Securing FreeBSD Install
Contributed by Chad Brandt  
Wednesday, 16 June 2004
Learn some of the basic steps you can take to make your FreeBSD system more secure.

1. Set additional flags on your /tmp and /home directories. I will show you how to see your current flags and how to change them.

[root]# mount
/dev/ad0s1a on / (ufs, local)
/dev/ad0s1f on /tmp (ufs, local, nodev, nosuid, soft-updates)
/dev/ad0s1g on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
/dev/ad0s1h on /home (ufs, local, nosuid, with quotas, soft-updates)
procfs on /proc (procfs, local)

The two partitions above, /tmp and /home, are the ones we will be adding flags for. As you can see, I added nodev and nosuid on /tmp, and nosuid and quotas on /home.

nodev - stops character or block special devices from being interpreted on the filesystem
nosuid - prevents set-user-id programs from taking effect when run from this filesystem
quotas - limits the amount of disk space that your users may use

You can set these flags in the /etc/fstab file.

The /tmp directory is world writable, so taking these additional steps is a good idea.
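As an added example (not part of the original article), the following POSIX shell script audits mount(8)-style output for the nodev and nosuid flags recommended above and appends a missing option to an fstab line. The mount listing it reads is constructed to resemble the one shown earlier, with /home deliberately lacking nodev; on a live FreeBSD host you would pipe the real `mount` output into `audit_mount_flags`.

```shell
#!/bin/sh
# Added example, not from the original article: check /tmp and /home for the
# nodev and nosuid mount flags and fix up fstab lines. Requires only sh and awk.

# Constructed sample mount(8) output; /home is missing nodev on purpose.
SAMPLE_MOUNT='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1f on /tmp (ufs, local, nodev, nosuid, soft-updates)
/dev/ad0s1g on /usr (ufs, local, soft-updates)
/dev/ad0s1h on /home (ufs, local, nosuid, with quotas, soft-updates)'

# Read mount output on stdin; print "mountpoint flag" for each required
# flag (nodev, nosuid) that is absent on /tmp or /home.
audit_mount_flags() {
    awk '
    $3 == "/tmp" || $3 == "/home" {
        # The option list is everything between the parentheses.
        opts = $0; sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
        gsub(/ /, "", opts)
        n = split(opts, o, ",")
        have_nodev = have_nosuid = 0
        for (i = 1; i <= n; i++) {
            if (o[i] == "nodev")  have_nodev = 1
            if (o[i] == "nosuid") have_nosuid = 1
        }
        if (!have_nodev)  print $3, "nodev"
        if (!have_nosuid) print $3, "nosuid"
    }'
}

# add_fstab_option LINE OPTION: print LINE with OPTION appended to the
# fourth (options) field unless it is already present.
add_fstab_option() {
    printf '%s\n' "$1" | awk -v opt="$2" '{
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) if (o[i] == opt) { print; exit }
        $4 = $4 "," opt
        print
    }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_MOUNT" | audit_mount_flags
add_fstab_option "/dev/ad0s1h /home ufs rw,nosuid 2 2" nodev
```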


2. Set your system security level. For most machines there is no reason to run at securelevel -1 unless you wish to run X Windows on the machine. If you are running a server it is best NOT to run X, and to raise your kernel security level to 1.

Changing this to 1 means that you may no longer replace the kernel without being in single user mode (the system immutable and system append-only file flags are also enforced), KLDs may not be loaded or unloaded, and /dev/mem and /dev/kmem may not be opened for writing. To change the security level, do the following:

[root]# sysctl kern.securelevel=1

To make this change permanent, add the following to /etc/rc.conf:

kern_securelevel_enable="YES"
kern_securelevel="1"


3. Remove the toor user.

By default, FreeBSD ships with an additional user that has a UID of 0. This user is known as toor (root backwards) and is intended as a backup user, so that if you mistakenly broke (for example) root's shell, you could log in using this user and fix things. The account is disabled (passwordless) by default, and hence of no use UNLESS you change its password. You may either choose to set a password for it, or remove it.

It should be noted that the rmuser(8) command will not allow the deletion of an account with a UID of 0, so you will need to use vipw(8) to remove this account.


4. Shut down any services you are not using.

[root]# netstat -na | grep LISTEN
tcp46 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp46 0 0 *.22 *.* LISTEN

This shows that http (80) and ssh (22) are listening. If you have a process listening and you are unsure which process is keeping that port open, you may use sockstat(1) to list open sockets along with the owning process.


You can also see anything listening on UDP:

[root]# netstat -nap udp
udp4 0 0 *.514 *.*

Here you see that syslogd is listening on port 514 (UDP). You can stop syslogd from listening on a port by changing /etc/rc.conf:

syslogd_enable="YES"
syslogd_flags="-ss"


5. Set up packets sent to non-listening ports to be ignored and go to a 'black hole'.

[root]# sysctl net.inet.tcp.blackhole=1

To make this change permanent, modify /etc/rc.conf:

net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1


6. KEEP YOUR PACKAGES AND OS CURRENT.

I have an article here on how to automatically update your FreeBSD box. I would suggest you set this up!

Comments
sysctl.conf, not rc.conf
Written by Guest on 2005-07-19 02:52:04
Just a minor note, you indicate to edit rc.conf to set the blackhole values, but shouldn't that be /etc/sysctl.conf? ;)
