Hardening FreeBSD

[cajunman4life]

I'd like to start a lively discussion on the methods and procedures everyone uses to "harden" their FreeBSD systems.

Anyone?

[edhunter]

On pure os level, actually I do almost nothing on hardening my freebsd machines
I just keep number of users to minimum, also number of servers (daemons) to minimum too. On some machines I change the ssh port because of bots trying to login with different user/passwords on 22 port.
I have rerouted all machines email logs to one account and I quick check this email daily.

I dont say this is right, this is how it works for me.
Yes one my machine once were hacked and our web were deleted, but this has nothing to do with freebsd itself. It was poor php script on our web.

[corey_james]

argh @ php ... let's not start a discussion on that haha

I don't really do much to freebsd ... if you really want to go into hardening a freebsd have a look at the OS security levels and perhaps changing the default md5 hashing in master.passwd to blowfish encryption.

Definitely reduce the amount of daemons that run on the machine and if you really want, change the default SSH port ( as edhunter suggets )

[horizon]

I tend to chmod 4750 any setuid root binaries so that only people in wheel can execute them. Could help prevent a local privilege escalation if someone manages to obtain uid nobody via Apache or some other service, or you just have untrusted users on your system.

I also chmod 700 all home directories to prevent users snooping through each others files -- the amount of times I've come across 'passwords.txt'-like files is alarming!

[corey_james]

what's wrong with keeping a password.txt file ? *sniggers*

[neurosis]

Quote:

Originally Posted by corey_james

what's wrong with keeping a password.txt file ? *sniggers*

You dont need one of those if you just set your password to password. Its easy to remember.

[ddekok]

Quote:

Originally Posted by neurosis

You dont need one of those if you just set your password to password. Its easy to remember.

Oh, thank you so much, I had forgotten my password. I had written it down, but I spilled my beer and the ink on the sticky-note on the bottom side of my keyboard ran!

[anomie]

Quote:

Originally Posted by cajunman4life

I'd like to start a lively discussion on the methods and procedures everyone uses to "harden" their FreeBSD systems.

Desktop or server? In either case, depending on how it's being used would determine how many hardening cycles I'd go through.

Pretty straightforward for my desktop:

1. make sure no daemons are listening for tcp/udp connections (except maybe dhclient);
2. search for and disable useless (to me) suid/sgid programs;
3. enable the blackhole(4) sysctl MIBs;
4. turn off core dumps (more because I don't want to have to look for and delete them);
5. occasionally run the security/rkhunter app to perform some sanity checking;
6. believe it or not, scan downloaded files with clamav;
7. review system logs and emails;
8. keep base system and ports updated with security fixes asap.

I actually need to run an annoying proprietary java app that listens on all local interfaces to establish a secure connection with a system at work, so keeping in line with point #1 I run a packet filtering firewall to prevent outside connections to it. (Otherwise I probably wouldn't bother with the firewall.)

[neurosis]

Quote:

Originally Posted by anomie

Desktop or server? In either case, depending on how it's being used would determine how many hardening cycles I'd go through.

Pretty straightforward for my desktop:

1. make sure no daemons are listening for tcp/udp connections (except maybe dhclient);
2. search for and disable useless (to me) suid/sgid programs;
3. enable the blackhole(4) sysctl MIBs;
4. turn off core dumps (more because I don't want to have to look for and delete them);
5. occasionally run the security/rkhunter app to perform some sanity checking;
6. believe it or not, scan downloaded files with clamav;
7. review system logs and emails;
8. keep base system and ports updated with security fixes asap.

I actually need to run an annoying proprietary java app that listens on all local interfaces to establish a secure connection with a system at work, so keeping in line with point #1 I run a packet filtering firewall to prevent outside connections to it. (Otherwise I probably wouldn't bother with the firewall.)

Im sorry for asking such a dumb question, but how do you disable core dumps? Ive read that ulimit -c 0 or such works but ive only been able to find information on disabling core dumps for specific files. Is this something that you do system wide? and what would be the correct way to do this. Im asking so I dont make a mistake.

thanks.

[anomie]

Quote:

Originally Posted by neurosis

how do you disable core dumps?

To add to BSDfan666's answer (just in case you're not highly familiar with sysctl), you can permanently disable them using, e.g.:
# echo 'kern.coredump=0' >> /etc/sysctl.conf

[cajunman4life]

Me personally (and all I've been setting up lately are servers) I use this as a start:

http://www.bsdguides.org/guides/free...ity/harden.php

And go on from there depending on each service that needs to be run. I've also been building ezjails (I like it for its low overhead and read only base system) lately. One for each service I want to run (For example, one is running Apache/OpenSSL/PHP, another is running MySQL, another running PostgreSQL, and yet another running VSFTPd). I find it tends to make each jail easy to secure as there is relatively little installed in each jail.

