Securing FreeBSD 4.x STABLE

oscarcvt writes "While browsing through daily daemon news I found a story posted on Jan 4th that made reference to an article about securing FreeBSD 4.x. The article is titled 'A basic guide to securing FreeBSD 4.x-STABLE' . Everything from mounting ro to secure levels and lots of other stuff. Happy secureading!"

Securing FreeBSD

[CounterZer0]

Isn't it called 'Insert the OpenBSD install CDROM, and reboot'.?

Re:Securing FreeBSD

This is what I really hate about Slashdotters, and especially Linux users, the no clue about security.
First, there is no such thing as a secure system, there are however trusted systems, how much trust you can put in a system and its proven that it will always hold true to that level.
The difference in security in the base systems is so small and irrelevant that the security of a box is more dependant on how well you know the system. If you use FreeBSD, use FreeBSD. If you use Linux, which I think sucks ass, use that one.

Dont get me wrong, I love all the BSDs and use them all, but its not the system that makes the level of trust you can put into it.

If you want security, use Trusted Solaris, OS/400 or OpenVMS.

Re:Securing FreeBSD

With your obvious intelligence, I would've thought you would have had the more obvious answer... more secure than FreeBSD *and* OpenBSD! Just don't power the machine on!

Having tried both, I really don't feel that FreeBSD is really any less secure than Open if properly locked down. OpenBSD's motto is "secure out of the box", which, yes, is true. Its also got virtually every service locked out also. Run Apache and make it a webserver..whoops, its now only as secure as Apache is.

To anyone who *knows* how to secure a box, in general any OS can be made pretty secure, and this includes Free/Net/OpenBSD, Solaris, Linux, HP/UX, Irix... the list could go on.

But, for the best security in the world... install DOS 3.3 with no network drivers. Or just leave it turned off.

Re:Securing FreeBSD

[oscarcvt]

How about some features OpenBSD provides such as an encrypted swap space?? I dont think FreeBSD provides that.

I agree with the claim that systems are not secure but trusted to a certain degree.

One more thing, if we take the BSD's, Linux, Solaris and install Apache there'd be no difference in security amongst these systems? I dont think so.

Re:Securing FreeBSD

Hmm.. encrypted swap. So you slow down your swapping to encrypt/decrypt it... I dunno.
I wouldn't use it.

Besides, in order to get to swap someone must:

1) Gain login access & root on your machine
(and then you've got more serious problems).

2) Gain *physical* access to your machine.
(again, serious problems. What good is
encrypted swap when they can boot off CD,
break into your system, and have access to
all of your data files anyways?).

Re:Securing FreeBSD

[thogard]

Swap space is an archaic idea. The system should reserve an amount of RAM for the OS in low memory conditions and tell other programs they can't have any more. I haven't had a server run out of memory in a long time and I'm tired of X and netscrape swaping to the "never used unless theres a bug" swap space. Nothinkg like watching a program swap out a gig or so.

There's one problem

[watchmaker1]

He recommends setting each user's dir to 0700. If this machine runs apache and you have UserDir turned on to allow http://some.box/~user/ style access which maps ~user to something like /home/user/web-public, apache will not be able to serve up that user's web-public.

Can you tell I've hit this before?

Re:There's one problem

[Mister+Snee]

Well, you could always run Apache with root privileges. ^-^

Those of you who'd be inclined to think that this is a god-awful idea purely because of the insane myriad of vulnerabilities it opens up should conside how, within a week or so of applying this fix, all your other problems would seem pretty insignificant.

It works, honest!

Re:There's one problem

[Arandir]

The tips offered in that article weren't meant to be taken as rigid inflexible law. Obviously your users need their home directories to be world readable, then make them world readable. But if they don't need it, then setting the directories to 0700 is a wise precaution.

Re:There's one problem

[Dahan]

You don't need a world-readable home directory for Apache to be able to get to ~/public_html/ though... Use mode 0711 and people/processes can traverse through the directory, but not read its contents.

Re:There's one problem

run apache in the 'www' group then chgrp www /home/* and chmod 710 /home/*

:P

Re:There's one problem

[vanyel]

That is the reason I don't put userdir in the user's home directory. I created /home/web/ for web directories. I have to create it for them, but it's a minor issue and avoids users, especially those unfamiliar with unix permissions, from having to worry about it.

