Differences between BSD License and MIT License

BSD License
* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

* Neither the name of the nor the names of its contributors may be used to endorse or promote productsderived from this software without specific prior written permission.

MIT License

Permission is hereby granted, free of charge, to any personobtaining a copy of this software and associated documentationfiles (the "Software"), to deal in the Software withoutrestriction, including without limitation the rights to use,copy, modify, merge, publish, distribute, sublicense, and/or sellcopies of the Software, and to permit persons to whom theSoftware is furnished to do so, subject to the followingconditions.

The above copyright notice and this permission notice shall beincluded in all copies or substantial portions of the Software.

Firewall Checklist

Introduction
This checklist should be used to audit a firewall. This checklist does not provide vendor specific security considerations but rather attempts to provide a generic listing of security considerations to be used when auditing a firewall.

Only technical aspects of security are addressed in this checklist. Manual elements like physical protection for the firewall server is not considered.

Prior to using this checklist the following elements should be considered:
· Operating system: This checklist only defines the security items relating the firewall software and not to any security elements of the operating system.
· Port restrictions: A listing of ports to be restricted are highlighted in this checklist. However, prior to recommending that the ports be restricted, the auditor should ensure that the service associated with that port is not used by the business e.g. remote access via telnet. Where such situations exist this checklist attempts to provide alternate security options if the service is needed e.g. use SSH instead of Telnet.
· Modems within the internal network: Modems within the internal network are the biggest threat to subvert a firewall and thus the auditor should ensure that there are no modems within the internal network. It is senseless performing an audit on the firewall when an even bigger threat exists via the modem. The auditor should perform war dialling to identify any modems within the internal network with tools like phonesweeper.
· Application level firewalls: The inherent nature of application level firewalls require that the operating system be as secure as possible due to the close binding of these two components. Thus, the auditor should ensure that the security on the operating system is secure before evaluating the security offered by the application level firewall.
· Defence in depth: It must be recognised that the firewall implementation is a not an end to itself to provide security. Thus, it is vital that the auditor evaluate the security of the other components like IDS, operating systems, web applications, IIS/Apache, routers and databases. Some organisations have opted for firewall network appliances, which are firewalls loaded onto operating systems which have their security already preconfigured. In such instances, the auditor need only review the security of the firewall configuration instead of the operating system as well.
· Rulesets: This checklist provides a listing of best practice rulesets to be applied. However, the organisational requirements may not need all of the rulesets. For e.g. where an organisation has a need to allow access via the internet to critical servers, the rulesets wound not include a deny rule to that internal IP address for the critical server. Instead it may provide for allow access to HTTP 80 to the critical IP and deny all other traffic to the critical IP. It must be noted that some elements of the recommended rulesets have to be applied irrespective of business requirements e.g. blocking private addresses (RFC1918), illegal addresses, standard unroutables, reserved addresses, etc.
· Laptop users: Most organisations use mobile laptops for telecommuting and on the road sales, etc. This provides a further vulnerability even if the organisation operates a VPN. The hacker could easily gain access to the laptop when it is connected to the internet and download tools to the laptop that can become a problem when the laptop is again connected to the corporate network. In a VPN situation, the hacker with access to the remote station once the tunnel is connected, can access the corporate network. In such a circumstance, it is important for the auditor to determine if laptop usage occurs and to evaluate whether personal firewalls are installed on these laptops prior to usage. This checklist provides a generic set of considerations for personal firewalls, but it does not provide any product specific security recommendations.

Checklist

No.
Security Elements
1. Review the rulesets to ensure that they follow the order as follows:
· anti-spoofing filters (blocked private addresses, internal addresses appearing from the outside)
· User permit rules (e.g. allow HTTP to public webserver)
· Management permit rules (e.g. SNMP traps to network management server)
· Noise drops (e.g. discard OSPF and HSRP chatter)
· Deny and Alert (alert systems administrator about traffic that is suspicious)
· Deny and log (log remaining traffic for analysis)

Firewalls operate on a first match basis, thus the above structure is important to ensure that suspicious traffic is kept out instead of inadvertently allowing them in by not following the proper order.

