Hardening bsd.

Alain De Vos

Daemon

Reaction score: 546
Messages: 1,890

There are a few sysctl settings I can think off,
loader.conf
Code:
security.bsd.allow_destructive_dtrace=0
sysctl.conf
Code:
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
kern.elf32.allow_wx=0
kern.elf64.allow_wx=0
kern.elf32.aslr.pie_enable=1
kern.elf32.aslr.enable=1
kern.elf64.aslr.pie_enable=1
kern.elf64.aslr.enable=1
syctl.conf
Code:
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1
net.inet6.ip6.temppltime=7200    # Maximum preferred lifetime for temporary addresses
net.inet6.ip6.tempvltime=14400   # Maximum valid lifetime for temporary addresses
Once I had inet settings below, but they might break rfc's , so I'm not certain it is a good idea ?
Code:
net.inet.icmp.drop_redirect=1              
net.inet.icmp.icmplim=50
net.inet.ip.check_interface=1                  
net.inet.ip.maxfragpackets=0     
net.inet.ip.maxfragsperpacket=0 
net.inet.ip.process_options=0                   
net.inet.ip.random_id=1                         
net.inet.ip.redirect=0
net.inet.tcp.always_keepalive=0            
net.inet.tcp.blackhole=2           
net.inet.tcp.cc.algorithm=cubic
net.inet.tcp.drop_synfin=1                      
net.inet.tcp.nolocaltimewait=1           
net.inet.udp.blackhole=1           
net.inet6.icmp6.rediraccept=0              
net.inet6.ip6.redirect=0
net.link.tap.up_on_open=1
net.inet.tcp.icmp_may_rst=0
Maybe you have other idea's ?
 

matt_k

Member

Reaction score: 63
Messages: 59

in rc.conf

Code:
microcode_update_enable="YES"       #you need to have devcpu-data package installed
clear_tmp_enable="YES"

in /etc/fstab
make sure you have .eli on your swap partition, like so:

Code:
/dev/ada1p2.eli        none    swap    sw        0    0

did you do those sysctls according to this webpage? What's the general consensus on those things written there? I am curious. Some of them seem really nice IMO, but I am no FreeBSD expert by any stretch of imagination.
 

covacat

Well-Known Member

Reaction score: 171
Messages: 365

Code:
#!/bin/sh
# protection against remote exploits / never fails
# do not try on a remote box :)
for i in $(ifconfig -l);do ifconfig $i down;done
echo you are now protected
 
OP
Alain De Vos

Alain De Vos

Daemon

Reaction score: 546
Messages: 1,890

Firefox gives a segmentation fault. But this is known. Time to use qutebrowser.
In fstab,
Code:
/dev/ada2p2.eli    none         swap                          sw,ealgo=aes,keylen=128,sectorsize=16384 0 0
 

mer

Well-Known Member

Reaction score: 189
Messages: 328

I think one needs to really determine "hardening against what"? covacat solution will absolutely prevent all remote exploits.
If you are looking for hardening a user workstation that merely is used to connect to the internet, there are steps there that you may not want to do for a public facing server or that you want to do differently.

If you look at the HardenedBSD project (I'm going by memory, it's been a while since looking) they may have a good starting point for you on sysctls.

If you are going to muck with sysctls, you should probably set kern.securelevel to a nondefault value.
security.jail.param.securelevel probably want to look at.

Mucking with network/IP sysctls can quickly get you to a point of "my system can't talk to anyone else".

I always run a local firewall on my machines, even workstations, either PF or IPFW. PF lets you do a lot of good stuff;
just remember start with a "default deny" stance and turn on only the things you need.
You can also do a lot with properties on ZFS datasets to prevent executables from running on say a dataset that is used only for MySQL databases.

Above is my opinion, based on my personal experiences. Feel free to disagree or completely discount anything.
 
OP
Alain De Vos

Alain De Vos

Daemon

Reaction score: 546
Messages: 1,890

zfs settings,
Code:
/usr/ports                   setuid           off                 
/usr/ports/distfiles      exec             off                   
/usr/ports/distfiles      setuid           off                   
/usr/ports/packages   exec                off                  
/usr/ports/packages   setuid              off                  
/usr/src               exec                   off                  
/usr/src               setuid                 off                   
/var/audit            exec                   off                   
/var/audit            setuid                 off                   
/var/crash           exec                   off                   
/var/crash           setuid                 off                   
/var/log               exec                   off                   
/var/log              setuid                 off                  
/var/mail             exec                   off                  
/var/mail             setuid                 off
 

covacat

Well-Known Member

Reaction score: 171
Messages: 365

hardening to aggressive will break things now and then
noexec on /tmp breaks make installworld unless you use alt TMPDIR or something
 