SC_DISABLE_REBOOT

[david8210]

It's FreeBSD nasty, why does not FreeBSD provide a sysctl to simply let root turn ctl+alt+del off? According to the article's "Secure the console", user can access console, they should let root to do the simple settings, at least it can prevent user from pressing ctl+alt+del to suddenly reboot machine! the user might not on purpose.

Re:SC_DISABLE_REBOOT

[Hal-9001]

1. The odds of pressing CTRL-ALT-DEL by accident are infinitessimally small--those keys are relatively far apart on most keyboards.

2. If someone has physical access to your machine, you're fscked anyway...

Re:SC_DISABLE_REBOOT

If you're used to MS's Ctrl-Alt-Del method to unlock blank screens, it's easy to "accidentally" hit that combo.

No problem

[braque]

you can set the userdir to something else, e.g. /home/homepages

Then www.server.com/~user/bla.html == /home/homepages/user/bla.html

works like a charm here, all users have mod 700 homedirs and 755 homepagedirs.

Don't bother to secure FreeBSD

Netcraft confirms: *BSD is dying

Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin [amdest.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dead

Re:Don't bother to secure FreeBSD

[oscarcvt]

What are you securing?? winblows??

I've tried out linux and FreeBSD and I go for FreeBSD all the way. It's a unified project without a 1,000 handfulls of distros.

Its common sense not to rely on net surveys, and accounting for *BSD users based on USENET postings is a poor populational sample. A good introductory statistics course would fit you well.

You didn't mention daemonnews or apple? Do you think apple will let *BSD die after OS X is based on FreeBSD??

Being as FreeBSD is open source much of its greatness comes from OS hobbyists. It seems you don't know what you are talking about, or my eyes are selling me out! hopefully not to ms.

Fact: Your numeric skills are dead
Fact: *BSD is alive and rockin'

Re:Don't bother to secure FreeBSD

Based on? My god a you that stupid....
Apple OSX uses just FreeBSD shit because the stupid license will let it...

They rather used Linux, trust me...but since that is underr GPL...hehehe

Poer to the penguins!!

Re:Don't bother to secure FreeBSD

[oscarcvt]

Please share your wonderful insights into the complex world of linux licensing!!
If you're sure why linux wasn't licensed to apple maybe you could tell us all why?

The real reason is *bsd is a better os in general!

fact: you are a wannabe newbie

One guy's opinion

[duffbeer703]

This is just my opinion. Nothing more.

After trying to use Linux (redhat 6x/7x, mandrake 7x/8x, debian, slackware) I found that none were upgradeable as easy as FreeBSD. Try upgrading from Redhat 7.1 -> 7.2. I've had it fail on 3 different machines (at work). Nightmares doing that. Plus everything is changing on a .x release. Debian sounds the best, but it didn't even install on the computer I tried. Mandrake just died one day (no clue)...the os wouldn't boot and i just gave up. Slackware is good, but it doesn't seem to have the documentation of FreeBSD. I used to love Linux, until I used it. The biggest problems I have had are with dependencies and non-kernel related problems. I think a centrally managed OS like the BSD's are much more efficient. With kernel releases every few months for Linux, how can you expect it to be stable? I'm a business person. I value time and money. /stand/sysinstall is the greatest utility FreeBSD has. From that 1 utility I can change anything I need to. Simple as that. Redhat had utilities that don't even work right!

(Linux has always been very stable for me as a server. It runs into serious problems only when you start trying to make it into a desktop system and extensively use the X environment. In fact, X itself works just fine with a trimmed down window manager like fvwm. It's just not very "cool" or flashy, and not at all user-friendly when you need to add new items to menus.)

As a business user, I'd assume you're trying to use BSD (or Linux) in a server situation? If so, I'm not sure why you had so many issues with Linux. On the other hand, BSD installs all the basic stuff you need to run a very stable web, ftp, mail, news, etc. type of server - so I'm not faulting you at all for making that choice.

For myself, I find freebsd the os of choice for my servers, but as far as a desktop is concerned it pisses me off enormously that despite running on only one architecture and having only one distro, freebsd (4.4 stable) can't even set AA fonts up properly, key bindings in vim are fucked up etc.

BSD is just rock solid. It's easy to install, upgrade and use. It has been proven. I can't wait to use 4.5 and try it out. Linux is trying to emulate Windows, and it never will. Linux should find it's niche over time. I know BSD has and it's thriving. Doing everything for everyone is bad, and I know BSD isn't.

Re:One guy's opinion

What a bullshit!

I have Redhat, Mandrake, Solaris and FreeBSD runnig on server (Redhat, FreeBSD), Firewall (Redhat), Router (Debian) and Desktop (Mandrake), Solaris i use for my sun desktop (3d)..anyway..

Redhat is easily to upgrade, Debian is easy to upgrade, Mandrake is easy upgradae and FreeBSD is easy upgrade.

If you find it hard to upgrade Linux try reading a book or surf on the net. Ever heard of Red Carpet, RH network, Mandrake update? You know what is real hell? 3D under FeeBSD thats hell! ;)

Re:One guy's opinion

[thogard]

Mandrake wipes out most of my system configuration every time it upgrades and I'm currently on Mandrake 8.0. FreeBSD hasn't rewritten any of my modified config files yet on an upgrade.

The last Mandrake upgrade broke my kdm startup. I used to run two different kdm's on different virtual termals (vt7/8) so I use vt8 and other people in my house use vt7 and a guest account. I don't know if this is a kdm problem, an x problem or something else but it was working and now I can't get it to work. Mandrake also wants to overwrite my resolution defintions for X. I use a start up of 800x600 (because I've got and LCD that only does that resolution) and then I can switch to 1024x768 if I want to and the other users don't have to knwo about the ctrl-atl-+ if I swap monitors.

I've been using BSD unix in some flavor since 87 or so and I've never had the problems I get with some of the newer "user friendly" Linux distros durring upgrades.

Oh, Mandrake update has never found any packages that needed upgradeing the last year or so.

*BSD is dying

It is now official - Netcraft has confirmed: *BSD is dying

Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.

You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dead

Re:*BSD is dying

And how aboput AppleOSX?
Is that not FreeBSD based? are at least it uses some code snippets.
I think AppleOSX has gained market share so in fact some pieces of FreeBSD did also.

But in general i agree Free(BSD) is as good as dead or at least it looks like that.

It Free(BSD) is not MORE stable than Linux (my personal view after running them both for over 2 years they both never crashed or misfunctioned)

Soi how cares if FeeBSD stops to exist i will not care..

Re:*BSD is dying

Ah..now i understand..Eric Raymond was talking about FreeBSD v5 not NT!

Re:*BSD is dying

And if you stopped to exist, I will not care either.

Get serious -- mod the kernel !

[teambpsi]

one of the things I really like about working with FreeBSD is the ability to very easily skinny-down the kernel.

usually if you've installed the kern-development or full set, go to

/usr/src/sys/i386/conf

copy GENERIC over to a new file and run through commenting out stuff you'll never use ... you can always reactivate it later if you need/want it

don't need nfs? comment out

#options NFS #Network Filesystem
#options NFS_ROOT #NFS usable as root device, NFS required

consider making a CDROM based boot image instead of HD -- not as fast boot (well, relatively) but ultimately secure and the machine will always come up in case of HD crash/corruption

otherwise, if you don't have SCSI, dump them all! also, chop out any additional ethernet drivers, etc.

not only will you get a smaller kernel with "less moving parts" that boots faster, you'll have less of a finger print to hit

ipfilter is a must as well, and definitely shutdown all extra services in /etc/inetd.conf

and finally, regarding SSH -- set it up to accept root connections from specific hosts, and then add in tcpwrappers and/or ipfilters to help enforce that -- it helps to cut down on any future buffer-overrun attacks that may surface

nicer

much much nicer but infortunately in french (feel free to transalte :)

http://minithins.net/papers/FreeBSD.txt

Document updated

This document has now been updated on his site to revision 1.8. There's quite a few changes and a bit more info now.