2. Application based firewall
Ensure that the administrators monitor any attempts to violate the security policy using the audit logs generated by the application level firewall. Alternatively some application level firewalls provide the functionality to log to intrusion detection systems. In such a circumstance ensure that the correct host, which is hosting the IDS, is defined in the application level firewall.
Ensure that there is a process to update the application level firewall’s vulnerabilities checked to the most current vulnerabilities.

Ensure that there is a process to update the software with the latest attack signatures.
In the event of the signatures being downloaded from the vendors’ site, ensure that it is a trusted site.

In the event of the signature being e-mailed to the systems administrator, ensure that digital signatures are used to verify the vendor and that the information transmitted has not been modified en-route.

The following commands should be blocked for SMTP at the application level firewall:
· EXPN (expand)
· VRFY (verify)
· DEBUG
· WIZARD

The following command should be blocked for FTP:
· PUT

Review the denied URL’s and ensure that they are appropriate for e.g. any URL’s to hacker sites should be blocked. In some instances organisations may want to block access to x-rated sites or other harmful sites. As such they would subscribe to sites, which maintain listings of such harmful sites. Ensure that the URL’s to deny are updated as released by the sites that warn of harmful sites.
Ensure that only authorised users are authenticated by the application level firewall.

3. Stateful inspection
Review the state tables to ensure that appropriate rules are set up in terms of source and destination IP’s, source and destination ports and timeouts.
Ensure that the timeouts are appropriate so as not to give the hacker too much time to launch a successful attack.

For URL’s
· If a URL filtering server is used, ensure that it is appropriately defined in the firewall software. If the filtering server is external to the organisation ensure that it is a trusted source.
· If the URL is from a file, ensure that there is adequate protection for this file to ensure no unauthorised modifications.

Ensure that specific traffic containing scripts; ActiveX and java are striped prior to being allowed into the internal network.

If filtering on MAC addresses is allowed, review the filters to ensure that it is restricted to the appropriate MAC’s as defined in the security policy.

4.
Logging
Ensure that logging is enabled and that the logs are reviewed to identify any potential patterns that could indicate an attack.

5. Patches and updates

Ensure that the latest patches and updates relating to your firewall product is tested and installed.

If patches and updates are automatically downloaded from the vendors’ websites, ensure that the update is received from a trusted site.

In the event that patches and updates are e-mailed to the systems administrator ensure that digital signatures are used to verify the vendor and ensure that the information has not been modified en-route.

6. Location – DMZ

Ensure that there are two firewalls – one to connect the web server to the internet and the other to connect the web server to the internal network.

In the event of two firewalls ensure that it is of different types and that dual NIC’s are used.

This would increase security since a hacker would need to have knowledge of the strengths, weaknesses and bugs of both firewalls.

The rulesets for both firewalls would vary based on their location e.g. between web server and the internet and between web server and the internal network.

7. Vulnerability assessments/ Testing

Ascertain if there is a procedure to test for open ports using nmap and whether unnecessary ports are closed.

Ensure that there is a procedure to test the rulesets when established or changed so as not to create a denial of service on the organisation or allow any weaknesses to continue undetected.

8. Compliance with security policy

Ensure that the ruleset complies with the organisation security policy.

9. Ensure that the following spoofed, private (RFC 1918) and illegal addresses are blocked:
Standard unroutables
· 255.255.255.255
· 127.0.0.0
Private (RFC 1918) addresses
· 10.0.0.0 – 10.255.255.255
· 172.16.0.0 – 172.31.255.255
· 192.168.0.0 - 192.168.255.255
Reserved addresses
· 240.0.0.0
Illegal addresses
· 0.0.0.0

UDP echo
ICMP broadcast (RFC 2644)

Ensure that traffic from the above addresses is not transmitted by the interface.

