New to FreeBSD - Security Audit

A.Ch

A.Ch

Hello everyone,

Recently I started my own self managed FreeBSD serverto host one of my own websites. For certain reasons I used DirectAdmin hosting control panel to ease up some processes for myself.

I have already done some server and SSH hardening thanks to online articles however, when I checked my server using Lynis Audit I noticed that there are some warnings still.

I would really appreciate if you help me regarding this issue.

This is my the Audit report:

Code: 
+] System Tools
------------------------------------
  - Scanning available tools...
  - Checking system binaries...
2018-07-16 15:00:44 cwd=/ 2 args: /usr/sbin/exim -bV

[+] Plugins (phase 1)
------------------------------------
 Note: plugins have more extensive tests and may take several minutes to complete
 
  - Plugins enabled                                           [ NONE ]

[+] Boot and services
------------------------------------
  - Service Manager                                           [ bsdrc ]
  - Checking presence FreeBSD loader                          [ FOUND ]
  - Checking services at startup (service/rc.conf)            [ DONE ]
      Result: found 25 services/options set

[+] Kernel
------------------------------------
  - Checking active kernel modules
    Found 3 kernel modules                                    [ DONE ]

[+] Memory and Processes
------------------------------------
  - Searching for dead/zombie processes                       [ OK ]
  - Searching for IO waiting processes                        [ OK ]

[+] Users, Groups and Authentication
------------------------------------
  - Administrator accounts                                    [ WARNING ]
  - Unique UIDs                                               [ WARNING ]
  - Checking chkgrp tool                                      [ FOUND ]
    - Checking consistency of /etc/group file                 [ OK ]
  - Login shells                                              [ WARNING ]
  - Unique group IDs                                          [ OK ]
  - Unique group names                                        [ OK ]
  - Query system users (non daemons)                          [ DONE ]
  - NIS+ authentication support                               [ NOT ENABLED ]
  - NIS authentication support                                [ ENABLED ]
  - sudoers file                                              [ NOT FOUND ]
  - PAM password strength tools                               [ OK ]
  - PAM configuration file (pam.conf)                         [ NOT FOUND ]
  - PAM configuration files (pam.d)                           [ FOUND ]
  - Determining default umask
    - umask (/etc/profile and /etc/profile.d)                 [ OK ]
    - umask (/etc/login.conf)                                 [ WEAK ]
  - LDAP authentication support                               [ NOT ENABLED ]

[+] Shells
------------------------------------
  - Checking console TTYs                                     [ WARNING ]
  - Checking shells from /etc/shells
    Result: found 3 shells (valid shells: 3).
    - Session timeout settings/tools                          [ NONE ]
  - Checking default umask values
    - Checking default umask in /etc/csh.cshrc                [ NONE ]
    - Checking default umask in /etc/profile                  [ NONE ]

[+] File systems
------------------------------------
  - Checking mount points
    - Checking /home mount point                              [ SYMLINK ]
    - Checking /tmp mount point                               [ SUGGESTION ]
    - Checking /var mount point                               [ SUGGESTION ]
  - Querying FFS/UFS mount points (fstab)                     [ FOUND ]
  - Querying ZFS mount points (mount -p)                      [ NONE ]
  - Query swap partitions (fstab)                             [ OK ]
  - Testing swap partitions                                   [ OK ]
  - Checking for old files in /tmp                            [ OK ]
  - Checking /tmp sticky bit                                  [ OK ]
  - Checking /var/tmp sticky bit                              [ OK ]

[+] USB Devices
------------------------------------

[+] Storage
------------------------------------

[+] NFS
------------------------------------
  - Query rpc registered programs                             [ DONE ]
  - Query NFS versions                                        [ DONE ]
  - Query NFS protocols                                       [ DONE ]
  - Check running NFS daemon                                  [ NOT FOUND ]

[+] Name services
------------------------------------
  - Checking /etc/resolv.conf options                         [ FOUND ]
  - Searching DNS domain name                                 [ FOUND ]
      Domain name: aionets
  - Checking Unbound status                                   [ RUNNING ]
  - Checking configuration file                               [ OK ]
  - Checking BIND status                                      [ FOUND ]
    - Checking BIND configuration file                        [ FOUND ]
    - Checking BIND configuration consistency                 [ OK ]
    - Checking BIND version in banner                         [ WARNING ]
  - Checking /etc/hosts
    - Checking /etc/hosts (duplicates)                        [ OK ]
    - Checking /etc/hosts (hostname)                          [ OK ]
    - Checking /etc/hosts (localhost)                         [ OK ]
    - Checking /etc/hosts (localhost to IP)                   [ OK ]

