vivek
May 19th, 2009, 14:47
This is list of recommended security settings to protect FreeBSD server from both internal (done by your own users) and external attacks (done by crackers). Please discuss your recommendation below and I will update main post as and when required. The goal is to create a nice itemized and linked (to man files, handbook articles, etc.) article in the HOWTO section.
OpenSSH server
Unless the system needs to provide the remote login and file transfer capabilities of SSH, disable the OpenSSH server. However, it is required in 95% case.
Block ssh login attempts
Use any one of the following port:
security/denyhosts Works with both jaild ssh and host sshd without firewall access. Blocks ssh access.
security/sshguard-pf Protect hosts from brute force attacks against ssh and other services using pf
security/sshguard-ipfw Protect hosts from brute force attacks against ssh and other services using ipfw
security/sshguard-ipfilter Protect hosts from brute force attacks against ssh and other services using ipfilter
security/sshblock Block abusive SSH login attempts
security/sshit Checks for SSH/FTP bruteforce and blocks given IPs
Configure firewall such as pf to limit incomming port 22 traffic. Allow, ssh login from 192.168.1.0/24 220.1.2.3 only. A typical pf rule:
pass in on $ext_if inet proto tcp from {192.168.1.0/24, 220.1.2.3 } to 201.41.71.xxx port ssh flags S/SA synproxy state
/etc/ssh/sshd_config Settings
Set Idle Timeout Interval for User Logins (600 seconds)
ClientAliveInterval 600
ClientAliveCountMax 0
Disable .rhosts Files
IgnoreRhosts yes
Disable Host-Based Authentication
HostbasedAuthentication no
Disable Empty Passwords
PermitEmptyPasswords no
Limit Users' SSH Access, allow only foo (add foo to wheel so that he can su - root) and bar to login via ssh:
AllowUsers foo bar
Configure public keybased login for ssh - http://www.freebsd.org/doc/en/books/handbook/openssh.html
Use Keychain from Gntoo project, which is a shell script which acts as a user-friendly front-end to ssh-agent(1), allowing you to have one long-running ssh-agent process per system rather than per login session. This is must for all servers, if you are configuring password less login for backup or any other purposes.
Keychain How to http://www.gentoo.org/proj/en/keychain/
security/keychain
Other suggestions - Disable root login, change ssh port, Bind ssh to specific IP address,Only use SSH protocol 2,Deny root user login,Setup login banner ,Disable SSHD password authentication See: http://nixcraft.com/2516-post1.html
Recommend readings:
pf.conf
sshd
sshd_config
Openssh FAQ http://www.openssh.org/faq.html
Lots of suggestion @ slashdot thread - rundown on SSH Brute Force Attacks - http://it.slashdot.org/article.pl?sid=05/07/16/1615233
FreeBSD Jails
FreeBSD jail establish a clean cut separation between various services and users, mainly for security and ease of administration reasons. Run major services such as HTTPD, SMTPD, SQL Server and other public services in a jail. It offers the following features:
Virtualization: Each jail is a virtual environment running on the host machine with its own files, processes, user and superuser accounts. From within a jailed process, the environment is (almost) indistinguishable from a real system.
Security: Each jail is sealed from the others thus providing an additional level of security.
Ease of delegation: Thanks to the limited scope of a jail, it allows administrators to painlessly delegate several tasks which require superuser access without handing out complete control over the system.
Jail Setup Tutorial - http://www.freebsd.org/doc/en/books/handbook/jails.html
Multiple IPs in jail - http://www.cyberciti.biz/faq/freebsd-jail-add-multiple-ipv4-ipv6-address/
Man pages - jail jls jexec
Host-based intrusion detection system
Use integrity checking software which can detect the intrusions. It monitors filesystem for unauthorized change such as find out if system binaries modified and new cracked versions installed or not.
security/aide - AIDE is Advanced Intrusion Detection Environment. This piece of software was written as a replacement and extension for Tripwire.
security/integrit - Integrit is an alternative to file integrity verification programs like tripwire and aide. It helps you determine whether an intruder has modified a computer system.
security/tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes.
Monitor log files
FreeBSD installs couple of scripts and email output to root account. Read those security emails. It contains lots of useful information and warnings. You can also use the following tools:
sysutils/logcheck helps spot problems, anomalies and security violations in your logfiles automatically and will send the summaries to you via e-mail. Logcheck is run as a cron job.
Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.
Use shell tools such as tail, grep, awk and friends to monitor log files. A few quick examples:
tail -f /var/log/messages
tail -f /var/log/maillog
egrep -i 'wanr|error' /var/log/messages
awk '{ print $1}' /var/log/httpd-access.log| sort | uniq -c | sort -n
Root account security
You need to protect root account. A few tips:
Never give out root password to anyone. Delegate root level access using sudo (port security/sudo. Never give shell or vi or any command that can escape to shell access using sudo. Keep an eye on sudo log file and /var/log/auth.log.
Automatically log users out after a period of inactivity by setting
# csh / tcsh - 5 minutes time out
set -r autologout 5
# bash / sh 300 seconds time out
TMOUT=300
readonly TMOUT
export TMOUT
Add above to system global shell startup files.
Use sysutils/vlock a utility which locks a terminal so it can only be unlocked with the user's password (or the root password).
See Openssh and scripts for more info - http://www.cyberciti.biz/faq/linux-unix-login-bash-shell-force-time-outs/
See FreeBSD handbook for protecting root user - http://www.freebsd.org/doc/en/books/handbook/securing-freebsd.html
kern.securelevel
Set kern.securelevel level 3 once *everything is configured* properly. Any super-user process can raise the level, but no process can lower it. See security man page and FreeBSD handbook security chapter - http://www.freebsd.org/doc/en/books/handbook/security.html
Sample /etc/rc.conf settings:
kern_securelevel_enable="YES"
kern_securelevel="3"
Various limitations on users
Use limitations to avoid DoS attack from both internal and external threats.
Disk limitations via file system disk quota - See tutorial - http://www.freebsd.org/doc/en/books/handbook/quotas.html
Configure user resource limits, accounting limits via login class. You can control cputime, memory, vm usage, umask, path, open FDs, file limits, max process and so on. See login.conf man page for details.
ACL - Access Control Lists (http://www.freebsd.org/doc/en/books/handbook/fs-acl.html) extend the standard UNIX® permission model in a highly compatible (POSIX®.1e) way. This feature permits an administrator to make use of and take advantage of a more sophisticated security model.
NOTE: I'm still working on a list...
OpenSSH server
Unless the system needs to provide the remote login and file transfer capabilities of SSH, disable the OpenSSH server. However, it is required in 95% case.
Block ssh login attempts
Use any one of the following port:
security/denyhosts Works with both jaild ssh and host sshd without firewall access. Blocks ssh access.
security/sshguard-pf Protect hosts from brute force attacks against ssh and other services using pf
security/sshguard-ipfw Protect hosts from brute force attacks against ssh and other services using ipfw
security/sshguard-ipfilter Protect hosts from brute force attacks against ssh and other services using ipfilter
security/sshblock Block abusive SSH login attempts
security/sshit Checks for SSH/FTP bruteforce and blocks given IPs
Configure firewall such as pf to limit incomming port 22 traffic. Allow, ssh login from 192.168.1.0/24 220.1.2.3 only. A typical pf rule:
pass in on $ext_if inet proto tcp from {192.168.1.0/24, 220.1.2.3 } to 201.41.71.xxx port ssh flags S/SA synproxy state
/etc/ssh/sshd_config Settings
Set Idle Timeout Interval for User Logins (600 seconds)
ClientAliveInterval 600
ClientAliveCountMax 0
Disable .rhosts Files
IgnoreRhosts yes
Disable Host-Based Authentication
HostbasedAuthentication no
Disable Empty Passwords
PermitEmptyPasswords no
Limit Users' SSH Access, allow only foo (add foo to wheel so that he can su - root) and bar to login via ssh:
AllowUsers foo bar
Configure public keybased login for ssh - http://www.freebsd.org/doc/en/books/handbook/openssh.html
Use Keychain from Gntoo project, which is a shell script which acts as a user-friendly front-end to ssh-agent(1), allowing you to have one long-running ssh-agent process per system rather than per login session. This is must for all servers, if you are configuring password less login for backup or any other purposes.
