DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
Old 22nd June 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 446
Thanked 69 Times in 46 Posts
Default

I had some time today and wrote up a guide on the topic of password enforcement to get things started (I hope that's ok). Please feel free to add on any information, as requested in the closing section of the guide.
__________________
Kill your t.v.
Reply With Quote
Old 25th June 2008
pickupsticks pickupsticks is offline
New User
 
Join Date: Jun 2008
Posts: 6
Thanked 1 Time in 1 Post
Default

Help from CIS. Great tool that i cannot believe was not brought up here, much of what it checks for has been brought up though. It scans your system and gives you results and a score, there is also a guide which shows how to "fix" what it calls problems.
http://www.cisecurity.org/bench_freebsd.html

here is an example of results, the "non-standard suid program"
it complains of is because of the schg flag set by /usr/ports/security/lockdown, did anyone mention it?, very useful )

MACY# egrep "^Negative" ./cis-ruler-log.20080624-20.00.56.59258
Negative: 1.1 System appears not to have been patched within the last month.
Negative: 1.2 ssh_config must have 'Protocol 2' underneath Host *.
Negative: 1.3 host based firewall is NOT enabled.
Negative: 3.2 Password not required for single user console.
Negative: 4.2 No secure level > 0 (sysctl.conf kern.securelevel="-1")
Negative: 5.2 No System Accounting enabled (rc.conf accounting_enable="NO")
Negative: 5.4 /var/log/Xorg.0.log should not be world readable.
Negative: 5.4 /var/log/Xorg.0.log.old should not be world readable.
Negative: 6.1 /etc/fstab does NOT mount cdroms nosuid.
Negative: 7.1 weak authentication not deactivated in /etc/pam.d/rsh.
Negative: 7.3 File /etc/hosts.equiv exists, is non-zero size, isn't linked to /dev/null, and doesn't contain only the - character.
Negative: 7.7 X11 is listening on TCP port 6000.
Negative: 8.3 User joe does not have a maximum password life. (91 days or less recommended).
Negative: 8.4 Default /etc/adduser.conf file not found.
Negative: 8.8 Current umask setting in file /etc/login.conf is 022 -- it should be stronger to block world-read/write/execute.
Negative: 8.8 Current umask setting in file /etc/login.conf is 022 -- it should be stronger to block group-read/write/execute.
Negative: 6.5 Non-standard SUID program /usr/bin/ypchfn
Negative: 6.5 Non-standard SUID program /usr/sbin/authpf
Negative: 6.5 Non-standard SUID program /usr/bin/chfn
Negative: 6.5 Non-standard SUID program /usr/bin/ypchsh
Negative: 6.5 Non-standard SUID program /usr/bin/lprm
Negative: 6.5 Non-standard SUID program /usr/bin/chpass
Negative: 6.5 Non-standard SUID program /usr/bin/ypchpass
Negative: 6.5 Non-standard SUID program /usr/bin/lpr
Negative: 6.5 Non-standard SUID program /usr/bin/chsh
Negative: 6.5 Non-standard SUID program /usr/bin/rsh
Negative: 6.5 Non-standard SUID program /usr/bin/lpq
Negative: 6.5 Non-standard SGID program /usr/sbin/authpf
Negative: 6.5 Non-standard SGID program /usr/bin/lpr
Negative: 6.5 Non-standard SGID program /usr/bin/lprm
Negative: 6.5 Non-standard SGID program /usr/bin/lpq

