Hardening FreeBSD
I'd like to start a lively discussion on the methods and procedures everyone uses to "harden" their FreeBSD systems.
Anyone?
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

argh @ php ... let's not start a discussion on that haha
I don't really do much to FreeBSD... if you really want to go into hardening FreeBSD, have a look at the OS security levels and perhaps changing the default md5 hashing in master.passwd to blowfish encryption. Definitely reduce the amount of daemons that run on the machine and, if you really want, change the default SSH port (as edhunter suggests).

I tend to chmod 4750 any setuid root binaries so that only people in wheel can execute them. Could help prevent a local privilege escalation if someone manages to obtain uid nobody via Apache or some other service, or you just have untrusted users on your system.
I also chmod 700 all home directories to prevent users snooping through each other's files -- the amount of times I've come across 'passwords.txt'-like files is alarming!

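The chmod 4750 advice in the post above can be turned into a repeatable audit. The script below is an added example, not code from the thread: it lists setuid files that are still executable by "other" (the numeric test `-perm -4001` means "setuid bit and other-execute bit both set", which both BSD and GNU find accept), and restricts a given file to owner plus one group. The sample tree it builds in a temp directory is constructed for the demo; on a real FreeBSD box you would point `list_world_exec_setuid` at /usr/bin, /usr/sbin and /usr/local and pass `wheel` as the group.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for setuid files that are
# world-executable, i.e. the candidates for chmod 4750, and restrict them.

# list_world_exec_setuid DIR
#   Print, sorted, every regular file under DIR with mode bits 4001 set
#   (setuid AND other-execute).
list_world_exec_setuid() {
    find "$1" -type f -perm -4001 2>/dev/null | sort
}

# count_world_exec_setuid DIR
#   Same as above but only the count, for scripted checks.
count_world_exec_setuid() {
    list_world_exec_setuid "$1" | wc -l | tr -d ' '
}

# restrict_setuid FILE GROUP
#   Keep the setuid bit but allow execution only by the owner and GROUP
#   (on FreeBSD, GROUP would be wheel as in the post).
restrict_setuid() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# make_sample_tree
#   Build a constructed tree in a temp dir and print its path:
#   su-like            4755, world-executable setuid -> should be flagged
#   already-restricted 4750                            -> not flagged
#   plain              755, no setuid                  -> not flagged
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin"
    : > "$d/bin/su-like"
    : > "$d/bin/already-restricted"
    : > "$d/bin/plain"
    chmod 4755 "$d/bin/su-like"
    chmod 4750 "$d/bin/already-restricted"
    chmod 755 "$d/bin/plain"
    echo "$d"
}

# Stand-alone demo: audit the sample tree, restrict what was found, re-audit.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "Before:"
    list_world_exec_setuid "$root"
    list_world_exec_setuid "$root" | while read -r f; do
        restrict_setuid "$f" "$(id -gn)"
    done
    echo "After: $(count_world_exec_setuid "$root") world-executable setuid files"
    rm -rf "$root"
fi
```

Run it with `sh audit-setuid.sh --demo`. Review the list before restricting anything: programs such as passwd(1) or su(1) that ordinary users are expected to run will break for anyone outside the chosen group.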
what's wrong with keeping a password.txt file? *sniggers*

You don't need one of those if you just set your password to password. It's easy to remember.

Oh, thank you so much, I had forgotten my password. I had written it down, but I spilled my beer and the ink on the sticky-note on the bottom side of my keyboard ran!
Quote:
Pretty straightforward for my desktop:
I actually need to run an annoying proprietary java app that listens on all local interfaces to establish a secure connection with a system at work, so keeping in line with point #1 I run a packet filtering firewall to prevent outside connections to it. (Otherwise I probably wouldn't bother with the firewall.)
__________________
Kill your t.v.

Quote:
thanks.

Quote:
# echo 'kern.coredump=0' >> /etc/sysctl.conf
__________________
Kill your t.v.

Me personally (and all I've been setting up lately are servers) I use this as a start:
http://www.bsdguides.org/guides/free...ity/harden.php And go on from there depending on each service that needs to be run. I've also been building ezjails (I like it for its low overhead and read only base system) lately. One for each service I want to run (For example, one is running Apache/OpenSSL/PHP, another is running MySQL, another running PostgreSQL, and yet another running VSFTPd). I find it tends to make each jail easy to secure as there is relatively little installed in each jail.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

- /usr ro,nodev, /home nosuid,nodev,noexec, /tmp->/var/tmp
- use of rkhunter, chkrootkit, logcheck
- lock up all services that allow access to the inside in jails (yep, ezjail)
- jails on separate partition(s) or image(s)
- OTPs for all accounts
- disable local console root access
- kernel without module support
- all services on non-standard ports
- chflags schg on all sensitive files, sappend on logs
- afterwards raise securitylevels, if you care
- provide a VPN for access to your server, regardless of LAN/WLAN

Even more paranoid
- disable .history for all shells
- don't cache passwords to LAN services (HTTP/SMTP/etc.)
- use tor (at least for DNS queries)
- use privoxy for filtering (in a jail, of course)
- if using firefox from inside use NoScript where possible

Want more?
- provide a UPS for your machine
- provide a webcam with motion recognition and shutdown timer (harddisk encrypted, of course)
- close windows and draw the curtains, before touching a keyboard
- <add your favourite option here>

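The first item of the list above (ro,nodev on /usr; nosuid,nodev,noexec on /home) is easy to apply once and then lose in a later fstab edit, so it is worth checking. The script below is an added example, not from the thread: it reads a FreeBSD-style fstab, finds the entry for a mount point and reports which of the wanted options are missing. The fstab it writes is constructed for the demo (device names and the partition layout are assumptions); point `check_fstab_options` at /etc/fstab on a real system.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an fstab carries the
# mount options recommended above. Only sh, awk and tr are needed.

# check_fstab_options FSTAB MOUNTPOINT OPT[,OPT...]
#   Prints "<mnt>: ok" and returns 0, or "<mnt>: missing <opts>" and
#   returns 1, or "<mnt>: not in <fstab>" and returns 2.
#   Comment lines are skipped; the first matching entry wins.
check_fstab_options() {
    fstab=$1 mnt=$2 want=$3
    have=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$fstab")
    if [ -z "$have" ]; then
        echo "$mnt: not in $fstab"
        return 2
    fi
    missing=""
    for o in $(echo "$want" | tr ',' ' '); do
        case ",$have," in
            *",$o,"*) ;;                      # option present
            *) missing="$missing $o" ;;       # option absent
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mnt: missing$missing"
        return 1
    fi
    echo "$mnt: ok"
    return 0
}

# write_sample_fstab
#   Write a constructed fstab to a temp file and print its path.
#   /home follows the advice, /usr is only "ro" (nodev missing),
#   and there is no separate /var/log at all.
write_sample_fstab() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Device        Mountpoint      FStype  Options                 Dump    Pass#
/dev/ada0p2     /               ufs     rw                      1       1
/dev/ada0p3     /usr            ufs     ro                      2       2
/dev/ada0p4     /home           ufs     rw,nosuid,nodev,noexec  2       2
/dev/ada0p5     /var            ufs     rw,nosuid,nodev         2       2
EOF
    echo "$f"
}

# Stand-alone demo over the sample file.
if [ "${1:-}" = "--demo" ]; then
    f=$(write_sample_fstab)
    check_fstab_options "$f" /usr ro,nodev
    check_fstab_options "$f" /home nosuid,nodev,noexec
    check_fstab_options "$f" /var/log nosuid,nodev,noexec
    rm -f "$f"
fi
```

The check only reads fstab, so a filesystem remounted by hand with different options will not be noticed; compare with `mount -p` output for the running state.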
Quote:
I noticed no one mentioned using various "Secure Levels." Is there anyone here running their FreeBSD system at Secure Level 2 or 3?

Quote:
So the real answer is that your log file will be growing indefinitely (until you take the steps to temporarily get to a lower securelevel and manually rotate it). If you haven't already, check out the manpages for security(7) and chflags(1). There is a good book I reviewed here that discusses this topic in great detail.
__________________
Kill your t.v.

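For reference, the settings the two posts above talk about (kern.coredump from the sysctl.conf line earlier in the thread, and the securelevel raised from rc.conf) look like this. This is an added configuration example, not text from the thread; the log and password file paths are the standard FreeBSD ones, and the chflags lines are shown as comments because they are one-off commands rather than configuration. The rotation caveat is the one the post describes: a file with sappnd set can only be appended to once the securelevel is 1 or higher, so newsyslog cannot truncate or rename it until the flag is cleared at a lower level.

```sh
# /etc/sysctl.conf  (applied at boot)
kern.coredump=0           # no core files; a crashed daemon's core can expose what it held in memory

# /etc/rc.conf  (kern.securelevel is raised near the end of the boot sequence)
kern_securelevel_enable="YES"
kern_securelevel="2"      # 1 already makes system flags sticky; see security(7) for what each level forbids

# One-off commands as root, run BEFORE the securelevel is raised
# (or after a reboot with kern_securelevel lowered), shown here as comments:
#   chflags sappnd /var/log/auth.log      append-only: cannot be truncated or rotated at securelevel >= 1
#   chflags schg   /etc/master.passwd     immutable: no password changes at securelevel >= 1
#   ls -lo /var/log/auth.log              the flags column now shows "sappnd"
```

Check `sysctl kern.securelevel` after boot to confirm the level actually took effect; it can be raised at runtime with `sysctl kern.securelevel=2` but never lowered without a reboot.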
I like to check the filesystem for changes with tools like TripWire or Yafic. I also like to have a quick look at my logs every morning while drinking coffee.
__________________
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction."

Lots of good suggestions here,
I am sure this is a lame one, but a host-based firewall is a must: stateful inspection, and make sure to apply outbound rules. I prefer to only use SSH keys for login and not allow user/pass. And you can download the free version of the CIS benchmark and run that against a system. That little app shows you tons of ways to tighten down a box. I do these things combined with most of the above suggestions.

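A minimal pf.conf that does what the post above asks for (default deny, state on every rule, explicit outbound rules) together with the sshd_config lines that turn off password logins. This is an added example, not from the thread: the interface name `em0`, the management network (the 192.0.2.0/24 documentation prefix) and the set of outbound ports are assumptions to adjust for the box in question.

```conf
# /etc/pf.conf  (constructed example; em0 and <mgmt> are assumptions)
ext_if = "em0"
table <mgmt> { 192.0.2.0/24 }        # networks admins connect from

set skip on lo0
scrub in all

# Default deny in both directions, so outbound traffic must be allowed explicitly
block log all

# Outbound: only what this server needs, each with state so replies are let back in
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port { 53 123 } keep state   # DNS, NTP
pass out on $ext_if proto tcp from ($ext_if) to any port { 80 443 } keep state           # packages, updates

# Inbound: ssh only from the management network, web from anywhere
pass in on $ext_if proto tcp from <mgmt> to ($ext_if) port 22 flags S/SA keep state
pass in on $ext_if proto tcp from any to ($ext_if) port { 80 443 } flags S/SA keep state

# /etc/ssh/sshd_config  (key-only logins, as the post prefers)
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
```

Load the ruleset with `pfctl -nf /etc/pf.conf` first (syntax check only) from a console session rather than over ssh, since a typo in the inbound rule locks you out; `pfctl -sr` shows what is actually loaded afterwards.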
Quote:
The following configuration I would implement to secure SSH access, and I think it is quite elegant:
- VPN
- No direct SSH access from the internet. To access the server, all the SSH traffic is tunnelled (the only limitation with my current tunnelling application, hts & htc, is it can't accept multiple tunnelling connections. Anyone know an alternative one that can do this?)
- Port knocking

Quote:
Yes I know, I meant not plain old user/pass logins. I typically set up agent and then forward the passphrase

sorry not sure what you mean by hts and htc.
So you tunnel the ssh through a VPN?