[+] Ports and packages
------------------------------------
  - Searching package managers
  - Checking pkg audit to obtain vulnerable packages          [ NONE ]
  - Checking package audit tool                               [ INSTALLED ]
    Found: pkg audit

[+] Networking
------------------------------------
  - Checking configured nameservers
    - Testing nameservers
        Nameserver: 127.0.0.1                                 [ OK ]
  - Checking default gateway                                  [ DONE ]
  - Getting listening ports (TCP/UDP)                         [ DONE ]
      * Found 44 ports
  - Checking promiscuous interfaces                           [ OK ]
  - Checking waiting connections                              [ OK ]
  - Checking status DHCP client                               [ RUNNING ]

[+] Printers and Spools
------------------------------------
  - Integrity check of printcap file                          [ OK ]
  - Checking cups daemon                                      [ NOT FOUND ]
  - Checking lp daemon                                        [ NOT RUNNING ]

[+] Software: e-mail and messaging
------------------------------------
  - Exim status                                               [ RUNNING ]
  - Dovecot status                                            [ RUNNING ]

[+] Software: firewalls
------------------------------------
  - Checking IPFW status                                      [ RUNNING ]
    - IPFW enabled in /etc/rc.conf                            [ YES ]
  - Checking host based firewall                              [ ACTIVE ]

[+] Software: webserver
------------------------------------
  - Checking Apache                                           [ NOT FOUND ]
  - Checking nginx                                            [ FOUND ]
    - Searching nginx configuration file                      [ FOUND ]
    - Parsing configuration options
        - /usr/local/etc/nginx/nginx.conf
      - SSL configured                                        [ NO ]
      - Checking log file configuration
        - Missing log files (access_log)                      [ NO ]
        - Disabled access logging                             [ NO ]
        - Missing log files (error_log)                       [ NO ]
        - Debugging mode on error_log                         [ NO ]

[+] SSH Support
------------------------------------
  - Checking running SSH daemon                               [ FOUND ]
    - Searching SSH configuration                             [ FOUND ]
    - SSH option: AllowTcpForwarding                          [ SUGGESTION ]
    - SSH option: ClientAliveCountMax                         [ SUGGESTION ]
    - SSH option: ClientAliveInterval                         [ OK ]
    - SSH option: Compression                                 [ SUGGESTION ]
    - SSH option: FingerprintHash                             [ OK ]
    - SSH option: GatewayPorts                                [ OK ]
    - SSH option: IgnoreRhosts                                [ OK ]
    - SSH option: LoginGraceTime                              [ OK ]
    - SSH option: LogLevel                                    [ SUGGESTION ]
    - SSH option: MaxAuthTries                                [ SUGGESTION ]
    - SSH option: MaxSessions                                 [ SUGGESTION ]
    - SSH option: PermitRootLogin                             [ OK ]
    - SSH option: PermitUserEnvironment                       [ OK ]
    - SSH option: PermitTunnel                                [ OK ]
    - SSH option: Port                                        [ SUGGESTION ]
    - SSH option: PrintLastLog                                [ NOT FOUND ]
    - SSH option: Protocol                                    [ OK ]
    - SSH option: StrictModes                                 [ OK ]
    - SSH option: TCPKeepAlive                                [ SUGGESTION ]
    - SSH option: UseDNS                                      [ SUGGESTION ]
    - SSH option: UsePrivilegeSeparation                      [ OK ]
    - SSH option: VerifyReverseMapping                        [ NOT FOUND ]
    - SSH option: X11Forwarding                               [ SUGGESTION ]
    - SSH option: AllowAgentForwarding                        [ SUGGESTION ]
    - SSH option: AllowUsers                                  [ FOUND ]
    - SSH option: AllowGroups                                 [ NOT FOUND ]

[+] SNMP Support
------------------------------------
  - Checking running SNMP daemon                              [ NOT FOUND ]

[+] Databases
------------------------------------
  - MySQL process status                                      [ FOUND ]

[+] LDAP Services
------------------------------------
  - Checking OpenLDAP instance                                [ NOT FOUND ]

[+] PHP
------------------------------------
  - Checking PHP                                              [ FOUND ]
    - Checking PHP disabled functions                         [ FOUND ]
    - Checking expose_php option                              [ ON ]
    - Checking enable_dl option                               [ OFF ]
    - Checking allow_url_fopen option                         [ ON ]
    - Checking allow_url_include option                       [ OFF ]

