DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 5th May 2008
cajunman4life cajunman4life is offline
Real Name: Aaron Graves
Package Pilot
 
Join Date: May 2008
Location: Coolidge, Arizona
Posts: 203
Thanked 16 Times in 14 Posts
Default Hardening FreeBSD

I'd like to start a lively discussion on the methods and procedures everyone uses to "harden" their FreeBSD systems.

Anyone?
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
Reply With Quote
  #2   (View Single Post)  
Old 5th May 2008
edhunter's Avatar
edhunter edhunter is offline
Real Name: Georgi Iovchev
Port Guard
 
Join Date: May 2008
Location: Sofia, Bulgaria
Posts: 41
Thanked 0 Times in 0 Posts
Default

On pure os level, actually I do almost nothing on hardening my freebsd machines
I just keep number of users to minimum, also number of servers (daemons) to minimum too. On some machines I change the ssh port because of bots trying to login with different user/passwords on 22 port.
I have rerouted all machines email logs to one account and I quick check this email daily.

I dont say this is right, this is how it works for me.
Yes one my machine once were hacked and our web were deleted, but this has nothing to do with freebsd itself. It was poor php script on our web.
Reply With Quote
  #3   (View Single Post)  
Old 5th May 2008
corey_james corey_james is offline
Uber Geek
 
Join Date: Apr 2008
Location: Brisbane, Australia
Posts: 238
Thanked 4 Times in 10 Posts
Default

argh @ php ... let's not start a discussion on that haha

I don't really do much to freebsd ... if you really want to go into hardening a freebsd have a look at the OS security levels and perhaps changing the default md5 hashing in master.passwd to blowfish encryption.

Definitely reduce the amount of daemons that run on the machine and if you really want, change the default SSH port ( as edhunter suggets )
Reply With Quote
  #4   (View Single Post)  
Old 5th May 2008
horizon's Avatar
horizon horizon is offline
Port Guard
 
Join Date: May 2008
Posts: 16
Thanked 1 Time in 1 Post
Default

I tend to chmod 4750 any setuid root binaries so that only people in wheel can execute them. Could help prevent a local privilege escalation if someone manages to obtain uid nobody via Apache or some other service, or you just have untrusted users on your system.

I also chmod 700 all home directories to prevent users snooping through each others files -- the amount of times I've come across 'passwords.txt'-like files is alarming!
Reply With Quote
  #5   (View Single Post)  
Old 5th May 2008
corey_james corey_james is offline
Uber Geek
 
Join Date: Apr 2008
Location: Brisbane, Australia
Posts: 238
Thanked 4 Times in 10 Posts
Default

what's wrong with keeping a password.txt file ? *sniggers*
Reply With Quote
  #6   (View Single Post)  
Old 8th August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by corey_james View Post
what's wrong with keeping a password.txt file ? *sniggers*
You dont need one of those if you just set your password to password. Its easy to remember.
Reply With Quote
  #7   (View Single Post)  
Old 8th August 2008
ddekok ddekok is offline
Port Guard
 
Join Date: May 2008
Posts: 38
Thanked 4 Times in 3 Posts
Default

Quote:
Originally Posted by neurosis View Post
You dont need one of those if you just set your password to password. Its easy to remember.
Oh, thank you so much, I had forgotten my password. I had written it down, but I spilled my beer and the ink on the sticky-note on the bottom side of my keyboard ran!
Reply With Quote
  #8   (View Single Post)  
Old 5th May 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 446
Thanked 69 Times in 46 Posts
Default

Quote:
Originally Posted by cajunman4life
I'd like to start a lively discussion on the methods and procedures everyone uses to "harden" their FreeBSD systems.
Desktop or server? In either case, depending on how it's being used would determine how many hardening cycles I'd go through.

Pretty straightforward for my desktop:
  1. make sure no daemons are listening for tcp/udp connections (except maybe dhclient);
  2. search for and disable useless (to me) suid/sgid programs;
  3. enable the blackhole(4) sysctl MIBs;
  4. turn off core dumps (more because I don't want to have to look for and delete them);
  5. occasionally run the security/rkhunter app to perform some sanity checking;
  6. believe it or not, scan downloaded files with clamav;
  7. review system logs and emails;
  8. keep base system and ports updated with security fixes asap.

I actually need to run an annoying proprietary java app that listens on all local interfaces to establish a secure connection with a system at work, so keeping in line with point #1 I run a packet filtering firewall to prevent outside connections to it. (Otherwise I probably wouldn't bother with the firewall.)
__________________
Kill your t.v.
Reply With Quote
  #9   (View Single Post)  
Old 9th August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by anomie View Post
Desktop or server? In either case, depending on how it's being used would determine how many hardening cycles I'd go through.

Pretty straightforward for my desktop:
  1. make sure no daemons are listening for tcp/udp connections (except maybe dhclient);
  2. search for and disable useless (to me) suid/sgid programs;
  3. enable the blackhole(4) sysctl MIBs;
  4. turn off core dumps (more because I don't want to have to look for and delete them);
  5. occasionally run the security/rkhunter app to perform some sanity checking;
  6. believe it or not, scan downloaded files with clamav;
  7. review system logs and emails;
  8. keep base system and ports updated with security fixes asap.

I actually need to run an annoying proprietary java app that listens on all local interfaces to establish a secure connection with a system at work, so keeping in line with point #1 I run a packet filtering firewall to prevent outside connections to it. (Otherwise I probably wouldn't bother with the firewall.)
Im sorry for asking such a dumb question, but how do you disable core dumps? Ive read that ulimit -c 0 or such works but ive only been able to find information on disabling core dumps for specific files. Is this something that you do system wide? and what would be the correct way to do this. Im asking so I dont make a mistake.

thanks.
Reply With Quote
Old 12th August 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 446
Thanked 69 Times in 46 Posts
Default

Quote:
Originally Posted by neurosis
how do you disable core dumps?
To add to BSDfan666's answer (just in case you're not highly familiar with sysctl), you can permanently disable them using, e.g.:
# echo 'kern.coredump=0' >> /etc/sysctl.conf
__________________
Kill your t.v.
Reply With Quote
Old 5th May 2008
cajunman4life cajunman4life is offline
Real Name: Aaron Graves
Package Pilot
 
Join Date: May 2008
Location: Coolidge, Arizona
Posts: 203
Thanked 16 Times in 14 Posts
Default

Me personally (and all I've been setting up lately are servers) I use this as a start:

http://www.bsdguides.org/guides/free...ity/harden.php

And go on from there depending on each service that needs to be run. I've also been building ezjails (I like it for its low overhead and read only base system) lately. One for each service I want to run (For example, one is running Apache/OpenSSL/PHP, another is running MySQL, another running PostgreSQL, and yet another running VSFTPd). I find it tends to make each jail easy to secure as there is relatively little installed in each jail.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
Reply With Quote
Old 13th May 2008
tanked tanked is offline
Fdisk Soldier
 
Join Date: May 2008
Posts: 56
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by cajunman4life View Post
I've also been building ezjails (I like it for its low overhead and read only base system) lately. One for each service I want to run (For example, one is running Apache/OpenSSL/PHP, another is running MySQL, another running PostgreSQL, and yet another running VSFTPd). I find it tends to make each jail easy to secure as there is relatively little installed in each jail.
I too use ezjail and would recommend it to anyone running multiple servers; its just so easy to set up plus the added protection of making the userland read-only means anyone breaking into your jail would find it hard to corrupt the binaries. The only thing jails need now is the virtual network stack implementation, maybe it will be MFC'd at some point.
Reply With Quote
Old 13th May 2008
kazcor kazcor is offline
Real Name: Registreed Usre
Port Guard
 
Join Date: May 2008
Location: bliner, erg
Posts: 20
Thanked 1 Time in 1 Post
Default

- /usr ro,nodev, /home nosuid,nodev,noexec, /tmp->/var/tmp
- use of rkhunter, chkrootkit, logcheck
- lock up all services that allow access to the inside in jails (yep, ezjail)
- jails on separate partition(s) or image(s)
- OTPs for all accounts
- disable local console root access
- kernel without module support
- all services on non-standard ports
- chflags schg on all sensitive files, sappend on logs
- afterwards raise securitylevels, if you care
- provide a VPN for access to your server, regardless of LAN/WLAN

Even more paranoid

- disable .history for all shells
- don't cache passwords to LAN services (HTTP/SMTP/etc.)
- use tor (at least for DNS queries)
- use privoxy for filtering (in a jail, of course)
- if using firefox from inside use NoScript where possible

Want more?
- provide a UPS for your machine
- provide a webcam with motion recognition and shutdown timer (harddisk encrypted, of course)
- close windows and draw the curtains, before touching a keyboard
- <add your favourite option here>
Reply With Quote
Old 15th May 2008
starbuck's Avatar
starbuck starbuck is offline
Port Guard
 
Join Date: Apr 2008
Location: Eugene, OR
Posts: 31
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by kazcor
- chflags schg on all sensitive files, sappend on logs
Does flagging the logs as "sappend" prevent them from being rotated? How do you get around this?

I noticed no one mentioned using various "Secure Levels." Is there anyone here running their FreeBSD system at Secure Level 2 or 3?
Reply With Quote
Old 16th May 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 446
Thanked 69 Times in 46 Posts
Default

Quote:
Originally Posted by starbuck
Does flagging the logs as "sappend" prevent them from being rotated? How do you get around this?
Yes, it does. You could remove the flag, then rotate the logs, then re-add the flag. But then that would imply that you're running in a securelevel < 1 (which somewhat defeats the purpose of the file flag if root can just remove it ).

So the real answer is that your log file will be growing indefinitely (until you take the steps to temporarily get to a lower securelevel and manually rotate it).

If you haven't already, check out the manpages for security(7) and chflags(1). There is a good book I reviewed here that discusses this topic in great detail.
__________________
Kill your t.v.
Reply With Quote
Old 5th May 2008
stukov's Avatar
stukov stukov is offline
Real Name: Jean-Michel Philippon-Nadeau
Package Pilot
 
Join Date: May 2008
Location: Sherbrooke, Qc, Canada
Posts: 167
Thanked 6 Times in 6 Posts
Default

I like to check the filesystem for changes with tools like TripWire or Yafic. I also like to have a quick look at my logs every morning while drinking coffee.
__________________
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction."
Reply With Quote
Old 7th May 2008
keithlybsd keithlybsd is offline
Port Guard
 
Join Date: May 2008
Posts: 10
Thanked 0 Times in 0 Posts
Default

Lots of good suggestions here,

I am sure this is a lame one but host based firewall is a must. Stateful inspection and make sure to apply out bound rules.

I prefer to only use ssh keys for login and not allow user/pass.

And you can dll the free version of cis bench mark and run that against a system. That little app shows you tons of ways to tighten down a box.

I do these things combined most of the above suggestions.
Reply With Quote
Old 7th May 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts
Default

Quote:
Originally Posted by keithlybsd View Post
I prefer to only use ssh keys for login and not allow user/pass.
Just so you know you can use ssh key with passphrase

The followings configuration I would implement to secure ssh access and I think they are quite elegant:

- VPN

- No direct ssh access from internet. To access the server, all the ssh traffic is tunnelled (the only limitation with my current tunnelling application, hts & htc is it cant accept multiple tunneling connections. Anyone know the alternative one that can do this? )

- Port knocking
Reply With Quote
Old 7th May 2008
keithlybsd keithlybsd is offline
Port Guard
 
Join Date: May 2008
Posts: 10
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by 18Googol2 View Post
Just so you know you can use ssh key with passphrase

The followings configuration I would implement to secure ssh access and I think they are quite elegant:

- VPN

- No direct ssh access from internet. To access the server, all the ssh traffic is tunnelled (the only limitation with my current tunnelling application, hts & htc is it cant accept multiple tunneling connections. Anyone know the alternative one that can do this? )

- Port knocking

Yes I know, I meant not plain old/user pass logins.

I typically setup agent and then forward the passphrase
Reply With Quote
Old 7th May 2008
keithlybsd keithlybsd is offline
Port Guard
 
Join Date: May 2008
Posts: 10
Thanked 0 Times in 0 Posts
Default

sorry not sure what you mean by hts and htc.


So you tunnel the ssh through a VPN?
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Basic sshd hardening anomie Guides 12 12th September 2008 03:39 AM
Can I use this link for hardening FreeBSD 7 mfaridi FreeBSD Security 1 9th July 2008 07:35 AM


All times are GMT. The time now is 10:47 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick