Network Hardening with Bastille

network hardeningBastille is an open source program that facilitates the network hardening of a system running Linux. It performs many of the tasks discussed in previous articles on this blog such as disabling services and ports. It eases the process of hardening a Linux system, giving you the choice of what to lock down and what not to, depending on your security requirements, and bundles many of the routine tasks done to secure a Linux system into a single package.

Bastille is powerful and can save administrators time from configuring each individual file and program throughout the operating system. Bastille is a set of Perl scripts that run as an interactive program, and instead of configuring files and programs individually, in Bastille the administrator answers a series of “Yes” and “No” questions through an interactive GUI. The program automatically implements the administrator’s preferences based on their answer to the questions, thus streamlining the network hardening process.

Bastille is written specifically for Red Hat Linux and Mandrake Linux, but it can easily be modified to run on most Unixoid systems. The specific Red Hat/Mandrake content has been generalized, and now the formerly hard-coded filenames are represented as variables. These variables are set automatically at runtime. Before you install Bastille on your system, you will want to ensure your Linux version is supported by Bastille. It is known to work with Red Hat, Fedora, SUSE, Debian, Ubuntu, Gentoo, and Mandriva, as well as HP-UX.

Network Hardening with Bastille: Features

More information about each of Bastille’s features is available when the program is run, but here is an overview of the main network hardening features of the program:

  • Apply restrictive permissions on administrator utilities: This allows only the root to read and execute common admin utilities such as ifconfig, linux-conf, ping, traceroute, and runlevel. It also disables the SUID root status for these programs.
  • Disable r-protocols: The r-protocols allow users to log on to remote systems using IP-based authentication. This authentication is based on the IP address, so a hacker could easily create spoofed packets that appear to be from the authorized system.
  • Disable CTRL-ALT-DELETE rebooting: This disallows rebooting the machine by this method.
  • Optimize TCP Wrappers: This choice modifies the inetd.conf and /etc/hosts.allow file so that whenever inetd gets a request, it has to contact TCP Wrappers, which will determine if the requesting IP address is allowed to run the service.
  • Limit system resource usage: If you limit system resource usage, you improve network hardening can reduce the chances of a denial-of-service (DoS) attack. If you limit system resource usage, the following changes will occur:
    • Individual file size is limited to 40 MB.
    • Each individual user is limited to 150 processes.
    • The allowable core files number is configured to zero. Core files are used for system troubleshooting, and can be exploited by hackers if the gain control of them.
  • Restrict console access: Bastille can specify which user accounts are allowed to log on via the console.
  • Additional and remote logging: Enables the admin to add two additional logs to /var/log: /var/log/kernel (for kernel messages) and /var/log/syslog (for error and warning severity messages)
  • Process accounting setup: Allows you to log the commands of all users.
  • Deactivate NFS and Samba: NFS (Network File System) and Samba are services for accessing files from Linux systems on remote systems. Unless the firewall is configured to block the packets or the admin secures these services, Bastille recommends deactivating these services.
  • Harden Apache web server: httpd should be disabled if the service is not required. If Apache is being run, there are also ways of enabling Apache in a manner that ensures maximal network hardening.

Implementing this policy goes a long way towards achieving network hardening. In the next article, we will take a look at the process of implementing Bastille.

External Links:

The official Bastille web site

How to Harden Your Linux Server’s Security with Bastille on

Hardening your systems with Bastille Linux at

ntop: An Introduction

ntopntop is a network probe that shows network usage. It displays a list of hosts that are currently using the network and reports information concerning the IP and non-IP traffic generated by each host. It is a simple, open source (GPL), portable traffic measurement and monitoring tool, which supports various management activities, including network optimization and planning, and detection of network security violations. In interactive mode, it displays the network status on the user’s terminal; in web mode, it acts as a web server, creating an HTML dump of the network status. ntop was developed by Luca Deri, a research scientist and network manager at the University of Pisa. It started development in 1997, and the first public release was in 1998 (v. 0.4). Version 2.0 was released in 2002 and added support for commercial protocols such as NetFlow v5 and sFlow v2, and version 3.0 was released in 2004 and added RRD support, as well as IPv6 and SCSI/FiberChannel support. Binaries for ntop are currently available for Ubuntu and Red Hat/CentOS.

Advantages of ntop

There are several advantages to using ntop. It is portable and platform neutral; you can deploy it wherever you want with the same look and feel. There are minimal requirements needed to leverage its use. Finally, it is suitable for monitoring both a LAN (by default) and a WAN (if ntop is configured properly).

We can classify the network activity measured by ntop into two categories: traffic measurement and traffic characterization and monitoring. Traffic measurement covers data sent and received, including volume and packets, classified according to network and IP protocol, as well as multicast traffic, TCP session history, bandwidth measurement and analysis, VLAN and AS traffic statistics, and VoIP monitoring. Traffic characterization and monitoring involves observing network flows as well as protocol utilization, ARP and ICMP monitoring, and detection of popular P2P protocols. Monitoring such traffic can be an aid in network optimization and planning which encompasses identification of routers and Internet servers, traffic distribution, service mapping, and mapping network traffic.

In the next article, I will cover integration of ntop into your network.

External Links:

The official ntop site

© 2013 David Zientara. All rights reserved. Privacy Policy