[+] Squid Support
------------------------------------
  - Checking running Squid daemon                             [ NOT FOUND ]

[+] Logging and files
------------------------------------
  - Checking for a running log daemon                         [ OK ]
    - Checking Syslog-NG status                               [ NOT FOUND ]
    - Checking systemd journal status                         [ NOT FOUND ]
    - Checking Metalog status                                 [ NOT FOUND ]
    - Checking RSyslog status                                 [ NOT FOUND ]
    - Checking RFC 3195 daemon status                         [ NOT FOUND ]
  - Checking remote logging                                   [ NOT ENABLED ]
  - Checking /etc/newsyslog.conf                              [ FOUND ]
    - Checking log directories (newsyslog.conf)               [ DONE ]
    - Checking log files (newsyslog.conf)                     [ DONE ]
  - Checking log directories (static list)                    [ DONE ]
  - Checking open log files                                   [ DONE ]
  - Checking deleted files in use                             [ DONE ]

[+] Insecure services
------------------------------------
  - Checking inetd status                                     [ NOT ACTIVE ]
    - Checking inetd.conf services                            [ OK ]

[+] Banners and identification
------------------------------------
  - /COPYRIGHT                                                [ FOUND ]
  - /etc/COPYRIGHT                                            [ NOT FOUND ]
  - /etc/issue                                                [ NOT FOUND ]
  - /etc/issue.net                                            [ NOT FOUND ]

[+] Scheduled tasks
------------------------------------
  - Checking crontab/cronjob                                  [ DONE ]

[+] Accounting
------------------------------------
  - Checking accounting information                           [ NOT FOUND ]

[+] Time and Synchronization
------------------------------------
  - NTP daemon found: ntpd                                    [ FOUND ]
  - Checking for a running NTP daemon or client               [ OK ]
  - Checking valid association ID's                           [ FOUND ]
  - Checking high stratum ntp peers                           [ OK ]
  - Checking unreliable ntp peers                             [ NONE ]
  - Checking selected time source                             [ OK ]
  - Checking time source candidates                           [ OK ]
  - Checking falsetickers                                     [ OK ]

[+] Cryptography
------------------------------------
  - Checking for expired SSL certificates [0/3]               [ NONE ]

[+] Virtualization
------------------------------------

[+] Containers
------------------------------------

[+] Security frameworks
------------------------------------
  - Checking presence AppArmor                                [ NOT FOUND ]
  - Checking presence SELinux                                 [ NOT FOUND ]
  - Checking presence grsecurity                              [ NOT FOUND ]
  - Checking for implemented MAC framework                    [ NONE ]

[+] Software: file integrity
------------------------------------
  - Checking file integrity tools
    - mtree                                                   [ FOUND ]
  - Checking presence integrity tool                          [ FOUND ]

[+] Software: System tooling
------------------------------------
  - Checking automation tooling
  - Automation tooling                                        [ NOT FOUND ]
  - Checking for IDS/IPS tooling                              [ NONE ]

[+] Software: Malware
------------------------------------
  - Checking ClamAV scanner                                   [ FOUND ]
  - Checking ClamAV daemon                                    [ FOUND ]
    - Checking freshclam                                      [ FOUND ]

[+] File Permissions
------------------------------------
  - Starting file permissions check
    /root/.ssh                                                [ OK ]

[+] Home directories
------------------------------------
  - Checking shell history files                              [ OK ]

