DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 5th May 2008
cajunman4life cajunman4life is offline
Real Name: Aaron Graves
Package Pilot
 
Join Date: May 2008
Location: Coolidge, Arizona
Posts: 203
Default Hardening FreeBSD

I'd like to start a lively discussion on the methods and procedures everyone uses to "harden" their FreeBSD systems.

Anyone?
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
Reply With Quote
  #2   (View Single Post)  
Old 5th May 2008
edhunter's Avatar
edhunter edhunter is offline
Real Name: Georgi Iovchev
Port Guard
 
Join Date: May 2008
Location: Sofia, Bulgaria
Posts: 41
Default

On pure os level, actually I do almost nothing on hardening my freebsd machines
I just keep number of users to minimum, also number of servers (daemons) to minimum too. On some machines I change the ssh port because of bots trying to login with different user/passwords on 22 port.
I have rerouted all machines email logs to one account and I quick check this email daily.

I dont say this is right, this is how it works for me.
Yes one my machine once were hacked and our web were deleted, but this has nothing to do with freebsd itself. It was poor php script on our web.
Reply With Quote
  #3   (View Single Post)  
Old 5th May 2008
corey_james corey_james is offline
Uber Geek
 
Join Date: Apr 2008
Location: Brisbane, Australia
Posts: 238
Default

argh @ php ... let's not start a discussion on that haha

I don't really do much to freebsd ... if you really want to go into hardening a freebsd have a look at the OS security levels and perhaps changing the default md5 hashing in master.passwd to blowfish encryption.

Definitely reduce the amount of daemons that run on the machine and if you really want, change the default SSH port ( as edhunter suggets )
Reply With Quote
  #4   (View Single Post)  
Old 5th May 2008
horizon's Avatar
horizon horizon is offline
Port Guard
 
Join Date: May 2008
Posts: 16
Default

I tend to chmod 4750 any setuid root binaries so that only people in wheel can execute them. Could help prevent a local privilege escalation if someone manages to obtain uid nobody via Apache or some other service, or you just have untrusted users on your system.

I also chmod 700 all home directories to prevent users snooping through each others files -- the amount of times I've come across 'passwords.txt'-like files is alarming!
Reply With Quote
  #5   (View Single Post)  
Old 5th May 2008
corey_james corey_james is offline
Uber Geek
 
Join Date: Apr 2008
Location: Brisbane, Australia
Posts: 238
Default

what's wrong with keeping a password.txt file ? *sniggers*
Reply With Quote
  #6   (View Single Post)  
Old 5th May 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 445
Default

Quote:
Originally Posted by cajunman4life
I'd like to start a lively discussion on the methods and procedures everyone uses to "harden" their FreeBSD systems.
Desktop or server? In either case, depending on how it's being used would determine how many hardening cycles I'd go through.

Pretty straightforward for my desktop:
  1. make sure no daemons are listening for tcp/udp connections (except maybe dhclient);
  2. search for and disable useless (to me) suid/sgid programs;
  3. enable the blackhole(4) sysctl MIBs;
  4. turn off core dumps (more because I don't want to have to look for and delete them);
  5. occasionally run the security/rkhunter app to perform some sanity checking;
  6. believe it or not, scan downloaded files with clamav;
  7. review system logs and emails;
  8. keep base system and ports updated with security fixes asap.

I actually need to run an annoying proprietary java app that listens on all local interfaces to establish a secure connection with a system at work, so keeping in line with point #1 I run a packet filtering firewall to prevent outside connections to it. (Otherwise I probably wouldn't bother with the firewall.)
__________________
Kill your t.v.
Reply With Quote
  #7   (View Single Post)  
Old 5th May 2008
cajunman4life cajunman4life is offline
Real Name: Aaron Graves
Package Pilot
 
Join Date: May 2008
Location: Coolidge, Arizona
Posts: 203
Default

Me personally (and all I've been setting up lately are servers) I use this as a start:

http://www.bsdguides.org/guides/free...ity/harden.php

And go on from there depending on each service that needs to be run. I've also been building ezjails (I like it for its low overhead and read only base system) lately. One for each service I want to run (For example, one is running Apache/OpenSSL/PHP, another is running MySQL, another running PostgreSQL, and yet another running VSFTPd). I find it tends to make each jail easy to secure as there is relatively little installed in each jail.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
Reply With Quote
  #8   (View Single Post)  
Old 5th May 2008
stukov's Avatar
stukov stukov is offline
Real Name: Jean-Michel Philippon-Nadeau
Package Pilot
 
Join Date: May 2008
Location: Sherbrooke, Qc, Canada
Posts: 167
Default

I like to check the filesystem for changes with tools like TripWire or Yafic. I also like to have a quick look at my logs every morning while drinking coffee.
__________________
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction."
Reply With Quote
  #9   (View Single Post)  
Old 7th May 2008
keithlybsd keithlybsd is offline
Port Guard
 
Join Date: May 2008
Posts: 10
Default

Lots of good suggestions here,

I am sure this is a lame one but host based firewall is a must. Stateful inspection and make sure to apply out bound rules.

