Lab: Host Hardening
In this lab, you will be hardening your machines to make them more resistant to attack.
Late submissions will result in a 10% penalty per day (e.g., 2.5 days late results in a 25% penalty).
On your Linux machine, you will be changing some of the kernel parameters in the /proc filesystem. Any changes you make will be forgotten once the system reboots. To make the changes permanent, see man sysctl.conf and
Similarly, you will be making changes to the Windows Registry. After making registry changes to your Windows server, you will likely need to reboot it. Rebooting your Linux machine is not necessary.
1. Disabling Extraneous Services
The most basic way to mitigate network attacks is to disable services which are not needed. Many OS vendors enable extra services by default to make their systems work "out-of-the-box". Unfortunately, these services provide attackers with a lot of useful information. Also, since the administrator doesn't use the service, important security updates are often forgotten, leaving the system vulnerable to attack. An attacker can't compromise a service that is not running!
Identify two services running on your Linux router which are not currently needed. You can use lsof to help you determine what is listening on specific TCP/UDP ports and to determine what processes are holding those sockets open. If you are not sure if a certain service is needed, try searching the web to determine what function it provides.
Once you have determined what two services aren't needed, try stopping them via their /etc/init.d scripts. Verify that you can still use your system. For example, you can still SSH to it and you can still connect out to the internet with it. If everything is still working as expected, permanently disable these services from starting up by removing their /etc/rc?.d symlinks. If you aren't sure what these symlinks are for, see this initialization reference.
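The two Linux steps above (find out what is listening and who owns it, then locate the rc?.d start links) as an added example script that is not part of the lab handout. It assumes the SysV layout the lab refers to (/etc/init.d scripts and S<nn>name links under /etc/rc?.d) and the column layout of `lsof -nP -i`; the lsof sample inside it is constructed.

```shell
#!/bin/sh
# Added example (not part of the lab handout): turn `lsof -nP -i` output into a
# short "what is listening, and which process owns it" list, and locate the
# /etc/rc?.d symlinks that start a service at boot. Assumes the SysV init
# layout (/etc/init.d scripts, S<nn>name links in /etc/rc?.d) the lab refers to.

# Constructed sample of `lsof -nP -i` output, used when no real lsof is run.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd      812 root    4u  IPv6  12346      0t0  TCP *:22 (LISTEN)
inetd     700 root    4u  IPv4  12367      0t0  TCP *:13 (LISTEN)
inetd     700 root    5u  IPv4  12368      0t0  UDP *:7
sshd      990 root    5u  IPv4  13000      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)'

# Read lsof output on stdin; print "PROTO PORT COMMAND PID" once per listener.
# Only TCP sockets in LISTEN state count; UDP has no state, so every bound UDP
# socket is reported. Established connections are skipped.
listening_summary() {
    awk 'NR > 1 {
        proto = $8; n = split($9, a, ":"); port = a[n]
        if (proto == "TCP" && $10 != "(LISTEN)") next
        key = proto " " port " " $1 " " $2
        if (!(key in seen)) { seen[key] = 1; print key }
    }' | sort -k1,1 -k2,2n
}
demo_summary() { printf '%s\n' "$SAMPLE_LSOF" | listening_summary; }

# List the S<nn><service> links that start a service at boot; the lab disables
# a service permanently by removing these. $1 = service name, $2 = root prefix
# (default "/"; a test can point it at a constructed tree).
start_links() {
    root=${2:-/}
    find "${root%/}"/etc/rc?.d -name "S[0-9][0-9]$1" 2>/dev/null | sort
}
start_link_count() { start_links "$1" "$2" | wc -l | tr -d ' '; }

case $1 in
    live)  lsof -nP -i | listening_summary ;;
    demo)  demo_summary ;;
    links) start_links "$2" ;;
esac
```

Run it as `sh audit.sh live` on the router (needs lsof installed) or `sh audit.sh links daytime` to see which runlevels would start a given init.d script.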
Search the web for information on "Simple TCP/IP Services", which is a service that can be configured to run on Windows. Learn about the specific protocols provided by this service. Now, shut down this service on your Windows server, and prevent it from starting up again. You can use the cmd prompt to verify the listening ports were closed.
Search the web for information on the Windows "Remote Registry Service". This service is rarely needed by administrators that already have remote access to the system such as RDP. Disable this service and prevent it from starting up at boot.
Search the web for information on "Hidden administrative shares". Learn about what they are, how they may be useful, and why they might pose a security risk. Find a registry setting to disable these shares and do so.
Search the web for information on "Null Sessions" and for kinds of attacks or information gathering techniques that are possible if they are enabled. Decide what level of Null Sessions should be allowed on your system and restrict them via the indicated registry setting(s).
2. Mitigating Denial of Service (DoS) Attacks
There are many forms of Denial of Service attacks. They fall mainly into two classes: resource-exhaustion attacks and bug exploitation. This lab will focus on the former type, as these are often tied to difficult-to-change protocol specifications. The types of resources typically targeted are processor, memory, and network bandwidth.
A. SYN Floods
One popular attack which attempts to exhaust the memory resources of a host is a SYN flood. Read more about how SYN floods work.
Next, read about SYN cookies and how they trade off the memory requirement of half-open connections for a bit more processing.
The Linux kernel has a built-in SYN cookies option. When enabled, Linux will use SYN cookies if the TCP/IP stack detects it is getting overwhelmed with half-open connections. Use the /proc filesystem to enable SYN cookies on your Linux router. If you are not familiar with the /proc filesystem, you should read this article on the /proc filesystem as a reference. This document refers to an outdated version of Red Hat, but it still applies to current distributions.
Unfortunately, Microsoft has yet to integrate any kind of SYN cookies protection into Windows. Their suggested mitigations involve registry settings which decrease the time half-open connections are kept around, along with some other settings. Microsoft has suggestions on how to harden the TCP/IP stack against denial-of-service attacks. Apply the changes to your Windows server that seem reasonable to you for mitigating SYN floods.
B. Smurf/Fraggle Attacks
Smurf and fraggle attacks are almost identical forms of an amplification attack. By sending a single spoofed broadcast packet to many hosts, many responses may be generated and directed at a victim. Search for references online and find out what the difference is between smurf and fraggle attacks.
Read the documentation in man icmp and find out how to keep your Linux host from being an accomplice in these kinds of attacks. Update the indicated
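The /proc changes from the SYN cookies step (2A) and the man icmp step (2B) as one added example script that is not part of the lab handout: it audits the two kernel settings, applies them the same way `echo 1 > /proc/sys/...` would, and prints the sysctl.conf lines that make the change permanent. The expected values are my assumption of a reasonable hardened state, and SYSROOT is a hypothetical variable that lets the audit run against a constructed directory instead of the live kernel.

```shell
#!/bin/sh
# Added example (not part of the lab handout): audit and apply the two /proc/sys
# settings this lab uses against SYN floods and smurf amplification, and print
# the sysctl.conf lines that make them survive a reboot. The expected values
# are my assumption of a reasonable hardened state, not values the lab prescribes.

# key|expected|reason   (keys relative to /proc/sys; SYSROOT lets a test point
# the script at a constructed tree instead of the live kernel)
HARDENING='net/ipv4/tcp_syncookies|1|use SYN cookies when the SYN backlog fills up
net/ipv4/icmp_echo_ignore_broadcasts|1|never answer echo requests sent to a broadcast address'
SYSROOT=${SYSROOT:-/proc/sys}

# Run "$1 key expected reason" once per setting.
for_each_setting() {
    while IFS='|' read -r key want why; do "$1" "$key" "$want" "$why"; done <<EOF
$HARDENING
EOF
}

# Print OK or FIX for one setting ("missing" when the kernel lacks the key).
audit_one() {
    if [ -r "$SYSROOT/$1" ]; then cur=$(cat "$SYSROOT/$1"); else cur=missing; fi
    if [ "$cur" = "$2" ]; then printf 'OK  %s = %s\n' "$1" "$cur"
    else printf 'FIX %s = %s (want %s: %s)\n' "$1" "$cur" "$2" "$3"; fi
}
audit_sysctl() { for_each_setting audit_one; }

# Number of settings that still differ from the policy (0 = host compliant).
misconfigured_count() { audit_sysctl | grep -c '^FIX' || true; }

# Same as "echo 1 > /proc/sys/...": needs root, and is forgotten on reboot.
apply_one() { printf '%s\n' "$2" > "$SYSROOT/$1"; }
apply_sysctl() { for_each_setting apply_one; }

# The equivalent sysctl.conf lines (dotted names), for permanent changes.
persist_one() { printf '%s = %s\n' "$(printf '%s' "$1" | tr / .)" "$2"; }
persist_lines() { for_each_setting persist_one; }

case $1 in
    audit) audit_sysctl ;;
    apply) apply_sysctl && audit_sysctl ;;
    persist) persist_lines ;;
esac
```

On the router, `sh dos_sysctl.sh audit` shows which knobs still need attention, `apply` (as root) sets them for the running kernel, and `persist` prints what to append to /etc/sysctl.conf.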
For this lab, your team must submit a report with the following information:
What services did you disable on your Linux machine? What are their normal uses?
Simple TCP/IP Services provides the Daytime service. How could the UDP version of this service be used in denial of service attacks against third parties? How could this service be used in conjunction with the UDP echo service to create a datagram loop?
What kinds of information could an attacker obtain anonymously from your Windows 2003 Server if NULL sessions were fully enabled?
When using SYN cookies, if the defending system doesn't store state about SYNs that were replied to previously, what's to stop an attacker from just sending an ACK outright to start a connection?
What kinds of negative impacts do SYN cookies have on TCP connections?
What SYN flood mitigation settings did you apply to your Windows server? Why did you choose these settings?
Your grade for this lab will be composed of:
100% - The answer to each question.