10. Ensure that loose source routing and strict source routing (lsrsr & ssrr) are blocked and logged by the firewall.

11. Port restrictions
The following ports should blocked:
53
69
87
111
512 – 514
515
540
2000
2049
6000 – 6255
20
21
22
23
25
37
79
HTTP (except to external web servers)
109 &110
119
123
135
137 & 138
139
143
161 &162
161 &162
179
389
443
445
514
1080
2001
4001
4045
6001
8000, 8080, 8888

12. Remote access
If remote access is to be used, ensure that the SSH protocol (port 22) is used instead of Telnet.

13. File Transfers
If FTP is a requirement, ensure that the server, which supports FTP, is placed in a different subnet than the internal protected network.

14. Mail Traffic
Ascertain which protocol is used for mail and ensure that there is a rule to block incoming mail traffic except to internal mail.

15. ICMP (ICMP 8, 11, 3)
Ensure that there is a rule blocking ICMP echo requests and replies.
Ensure that there is a rule blocking outgoing time exceeded and unreachable messages.

16. IP Readdressing/IP Masquerading
Ensure that the firewall rules have the readdressing option enabled such that internal IP addresses are not displayed to the external untrusted networks.

17. Zone Transfers
If the firewall is stateful, ensure packet filtering for UDP/TCP 53. IP packets for UDP 53 from the Internet are limited to authorised replies from the internal network. If the packet were not replying to a request from the internal DNS server, the firewall would deny it. The firewall is also denying IP packets for TCP 53 on the internal DNS server, besides those from authorised external secondary DNS servers, to prevent unauthorised zone transfers.

18. Egress Filtering
Ensure that there is a rule specifying that only traffic originating from IP’s within the internal network be allowed. Traffic with IP’s other than from the Internal network are to be dropped.
Ensure that any traffic originating from IP’s other than from the internal network are logged.

19. Critical servers
Ensure that there is a deny rule for traffic destined to critical internal addresses from external sources. This rule is based on the organisational requirements, since some organisations may allow traffic via a web application to be routed via a DMZ.

20. Personal firewalls
Ensure that laptop users are given appropriate training regarding the threats, types of elements blocked by the firewall and guidelines for operation of the personal firewall. This element is essential, since often times personal firewalls rely on user prompt to respond to attacks e.g. whether to accept/deny a request from a specific address.
Review the security settings of the personal firewall to ensure that it restricts access to specific ports, protects against known attacks, and that there is adequate logging and user alerts in the event of an intrusion.
Ensure that there is a procedure to update the software for any new attacks that become known.
Alternatively most tools provide the option of transferring automatic updates via the internet. In such instances ensure that updates are received from trusted sites.

21. Distributed firewalls
Ensure that the security policy is consistently distributed to all hosts especially when there are changes to the policy.

Ensure that there are adequate controls to ensure the integrity of the policy during transfer, e.g. IPSec to encrypt the policy when in transfer.

Ensure that there are adequate controls to authenticate the appropriate host. Again IPSec can be used for authentication with cryptographic certificates.

22. Stealth Firewalls
Ensure that default users and passwords are reset.

Ensure that the firewall is appropriately configured to know which hosts are on which interface.
Review the firewall access control lists to ensure that the appropriate traffic is routed to the appropriate segments.

A stealth firewall does not have a presence on the network it is protecting and it makes it more difficult for the hacker to determine which firewall product is being used and their versions and to ascertain the topology of the network.

23. Ensure that ACK bit monitoring is established to ensure that a remote system cannot initiate a TCP connection, but can only respond to packets sent to it.

24. Continued availability of Firewalls
Ensure that there is a hot standby for the primary firewall.

Current SMTP Protocol limitation

1. Email can be forged.
2. Easy to use social engineering to gain knowledge.
3. Cant verify sender
4. Can not trust E-Mail Message

Monolithic MTA vs Modular MTA

Sendmail and smail are monolithic MTA. In other words, they have one large, complex program that “switches hats”: it puts on one hat to be an SMTP server, another to be an SMTP client, another to inject messages locally, and another to manage the queue.
Qmail and Postfix are modular MTA. Each of these functions is performed by a separate program. As a result, the programs are much smaller, simpler, and less likely to contain functional or security bugs. To further enhance security, postfix and qmail’s modular’s run with different privileges, and they don’t “trust” each other: they don’t assume the other modular always do only what they’re supposed to do.

