

BSD, sometimes called Berkeley Unix, is a Unix operating system developed by the Computer Systems Research Group of UC Berkeley.

Borrowing a bit of experience -- hardening FreeBSD --



Tags: freebsd, qmail, security hardening

#1  04-11-2014  se2pi

I have been playing with qmail a lot in a virtual machine (Debian OS), so I feel it's time to go for a real server, but in order to have a bit of extra fun I decided to start testing in a real environment with FreeBSD. Of course this will be done on a non-production server... nevertheless I am a bit worried about security. So it would be really nice to hear about others' experiences, how to approach security issues in FreeBSD, what to have in mind, and of course knowledge or maybe experiences are welcome!!!

Hope to read advice and experiences :-)

The server will be running FreeBSD 10

apache, qmail and bind nothing more (only one domain - No panel config Please - )

Thanks for reading and sharing ;-)

#2  05-07-2014  MadeInGermany (Moderator)

Just seeing this post.
Besides remote scanners like nmap you perhaps can run the following script.

Code:
#!/bin/sh
# This script detects world-writable files that can make the OS unsafe.
# It lists them as shell commands that would do fixes. (Pipe it to sh for execution!)

# No wildcard globbing
set -f

# Safe PATH
export PATH
PATH=/bin:/usr/bin:/usr/sbin:/sbin

# Get "mtab"
# Seems like a hack but is more portable than df
#
for mtab in /etc/mnttab /etc/mtab /proc/mounts
do
  [ -f "$mtab" ] && break
done
if [ ! -f "$mtab" ]
then
  echo "UNKNOWN: no $mtab"
  exit 3
fi

# Knowing that / is the first mounted OS disk,
# get all disks of the same type from mtab
#
awk '$2=="/" {type=$3} $3==type {print $2}' "$mtab" |
# and process each disk
while read -r mdir
do
 # only consider directories that belong to a Unix OS
 case $mdir/ in
 //|/tmp/*|/var/*|/usr/*|/opt/*|/etc/*|/dev/*|/stand/*|/boot/*)
  # List world-writable files and directories together with a command that restricts it.
  # Assume that a directory ending with /tmp is a temporary directory: do not descend and set the t bit.
  find "$mdir" -xdev \( -type f -o -type d \! -perm -1000 \) -perm -2 \
   \( -type d -name tmp -prune -exec echo chmod +t {} \; -o -exec echo chmod o-w {} \; \) \
   -o -type d -name tmp -prune
 ;;
 esac
done

I don't have a BSD system, so am interested if it runs at all...
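
The find predicate from the script above, run against a throwaway directory tree, as an added example that is not part of the original post. It shows which entries the predicate flags and which it skips; every path name in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: exercises the find predicate from the post on a constructed tree.
# All directory and file names below are constructed for the demonstration.

# The predicate from the script; output is sorted so the result is stable.
audit_tree() {
  find "$1" -xdev \( -type f -o -type d \! -perm -1000 \) -perm -2 \
    \( -type d -name tmp -prune -exec echo chmod +t {} \; \
       -o -exec echo chmod o-w {} \; \) \
    -o -type d -name tmp -prune | LC_ALL=C sort
}

# Build a throwaway tree covering each case the predicate distinguishes.
make_sample_tree() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/etc" "$root/tmp" "$root/var/tmp" "$root/var/spool" "$root/var/drop"
  : > "$root/etc/ok.conf";     chmod 644 "$root/etc/ok.conf"     # not world-writable
  : > "$root/etc/bad.conf";    chmod 666 "$root/etc/bad.conf"    # flagged: o-w
  : > "$root/tmp/scratch";     chmod 666 "$root/tmp/scratch"     # below sticky tmp: skipped
  : > "$root/var/tmp/scratch"; chmod 666 "$root/var/tmp/scratch" # below pruned tmp: skipped
  : > "$root/var/drop/upload"; chmod 666 "$root/var/drop/upload" # flagged: o-w
  chmod 755  "$root/etc" "$root/var"
  chmod 1777 "$root/tmp"        # correct temp dir: sticky bit already set
  chmod 777  "$root/var/tmp"    # temp dir missing the sticky bit: flagged +t
  chmod 777  "$root/var/spool"  # world-writable non-tmp dir: flagged o-w
  chmod 1777 "$root/var/drop"   # sticky but not named tmp: find descends into it
  echo "$root"
}

# Run the audit on the sample tree and print the suggested fixes.
demo() {
  root=$(make_sample_tree) || return 1
  audit_tree "$root" | sed "s|$root||"   # strip the random prefix for readability
  rm -rf "$root"
}

demo
```

The suggested commands are echoed with unquoted paths, so read the list before piping it to sh.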

#3  06-13-2014  Opr_Sys

Quote (originally posted by se2pi):
I have been playing with qmail a lot in a virtual machine (Debian OS), so I feel it's time to go for a real server, but in order to have a bit of extra fun I decided to start testing in a real environment with FreeBSD. Of course this will be done on a non-production server... nevertheless I am a bit worried about security. So it would be really nice to hear about others' experiences, how to approach security issues in FreeBSD, what to have in mind, and of course knowledge or maybe experiences are welcome!!!

Hope to read advice and experiences :-)

The server will be running FreeBSD 10

apache, qmail and bind nothing more (only one domain - No panel config Please - )

Thanks for reading and sharing ;-)

If you're going to go with BSD's apache - Take your time to run Audit-D and Lynis to harden your config, run Apache in the Jail under Chroot and use Mod_Security.

I'll be honest and say I don't like Apache simply because it falls over far too often and it's easy for an attacker that knows what they're doing to go peeling it apart like peeling the layers off an Onion. ie: Which version of PHP - Soon query that!

Bind is also not my first choice, but it does the Job I guess, as it's not a production server then yeah go for it have fun exploring all the different security options at your disposal and play with them, the only way you learn about that kind of stuff is to play with it over and over and then you'll slowly get the gist.

See the fact of it is that it's not really a Typesafe system, that's why it comes bundled with things like Acid-Base and Snort, when in truth it uses far too much in line PHP, Perl, Java & Pthreads (Posix) etc, etc. If you're looking for the totally 100% secure operating system, then you might want to explore 9-Base which is more Unix than Unix and uses Secure Name Spaces and then of course you configure your setup to dump its db and user tables into 9, on BSD they break in and they elevate to Root on Plan 9 they break in and elevate to Nobody!

If it's going to be a production server then I would suggest going backwards rapidly, because it was only after Windows 3.35 that weird stuff started creeping in. If you still have any old copies of Windows 3.1 laying around you can soon upgrade them to resemble 95 with Calmira II or you could go with freeDOS and OpenGEM.

It's time to dig out and dispose of all the weird and unknowable security configs that seem to be prevalent everywhere, because in the age where they're saying users should have no privacy then it's fast becoming evident that those are the words of a politician who doesn't know the first thing about 8 Bit - 16 Bit - 32 Bit or 64 Bit.

And I'll be damned if I'll let them just tread all over my civil liberties and those of everybody else just because they want to profit from their Multi-Level Marketing Scams and the fact they want a new Car.

It doesn't have to be BSD and it doesn't have to be Debian but it can sure as hell be Unix!

Last edited by Opr_Sys; 06-13-2014 at 09:14 AM..