Making FreeBSD Safer (Securing FreeBSD)


Author: Dru Lavigne

Translation: Delphij

Over the past few days I have been going through some of my old notes and the security tips I have collected over the years. I think they may be useful to you, so this week I am interrupting the documentation series to write about securing your FreeBSD system.

Obviously, one article cannot cover everything in this field, and no single recipe can guard against every threat or guarantee that any system is secure.

While going through my notes, I noticed how many of the tips were aimed at hardening a FreeBSD server (a web server, a mail server, and so on). If you use FreeBSD as a personal system and want full desktop functionality, those tips are not quite what you need. You do not want some feature to stop working because of a hardening setting you applied a week ago, leaving you unable to use your computer until you track down the cause.

So you will notice that, unlike many other security tutorials, this document does not recommend changing the permissions of files in the FreeBSD base system. This is intentional. Unless you are hardening a production server and know exactly what you are doing, do not change file permissions (if you must experiment, do it in your own home directory). Otherwise things such as mail, the X Window System or sound may stop working, and the odd behaviour will show up at some inconvenient moment and cost you a long headache over what turns out to be a permission change you made a week earlier.

We all know the Internet is not always a friendly place, and you probably do not want someone elsewhere to have the same access to your machine that you have. This means you should not be on the Internet without some kind of firewall. Fortunately, your FreeBSD system comes with a choice of firewalls: IPFW and IPFilter. Even better, good and readable documentation is growing quickly. If you are not yet behind a firewall, spend some time reading about them and set one up on your system. You will be glad you did. Here are some of the available resources:

man ipfw

FreeBSD Handbook: Section 10.7 - Firewalls

Setting up a dual-homed host using ipfw and natd

man ipf

IPFilter and PF Resources

Good security is always "defence in depth", meaning that if one mechanism fails there is still a backup. So even with your system behind a firewall, you should still disable every service except those you absolutely need. A desktop system does not need many services.

Use the following command to see which services are listening on your system:

sockstat -4

The output varies widely, depending on the software you selected in the final stage of the installation and on the ports and packages you installed afterwards.

Port 6000 (the X Window server) is very common in the output; if you do not see it, start an X session and run sockstat -4 again. Unfortunately, there have been many attacks against X over the past few years. Fortunately, using X does not require port 6000 to be open, so do not worry: you can still use the graphical interface with this port closed.

There are several ways to close this port. The easiest one I have found is to become the superuser and edit /usr/X11R6/bin/startx. Find the serverargs line and change it to:

serverargs="-nolisten tcp"

After saving the change, run X as a normal user and execute sockstat -4. If you made no typing errors, X will start as usual, but port 6000 will no longer appear in the sockstat -4 output.

If you want to know what can happen through port 6000, read Crash Course in X Window Security.

OK, now there are fewer services in the sockstat -4 output. We also need to deal with mail: port 25 (SMTP) and port 587 (submission). Sending and receiving mail does not require port 587. To close it, edit /etc/mail/sendmail.cf and find this line:

O DaemonPortOptions=Port=587, Name=MSA, M=E

Add a # in front of it, then tell sendmail about the change:

killall -HUP sendmail

-HUP does not kill sendmail; it tells sendmail to re-read /etc/mail/sendmail.cf. Run sockstat -4 again and port 587 will no longer be listed.

What about port 25? You may or may not need it open, depending on which mail program you use to send and receive mail. On systems running FreeBSD 4.6-RELEASE or later, adding the following line to /etc/rc.conf:

sendmail_enable="no"

tells sendmail to listen only on localhost, which still lets any mail client send mail. If you know your mail client has its own built-in SMTP agent, or you like living dangerously, you can try:

sendmail_enable="none"

This closes port 25 completely. Because not being able to send mail is a serious problem, test it: make sure you have closed all applications, then run the following as superuser:

shutdown now

When the prompt appears, press Enter and then exit. After logging in again, send yourself a message; if you cannot receive it, change none back to no.

If sockstat shows port 111 open, add the following lines to /etc/rc.conf (or, if they are already there, change YES to NO):

nfs_server_enable="NO"

nfs_client_enable="NO"

portmap_enable="NO"

portmap is only needed when running NFS, which a FreeBSD desktop rarely needs. It has a long history of security problems, so leave it disabled unless you absolutely need it.

syslog (port 514) may also appear in your output. We do not want to turn syslog off entirely, because the logging it provides is something we need, but we do not need an open port for it. Add the following options to /etc/rc.conf:

syslogd_enable="YES"

syslogd_flags="-ss"

The -ss flag (note the two s's, not one) disables logging from remote hosts and closes the port, while still allowing localhost to log.

Next, make sure inetd_enable is not set to YES in /etc/rc.conf. If inetd appears in the sockstat output, some entries in /etc/inetd.conf are enabled; for each one you do not need, add a # at the front of its line, then run killall inetd. If you use DHCP to obtain your address automatically, leave dhclient (UDP 68) open, otherwise your lease will not be renewed.

If you find anything else in the sockstat output, check man rc.conf for a way to turn it off. If there is none, it is most likely being started by a startup script; run:

cd /usr/local/etc/rc.d

and look at the startup scripts on your system. Most packages and ports install a script with a .sample extension for starting their service; these are not executed. Scripts without that extension are executable and are run when the computer boots. To disable a service, simply rename its script to end in .sample, then kill the daemon, and sockstat will stop showing it. For example, after I recently installed Ethereal I found snmpd in the sockstat -4 output. This program does not have a good security record, so I became root and ran the following commands:

cd /usr/local/etc/rc.d

mv snmpd.sh snmpd.sh.sample

killall snmpd
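The review of sockstat -4 output described above can be turned into a repeatable check. The following script is an added example, not part of the original article: it reads sockstat -4 output, ignores established connections, and reports every listening socket whose local port is not on an allowlist. The sample output lines, the allowlist and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4` output (assumed layout, not captured
# from a real host), showing the listeners discussed in the article plus one
# established connection that must be ignored.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   312   4  tcp4   *:25                  *:*
root     sendmail   312   5  tcp4   *:587                 *:*
root     XFree86    410   1  tcp4   *:6000                *:*
root     syslogd    201   5  udp4   *:514                 *:*
root     dhclient   150   6  udp4   *:68                  *:*
root     snmpd      520   8  udp4   *:161                 *:*
dru      fetch      601   3  tcp4   192.168.1.5:1025      192.168.1.1:80'

# unexpected_listeners "PORT PORT ...": read sockstat -4 output on stdin and
# print COMMAND:PORT for every listening socket (foreign address *:*) whose
# local port is not in the space-separated allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1     { next }        # column header
        $7 != "*:*" { next }        # established connection, not a listener
        {
            port = $6
            sub(/.*:/, "", port)    # keep only the part after the last colon
            if (!(port in ok)) print $2 ":" port
        }'
}

# audit_sample "PORTS": run the check over the constructed sample above
audit_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners "$1"
}

# A desktop that only needs DHCP (68) and local syslog (514):
# everything else printed here is a candidate for the rc.conf changes above.
audit_sample "68 514"
```

On a real system the same function is fed directly: sockstat -4 | unexpected_listeners "68 514". Running it after each change to /etc/rc.conf, startx or the rc.d scripts gives an immediate, empty-output confirmation that only the intended ports remain open.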

You may also want to add the following option to /etc/rc.conf:

tcp_drop_synfin="YES"

This option defeats attempts at OS fingerprinting (translator's note: it has no effect against the latest nmap). If you plan to enable it, you also need to add the following to your kernel configuration file:

options TCP_DROP_SYNFIN

There are two related options:

icmp_drop_redirect="YES"

icmp_log_redirect="YES"

ICMP redirects can be used to mount DoS attacks; the article ARP and ICMP Redirection Games describes some cases.

Be careful with icmp_log_redirect, because it logs every ICMP redirect; if you are under attack, the log can easily fill up.

Once you have a firewall in place, consider adding the following option:

log_in_vain="YES"

This logs connection attempts to closed ports. Another interesting option is:

accounting_enable="YES"

This enables system accounting; if you are not familiar with it, read man sa and man lastcomm.

Finally, the following option may be very useful:

clear_tmp_enable="YES"

It empties /tmp when the system boots, which is always worth doing.

Let's look at other settings that improve security. I prefer to change the default password hashing algorithm to Blowfish, because it gives the best security while also being the fastest. Here is a Comparison of Algorithms.

And if this kind of thing interests you, read the Crypto-Gram Newsletter, written by the author of Blowfish. To enable Blowfish hashing, edit /etc/login.conf and change the passwd_format line to:

:passwd_format=blf:\

Save the file and rebuild the login database:

cap_mkdb /etc/login.conf

You can then change each user's password so that it is stored as a Blowfish hash. Run the following as superuser:

passwd username

You need to change the passwords of all users, including root.

Once that is done, check that you have not missed anyone:

more /etc/master.passwd

Every user's password hash should now start with $2.
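Reading master.passwd by eye is error-prone on a system with more than a handful of accounts. The following script is an added example, not part of the original article: it classifies each account's hash by its prefix and lists every account that can still log in but is not yet using Blowfish. The sample lines, the placeholder hash strings (the right shape, not real hashes) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed /etc/master.passwd sample (not a real file); the hash strings
# are placeholders of the right prefix and length, not real hashes.
SAMPLE_MASTER_PASSWD='root:$2a$04$xxxxxxxxxxxxxxxxxxxxxuyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
dlavigne6:$1$saltsalt$yyyyyyyyyyyyyyyyyyyyyy:1001:1001::0:0:Dru:/home/dlavigne6:/bin/tcsh
genisis:AbCdEfGhIjKlM:1002:1002::0:0:Genisis:/home/genisis:/bin/sh
biko:$2a$04$xxxxxxxxxxxxxxxxxxxxxuyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:1003:1003::0:0:Biko:/home/biko:/bin/sh'

# hash_type HASH: classify one password field by its prefix
hash_type() {
    case "$1" in
        '$2'*)  echo blowfish ;;   # what the article wants to see everywhere
        '$1$'*) echo md5 ;;        # the old FreeBSD default
        '*'*)   echo locked ;;     # '*' can never match: no password login
        '')     echo empty ;;      # no password at all: worse than a weak hash
        *)      echo des ;;        # 13-character traditional crypt
    esac
}

# non_blowfish_accounts: read master.passwd format on stdin and print
# "user:type" for every account that can log in but is not yet Blowfish
non_blowfish_accounts() {
    while IFS=: read -r name hash rest; do
        case "$name" in '#'*|'') continue ;; esac
        t=$(hash_type "$hash")
        case "$t" in
            blowfish|locked) ;;          # already fine, or cannot log in anyway
            *) echo "$name:$t" ;;
        esac
    done
}

# audit_sample_passwd: run the check over the constructed sample above
audit_sample_passwd() {
    printf '%s\n' "$SAMPLE_MASTER_PASSWD" | non_blowfish_accounts
}

audit_sample_passwd
```

On a real system run it as root with non_blowfish_accounts < /etc/master.passwd; every name it prints still needs a passwd run. Locked accounts such as toor and daemon are skipped because a "*" hash can never match, and an empty field is reported on purpose since it allows login without any password.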

Finally, reconfigure adduser to use Blowfish from now on. Edit /etc/auth.conf, find the crypt_default line and change it to:

crypt_default=blf

You may have noticed that every time you log in, FreeBSD announces that the system is running FreeBSD, along with its copyright notice, the kernel build time, and so on. This information can be useful, but it is rather annoying, and when other people can log in it may reveal details you would rather not expose.

You can stop your computer from saying things it should not by editing /etc/motd and putting in whatever you like instead, such as your favourite sci-fi digest or anything else; in short, whatever you want it to say.

Next, suppress the copyright notice:

touch /etc/COPYRIGHT

You can also change the login prompt by editing /etc/gettytab. Find the default:\ section and the line that begins:

:cb:ce:ck:lc:

Carefully edit the text between \r\n\r\n and \r\n\r\n: to suit your needs. Check the number of \r and \n sequences carefully and save the change. For example, my login prompt looks like this:

I'm a node in cyberspace. Who are you?

login:

Try logging in on another terminal to confirm that it works.

Finally, even after you have edited motd and removed the kernel version information, by default FreeBSD will write the kernel version back into /etc/motd at boot. To prevent this, edit /etc/rc.conf and add:

update_motd="no"

This setting takes effect after a reboot.

Restricting logins is also very important. Because these changes alter the behaviour of the login program, they need great care. A good habit is to keep one terminal logged in as root while you test on another terminal, so that you can still fix things if something goes wrong.

Nobody, including you, should log in directly as root. Edit /etc/ttys; you will notice a series of entries for ttyv0 through ttyv8. Change the word secure at the end of each to insecure. This is definitely a file you do not want any mistakes in, so test carefully. If the setting is correct, an attempt to log in as root will get "Login incorrect".

I personally tend to use all nine terminals. If you do not plan to, change the corresponding "on" to "off", but only for some of the ttys: remember to leave at least one "on", otherwise you will be unable to log in and the system will be unusable. ttyv8 is "off" by default, which means you have to start X manually; if you want it to start automatically, change it to "on". The last thing I want to cover is preventing logins from other places, which is done by editing /etc/login.access.

If you want to forbid all remote logins (meaning you must be physically sitting at the machine), remove the # at the front of the following line:

#-:wheel:ALL EXCEPT LOCAL .win.tue.nl

Remove .win.tue.nl so that it looks like this:

-:wheel:ALL EXCEPT LOCAL

If you need to log in remotely, replace .win.tue.nl with the appropriate IP address or domain name. If there are several, separate them with spaces.

If there are only one or two users, you can deny logins to everyone else:

-:ALL EXCEPT user1 user2:ttyv0 ttyv1 ttyv2 ttyv3 ttyv4

Replace user1 user2 with the actual user names, and add further ttys as needed.

Alternatively, a group can be used here. First edit /etc/group and add the following line:

mygroup:*:100:genisis,dlavigne6,biko

When adding a group, the GID must be unique.

Then edit /etc/login.access:

-:ALL EXCEPT mygroup:ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5

Testing is very important; be sure to keep one terminal logged in. Test logging in on every terminal to confirm the effect.
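Because a mistake in /etc/login.access can lock you out, it helps to understand how its rules are evaluated before testing on the real terminals. The following script is an added example, not part of the original article or of FreeBSD: it re-implements the login.access matching rules (first matching rule wins, ALL and ALL EXCEPT in either field, LOCAL matching any origin without a dot, no match meaning permit) in plain sh over a constructed rule set made of this article's own examples plus one group rule. The rule set, the sample logins and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed rule set (assumed, not the page's file) in /etc/login.access
# syntax: permission:users-or-groups:origins.  The first matching rule wins;
# if no rule matches, the login is permitted.
RULES='# comment lines and blank lines are ignored
-:wheel:ALL EXCEPT LOCAL
-:ALL EXCEPT user1 user2:ttyv0 ttyv1 ttyv2
-:ALL EXCEPT mygroup:ttyv3'

# in_list WORD "LIST": succeed if WORD is one of the space-separated words in LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# field_matches "IDENTS" "FIELD": IDENTS are the names one party goes by
# (user name plus group names, or tty name plus LOCAL); FIELD is one
# login.access field, either a plain list (may contain ALL) or "ALL EXCEPT list".
field_matches() {
    case "$2" in
        "ALL EXCEPT "*)
            excl=${2#"ALL EXCEPT "}
            for i in $1; do
                in_list "$i" "$excl" && return 1   # excluded: field does not match
            done
            return 0 ;;
        *)
            in_list ALL "$2" && return 0
            for i in $1; do
                in_list "$i" "$2" && return 0
            done
            return 1 ;;
    esac
}

# login_access_check USER "GROUPS" ORIGIN: return 0 if RULES permit the login
# and 1 if they deny it.  As in login.access, LOCAL matches any origin that
# contains no '.', i.e. a tty name rather than a host name.
login_access_check() {
    user=$1; groups=$2; origin=$3
    case "$origin" in
        *.*) oid=$origin ;;
        *)   oid="$origin LOCAL" ;;
    esac
    while IFS=: read -r perm users origins; do
        case "$perm" in '#'*|'') continue ;; esac
        if field_matches "$user $groups" "$users" && field_matches "$oid" "$origins"; then
            [ "$perm" = "+" ] && return 0
            return 1
        fi
    done <<EOF
$RULES
EOF
    return 0
}

# show USER "GROUPS" ORIGIN: print the decision for one sample login
show() {
    if login_access_check "$1" "$2" "$3"; then r=permit; else r=deny; fi
    printf '%-10s groups=%-8s from %-16s -> %s\n' "$1" "$2" "$3" "$r"
}

show root    wheel   ttyv0
show root    wheel   host.example.com
show user1   ""      ttyv0
show bob     ""      ttyv1
show genisis mygroup ttyv3
show bob     ""      ttyv3
```

Two results are worth noticing before you edit the real file: root is denied on ttyv0 not by the wheel rule (LOCAL is excluded there) but by the second rule, because root is not user1 or user2; and a member of mygroup passes the third rule only because the group name is checked alongside the user name, exactly as with the article's mygroup line. Paste your own rules into RULES and run show for every user and terminal you care about before touching the real file.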

Note: when reprinting or excerpting, please keep the author information and cite the source (Chinese FreeBSD User Group, http://www.cnfug.org).