Keychain How to http://www.gentoo.org/proj/en/keychain/
security/keychain
Other suggestions - Disable root login, change ssh port, Bind ssh to specific IP address,Only use SSH protocol 2,Deny root user login,Setup login banner ,Disable SSHD password authentication See: http://nixcraft.com/2516-post1.html
Recommend readings:
pf.conf
sshd
sshd_config
Openssh FAQ http://www.openssh.org/faq.html
Lots of suggestion @ slashdot thread - rundown on SSH Brute Force Attacks - http://it.slashdot.org/article.pl?sid=05/07/16/1615233
FreeBSD Jails
FreeBSD jail establish a clean cut separation between various services and users, mainly for security and ease of administration reasons. Run major services such as HTTPD, SMTPD, SQL Server and other public services in a jail. It offers the following features:
Virtualization: Each jail is a virtual environment running on the host machine with its own files, processes, user and superuser accounts. From within a jailed process, the environment is (almost) indistinguishable from a real system.
Security: Each jail is sealed from the others thus providing an additional level of security.
Ease of delegation: Thanks to the limited scope of a jail, it allows administrators to painlessly delegate several tasks which require superuser access without handing out complete control over the system.
Jail Setup Tutorial - http://www.freebsd.org/doc/en/books/handbook/jails.html
Multiple IPs in jail - http://www.cyberciti.biz/faq/freebsd-jail-add-multiple-ipv4-ipv6-address/
Man pages - jail jls jexec
Host-based intrusion detection system
Use integrity checking software which can detect the intrusions. It monitors filesystem for unauthorized change such as find out if system binaries modified and new cracked versions installed or not.
security/aide - AIDE is Advanced Intrusion Detection Environment. This piece of software was written as a replacement and extension for Tripwire.
security/integrit - Integrit is an alternative to file integrity verification programs like tripwire and aide. It helps you determine whether an intruder has modified a computer system.
security/tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes.
Monitor log files
FreeBSD installs couple of scripts and email output to root account. Read those security emails. It contains lots of useful information and warnings. You can also use the following tools:
sysutils/logcheck helps spot problems, anomalies and security violations in your logfiles automatically and will send the summaries to you via e-mail. Logcheck is run as a cron job.
Logwatch is a customizable, pluggable log-monitoring system. It will go through your logs for a given period of time and make a report in the areas that you wish with the detail that you wish.
Use shell tools such as tail, grep, awk and friends to monitor log files. A few quick examples:
tail -f /var/log/messages
tail -f /var/log/maillog
egrep -i 'wanr|error' /var/log/messages
awk '{ print $1}' /var/log/httpd-access.log| sort | uniq -c | sort -n
Root account security
You need to protect root account. A few tips:
Never give out root password to anyone. Delegate root level access using sudo (port security/sudo. Never give shell or vi or any command that can escape to shell access using sudo. Keep an eye on sudo log file and /var/log/auth.log.
Automatically log users out after a period of inactivity by setting
# csh / tcsh - 5 minutes time out
set -r autologout 5
# bash / sh 300 seconds time out
TMOUT=300
readonly TMOUT
export TMOUT
Add above to system global shell startup files.
Use sysutils/vlock a utility which locks a terminal so it can only be unlocked with the user's password (or the root password).
See Openssh and scripts for more info - http://www.cyberciti.biz/faq/linux-unix-login-bash-shell-force-time-outs/
See FreeBSD handbook for protecting root user - http://www.freebsd.org/doc/en/books/handbook/securing-freebsd.html
kern.securelevel
Set kern.securelevel level 3 once *everything is configured* properly. Any super-user process can raise the level, but no process can lower it. See security man page and FreeBSD handbook security chapter - http://www.freebsd.org/doc/en/books/handbook/security.html
Sample /etc/rc.conf settings:
kern_securelevel_enable="YES"
kern_securelevel="3"
Various limitations on users
Use limitations to avoid DoS attack from both internal and external threats.
Disk limitations via file system disk quota - See tutorial - http://www.freebsd.org/doc/en/books/handbook/quotas.html
Configure user resource limits, accounting limits via login class. You can control cputime, memory, vm usage, umask, path, open FDs, file limits, max process and so on. See login.conf man page for details.
ACL - Access Control Lists (http://www.freebsd.org/doc/en/books/handbook/fs-acl.html) extend the standard UNIX® permission model in a highly compatible (POSIX®.1e) way. This feature permits an administrator to make use of and take advantage of a more sophisticated security model.
NOTE: I'm still working on a list...