OP
Alain De Vos

Alain De Vos

Daemon

Reaction score: 546
Messages: 1,890

I gone try to compile the kernel with,
Code:
nooption     COMPAT_FREEBSD32    # Compatible with i386 binaries
nooption     COMPAT_FREEBSD4        # Compatible with FreeBSD4
nooption     COMPAT_FREEBSD5        # Compatible with FreeBSD5
nooption     COMPAT_FREEBSD6        # Compatible with FreeBSD6
nooption     COMPAT_FREEBSD7        # Compatible with FreeBSD7
nooption     COMPAT_FREEBSD9        # Compatible with FreeBSD9
nooption     COMPAT_FREEBSD10    # Compatible with FreeBSD10
nooption     COMPAT_FREEBSD11    # Compatible with FreeBSD11
nooption     COMPAT_FREEBSD12    # Compatible with FreeBSD12
I wonder what breaks...
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 11,600
Messages: 37,925

Binaries built on 13.0 shouldn't break. Those COMPAT_FREEBSD* options are only for running binaries from older versions of FreeBSD. Or, in the case of COMPAT_FREEBSD32, to allow 32 bit binaries to run on a 64 bit OS.

Although I had some issues on FreeBSD 12.0 when I removed COMPAT_FREEBSD11, but this was because those specific applications didn't account for some changed file structures. So your millage may vary, some applications may still use pre-12 kernel structures and will fail without COMPAT_FREEBSD11 and COMPAT_FREEBSD12.
 

covacat

Well-Known Member

Reaction score: 171
Messages: 365

I gone try to compile the kernel with,
Code:
nooption     COMPAT_FREEBSD32    # Compatible with i386 binaries
nooption     COMPAT_FREEBSD4        # Compatible with FreeBSD4
nooption     COMPAT_FREEBSD5        # Compatible with FreeBSD5
nooption     COMPAT_FREEBSD6        # Compatible with FreeBSD6
nooption     COMPAT_FREEBSD7        # Compatible with FreeBSD7
nooption     COMPAT_FREEBSD9        # Compatible with FreeBSD9
nooption     COMPAT_FREEBSD10    # Compatible with FreeBSD10
nooption     COMPAT_FREEBSD11    # Compatible with FreeBSD11
nooption     COMPAT_FREEBSD12    # Compatible with FreeBSD12
I wonder what breaks...
probably safe. only needed that for some older closed source raid management software (hp/lsi/adaptec which usually didn't work anyway)
 

rootbert

Well-Known Member

Reaction score: 148
Messages: 400

in /boot/loader.conf put kern.racct.enable=1 and enable resource limitations ... in case a software package is being attacked and excessive resource consumption renders your host unusable. And put your services into jails, one service per jail.
 

rootbert

Well-Known Member

Reaction score: 148
Messages: 400

Which brings me to what are reasonable resource limits.
hm, that depends entirely on your service and usage. Just monitor your services and you will find out ... whether e.g. 80 processes/2GB of RAM is enough for your small mailserver or webserver or 300 processes/64GB of RAM is enough for your database server. you can also use the "log" action of rctl. I usually have a log entry at roughly 80% of the resource and a deny entry at 100%
 
OP
Alain De Vos

Alain De Vos

Daemon

Reaction score: 546
Messages: 1,890

I gone try to compile the kernel with,
Code:
nooption     COMPAT_FREEBSD32    # Compatible with i386 binaries
nooption     COMPAT_FREEBSD4        # Compatible with FreeBSD4
nooption     COMPAT_FREEBSD5        # Compatible with FreeBSD5
nooption     COMPAT_FREEBSD6        # Compatible with FreeBSD6
nooption     COMPAT_FREEBSD7        # Compatible with FreeBSD7
nooption     COMPAT_FREEBSD9        # Compatible with FreeBSD9
nooption     COMPAT_FREEBSD10    # Compatible with FreeBSD10
nooption     COMPAT_FREEBSD11    # Compatible with FreeBSD11
nooption     COMPAT_FREEBSD12    # Compatible with FreeBSD12
I wonder what breaks...
Now the program "exa" spits out bad system call. And "firefox" spits out channel error.
 
OP
Alain De Vos

Alain De Vos

Daemon

Reaction score: 546
Messages: 1,890

Apparantly you need COMPAT_FREEBSD12 & COMPAT_FREEBSD11 for a lot of programs to work correctly.
"rust" is dependent on COMPAT_FREEBSD11 !!!!
My KERNCONF is now,
Code:
nooption NFSCL
nooption NFSD
nooption NFSLOCKD
nooption NFS_ROOT
nooption         XENHVM                  # Xen HVM kernel infrastructure
nooption     COMPAT_FREEBSD4        # Compatible with FreeBSD4
nooption     COMPAT_FREEBSD5        # Compatible with FreeBSD5
nooption     COMPAT_FREEBSD6        # Compatible with FreeBSD6
nooption     COMPAT_FREEBSD7        # Compatible with FreeBSD7
nooption     COMPAT_FREEBSD9        # Compatible with FreeBSD9
nooption     COMPAT_FREEBSD10    # Compatible with FreeBSD10
nooption     COMPAT_FREEBSD32    # Compatible with i386 binaries

No java for me .
 