Modular MTA is difference from Monolithic MTA, the interactions between other modules are well-defined, and modules only exchange the minimum necessary information with each other.
This is generally A Good Thing , but sometimes it makes it hard to do things. For example , the sendmail “-v” flag causes Sendmail to print a trace of its actions to standard output for debugging purposes. Since the one Sendmail binary handles injection, queueing, alias processing, .forward file processing, and remote forwarding via SMTP, it is able to easily trace the entire delivery until the message delivered. The equivalent capability in qmail doesn’t exsit, and would require substantial code changes and additional complexity to implement the passing of the “debug” flag from module to module.

What is Windows Registry

Windows Keep a central database of information crucial to its operations called the Registry. The Registry is that it stores user personal information. Examples include the information you enter when you register Windows and Office products like Word and Excel, lists of web sites you have visited, login profiles required for using various applications, and much more.

Below just introduce a few useful Registry facts:--

• The Registry is a large , complicated database.
• The Registry consists of thousands of individual entries. Each entry consists of 2 parts, a key and a value. Each value is the setting for its associated key.
• The Registry organizes the entries into hierarchies.
• Making a mistake while editing the Registry could damage Windows, so please onlu edit it if you feel well qualified to do so. Always make a backcup before editing the Registry.

Restartable Active Directory Domain Services (ADDS)

One of the key new features for Windows 2008 server is Administrator can stop and restart Active Directory Domain Services (ADDS) by using Microsoft Management Console (MMC) snap-ins or the command line.

Restartable ADDS reduces the time that is required to perform certain operations such as applying updates to the server.

Administrators can also stop ADDS to perform tasks such as offline defragmentation of the Active Directory database, without restart the domain controller. Other services that are running on the server and that do not depend on the ADDS to function, such as Dynamic Host Configuration Protocol (DHCP), remain available to satisfy client requests while ADDS is stopped.

20 ways to Secure your Apache Configuration

Here are 20 things you can do to make your apache configuration more secure.

Disclaimer: The thing about security is that there are no guarantees or absolutes. These suggestions should make your server a bit tighter, but don’t think your server is necessarily secure after following these suggestions.

Additionally some of these suggestions may decrease performance, or cause problems due to your environment. It is up to you to determine if any of the changes I suggest are not compatible with your requirements. In other words proceed at your own risk.

Step 1: First, make sure you’ve installed latest security patches

There is no sense in putting locks on the windows, if your door is wide open. As such, if you’re not patched up there isn’t really much point in continuing any longer on this list.

Step 2: Hide the Apache Version number, and other sensitive information.

By default many Apache installations tell the world what version of Apache you’re running, what operating system/version you’re running, and even what Apache Modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.

There are two directives that you need to add, or edit in your httpd.conf file:

ServerSignature Off

ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive is used to determine what Apache will put in the Server HTTP response header. By setting it to Prod it sets the HTTP response header as follows:

Server: Apache

If you’re super paranoid you could change this to something other than “Apache” by editing the source code, or by using mod_security (see below).

Step 3: Make sure apache is running under its own user account and group

Several apache installations have it run as the user nobody. So suppose both Apache and your mail server were running as nobody an attack through Apache may allow the mail server to also be compromised, and vise versa.

User apache

Group apache

Step 4: Ensure that files outside the web root are not served

We don’t want apache to be able to access any files out side of its web root. So assuming all your web sites are placed under one directory (we will call this /web), you would set it up as follows:

Order Deny,Allow

Deny from all

Options None

AllowOverride None

Order Allow,Deny

Allow from all

Note that because we set Options None and AllowOverride None this will turn off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.

