Hello list,

  In an attempt to provide some *useful* information about DNS server security
to the list, ;-), here is the procedure I use to lock down ISC BIND's named on
a Red Hat Linux 6.2 system.  I am reporting on RHL 6.2 because that is what I
use, but a lot of this information applies generically.

  First, obtain and install the 8.9.3 release of the Red Hat BIND RPMs.  
These are Red Hat Errata Updates.  Earlier releases have serious known
security holes!

  Edit the /etc/rc.d/init.d/named file.  Change the "daemon" command to read as
follows:

        daemon named -t /var/named -u named -c named.conf

  Save the file and exit.  The "-t /var/named" puts named(8) in a chroot jail,
and "-c named.conf" is required to locate the config file once you do that.  
The "-u named" is part of the updated Red Hat package; it causes named to run
as user named, group named, rather than root/root.

  Now, run these commands:

        cd /etc
        mv named.conf /var/named
        ln -s ../var/named/named.conf

  These commands move the config file to /var/named, where it needs to be for
a chroot'ed daemon to access it.  They also leave a symlink in the original
location, so that people and programs do not get confused.  Next do this:

        cd /var/run
        rm ndc
        ln -s ../named/ndc

That sets up a symlink to the (not yet present) named control socket, so that
ndc(8) will still work.

  Now, check the permissions on /var/named.  It and its children should
generally be user-owned by root, group-owned by named, and writable only by
root.  You can limit read (and execute for dirs) to the named group only
(640), or make them world readable (644) -- your choice.

  Edit your named.conf file, and change the directory line to read:

        directory ".";

The named directory will become the current directory once the chroot is done.

  You also need to add these lines for the ndc control socket to be created
correctly:

        controls {
                unix "ndc" perm 0600 owner 0 group 0;
        };

That tells named to create the ndc socket in the current directory
(/var/named), owned and restricted to root.

  If you are using any slave zones or custom log files, you will need to
create separate subdirectories for them, and make the permissions on those
directories 775 (rwxrwxr-x), owned by root.named, so that named can write its
files.

  Restart named, and make sure it comes up okay.

  After doing this, named will no longer write messages to the syslog daemon,
presumably because it is chroot'ed and cannot access /dev/log.  I have not
solved this issue yet, but if you are using custom named channels and log
files instead of the default syslog, you will not be affected.

  I hope this helps someone!

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839