[+] Kernel Hardening
------------------------------------
  - Comparing sysctl key pairs with scan profile
    - hw.kbd.keymap_restrict_change (exp: 4)                  [ DIFFERENT ]
    - kern.sugid_coredump (exp: 0)                            [ OK ]
    - net.inet.icmp.bmcastecho (exp: 0)                       [ OK ]
    - net.inet.icmp.drop_redirect (exp: 1)                    [ DIFFERENT ]
    - net.inet.ip.accept_sourceroute (exp: 0)                 [ OK ]
    - net.inet.ip.check_interface (exp: 1)                    [ DIFFERENT ]
    - net.inet.ip.forwarding (exp: 0)                         [ OK ]
    - net.inet.ip.process_options (exp: 0)                    [ DIFFERENT ]
    - net.inet.ip.random_id (exp: 1)                          [ DIFFERENT ]
    - net.inet.ip.redirect (exp: 0)                           [ DIFFERENT ]
    - net.inet.ip.sourceroute (exp: 0)                        [ OK ]
    - net.inet.tcp.always_keepalive (exp: 0)                  [ DIFFERENT ]
    - net.inet.tcp.blackhole (exp: 2)                         [ DIFFERENT ]
    - net.inet.tcp.drop_synfin (exp: 1)                       [ DIFFERENT ]
    - net.inet.tcp.icmp_may_rst (exp: 0)                      [ DIFFERENT ]
    - net.inet.tcp.nolocaltimewait (exp: 1)                   [ DIFFERENT ]
    - net.inet.tcp.path_mtu_discovery (exp: 0)                [ DIFFERENT ]
    - net.inet.udp.blackhole (exp: 1)                         [ DIFFERENT ]
    - net.inet6.icmp6.rediraccept (exp: 0)                    [ DIFFERENT ]
    - net.inet6.ip6.forwarding (exp: 0)                       [ OK ]
    - net.inet6.ip6.fw.enable (exp: 1)                        [ OK ]
    - net.inet6.ip6.redirect (exp: 0)                         [ DIFFERENT ]
    - security.bsd.hardlink_check_gid (exp: 1)                [ DIFFERENT ]
    - security.bsd.hardlink_check_uid (exp: 1)                [ DIFFERENT ]
    - security.bsd.see_other_gids (exp: 0)                    [ OK ]
    - security.bsd.see_other_uids (exp: 0)                    [ OK ]
    - security.bsd.stack_guard_page (exp: 1)                  [ OK ]
    - security.bsd.unprivileged_proc_debug (exp: 0)           [ OK ]
    - security.bsd.unprivileged_read_msgbuf (exp: 0)          [ OK ]

[+] Hardening
------------------------------------
    - Installed compiler(s)                                   [ FOUND ]
    - Installed malware scanner                               [ FOUND ]

[+] Custom Tests
------------------------------------
  - Running custom tests...                                   [ NONE ]

[+] Plugins (phase 2)
------------------------------------

================================================================================

  -[ Lynis 2.6.4 Results ]-

  Warnings (6):
  ----------------------------
  ! Multiple users with UID 0 found in passwd file [AUTH-9204]
    - Solution :
      https://cisofy.com/controls/AUTH-9204/

  ! Multiple accounts found with same UID [AUTH-9208]
    - Solution :
      https://cisofy.com/controls/AUTH-9208/

  ! Possible harmful shell found (for passwordless account!) [AUTH-9218]
    - Solution :
      https://cisofy.com/controls/AUTH-9218/

  ! Found unprotected console in /etc/ttys [SHLL-6202]
    - Solution :
      https://cisofy.com/controls/SHLL-6202/

  ! Found BIND version in banner [NAME-4210]
    - Solution :
      https://cisofy.com/controls/NAME-4210/

  ! PHP option expose_php is possibly turned on, which can reveal useful information for attackers. [PHP-2372]
    - Solution :
      https://cisofy.com/controls/PHP-2372/

  Suggestions (26):
  ----------------------------
  * Version of Lynis outdated, consider upgrading to the latest version [LYNIS]
    - Solution :
      https://cisofy.com/controls/LYNIS/

  * Determine if account is needed, as shell /usr/local/libexec/uucp/uucico does not exist [AUTH-9218]
    - Solution :
      https://cisofy.com/controls/AUTH-9218/

  * Umask in /etc/login.conf could be more strict like 027 [AUTH-9328]
    - Solution :
      https://cisofy.com/controls/AUTH-9328/

  * Symlinked mount point needs to be checked manually [FILE-6310]
    - Details  : /home
    - Solution :
      https://cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
    - Solution :
      https://cisofy.com/controls/FILE-6310/

  * To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
    - Solution :
      https://cisofy.com/controls/FILE-6310/

  * The version in BIND can be masked by defining 'version none' in the configuration file [NAME-4210]
    - Solution :
      https://cisofy.com/controls/NAME-4210/

  * Add HTTPS to nginx virtual hosts for enhanced protection of sensitive data and privacy [HTTP-6710]
    - Solution :
      https://cisofy.com/controls/HTTP-6710/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : AllowTcpForwarding (YES --> NO)
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : ClientAliveCountMax (3 --> 2)
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : Compression (DELAYED --> NO)
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : LogLevel (INFO --> VERBOSE)
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : MaxAuthTries (3 --> 2)
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : MaxSessions (10 --> 2)
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : Port (22 --> )
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : TCPKeepAlive (YES --> NO)
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : UseDNS (YES --> NO)
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : X11Forwarding (YES --> NO)
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Consider hardening SSH configuration [SSH-7408]
    - Details  : AllowAgentForwarding (YES --> NO)
    - Solution :
      https://cisofy.com/controls/SSH-7408/

  * Change the expose_php line to: expose_php = Off [PHP-2372]
    - Solution :
      https://cisofy.com/controls/PHP-2372/

  * Change the allow_url_fopen line to: allow_url_fopen = Off, to disable downloads via PHP [PHP-2376]
    - Solution :
      https://cisofy.com/controls/PHP-2376/

  * Enable logging to an external logging host for archiving purposes and additional protection [LOGG-2154]
    - Solution :
      https://cisofy.com/controls/LOGG-2154/

  * Enable process accounting [ACCT-2754]
    - Solution :
      https://cisofy.com/controls/ACCT-2754/

  * Determine if automation tools are present for system management [TOOL-5002]
    - Solution :
      https://cisofy.com/controls/TOOL-5002/

  * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
    - Solution :
      https://cisofy.com/controls/KRNL-6000/

  * Harden compilers like restricting access to root user only [HRDN-7222]
    - Solution :
      https://cisofy.com/controls/HRDN-7222/

  Follow-up:
  ----------------------------
  - Show details of a test (lynis show details TEST-ID)
  - Check the logfile for all details (less /var/log/lynis.log)
  - Read security controls texts (https://cisofy.com)
  - Use --upload to upload data to central system (Lynis Enterprise users)

================================================================================

  Lynis security scan details:

  Hardening index : 66 [#############       ]
  Tests performed : 189
  Plugins enabled : 0

  Components:
  - Firewall               [V]
  - Malware scanner        [V]

  Lynis Modules:
  - Compliance Status      [?]
  - Security Audit         [V]
  - Vulnerability Scan     [V]
 
What you should (or could) do is mentioned at the end of the report. What exactly isn't clear?
 
I would still suggest that you don't blindly focus on what one program tells you. Now, there are some good suggestions mentioned above, no denying that, but some are also some rather "static" ones as I like to call them. As in: they don't take any other factors into consideration.

For example: if you use sshd yet have also set up blacklistd(8) then setting the password failure attempts from 3 to 2 really won't matter all that much anymore. One could even argue that the risk of using port 22 has also decreased (though I'd definitely highly recommend not using port 22 whenever you need a public accessible ssh server).

Still, this is exactly what I mean with not putting too much trust into this. For example: I am a little surprised that they do suggest putting /tmp on its own filesystem (which is a very good suggestion I think) but then don't bother to mention the execution flag.

So: # mount -o noexec /tmp or # zfs set exec=off zroot/tmp.

Reasoning is simple: if an attacker has managed to gain filesystem access (for example: by abusing a PHP setup) then pretty much everyone will try to run some local exploits using /tmp, because that's a known location for this stuff. Well, not on my servers :D

Another warning: don't think that you'll be safe by merely following up on those suggestions. Security isn't a product or a collection of settings which you can use, it's a (ongoing) methodology.
 
For each of the things that the "Lynis" scanning tool complained about, learn about the underlying system, and think through the security implications. The same applies to each of the things the scanning tool did not complain about: there are many possible security problems that it probably did not find, because they are not just properties of a single host.

Examples: https://cisofy.com/controls/KRNL-6000/ is so overgeneralized to be flat out wrong: There are cases where one validly has to adjust sysctl parameters, without security implications. Similarly, https://cisofy.com/controls/AUTH-9204 is not in general correct; there can be valid reasons to have multiple accounts with UID 0, which can not be addressed by group membership.

Working through the whole list you gave above would take an experienced administrator many hours (perhaps 4 to 8 hours). Please do not expect us to do your work for you.
 
SirDice said:
What you should (or could) do is mentioned at the end of the report. What exactly isn't clear?
Click to expand...
Thank you for you reply,

I just installed this audit tool and since I am new in FreeBSD world I was dubious wether I trust these recommendations or not. Considering the fact that this server is going to be for private web-hosting.

In addition most of the recommendations and articles on their website is not really clear specially for a person like me who is new with this system and has always used administration services and CloudLinux.

Regards.
 
ralphbsz said:
Working through the whole list you gave above would take an experienced administrator many hours (perhaps 4 to 8 hours). Please do not expect us to do your work for you.
Click to expand...
Thank you for your suggestion,

Please note that I don't expect anything. Everyone starts from somehwhere to learn and I thought asking a question (pretty large one, I agree:)) in the related forum was not a bad idea. Sorry for mis understanding !!!
 