MACY# egrep "^Positive" ./cis-ruler-log.20080624-20.00.56.59258
Positive: 2.1 inetd/xinetd is not listening on any of the miscellaneous ports checked in this item.
Positive: 2.2 telnet is deactivated.
Positive: 2.3 ftp is deactivated.
Positive: 2.4 rsh, rcp and rlogin are deactivated.
Positive: 2.5 tftp is deactivated.
Positive: 2.6 finger is deactivated.
Positive: 2.7 Kerberos v4 or v5 services are not enabled.
Positive: 3.1 All Serial login prompts are disabled.
Positive: 3.3 Good umask in all rc files.
Positive: 3.4 syslogd has the -s switch and is thus not listening to the network.
Positive: 3.5 Mail daemon is not listening on TCP 25.
Positive: 3.6 DNS named daemon is not listening on port 53.
Positive: 3.7 No RPC services enabled.
Positive: 3.8 No NFS servers enabled.
Positive: 3.9 No NFS client enabled.
Positive: 3.10 No non-privileged NFS ports allowed.
Positive: 3.11 No non-privileged mount requests allowed.
Positive: 3.12 No NIS server enabled.
Positive: 3.13 No NIS client enabled.
Positive: 3.14 No Printer daemon is enabled.
Positive: 4.1 No Core dumps enabled.
Positive: 4.3 No Users see unowned processes.
Positive: 4.4 No Users see processes in other groups.
Positive: 5.1 syslog captures daemon.debug messages.
Positive: 5.3 Logging of packets received on closed ports.
Positive: 5.5 /etc/newsyslog.conf log file permissions are correct.
Positive: 6.2 password and group files have right permissions and owners.
Positive: 6.6 No user's home directory is world or group writable.
Positive: 7.2 All .rhosts files are readable only by their owner.
Positive: 7.4 at/cron is restricted to authorized users.
Positive: 7.5 'Authorized use only' message in /etc/motd.
Positive: 7.6 X Wrapper package is NOT installed.
Positive: 8.1 All system accounts are locked/deleted
Positive: 8.2 All users have passwords
Positive: 8.5 User 'toor' has been removed.
Positive: 8.6 Only one UID 0 account AND it is named root.
Positive: 8.7 No group or world-writable dotfiles in user home directories!
Positive: 8.9 User shells default to mesg n, blocking talk/write.
Positive: 6.3 No world-writable directories without sticky bit.
Positive: 6.4 No non-standard world-writable files.
Positive: 6.7 No unowned files found.
Reply With Quote
Old 25th June 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 446
Thanked 69 Times in 46 Posts
Default

Quote:
Originally Posted by pickupsticks
Help from CIS. Great tool that i cannot believe was not brought up here, much of what it checks for has been brought up though. It scans your system and gives you results and a score...
Cool - I will try it out tomorrow morning. I'm all for automating sanity checks.
__________________
Kill your t.v.
Reply With Quote
Old 25th June 2008
cajunman4life cajunman4life is offline
Real Name: Aaron Graves
Package Pilot
 
Join Date: May 2008
Location: Coolidge, Arizona
Posts: 203
Thanked 16 Times in 14 Posts
Default

Hmm... this CIS thing seems interesting, but fails on a few points. It mentions me not having "-s" in my syslogd flags. I do have that. In fact, I have a lot more than that. Maybe that's why it's failing.

All in all, a fairly good way for a sysadmin to get a "grasp" of a few things. He can safely ignore something that he knows otherwise (like the example above, or "named running on port 53").
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
Reply With Quote
Old 25th June 2008
hopla hopla is offline
New User
 
Join Date: May 2008
Posts: 8
Thanked 5 Times in 2 Posts
Default

I don't want to sound negative, but I've also ran the CIS tool on my box before and the fact that it hasn't been updated in a while really shows and is quite annoying.

Lots of false warnings hide the real problems, so you have to manually check everything...

For example:
Code:
Negative: 1.2 ssh_config must have 'Protocol 2' underneath Host *.
SSHD forces SSHv2 by default, so not having it explicitly specified is not a problem anymore!

That's why I also never bothered to install security/lockdown: the last port update is from 19 Apr 2007, in fact that's still the same version 2.0.0 that was released 24 Jun 2005! It could be that it still works properly on FreeBSD6.3/7.0, but i have my doubts...

Anyway I did discover, fix and learn about a lot of problems thanks to the CIS script, so I would still recommend it to everyone! Just take it with a grain of salt

Last edited by hopla; 25th June 2008 at 07:40 AM. Reason: typo
Reply With Quote
Old 15th July 2008
richardpl richardpl is offline
Spam Deminer
 
Join Date: May 2008
Location: Croatia
Posts: 284
Thanked 25 Times in 24 Posts
Default

Dont forget to add following lines to /etc/sysctl.conf

Code:
security.bsd.hardlink_check_gid=1
security.bsd.hardlink_check_uid=1
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_get_quota=0
Reply With Quote
Old 8th August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by corey_james View Post
what's wrong with keeping a password.txt file ? *sniggers*
You dont need one of those if you just set your password to password. Its easy to remember.
Reply With Quote
Old 8th August 2008
ddekok ddekok is offline
Port Guard
 
Join Date: May 2008
Posts: 38
Thanked 4 Times in 3 Posts
Default

Quote:
Originally Posted by neurosis View Post
You dont need one of those if you just set your password to password. Its easy to remember.
Oh, thank you so much, I had forgotten my password. I had written it down, but I spilled my beer and the ink on the sticky-note on the bottom side of my keyboard ran!
Reply With Quote
Old 9th August 2008
neurosis neurosis is offline
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by anomie View Post
Desktop or server? In either case, depending on how it's being used would determine how many hardening cycles I'd go through.