I prefer to only use ssh keys for login and not allow user/pass.

And you can dll the free version of cis bench mark and run that against a system. That little app shows you tons of ways to tighten down a box.

I do these things combined most of the above suggestions.
Reply With Quote
Old 7th May 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Default

Quote:
Originally Posted by keithlybsd View Post
I prefer to only use ssh keys for login and not allow user/pass.
Just so you know you can use ssh key with passphrase

The followings configuration I would implement to secure ssh access and I think they are quite elegant:

- VPN

- No direct ssh access from internet. To access the server, all the ssh traffic is tunnelled (the only limitation with my current tunnelling application, hts & htc is it cant accept multiple tunneling connections. Anyone know the alternative one that can do this? )

- Port knocking
Reply With Quote
Old 7th May 2008
keithlybsd keithlybsd is offline
Port Guard
 
Join Date: May 2008
Posts: 10
Default

Quote:
Originally Posted by 18Googol2 View Post
Just so you know you can use ssh key with passphrase

The followings configuration I would implement to secure ssh access and I think they are quite elegant:

- VPN

- No direct ssh access from internet. To access the server, all the ssh traffic is tunnelled (the only limitation with my current tunnelling application, hts & htc is it cant accept multiple tunneling connections. Anyone know the alternative one that can do this? )

- Port knocking

Yes I know, I meant not plain old/user pass logins.

I typically setup agent and then forward the passphrase
Reply With Quote
Old 7th May 2008
keithlybsd keithlybsd is offline
Port Guard
 
Join Date: May 2008
Posts: 10
Default

sorry not sure what you mean by hts and htc.


So you tunnel the ssh through a VPN?
Reply With Quote
Old 8th May 2008
18Googol2's Avatar
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Default

hts & htc is http tunneling server and client application.

You tunnel the ssh traffic with http encapsulated. That means the ssh traffic now looks like normal web traffic, which is very nice because in some place like school and workplace, the only kind of outgoing traffic allowed is web, and the bloody firewall blocks the rest, ssh, pop3, file sharing you name it.

Unless they implement IDS or L7 firewall, you should be able to ssh your home server without any problem
Reply With Quote
Old 8th May 2008
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Default

My typical steps are to:

change the headers on each vtty* above the login prompt to some thing less "let's tell the whole world what we are".

change the motd to some thing more strict and create a suitable banner for sshd

ensure proper settings for users and passwords.

create groups/users and set perms as necessary for the system and ensure a sensible setup for what it's there to do.

configure sshd to be a bit more to my 'tastes' then the defaults and change it from port 22 to some thing else.


Kill unnecessary services, I usually don't use inetd either but that's just my way of doing things.


Say hello to pf and continue with system wide adjustments as necessary (e.g. what is this machine for factors).
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
Old 9th May 2008
keithlybsd keithlybsd is offline
Port Guard
 
Join Date: May 2008
Posts: 10
Default

Quote:
Originally Posted by 18Googol2 View Post
hts & htc is http tunneling server and client application.

You tunnel the ssh traffic with http encapsulated. That means the ssh traffic now looks like normal web traffic, which is very nice because in some place like school and workplace, the only kind of outgoing traffic allowed is web, and the bloody firewall blocks the rest, ssh, pop3, file sharing you name it.

Unless they implement IDS or L7 firewall, you should be able to ssh your home server without any problem
Ahh, ok for me it is usually the other way around. Typically the only outbound protocols allowed is ssh. So I tunnel all kinds of stuff through it. This actually isn't bothered by the IDS, IPS or L7 firewalls. Kinda of the reverse situation that your in.
Reply With Quote
Old 11th May 2008
lumiwa lumiwa is offline
Package Pilot
 
Join Date: May 2008
Posts: 145
Default

I am a newbie in FreeBSD world. All my life ) I was OS/2 and Linux user but last three or for months ( am I old??) ion my computer is just FreeBSD 7.0 and I am upset with myself why I didn't install this great system 15 years ago .
I like to work in console but I like KDE too and I use a computer as a destop machine. What I did for hardening and I hope that is okay:
In the "rc.conf" I have:

syslogd_flags="-ss"
clear_tmp_enable="YES"
log_in_vain="1"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
ntpdate_enable="YES"
ntpdate_flags="ntp1.cs.wisc.edu"
linux_enable="YES"
pf_enable="YES"
pflog_enable="YES"
update_motd="NO"

Yes, I run openbsd firewall.