ShelLuser said:
I would still suggest that you don't blindly focus on what one program tells you. Now, there are some good suggestions mentioned above, no denying that, but some are also some rather "static" ones as I like to call them. As in: they don't take any other factors into consideration.

For example: if you use sshd yet have also set up blacklistd(8) then setting the password failure attempts from 3 to 2 really won't matter all that much anymore. One could even argue that the risk of using port 22 has also decreased (though I'd definitely highly recommend not using port 22 whenever you need a public accessible ssh server).

Still, this is exactly what I mean with not putting too much trust into this. For example: I am a little surprised that they do suggest putting /tmp on its own filesystem (which is a very good suggestion I think) but then don't bother to mention the execution flag.

So: # mount -o noexec /tmp or # zfs set exec=off zroot/tmp.

Reasoning is simple: if an attacker has managed to gain filesystem access (for example: by abusing a PHP setup) then pretty much everyone will try to run some local exploits using /tmp, because that's a known location for this stuff. Well, not on my servers :D

Another warning: don't think that you'll be safe by merely following up on those suggestions. Security isn't a product or a collection of settings which you can use, it's a (ongoing) methodology.
Click to expand...
Thank you for your great recommendations,

Would you please mention for a server which is going to host a personal website (not a shared server) what security configurations is recommended for FreeBSD ?

Please note that I don't expect details, if you just give me some info I will try to search for it.

Thank you again
 
Another useful tool: By default, cron runs daily/weekly/monthly jobs that check things, and send e-mail to root. Read those e-mails. They scan for many potential security problems.
 
Take the results with a grain of salt. I recommend you go through each warning and suggestion and consider the merits of it. Sometimes security related scanner results make sense, other times they are nonsense.

Consider the shared UID warning. It is probably because you have bash on your system, and, consequently, a user called toor. Toor is locked by default. Someone has to be able to obtain root to access it, which makes its existence a moot point on most systems.

It says you have IPFW running. Good for you, maybe. IPFW doesn't do squat if all of your service ports are open to the whole internet and you are blocking random ports you aren't using. I have frequently seen documentation recommend opening ports from any source for their application. E.g., the only addresses that should be able to connect to your MySQL database are your application servers and possibly an administrative server.

Their comment on symlinked home needing a manual check is nonsense, in my opinion. This is the default on FreeBSD systems. Their scanner should be written to handle this.

The BIND comment makes sense. It is generally a bad idea to reveal versions to the internet.
 
unixer said:
Consider the shared UID warning. It is probably because you have bash on your system, and, consequently, a user called toor.
Click to expand...
Bash has nothing to do with the existence of the toor account. The account is always there, regardless if you installed bash or not. The account can easily be removed, it's not required for anything.
 
This advise doesn't fit using ZFS. Setting limits on var and tmp is easier than creating partitions (and no wasted space at the end of the partitions).

* To decrease the impact of a full /tmp file system, place /tmp on a separated partition [FILE-6310]
- Solution :
https://cisofy.com/controls/FILE-6310/

* To decrease the impact of a full /var file system, place /var on a separated partition [FILE-6310]
- Solution :
https://cisofy.com/controls/FILE-6310/
Click to expand...
 
FWIW a security checklist/rule of thumb:
Install nothing more than you absolutely need
Run no more services than you absolutely need
Create no more users than absolutely necessary
Ensure your web server only has access to what it absolutely needs in order to run; even better if it's in a jail(8)
and even then. Be absolutely sure the permissions are read-only. If at all possible.
Same for DNS
Don't allow ftp, if you can avoid it.
History proves PHP is an exploit waiting to happen. Install no more extentions than absolutely necessary, and be VERY mindful of the /usr/local/etc/php.ini file.
Know what, and when miscreants are knocking on your door; add the following to your sysctl.conf(5) file:
Code: 
net.inet.tcp.log_in_vain=1
The log will be noisy. But it's worth it! You'll quickly learn how to get ahead of the curve.
Consider using pf(4) to thwart aggressors. It's more powerful than the other alternatives available. Requires less fuss-n-muss too.
Most of all this seems obvious, looking at it. But you might find it helpful to create a "checklist". As it's easy to overlook something, when you're bogged down in setting things up. What with all the details they involve.

HTH!

--Chris
 
You must log in or register to reply here.
Back
Top