Hardening bsd.

TempleBSD

Member

Reaction score: 14
Messages: 43

Thanks, I'll take a look at openntpd.
Why sshd on workstations? Because this is at home, one is a "work" system, the other is my "home" system, I don't have a KVM to keep switching monitors/keyboards/etc and sometimes I just need to pop in and check something out. So running a local firewall lets me restrict ssh from specific IPs on my home network (theres a separate box fronting everything to world that is default deny in and out) and honestly just to give me something to muck with to keep mind active.

Do I "need" to have sshd running? No. Is it convenient for me to have it running? Yes. But anything running on a computer comes down to a choice between those 2, no?
Well then the firewall makes much more sense as well!
 

mer

Aspiring Daemon

Reaction score: 339
Messages: 552

Well then the firewall makes much more sense as well!
Yep. It always boils down to knowing what you need and what you don't. I have some books on my shelf about "building firewalls", "FreeBSD and OpenBSD Security" and "PF" from the mid 1990s that I've read and re-read so many times I've forgotten, but they form the basis of my thinking. Always start with Default Deny and add things. Keep an eye on network traffic so you know what is going on. Took a while, maybe some things break for a little bit, but easier in the long run.
 

Vick Khera

New Member

Reaction score: 1
Messages: 7

Apparently you need COMPAT_FREEBSD12 & COMPAT_FREEBSD11 for a lot of programs to work correctly.
"rust" is dependent on COMPAT_FREEBSD11 !!!!
Based on your comment I discovered this is what was causing rclone to fail on FreeBSD 13. I had COMPAT_FREEBSD12 already to facilitate the upgrade of my packages. Rclone will fail with a kqueue error without COMPAT 11.
 
Alain De Vos (OP)

Daemon

Reaction score: 649
Messages: 2,175

falkon-qtonly browser has improved a lot.
If you don't use google login it is a good alternative to firefox and its "kern.elf64.aslr.stack_gap=0"
 

debguy

Well-Known Member

Reaction score: 24
Messages: 275

Authenticated FTP allowed by default, ftpd installed by default. That could GO. I ran an ftp server once and other than a very few downloads all I got was attempts from France and China to upload a W95 ftp worm.
 

debguy

Well-Known Member

Reaction score: 24
Messages: 275

I found security holes in GNU linux's "login.c" which included pam login (borrowed from sun which bsd borrowed). I hope FreeBSD doesn't use that code because I found a few holes fixed and posted them but no one ever looked.

Browsers? I think all today's bloated web browsers used some webkit and or gecko that use 200MB per web page (u gotta upgrade) and have no sense of compatibility or security. Google I'm sure is NOT secure, they will 'go' right into your compiler if you let them.

Here's an old IBM trick: delete your compiler and no one can make any binary on your machine that isn't already there ! :)
 

ralphbsz

Son of Beastie

Reaction score: 2,358
Messages: 3,245

Here's an old IBM trick: delete your compiler and no one can make any binary on your machine that isn't already there ! :)
Sure they can: "cat > /bin/hack", followed by typing lots of strange key combinations.

Seymour Cray toggled the first OS for the Cyber in from the front panel, rumor has it. We've all done binary programming in our (mis-spent) youth. I used to be my own assembler, where I would write the assembly program nicely on paper, and then hand-assemble the binary bytes into the left column.

Oh, and this was a Sun trick. IBM used to distribute the source code for the OS to its customers, long before the idea of "open source" was born, when Richard Stallman was still soiling diapers. Admittedly, it didn't come on binary media (because it was too big for tapes), but instead on microfilm.
 

kpedersen

Son of Beastie

Reaction score: 2,097
Messages: 2,957

Sure they can: "cat > /bin/hack", followed by typing lots of strange key combinations.
Very true. And many exploits are shell code getting written to w&x memory and executed.
The bad guys are very good with lower level "languages" than C.
 

Trihexagonal

Son of Beastie

Reaction score: 2,436
Messages: 2,956

I didn't see these lines posted from /etc/rc.conf:

Code:
clean_tmp_X="YES"
tcp_drop_synfin="YES"

sshd_enable="NO"        # the rc.conf knob is sshd_enable; "ssh_enable" is not read by rc(8)
inetd_enable="NO"       # telnetd and rlogind are inetd services; this is the line that keeps them off
rpcbind_enable="NO"     # "portmap_enable" is the old spelling; current base uses rpcbind_enable
nfs_server_enable="NO"
nfs_client_enable="NO"
cupsd_enable="NO"
lpd_enable="NO"
webcamd_enable="NO"
samba_enable="NO"       # net/samba4xx ports use samba_server_enable (covers smbd, nmbd and winbindd)
winbindd_enable="NO"
I feel like a "firewall" sounds cooler than it actually is, depending on how in-depth your config of it is.
*snip*
Additionally, there is not a router for sale today that doesn't have a basic firewall on it. To be clear, a firewall has its purpose, but I don't feel like it will be of much use when running on a desktop.
I can unhook/unplug my router and connect any of my laptops to the Internet by direct Ethernet connection, leave it for months and not give it a second thought. I had been running a pfSense firewall/router in a Dell tower when I got cable. It only came with a passthru modem. I retired my older equipment and ran without one online 24/7

It runs on all my FreeBSD laptops and ran on OpenBSD with a syntax change of one word on the outbound rule to egress
mer You should consider openntpd which does not open a socket by default as opposed to default ntpd. How come you're running sshd on workstations?
It blocks TCP port 25 and I still get my daily Security Report, which is all I use sendmail for. My rule blocking port 0 carried over from my Win98 ConSeal PC Firewall ruleset. Years later, while tweaking the Win10Pro firewall, I discovered it will stop Win10Pro from downloading updates and installing updates for the Windows 10 Service.

It's not even called an Operating System by Microsoft in their documentation:

The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service.

There can be an added cost at any time to keep that Service. Pretty slick and slipped it in after the masses were addicted and dumbed down sufficiently to have no choice but stay with it. Or ask for a desktop in our Base System.

I'll be openly asking for and expecting a Clan favor in the very near future sans Legal Lingo.
Second time today posting /etc/pf.conf.

Code:
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Pass loopback (options belong before scrub and filter rules)
set skip on lo0

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Block spoofs
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick log on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
 
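TempleBSD asked earlier in the thread why a workstation would run sshd behind a local firewall, and the ruleset above shows the default-deny shape. As an added example, not part of any post in this thread, here is a POSIX sh script that writes a default-deny workstation ruleset which only admits SSH from a table of named LAN hosts, then parses it with `pfctl -nf` when pfctl is available on the machine. The interface name em0 and the addresses 192.168.1.10 and 192.168.1.20 are assumptions; change them before loading the file for real.

```shell
#!/bin/sh
# Added example (not from the thread): generate a default-deny pf ruleset for a
# FreeBSD workstation that only accepts SSH from a short list of LAN hosts.
# Interface name and peer addresses are assumptions passed in as arguments.
set -eu

# write_workstation_pf DEST EXT_IF PEER... : write the ruleset to DEST.
# PEERs are the only hosts allowed to reach sshd; everything else inbound
# hits the logged default block.
write_workstation_pf() {
    dst="$1"
    ext_if="$2"
    shift 2

    peers=""
    for h in "$@"; do
        peers="$peers $h"
    done

    # Unquoted heredoc: $ext_if and $peers are filled in here, \$ stays a
    # literal $ so pf sees its own macro and interface references.
    cat > "$dst" <<EOF
# Workstation ruleset: default deny inbound, stateful replies, SSH from LAN peers only.
ext_if = "$ext_if"
table <ssh_peers> const {$peers }

set skip on lo0
set block-policy drop

scrub in on \$ext_if all fragment reassemble

# Default deny, logged: anything unexpected shows up on pflog0.
block log all

antispoof quick for \$ext_if inet
block in quick on \$ext_if from no-route to any
block in quick on \$ext_if from urpf-failed to any

# SSH only from the listed hosts, only to this interface's own address.
# tcp/22 from anywhere else is silently dropped by the default block, so a
# scanner on the wider network sees nothing.
pass in quick on \$ext_if proto tcp from <ssh_peers> to (\$ext_if) port ssh flags S/SA keep state

# Outbound from the workstation itself; replies return via state, not pass-in rules.
pass out quick on \$ext_if proto { tcp udp icmp } from (\$ext_if) to any modulate state
EOF
}

# check_ruleset FILE : syntax-check with pfctl -n (parse only, nothing loaded).
# Only meaningful on a host with pf; elsewhere it just says so.
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not available here; syntax check skipped for $1" >&2
    fi
}

# Usage: writes the ruleset somewhere harmless and parses it if pfctl exists.
out="${TMPDIR:-/tmp}/pf.conf.workstation"
write_workstation_pf "$out" em0 192.168.1.10 192.168.1.20
check_ruleset "$out"
```

After checking the file, `pfctl -f` loads it and `tcpdump -n -e -ttt -i pflog0` shows what the default block is catching; pairing the table with `AllowUsers` or `ListenAddress` in sshd_config limits exposure a second way should the firewall ever be disabled.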
Alain De Vos (OP)

Daemon

Reaction score: 649
Messages: 2,175

@Trihexagonal,
inetd is obsolete.
Gonna add it to src.conf: WITHOUT_INETD
src.conf is currently:
Code:
WITHOUT_BIND=yes
WITHOUT_BLUETOOTH=yes
WITHOUT_CROSS_COMPILER=yes
WITHOUT_DEBUG_FILES=yes
WITHOUT_FLOPPY=yes
WITHOUT_HYPERV=yes
WITHOUT_INETD=yes
WITHOUT_IPX=yes
WITHOUT_KDUMP=yes
WITHOUT_KERNEL_SYMBOLS=yes
WITHOUT_KVM_SUPPORT=yes
WITHOUT_KVM=yes
WITHOUT_LLVM_TARGET_AARCH64=yes
WITHOUT_LLVM_TARGET_ALL=yes
WITHOUT_LLVM_TARGET_ARM=yes
WITHOUT_LLVM_TARGET_BPF=yes
WITHOUT_LLVM_TARGET_MIPS=yes
WITHOUT_LLVM_TARGET_POWERPC=yes
WITHOUT_LLVM_TARGET_RISCV=yes
WITHOUT_LLVM_TARGET_SPARC=yes
WITHOUT_LOCATE=yes
WITHOUT_LPR=yes
WITHOUT_MAIL=yes
WITHOUT_MAILWRAPPER=yes
WITHOUT_NDIS=yes
WITHOUT_NVME=yes
WITHOUT_OPENSSH=yes
WITHOUT_RPCBIND_WARMSTART_SUPPORT=yes
WITHOUT_SENDMAIL=yes
WITHOUT_TCP_WRAPPERS=yes
WITHOUT_WIRELESS_SUPPORT=yes
WITHOUT_WIRELESS=yes
WITHOUT_WPA_SUPPLICANT_EAPOL=yes
 

mer

Aspiring Daemon

Reaction score: 339
Messages: 552

Don't forget that /etc/rc.conf is combined with /etc/defaults/rc.conf. A lot of "enabled" in defaults/rc.conf are set to NO, so you don't have to set them in /etc/rc.conf.

Now a really good reason to actually set things explicitly in /etc/rc.conf is upgrading. Unless you explicitly check, you could have an "enabled=NO" get flipped to YES. But if you have it explicitly in /etc/rc.conf, you don't have to worry.

Trihexagonal: Nice ruleset. Good use of quick. I tend to scrub in/out all (NFS may break doing this); nice belt and suspenders blocking RFC non-routables in on ext_if.
One thing that is fun/easy to do with pf is default deny all, then macro with explicit pass protocols. I've done this in the past and even with Windows systems on a network, it's actually a pretty short list to have everything work.

pfSense: been running that for a while, I've actually spent the money for the appliances because it's worth it to me.
 
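mer's point that /etc/rc.conf is layered over /etc/defaults/rc.conf can be checked rather than remembered. As an added example, not from any post in the thread, here is a POSIX sh script that resolves a knob the way rc(8) does (source the defaults, then each rc.conf file in order, last assignment wins) and then lists the knobs that are YES only because of the defaults file, i.e. the ones an upgrade could flip without anything in /etc/rc.conf saying otherwise. The two small rc files it builds are constructed samples, not copies of the real ones; point the functions at /etc/defaults/rc.conf and /etc/rc.conf to run it on a live box.

```shell
#!/bin/sh
# Added example (not from the thread): resolve effective rc.conf values the way
# rc(8) does and flag knobs that are enabled only by /etc/defaults/rc.conf.
set -eu

# rc_effective DEFAULTS VAR FILE... : print VAR after sourcing DEFAULTS and
# then every FILE in order (later files override earlier ones). Runs in a
# subshell so nothing from the rc files leaks into the caller's environment.
rc_effective() {
    defaults="$1"; var="$2"; shift 2
    (
        set +u
        . "$defaults"
        for f in "$@"; do
            if [ -r "$f" ]; then . "$f"; fi
        done
        eval "printf '%s\n' \"\${$var}\""
    )
}

# unpinned_yes DEFAULTS RCCONF VAR... : list knobs whose effective value is YES
# while RCCONF has no explicit line for them, i.e. the value rides on the
# defaults file and would follow it if an upgrade changed the default.
unpinned_yes() {
    defaults="$1"; rcconf="$2"; shift 2
    for v in "$@"; do
        if [ "$(rc_effective "$defaults" "$v" "$rcconf")" = "YES" ] \
           && ! grep -q "^${v}=" "$rcconf"; then
            printf '%s\n' "$v"
        fi
    done
}

# make_samples DIR : write constructed stand-ins for the two real files.
make_samples() {
    dir="$1"
    mkdir -p "$dir"
    # Constructed stand-in for /etc/defaults/rc.conf (not the real contents).
    cat > "$dir/defaults.rc" <<'EOF'
sshd_enable="NO"
sendmail_enable="NO"
syslogd_enable="YES"
hostid_enable="YES"
EOF
    # Constructed stand-in for /etc/rc.conf: pins two knobs, leaves the rest.
    cat > "$dir/rc.conf" <<'EOF'
sshd_enable="YES"
sendmail_enable="NO"
EOF
}

# Usage on the constructed samples.
d="${TMPDIR:-/tmp}/rcdemo.$$"
make_samples "$d"
rc_effective "$d/defaults.rc" sshd_enable "$d/rc.conf"     # YES (rc.conf overrides the default)
rc_effective "$d/defaults.rc" syslogd_enable "$d/rc.conf"  # YES (from the defaults file only)
unpinned_yes "$d/defaults.rc" "$d/rc.conf" \
    sshd_enable sendmail_enable syslogd_enable hostid_enable   # prints syslogd_enable, hostid_enable
rm -rf "$d"
```

On a real FreeBSD host the same questions are answered by `sysrc sshd_enable` (effective value after the defaults and rc_conf_files are merged) and `service -e` (rc scripts that are currently enabled); the script above is for seeing how that merge works and for spotting what is not pinned.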

Trihexagonal

Son of Beastie

Reaction score: 2,436
Messages: 2,956

Trihexagonal One thing that is fun/easy to do with pf is default deny all, then macro with explicit pass protocols. I've done this in the past and even with Windows systems on a network, it's actually a pretty short list to have everything work.
When I used Win98 I would start ConsealPC Firewall with a blank ruleset. Then go to a site I visited regularly and allow a rule for that site on the fly to every site I visited and those rules only. I had a very tight ruleset and kept a close eye on it.

Now they keep a close eye on me and hope I don't come to chat. To say some words.

When I disappeared offline for a year or so I got a PM at able2know .org where I do Alliteration Aggrandizement. I'm suspicious of such things and figured they were trying to draw me out but I had wanted to go back and tell the players something in the forum so that gave me the excuse. The account was new and the only thing done from it was send me that PM, which had the contents deleted.

That was like a Get Well card and they had been worried about me not being seen so long. All we needed now was a Family Album of photos. I said I wanted to talk to someone who knew me, not the caliber of people they passed watching me on to in the next generation. Pitiful, they are.

Well, you summoned the Demon and he doesn't go away if ignored. I wanted to talk in a civil manner to the last person that spoke to me the last time I had to show up because they had broken our undeclared truce. I played games, am quick as a bot in chat, practiced my impressions, told tall stories to nice people, played Bait and Switch on pedophiles who posed as Priests and terrified would be tough guys to the point things changed on the site.

So I got their attention and caused Chaos on a system wide scale but I got tired of the people who went there, cybersex all they know to talk about, and when I spotted one of them made myself known by asking questions.

He said "Hmmm. jigoku, that's Japanese. For Hell...

It is as I feared..."

My job was over so I left without another word and haven't been back. But when they wouldn't talk to me I talked to them and whoever opened it got the message for the sender and the words they didn't want to hear in a more powerful form to teach them a lesson.

But I miss my old m8tes and have them to thank for the person I am today, and they watched me become more than I had been or ever thought I would become as it happen the last 20 years.

IT people had a name for people who fixated on firewall logs and filed false alarms to the Abuse desk listed. I believe it was something like "Goomers with a firewall."

I've used telnet before but none of the other things I have listed as "No". I'm not certain it keeps them from being started but I run my box like I learned how and do a lot of things differently. Never touched fstab to use or edit it for one.

@Trihexagonal,
inetd is obsolete.
Gonna add it to src.conf: WITHOUT_INETD
src.conf is currently:
Or used anything but the generic kernel. Never used buildworld or compiled a kernel.
FreeBSD is the most user-friendly desktop-oriented OS I have ever taught myself to use.

You are no doubt much wiser than myself and wouldn't dare question you on FreeBSD facts, but I just saw something posted that included having inetd running.

I always use the same file system files saved to disk after a rebuild on all my machines. I read in Hacking Exposed 1st Edition about NFS being a security risk before I ever left Win98, and it is one of the things that stuck with me from reading it.

Code:
root@bakemono:/ # rpcinfo -p
rpcinfo: can't contact portmapper: RPC: Port mapper failure - RPC: Success
root@bakemono:/ # showmount
RPC: Port mapper failure
showmount: can't do mountdump rpc
root@bakemono:/ #
 

aragats

Daemon

Reaction score: 701
Messages: 1,618

Alain De Vos said:
falkon-qtonly browser has improved a lot.
If you don't use google login it is a good alternative to firefox and its "kern.elf64.aslr.stack_gap=0"
Does falkon-qtonly support extensions like uBlock Origin...?
Recently I tried using Falkon as the main browser for a while, however, found it's significantly slower compared to Firefox.
Also, it does not honor Xorg's DPI setting. I think it's a Qt problem, and using QT_SCALE_FACTOR makes it ugly.
 

Phishfry

Beastie's Twin

Reaction score: 2,670
Messages: 5,596

I think it's a Qt problem
Try compiling Falkon from ports. There was something I turned off that made it nicer. I think it was webkit? Not sure. I messed with the ports options and found something OK.
I am not saying its faster but it is an alternative to the Mozilla monoculture.
I gave up on Otter. It works but captchas don't.
 

mer

Aspiring Daemon

Reaction score: 339
Messages: 552

Try compiling Falkon from ports. There was something I turned off that made it nicer. I think it was webkit? Not sure. I messed with the ports options and found something OK.
I am not saying its faster but it is an alternative to the Mozilla monoculture.
I gave up on Otter. It works but captchas don't.
pkg search falkon shows 2 flavors: falkon and falkon-qtonly. Qt only says "no integration with KDE Plasma" so maybe that?
 

mer

Aspiring Daemon

Reaction score: 339
Messages: 552

That's exactly what is needed ― I don't need KDE bindings. Qt is used by KDE as back-end, not opposite.
I can verify that it at least works, plays video and audio, renders fast enough for me on my normal websites. Looks like the memory usage may be a bit less than firefox, based on a simple test of logging into this site, this thread in both.
Gotta love web "standards" where some things only work on browser-X others on browser-Y.
 

Aeterna

Member

Reaction score: 30
Messages: 99

Firefox gives a segmentation fault. But this is known. Time to use qutebrowser.
In fstab,
Code:
/dev/ada2p2.eli    none         swap                          sw,ealgo=aes,keylen=128,sectorsize=16384 0 0

I have
Code:
/dev/ada0p2.eli    none    swap    sw,ealgo=AES-XTS,keylen=256,sectorsize=4096    0    0
and firefox works fine.
 

TempleBSD

Member

Reaction score: 14
Messages: 43

Second time today posting /etc/pf.conf. [...]
Could you explain to me why one would want a firewall running on a desktop? I have all my devices sitting behind my pfSense router with a restrictive firewall and Suricata IDS (for the servers). If I don't explicitly make a mistake, no device should ever (try to) communicate with the internet in a way not intended by me. And then there is still the firewall on my router. Recently saw this bit on yt and that is about what I'm trying to say:
It's titled "Linux" but this part really does apply to all computers which the admin actually owns/controls. Video is only playing from the relevant chapter on.
https://youtu.be/fKuqYQdqRIs?t=823
 