In sysctl.conf I wrote:

security.bsd.see_other_uids=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

Maybe there are some changes more but I don't remeber know...
Reply With Quote
Old 12th May 2008
schrodinger's Avatar
schrodinger schrodinger is offline
Fdisk Soldier
 
Join Date: May 2008
Location: Ireland
Posts: 69
Default

My suggestions for hardening (that I can remember without documentation ):

-Disable root login for sshd (should be done by default)
-Change SSHD port to something different and only allow certain users/groups to login to sshd
-If you can't/don't want to change the listening port then setup something like swatch or denyhosts to block any IP addresses attempting to brute force accounts on your box
-Disable any services you do not need (don't use inetd if you don't need to)
-add -ss to disable syslogd binding to a socket
-use secure permissions on log files (don't allow any user who doesn't need to read logs files access to them)
-remove stick bit on set UID/GID binaries
-only allow authorised users to run cron jobs
-change default encryption for passwords to blowfish
-setup PF to block network access to services that remote hosts don't need access to
-add the following to /etc/rc.conf
-+ icmp_drop_redirect="YES"
-+ icmp_log_redirect="YES"
-+ log_in_vain="YES"
-Bring the ARP cache timeout down to five minutes. Append to /etc/sysctl.conf - 'net.link.ether.inet.max_age=300'
-remove toor account
-nosuid options on /tmp in /etc/fstab
__________________
It was a new day yesterday, but it's an old day now.
Reply With Quote
Old 13th May 2008
tanked tanked is offline
Fdisk Soldier
 
Join Date: May 2008
Posts: 56
Default

Quote:
Originally Posted by cajunman4life View Post
I've also been building ezjails (I like it for its low overhead and read only base system) lately. One for each service I want to run (For example, one is running Apache/OpenSSL/PHP, another is running MySQL, another running PostgreSQL, and yet another running VSFTPd). I find it tends to make each jail easy to secure as there is relatively little installed in each jail.
I too use ezjail and would recommend it to anyone running multiple servers; its just so easy to set up plus the added protection of making the userland read-only means anyone breaking into your jail would find it hard to corrupt the binaries. The only thing jails need now is the virtual network stack implementation, maybe it will be MFC'd at some point.
Reply With Quote
Old 13th May 2008
kazcor kazcor is offline
Real Name: Registreed Usre
Port Guard
 
Join Date: May 2008
Location: bliner, erg
Posts: 20
Default

- /usr ro,nodev, /home nosuid,nodev,noexec, /tmp->/var/tmp
- use of rkhunter, chkrootkit, logcheck
- lock up all services that allow access to the inside in jails (yep, ezjail)
- jails on separate partition(s) or image(s)
- OTPs for all accounts
- disable local console root access
- kernel without module support
- all services on non-standard ports
- chflags schg on all sensitive files, sappend on logs
- afterwards raise securitylevels, if you care
- provide a VPN for access to your server, regardless of LAN/WLAN

Even more paranoid

- disable .history for all shells
- don't cache passwords to LAN services (HTTP/SMTP/etc.)
- use tor (at least for DNS queries)
- use privoxy for filtering (in a jail, of course)
- if using firefox from inside use NoScript where possible

Want more?
- provide a UPS for your machine
- provide a webcam with motion recognition and shutdown timer (harddisk encrypted, of course)
- close windows and draw the curtains, before touching a keyboard
- <add your favourite option here>
Reply With Quote
Old 15th May 2008
starbuck's Avatar
starbuck starbuck is offline
Port Guard
 
Join Date: Apr 2008
Location: Eugene, OR
Posts: 31
Default

Quote:
Originally Posted by kazcor
- chflags schg on all sensitive files, sappend on logs
Does flagging the logs as "sappend" prevent them from being rotated? How do you get around this?

I noticed no one mentioned using various "Secure Levels." Is there anyone here running their FreeBSD system at Secure Level 2 or 3?
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Basic sshd hardening anomie Guides 12 12th September 2008 03:39 AM
Can I use this link for hardening FreeBSD 7 mfaridi FreeBSD Security 1 9th July 2008 07:35 AM


All times are GMT. The time now is 10:25 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick