1. V

    Hardened malloc() for FreeBSD

    Is there a security oriented memory allocator for FreeBSD like GrapheneOS/Linux's Hardened_malloc library or OpenBSD's Otto-malloc where you can enable additional checks? I'd like to do additional hardening on some of...
  2. C

    Using w^x and troubleshooting (i.e. vscode)

    I've finally enabled w^x for on 13.1-RELEASE-p1: # sysctl -a |grep wx kern.elf32.allow_wx: 0 kern.elf64.allow_wx: 0 For the usual suspects that struggle with this, I've used elfctl or proccontrol to circumvent the restriction. Unfortunately, I've come across one program that persistently...
  3. Sivan!

    Is there a way to "mask" a DHCP assigned IP address in a personal computer?

    I do not have a static IP for my computer connected by fiber to home. My ISP assigns an IP address by DHCP, is there a way of making my ISP's router at my home remember the address assigned to me by local settings? I do not fully understand but this URL to a how-to guide points to a method...
  4. Sivan!

    Solved Poudriere as a Security risk ? (may be not, based on the replies)

    Somewhat duplicating portions of what I posted on a different thread, to provide context : Tried installation from the Ports tree, I was doing that to understand the process of installing software from source using the Ports collection. There were error messages while running...
  5. zgasparian

    Port Scanner Detection and Banning

    After a couple of years, I have started to use FreeBSD again. Previously I was using Linux, and in all my servers I have installed "PSAD" package, which detect the Port Scanners IP addresses and bans them through IPTabels rules. I have searched the same in FreeBSD but does not exit. something...
  6. C

    Securelevel utility turned Intrusion detection tool set

    Heads up: So, this turned out to be very long. Longer than I anticipated before I started writing. Also, I'm not completely certain whether this shouldn't have gone into user space programing. Since it's still very much tied into base, I'll leave it here for the moment and ask the moderators to...
  7. C

    Kerberized NFSv4 -> NFS over TLS on 13.0

    Has anyone got a good reference for how to set up krb5p security? I've got NFSv4 running fine without security, but that kerberos setup has been a major pain in the neck. There doesn't seem to be much logging going on, no matter how much -d or -h's I use. It appears, Wireshark is my only utility...
  8. M

    gpgkeys.txt is broken

    $ gpg --allow-non-selfsigned-uid --no-default-keyring --keyring /tmp/tmp.s7YEIIZX --import /tmp/tmp.oVtOGme1 ... gpg: invalid armor header: mQINBF+5ojQBEADSqQjD4h1lOwAGgmz4dK0Zf4JkoJCpQ7jw2B5jigNySdKf1rQN\n gpg: CRC error; DDCBB0 -...
  9. Alain De Vos

    ZFS The .zfs snap directory is world readable

    The .zfs snap directory is world readable. Is this not a security concern ? zpool set listsnapshots=on tank
  10. Alain De Vos

    A seperate forum item for security.

    Security can be anything. Currently issues are spread over the forum ?
  11. I

    Performance tuning

    I notice that after successful installation of KDE on FreeBSD, there are many files linked into the kernal, as shown by the command "kldstat". (1) I wondering where is this configured - what file(s)? I checked /boot/loader.conf and /etc/rc.conf and couldn't find them there. (2) Is there a...
  12. C

    Greenbone Security Assistant Installation (previously "OpenVAS")

    There are several tutorials and guides on how to install OpenVAS on FreeBSD; however, recently OpenVAS was renamed to Greenbone Security Assistant, spread across multiple packages and now no longer fits any of the past setup descriptions. After wading through the documentation myself, I figured...
  13. bobmc

    Can Blackhat Hackers Be Stopped

    Stories about ransomware and malware corruption seem to be on the increase. They attack those who can least afford to restore from backup such as the Colonial Pipeline and hospitals. Colonial paid 4.4 million. There is a story in Wired about a theft of RSA SecureID seeds from an air-gapped...
  14. Stefan G.

    Solved Resume after suspend vulnerable to break in

    My Thinkpad T480 suspends and resumes successfully and with no problems. However, I noticed that if I hit Ctrl-C a few times during the resume process, I kill X and the screen saver and get a password-free access to the shell. This is a major vulnerability and I hope there is a fix for it. Has...
  15. Y

    openVAS - Greenbone pkg update

    Hey, I currently work on a project to scan a network and find vulnerabilities which has to be on FreeBSD. So, as a first step, I installed packages of openvas9 and scanned the network by using the web interface. There is also a server on ubuntu to see what openvas will find. On the report...
  16. F

    IPFW How to protect

    My system was hacked and crashed How to protect Please step by step
  17. Minbari

    Reports: Intel chips have new security flaws

    Reports: Intel chips have new security flaws
  18. E

    Non-root users can change hw.snd.default_unit sysctl

    I'm a little perplexed to have accidentally found that non-root users (even ones denied access to /dev/mixer) can adjust hw.snd.default_unit. I assume non-root users can adjust some other sysctls. I thought sysctl would have been restricted entirely to root. I would appreciate any insight here...
  19. J

    Solved Blocking request based on IP address in X-Forwarded-For header

    I have (courtesy of fail2ban + nginx) tables of IPs I would like to stop from accessing the server in any way (ssh, web, etc.). When they try to ssh, pf blocks them like it should. When they access the webserver directly, they get blocked. But when they access via a proxy, I have no idea what...
  20. 1

    System Hardening Options Post-Install?

    The System Hardening Options presented at install time - if one wished to keep these disabled at install time and then selectively enable them after installing, what is the method for doing so? I am doing a FreeBSD 12 install and was hoping to see instructions on how to do that in the 2.8.4...