Update to my FreeBSD Checklist

Since I last came across this very useful FreeBSD checklist, I have been better able to keep track of what I was doing when installing FreeBSD on different machines. Since my last post on this checklist I have updated it to better fit my needs when installing FreeBSD. I even used this checklist to get one of my professors started with FreeBSD.

Partition Setup:
================
/
/var
/tmp
/usr
/storage

FreeBSD Security Checklist, taken from www.sddi.net

Installation
[ ] separate slices for /, /tmp(MB), /usr(G),
/usr/home(G), /var(MB), /storage(G) using the ufs2 fs

[ ] no inetd or nfs, since portmap is not being used.

[ ] no ntp, since rdate is being used

[ ] add /sysutils/rdate-1.0 & /security/chkrootkit-0.36

[ ] add non-privileged user account in wheel group

Users
[ ] vipw and remove toor user, rename Charlie&, change shells

[ ] in /etc/group, add ssh:*:0:sshusergroup
Together with the AllowGroups line in sshd_config, this denies root the ability to ssh into the box.

motd
[ ] cp /etc/motd /etc/motd.old

[ ] rm /etc/motd
[ ] touch /etc/motd
[ ] vi /etc/motd and enter whatever message you want to see when you
or other users log in to the box.
[ ] cp /etc/motd /etc/issue

/etc/ssh/sshd_config
[ ] port 22
I change my port to 2222 to prevent default scans from
triggering alerts to port 22.

[ ] protocol 2

[ ] #Hostkey /etc/ssh/ssh_host_key

[ ] PermitRootLogin no

[ ] MaxStartups 5:50:10
Once 5 unauthenticated connections are pending, refuse 50% of new ones,
and refuse all new connections once 10 are pending.

[ ] X11Forwarding no
X11 forwarding does not prevent users from forwarding X11
traffic, as users can always install their own forwarders.

[ ] PrintLastLog yes

[ ] SyslogFacility auth
Sends log information to /var/log/auth

[ ] LogLevel VERBOSE

[ ] PasswordAuthentication no

[ ] Banner /etc/issue

[ ] AllowGroups sshusers
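The sshd_config items above only take effect if the line sshd actually reads carries the hardened value: keywords are case-insensitive, commented lines are ignored, and the first occurrence of a directive wins, so a "PermitRootLogin no" placed after an earlier "PermitRootLogin yes" does nothing. The following audit script is an added example, not part of the original checklist; it checks a config file against the directives listed above. The sample sshd_config it writes is constructed and deliberately lax, and the mktemp path is just a scratch file.

```sh
#!/bin/sh
# Added example (not from the original checklist): audit an sshd_config
# against the directives listed in the checklist. sshd treats keywords
# case-insensitively and uses the FIRST occurrence of a directive, so a
# hardened line placed after a lax one, or left commented out, does nothing.

# sshd_value <file> <keyword>: print the effective value ('' if unset)
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        tolower($1) == k { print $2; exit }             # first match wins
    ' "$1"
}

# audit_sshd <file>: print one line per directive that deviates from the checklist
audit_sshd() {
    for pair in 'Protocol=2' 'PermitRootLogin=no' 'X11Forwarding=no' \
                'PasswordAuthentication=no' 'LogLevel=VERBOSE' \
                'MaxStartups=5:50:10' 'AllowGroups=sshusers' 'Banner=/etc/issue'
    do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_value "$1" "$key")
        [ "$have" = "$want" ] || echo "$key: expected '$want', found '${have:-<unset>}'"
    done
}

# write_sample_config <file>: a constructed, deliberately lax sshd_config.
# The commented-out and the late "PermitRootLogin no" are both ineffective.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 2222
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
X11Forwarding yes
LogLevel VERBOSE
MaxStartups 5:50:10
AllowGroups sshusers
Banner /etc/issue
EOF
}

# demo: write the sample to a scratch file, audit it, clean up
demo_sshd_audit() {
    tmp=$(mktemp) || return 1
    write_sample_config "$tmp"
    audit_sshd "$tmp"
    rm -f "$tmp"
}
demo_sshd_audit
```

On the sample, the audit reports PermitRootLogin (effective value yes), X11Forwarding (yes) and PasswordAuthentication (unset, so sshd's default applies); the remaining directives match. Run it against /etc/ssh/sshd_config after editing and again after any package upgrade that may have rewritten the file.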

/etc/ssh/ssh_config
[ ] ForwardAgent no
[ ] ForwardX11 no
[ ] PasswordAuthentication no
[ ] CheckHostIP yes
This allows ssh to detect if a host key changed due to DNS
spoofing.

[ ] Protocol 2

DSA Key Generation (as opposed to passwd)
[ ] su - {nonprivuser} as root

[ ] ssh-keygen -t dsa

[ ] accept the default ~/.ssh/id_dsa

[ ] enter the passphrase twice

[ ] cd .ssh

[ ] cat id_dsa.pub > authorized_keys2

[ ] copy key to floppy, and confirm

[ ] delete the private key (id_dsa) from the server

rc.conf
[ ] inetd_enable="NO"

[ ] syslogd_enable="YES"

[ ] syslogd_flags="-ss"
This keeps syslogd from opening UDP port 514, so there is no logging
to or from the network.

[ ] icmp_drop_redirect="YES"
Ignore ICMP redirect messages (this does not affect pings).

[ ] icmp_log_redirect="YES"

[ ] clear_tmp_enable="YES"
Empty /tmp on boot

[ ] portmap_enable="NO"
If not running nfs

[ ] icmp_bmcastecho="NO"
Don't answer broadcast pings; prevents springboarding & smurf attacks

[ ] fsck_y_enable="YES"
Run fsck -y if the initial preen of the filesystems fails;
-y assumes yes to all questions.

[ ] update_motd="NO"
We do not want to overwrite the message of the day on boot

[ ] tcp_drop_synfin="YES"
Drop TCP packets with both the SYN and FIN bits set.

[ ] log_in_vain="YES"
Log all attempts to connect to a closed port on the box.

[ ] sshd_enable="YES"
Run our sshd daemon on boot.

login.conf & auth.conf
[ ] vi /etc/login.conf

[ ] :passwd_format=blf: Change the default password hash from md5 to blowfish, an
algorithm yet to be broken.

[ ] :passwordtime=52d: Renew passwords every 52nd day

[ ] :mixpasswordcase=true:
[ ] :minpasswordlen=9:
[ ] :idletime=32: This can be annoying!

[ ] cap_mkdb /etc/login.conf

[ ] confirm with vipw that the password field starts with $2 for blowfish

[ ] confirm shells for users

[ ] vi /etc/auth.conf

[ ] crypt_default=blf
This makes blowfish the default algorithm for all new users
added
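Switching passwd_format and crypt_default to blf only affects passwords set from then on; accounts whose password was hashed earlier keep their MD5 ($1$) hash until the user changes it, which is why the checklist says to confirm the $2 prefix in vipw. The script below is an added example, not part of the original checklist; it lists the accounts whose hash is not yet Blowfish so they can be re-hashed. The sample file is constructed in master.passwd layout and its hash strings are placeholders.

```sh
#!/bin/sh
# Added example (not from the original checklist): after switching
# passwd_format to blf, passwords hashed earlier keep their old MD5 ($1$)
# hashes until the user changes them. List accounts still not on Blowfish
# ($2...) so they can be re-hashed. master.passwd layout is
# name:hash:uid:gid:class:change:expire:gecos:home:shell.

# stale_hashes <master.passwd-like file>: print accounts whose hash is not $2*.
# Locked or empty password fields (*, !..., empty) are skipped: nothing to re-hash.
stale_hashes() {
    awk -F: '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $2 == "" || $2 == "*" || substr($2, 1, 1) == "!" { next }   # no usable password
        substr($2, 1, 2) != "$2" { print $1 }                         # not a Blowfish hash
    ' "$1"
}

# write_sample_passwd <file>: constructed entries; the hash strings are placeholders
write_sample_passwd() {
    cat > "$1" <<'EOF'
# constructed sample, not a real master.passwd
root:$1$PLACEHOLDER$md5hashxxxxxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
alice:$2a$04$PLACEHOLDERblowfishhashxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:1001:1001::0:0:Alice:/usr/home/alice:/usr/local/bin/bash
bob:$1$PLACEHOLDER$md5hashyyyyyyyyyyyyyy:1002:1002::0:0:Bob:/usr/home/bob:/usr/local/bin/bash
EOF
}

# demo: write the sample to a scratch file, list stale accounts, clean up
demo_stale_hashes() {
    tmp=$(mktemp) || return 1
    write_sample_passwd "$tmp"
    stale_hashes "$tmp"     # root and bob still carry $1$ hashes
    rm -f "$tmp"
}
demo_stale_hashes
```

On a real system point it at /etc/master.passwd as root (the file is mode 600); toor is skipped because its password field is locked, which is the state the checklist leaves it in after vipw.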

sysctl.conf
[ ] vi /etc/sysctl.conf

[ ] kern.ipc.shmmax=67108864
[ ] kern.ipc.shmall=32768
To further optimise performance: to enhance the shared-memory X11
interface, it is recommended that the values of these sysctl(8)
variables be increased.

[ ] net.inet.tcp.blackhole=2

[ ] net.inet.udp.blackhole=1

[ ] vfs.usermount=1
Allows for normal users to mount filesystems

[ ] hw.ata.atapi_dma=1
Enables DMA access for ATAPI devices.

[ ] kern.ps_showallprocs=0
Disallow the viewing of other users processes. For normal users
only

[ ] net.inet.ip.forwarding=1
Enable IP Forwarding

[ ] net.inet.ip.check_interface=1
This verifies that an incoming packet arrives on an interface
that has an address matching the packet’s destination address

[ ] net.inet.tcp.recvspace=65535
To enable high-performance data transfers. This is good when
transferring files.

[ ] net.inet.tcp.sendspace=65535

[ ] kern.ipc.shm_allow_removed=1
For vmware

fstab
[ ] vi /etc/fstab
[ ] /tmp to rw,noexec
[ ] /usr/home to rw,nosuid,noexec
[ ] /floppy to rw,noauto,noexec,nosuid,nodev,noatime
[ ] /cdrom to ro,noauto
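The fstab items above are easy to get subtly wrong (a missing option, or a mount point that has no entry at all and so silently falls back to the parent filesystem's options). The script below is an added example, not part of the original checklist; it reads an fstab and reports, for each mount point in the list above, which of the intended options are absent. The sample fstab is constructed and its device names are placeholders.

```sh
#!/bin/sh
# Added example (not from the original checklist): check that the mount
# points hardened in the checklist actually carry the intended options in
# /etc/fstab. fstab fields: device mountpoint fstype options dump pass.

# fstab_missing <fstab> <mountpoint> <opt,opt,...>: print each wanted option
# absent from the mount point's option list, or NOT_IN_FSTAB if the mount
# point has no entry at all (then /tmp is just a directory on / with no noexec).
fstab_missing() {
    awk -v mp="$2" -v want="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $2 == mp {
            n = split($4, have, ","); for (i = 1; i <= n; i++) h[have[i]] = 1
            m = split(want, w, ",");  for (i = 1; i <= m; i++) if (!(w[i] in h)) print w[i]
            found = 1; exit
        }
        END { if (!found) print "NOT_IN_FSTAB" }
    ' "$1"
}

# write_sample_fstab <file>: constructed fstab; /tmp and /usr/home are incomplete
write_sample_fstab() {
    cat > "$1" <<'EOF'
# Device        Mountpoint   FStype  Options                                   Dump Pass
/dev/ad0s1a     /            ufs     rw                                        1    1
/dev/ad0s1d     /tmp         ufs     rw                                        2    2
/dev/ad0s1e     /usr/home    ufs     rw,nosuid                                 2    2
/dev/fd0        /floppy      msdosfs rw,noauto,noexec,nosuid,nodev,noatime     0    0
/dev/acd0       /cdrom       cd9660  ro,noauto                                 0    0
EOF
}

# check_fstab <fstab>: apply the checklist's expectations; print "mp: missing ..." lines
check_fstab() {
    for spec in '/tmp=noexec' '/usr/home=nosuid,noexec' \
                '/floppy=noauto,noexec,nosuid,nodev,noatime' '/cdrom=ro,noauto'
    do
        mp=${spec%%=*}
        want=${spec#*=}
        miss=$(fstab_missing "$1" "$mp" "$want" | tr '\n' ' ')
        [ -z "$miss" ] || echo "$mp: missing $miss"
    done
}

# demo: write the sample to a scratch file, check it, clean up
demo_fstab() {
    tmp=$(mktemp) || return 1
    write_sample_fstab "$tmp"
    check_fstab "$tmp"      # /tmp and /usr/home both lack noexec
    rm -f "$tmp"
}
demo_fstab
```

Note that fstab only says what will be mounted at boot; after editing, remount (or reboot) and compare with the output of mount, since a filesystem mounted earlier keeps its old options.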

cvsup
[ ] vi /etc/make.conf

crontab
[ ] chmod 600 /etc/crontab
[ ] touch /var/cron/allow and add users who can change cron jobs
[ ] chmod 600 /var/cron/deny
[ ] vi /var/cron/deny and add users to disallow
[ ] add 0 2 * * * root /usr/libexec/locate.updatedb
[ ] add 0 2 * * * root /usr/local/sbin/rdate {ntpserver}
[ ] add 1 3 * * * root /usr/local/sbin/chkrootkit

Kernel Changes /usr/src/sys/i386/conf/{kernelname}
[ ] #pseudo-device bpf
[ ] options SC_NO_HISTORY
[ ] options SC_DISABLE_REBOOT
[ ] options SC_DISABLE_DDBKEY
[ ] options TCP_DROP_SYNFIN
[ ] options RANDOM_IP_ID
[ ] options ICMP_BANDLIM
[ ] confirm settings in /usr/src/sys/i386/conf/LINT
[ ] rebuild kernel and reboot

making world
[ ]
… Dave, do your magic

File Permissions
[ ] chmod 700 /root
[ ] chmod 600 /etc/syslog.conf
[ ] chmod 600 /etc/rc.conf
[ ] chmod 600 /etc/newsyslog.conf
[ ] chmod 600 /etc/hosts.allow
[ ] chmod 600 /etc/login.conf
[ ] chmod 700 /usr/home/*

Network Time Protocol
[ ] restrict default ignore

TCP Wrappers
vi /etc/hosts.allow
[ ] sshd : localhost : allow
[ ] sshd : x.x.x.x, x.x.x.x : allow
[ ] sshd : all : deny
[ ] ftpd : ALL : deny and so on for unused services
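Order matters in hosts.allow: libwrap walks the file top to bottom and the first line whose daemon and client patterns both match decides, and if no line matches at all the connection is allowed. That default is why the "sshd : all : deny" line has to come after the allow lines, and why every unused service needs its own deny line. The simulator below is an added example, not part of the original checklist or of libwrap itself; it only understands literal addresses, comma-separated lists and ALL (no netmasks, hostname lookups, wildcards or IPv6, whose colons would need more than splitting on ":"), so the rules it reads use 127.0.0.1 rather than localhost. The rules file is constructed.

```sh
#!/bin/sh
# Added example (not from the original checklist): a small simulator of how
# libwrap walks /etc/hosts.allow. The first line whose daemon AND client
# patterns match decides; if nothing matches, access is ALLOWED.
# Simplification: only literal addresses, comma lists and ALL are understood
# (no netmasks, hostnames, wildcards or IPv6).

# wrap_decide <rules-file> <daemon> <client-address>: print allow or deny
wrap_decide() {
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v c="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            if (split($0, f, ":") < 3) next          # malformed line, skip
            daemon = tolower(trim(f[1])); action = tolower(trim(f[3]))
            if (daemon != "all" && daemon != d) next
            m = split(f[2], cl, ",")
            for (i = 1; i <= m; i++) {
                p = trim(cl[i])
                if (tolower(p) == "all" || p == c) { print action; found = 1; exit }
            }
        }
        END { if (!found) print "allow" }           # libwrap default: no rule, no block
    ' "$1"
}

# write_sample_rules <file>: constructed hosts.allow in the checklist's shape
write_sample_rules() {
    cat > "$1" <<'EOF'
sshd : 127.0.0.1 : allow
sshd : 192.0.2.10, 192.0.2.11 : allow
sshd : ALL : deny
ftpd : ALL : deny
EOF
}

# demo: evaluate a few (daemon, client) pairs against the sample rules
demo_wrap() {
    tmp=$(mktemp) || return 1
    write_sample_rules "$tmp"
    for q in 'sshd 192.0.2.11' 'sshd 198.51.100.7' 'ftpd 192.0.2.10' 'telnetd 192.0.2.10'; do
        set -- $q
        echo "$1 from $2: $(wrap_decide "$tmp" "$1" "$2")"
    done
    rm -f "$tmp"
}
demo_wrap
```

The telnetd case is the instructive one: with no telnetd line in the file the simulator (like libwrap) answers allow, which is exactly the gap the "and so on for unused services" item closes.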

Console Access
[ ] vi /etc/ttys
[ ] first line: console none unknown off insecure
[ ] change secure to insecure on each tty

Bash Shell
[ ] vi /usr/share/skel/.bash_logout
[ ] clear

chflags
[ ] list files to set the sappnd & schg flags on

Clean-up
[ ] sockstat -4
[ ] tcpdump -xX
======================================================================
