FreeBSD Post-Install Hardening

From Wiki³
IconUNDER CONSTRUCTION: The document is currently being modified!

Now that you have a solid baseline FreeBSD installation lets move on to configuring and hardening your system. In this article I will be covering setting up ports, installing some base software, setting up a user environment, and fixing some basic security concerns. The test system I will be using for this and all articles following this is from the FreeBSD Installation article. I personally will not be using a ZFS-based test system merely because using ZFS inside of VirtualBox is a bit redundant.

Again for this and all my other articles I am assuming you have a basic understanding of the shell and the computer in general (See Also: Category:FreeBSD). Assuming you have the FreeBSD machine installed, booted up and logged in as root, let us begin.

Ports

The FreeBSD Ports and Packages Collection (ports) offers a simple way for users and administrators to install applications. As there are a few basic system applications we will be needing to install lets get ports up to date. To do so we will be using csup(1) and an example supfile left from installation.

mkdir ~/csup/

cp /usr/share/examples/cvsup/ports-supfile ~/csup/

csup -L 2 -h cvsup10.us.freebsd.org ~/csup/ports-supfile

This will take a moment or two depending on the speed of your connection to the internet and the CVSup server you chose.[1] Once the ports collection is installed the next step is to setup some ports, kernel and world build options.

/etc/make.conf & /etc/src.conf

Both located in /etc/ the primary purpose of make.conf is to control the compilation of the FreeBSD sources, documentation, and ported applications; where as the only purpose of src.conf is to control the compilation of the FreeBSD source code.[2] Note that changing these documents is completely optional and is not required. However after years of using FreeBSD myself I have found that these few settings will simplify and quicken a lot of things on the system, mainly if you are someone who compiles everything from source. If you are not this type of person maybe you can skip this section, I would still recommend looking it over at the very least. Some things will still be applicable, jails for example need special attention toward to src.conf.

This will set the default documentation locale, the ports updating defaults, enable multithreaded building of ports and world, and set the default kernel config file. Please take note of the comments left for determining your settings based off of how many CPU cores your machine has, they start with a hash tag (#).

cat >> /etc/make.conf << _EOF_

DOC_LANG=en_US.ISO8859-1 INSTALL_NODEBUG="yes" KERNCONF=VM SUP_UPDATE="yes" SUP="/usr/bin/csup" SUPFLAGS="-L 2" PORTSSUPFILE="/root/csup/ports-supfile" .if ${.CURDIR:M*/ports/*} CFLAGS = -O2 -combine -fno-strict-aliasing -pipe -s CXXFLAGS = -O2 -combine -fno-strict-aliasing -pipe -s WRKDIRPREFIX = ${PORTSDIR}/obj .endif .if ${.CURDIR:M*/usr/src/*} || ${.CURDIR:M*/usr/obj/*} CFLAGS += -O2 -fno-strict-aliasing -pipe -s CXXFLAGS += -O2 -fno-strict-aliasing -pipe -s COPTFLAGS = -O2 -fno-strict-aliasing -pipe -s MAKEOPTS += -j8 # replace with (cpu_cores*2) .endif MAKE_JOBS_NUMBER=8 # replace with (cpu_cores*2) FORCE_MAKE_JOBS="yes" _EOF_

02. Download your make.conf and src.conf files.

bsd# cd /etc

   bsd# fetch http://privatebox.org/bsd/etc/make.conf(.jail/.zfs)
   bsd# fetch http://privatebox.org/bsd/etc/src.conf(.jail/.zfs)

03. Install the default editor, sudo and subversion-freebsd.

   bsd# cd /usr/ports/editors/nano; make install clean;
   bsd# cd /usr/ports/security/sudo; make install clean;

bsd# cd /usr/ports/devel/subversion-freebsd; make install clean;

   bsd# setenv EDITOR nano

04. Change the way passwords are stored to blowfish, fetch login.conf, run the database

   rebuiler, then reset the root password.
  
   bsd# cd /etc
   bsd# fetch http://privatebox.org/bsd/etc/auth.conf
   bsd# fetch http://privatebox.org/bsd/etc/login.conf
   bsd# cap_mkdb /etc/login.conf
   bsd# passwd
  
   To double check that these changes work you should open up the /etc/master.passwd
   file and make sure the root password starts with "$2a"

05. Clean out the default user files directory

   bsd# cd /usr/share/skel/; rm dot.rhosts;
   bsd# fetch http://privatebox.org/bsd/home/dot.cshrc
   bsd# fetch http://privatebox.org/bsd/home/dot.login
   bsd# fetch http://privatebox.org/bsd/home/dot.login_conf
   bsd# fetch http://privatebox.org/bsd/home/dot.mail_aliases
   bsd# fetch http://privatebox.org/bsd/home/dot.profile

bsd# cp dot.cshrc ~/.cshrc; cp dot.login ~/.login; cp dot.login_conf ~/.login_conf; bsd# cp dot.mail_aliases ~/.mail_aliases; cp dot.profile ~/.profile;

   bsd# cd; rm .k5login;
   bsd# touch /etc/COPYRIGHT
   bsd# chmod g+rwx /usr/src /usr/obj

06. Add a users group, then modify the default adduser settings, remove the toor user

   account and add yourself a shell user that you will now always ssh from (instead
   of root).
   bsd# pw groupadd users
   bsd# adduser -C
      Uid (Leave empty for default):
      Login group []: users
      Enter additional groups []:
      Login class [default]: users
      Shell (sh csh tcsh nologin) [sh]: tcsh
      Home directory [/home/]:
      Home directory permissions (Leave empty for default): 0700
      Use password-based authentication? [yes]:
      Use an empty password? (yes/no) [no]:
      Use a random password? (yes/no) [no]:
      Lock out the account after creation? [no]:
      Pass Type  : yes
      Class      : users
      Groups     : users
      Home       : /home/
      Home Mode	: 0700
      Shell      : /bin/tcsh
      Locked     : no
      OK? (yes/no): yes
      Re-edit the default configuration? (yes/no): no
      Goodbye!
   bsd# pw userdel toor
   bsd# adduser
      Username   : k
      Password   : *****
      Full Name  : *****
      Uid        : 420
      Class      : root
      Groups     : wheel
      Home       : /home/k
      Home Mode	: 0700
      Shell      : /bin/tcsh
      Locked     : no
      OK? (yes/no): yes
      adduser: INFO: Successfully added (k) to the user database.
      Add another user? (yes/no): no
      Goodbye!

07. Update the doc and source tree from SVN, then copy over the kernel configuration

   file and then check it into the RCS.
   bsd# cd /usr/src/
   bsd# svn checkout svn://svn.freebsd.org/base/stable/8 /usr/src
   bsd# cd /usr/src/sys/i386/conf
   	(This would be /usr/src/sys/amd64/conf on an amd64 system)
   bsd# fetch http://privatebox.org/bsd/home/HUB
   bsd# ci -u HUB

08. Time to upgrade FreeBSD to its most current version, we will benchmark also.

   bsd# cd /usr/src
   bsd# buildworld
   This step will take ~30m-1h.
   bsd# buildkernel
   bsd# sudo make installkernel
   bsd# sudo reboot
   This is the hope and pray that you did everything right stage... When the box
   comes back up login via ssh and su to root. Then start up mergemaster preperation
   and then finally installworld and run mergemaster again (rule of thumb for running
   mergemaster, if your RCS'd it don't overwrite it). Then reboot the machine yet
   again.
   bsd# cd /usr/src
   bsd# mmp
   bsd# sudo make installworld
   bsd# mm
   bsd# sudo reboot

09. Install openssh_portable to replace standard ssh, then replace the sshd_config file

   and restart sshd
   bsd# cd /usr/ports/security/openssh-portable; sudo make install clean;
   bsd# cd /etc/ssh
   bsd# sudo fetch http://privatebox.org/bsd/etc/ssh/sshd_config
   bsd# sudo fetch http://privatebox.org/bsd/etc/ssh/sshd_banner
   bsd# sudo /usr/local/etc/rc.d/openssh onestart

NOTE: Please at this time make sure you can login to ssh, if you can not, then you need to review the steps and retrace what you did.

10. SSH back into the box and su to root. Then, retrieve all new modified system

   files into your /etc folder. Then check them all into the RCS.
   bsd# cd /etc
   bsd# fetch http://privatebox.org/bsd/etc/rc.conf
   bsd# fetch http://privatebox.org/bsd/etc/crontab
   bsd# fetch http://privatebox.org/bsd/etc/hosts
   bsd# fetch http://privatebox.org/bsd/etc/hosts.allow
   bsd# fetch http://privatebox.org/bsd/etc/newsyslog.conf
   bsd# fetch http://privatebox.org/bsd/etc/periodic.conf
   bsd# fetch http://privatebox.org/bsd/etc/sysctl.conf
   bsd# fetch http://privatebox.org/bsd/etc/syslog.conf
   

11. Install portupgrade/portaudit and audit already installed ports.

   bsd# cd /usr/ports/ports-mgmt/portaudit
   bsd# sudo make install clean
   bsd# cd ../portupgrade && sudo make install clean
   bsd# cd ../pkg_cutleaves && sudo make install clean
   bsd# sudo portaudit -Fda

12. Make /tmp the only temp.

   bsd# mv /var/tmp/* /tmp; rm -rf /var/tmp; ln -s /tmp /var/tmp
   (NOTE: If you recieve the message "Operation not permitted" on any of the
   files when you try to move/remove them you need to "chflags noschg
   <file/dir>")

13. Restrict access to crontab to root and your shell user account only. Then

   set proper permissions on the file. Then enable accounting.
   bsd# echo 'root' > /var/cron/allow; echo 'k' >> /var/cron/allow;
   bsd# chmod 0600 /var/cron/allow

14. Run the secure_me.sh file to set proper permissions to all system files.

   bsd# cd; mkdir scripts; cd scripts;
   bsd# fetch http://privatebox.org/bsd/other/secure_me.sh; chmod +x secure_me.sh;
   bsd# ./secure_me.sh