security

  1. F

    IPFW How to protect

    My system was hacked and crashed. How to protect? Please, step by step.
  2. Minbari

    Reports: Intel chips have new security flaws

    Reports: Intel chips have new security flaws
  3. E

    Non-root users can change hw.snd.default_unit sysctl

    I'm a little perplexed to have accidentally found that non-root users (even ones denied access to /dev/mixer) can adjust hw.snd.default_unit. I assume non-root users can adjust some other sysctls. I thought sysctl would have been restricted entirely to root. I would appreciate any insight here...
  4. J

    Solved Blocking request based on IP address in X-Forwarded-For header

    I have (courtesy of fail2ban + nginx) tables of IPs I would like to stop from accessing the server in any way (ssh, web, etc.). When they try to ssh, pf blocks them like it should. When they access the webserver directly, they get blocked. But when they access via a proxy, I have no idea what...
  5. 1

    System Hardening Options Post-Install?

    The System Hardening Options presented at install time - if one wished to keep these disabled at install time and then selectively enable them after installing, what is the method for doing so? I am doing a FreeBSD 12 install and was hoping to see instructions on how to do that in the 2.8.4...
  6. E

    Audio/microphone security, group level restriction

    I just realized that the mixer can be adjusted by any user and any user can listen to the microphone on my system. Even a sandbox user, unless chrooted or jailed, could spy on me. Is there a way to adjust /dev/dsp permissions so access requires an audio group? Would I use /etc/devfs.conf for...
  7. W

    Solved How detect the source of change time in specific file?

    Looking in my tripwire logs I got: Modified: "/etc/ssl/private" "/etc/ssl/private/server.key" And: Modified object name: /etc/ssl/private/server.key Property: Expected Observed ------------- -----------...
  8. D

    jails and loopback

    I'm new to FreeBSD and jails, please be patient. According to the FreeBSD documentation, one should create a cloned loopback for a jail instance. I can't get behind the purpose of creating multiple loopback interfaces. Can someone explain this to me? Should I create a new lo interface for each...
  9. C

    Problem with login.access

    Good afternoon, I was playing around with login.access. I want to allow a specific machine on the network to be able to connect. The computer's name is cp9043 and the ip address is 192.168.1.15 It doesn't work when I use: +:ALL:192.168.1. +:wheel:console ttyv0 -:ALL:ALL or: +:ALL:192.168.1.15...
  10. T

    Freebsd Racoon setkey configuration?

    When configuring Setkey to add Security Policy Database for AWS tunnels I understand that I should let the kernel know what traffic I want to get encrypted. And so I added my internal network to go to the remote VPC (AWS) network and the other way around. For example: spdadd 25.25.25.64/26...
  11. simplerezo

    pkg audit / vuln.xml / no more updates for base system and kernel ??

    Hi! I'm using pkg audit to get a report about current "vulnerabilities" for ports and also for FreeBSD base/kernel using that special syntax: pkg audit FreeBSD-11.2_2 && pkg audit FreeBSD-kernel-11.2_2 But it looks like vuln.xml is no longer updated about FreeBSD SA since 12.0p3/11.2p9 ...
  12. H

    Solved Portmaster - unknown traffic

    Dear forum, first of all I hope that I'm posting in the correct forum. Please correct me if it's wrong. I noticed that there is a lot of traffic while upgrading ports with portmaster. I do not mean the actual download of source code, rather during the building process. Also, there is almost no...
  13. mod3777

    FreeBSD and security mitigations

    How are FreeBSD security mitigations? I am new to FreeBSD and I am very satisfied with this system, until a guy who runs HBSD and OpenBSD told me: "I don't know of any Linux distro which doesn't use PIC, PIE, and at least stack-protector-strong. The state of userland exploit mitigations in...
  14. D

    Remote code execution on almost all Intel processors: this is again the Management Engine fault

    Persecuted by further discoveries of gaps in the mechanism of speculative instruction execution, Intel discovered that its chips are vulnerable to attack on the other hand - the infamous Management Engine remote management subsystem. This computer-in-computer, which can have complete control...
  15. G

    How do I know a CVE has been fixed for FreeBSD

    Package www/firefox returned so many CVE's from pkg aud -F. So how can I know that all those CVE are patched or not. Some of them are *RESERVED*. Say status of CVE-5863; CVE-2018-5156 etc. from various web sources of cve.mitre & NVD. From FreshPorts-VuXML says an older version is vulnerable...
  16. G

    Use of Capsicum with Firefox

    Message from firefox-60.0.2,1 , after update/install, Some features available on other platforms are not implemented: - Native audio (OSS backend is incomplete, doesn't support WebRTC) - Encrypted Media Extensions (requires Widevine CDM binary) - Process sandboxing (requires Capsicum backend) -...
  17. B

    Mount two firewalls

    I want to mount a firewall. I have the idea of that my traffic could be "sniffered" by somebody. So I will ask for how to mount a firewall, here, on my desktop installation but also on another equipment. Besides, I want to know what else can I do for making the most miserable the attack of a...
  18. nielsk

    logging what root is doing

    Hi, new audit requirements came up (yeah, EU-GDPR and its requirement for accountability who did when what when dealing with personal data) and now I try to figure out how I can log what the root user is doing, especially when an admin is doing sudo su. As I noticed certain commands like "cd"...
  19. B

    Virus & Security

    I write this with the objective of talking about security and viruses in FreeBSD. Once I read on a page about this OS the steps for installing an antivirus. Since then I started to think: how much security does this system have? But, if we consider that this system could be configurable to be more...
  20. SirDice

    DDoS amplifications through memcached

    Using databases/memcached is a popular method to speed up high performance websites. But apparently not everybody protects it properly and allows it to be accessible from the internet. New research discovered these open services are abused in a similar fashion to DNS and NTP amplification...