Solved Asking about security steps

Is it enough to defend a computer by doing the following:
1. Disable external logins to the computer (SSH, for example).
2. Use a separate (encrypted) root partition.
3. Enable IPFW.
4. Disable syslogd and sendmail.
5. Deny normal users login access to the root partition by adding the user to another group?

Is it a good idea to put the normal user in a jail?
 
It's never a good idea to disable syslog as this would disable all logging. Logging is very important for security, without it you're practically blind.

Filesystem-level encryption doesn't improve (online) security. It only prevents someone from reading the data if the disk (or the whole server) gets stolen.
 
How do I check all running daemons? And which binary files are absolutely necessary for the system to work?
 
How do I check all running daemons? And which binary files are absolutely necessary for the system to work?
No daemons are running on vanilla FreeBSD unless you turn some on. BSDs are not Linux. If you didn't turn them on they are not running. I don't think that you or, for that matter, I (a UNIX user of 25+ years) have the knowledge to decide what should be included in the generic kernel. That is why people who truly care about security, like the OpenBSD folks, strongly discourage recompiling the kernel.
 
No daemons are running on vanilla FreeBSD unless you turn some on.
Erm, what about cron(8), syslogd(8) and devd(8)? And sendmail(8), although it's running as local submit only, is also started by default. syslogd(8) is even listening on a network port, by default. Never quite understood that.

You are certainly correct when it comes to daemons installed through ports/packages though, those are never enabled by default.
 
Erm, what about cron(8), syslogd(8) and devd(8)? And sendmail(8), although it's running as local submit only, is also started by default. syslogd(8) is even listening on a network port, by default. Never quite understood that.

You are certainly correct when it comes to daemons installed through ports/packages though, those are never enabled by default.
You are quite right, but as you correctly observed, all those daemons run locally and pose no security risk even for a machine which is plugged into the Internet. Once syslog starts listening for outside machines, that is when your problems start. I also like your observation about ports/packages. The reason I dislike Debian and Ubuntu so vehemently is exactly those "clever" Debian scripts which install, configure, and start daemons for you. What seems like a good idea for computer-illiterate people is a great security risk for people like you and me who manage hundreds of servers.

Besides, the OP has no business killing the daemons you mentioned nor recompiling the kernel. That should be the developers' business, to choose sane defaults.
 
Inetd()

pose no security risk

Yeah. Right. Look at the manual for syslogd, for example, or the OpenBSD handbook.
Anybody know how to check what daemons are running?
The next step will be securing Firefox.

I have had a break-in on my system. But I do not know which way; the suspects are syslogd via port 514 and some daemon, or Firefox. I found some configuration files changed, and somebody was tampering with the computer ("cutting" the AC line, changing the internet connection, just obstructing my life). My mistake was not doing a disk backup :(. The last installation was poorly protected, and there was access to everything. Now I must prune the system to the absolute minimum, just delete everything that is not absolutely necessary to run the machine and the web, and after that monitor critical system files. I do not have time (I am studying now) for this, and for the time being I am forced to use Tails....
 
Inetd()

Yeah. Right. Look at the manual for syslogd, for example, or the OpenBSD handbook.
Anybody know how to check what daemons are running?
The next step will be securing Firefox.
syslogd by default is not listening on outside ports. Secondly, you have PF to firewall things which are exposed to the Internet. As for Firefox, it is now pledged on OpenBSD

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man2/pledge.2

You could also run it in a separate low-privilege account. Swap has always been encrypted on OpenBSD, so that attack vector is non-existent. What about using a proxy for web surfing? You could even do layer 7 filtering. I have not got the impression that you know anything about security based on this thread, so I would argue that on my OpenBSD desktop you will be the biggest security risk.


Inetd()
I have had a break-in on my system. But I do not know which way; the suspects are syslogd via port 514 and some daemon, or Firefox. I found some configuration files changed, and somebody was tampering with the computer. My mistake was not doing a disk backup :(. The last installation was poorly protected, and there was access to everything. Now I must prune the system to the absolute minimum, just delete everything that is not absolutely necessary to run the machine and the web, and after that monitor critical system files. For the time being I am forced to use Tails....

Bla bla ...
 
You shouldn't kill syslogd(8) because logs are extremely useful for security.

You can't list all of the currently running daemons that are not enabled (i.e. that were started with onestart), but according to service(8), you can list the currently enabled services with service -e.
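Enabled is not the same as reachable: what matters for the syslogd discussion above is which daemons are bound to a network address rather than to loopback. The following is an added example (not from this thread): it filters constructed sample `sockstat -4 -6 -l` output down to sockets listening on non-loopback addresses, which is where a default syslogd on port 514 shows up until `syslogd_flags="-ss"` stops it from opening a network socket at all.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4 -6 -l` output on a FreeBSD box (not a real capture).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    640   6  udp4   *:514                 *:*
root     sshd       812   3  tcp4   *:22                  *:*
root     sendmail   845   3  tcp4   127.0.0.1:25          *:*
root     syslogd    640   7  udp6   ::1:514               *:*'

# Print "COMMAND PROTO LOCAL" for every socket bound to a non-loopback address.
# Wildcard binds (*:port) and real interface addresses are reported;
# 127.x.x.x and ::1 binds are local-only and skipped.
exposed_listeners() {
    awk 'NR > 1 && NF >= 6 {
        addr = $6
        if (addr ~ /^127\./ || addr ~ /^::1:/) next
        print $2, $5, addr
    }'
}

# On a live system: sockstat -4 -6 -l | exposed_listeners
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners
```

Anything the filter prints for a workstation that should only browse the web is a candidate for `name_enable="NO"` in rc.conf or for a firewall rule.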
 
You shouldn't kill syslogd(8) because logs are extremely useful for security.
+1

Actually, he should send those logs to a remote logging server if he needs to do some forensic work in the case of a break-in. Also, there are even primitive tools for intrusion detection which could benefit from syslog. Syslog could even be parsed by things like fail2ban to improve PF.
 
But syslogd will stay enabled; I just set syslogd_flags="-ss". And how about newsyslog?


Do not log messages from remote machines. If specified twice, no network socket will be opened at all, which also disables logging to remote machines

I'm sorry, but I have a better idea than you in this matter. I do not know whether you do it consciously or not, but your posts show that you have no, A-N-Y!, idea what you're talking about.
https://www.freebsd.org/doc/handbook/security.html That's it for you.
 
Handy92, you really should read the entire man page for syslogd(8). Notice the -a flag. I'm not sure what you were trying to say by quoting the syslogd(8) man page, but I can assume that you interpreted it as the man page telling you not to enable remote logging. This is untrue and only describes the function of the -s flag.

SirDice has already warned you about your forum etiquette, but I want to stress the fact that all of us are taking time out of our busy lives to help you with your problems. The least you can do is be respectful and polite while we assist you. I trust Oko for security advice because he is experienced in BSD systems and is very security aware. Instead of telling him that he doesn't know anything, you should ask for clarification. Once you understand what he is talking about, you can choose whether or not to take his advice. However, I recommend that you do take his advice, as he has given you great tips on how to save yourself time when things go south.
 
Not to mention that he (Oko) has been around even before the existence of this forum (the other forum, anyone?) and has given really good advice.

//end off-topic
 
Can you tell me if this firewall configuration is sufficient? Or what else must be blocked to allow access ONLY! for HTTP (53, 80, 443)?

Code:
ipfw -q -f flush

#loopback
ipfw add allow all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny all from 127.0.0.0/8 to me
# ipfw(8) requires "from" in a rule body
ipfw add deny tcp from any to any frag

#internet
# WIFI is a placeholder for the wireless interface name (not known yet);
# DNS is a placeholder for the resolver's address
ipfw add 100 allow tcp from me to any 80 setup keep-state out via WIFI
ipfw add 105 allow tcp from me to any 443 setup keep-state out via WIFI
ipfw add 110 allow udp from me to DNS dst-port 53 keep-state
ipfw add 115 allow tcp from me to DNS dst-port 53 setup keep-state

#block
ipfw add deny all from any to any
# still to be written as ipfw rules: block ping, block ident, block ACK

And does it make sense to use IPFW with PF?
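For comparison, here is an added example (my own, not the poster's) of the same "outbound web and DNS only" policy written as a reviewable script. The egress interface and resolver address are assumed placeholders (`IF`, `DNS`), rules are numbered so their order is explicit, a `check-state` rule lets replies to our own sessions back in, and the script only prints the rules unless `APPLY=1` is set, so it can be read before it is loaded.

```shell
#!/bin/sh
# Assumed placeholders: set IF to the real egress interface and DNS to the resolver.
IF="${IF:-wlan0}"          # assumed FreeBSD wireless interface name
DNS="${DNS:-192.0.2.53}"   # constructed placeholder resolver address

# Print each rule by default; load it into the kernel only when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipfw -q "$@"
    else
        echo "ipfw $*"
    fi
}

load_rules() {
    rule -f flush
    # loopback: allow, and drop 127/8 traffic seen on any other interface (spoofing)
    rule add 100 allow all from any to any via lo0
    rule add 110 deny all from any to 127.0.0.0/8
    rule add 120 deny all from 127.0.0.0/8 to any
    # non-first fragments carry no ports and cannot be matched by the port rules below
    rule add 130 deny ip from any to any frag
    # consult the dynamic (keep-state) table before the static allow rules
    rule add 200 check-state
    # outbound web and DNS only; "setup" limits TCP matches to the initial SYN
    rule add 300 allow tcp from me to any 80,443 setup keep-state out via "$IF"
    rule add 310 allow udp from me to "$DNS" 53 keep-state out via "$IF"
    rule add 320 allow tcp from me to "$DNS" 53 setup keep-state out via "$IF"
    # the posted "block ping / ident / ACK" intent: inbound ICMP echo, port 113
    # and stray ACKs never match an allow rule above, so the final deny drops them
    rule add 65000 deny ip from any to any
}

load_rules
```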
 
I use a LiveCD with Ubuntu and I use DVD-RW for data. Does a simple encryption tool like TrueCrypt exist on FreeBSD?
 
It wouldn't make much sense because in most cases only root can modify files under /etc and if the attacker has root access they can just remount /etc as rw.
 
I've been following this thread from the start, and still have no idea what's going on. Handy92 , if your last install was broken into over the Internet, then just set up a proper firewall. Trying to lock down random system components with half-baked methods out of overblown paranoia will only lead to another broken install.
 