#1
This is a list of recommended security settings to protect a FreeBSD server from both internal attacks (done by your own users) and external attacks (done by crackers). Please discuss your recommendations below and I will update the main post as and when required. The goal is to create a nice itemized article, linked to man pages, handbook articles, etc., in the HOWTO section.
OpenSSH server
Unless the system needs to provide the remote login and file transfer capabilities of SSH, disable the OpenSSH server. However, it is required in 95% of cases.
Block ssh login attempts. Use any one of the following:
Code:
pass in on $ext_if inet proto tcp from {192.168.1.0/24, 220.1.2.3 } to 201.41.71.xxx port ssh flags S/SA synproxy state
Set Idle Timeout Interval for User Logins (600 seconds):
Code:
ClientAliveInterval 600
ClientAliveCountMax 0
Code:
IgnoreRhosts yes
Code:
HostbasedAuthentication no
Code:
PermitEmptyPasswords no
Code:
AllowUsers foo bar
Use Keychain from the Gentoo project, which is a shell script that acts as a user-friendly front-end to ssh-agent(1), allowing you to have one long-running ssh-agent process per system rather than per login session. This is a must for all servers if you are configuring passwordless login for backups or any other purpose.
Other suggestions - Disable root login, change the ssh port, bind ssh to a specific IP address, only use SSH protocol 2, deny root user login, set up a login banner, disable SSHD password authentication. See: http://nixcraft.com/2516-post1.html
Recommended readings:
FreeBSD Jails
FreeBSD jails establish a clean-cut separation between various services and users, mainly for security and ease of administration reasons. Run major services such as HTTPD, SMTPD, SQL server and other public services in a jail. It offers the following features:
Use integrity checking software which can detect intrusions. It monitors the filesystem for unauthorized changes, such as finding out whether system binaries have been modified and new cracked versions installed.
FreeBSD installs a couple of scripts and emails their output to the root account. Read those security emails. They contain lots of useful information and warnings. You can also use the following tools:
Code:
tail -f /var/log/messages
tail -f /var/log/maillog
egrep -i 'warn|error' /var/log/messages
awk '{ print $1}' /var/log/httpd-access.log | sort | uniq -c | sort -n
You need to protect the root account. A few tips:
NOTE: I'm still working on a list...
__________________
"First they ignore you, then they laugh at you, then they fight you, then you win" -- Mahatma Gandhi.
Last edited by vivek; May 20th, 2009 at 11:47.
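The following is an added example, not code from vivek's post: a POSIX sh script that audits an sshd_config against the settings listed in the post (ClientAliveInterval, ClientAliveCountMax, IgnoreRhosts, HostbasedAuthentication, PermitEmptyPasswords, AllowUsers, plus PermitRootLogin, Protocol and PasswordAuthentication from the "other suggestions"), and then applies the post's sort | uniq -c | sort -n idiom to failed SSH logins in auth.log to show which source addresses are hammering the server. The sshd_config and auth.log contents are constructed samples written to a temporary directory; the function names, the expected-value list and the report format are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an sshd_config against
# the settings recommended above and summarises failed SSH logins per source
# address. Both input files are constructed samples, not real system files.

TMP=${TMPDIR:-/tmp}/sshd_audit.$$
mkdir -p "$TMP"

# Constructed sshd_config: two settings deliberately deviate (PermitRootLogin is
# commented out, ClientAliveCountMax is 3) and AllowUsers is missing entirely.
cat > "$TMP/sshd_config" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin no
ClientAliveInterval 600
ClientAliveCountMax 3
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
EOF

# Constructed /var/log/auth.log excerpt using documentation (TEST-NET) addresses.
cat > "$TMP/auth.log" <<'EOF'
May 20 11:47:01 ns1 sshd[2101]: Failed password for root from 203.0.113.5 port 4433 ssh2
May 20 11:47:03 ns1 sshd[2101]: Failed password for root from 203.0.113.5 port 4433 ssh2
May 20 11:47:09 ns1 sshd[2107]: Failed password for invalid user admin from 198.51.100.7 port 5100 ssh2
May 20 11:47:10 ns1 sshd[2109]: Failed password for invalid user admin from 203.0.113.5 port 4440 ssh2
May 20 11:48:00 ns1 sshd[2120]: Accepted publickey for foo from 192.0.2.10 port 50022 ssh2
EOF

# Option=value pairs the post recommends (assumed list for this example).
SSHD_EXPECTED="PermitRootLogin=no
Protocol=2
PasswordAuthentication=no
ClientAliveInterval=600
ClientAliveCountMax=0
IgnoreRhosts=yes
HostbasedAuthentication=no
PermitEmptyPasswords=no"

# Prints one line per deviation ("<Option> expected <want> got <have|unset>");
# prints nothing when the file satisfies every expectation. sshd uses the first
# uncommented occurrence of a keyword, so that is what is compared (keywords are
# case-insensitive); Match blocks are not interpreted by this check.
audit_sshd_config() {
    file=$1
    printf '%s\n' "$SSHD_EXPECTED" | while IFS='=' read -r opt want; do
        have=$(awk -v key="$opt" '
            /^[[:space:]]*#/ { next }
            tolower($1) == tolower(key) { print $2; exit }
        ' "$file")
        if [ -z "$have" ]; then
            echo "$opt expected $want got unset"
        elif [ "$have" != "$want" ]; then
            echo "$opt expected $want got $have"
        fi
    done
    # AllowUsers has no single correct value; only require that it is present.
    grep -Eiq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' "$file" \
        || echo "AllowUsers expected <user list> got unset"
}

# Failed-password attempts per source address, least frequent first: the same
# sort | uniq -c | sort -n idiom the post applies to httpd-access.log. The
# source address is the token after "from", so it works for both "for root"
# and "for invalid user X" lines.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
    }' "$1" | sort | uniq -c | sort -n
}

echo "== sshd_config deviations =="
audit_sshd_config "$TMP/sshd_config"
echo "== failed SSH logins by source =="
failed_logins_by_source "$TMP/auth.log"
```

On a real server point audit_sshd_config at /etc/ssh/sshd_config and failed_logins_by_source at /var/log/auth.log; an empty first report means the file already carries every setting from the post, and the tail of the second report is the list of addresses worth adding to the pf table that blocks ssh.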
#2
Continued from post # 1...
Apache Security
Run minimal built-in modules. To see all compiled modules:
Code:
httpd -l
Hide the Apache version (/usr/local/etc/apache22/extra/httpd-default.conf):
Code:
ServerTokens Prod
ServerSignature Off
Code:
/usr/local/etc/rc.d/apache22 configtest
Turn off server side includes and server side scripting such as php, python and so on. Only grant access to certain directories to run perl, python, php. Use mod_fastcgi or mod_fcgi. Disable symbolic links. Secure the /tmp and /var/tmp directories and mount them with noexec, nosuid, nosymfollow. Disable .htaccess if not required. Make sure you use mod_ssl to encrypt content. Make sure you install and use mod_security, which provides an application level firewall for Apache. A sample pf.conf(5) rule:
Code:
http_servers = "{ 202.54.1.1, 202.54.1.3, 202.54.1.5}"
https_servers = "{ 202.54.1.2, 202.54.1.3}"
# ....
pass in on $ext_if inet proto tcp from any to $http_servers port http flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to $https_servers port https flags S/SA synproxy state
Configure php securely: use suexec or other wrappers. If possible use www/mod_fastcgi (see FreeBSD apache FastCGI PHP tutorial) to start php externally with another UID. Restrict file and directory access; use the chmod and chgrp commands to set permissions on the documentroot. Configure the firewall to allow access to the web server. Run Apache in a chroot jail if possible. Use chroot(8), FreeBSD jails, www/mod_chroot, or the www/mod_security (mod_security tutorial and project website) SecChrootDir directive. Some basic examples of mod_security:
Code:
# Prevent directory traversal
SecFilter "\.\./"
# Filter on specific system paths
SecFilter /etc/passwd
SecFilter /bin/
# Prevent cross-site scripting
SecFilter "<[[:space:]]*script"
# Prevent SQL injection
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
Code:
portsnap fetch update
pkg_version -vl '<'
Run a lightweight web server. If you just run a wordpress blog or static html site, switch to the www/lighttpd or www/nginx web server.
BIND DNS Server
BIND9 is in the base system. Isolate DNS from other services. FreeBSD supports chrooting the BIND server out of the box. Add the following to /etc/rc.conf:
Code:
named_enable="YES"
named_chrootdir="/var/named"
Code:
dns_servers = "{ 202.1.2.3 }"
# ...
pass in on $ext_if inet proto udp from any to $dns_servers port domain
pass in on $ext_if inet proto tcp from any to $dns_servers port domain flags S/SA synproxy state
Use Views to partition external and internal information. Authenticate zone transfers using TSIG. On the primary ns:
Code:
cd /tmp
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns1.freebsd.org
Code:
cat Kns1.freebsd.org.+NNN+MMMMM.key
Code:
key zone-transfer-key {
algorithm hmac-md5;
secret "base64-key-string";
};
zone "example.com" IN {
type master;
allow-transfer { key zone-transfer-key; };
...
}
Code:
key zone-transfer-key {
algorithm hmac-md5;
secret "base64-key-string";
};
Disable dynamic updates:
Code:
zone "freebsd.org" IN {
allow-update { none; };
...
}
Code:
logging {
channel security_channel {
# Send log messages to the specified file
file "/var/log/security.log" versions 3 size 50m;
# Log all messages
severity debug;
# Log the date and time of the message
print-time yes;
# Log the category of the message
print-category yes;
# Log the severity level of the message
print-severity yes;
};
channel default {
# Send logs to the syslog 'local0' facility
syslog local0;
# Log messages of severity 'info' or higher
severity info;
print-category yes;
print-severity yes;
};
# Logs about approval and denial of requests
category security {
security_channel;
default;
};
# Ignore logs about misconfigured remote servers
category lame-servers { null; };
# Default logging options
category default { default; };
channel "querylog" { file "/var/log/query.log" versions 3 size 50m; print-time yes; };
category queries { querylog; };
};
Code:
# Security networking
# Limit ICMP
net.inet.icmp.icmplim=50
net.inet.icmp.maskrepl=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.bmcastecho=0
net.inet.tcp.icmp_may_rst=0
# Drop synfin packets
net.inet.tcp.drop_synfin=1
# a single pass through the firewall
# net.inet.ip.fw.one_pass=1
# adds more queue buckets for ipfw dummynet
# net.inet.ip.dummynet.hash_size=2048
# increase the size of network mbufs to allocate
# kern.ipc.nmbclusters=65536
# If above used add the following to /boot/loader.conf - reboot needed
# kern.ipc.nmbclusters="65536"
# This is for dos protection
# net.inet.tcp.msl=7500
# Turn off stealth IP networking
net.inet.ip.stealth=0
# Try to protect against scans
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
# Try to stop some syn flood attacks, and route cache degradation
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=256
# Drop evil sourcerouted packets
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
# Turn it on when you have two interfaces on same switch
# net.link.ether.inet.log_arp_wrong_iface=0
# IPCS - memory optimization
kern.ipc.shmmax=134217728
kern.ipc.shmall=32768
kern.ipc.semmap=256
# Hide UID and GID from other users
security.bsd.see_other_gids=0
security.bsd.see_other_uids=0
security.bsd.unprivileged_read_msgbuf=0
# Max open file?
kern.maxfiles=65536
Last edited by vivek; May 27th, 2009 at 14:26.
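As an added example (not part of the original post and not a FreeBSD tool), the following POSIX sh script compares a sysctl.conf-style list like the one above with a snapshot of a system's current values and reports every setting that drifts from the list; settings that are commented out in the list are skipped, just as sysctl.conf would skip them. The list and the snapshot are constructed samples written to a temporary directory; on a live system the snapshot would be the output of sysctl -a, which prints "name: value" on FreeBSD (the parser also accepts the "name = value" form). The function names and the report format are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: report which settings in a
# sysctl.conf-style list differ from a system's current values. Both files
# below are constructed samples; on a real box the snapshot is `sysctl -a`.

TMP=${TMPDIR:-/tmp}/sysctl_drift.$$
mkdir -p "$TMP"

# Desired settings: a subset of the post's list, one of them commented out.
cat > "$TMP/sysctl.conf" <<'EOF'
# Security networking
net.inet.icmp.icmplim=50
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
# net.inet.tcp.msl=7500
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.accept_sourceroute=0
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
EOF

# Constructed snapshot of current kernel values in FreeBSD "sysctl -a" format.
# Three values deliberately differ from the list (icmplim, tcp.blackhole,
# see_other_uids); tcp.msl differs too, but it is commented out in the list.
cat > "$TMP/current.txt" <<'EOF'
net.inet.icmp.icmplim: 200
net.inet.icmp.drop_redirect: 1
net.inet.tcp.drop_synfin: 1
net.inet.tcp.msl: 30000
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 1
net.inet.ip.accept_sourceroute: 0
security.bsd.see_other_uids: 1
security.bsd.see_other_gids: 0
EOF

# Print "name=value" for every active (uncommented, non-blank) line of a
# sysctl.conf; comments and whitespace are stripped first.
parse_sysctl_conf() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Print "name expected <want> current <have>" for each setting whose current
# value differs, using "<missing>" when the snapshot does not list the name.
# The snapshot separator may be ":" (FreeBSD) or "=" (Linux); it is normalised
# to "=" before an exact prefix match on "name=".
sysctl_drift() {
    conf=$1
    snapshot=$2
    parse_sysctl_conf "$conf" | while IFS='=' read -r name want; do
        have=$(awk -v n="$name" '
            { line = $0; sub(/[[:space:]]*[:=][[:space:]]*/, "=", line) }
            index(line, n "=") == 1 { print substr(line, length(n) + 2); exit }
        ' "$snapshot")
        [ -z "$have" ] && have="<missing>"
        [ "$have" = "$want" ] || echo "$name expected $want current $have"
    done
}

# Number of drifting settings; 0 means the running kernel matches the list.
sysctl_drift_count() {
    sysctl_drift "$1" "$2" | wc -l | tr -d ' '
}

echo "== settings drifting from $TMP/sysctl.conf =="
sysctl_drift "$TMP/sysctl.conf" "$TMP/current.txt"
echo "drifting: $(sysctl_drift_count "$TMP/sysctl.conf" "$TMP/current.txt")"
```

Run it from a periodic(8) script with /etc/sysctl.conf and `sysctl -a > snapshot` and the report shows whether a setting from the list was reverted, never applied (a typo in the name shows up as "<missing>"), or overridden by a later line, which is the kind of check the daily security mails do not do for sysctl values.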
#3
Continued from post # 2...
General security tips
Resources
This is just a tiny list. Try the following resources / books:
I've tried to keep this a small but useful list. Please add other information and comments below. Good luck!
Last edited by vivek; June 16th, 2009 at 20:50.
#4
I know it's not terribly important, but aren't these the default?
__________________
May the source be with you!