
Interesting New Ports

Hardening Your System's Security

The final port I'd like to demonstrate is found in /usr/ports/security/lockdown. I was originally skeptical since this port is a script designed to harden or increase the security of a FreeBSD system. I tend to shy away from such promises, as hardening a system definitely doesn't fit into the one-size-fits-all category.



However, Daniel Blankensteiner has done an excellent job in creating a totally configurable script that allows you to apply a set of custom configurations. An administrator could easily create a separate configuration file suited to each of his systems. Not only is the configuration file easy to apply, it supplies a concrete record of changes applied to a newly installed or upgraded system.

Once you've installed the port, familiarize yourself with man lockdown -- it summarizes the various configuration options contained within the script configuration file.

Then:

# cp /usr/local/etc/lockdown.conf.sample /usr/local/etc/lockdown.conf

Note: If you're planning on making configuration files for multiple systems, include the hostname of the system in the name of the copied file. This way, you can store multiple configuration files in a central location and, when you run lockdown, select the desired file with the -f switch.

Open the copied-over file in your favorite editor. You'll find that this file is very well commented, with many sample hardening changes to get you started. For example, here's a section on tightening up /etc/fstab to mount your partitions securely:

####################
# Mounting options #
####################
# If the mount point exists, mount it with the specified options.
# Please remember that /tmp has to be executable to "make world"
# and if you need to jail a process in a partition, don't mount it with "nodev"

mount /tmp       rw,noexec,nosuid,nodev,nosymfollow
mount /var/tmp   rw,noexec,nosuid,nodev,nosymfollow
mount /home      rw,noexec,nosuid,nodev
mount /usr/home  rw,noexec,nosuid,nodev
mount /var       rw,nosuid,nodev
mount /var/mail  rw,noexec,nodev,nosuid

If these mount options are new to you, see the -o section of man mount. You'll also find the FreeBSD Security How-To useful when determining which options suit your environment.
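As an added example (not code from this column or from the lockdown port), the following POSIX shell script audits an fstab against the hardening options the sample section above requests, so you can confirm what lockdown wrote, or check a host before running it. The fstab content is a constructed sample embedded in the script; run `audit_fstab < /etc/fstab` to check a real host. Only the hardening options (noexec, nosuid, nodev, nosymfollow) are checked; `rw` is ignored, and mount points that are not separate file systems in the fstab are skipped rather than reported.

```sh
#!/bin/sh
# Added example, not part of the lockdown port or this column: audit an
# fstab (read from stdin) against the hardening options the sample
# lockdown.conf above requests. Prints "<mountpoint> missing <option>" for
# each gap. Only mount points that actually appear in the fstab are checked.

# Required options per mount point, copied from the sample lockdown.conf
# above ("rw" omitted: it is not a hardening option).
REQUIRED='
/tmp       noexec,nosuid,nodev,nosymfollow
/var/tmp   noexec,nosuid,nodev,nosymfollow
/home      noexec,nosuid,nodev
/usr/home  noexec,nosuid,nodev
/var       nosuid,nodev
/var/mail  noexec,nodev,nosuid
'

# audit_fstab: fstab text on stdin -> one finding per line on stdout.
audit_fstab() {
    # Drop comments, keep field 2 (mount point) and field 4 (options).
    fstab=$(sed -e 's/#.*//' | awk 'NF >= 4 { print $2, $4 }')
    printf '%s\n' "$REQUIRED" | while read -r mp wanted; do
        [ -n "$mp" ] || continue
        opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$1 == mp { print $2 }')
        [ -n "$opts" ] || continue        # not a separate file system here
        for opt in $(printf '%s' "$wanted" | tr ',' ' '); do
            case ",$opts," in
                *",$opt,"*) : ;;          # option present
                *) printf '%s missing %s\n' "$mp" "$opt" ;;
            esac
        done
    done
}

# fstab_is_hardened: stdin as above; exit 0 only if nothing is missing.
fstab_is_hardened() {
    [ -z "$(audit_fstab)" ]
}

# Constructed sample fstab (not from a real host): /tmp is already
# hardened, /var lacks nodev, /home lacks noexec, /var/tmp is not split out.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options                              Dump Pass
/dev/ad0s1a     /           ufs     rw                                   1    1
/dev/ad0s1d     /tmp        ufs     rw,noexec,nosuid,nodev,nosymfollow   2    2
/dev/ad0s1e     /var        ufs     rw,nosuid                            2    2
/dev/ad0s1f     /usr        ufs     rw                                   2    2
/dev/ad0s1g     /home       ufs     rw,nosuid,nodev                      2    2
/dev/acd0       /cdrom      cd9660  ro,noauto                            0    0'

# Demo on the sample; on a real host use: audit_fstab < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab
```

Run against the sample it reports that /home lacks noexec and /var lacks nodev; `fstab_is_hardened` gives a single pass/fail exit status for use in a post-install check.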

The next section allows you to set your /etc/rc.conf options and gives some ideas to get you started. See man rc.conf for each possible option.

########################
# /etc/rc.conf options #
########################
# This will just add some options to /etc/rc.conf
rc_conf sendmail_enable="NONE"       # The rc.conf variable is sendmail_enable;
                                     # a misspelled name is silently ignored
rc_conf kern_securelevel_enable="YES"
rc_conf portmap_enable="NO"
rc_conf inetd_enable="NO"
rc_conf kern_securelevel="3"
rc_conf clear_tmp_enable="YES"
#rc_conf update_motd="NO"
rc_conf syslogd_flags="-ss"          # Comment this if this is a 
                                     # log server (or change it)

The next section allows you to create a stealth server:

##################
# Stealth server #
##################
# If this is a log server, firewall or gateway you can put it into 
# stealth mode. 
# This is NOT recommended for normal server use.
# Note: For a stealthier server you should also block some icmp request
# like:
# Echo, Time and Netmask requests
#rc_conf tcp_drop_synfin="YES"
#sysctl net.inet.tcp.blackhole=2
#sysctl net.inet.udp.blackhole=1
#kern 	options	IPSTEALTH
#kern 	options	TCP_DROP_SYNFIN

The earlier Securing FreeBSD column discussed these options, and many of those that follow, in greater detail.

The next section allows you to set various networking configurations:

######################
# Networking options #
######################
rc_conf icmp_drop_redirect="YES"
rc_conf icmp_log_redirect="YES"
rc_conf log_in_vain="YES"
kern 	options	RANDOM_IP_ID
openssh AllowGroups wheel
openssh Protocol 2

set_warning "
Warning
I blah blah blah blah
and then some"

The openssh lines add directives to sshd_config (here restricting logins to members of the wheel group and disabling SSH protocol 1), and set_warning holds the text of the warning banner. See the Configuring SSH column for more details.

Next, you have the opportunity to customize /etc/login.conf:

#######################
# Login Class options #
#######################
login_class default minpasswordlen=8
login_class default mixpasswordcase=true
login_class default umask=077
# Encryption of passwords
auth_conf crypt_default=blf
login_class default passwd_format=blf

Then, /etc/ttys:

##############
# Root Login #
##############
allow_direct_root_login NO               # Set tty* in /etc/ttys to
                                         # insecure
password_protect_singleuser_mode YES     # Set console to insecure
                                         # in /etc/ttys

There are user-specific options:

#####################
# Restrict the user #
#####################
allow_cron NO
allow_at NO
sysctl security.bsd.see_other_uids=0     # Use kern.ps_showallprocs
                                         # for 4.X

As well as kernel options:

##################
# Kernel options #
##################
kern options	SC_NO_HISTORY           # Don't keep console history, so
                                        # earlier output can't be scrolled back
kern options	SC_DISABLE_REBOOT       # Disable ctrl+alt+del
#kern options	SC_DISABLE_DDBKEY       # Uncomment if the kernel debugger
                                        # (DDB) is compiled into the kernel

Finally, there is an entire section for permissions and file flags:

#################################
# Restrict access to suid files #
#################################
# If you want /somefile to have:
#	Permissions 0000
#	User root
#	Group wheel
#	Flags uappnd and schg
# Just write:
# file /somefile p: 0000 u: root g: wheel f: uappnd,schg
file /bin/rcp p: disable
file /sbin/mksnap_ffs p: noWorld 
file /sbin/ping p: noWorld
<snip long list of files>

################################
# Restrict access to gid files #
################################
file /usr/bin/fstat p: noWorld
file /usr/bin/netstat p: noWorld
file /usr/bin/vmstat p: noWorld
file /usr/bin/wall p: noWorld
file /usr/bin/write p: noWorld
file /usr/bin/lpq p: noWorld
file /usr/bin/lpr p: noWorld
file /usr/bin/lprm p: noWorld
file /usr/libexec/sendmail/sendmail p: noWorld
file /usr/sbin/trpt p: noWorld
file /usr/sbin/lpc p: noWorld

########################################
# Restrict access to information files #
########################################
# if you change permissions on files also listed in /etc/newsyslog.conf, 
# Lockdown will also adjust /etc/newsyslog.conf accordingly
file /sbin/sysctl p: noWorld
file /usr/bin/uname p: noWorld
file /sbin/kldstat p: noWorld
#file /usr/bin/netstat p: noWorld		#Uncomment if using 4.X
file /sbin/route p: noWorld
<snip long list of files>
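To make the file syntax concrete, here is an added example (my own code, not the port's) that translates lockdown-style file lines into the chmod/chown/chgrp/chflags commands they imply and prints them instead of running them, so the plan can be reviewed before it touches a system. The meanings of the noWorld and disable keywords (strip the world permission bits; set mode 0000) are my reading of the names and are not documented on this page; the sample configuration is constructed from the sections above.

```sh
#!/bin/sh
# Added example, not code from the lockdown port or this column: turn the
# "file" lines of a lockdown.conf into the chmod/chown/chgrp/chflags commands
# they imply and print them instead of running them. The keyword meanings are
# my reading of the sample's names, not documented on this page:
#   p: <octal>  -> chmod <octal>      p: noWorld -> chmod o-rwx (drop world bits)
#   p: disable  -> chmod 0000         u: <user>  -> chown <user>
#   g: <group>  -> chgrp <group>      f: <flags> -> chflags <flags>
# Keys are emitted in the order written, so a mode/owner change precedes a
# schg flag that would otherwise block it.

# file_line_to_cmds "file /path p: ... u: ... g: ... f: ..." -> commands, one per line
file_line_to_cmds() {
    set -- $1                         # split the line on whitespace
    [ "$1" = "file" ] || { echo "not a file line: $*" >&2; return 1; }
    path=$2
    shift 2
    while [ $# -ge 2 ]; do
        case $1 in
            p:) case $2 in
                    noWorld)  echo "chmod o-rwx $path" ;;
                    disable)  echo "chmod 0000 $path" ;;
                    [0-7]*)   echo "chmod $2 $path" ;;
                    *) echo "unknown permission keyword: $2" >&2; return 1 ;;
                esac ;;
            u:) echo "chown $2 $path" ;;
            g:) echo "chgrp $2 $path" ;;
            f:) echo "chflags $2 $path" ;;
            *)  echo "unknown key: $1" >&2; return 1 ;;
        esac
        shift 2
    done
}

# plan_from_config: lockdown.conf on stdin -> full command plan on stdout.
# Comments and non-"file" directives (rc_conf, sysctl, ...) are ignored.
plan_from_config() {
    sed -e 's/#.*//' | while read -r line; do
        case $line in
            "file "*) file_line_to_cmds "$line" ;;
        esac
    done
}

# Constructed sample (lines modelled on the sections above, plus one
# non-file directive to show it is skipped).
SAMPLE_CONF='# Restrict access to suid files
file /bin/rcp p: disable
file /sbin/ping p: noWorld
rc_conf inetd_enable="NO"
file /somefile p: 0000 u: root g: wheel f: uappnd,schg'

# Demo; on a real config: plan_from_config < /usr/local/etc/lockdown.conf
printf '%s\n' "$SAMPLE_CONF" | plan_from_config
```

Because nothing is executed, the script runs on any system with sh, sed and awk; on FreeBSD the printed chflags lines are the ones that matter, since a file carrying schg cannot be modified or have its mode changed again until the flag is cleared at a lower securelevel.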

I was very pleased with the comprehensiveness of the configuration file and how easy it is to make my own changes. If you wish to suggest additional sections to the file, Daniel is open to suggestions. See his site for contact information.

Conclusion

Also, I'm open to suggestions for future articles you'd like to see in this series. Drop me a line if there is a port or a feature of FreeBSD that you'd like to see demonstrated.

Finally, if you live in North America, mark May 13-16 on your calendar and see if you can find a way to make it to Ottawa, Ontario, Canada. Yes, BSDCan is fast approaching and there is an amazing lineup of presenters. Here's your chance to meet with other FreeBSD users and to put faces to those names you see at the FreeBSD site and on the mailing lists. I'll be manning the registration desk and look forward to seeing you there. We'll also try to have copies of BSD Hacks available.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.




