Hardening FreeBSD
I'd like to start a lively discussion on the methods and procedures everyone uses to "harden" their FreeBSD systems.
Anyone?
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
argh @ php ... let's not start a discussion on that haha
I don't really do much to FreeBSD... if you really want to go into hardening FreeBSD, have a look at the OS security levels and perhaps change the default md5 hashing in master.passwd to blowfish encryption. Definitely reduce the number of daemons that run on the machine and, if you really want, change the default SSH port (as edhunter suggests).
I tend to chmod 4750 any setuid root binaries so that only people in wheel can execute them. Could help prevent a local privilege escalation if someone manages to obtain uid nobody via Apache or some other service, or you just have untrusted users on your system.
I also chmod 700 all home directories to prevent users snooping through each other's files -- the number of times I've come across 'passwords.txt'-like files is alarming!
What's wrong with keeping a password.txt file? *sniggers*
Pretty straightforward for my desktop:
I actually need to run an annoying proprietary java app that listens on all local interfaces to establish a secure connection with a system at work, so keeping in line with point #1 I run a packet filtering firewall to prevent outside connections to it. (Otherwise I probably wouldn't bother with the firewall.)
__________________
Kill your t.v.
Me personally (and all I've been setting up lately are servers) I use this as a start:
http://www.bsdguides.org/guides/free...ity/harden.php And go on from there depending on each service that needs to be run. I've also been building ezjails (I like it for its low overhead and read only base system) lately. One for each service I want to run (For example, one is running Apache/OpenSSL/PHP, another is running MySQL, another running PostgreSQL, and yet another running VSFTPd). I find it tends to make each jail easy to secure as there is relatively little installed in each jail.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
I like to check the filesystem for changes with tools like TripWire or Yafic. I also like to have a quick look at my logs every morning while drinking coffee.
__________________
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction."
Lots of good suggestions here,
I am sure this is a lame one, but a host-based firewall is a must. Stateful inspection, and make sure to apply outbound rules. I prefer to only use ssh keys for login and not allow user/pass. And you can download the free version of the CIS benchmark and run that against a system. That little app shows you tons of ways to tighten down a box. I do these things combined with most of the above suggestions.
The following configurations I would implement to secure ssh access, and I think they are quite elegant:
- VPN
- No direct ssh access from the internet. To access the server, all the ssh traffic is tunnelled (the only limitation with my current tunnelling application, hts & htc, is it can't accept multiple tunneling connections. Anyone know an alternative one that can do this?)
- Port knocking
Yes, I know; I meant no plain old user/pass logins. I typically set up an agent and then forward the passphrase.
Sorry, not sure what you mean by hts and htc.
So you tunnel the ssh through a VPN?
hts & htc are the HTTP tunneling server and client applications.
You tunnel the ssh traffic encapsulated in HTTP. That means the ssh traffic now looks like normal web traffic, which is very nice because in some places like schools and workplaces the only kind of outgoing traffic allowed is web, and the bloody firewall blocks the rest: ssh, pop3, file sharing, you name it. Unless they implement an IDS or an L7 firewall, you should be able to ssh to your home server without any problem.
My typical steps are to:
- Change the headers on each vtty* above the login prompt to something less "let's tell the whole world what we are".
- Change the motd to something more strict and create a suitable banner for sshd.
- Ensure proper settings for users and passwords.
- Create groups/users and set perms as necessary for the system and ensure a sensible setup for what it's there to do.
- Configure sshd to be a bit more to my 'tastes' than the defaults and change it from port 22 to something else.
- Kill unnecessary services; I usually don't use inetd either, but that's just my way of doing things.
- Say hello to pf and continue with system-wide adjustments as necessary (e.g. "what is this machine for" factors).
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
I am a newbie in the FreeBSD world. All my life I was an OS/2 and Linux user, but for the last three or four months (am I old??) on my computer there is just FreeBSD 7.0, and I am upset with myself why I didn't install this great system 15 years ago.
I like to work in the console but I like KDE too, and I use the computer as a desktop machine. What I did for hardening, and I hope that is okay: in rc.conf I have:
syslogd_flags="-ss"
clear_tmp_enable="YES"
log_in_vain="1"
tcp_drop_synfin="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
ntpdate_enable="YES"
ntpdate_flags="ntp1.cs.wisc.edu"
linux_enable="YES"
pf_enable="YES"
pflog_enable="YES"
update_motd="NO"
Yes, I run the OpenBSD firewall. In sysctl.conf I wrote:
security.bsd.see_other_uids=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
Maybe there are some more changes but I don't remember now...
My suggestions for hardening (that I can remember without documentation):
- Disable root login for sshd (should be done by default)
- Change the SSHD port to something different and only allow certain users/groups to login to sshd
- If you can't/don't want to change the listening port, then set up something like swatch or denyhosts to block any IP addresses attempting to brute force accounts on your box
- Disable any services you do not need (don't use inetd if you don't need to)
- Add -ss to disable syslogd binding to a socket
- Use secure permissions on log files (don't allow any user who doesn't need to read log files access to them)
- Remove the sticky bit on set UID/GID binaries
- Only allow authorised users to run cron jobs
- Change the default encryption for passwords to blowfish
- Set up PF to block network access to services that remote hosts don't need access to
- Add the following to /etc/rc.conf:
  icmp_drop_redirect="YES"
  icmp_log_redirect="YES"
  log_in_vain="YES"
- Bring the ARP cache timeout down to five minutes. Append to /etc/sysctl.conf: net.link.ether.inet.max_age=300
- Remove the toor account
- nosuid option on /tmp in /etc/fstab
__________________
It was a new day yesterday, but it's an old day now.
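The sshd changes that keep coming up in this thread (no root login, a non-default port, keys instead of passwords, login limited to certain groups) are easy to get subtly wrong by hand: a commented-out `#PermitRootLogin yes` left next to a new line, a duplicate `Port`, or an option appended after a `Match` block where it only applies to that block. As an added example, not code from any post here, the POSIX sh below edits an sshd_config idempotently with awk and reads back the value sshd would actually use. The port 2222 and the group `wheel` in the usage are assumptions; pick your own. After running it on the real file, check it with `sshd -t` and keep an existing session open while you restart sshd, so a mistake does not lock you out.

```shell
#!/bin/sh
# Added example, not from the thread. Idempotent sshd_config hardening.

# set_sshd_option FILE KEY VALUE
# Rewrite the first global "KEY ..." or "#KEY ..." line as "KEY VALUE", drop
# any later global duplicates, and if the option is absent insert it before
# the first Match block (options after Match apply only to that block, so
# appending at the end of the file would be wrong). Keywords compare
# case-insensitively, as sshd itself treats them.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        tolower($1) == "match" && !in_match {
            in_match = 1
            if (!done) { print k " " v; done = 1 }
        }
        in_match { print; next }
        tolower($1) == tolower(k) || tolower($1) == ("#" tolower(k)) {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_option FILE KEY
# Print the global value sshd would use for KEY: the first uncommented match
# before any Match block. Prints nothing if the option is unset (default).
sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT GROUP
# The settings the posts above ask for. ChallengeResponseAuthentication is
# the keyword of this thread's OpenSSH era; newer releases also accept
# KbdInteractiveAuthentication for the same thing.
harden_sshd_config() {
    file=$1 port=$2 group=$3
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" AllowGroups "$group"
}

# Usage on a copy first, then the real file:
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new
#   harden_sshd_config /tmp/sshd_config.new 2222 wheel   # assumed port/group
#   sshd -t -f /tmp/sshd_config.new && sshd_option /tmp/sshd_config.new PermitRootLogin
```

Running `harden_sshd_config` twice on the same file leaves it byte-for-byte identical, which is what makes it safe to put in a provisioning script that re-runs on every boot or upgrade.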
- /usr ro,nodev; /home nosuid,nodev,noexec; /tmp -> /var/tmp
- use of rkhunter, chkrootkit, logcheck
- lock up all services that allow access to the inside in jails (yep, ezjail)
- jails on separate partition(s) or image(s)
- OTPs for all accounts
- disable local console root access
- kernel without module support
- all services on non-standard ports
- chflags schg on all sensitive files, sappend on logs
- afterwards raise securelevels, if you care
- provide a VPN for access to your server, regardless of LAN/WLAN

Even more paranoid:
- disable .history for all shells
- don't cache passwords to LAN services (HTTP/SMTP/etc.)
- use tor (at least for DNS queries)
- use privoxy for filtering (in a jail, of course)
- if using firefox from inside, use NoScript where possible

Want more?
- provide a UPS for your machine
- provide a webcam with motion recognition and shutdown timer (harddisk encrypted, of course)
- close windows and draw the curtains before touching a keyboard
- <add your favourite option here>
I noticed no one mentioned using various "Secure Levels." Is there anyone here running their FreeBSD system at Secure Level 2 or 3?