BSD DevCenter

FreeBSD Basics: Securing FreeBSD

by Dru Lavigne
08/08/2002

In the past few days, I've been sorting through my piles of notes and organizing the security tips I've gathered from various resources over the years. I thought some of them might interest you, so this week, I'll take a break from the archiving series and write a bit about securing your FreeBSD system.

Obviously, I won't be able to give thorough coverage of such a broad topic within the confines of one article. That is just as well, since it is impossible to create a one-size-fits-all list that will guarantee the security of any system.

As I sort through my notes, I notice that most are geared toward tightening the security of a FreeBSD system that acts as some sort of server (e.g. a web server or mail server). That isn't so helpful if you instead use your FreeBSD system as your personal workstation and want full desktop functionality. You would be a very unhappy camper if a security setting broke some functionality that took you a week of struggle to get working in the first place.

For this reason, you'll note that, unlike most security tutorials, this article will not address changing any of the permissions on your FreeBSD system. This is intentional. Unless you're securing a production server and you know what you're doing, never change the permissions of any file. (If you must practice with permissions, stick to the files in your home directory.) Otherwise, things might stop working: things you would miss, like email, the X Window System, or sound. Strange things will happen at strange times, making it harder to realize that they are related to the permission you changed a week ago Tuesday.

We all know that the Internet isn't always a friendly place and that you probably don't want to give the rest of the world the same access to your system as you give yourself. This means you don't want to be on the Internet without being protected by some sort of firewall. Fortunately, your FreeBSD system supports two firewalls: ipfw and ipfilter. Even better, the amount of easy-to-follow documentation has steadily improved over the last year. If you're not behind a firewall, dedicate a Saturday afternoon to do some reading and configure firewall functionality on your system. You'll be glad you did. Here are some resources to get you started:

man ipfw
FreeBSD Handbook: Section 10.7 -- Firewalls
Setting Up a Dual-Homed Host using IPFW and NATD

man ipf
IPFilter and PF resources

Good security is always "defense in depth," meaning that if one mechanism fails, there is a backup mechanism. Even though your system is now protected by a firewall, you should also disable all services except for those you absolutely need. On a desktop system, you need very few services.

To see which services are listening for connection attempts on your system, use this command:

sockstat -4

Your output will vary, depending upon what settings you selected during the final installation phase of FreeBSD and what ports and packages you have built since then.
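To make that output easier to act on, here is an added example (not from the original article) that reads sockstat -4 output and reduces it to a list of listening sockets, then flags any listener whose port is not on an allow list you supply. On a real FreeBSD system you would run it as `sockstat -4 | unexpected_listeners 68 514`; so that it runs anywhere, a constructed sample of sockstat output in the FreeBSD 4.x column layout is embedded instead. The process names, PIDs and addresses in that sample are made up.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise which daemons are
# listening on which ports from "sockstat -4" output, and report any listener
# that is not on an allow list of ports you have decided you need.

# Constructed sample in the column layout of FreeBSD 4.x "sockstat -4".
# The browser line is an established connection, not a listener, and should
# not appear in the summary.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     XFree86    312   1  tcp4   *:6000                *:*
root     sendmail   247   4  tcp4   *:25                  *:*
root     sendmail   247   5  tcp4   *:587                 *:*
root     syslogd    195   4  udp4   *:514                 *:*
root     portmap    178   3  tcp4   *:111                 *:*
root     portmap    178   4  udp4   *:111                 *:*
root     dhclient   160   5  udp4   *:68                  *:*
dru      mozilla    401   12 tcp4   192.0.2.5:1053        198.51.100.7:80'

# listening_ports: read sockstat output on stdin and print "proto port command"
# for every socket with no peer (FOREIGN ADDRESS of *:*), i.e. a listener.
# The header line (NR == 1) and established connections are skipped.
listening_ports() {
    awk 'NR > 1 && $7 == "*:*" {
        n = split($6, a, ":")       # local address is host:port; take the port
        print $5, a[n], $2
    }' | sort -u
}

# unexpected_listeners PORT...: print the listeners whose port is not in the
# given allow list, e.g. 68 for dhclient and 514 for syslogd on a desktop.
unexpected_listeners() {
    allow=" $* "
    listening_ports | while read -r proto port cmd; do
        case "$allow" in
            *" $port "*) ;;                       # allowed, say nothing
            *) echo "$proto $port $cmd" ;;        # needs a decision
        esac
    done
}

# Demonstration on the constructed sample: everything except dhclient and
# syslogd is reported, so X, sendmail and portmap show up for review.
printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_listeners 68 514
```

Each port the script reports is a candidate for one of the fixes that follow in the article; rerunning the pipeline after each change shows whether the port has actually gone away.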

It is very common to see port 6000 (the X Window server) in the output; if you don't, start an X session and rerun sockstat -4. Unfortunately, there have been many X Window exploits over the years; fortunately, you don't need to leave port 6000 open in order to use X on your own system. Don't worry, you'll still have a GUI if you close this port!

There are several ways to close this port; I've found the easiest is to become the superuser and edit /usr/X11R6/bin/startx. Find the serverargs line and change it so that it looks like this:

serverargs="-nolisten tcp"

Once you've saved your changes, start X as a regular user and rerun sockstat -4. If you didn't have any typos, X will start as usual, but port 6000 will be missing in your sockstat -4 output.

If you'd like to read up on some of the security issues of leaving port 6000 open, here is a Crash Course in X Window Security.

Okay, that's one less service in your sockstat -4 output. You probably still have two ports that deal with email: ports 25 (smtp) and 587 (submission). You don't need port 587 to send/receive email; to close it you can edit /etc/mail/sendmail.cf. Find this line:

O DaemonPortOptions=Port=587, Name=MSA, M=E

and put a # in front of it to comment it out. Then, to tell sendmail about your change:

killall -HUP sendmail

The -HUP won't stop sendmail, but will tell it to read the changes you made to /etc/mail/sendmail.cf. Repeat sockstat -4 and it should no longer show port 587.

What about port 25? You may or may not need to leave this port open, depending upon which program you use to send and read your email. If you're running FreeBSD 4.6-RELEASE or higher, put this line in /etc/rc.conf:

sendmail_enable="NO"

This tells sendmail to listen only on localhost, which still allows any mail client on the machine to send email. If you know that your mail client has its own built-in SMTP agent, or you're feeling adventurous, you can try this line instead:

sendmail_enable="NONE"

which will close port 25 completely. To see if you've broken the ability to send email, make sure you've closed all of your terminals and saved all of your work. Then, as the superuser:

shutdown now

Press enter when prompted, then type exit. Once you've logged back in, see if you can send a test message to your email account. If you can't, go back to the word "NO" and repeat the above to re-open port 25 for the localhost.

If port 111 (portmap) shows up in your sockstat output, get rid of it by adding the following lines to /etc/rc.conf (or, if a line already exists in that file, change its YES to NO):

nfs_server_enable="NO"
nfs_client_enable="NO"
portmap_enable="NO"

Portmap is only needed if you are running NFS, which you won't be on a stand-alone FreeBSD desktop. It also has a long history of security issues, so if you don't absolutely need it, disable it.

syslog (port 514) will probably also show in your output. You don't want to disable syslog completely, as you do want to receive logging messages. However, you don't need to have this port open to do so. In your /etc/rc.conf file, make sure syslog is enabled and add a second line with some options:

syslogd_enable="YES"
syslogd_flags="-ss"

The two s characters in the flags (make sure you have two, not just one) disable logging from remote hosts and close that port, while still allowing your localhost to keep its logging capabilities.

Next, make sure inetd_enable is not set to YES in /etc/rc.conf. If inetd shows up in your sockstat output, something has been uncommented in /etc/inetd.conf. If you don't need it, put the # back in front of that line, and do a killall inetd.

If you get your address from your ISP's DHCP server, keep dhclient (port 68) open, or you won't be able to renew your IP address.

If you find anything else in your sockstat output, skim through man rc.conf to see if there is an option to disable it. If there isn't, it was most likely started with a startup script that was installed with a package or a port. If this is the case:

cd /usr/local/etc/rc.d

to see which startup scripts have been added to your system. Most packages/ports will install a sample script with a "sample" extension. As long as it ends in "sample," that script will not run at startup. Other packages/ports install a working script that is read at bootup and you will find the culprit in this directory. The easiest way to disable the script is to rename it with a "sample" extension, and then kill the daemon so that its port number no longer shows up in sockstat -4. For example, I recently installed ethereal and noticed that snmpd showed up in my sockstat -4 output. The snmp daemon has a long history of exploits and I didn't want it listening on my system, so I became the superuser and did this:

cd /usr/local/etc/rc.d
mv snmpd.sh snmpd.sh.sample
killall snmpd

You might also want to consider adding the following options to /etc/rc.conf:

tcp_drop_synfin="YES"

This option makes the kernel drop TCP packets that have both the SYN and FIN flags set, which defeats a form of OS fingerprinting, a scan technique used to determine the type of operating system running on a host. If you decide to enable this option, you will also have to rebuild your kernel with the following option included in your kernel configuration file:

options TCP_DROP_SYNFIN

Two related options are:

icmp_drop_redirect="YES"
icmp_log_redirect="YES"
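Since most of the changes above are edits to /etc/rc.conf, and several of them ("change the YES to a NO", "make sure you have two s characters, not one") are easy to get subtly wrong, here is an added example (not from the original article) that audits an rc.conf against the settings discussed on this page and applies them idempotently. The file path is a parameter so the script can be exercised on a constructed copy; on a real system you would point it at /etc/rc.conf as the superuser. The sample rc.conf contents, the hostname and the interface name are made up, and the use of mktemp for the scratch file is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the original article: audit and set the rc.conf
# variables discussed on this page. Works on any POSIX sh; the target file is
# a parameter so it can be tried on a copy before touching /etc/rc.conf.

# Settings recommended on this page for a stand-alone desktop. Where the page
# offers two acceptable values (sendmail_enable may be NO or NONE) they are
# separated by "|" and either passes the audit; the first is what gets applied.
WANTED='sendmail_enable=NO|NONE
nfs_server_enable=NO
nfs_client_enable=NO
portmap_enable=NO
syslogd_enable=YES
syslogd_flags=-ss
inetd_enable=NO
tcp_drop_synfin=YES
icmp_drop_redirect=YES
icmp_log_redirect=YES'

# rcconf_get FILE KEY: print the value of the last uncommented KEY="value"
# line (later lines win in rc.conf, as in shell), or nothing if it is unset.
# Quotes are optional; a trailing comment or stray tab is ignored.
rcconf_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# rcconf_set FILE KEY VALUE: rewrite every existing KEY= line or append one,
# so running it twice leaves the file unchanged. VALUE must not contain "/"
# or "&" (none of the values on this page do) because it goes into a sed
# replacement.
rcconf_set() {
    if grep -q "^[[:space:]]*$2=" "$1"; then
        tmp="$1.tmp.$$"
        sed "s/^[[:space:]]*$2=.*/$2=\"$3\"/" "$1" > "$tmp" && mv "$tmp" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# audit_rcconf FILE: print one OK / WRONG / MISSING line per wanted setting
# and return 1 if anything needs attention.
audit_rcconf() {
    report=$(printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        have=$(rcconf_get "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
        else
            case "|$want|" in
                *"|$have|"*) echo "OK $key=$have" ;;
                *) echo "WRONG $key=$have (want $want)" ;;
            esac
        fi
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q -v '^OK '
}

# apply_recommended FILE: set every wanted key to its first acceptable value.
apply_recommended() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        rcconf_set "$1" "$key" "${want%%|*}"
    done
}

# Constructed sample rc.conf, written to a scratch file: sendmail listening on
# all interfaces, portmap on, and the classic single "-s" instead of "-ss".
RCCONF=$(mktemp)
cat > "$RCCONF" <<'EOF'
# constructed sample rc.conf for the example above
hostname="desktop.example.org"
ifconfig_ed0="DHCP"
sendmail_enable="YES"
syslogd_enable="YES"
syslogd_flags="-s"
portmap_enable="YES"
EOF

echo "--- before ---"
audit_rcconf "$RCCONF" || echo "rc.conf needs attention"
apply_recommended "$RCCONF"
echo "--- after ---"
audit_rcconf "$RCCONF" && echo "rc.conf matches the recommendations"
rm -f "$RCCONF"
```

The audit deliberately treats syslogd_flags="-s" as WRONG rather than OK: a single -s only refuses remote log messages, and the page's point is that the second s is what stops syslogd from opening the port at all. Remember that tcp_drop_synfin also needs the TCP_DROP_SYNFIN kernel option, which a check of rc.conf alone cannot verify.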
