LinuxQuestions.org
*BSD This forum is for the discussion of all BSD variants.
FreeBSD, OpenBSD, NetBSD, etc.

Old 02-04-2008, 04:58 AM   #1
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Rep: Reputation: 30
how would i secure freebsd


All of the guides I used to use are extremely outdated. The server will be running ftp and web, ssh also but this will be blocked at the router. Can anyone offer me a few sites I could look at?

Thanks
 
Old 02-04-2008, 05:00 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
You need to start with an overview just for BSD.
http://www.onlamp.com/pub/a/bsd/2000/08/08/OpenBSD.html
 
Old 02-04-2008, 01:18 PM   #3
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Original Poster
Rep: Reputation: 30
reading now - thanks
 
Old 02-04-2008, 01:40 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by Carpo
the server will be running ftp and web, ssh also but this will be blocked at the router
For a detailed overview, start with the security(7) manpages.

ftp daemon:
Are you running ftpd included in the base system? Is it for anonymous logins only? Should those users be able to both read/write or just one of those?

web daemon:
Is this apache22? Is it serving static content? Does it need to be open to the world?

ssh daemon:
If it's restricted to internal networks, do you have an internal (private IP space) NIC you can bind it to exclusively? Can you enable only pubkey authentication?

As a more general comment, I'd personally run all three services in separate FBSD jails. Bottom line is you can harden the hell out of that box given the will (and dedication).

Finally, if you have access to a good library or are willing to shell out cash, I recommend O'Reilly's "Mastering FreeBSD and OpenBSD Security". Very informative.
 
Old 02-13-2008, 12:12 PM   #5
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Linux Mint, FreeBSD, Android
Posts: 358

Rep: Reputation: 32
If you are running FreeBSD behind a router, then you should be fairly safe. Open only the external ports you need and keep it up to date.
 
Old 02-14-2008, 03:55 PM   #6
javpra
Member
 
Registered: Nov 2003
Distribution: FreeBSD/Gentoo/Debian
Posts: 52

Rep: Reputation: 19
If this is a server or you want to further lock down your box there are some other things you can modify as well. Sysctl has several useful options which can be set in /etc/sysctl.conf. Adding "hw.syscons.kbd_reboot=0" prevents the use of ctrl-alt-delete, "hw.syscons.kbd_debug=0" prevents the use of the debug key. Network visibility can be minimized by changing "net.inet.tcp.blackhole=0" to "net.inet.tcp.blackhole=2" and changing "net.inet.udp.blackhole=0" to "net.inet.udp.blackhole=1". A reboot is needed for the previous changes to take effect. These can also be done on the fly by using `sysctl` directly. The `sysctl` man page may be useful.

Changing the "console" entry in /etc/ttys from "secure" to "insecure" will prompt for a password when entering single user mode. There is a "toor" user account created by default which is no longer used. That account can be deleted using the `vipw` command.

Most of this is in a book by O'Reilly called "Mastering FreeBSD and OpenBSD Security". That may also be a good read for you. Hope this helps.
 
Old 02-19-2008, 09:18 AM   #7
da1
Member
 
Registered: May 2007
Distribution: FreeBSD
Posts: 113

Rep: Reputation: 16
You could do some of the following:

1. Enable VPN, and give keys to everyone to connect. You have only 1 port opened.... s.o.s.f. Google for benefits of using VPN.

2. Read Dru Lavigne's BSD Hacks book. Although it is outdated, it has some pretty interesting things like using blowfish encryption and some other useful stuff. (If you don't have the book, PM me with your e-mail address or something, and I'll send it to you.)

3. You say your BSD box is behind a router; google for manuals for the router, read it and use what you've read.

4. ssh: you can allow only some usernames through ssh that are allowed to connect using that protocol. Speaking of which, you can set ssh to wait for a password input for say max. 3 seconds, thus if the user doesn't input the pass in 3 sec and hits enter to validate, the ssh daemon automagically disables the connection it made with the user.

5. http: use https

6. ftp: use something with virtual users and something with a database of its own (say pure-ftpd with puredb) <- personal idea here, try multiple ftp daemons.

7. http://www.bsdguides.org/

8. Good luck, use coffee, cigarettes and no sleep :P

PS: try pf, ipfw and ipf (I personally use pf) <- firewalls

Last edited by da1; 02-19-2008 at 09:19 AM.
 
Old 02-19-2008, 11:42 AM   #8
Dr_Death_UAE
Member
 
Registered: Jul 2005
Location: U.A.E
Distribution: FreeBSD,Fedora,Solaris,AIX
Posts: 168

Rep: Reputation: 30
Hello, start with upgrading the system port tree.

"portsnap fetch extract" if it is your first time running this command; if not, run "portsnap fetch update"
then "portupgrade -a" to upgrade all the ports.

Then secure /tmp by adding these lines to the /etc/fstab file:

+++fstab+++
/tmp noexec,nosuid,nosymfollow
/var/tmp noexec,nosuid,nosymfollow
#possibly symlink /tmp to /var/tmp or vice versa (depending on how i config it)
/home nosuid
or
/usr/home nosuid
/var nosuid
/var/mail nosuid

You can't put nosuid everywhere, but it does not hurt to add it into filesystems which have no setuid binaries at all.
/tmp,/var,/home

+++rc.conf+++
sendmail_enable="NONE"
kern_securelevel_enable="YES"
kern_securelevel="1" #this will mess up the chflags on the first part of the programs
portmap_enable="NO" #portmap will kill nfs if disabled
inetd_enable="NO" #kill inetd i never use it
clear_tmp_enable="YES" #clear tmp on startup
update_motd="NO" #don't update motd to show version of fbsd in startup
accounting_enable="YES"
(don't forget to touch /var/account/acct && accton /var/account/acct && chmod 440 /var/account/acct)
log_in_vain="YES" #sometimes

edit /etc/sysctl.conf
+++sysctl.conf+++
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.coredump=0

edit /etc/auth.conf
+++auth.conf+++
crypt_default = blf

edit /etc/login.conf
+++login.conf+++
passwd_format=blf
default umask=027 #has anyone ever got this working? never seems to work for me

chmod some programs permission
+++programs+++
chflags noschg /bin/rcp
chflags noschg /usr/bin/rsh
chflags noschg /usr/bin/rlogin
chmod ugo= rcp
chmod ugo= /usrrsh
chmod ugo= /usrrlogin

chmod o= /sbin/mksnap_ffs
chmod o= /sbin/shutdown
chmod o= /usratq
chmod o= /usratrm
chmod o= /usrbatch
chmod o= /usrchfn
chmod o= /usrlock
chmod o= /usrlogin
chmod o= /usropieinfo
chmod o= /usropiepasswd
chmod o= /usryppasswd
chmod o= /usrquota
chmod o= /usrlpq
chmod o= /usrlpr
chmod o= /usrlprm
chmod o= /usr/libexec/pt_chown
chmod o= /usr/sbin/mrinfo
chmod o= /usr/sbin/mtrace
chmod o= /usr/sbin/sliplogin
chmod o= /usr/sbin/timedc
chmod o= /usr/sbin/ppp
chmod o= /usr/sbin/pppd
chmod o= /usrwall
chmod o= /usrwrite
chmod o= /usrnetstat
chmod o= /usrfstat
chmod o= /usrvmstat
chmod o= /usrlpq
chmod o= /usrlpr
chmod o= /usrlprm
chmod o= /usr/libexec/sendmail/sendmail
chmod o= /usr/sbin/trpt
chmod o= /usr/sbin/lpc
chmod o= /sbin/sysctl
chmod o= /usruname
chmod o= /sbin/kldstat
chmod o= /sbin/route
chmod o= /usr/sbin/arp
chmod o= /sbin/dmesg
chmod o= /var/run/dmesg.boot
chmod o= /etc/hosts
chmod o= /etc/fstab
chmod o= /etc/ssh/sshd_config
chmod o= /etc/crontab
chmod o= /etc/ftpusers
chmod o= /etc/hosts.allow
chmod o= /etc/host.conf
chmod o= /etc/hosts.equiv
chmod o= /etc/hosts.lpd
chmod o= /etc/inetd.conf
chmod o= /etc/login.access
chmod o= /etc/login.conf
chmod o= /etc/sysctl.conf
chmod o= /etc/syslog.conf
chmod o= /etc/ttys
chmod o= /etc/rc.conf
chmod o= /etc/mac.conf
chmod o= /etc/group
#removing world on group is going to make all the groups appear as numbers*shrug*
chmod o= /etc/passwd
chmod o= /etc/newsyslog.conf
chmod o= /etc/periodic/
chmod o= /var/db/pkg/
chmod o= /usr/sbin/pkg_version
chmod o= /usr/sbin/pkg_info
chmod o= /usrlast
chmod o= /usr/sbin/lastlogin
chmod o= /sbin/ipfw
chmod o= /sbin/mount
chmod o= /usrusers
chmod o= /usrw
chmod o= /usrwho
chmod o= /usrlastcomm
chmod o= /usr/sbin/jls
chmod 751 /home/
chmod o= /var/log/

======================
harden ssh by editing /etc/ssh/sshd_config
use ssh2, change ssh default port and disable root login.
=====================

Those are some quick steps that you can do. You can find a good document on hardening FreeBSD at http://www.cisecurity.org/bench_freebsd.html

Regards,
Dr.Death
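
An added example, not part of any post in this thread: a shell function that checks a sysctl.conf against the values suggested in posts #6 and #8, with the last assignment of a key taken as the effective one. The function name and the WANT list are assumptions built from those two posts.

```sh
#!/bin/sh
# Added example (not from the thread): audit a sysctl.conf against the
# settings recommended in posts #6 and #8.

# One "key=value" per line, collected from the two posts.
WANT='hw.syscons.kbd_reboot=0
hw.syscons.kbd_debug=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
kern.coredump=0'

# audit_sysctl_conf FILE
# Prints "unset KEY want=V" or "differs KEY have=X want=V" for every
# recommended key the file does not set to the recommended value.
# Prints nothing when the file matches the whole list.
audit_sysctl_conf() {
    printf '%s\n' "$WANT" | awk -F= -v conf="$1" '
        BEGIN {
            # Load the file under audit; a later line overrides an earlier one.
            while ((getline line < conf) > 0) {
                sub(/#.*/, "", line)                 # drop comments
                gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim the ends
                n = index(line, "=")
                if (n > 1)
                    have[substr(line, 1, n - 1)] = substr(line, n + 1)
            }
        }
        {
            if (!($1 in have))
                print "unset " $1 " want=" $2
            else if (have[$1] != $2)
                print "differs " $1 " have=" have[$1] " want=" $2
        }'
}

# Audit the file given as the first argument, or /etc/sysctl.conf.
audit_sysctl_conf "${1:-/etc/sysctl.conf}"
```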
 
Old 02-19-2008, 12:01 PM   #9
0.o
Member
 
Registered: May 2004
Location: Raleigh, NC
Distribution: Debian, Solaris, HP-UX, AIX
Posts: 208

Rep: Reputation: 35
http://www.bsdguides.org/guides/free...ity/harden.php

That site has lots of guides that are specifically written for *BSD. The one that I have linked you to is pretty good about explaining and showing how to tighten FBSD security.
 
Old 02-20-2008, 09:20 AM   #10
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Original Poster
Rep: Reputation: 30
Thanks for all the info, I will read and digest it later. 0.o - I have seen that site before and I know someone who has written a few guides for it, and he informs me that the hardening guide on there is outdated and should not be used in its entirety.
 
Old 03-03-2008, 05:34 AM   #11
Carpo
Member
 
Registered: Aug 2003
Location: Somewhere
Distribution: Gentoo (for now)
Posts: 364

Original Poster
Rep: Reputation: 30
are all those chmods supposed to be like that or are some missing / ?
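
An added example, not part of the thread: a dry-run check for a chmod list like the one in post #8, which flags targets that are not absolute paths, do not exist, or are listed twice, before anything is changed. The function name and the root-prefix argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): validate the targets of a list of
# "chmod MODE PATH" lines without changing any permissions.

# check_chmod_targets ROOT < list
# ROOT is a prefix the paths are resolved under: "" for the live system,
# or a scratch directory when testing. Lines that are not chmod commands
# (blank lines, "#..." remarks, chflags lines) are skipped.
# Output, one finding per line:
#   relative PATH   target is not an absolute path
#   missing PATH    target does not exist under ROOT
#   duplicate PATH  target already appeared earlier in the list
check_chmod_targets() {
    root=$1
    seen=' '
    while read -r cmd mode path rest; do
        [ "$cmd" = chmod ] || continue
        [ -n "$path" ] || continue
        # Paths cannot contain spaces here (read split them off),
        # so a space-delimited string works as the "seen" set.
        case $seen in
            *" $path "*) echo "duplicate $path"; continue ;;
        esac
        seen="$seen$path "
        case $path in
            /*) [ -e "$root$path" ] || echo "missing $path" ;;
            *)  echo "relative $path" ;;
        esac
    done
}

# Lines copied from the list in post #8, checked against the live system.
check_chmod_targets "" <<'EOF'
chflags noschg /usr/bin/rsh
chmod ugo= rcp
chmod ugo= /usrrsh
chmod o= /sbin/shutdown
chmod o= /usrlpq
#removing world on group is going to make all the groups appear as numbers*shrug*
chmod o= /usrlpq
EOF
```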