Last edited:

TempleBSD

Member

Reaction score: 13
Messages: 29

I always run a local firewall on my machines, even workstations, either PF or IPFW. PF lets you do a lot of good stuff;
just remember start with a "default deny" stance and turn on only the things you need.
I feel like a "firewall" sounds cooler than it actually is, depending on how in-depth your config of it is. Disabling unneeded services and having a "lean" system which does not open ports will achieve the same without adding to the stack of software on the machine. Whilst the firewall will prevent applications trying to communicate without your permission, I fell that in that case the machine is running software which a user does not understand or has misconfigured (both often the case with me, dont treat this as an insult or elitism please) which is mostly fine except when security is of high importance. Additionally, there is not a router for sale today that doesn't have a basic firewall on it. To be clear, a firewall has its purpose, but I don't feel like it will be of much use when running on a desktop.
 

covacat

Well-Known Member

Reaction score: 171
Messages: 365

assuming you have no manual installs
Code:
 pkg query "%n-%v: %q"|egrep ":(11|10|12):"
 
OP
Alain De Vos

Alain De Vos

Daemon

Reaction score: 546
Messages: 1,890

pkg query "%n-%v: %q" does not inform om compat needs. I would be nice to know what does.
 

mer

Well-Known Member

Reaction score: 189
Messages: 328

TempleBSD I also do the same thing on workstations: sockstat is your friend (or netstat -aln) to find open listening sockets. I basically start with the same default deny attitude: turn everything off, then back on only what is needed. Typically only ntpd, sshd and syslogd. syslog gets configured to only listen on localhost. So the firewall is mostly the belt and suspenders approach and to keep my hand in configuring them.

But your point of turn off everything and then only on what you need to minimize listeners is a valid approach.
 

TempleBSD

Member

Reaction score: 13
Messages: 29

mer You should consider openntpd which does not open a socket by default as opposed to default ntpd. How come you're running sshd on workstations?
 

TempleBSD

Member

Reaction score: 13
Messages: 29

pkg query "%n-%v: %q" does not inform om compat needs. I would be nice to know what does.
You have enabled ASLR (but not stackgap) Firefox sadly does not play too nicely with those two which means they should be disabled for the browser or you must find another way of surfing the web. Using
Code:
# elfctl -e +aslr /usr/local/bin/firefox
should do get FF to work again. This disables ASLR for firefox and has to be done on every browser update. That leaves one major path into your system unprotected and therefore you might consider jailing your browser in order to isolate it from the rest of your system.

Btw, what is your expected threat? If some expert hackers or a government is/are specifically targeting you, you might want to look into smashing your PC with a hammer.

https://vez.mrsk.me/freebsd-defaults.html is an interesting article I read a while ago which shows that FreeBSD can be Fort Knox if you want it to but like building a castle, requires attention and planning to get it to withstand serious threats. Have you looked at getting HardenedBSD? The defaults are probably as safe as can be but it might be a little harder to get your required programs to work there.

Not a security (- and or) expert, "pull that LAN cable" is the only sound advice I can wholeheartedly give.
 
OP
Alain De Vos

Alain De Vos

Daemon

Reaction score: 546
Messages: 1,890

PS : Firefox uses rust , which uses COMPAT_FREEBSD11. So without COMPAT_FREEBSD11 no firefox.
I left aslr on firefox , just did a general "kern.elf64.aslr.stack_gap=0"
Qutebrowser has not such requirements but is a bit slower browsing experience.
ooh, openntpd works fine with aslr.
 

mer

Well-Known Member

Reaction score: 189
Messages: 328

mer You should consider openntpd which does not open a socket by default as opposed to default ntpd. How come you're running sshd on workstations?
Thanks, I'll take a look at openntpd.
Why sshd on workstations? Because this is at home, one is a "work" system, the other is my "home" system, I don't have a KVM to keep switching monitors/keyboards/etc and sometimes I just need to pop in and check something out. So running a local firewall lets me restrict ssh from specific IPs on my home network (theres a separate box fronting everything to world that is default deny in and out) and honestly just to give me something to muck with to keep mind active.

Do I "need" to have sshd running? No. Is it conveinent for me to have it running? Yes. But anything running on a computer comes down to a choice between those 2, no?
 
Top