecom Institute
GRSecurity\PaX
Kernel based security patches
True ASLR and Stack protections
Role-based Access Control (RBAC)
Chroot advantages
Breaks RHEL Warranty by kernel modification
You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable. Daryl White, DOI CIO
Questions? - Thank You!
History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did. Bruce Schneier