ICMP redirects can be used to launch a DoS attack, as explained in the ICMP redirect portion of this ARP and ICMP redirection games article.
Be very careful if you decide to include the icmp_log_redirect option, as it will log every ICMP redirect, which has the potential of filling up your logging directory if you ever are the victim of this type of attack.
When you built your firewall, you probably included this option:
If you didn't, it is a good option to include, as it logs all attempts to closed ports.
An interesting option is:
This will enable system accounting. If you're new to system accounting, read man sa and man lastcomm to decide whether this option would be useful to you.
Finally, this is a good option to include:
as it will clear /tmp at startup, which is always a good thing.
/etc/rc.conf and see what else we can do to tighten up your system. I like to change the default algorithm used when encrypting a user's password to the Blowfish algorithm, as it provides the highest security at the greatest speed. Here is a quick comparison of algorithms.
Also, if you're interested in this sort of stuff, check out the Cryptogram newsletter written by the author of Blowfish.
To implement Blowfish hashes, edit /etc/login.conf and change the passwd_format line so that it looks like this:
Save your change, then rebuild the login database with this command:
You'll then have to change all of your users' passwords so they will get a new Blowfish hash. You can do this by typing:
as the superuser. Whatever username you use, that will be the user whose password will be updated. Repeat for all of your users, including the root account.
Once you're finished, double-check that it worked and you didn't forget any users:
All of the passwords for your users should begin with
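Added example, not from the original column: a small audit script for the step above. It reads a master.passwd-style file (the sample below is constructed, not a real password database) and reports every account whose password field is not a Blowfish hash. On FreeBSD, Blowfish (bcrypt) hashes begin with $2a$ (newer releases also produce $2b$), MD5 hashes begin with $1$, and traditional DES hashes carry no $-prefix at all; an empty password field is reported separately because it means a login with no password.

```shell
#!/bin/sh
# Added example, not from the column: list accounts in a master.passwd-style
# file whose password field still needs attention after the switch to Blowfish.
# Blowfish (bcrypt) hashes begin with $2a$ or $2b$; MD5 hashes begin with $1$;
# DES hashes have no $-prefix. Reads the file named as $1, or standard input.

# Constructed sample in master.passwd format (hash strings are placeholders):
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_PASSWD='# comment line, ignored
root:$2a$04$ConstructedBlowfishHashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
dlavigne6:$1$saltsalt$ConstructedMD5Hashxxxxxxxxxx:1001:1001::0:0:Dru:/home/dlavigne6:/bin/tcsh
olduser:abConstructedDES:1002:1002::0:0:Old DES hash:/home/olduser:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
guest::1003:1003::0:0:Guest:/home/guest:/bin/sh'

# Print "name:reason" for every account that is not protected by a Blowfish hash.
# Locked accounts (password field starting with "*") have nothing to rehash.
non_blowfish_accounts() {
    awk -F: '
        /^#/ || NF < 2        { next }                          # comments, blanks
        $2 == ""              { print $1 ":empty-password"; next }
        $2 ~ /^\*/            { next }                          # locked, e.g. "*"
        $2 !~ /^\$2[ab]\$/    { print $1 ":not-blowfish" }      # MD5, DES, ...
    ' "$@"
}

# Exit status 0 only when every password-bearing account uses Blowfish.
all_blowfish() {
    [ -z "$(non_blowfish_accounts "$@")" ]
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_PASSWD" | non_blowfish_accounts
```

Against a real system you would run it as non_blowfish_accounts /etc/master.passwd as the superuser; an empty result (all_blowfish succeeding) means no account was forgotten.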
Finally, configure the adduser utility to use Blowfish whenever you create a new user by editing /etc/auth.conf. Change the
so that it looks like this:
You've probably noticed when you log in to your FreeBSD system that your login prompt reminds you that you are running FreeBSD, and that after you log in, you receive the FreeBSD copyright information, which is followed by the version of FreeBSD and the name of your kernel, and finally, a useful (but rather boring) motd which again reminds you that you are running FreeBSD. You probably already know what version of FreeBSD you are running and might not want to share that information with the rest of the world. And the motd is a good place to remind the rest of the world that they shouldn't be messing with your system anyway.
You can edit /etc/motd to say whatever suits your purposes, be it anything from your favorite sci-fi excerpt to all the nasty things that will happen to someone if they continue to try to log in to your system.
Next, to remove the copyright info:
Then to change the text that appears at the login prompt, edit /etc/gettytab. Find the line in the default:\ section that starts with
Carefully change the text between \r\n\ \r\n\r\nr\n: to whatever text you wish to appear. Double-check that you have the right number of \ns and save your change. For example, my login prompt looks like this:
I'm a node in cyberspace. Who are you? login:
You can test your changes by going to another terminal and logging in.
Finally, even though you've edited your motd to remove your version and kernel information, by default FreeBSD will still re-add it to /etc/motd every time you log in. To prevent this behavior, add the following line to
This change requires a reboot, so make sure you've first tested your previous changes and have saved all of your work on any other terminals.
There are a few edits that will also restrict logins to your system in the
first place. Since these changes modify the behavior of the
program, you'll want to carefully test your changes. Keep one terminal open and go to another terminal to log out and ensure that you can still log in. If for some reason you're unable to log in (this shouldn't happen, but you can't be too careful), you can return to the other terminal and look for typos in the file you just edited.
No one (including you) should ever log in to your system using the root account. To prevent this from happening, edit /etc/ttys. Once you get past a page's worth of comments, you'll notice a section that goes from
ttyv8. Change the word secure on each of those lines to insecure. This is a file you don't want a typo in, so double-check your changes carefully. Test your change by trying to log in as root on one of your terminals. You should receive a "Login incorrect" message.
Personally, I tend to use all nine terminals on my desktop. If you don't, you
can also change the word "on" to "off" on some of the
/etc/ttys. Remember to leave at least one terminal "on," or else you won't be able to log in, which will severely hamper the usefulness of your system. You'll also note that ttyv8 is "off" by default, which means you have to manually start an X Window session. If you'd like X to start automatically at bootup, change that "off" to "on."
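Added example, not from the original column: a check for the two /etc/ttys edits just described. It is run here against a constructed sample of the file, not the column's own, and reports any terminal that is both "on" and still marked "secure" (so root could log in there directly), plus the number of terminals left "on" so you can confirm it is not zero. Because the getty command field is quoted and may contain a space, the script looks for the whole words rather than counting on fixed field positions.

```shell
#!/bin/sh
# Added example, not from the column: audit an /etc/ttys-style file after the
# secure->insecure and on/off edits. Each entry is: name, getty command
# (quoted, may contain a space), terminal type, on/off, optional flags such
# as secure/insecure. Reads the file named as $1, or standard input.

# Constructed sample in /etc/ttys format (not the column's file).
SAMPLE_TTYS='# name  getty                           type    status  comments
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
ttyv1   "/usr/libexec/getty Pc"         cons25  on  insecure
ttyv2   "/usr/libexec/getty Pc"         cons25  off insecure
ttyv8   "/usr/X11R6/bin/xdm -nodaemon"  xterm   off secure'

# Print the names of enabled terminals that still permit a direct root login.
secure_enabled_ttys() {
    awk '
        /^#/ || NF == 0 { next }
        {
            on = 0; secure = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "on")     on = 1
                if ($i == "secure") secure = 1
            }
            if (on && secure) print $1
        }
    ' "$@"
}

# Count enabled terminals; zero means nobody can log in at the console.
enabled_tty_count() {
    awk '
        /^#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == "on") { n++; break } }
        END { print n + 0 }
    ' "$@"
}

# Run against the constructed sample when executed directly.
echo "terminals that are on and secure:"
printf '%s\n' "$SAMPLE_TTYS" | secure_enabled_ttys
echo "terminals that are on: $(printf '%s\n' "$SAMPLE_TTYS" | enabled_tty_count)"
```

On a real system, secure_enabled_ttys /etc/ttys should print nothing once the edits are done, and enabled_tty_count /etc/ttys should print at least 1.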
The last edit I'll mention in today's article allows you to restrict who can log in to your system and from where. This is done by editing
If you want to prevent all remote logins (meaning you can only log in if you are physically sitting at your system), remove the # from this line:
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
and remove the .win.tue.nl so that the line now looks like this:
-:wheel:ALL EXCEPT LOCAL
If you plan on accessing your system remotely, replace
the IP address(es) or hostname(s) of the system(s) you'll be logging in from. If there are multiple addresses, separate them with a single space.
If you have only one or two user accounts that you wish to be able to log in to your system, you can prevent all other logins like so:
-:ALL EXCEPT user1 user2:ttyv0 ttyv1 ttyv2 ttyv3 ttyv4
user1 user2 with the names of the user accounts to which you wish to give access. Put in as many ttys as you wish to restrict.
Alternatively, you can place the users in a group and give login access to that group. This example adds the users dlavigne6 to a group called mygroup and allows only the members of that group to log in to my FreeBSD system. First, I'll edit /etc/group and carefully add this
When you add your own group, make sure you use a GID (in my case, 100) that is not being used by any other lines in your
-:ALL EXCEPT mygroup:ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5
It is very important you test this change. Leave one terminal logged in, just in case something goes wrong. Go to another terminal and try to log in as each of the users in your group. That should work. Then try to log in as another user; if need be, create a test account and try to log in as that test account. That login attempt should result in a "Permission denied" message.
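Added example, not from the original column: a small evaluator for login.access rules of the form permission:users:origins, covering both the "ALL EXCEPT LOCAL" form and the "ALL EXCEPT user1 user2" / "ALL EXCEPT mygroup" form shown above, so you can see what a rule will do to a given user before you rely on the terminal test. It follows the semantics of login.access(5): the first matching rule decides, ALL matches anything, LOCAL matches any origin without a dot, and a login that no rule matches is allowed. The rule set below is constructed for the example, and the user's group membership is passed in by the caller rather than read from /etc/group.

```shell
#!/bin/sh
# Added example, not from the column: evaluate login.access rules
# (permission:users:origins) against a user, their groups and an origin.
# Follows login.access(5): first matching rule wins; no match means allow.

# Constructed rule set combining both forms shown in the column.
RULES='# members of wheel may only log in from local terminals
-:wheel:ALL EXCEPT LOCAL
# only members of mygroup may use the first six virtual consoles
-:ALL EXCEPT mygroup:ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5'

# user_item_matches ITEM USER "GROUPS": ITEM is ALL, a login name or a group name.
user_item_matches() {
    [ "$1" = ALL ] && return 0
    [ "$1" = "$2" ] && return 0
    for _g in $3; do
        [ "$1" = "$_g" ] && return 0
    done
    return 1
}

# origin_item_matches ITEM ORIGIN: ITEM is ALL, LOCAL (origin has no dot),
# a tty name, a host name or address, a domain suffix (leading dot) or a
# network prefix (trailing dot).
origin_item_matches() {
    case $1 in
        ALL)   return 0 ;;
        LOCAL) case $2 in *.*) return 1 ;; *) return 0 ;; esac ;;
        .*)    case $2 in *"$1") return 0 ;; *) return 1 ;; esac ;;
        *.)    case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$1" = "$2" ] ;;
    esac
}

# list_matches "ITEMS" MATCHER ARGS...: succeed when any item matches.
list_matches() {
    _list=$1; _m=$2; shift 2
    for _item in $_list; do
        "$_m" "$_item" "$@" && return 0
    done
    return 1
}

# field_matches "FIELD" MATCHER ARGS...: a field is "list" or "list EXCEPT list".
field_matches() {
    _field=$1; _matcher=$2; shift 2
    case $_field in
        *" EXCEPT "*)
            _inc=${_field%% EXCEPT *}
            _exc=${_field#* EXCEPT }
            list_matches "$_inc" "$_matcher" "$@" &&
                ! list_matches "$_exc" "$_matcher" "$@"
            ;;
        *)  list_matches "$_field" "$_matcher" "$@" ;;
    esac
}

# login_decision USER "GROUPS" ORIGIN: print allow or deny for that login.
login_decision() {
    _result=$(printf '%s\n' "$RULES" | while IFS= read -r _line; do
        case $_line in ''|\#*) continue ;; esac     # skip blanks and comments
        _perm=${_line%%:*}
        _rest=${_line#*:}
        _users=${_rest%%:*}
        _origins=${_rest#*:}
        if field_matches "$_users" user_item_matches "$1" "$2" &&
           field_matches "$_origins" origin_item_matches "$3"; then
            case $_perm in +) echo allow ;; *) echo deny ;; esac
            break
        fi
    done)
    echo "${_result:-allow}"
}

# Try the constructed rules on a few logins when executed directly.
echo "dlavigne6 (mygroup) on ttyv0:       $(login_decision dlavigne6 mygroup ttyv0)"
echo "bob (users) on ttyv0:               $(login_decision bob users ttyv0)"
echo "bob (users) on ttyv7:               $(login_decision bob users ttyv7)"
echo "dru (wheel) from host.example.com:  $(login_decision dru wheel host.example.com)"
```

The second rule shows why the terminal test in the column matters: a user outside mygroup is refused on ttyv0 through ttyv5 but is still allowed on any tty the rule does not list, so every console you want covered has to appear in the origins field.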
That's all the space I have for this week. In the next article, I'll
resume the archiving series by demonstrating the little-known but very
If you've tried to email me lately, you've noticed that my address has changed. I can now be reached at email@example.com.
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.