Basic Security Measures for FreeBSD

Introduction

This document describes the basic security measures that should be applied to a FreeBSD 4.x workstation. Almost all of them apply to a server environment too, together with some extra measures (CGI/PHP security for web servers, SQL security for databases, etc.).

The basics

FreeBSD is a pretty secure OS, but security-aware people shouldn’t rely on the default OS security: even if the installed release is secure at the moment, our security setup should protect us not only from current vulnerabilities but from ALL of them, including the undiscovered/undisclosed ones.

The first thing to do after installing FreeBSD is to disable the services we don’t need. Let’s say that you need FTP for file transfer and sshd (which you will only use on your local network). To disable all other services, edit /etc/rc.conf like this.

Now edit /etc/inetd.conf and uncomment ftp. The rest of the services should be left commented out unless you need something else too (but remember that more services mean more risk).

OK, now check the /usr/local/etc/rc.d/ directory. That’s where httpd, rpcd and other daemons are started; just chmod -x the scripts you don’t need (or move/delete them if you feel more comfortable with that).

Now reboot your system and type this.

If you see any other open service that you don’t need, you probably missed something in /usr/local/etc/rc.d/.
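A small script that does this comparison for you, added here as an example and not part of the original article: it reads `netstat -an` output, extracts the TCP ports in LISTEN state and reports every port that is not on the list of services you meant to keep. The netstat listing embedded in it is a constructed sample in FreeBSD’s output format, not a capture from a real machine; the allow list of 21 and 22 is an assumption taken from the ftp/sshd setup above.

```sh
#!/bin/sh
# Added example, not from the original article: compare what is actually
# listening with the services you meant to keep. The netstat output below is a
# constructed sample in the format of FreeBSD "netstat -an", not a capture from
# a real machine; on your own box run  netstat -an | unexpected_listeners "21 22".

# The ports this article leaves open: ftp (21) and sshd (22). Assumed list.
ALLOWED_PORTS="21 22"

# Print the distinct TCP ports in LISTEN state from netstat -an output on stdin.
# BSD netstat writes the local address as address.port ("*.21", "127.0.0.1.25"),
# so the port is whatever follows the last dot of the fourth field.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { sub(/.*\./, "", $4); print $4 }' \
        | sort -n | uniq
}

# Print every listening port that is not on the allow list, one per line.
# Empty output means the service cleanup is complete.
unexpected_listeners() {
    allowed="$1"
    listening_ports | while read -r port; do
        found=0
        for p in $allowed; do
            if [ "$p" = "$port" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$port"; fi
    done
}

# Constructed sample: ftp and sshd as intended, plus a sendmail listener bound
# to loopback and a portmap listener that were not switched off.
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.21                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.111                  *.*                    LISTEN
tcp4       0      0  10.0.0.5.1034          10.0.0.1.22            ESTABLISHED
udp4       0      0  *.514                  *.*'

# Demonstration on the sample: prints 25 and 111.
printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners "$ALLOWED_PORTS"
```

A listener bound to 127.0.0.1 (the sendmail line in the sample) is reported as well: it is not reachable from the network, but it is still a running daemon that was not switched off. UDP sockets are deliberately not covered, since netstat shows no LISTEN state for them; look at the udp lines of `netstat -an` by hand.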

User management

If you are the only one using the workstation you should still have at least 2 users besides root. The first one should be used for ftp access. That’s because ftp transfers are not encrypted and can be sniffed. This user should have the lowest privileges and SHOULD NOT BE PART OF THE WHEEL GROUP. This is very important; it is the reason for having 2 users. The difference between regular users and users in the wheel group is that those in the wheel group are able to “su root”, while regular users can’t su to root even if they know the root password.

The second user should be part of the wheel group and will be used ONLY for ssh. This user’s password should never be exposed to unencrypted protocols (like ftp, telnet, pop, etc.). To make sure that you never accidentally log in over ftp with it, add this user to /etc/ftpusers. If you need multiple users, use this scheme for all of them (depending on their needs). I guess it’s useless to say that you should use different passwords for these users :).
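The scheme only holds as long as every wheel member really is listed in /etc/ftpusers. The following check, an added example that is not part of the original article, reads a group file and an ftpusers file and prints every wheel member that ftpd would still accept. It runs on two constructed sample files (the user names in them are made up); pass /etc/group and /etc/ftpusers to audit a real system. It also honours an `@wheel` line, since ftpusers(5) accepts group names prefixed with `@`.

```sh
#!/bin/sh
# Added example, not from the original article: verify that every member of the
# wheel group is locked out of ftpd through /etc/ftpusers, which is what the
# two-user scheme relies on. The group and ftpusers files created below are
# constructed samples; pass /etc/group and /etc/ftpusers for a real audit.

# Print the members of group $2 listed in group file $1 (4th field, comma separated).
group_members() {
    awk -F: -v g="$2" \
        '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' \
        "$1"
}

# Print the wheel members ftpd would still let in: users that appear neither by
# name nor through an "@wheel" entry in ftpusers. Empty output means the check passes.
wheel_without_ftp_lockout() {
    group_file="$1"
    ftpusers_file="$2"
    # A single "@wheel" line covers the whole group.
    if grep -qxF '@wheel' "$ftpusers_file"; then
        return 0
    fi
    group_members "$group_file" wheel | while read -r user; do
        if ! grep -qxF "$user" "$ftpusers_file"; then
            echo "$user"
        fi
    done
}

# Constructed sample files: admin was added to ftpusers as the text says, bob was not.
SAMPLE_DIR="$(mktemp -d)"
SAMPLE_GROUP="$SAMPLE_DIR/group"
SAMPLE_FTPUSERS="$SAMPLE_DIR/ftpusers"
printf '%s\n' 'wheel:*:0:root,admin,bob' 'staff:*:20:root' 'ftponly:*:1001:transfer' > "$SAMPLE_GROUP"
printf '%s\n' '# users that may not use ftp' 'root' 'admin' > "$SAMPLE_FTPUSERS"

# Demonstration: prints "bob", whose root-capable password could leak over ftp.
wheel_without_ftp_lockout "$SAMPLE_GROUP" "$SAMPLE_FTPUSERS"
```

Running it after every user change (or from a nightly cron job) catches the case where someone is added to wheel later and nobody remembers ftpusers.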

Firewalling

Firewalls are usually designed to prevent outsiders from accessing services on our network; they’re also used to prevent DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.

FreeBSD comes with a superb firewalling tool called ipfw. It’s very flexible and has tons of options, yet it’s pretty easy to use and set up. Now we’re going to discuss how to set up a firewall for a workstation connected to the internet through a dial-up connection (that’s what I have at home); you can use this document for other connection types too.

First of all you have to reconfigure your kernel. If you don’t know how to do that, check in the FreeBSD handbook.

Edit your own kernel configuration and add the following lines.

Now all you have to do is recompile the kernel. But don’t reboot yet; we still need to make some changes in /etc/rc.conf.

Open /etc/rc.conf in your favorite text editor and add these lines.

Now, if you are a dial-up user you might have natd enabled, either in your rc.conf file or in your ppp.conf file. Disable it by adding/modifying this line in rc.conf:

ppp_nat="NO"

Now let’s get down to the firewall rules. Create the /etc/firewall/ directory and start editing the ipfw.rules file (or whatever file name you put in rc.conf). Example:

That’s all. Now reboot your machine. In order to check if the firewall was loaded type:

ipfw show

You should see the firewall rules you just made. Now your firewall is up and running, protecting you from the outside world. If you want to disable your firewall, do:

ipfw -f flush

The great thing about ipfw is that you can add rules on the fly. All you have to do is type:

ipfw add Rule_Number Rule

The Rule_Number is important because ipfw evaluates the rules in the order given by their numbers, and the first matching rule decides. For more advanced ipfw rules, read the man page.
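To show what such a rule set looks like end to end for the setup in this section (ftp reachable from the internet, sshd only from the local network, natd off), here is an added example; it is not the article’s own ipfw.rules file. The interface name tun0, the local network 192.168.1.0/24 and the path /sbin/ipfw are assumptions you would adjust. It is written as a shell script that calls ipfw once per rule, so `IPFW=echo sh ipfw.rules apply` prints exactly the commands that would be loaded without touching the kernel.

```sh
#!/bin/sh
# Added example, not from the original article: an ipfw rule set for a single
# workstation on a dial-up link that leaves ftp open to the internet and sshd
# open only to the local network. Everything below is an assumption made for
# the example:
#   EXT_IF  the interface facing the internet (tun0 for a FreeBSD ppp link)
#   LAN     the local network allowed to reach sshd
#   IPFW    the ipfw binary; set IPFW=echo to preview the rules instead of
#           loading them (the preview is exactly what ipfw(8) would be given)
IPFW="${IPFW:-/sbin/ipfw}"
EXT_IF="${EXT_IF:-tun0}"
LAN="${LAN:-192.168.1.0/24}"

load_rules() {
    # Start from an empty rule set so re-running never leaves stale rules behind.
    $IPFW -f flush

    # Loopback traffic is unrestricted, but no packet on a real interface may
    # carry a 127/8 address, and nothing arriving on the dial-up link may claim
    # a LAN source address (anti-spoofing).
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny log ip from any to 127.0.0.0/8
    $IPFW add 120 deny log ip from 127.0.0.0/8 to any
    $IPFW add 130 deny log ip from $LAN to any in via $EXT_IF

    # Packets that belong to TCP connections already accepted by a rule below.
    $IPFW add 200 allow tcp from any to any established

    # New inbound connections ("setup" = SYN only): ftp from anywhere, sshd only
    # from the LAN. Connections we open ourselves go out unhindered; every other
    # connection attempt from the internet is refused and logged.
    $IPFW add 210 allow tcp from any to any 21 setup in via $EXT_IF
    $IPFW add 220 allow tcp from $LAN to any 22 setup
    $IPFW add 230 allow tcp from any to any setup out via $EXT_IF
    $IPFW add 240 deny log tcp from any to any setup in via $EXT_IF

    # UDP has no "established" flag, so DNS uses a dynamic (stateful) rule:
    # our outgoing query creates a state entry and check-state lets only the
    # matching reply back in.
    $IPFW add 300 check-state
    $IPFW add 310 allow udp from any to any 53 out via $EXT_IF keep-state

    # ICMP needed for a working link: echo reply, unreachable, echo request,
    # time exceeded. Every other type falls through to the final rule.
    $IPFW add 400 allow icmp from any to any icmptypes 0,3,8,11

    # Explicit, logged default deny; keeps the policy visible in "ipfw show".
    $IPFW add 65000 deny log ip from any to any
}

# "sh ipfw.rules apply" loads the rules; without an argument the file only
# defines them, so it can be previewed or sourced.
case "${1:-}" in
    apply) load_rules ;;
esac
```

Two caveats a practitioner should know. The `log` keyword only produces output if the kernel was built with ipfw logging support (options IPFIREWALL_VERBOSE), otherwise the rules still block but silently. And passive-mode FTP data connections arrive on high ports and are refused by rule 240; if clients need passive mode, the passive port range of ftpd has to get its own `setup` rule.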

Testing your security

OK, now you have a pretty secure workstation that you can safely connect to the internet. But how can you know that for sure? Test it.

Testing the firewall

For this operation you’ll probably need a friend’s help (because your firewall was configured to allow localhost connections). Of course you could run something like:

ipfw del 120
ipfw del 130
ipfw del 140

or whatever the numbers of the rules that allow localhost connections are. Either way, you have to find a way to be “outside” the firewall.

Now ask a friend to run an nmap scan, or do it yourself (you can install it on FreeBSD from /usr/ports/security/nmap). The command should be something like:

nmap -v -O -sS your.host.com

If everything is right you should only see the ports you enabled (21 and maybe 80). To check your ftp and httpd security, the best way is to look up their version numbers in a security database like Bugtraq, SecurityFocus, PacketStorm Security, etc.
