Borrowing a bit of experience -- hardening FreeBSD --


 
# 1  
Old 04-11-2014

I have been playing with qmail a lot in a virtual machine (Debian OS), so I feel it's time to go for a real server, but in order to have a bit of extra fun I decided to start testing in a real environment with FreeBSD. Of course this will be done on a non-production server... nevertheless I am a bit worried about security. So it would be really nice to hear about others' experiences, how to approach security issues in FreeBSD, what to have in mind, and of course knowledge or maybe experiences are welcome!!!

Hope to read advice and experiences :-)

The server will be running FreeBSD 10

apache, qmail and bind nothing more (only one domain - No panel config Please - )

Thanks for reading and sharing ;-)
# 2  
Old 05-07-2014
Just seeing this post.
Besides remote scanners like nmap you perhaps can run the following script.
Code:
#!/bin/sh
# This script detects world-wide writable files that can make the OS unsafe.
# It lists them as shell commands that would do fixes. (Pipe it to sh for execution!)

# No wildcard globbing
set -f

# Safe PATH
export PATH
PATH=/bin:/usr/bin:/usr/sbin:/sbin

# Get "mtab"
# Seems like a hack but is better portable than df
#
for mtab in /etc/mnttab /etc/mtab /proc/mounts
do
  [ -f $mtab ] && break
done
if [ ! -f $mtab ]
then
  echo "UNKNOWN: no $mtab"
  exit 3
fi

# Knowing that / is the first mounted OS disk,
# get all disks of the same type from mtab
#
awk '$2=="/" {type=$3} $3==type {print $2}' $mtab |
# and process each disk
while read mdir
do
 # only consider directories that belong to a Unix OS
 case $mdir/ in
 //|/tmp/*|/var/*|/usr/*|/opt/*|/etc/*|/dev/*|/stand/*|/boot/*)
  # List world-writable files and directories together with a command that restricts it.
  # Assume that a directory ending with /tmp is a temporary directory: do not descend and set the t bit.
  find "$mdir" -xdev \( -type f -o -type d \! -perm -1000 \) -perm -2 \( -type d -name tmp -prune -exec echo chmod +t {} \; -o -exec echo chmod o-w {} \; \) -o -type d -name tmp -prune
 ;;
 esac
done

I don't have a BSD system, so am interested if it runs at all...
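
A default FreeBSD install has none of /etc/mnttab, /etc/mtab or /proc/mounts, so the script above would stop at its "UNKNOWN" branch there. The sketch below is an added example, not code from the thread: it applies the same awk filter to `mount -p` (which prints the mount table in fstab format on FreeBSD) and reports findings as tab-separated records rather than shell text meant for `sh`, so unusual file names cannot turn into commands. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: report world-writable files without emitting shell commands.

# Constructed sample of `mount -p` output (fstab format: dev, dir, type, ...).
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
devfs /dev devfs rw 0 0
/dev/ada0p3 /var ufs rw 2 2
tmpfs /tmp tmpfs rw 0 0
/dev/ada0p4 /usr ufs rw 2 2'

# Read a mount table on stdin; print mount points with the same type as "/".
same_type_mounts() {
  awk '$2 == "/" { type = $3 } $3 == type { print $2 }'
}

# Print "<suggested chmod mode><TAB><path>" for each finding under directory $1:
#   o-w  regular file writable by others
#   +t   directory writable by others that lacks the sticky bit
# Symlinks are not followed and other filesystems are not entered (-xdev).
audit_dir() {
  find "$1" -xdev \
    \( -type f -perm -0002 -exec printf 'o-w\t%s\n' {} \; \) -o \
    \( -type d -perm -0002 ! -perm -1000 -exec printf '+t\t%s\n' {} \; \)
}

# Live use on FreeBSD (commented out so the block runs anywhere):
#   mount -p | same_type_mounts | while read -r m; do audit_dir "$m"; done

# Demo on the constructed table: prints /, /var and /usr.
printf '%s\n' "$SAMPLE_MOUNTS" | same_type_mounts
```

Unlike the original, this version also descends into directories named tmp, so it reports world-writable files left inside them.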
# 3  
Old 06-13-2014

Quote:
Originally Posted by se2pi
I have been playing with qmail a lot in a virtual machine (Debian OS), so I feel it's time to go for a real server, but in order to have a bit of extra fun I decided to start testing in a real environment with FreeBSD. Of course this will be done on a non-production server... nevertheless I am a bit worried about security. So it would be really nice to hear about others' experiences, how to approach security issues in FreeBSD, what to have in mind, and of course knowledge or maybe experiences are welcome!!!

Hope to read advice and experiences :-)

The server will be running FreeBSD 10

apache, qmail and bind nothing more (only one domain - No panel config Please - )

Thanks for reading and sharing ;-)

If you're going to go with BSD's Apache - take your time to run Audit-D and Lynis to harden your config, run Apache in the Jail under Chroot and use Mod_Security.

I'll be honest and say I don't like Apache simply because it falls over far too often and it's easy for an attacker that knows what they're doing to go peeling it apart like peeling the layers off an onion. ie: Which version of PHP - Soon query that!

Bind is also not my first choice, but it does the job I guess. As it's not a production server, then yeah, go for it, have fun exploring all the different security options at your disposal and play with them; the only way you learn about that kind of stuff is to play with it over and over and then you'll slowly get the gist.

See, the fact of it is that it's not really a Typesafe system, that's why it comes bundled with things like Acid-Base and Snort, when in truth it uses far too much inline PHP, Perl, Java & Pthreads (Posix) etc, etc. If you're looking for the totally 100% secure operating system, then you might want to explore 9-Base, which is more Unix than Unix and uses Secure Name Spaces, and then of course you configure your setup to dump its db and user tables into 9. On BSD they break in and they elevate to Root; on Plan 9 they break in and elevate to Nobody!

If it's going to be a production server then I would suggest going backwards rapidly, because it was only after Windows 3.35 that weird stuff started creeping in. If you still have any old copies of Windows 3.1 laying around you can soon upgrade them to resemble 95 with Calmira II or you could go with freeDOS and OpenGEM.

It's time to dig out and dispose of all the weird and unknowable security configs that seem to be prevalent everywhere, because in the age where they're saying users should have no privacy then it's fast becoming evident that those are the words of a politician who doesn't know the first thing about 8 Bit - 16 Bit - 32 Bit or 64 Bit.

And I'll be damned if I'll let them just tread all over my civil liberties and those of everybody else just because they want to profit from their Multi-Level Marketing Scams and the fact they want a new car.

It doesn't have to be BSD and it doesn't have to be Debian but it can sure as hell be Unix!

Last edited by Opr_Sys; 06-13-2014 at 10:14 AM..