BSD DevCenter
oreilly.comSafari Books Online.Conferences.

advertisement


Securing FreeBSD
Pages: 1, 2

ICMP redirects can be used to launch a DOS attack, as explained in the ICMP redirect portion of this ARP and ICMP redirection games article.



Be very careful if you decide to include the icmp_log_redirect option, as it will log every ICMP redirect, which has the potential of filling up your logging directory if you ever are the victim of this type of attack.

When you built your firewall, you probably included this option:

log_in_vain="YES"

If you didn't, it is a good option to include, as it logs all attempts to closed ports.

An interesting option is:

accounting_enable="YES"

This will enable system accounting. If you're new to system accounting, read man sa and man lastcomm to decide whether this option would be useful to you or not.

Finally, this is a good option to include:

clear_tmp_enable="YES"

as it will clear /tmp at startup, which is always a good thing.

Let's leave /etc/rc.conf and see what else we can do to tighten up your system. I like to change the default algorithm used when encrypting a user's password to the Blowfish algorithm, as it provides the highest security at the greatest speed. Here is a quick comparison of algorithms.

Also, if you're interested in this sort of stuff, check out the Cryptogram newsletter written by the author of Blowfish.

To implement Blowfish hashes, edit /etc/login.conf and change the passwd_format line so that it looks like this:

:passwd_format=blf:\

Save your change, then rebuild the login database with this command:

cap_mkdb /etc/login.conf

You'll then have to change all of your user's passwords so they will get a new Blowfish hash. You can do this by typing:

passwd username

as the superuser. Whatever username you use, that will be the user whose password will be updated. Repeat for all of your users, including the root account.

Once you're finished, double-check that it worked and you didn't forget any users:

more /etc/master.passwd

All of the passwords for your users should begin with $2.

Finally, configure the adduser utility to use Blowfish whenever you create a new user by editing /etc/auth.conf. Change the crypt_default line so that it looks like this:

crypt_default=blf

You've probably noticed when you log in to your FreeBSD system that your login prompt reminds you that you are running FreeBSD. And that after you log in, you receive the FreeBSD copyright information, which is followed by the version of FreeBSD and the name of your kernel, and finally, a useful (but rather boring) motd which again reminds you that you are running FreeBSD. You probably already know what version of FreeBSD you are running and might not want to share that information with the rest of the world. And the motd is a good place to remind the rest of the world that they shouldn't be messing with your system anyways.

You can edit /etc/motd to say whatever suits your purposes, be it anything from your favorite sci-fi excerpt to all the nasty things that will happen to someone if they continue to try to log in to your system.

Next, to remove the copyright info:

touch /etc/COPYRIGHT

Then to change the text that appears at the login prompt, edit /etc/gettytab. Find the line in the default:\ section that starts with

:cb:ce:ck:lc

Carefully, change the text between \r\n\ \r\n\r\nr\n: to whatever text you wish to appear. Double-check that you have the right amount of \rs and \ns and save your change. For example, my login prompt looks like this:

I'm a node in cyberspace. Who are you?
login:

You can test your changes by going to another terminal and logging in.

Finally, even though you've edited your motd to remove your version and kernel information, by default FreeBSD will still re-add it to /etc/motd every time you log in. To prevent this behavior, add the following line to /etc/rc.conf:

update_motd="NO"

This change requires a reboot, so make sure you've first tested your previous changes and have saved all of your work on any other terminals.

There are a few edits that will also restrict logins to your system in the first place. Since these changes modify the behavior of the login program, you'll want to carefully test your changes. Keep one terminal open and go to another terminal to log out and ensure that you can still log in. If for some reason you're unable to log in (this shouldn't happen, but you can't be too careful), you can return to the other terminal and look for typos in the file you just edited.

No one (including you) should ever log in to your system using the root account. To prevent this from happening, edit /etc/ttys. Once you get past a page's worth of comments, you'll notice a section that goes from ttyv0 to ttyv8. Change the word secure on each of those lines to insecure. This is a file you don't want a typo in, so double-check your changes carefully. Test your change by trying to log in as root on one of your terminals. You should receive a "Login incorrect" message.

Personally, I tend to use all nine terminals on my desktop. If you don't, you can also change the word "on" to "off" on some of the ttys in /etc/ttys. Remember to leave at least one terminal "on," or else you won't be able to log in, which will severely hamper the usefulness of your system. You'll also note that ttyv8 is "off" by default, which means you have to manually start an X Window session. If you'd like X to start automatically at bootup, change that "off" to "on."

The last edit I'll mention in today's article allows you to restrict who can log in to your system and from where. This is done by editing /etc/login.access.

If you want to prevent all remote logins (meaning you can only log in if you are physically sitting at your system), remove the # from this line:

#-:wheel:ALL EXCEPT LOCAL .win.tue.nl

and remove the .win.tue.nl so that the line now looks like this:

-:wheel:ALL EXCEPT LOCAL

If you plan on accessing your system remotely, replace .win.tue.nl with the IP address(es) or hostname(s) of the system(s) you'll be logging in from. If there are multiple addresses, separate them with a single space.

If you have only one or two user accounts that you wish to be able to log in to your system, you can prevent all other logins like so:

-:ALL EXCEPT user1 user2:ttyv0 ttyv1 ttyv2 ttyv3 ttyv4

Replace user1 user2 with the names of the user accounts to which you wish to give access. Put in as many ttys as you wish to restrict.

Alternatively, you can place the users in a group and give login access to that group. This example adds the users genisis, biko, and dlavigne6 to a group called mygroup and allows only the members of that group to log in to my FreeBSD system. First, I'll edit /etc/group and carefully add this line:

mygroup:*:100:genisis,dlavigne6,biko

When you add your own group, make sure you use a GID (in my case, 100) that is not being used by any other lines in your /etc/group file.

Then, change /etc/login.access to:

-:ALL EXCEPT mygroup:ttyv0 ttyv1 ttyv2 ttyv3 ttyv4 ttyv5

It is very important you test this change. Leave one terminal logged in, just in case something goes wrong. Go to another terminal and try to log in as each of the users in your group. That should work. Then try to log in as another user; if need be, create a test account and try to log in as that test account. That login attempt should result in a "Permission denied" message.

That's all the space I have for this week. In the next article, I'll resume the archiving series by demonstrating the little-known but very handy pax utility.

If you've tried to email me lately, you've noticed that my address has changed. I can now be reached at dlavigne6@cogeco.ca.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.


Read more FreeBSD Basics columns.

Return to the BSD DevCenter.






Sponsored by: