How do I take full ownership of my FreeBSD installation?

[SirDice]

I want to know the weakest links

Just to get back to this. Your biggest threat is you and anyone else that uses the system. Even the most secure system in the world isn't going to protect you if you run something stupid.

 

[gpw928]

I think that disabling ssh might make your system less secure, because you will require routine access (from secure networks) for patching and general administration if you want to keep your system secure.

By all means disable PermitRootLogin, and PasswordAuthentication.

Otherwise it's difficult to offer generic advice without knowing the attack surfaces. e.g. putting a competent firewall between your host an the Internet makes some difference...

For a generic high level approach, there's a lot of prior art curated by various cyber security organisations.

e.g. when I was working full time, the ASD Essential Eight for Linux was mandatory, and audited. You can see it's written for Windows and adapted to Linux/Unix, but many of the ideas are relevant to FreeBSD.

And I agree with SirDice. A competent backup system is your best insurance, by far.

 

[msplsh]

If he's only logging in at the console, then it doesn't matter if sshd is disabled.

 

[Toolforger]

A competent backup system is your best insurance, by far.

Actually I am trying to build that competent backup system
(Project blurb: "Panicroom: A citadel for your data" - "citadel" in the sense of "the building to retreat to when under attack", maybe there's a better word?)

 

[gpw928]

This thread on the subject of backups may be of interest.

 

[Mjölnir]

I'm struggling with getting an overview of all the services installed, and what configuration I have to check.

install the freebsd-doc (english + your native language) and get through it. It's of the finest you can find among OS user/admin docs.

$ su -
# pkg search freebsd-doc
# pkg install {en,it}-freebsd-doc

You may want to transfer or download the PDF or HTML docs to your graphical desktop computer.

How do I identify all the rc.conf settings that pertain to a service?

Replace "ipfw" with the service name you get from service -l
$ service ipfw rcvar
Unfortunately, very few service scripts support this, so you have to read the service scripts. They are in /etc/rc.d and /usr/local/etc/rc.d. Luckily, the relevant settings are at the top of the scripts (mostly, not always). The default settings are in /etc/defaults/rc.conf. Besides that, many services grab additional settings from their own configurations files, mostly found under /etc and /usr/local/etc

How do I make sure I didn't overlook an important rc.conf setting (or other setting)?

It's hard to give an honest answer... Be curious but patient and start to learn. It's worth it, be ashured you have solid system.

I do assume that FreeBSD is pretty secure by default.

Hmm. Yes and no...
At least go through # bsdconfig and set the single user console to ask for a password (that edits /etc/ttys)
Last not least, you need to have a system manufactured before 2008 because todays consumer devices are like mainframe systems twenty years ago. If you want to be absolutely safe -- well, don't use any computer at all.