FreeBSD Post-Install Hardening

From Wiki³
Revision as of 15:21, 4 February 2012 by Kyau (talk | contribs)
UNDER CONSTRUCTION: The document is currently being modified!

Now that you have a solid baseline FreeBSD installation, let's move on to configuring and hardening your system. In this article I will be covering setting up ports, installing some base software, setting up a user environment, and fixing some basic security concerns. The test system I will be using for this and all articles following this is from the FreeBSD Installation article. I personally will not be using a ZFS-based test system, merely because using ZFS inside of VirtualBox is a bit redundant.

Again, for this and all my other articles I am assuming you have a basic understanding of the shell and the computer in general (See Also: Category:FreeBSD). Assuming you have your FreeBSD machine booted up and you are logged in as root, let us begin.

Ports

The FreeBSD Ports and Packages Collection (ports) offers a simple way for users and administrators to install applications. The first thing we are going to do is install this collection so we can begin installing applications from it. To do so we will be using csup(1) and an example supfile left over from installation.

mkdir ~/csup/

cp /usr/share/examples/cvsup/ports-supfile ~/csup/

csup -L 2 -h cvsup10.us.freebsd.org ~/csup/ports-supfile

Now that the ports collection is installed, the next step is to set up the /etc/make.conf config so we can set some ports and system build defaults. This will set the ports updating defaults, enable multithreaded building, and set the default kernel config.

cat >> /etc/make.conf << '_EOF_'
DOC_LANG=en_US.ISO8859-1
INSTALL_NODEBUG="yes"
KERNCONF=DREAM
SUP_UPDATE="yes"
SUP="/usr/bin/csup"
SUPFLAGS="-L 2"
PORTSSUPFILE="/root/csup/ports-supfile"
.if ${.CURDIR:M*/ports/*}
CFLAGS = -O2 -combine -fno-strict-aliasing -pipe -s
CXXFLAGS = -O2 -combine -fno-strict-aliasing -pipe -s
WRKDIRPREFIX = ${PORTSDIR}/obj
.endif
.if ${.CURDIR:M*/usr/src/*} || ${.CURDIR:M*/usr/obj/*}
CFLAGS += -O2 -fno-strict-aliasing -pipe -s
CXXFLAGS += -O2 -fno-strict-aliasing -pipe -s
COPTFLAGS = -O2 -fno-strict-aliasing -pipe -s
MAKEOPTS += -j8 # replace with (cpu_cores*2)
.endif
MAKE_JOBS_NUMBER=8 # replace with (cpu_cores*2)
FORCE_MAKE_JOBS="yes"
_EOF_

(NOTE: The heredoc delimiter is quoted ('_EOF_') so that sh does not try to expand the ${.CURDIR...} and ${PORTSDIR} make expressions before they reach the file; unquoted, sh would stop with a "Bad substitution" error.)

01. First thing you are going to want to do is get yourself into the system via logging
   into the console as root. Then get the cvsup program installed, our config loaded in
   and the ports collection updating.

   bsd# mkdir csup; cd csup;
   bsd# fetch http://privatebox.org/bsd/other/ports-local
   bsd# csup -L 2 ports-local

   When this is finished move on to step two.

02. Download your make.conf and src.conf files.

   bsd# cd /etc
   bsd# fetch http://privatebox.org/bsd/etc/make.conf(.jail/.zfs)
   bsd# fetch http://privatebox.org/bsd/etc/src.conf(.jail/.zfs)

03. Install the default editor, sudo and subversion-freebsd.

   bsd# cd /usr/ports/editors/nano; make install clean;
   bsd# cd /usr/ports/security/sudo; make install clean;
   bsd# cd /usr/ports/devel/subversion-freebsd; make install clean;
   bsd# setenv EDITOR nano

04. Change the way passwords are stored to blowfish, fetch login.conf, run the database
   rebuilder, then reset the root password.

   bsd# cd /etc
   bsd# fetch http://privatebox.org/bsd/etc/auth.conf
   bsd# fetch http://privatebox.org/bsd/etc/login.conf
   bsd# cap_mkdb /etc/login.conf
   bsd# passwd

   To double check that these changes work you should open up the /etc/master.passwd
   file and make sure the root password starts with "$2a".

05. Clean out the default user files directory

   bsd# cd /usr/share/skel/; rm dot.rhosts;
   bsd# fetch http://privatebox.org/bsd/home/dot.cshrc
   bsd# fetch http://privatebox.org/bsd/home/dot.login
   bsd# fetch http://privatebox.org/bsd/home/dot.login_conf
   bsd# fetch http://privatebox.org/bsd/home/dot.mail_aliases
   bsd# fetch http://privatebox.org/bsd/home/dot.profile
   bsd# cp dot.cshrc ~/.cshrc; cp dot.login ~/.login; cp dot.login_conf ~/.login_conf;
   bsd# cp dot.mail_aliases ~/.mail_aliases; cp dot.profile ~/.profile;
   bsd# cd; rm .k5login;
   bsd# touch /etc/COPYRIGHT
   bsd# chmod g+rwx /usr/src /usr/obj

06. Add a users group, then modify the default adduser settings, remove the toor user
   account and add yourself a shell user that you will now always ssh from (instead
   of root).

   bsd# pw groupadd users
   bsd# adduser -C
      Uid (Leave empty for default):
      Login group []: users
      Enter additional groups []:
      Login class [default]: users
      Shell (sh csh tcsh nologin) [sh]: tcsh
      Home directory [/home/]:
      Home directory permissions (Leave empty for default): 0700
      Use password-based authentication? [yes]:
      Use an empty password? (yes/no) [no]:
      Use a random password? (yes/no) [no]:
      Lock out the account after creation? [no]:
      Pass Type  : yes
      Class      : users
      Groups     : users
      Home       : /home/
      Home Mode  : 0700
      Shell      : /bin/tcsh
      Locked     : no
      OK? (yes/no): yes
      Re-edit the default configuration? (yes/no): no
      Goodbye!
   bsd# pw userdel toor
   bsd# adduser
      Username   : k
      Password   : *****
      Full Name  : *****
      Uid        : 420
      Class      : root
      Groups     : wheel
      Home       : /home/k
      Home Mode  : 0700
      Shell      : /bin/tcsh
      Locked     : no
      OK? (yes/no): yes
      adduser: INFO: Successfully added (k) to the user database.
      Add another user? (yes/no): no
      Goodbye!
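Steps 04 and 06 both leave something to verify by hand in /etc/master.passwd: the root hash must now start with "$2a" (Blowfish), and after "pw userdel toor" root should be the only UID 0 account. The following POSIX sh audit is an added example, not part of this page or of the files it fetches; it reads master.passwd(5)-format lines and reports any non-Blowfish hash, any empty password, and any second UID 0 account. The sample entries are constructed for the example and the hashes are dummy strings. It also accepts the later "$2b$" Blowfish prefix, which goes slightly beyond the "$2a" check the page describes.

```shell
#!/bin/sh
# Added audit example, not part of the wiki page or its fetched files.
# Checks master.passwd(5)-format entries for the three things steps 04 and 06
# care about: the hash must be Blowfish, no account may have an empty password,
# and root must be the only UID 0 account (toor is gone).
# The sample below is constructed; the hashes are dummy strings, not real hashes.

SAMPLE_MASTER_PASSWD='root:$2a$08$constructedBlowfishHashXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
k:$1$constructedMD5$XXXXXXXXXXXXXXXXXXXXXX:420:0:root:0:0:k:/home/k:/bin/tcsh
guest::1001:1001::0:0:Guest:/home/guest:/bin/sh'

# audit_master_passwd < master.passwd
# Prints one finding per line as "<finding> <user>"; prints nothing when clean.
# Fields: name:password:uid:gid:class:change:expire:gecos:home:shell
audit_master_passwd() {
    awk -F: '
        NF < 10 { next }                                   # skip malformed lines
        $3 == 0 && $1 != "root" { print "uid0 " $1 }       # second superuser (e.g. toor)
        $2 == "" { print "empty-password " $1; next }      # logs in with no password at all
        $2 ~ /^\*/ { next }                                # "*" / "*LOCKED*": no login, no hash
        $2 !~ /^\$2[ab]\$/ { print "not-blowfish " $1 }    # $2a$ / $2b$ is the Blowfish prefix
    '
}

# Number of findings, handy as an exit status for a periodic(8) security script.
audit_master_passwd_count() {
    audit_master_passwd | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
# On a real box: audit_master_passwd < /etc/master.passwd
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | audit_master_passwd
```

On the sample this prints "uid0 toor", "not-blowfish k" and "empty-password guest"; a clean file after steps 04 and 06 prints nothing. Locked accounts ("*" or "*LOCKED*" in the password field) are deliberately not reported as weak hashes, since they cannot log in with a password at all.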

07. Update the doc and source tree from SVN, then copy over the kernel configuration
   file and then check it into the RCS.

   bsd# cd /usr/src/
   bsd# svn checkout svn://svn.freebsd.org/base/stable/8 /usr/src
   bsd# cd /usr/src/sys/i386/conf
      (This would be /usr/src/sys/amd64/conf on an amd64 system)
   bsd# fetch http://privatebox.org/bsd/home/HUB
   bsd# ci -u HUB

08. Time to upgrade FreeBSD to its most current version; we will benchmark also.

   bsd# cd /usr/src
   bsd# buildworld
   This step will take ~30m-1h.
   bsd# buildkernel
   bsd# sudo make installkernel
   bsd# sudo reboot
   This is the hope and pray that you did everything right stage... When the box
   comes back up, login via ssh and su to root. Then start up mergemaster preparation
   and then finally installworld and run mergemaster again (rule of thumb for running
   mergemaster: if you RCS'd it, don't overwrite it). Then reboot the machine yet
   again.
   bsd# cd /usr/src
   bsd# mmp
   bsd# sudo make installworld
   bsd# mm
   bsd# sudo reboot

09. Install openssh_portable to replace standard ssh, then replace the sshd_config file
   and restart sshd

   bsd# cd /usr/ports/security/openssh-portable; sudo make install clean;
   bsd# cd /etc/ssh
   bsd# sudo fetch http://privatebox.org/bsd/etc/ssh/sshd_config
   bsd# sudo fetch http://privatebox.org/bsd/etc/ssh/sshd_banner
   bsd# sudo /usr/local/etc/rc.d/openssh onestart

NOTE: At this point, please make sure you can log in over ssh; if you cannot, review the steps and retrace what you did.
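The sshd_config fetched in step 09 is not shown on this page. As an added example (not the author's file and not OpenSSH project code), here is a small POSIX sh audit that reads an sshd_config and checks the settings the workflow above depends on: root logins over ssh disabled (step 06 has you ssh in as your shell user and su instead), SSH protocol 1 not offered, and the sshd_banner file from step 09 actually referenced. Both sample configs are constructed for the example; the "yes" assumed for an unset PermitRootLogin is the OpenSSH default of the releases current when this page was written, and the real file lives at /etc/ssh/sshd_config (base system) or /usr/local/etc/ssh/sshd_config (openssh-portable from ports).

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an sshd_config for the settings
# step 09 of this guide depends on. Both sample configs below are constructed.

# Constructed sample 1: root login explicitly enabled, everything else sane.
# Exercises comment lines, lowercase keywords and the Keyword=value form.
SAMPLE_SSHD_CONFIG_1='# constructed sample
Protocol 2
#PermitRootLogin no
permitrootlogin yes
PasswordAuthentication yes
Banner=/etc/ssh/sshd_banner'

# Constructed sample 2: nothing hardened globally; the "good" values sit inside a
# Match block, so they only apply to that user and must not count as global.
SAMPLE_SSHD_CONFIG_2='Protocol 2,1
Match User k
    PermitRootLogin no
    Banner "/etc/ssh/sshd_banner"'

# sshd_value KEYWORD < config
# Prints the effective global value of KEYWORD, following the sshd_config(5)
# rules that matter here: "#" lines are comments, keywords are case-insensitive,
# the first occurrence wins, "Keyword=value" is accepted, quotes around an
# argument are stripped, and everything after a Match line is conditional.
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        index($1, "=") { sub(/=/, " "); $0 = $0 }      # re-split Keyword=value
        tolower($1) == "match" { exit }                 # global section is over
        tolower($1) == key { gsub(/"/, "", $2); print $2; exit }
    '
}

# audit_sshd_config < config
# Prints one finding per line; prints nothing for a config that passes.
audit_sshd_config() {
    cfg=$(cat)

    # OpenSSH of this era defaults PermitRootLogin to yes when it is unset.
    v=$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)
    [ "${v:-yes}" = "no" ] || echo "PermitRootLogin: effective value '${v:-yes (default)}', expected no"

    # Protocol 1 must not be offered; unset means 2-only on OpenSSH 5.4 and later.
    v=$(printf '%s\n' "$cfg" | sshd_value Protocol)
    case ",$v," in
        *,1,*) echo "Protocol: '$v' offers SSH protocol 1, expected 2" ;;
    esac

    # Step 09 installs /etc/ssh/sshd_banner; make sure the daemon actually uses it.
    v=$(printf '%s\n' "$cfg" | sshd_value Banner)
    [ -n "$v" ] && [ "$v" != "none" ] || echo "Banner: not set, expected a banner file"
}

# Demonstration on the constructed samples.
# On a real box: audit_sshd_config < /etc/ssh/sshd_config
printf '%s\n' "$SAMPLE_SSHD_CONFIG_1" | audit_sshd_config
printf '%s\n' "$SAMPLE_SSHD_CONFIG_2" | audit_sshd_config
```

Sample 1 produces a single PermitRootLogin finding; sample 2 produces three, because a directive that only appears under "Match User k" does not protect the rest of the daemon and an unset PermitRootLogin silently falls back to the permissive default. Running "sshd -t -f <file>" afterwards catches syntax errors this parser does not look for.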

10. SSH back into the box and su to root. Then, retrieve all new modified system
   files into your /etc folder. Then check them all into the RCS.

   bsd# cd /etc
   bsd# fetch http://privatebox.org/bsd/etc/rc.conf
   bsd# fetch http://privatebox.org/bsd/etc/crontab
   bsd# fetch http://privatebox.org/bsd/etc/hosts
   bsd# fetch http://privatebox.org/bsd/etc/hosts.allow
   bsd# fetch http://privatebox.org/bsd/etc/newsyslog.conf
   bsd# fetch http://privatebox.org/bsd/etc/periodic.conf
   bsd# fetch http://privatebox.org/bsd/etc/sysctl.conf
   bsd# fetch http://privatebox.org/bsd/etc/syslog.conf

11. Install portupgrade/portaudit and audit already installed ports.

   bsd# cd /usr/ports/ports-mgmt/portaudit
   bsd# sudo make install clean
   bsd# cd ../portupgrade && sudo make install clean
   bsd# cd ../pkg_cutleaves && sudo make install clean
   bsd# sudo portaudit -Fda

12. Make /tmp the only temp.

   bsd# mv /var/tmp/* /tmp; rm -rf /var/tmp; ln -s /tmp /var/tmp
   (NOTE: If you receive the message "Operation not permitted" on any of the
   files when you try to move/remove them you need to "chflags noschg
   <file/dir>")

13. Restrict access to crontab to root and your shell user account only. Then
   set proper permissions on the file. Then enable accounting.

   bsd# echo 'root' > /var/cron/allow; echo 'k' >> /var/cron/allow;
   bsd# chmod 0600 /var/cron/allow

14. Run the secure_me.sh file to set proper permissions to all system files.

   bsd# cd; mkdir scripts; cd scripts;
   bsd# fetch http://privatebox.org/bsd/other/secure_me.sh; chmod +x secure_me.sh;
   bsd# ./secure_me.sh