Step 5: Turn off directory browsing

You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes

Options -Indexes

Step 6: Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Options -Includes

Step 7: Turn off CGI execution

If you’re not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI

Options -ExecCGI

Step 8: Don’t allow apache to follow symbolic links

This can be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks

Options -FollowSymLinks

Step 9: Turning off multiple Options

If you want to turn off all Options simply use:

Options None

If you only want to turn off some separate each option with a space in your Options directive:

Options -ExecCGI -FollowSymLinks -Indexes

Step 10: Turn off support for .htaccess files

This is done in a Directory tag but with the AllowOverride directive. Set it to None.

AllowOverride None

If you require Overrides ensure that they cannot be downloaded, and/or change the name to something other than .htaccess. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:

AccessFileName .httpdoverride

Order allow,deny

Deny from all

Satisfy All

Step 11: Run mod_security

mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O’Reilly press.

You can do the following with mod_security:

• Simple filtering
• Regular Expression based filtering
• URL Encoding Validation
• Unicode Encoding Validation
• Auditing
• Null byte attack prevention
• Upload memory limits
• Server identity masking
• Built in Chroot support
• And more

Step 12: Disable any unnecessary modules

Apache typically comes with several modules installed. Go through the apache module documentation and learn what each module you have enabled actually does. Many times you will find that you don’t need to have the said module enabled.

Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line. To search for modules run:

grep LoadModule httpd.conf

Here are some modules that are typically enabled but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

Step 13: Make sure only root has read access to apache’s config and binaries

This can be done assuming your apache installation is located at /usr/local/apache as follows:

chown -R root:root /usr/local/apache

chmod -R o-rwx /usr/local/apache

Step 14: Lower the Timeout value

By default the Timeout directive is set to 300 seconds. You can decrease help mitigate the potential effects of a denial of service attack.

Timeout 45

Step 15: Limiting large requests

Apache has several directives that allow you to limit the size of a request; this can also be useful for mitigating the effects of a denial of service attack.

A good place to start is the LimitRequestBody directive. This directive is set to unlimited by default. If you are allowing file uploads of no larger than 1MB, you could set this setting to something like:

LimitRequestBody 1048576

If you’re not allowing file uploads you can set it even smaller.

Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine. These directives are set to a reasonable defaults for most servers, but you may want to tweak them to best fit your needs. See the documentation for more info.

Step 16: Limiting the size of an XML Body

If you’re running mod_dav (typically used with subversion) then you may want to limit the max size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default value is 1 million bytes (approx 1mb). Many tutorials will have you set this value to 0 which means files of any size may be uploaded, which may be necessary if you’re using WebDAV to upload large files, but if you’re simply using it for source control, you can probably get away with setting an upper bound, such as 10mb:

LimitXMLRequestBody 10485760

Step 17: Limiting Concurrency

Apache has several configuration settings that can be used to adjust handling of concurrent requests. The MaxClients is the maximum number of child processes that will be created to serve requests. This may be set too high if your server doesn’t have enough memory to handle a large number of concurrent requests.

Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache2 ThreadsPerChild, ServerLimit, and MaxSpareThreads are important to adjust to match your operating system, and hardware.

Step 18: Restricting Access by IP

If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 176.16 network:

Order Deny,Allow

Deny from all

Allow from 176.16.0.0/16

Or by IP:

Order Deny,Allow

Deny from all

Allow from 127.0.0.1

Step 19: Adjusting KeepAlive settings

According to the Apache documentation using HTTP Keep Alive’s can improve client performance by as much as 50%, so be careful before changing these settings, you will be trading performance for a slight denial of service mitigation.

KeepAlive’s are turned on by default and you should leave them on, but you may consider changing the MaxKeepAliveRequests which defaults to 100, and the KeepAliveTimeout which defaults to 15. Analyze your log files to determine the appropriate values.

Step 20: Run Apache in a Chroot environment

chroot allows you to run a program in its own isolated jail. This prevents a break in on one service from being able to effect anything else on the server.

It can be fairly tricky to set this up using chroot due to library dependencies. I mentioned above that the mod_security module has built in chroot support. It makes the process as simple as adding a mod_security directive to your configuration:

SecChrootDir /chroot/apache

Open Source Operating System Comparison