[tanked]

Quote:

Originally Posted by cajunman4life

I've also been building ezjails (I like it for its low overhead and read only base system) lately. One for each service I want to run (For example, one is running Apache/OpenSSL/PHP, another is running MySQL, another running PostgreSQL, and yet another running VSFTPd). I find it tends to make each jail easy to secure as there is relatively little installed in each jail.

I too use ezjail and would recommend it to anyone running multiple servers; its just so easy to set up plus the added protection of making the userland read-only means anyone breaking into your jail would find it hard to corrupt the binaries. The only thing jails need now is the virtual network stack implementation, maybe it will be MFC'd at some point.

[kazcor]

- /usr ro,nodev, /home nosuid,nodev,noexec, /tmp->/var/tmp
- use of rkhunter, chkrootkit, logcheck
- lock up all services that allow access to the inside in jails (yep, ezjail)
- jails on separate partition(s) or image(s)
- OTPs for all accounts
- disable local console root access
- kernel without module support
- all services on non-standard ports
- chflags schg on all sensitive files, sappend on logs
- afterwards raise securitylevels, if you care
- provide a VPN for access to your server, regardless of LAN/WLAN

Even more paranoid

- disable .history for all shells
- don't cache passwords to LAN services (HTTP/SMTP/etc.)
- use tor (at least for DNS queries)
- use privoxy for filtering (in a jail, of course)
- if using firefox from inside use NoScript where possible

Want more?
- provide a UPS for your machine
- provide a webcam with motion recognition and shutdown timer (harddisk encrypted, of course)
- close windows and draw the curtains, before touching a keyboard
- <add your favourite option here>

[starbuck]

Quote:

Originally Posted by kazcor

- chflags schg on all sensitive files, sappend on logs

Does flagging the logs as "sappend" prevent them from being rotated? How do you get around this?

I noticed no one mentioned using various "Secure Levels." Is there anyone here running their FreeBSD system at Secure Level 2 or 3?

[anomie]

Quote:

Originally Posted by starbuck

Does flagging the logs as "sappend" prevent them from being rotated? How do you get around this?

Yes, it does. You could remove the flag, then rotate the logs, then re-add the flag. But then that would imply that you're running in a securelevel < 1 (which somewhat defeats the purpose of the file flag if root can just remove it ).

So the real answer is that your log file will be growing indefinitely (until you take the steps to temporarily get to a lower securelevel and manually rotate it).

If you haven't already, check out the manpages for security(7) and chflags(1). There is a good book I reviewed here that discusses this topic in great detail.

[stukov]

I like to check the filesystem for changes with tools like TripWire or Yafic. I also like to have a quick look at my logs every morning while drinking coffee.

[keithlybsd]

Lots of good suggestions here,

I am sure this is a lame one but host based firewall is a must. Stateful inspection and make sure to apply out bound rules.

I prefer to only use ssh keys for login and not allow user/pass.

And you can dll the free version of cis bench mark and run that against a system. That little app shows you tons of ways to tighten down a box.

I do these things combined most of the above suggestions.

[18Googol2]

Quote:

Originally Posted by keithlybsd

I prefer to only use ssh keys for login and not allow user/pass.

Just so you know you can use ssh key with passphrase

The followings configuration I would implement to secure ssh access and I think they are quite elegant:

- VPN

- No direct ssh access from internet. To access the server, all the ssh traffic is tunnelled (the only limitation with my current tunnelling application, hts & htc is it cant accept multiple tunneling connections. Anyone know the alternative one that can do this? )

- Port knocking

[keithlybsd]

Quote:

Originally Posted by 18Googol2

Just so you know you can use ssh key with passphrase

The followings configuration I would implement to secure ssh access and I think they are quite elegant:

- VPN

- No direct ssh access from internet. To access the server, all the ssh traffic is tunnelled (the only limitation with my current tunnelling application, hts & htc is it cant accept multiple tunneling connections. Anyone know the alternative one that can do this? )

- Port knocking

Yes I know, I meant not plain old/user pass logins.

I typically setup agent and then forward the passphrase

[keithlybsd]

sorry not sure what you mean by hts and htc.


So you tunnel the ssh through a VPN?