Pretty straightforward for my desktop:
  1. make sure no daemons are listening for tcp/udp connections (except maybe dhclient);
  2. search for and disable useless (to me) suid/sgid programs;
  3. enable the blackhole(4) sysctl MIBs;
  4. turn off core dumps (more because I don't want to have to look for and delete them);
  5. occasionally run the security/rkhunter app to perform some sanity checking;
  6. believe it or not, scan downloaded files with clamav;
  7. review system logs and emails;
  8. keep base system and ports updated with security fixes asap.

I actually need to run an annoying proprietary java app that listens on all local interfaces to establish a secure connection with a system at work, so keeping in line with point #1 I run a packet filtering firewall to prevent outside connections to it. (Otherwise I probably wouldn't bother with the firewall.)
Im sorry for asking such a dumb question, but how do you disable core dumps? Ive read that ulimit -c 0 or such works but ive only been able to find information on disabling core dumps for specific files. Is this something that you do system wide? and what would be the correct way to do this. Im asking so I dont make a mistake.

thanks.
Reply With Quote
Old 10th August 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

There are several ways to disable that functionality in FreeBSD:

You can disable them via:
  • Login classes (See login.conf(5)).
  • 'ulimit -c 0' with bourne shells, 'limit coredumpsize 0' in csh.
  • sysctl kern.coredump = 0, kern.sugid_coredump = 0 for setuid bins.

Note: It's probably better to leave them enabled, perhaps, debugging the problem and sending it upstream.. but - we don't live in a perfect world.

Last edited by BSDfan666; 10th August 2008 at 03:39 AM.
Reply With Quote
Old 11th August 2008
graudeejs's Avatar
graudeejs graudeejs is offline
Real Name: Aldis Berjoza
formerly killasmurf86
 
Join Date: Jul 2008
Location: Riga, Latvia
Posts: 588
Thanked 29 Times in 26 Posts
Default

How about Sticky?
Reply With Quote
Old 12th August 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 446
Thanked 69 Times in 46 Posts
Default

Quote:
Originally Posted by neurosis
how do you disable core dumps?
To add to BSDfan666's answer (just in case you're not highly familiar with sysctl), you can permanently disable them using, e.g.:
# echo 'kern.coredump=0' >> /etc/sysctl.conf
__________________
Kill your t.v.
Reply With Quote
Old 7th October 2008
valqk valqk is offline
New User
 
Join Date: Oct 2008
Posts: 2
Thanked 1 Time in 1 Post
Default

Quote:
Originally Posted by 18Googol2 View Post
Just so you know you can use ssh key with passphrase

The followings configuration I would implement to secure ssh access and I think they are quite elegant:

- VPN

- No direct ssh access from internet. To access the server, all the ssh traffic is tunnelled (the only limitation with my current tunnelling application, hts & htc is it cant accept multiple tunneling connections. Anyone know the alternative one that can do this? )

- Port knocking
you can try stone (
/usr/ports/net/stone> cat pkg-descr
Stone is a TCP/IP packet repeater in the application layer. It
repeats TCP and UDP packets from inside to outside of a firewall, or
from outside to inside.

Stone has following features:

1. Simple.
Stone's source code is only 3000 lines long (written in C
language), so you can minimize the risk of security
holes.

2. Stone supports SSL.
Using OpenSSL (http://www.openssl.org/), stone can
encrypt/decrypt packets.

3. Stone is a http proxy.
Stone can also be a tiny http proxy.

4. POP -> APOP conversion.
With stone and a mailer that does not support APOP, you can
access to an APOP server.

WWW: http://www.gcd.org/sengoku/stone/
)
Reply With Quote
Old 7th October 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts
Default

Thank you, it looks interesting. I will try it out soon
__________________
The power of plain text? It can control an entire OS
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Basic sshd hardening anomie Guides 12 12th September 2008 03:39 AM
Can I use this link for hardening FreeBSD 7 mfaridi FreeBSD Security 1 9th July 2008 07:35 AM


All times are GMT. The time now is 01:09 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick