FreeBSD Post-Install Hardening
UNDER CONSTRUCTION: The document is currently being modified! |
Now that you have a solid baseline FreeBSD installation lets move on to configuring and hardening your system. In this article I will be covering setting up ports, installing some base software, setting up a user environment, and fixing some basic security concerns. The test system I will be using for this and all articles following this is from the FreeBSD Installation article. I personally will not be using a ZFS-based test system merely because using ZFS inside of VirtualBox is a bit redundant.
Again for this and all my other articles I am assuming you have a basic understanding of the shell and the computer in general (See Also: Category:FreeBSD). Assuming you have the FreeBSD machine installed, booted up and logged in as root, let us begin.
Ports
The FreeBSD Ports and Packages Collection (ports) offers a simple way for users and administrators to install applications. As there are a few basic system applications we will be needing to install lets get ports up to date. To do so we will be using csup(1) and an example supfile left from installation.
mkdir ~/csup/
cp /usr/share/examples/cvsup/ports-supfile ~/csup/
csup -L 2 -h cvsup10.us.freebsd.org ~/csup/ports-supfile
This will take a moment or two depending on the speed of your connection to the internet and the CVSup server you chose.[1] Once the ports collection is installed the next step is to setup some ports, kernel and world build options.
/etc/make.conf & /etc/src.conf
Both located in /etc/ the primary purpose of make.conf is to control the compilation of the FreeBSD sources, documentation, and ported applications; where as the only purpose of src.conf is to control the compilation of the FreeBSD source code.[2] Note that changing these documents is completely optional and is not required. However after years of using FreeBSD myself I have found that these few settings will simplify and quicken a lot of things on the system, mainly if you are someone who compiles everything from source. If you are not this type of person maybe you can skip this section, I would still recommend looking it over at the very least. Some things will still be applicable, jails for example need special attention toward to src.conf.
This will set the default documentation locale, the ports updating defaults, enable multithreaded building of ports and world, and set the default kernel config file. Please take note of the comments left for determining your settings based off of how many CPU cores your machine has, they start with a hash tag (#).
cat >> /etc/make.conf << _EOF_
DOC_LANG=en_US.ISO8859-1 INSTALL_NODEBUG="yes" KERNCONF=VM SUP_UPDATE="yes" SUP="/usr/bin/csup" SUPFLAGS="-L 2" PORTSSUPFILE="/root/csup/ports-supfile" .if ${.CURDIR:M*/ports/*} CFLAGS = -O2 -combine -fno-strict-aliasing -pipe -s CXXFLAGS = -O2 -combine -fno-strict-aliasing -pipe -s WRKDIRPREFIX = ${PORTSDIR}/obj .endif .if ${.CURDIR:M*/usr/src/*} || ${.CURDIR:M*/usr/obj/*} CFLAGS += -O2 -fno-strict-aliasing -pipe -s CXXFLAGS += -O2 -fno-strict-aliasing -pipe -s COPTFLAGS = -O2 -fno-strict-aliasing -pipe -s MAKEOPTS += -j8 # replace with (cpu_cores*2) .endif MAKE_JOBS_NUMBER=8 # replace with (cpu_cores*2) FORCE_MAKE_JOBS="yes" _EOF_ |
02. Download your make.conf and src.conf files.
bsd# cd /etc
bsd# fetch http://privatebox.org/bsd/etc/make.conf(.jail/.zfs) bsd# fetch http://privatebox.org/bsd/etc/src.conf(.jail/.zfs)
03. Install the default editor, sudo and subversion-freebsd.
bsd# cd /usr/ports/editors/nano; make install clean; bsd# cd /usr/ports/security/sudo; make install clean;
bsd# cd /usr/ports/devel/subversion-freebsd; make install clean;
bsd# setenv EDITOR nano
04. Change the way passwords are stored to blowfish, fetch login.conf, run the database
rebuiler, then reset the root password. bsd# cd /etc bsd# fetch http://privatebox.org/bsd/etc/auth.conf bsd# fetch http://privatebox.org/bsd/etc/login.conf bsd# cap_mkdb /etc/login.conf bsd# passwd To double check that these changes work you should open up the /etc/master.passwd file and make sure the root password starts with "$2a"
05. Clean out the default user files directory
bsd# cd /usr/share/skel/; rm dot.rhosts; bsd# fetch http://privatebox.org/bsd/home/dot.cshrc bsd# fetch http://privatebox.org/bsd/home/dot.login bsd# fetch http://privatebox.org/bsd/home/dot.login_conf bsd# fetch http://privatebox.org/bsd/home/dot.mail_aliases bsd# fetch http://privatebox.org/bsd/home/dot.profile
bsd# cp dot.cshrc ~/.cshrc; cp dot.login ~/.login; cp dot.login_conf ~/.login_conf; bsd# cp dot.mail_aliases ~/.mail_aliases; cp dot.profile ~/.profile;
bsd# cd; rm .k5login; bsd# touch /etc/COPYRIGHT bsd# chmod g+rwx /usr/src /usr/obj
06. Add a users group, then modify the default adduser settings, remove the toor user
account and add yourself a shell user that you will now always ssh from (instead of root).
bsd# pw groupadd users bsd# adduser -C Uid (Leave empty for default): Login group []: users Enter additional groups []: Login class [default]: users Shell (sh csh tcsh nologin) [sh]: tcsh Home directory [/home/]: Home directory permissions (Leave empty for default): 0700 Use password-based authentication? [yes]: Use an empty password? (yes/no) [no]: Use a random password? (yes/no) [no]: Lock out the account after creation? [no]: Pass Type : yes Class : users Groups : users Home : /home/ Home Mode : 0700 Shell : /bin/tcsh Locked : no OK? (yes/no): yes Re-edit the default configuration? (yes/no): no Goodbye! bsd# pw userdel toor bsd# adduser Username : k Password : ***** Full Name : ***** Uid : 420 Class : root Groups : wheel Home : /home/k Home Mode : 0700 Shell : /bin/tcsh Locked : no OK? (yes/no): yes adduser: INFO: Successfully added (k) to the user database. Add another user? (yes/no): no Goodbye!
07. Update the doc and source tree from SVN, then copy over the kernel configuration
file and then check it into the RCS.
bsd# cd /usr/src/ bsd# svn checkout svn://svn.freebsd.org/base/stable/8 /usr/src bsd# cd /usr/src/sys/i386/conf (This would be /usr/src/sys/amd64/conf on an amd64 system) bsd# fetch http://privatebox.org/bsd/home/HUB bsd# ci -u HUB
08. Time to upgrade FreeBSD to its most current version, we will benchmark also.
bsd# cd /usr/src bsd# buildworld
This step will take ~30m-1h.
bsd# buildkernel bsd# sudo make installkernel bsd# sudo reboot
This is the hope and pray that you did everything right stage... When the box comes back up login via ssh and su to root. Then start up mergemaster preperation and then finally installworld and run mergemaster again (rule of thumb for running mergemaster, if your RCS'd it don't overwrite it). Then reboot the machine yet again.
bsd# cd /usr/src bsd# mmp
bsd# sudo make installworld bsd# mm bsd# sudo reboot
09. Install openssh_portable to replace standard ssh, then replace the sshd_config file
and restart sshd
bsd# cd /usr/ports/security/openssh-portable; sudo make install clean; bsd# cd /etc/ssh bsd# sudo fetch http://privatebox.org/bsd/etc/ssh/sshd_config bsd# sudo fetch http://privatebox.org/bsd/etc/ssh/sshd_banner bsd# sudo /usr/local/etc/rc.d/openssh onestart
NOTE: Please at this time make sure you can login to ssh, if you can not, then you need to review the steps and retrace what you did.
10. SSH back into the box and su to root. Then, retrieve all new modified system
files into your /etc folder. Then check them all into the RCS.
bsd# cd /etc bsd# fetch http://privatebox.org/bsd/etc/rc.conf bsd# fetch http://privatebox.org/bsd/etc/crontab bsd# fetch http://privatebox.org/bsd/etc/hosts bsd# fetch http://privatebox.org/bsd/etc/hosts.allow bsd# fetch http://privatebox.org/bsd/etc/newsyslog.conf bsd# fetch http://privatebox.org/bsd/etc/periodic.conf bsd# fetch http://privatebox.org/bsd/etc/sysctl.conf bsd# fetch http://privatebox.org/bsd/etc/syslog.conf
11. Install portupgrade/portaudit and audit already installed ports.
bsd# cd /usr/ports/ports-mgmt/portaudit bsd# sudo make install clean bsd# cd ../portupgrade && sudo make install clean bsd# cd ../pkg_cutleaves && sudo make install clean bsd# sudo portaudit -Fda
12. Make /tmp the only temp.
bsd# mv /var/tmp/* /tmp; rm -rf /var/tmp; ln -s /tmp /var/tmp
(NOTE: If you recieve the message "Operation not permitted" on any of the files when you try to move/remove them you need to "chflags noschg <file/dir>")
13. Restrict access to crontab to root and your shell user account only. Then
set proper permissions on the file. Then enable accounting.
bsd# echo 'root' > /var/cron/allow; echo 'k' >> /var/cron/allow; bsd# chmod 0600 /var/cron/allow
14. Run the secure_me.sh file to set proper permissions to all system files.
bsd# cd; mkdir scripts; cd scripts; bsd# fetch http://privatebox.org/bsd/other/secure_me.sh; chmod +x secure_me.sh; bsd# ./secure_me.sh