Partition Setup:
================
/ <400MB>
/var <400MB>
/tmp <400MB>
/usr
/storage
FreeBSD Security Checklist, taken from www.sddi.net
Installation
[ ] separate slices for /, /usr/home(G), /var(MB), /storage(G) using the ufs2 fs
[ ] no inetd.conf or nfs, since portmap is not being used
[ ] no ntp, since rdate is being used
[ ] add /sysutils/rdate-1.0 & /security/chkrootkit-0.36
[ ] add non-privileged user account in wheel group
Users
[ ] vipw and remove toor user, rename Charlie&, change shells
[ ] in /etc/group, and add ssh:*:0:sshusergroup
This is to deny root the ability to ssh into the box
motd
[ ] cp /etc/motd /etc/motd.old
[ ] rm /etc/motd
[ ] touch /etc/motd
[ ] vi /etc/motd and create
whatever message you want to see when you or other users
log in to the box.
[ ] cp /etc/motd /etc/issue
/etc/ssh/sshd_config
[ ] port 22
I change my port to 2222 to prevent default scans from
triggering alerts to port 22.
[ ] protocol 2
[ ] #Hostkey /etc/ssh/ssh_host_key
[ ] PermitRootLogin no
[ ] MaxStartups 5:50:10
After 5 bad logins, refuse 50% of new ones and refuse more than
10 total
[ ] X11Forwarding no
Disabling X11 forwarding does not prevent users from forwarding
X11 traffic, as users can always install their own forwarders.
[ ] PrintLastLog yes
[ ] SyslogFacility auth
Sends log information to /var/log/auth
[ ] LogLevel VERBOSE
[ ] PasswordAuthentication no
[ ] Banner /etc/issue
[ ] AllowGroups sshusers
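As an added check (not part of the original checklist), the POSIX shell function below reads an sshd_config and reports each setting above that deviates from the list. The two configs embedded in it are constructed samples, and the first-match rule in sshd_value mirrors how sshd resolves a repeated keyword.

```shell
# Constructed sshd_config samples (not from any real host). The first still
# permits root and password logins; the second follows the checklist.
WEAK_CFG='Port 22
Protocol 2,1
PermitRootLogin yes
X11Forwarding yes
PasswordAuthentication yes
LogLevel VERBOSE
#Banner /etc/issue'

HARD_CFG='Port 2222
Protocol 2
PermitRootLogin no
MaxStartups 5:50:10
X11Forwarding no
LogLevel VERBOSE
PasswordAuthentication no
Banner /etc/issue
AllowGroups sshusers'

# sshd_value CONFIG KEYWORD -> effective value: the first uncommented
# match, which is how sshd resolves repeated keywords; empty if unset.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd CONFIG -> prints "FAIL keyword=actual (want expected)" for
# each deviation and returns the number of failures (0 = compliant).
audit_sshd() {
    cfg=$1
    fails=0
    while read -r key want; do
        got=$(sshd_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            printf 'FAIL %s=%s (want %s)\n' "$key" "${got:-<unset>}" "$want"
            fails=$((fails + 1))
        fi
    done <<EOF
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
Banner /etc/issue
AllowGroups sshusers
EOF
    return $fails
}
```

Run it against a live file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; a non-zero exit status means something on the list is off.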
/etc/ssh/ssh_config
[ ] ForwardAgent no
[ ] ForwardX11 no
[ ] PasswordAuthentication no
[ ] CheckHostIP yes
This allows ssh to detect if a host key changed due to DNS
spoofing.
[ ] Protocol 2
DSA Key Generation (as opposed to passwd)
[ ] su - {nonprivuser} as root
[ ] ssh-keygen -t dsa
[ ] accept the default ~/.ssh/id_dsa
[ ] enter the passphrase twice
[ ] cd .ssh
[ ] cat id_dsa.pub > authorized_keys2
[ ] copy key to floppy, and confirm
[ ] delete key from server
rc.conf
[ ] inetd_enable="NO"
[ ] syslogd_enable="YES"
[ ] syslogd_flags="-ss"
This keeps syslogd from opening UDP port 514, preventing remote
logging to and from the server.
[ ] icmp_drop_redirect="YES"
Drop ICMP redirect messages (this is not about pings)
[ ] icmp_log_redirect="YES"
[ ] clear_tmp_enable="YES"
Empty /tmp on boot
[ ] portmap_enable="NO"
If not running nfs
[ ] icmp_bmcastecho="NO"
Prevent springboarding & smurf attacks
[ ] fsck_y_enable="YES"
Run fsck -y if the initial preen of the filesystems fails.
-y assumes yes to all questions.
[ ] update_motd="NO"
We do not want to overwrite the message of the day on boot
[ ] tcp_drop_synfin="YES"
Drop TCP packets with both the SYN and FIN bits set.
[ ] log_in_vain="YES"
Log all attempts to access the box by a closed port.
[ ] sshd_enable="YES"
Run our sshd daemon on boot.
login.conf & auth.conf
[ ] vi /etc/login.conf
[ ] :passwd_format=blf: Change default password encryption from md5 to blowfish, an
algorithm yet to be broken.
[ ] :passwordtime=52d: Renew passwords every 52nd day
[ ] :mixpasswordcase=true:
[ ] :minpasswordlen=9:
[ ] :idletime=32: This can be annoying!
[ ] cap_mkdb /etc/login.conf
[ ] confirm with vipw that the password field starts with $2 for blowfish
[ ] confirm shells for users
[ ] vi /etc/auth.conf
[ ] crypt_default=blf
This makes blowfish the default algorithm for all new users added
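An added example, not from the original checklist, that performs the "confirm with vipw" and "remove toor" steps as a script over a constructed master.passwd excerpt (the hashes are placeholders shaped like real $2a$ and $1$ strings): it flags a surviving toor account, empty password fields, and any hash that is not Blowfish.

```shell
# Constructed /etc/master.passwd excerpt. Hashes are placeholders shaped like
# the real prefixes: $2a$ = Blowfish (bcrypt), $1$ = the older MD5 format.
MASTER_PASSWD='root:$2a$04$PLACEHOLDERrootHASH:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$2a$04$PLACEHOLDERaliceHASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$PLACEHOLDER$md5HASH:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol::1003:1003::0:0:Carol:/home/carol:/bin/sh'

# audit_master_passwd CONTENT -> one "user: finding" line per account that
# does not match the checklist; prints nothing when everything is in order.
# Fields: name:hash:uid:gid:class:change:expire:gecos:home:shell
audit_master_passwd() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "toor" { print $1 ": toor account still present (vipw and remove)"; next }
        $2 == ""     { print $1 ": empty password field"; next }
        $2 == "*"    { next }          # locked account, no hash to check
        substr($2, 1, 2) != "$2" {
            print $1 ": hash is not Blowfish (starts with " substr($2, 1, 3) ")"
        }'
}

# count_findings CONTENT -> number of findings, handy from cron
count_findings() {
    audit_master_passwd "$1" | grep -c .
}
```

On a real system feed it `"$(cat /etc/master.passwd)"` as root; the file is mode 600 for a reason, so do not copy it anywhere to run this.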
sysctl.conf
[ ] vi sysctl.conf
[ ] kern.ipc.shmmax=67108864
[ ] kern.ipc.shmall=32768
To further optimise performance: these enhance the shared-memory X11
interface, for which it is recommended that the values of some
sysctl(8) variables be increased.
[ ] net.inet.tcp.blackhole=2
[ ] net.inet.udp.blackhole=1
[ ] vfs.usermount=1
Allows for normal users to mount filesystems
[ ] hw.ata.atapi_dma=1
Enables DMA access for ATAPI devices.
[ ] kern.ps_showallprocs=0
Disallow normal users from viewing other users' processes.
[ ] net.inet.ip.forwarding=1
Enable IP Forwarding
[ ] net.inet.ip.check_interface=1
This verifies that an incoming packet arrives on an interface
that has an address matching the packet's destination address
[ ] net.inet.tcp.recvspace=65535
To enable high-performance data transfers; useful when
transferring files.
[ ] net.inet.tcp.sendspace=65535
[ ] kern.ipc.shm_allow_removed=1
For vmware
fstab
[ ] vi /etc/fstab
[ ] /tmp to rw,noexec
[ ] /usr/home to rw,nosuid,noexec
[ ] /floppy to rw,noauto,noexec,nosuid,nodev,noatime
[ ] /cdrom to ro,noauto
cvsup
[ ] vi /etc/make.conf
...
crontab
[ ] chmod 600 /etc/crontab
[ ] touch /var/cron/allow and add users who can change cron jobs
[ ] chmod 600 /var/cron/deny
[ ] vi /var/cron/deny and add users to disallow
[ ] add 0 2 * * * root /usr/libexec/locate.updatedb
[ ] add 0 2 * * * root /usr/local/sbin/rdate {ntpserver}
[ ] add 1 3 * * * root /usr/local/sbin/chkrootkit
Kernel Changes /usr/src/sys/i386/conf/{kernelname}
[ ] #pseudo-device bpf
[ ] options SC_NO_HISTORY
[ ] options SC_DISABLE_REBOOT
[ ] options SC_DISABLE_DDBKEY
[ ] options TCP_DROP_SYNFIN
[ ] options RANDOM_IP_ID
[ ] options ICMP_BANDLIM
[ ] confirm settings in /usr/src/sys/i386/conf/LINT
[ ] rebuild kernel and reboot
making world
[ ]
... Dave, do your magic
File Permissions
[ ] chmod 700 /root
[ ] chmod 600 /etc/syslog.conf
[ ] chmod 600 /etc/rc.conf
[ ] chmod 600 /etc/newsyslog.conf
[ ] chmod 600 /etc/hosts.allow
[ ] chmod 600 /etc/login.conf
[ ] chmod 700 /usr/home/*
Network Time Protocol
[ ] restrict default ignore
TCP Wrappers
vi /etc/hosts.allow
[ ] sshd : localhost : allow
[ ] sshd : x.x.x.x, x.x.x.x : allow
[ ] sshd : all : deny
[ ] ftpd : ALL : deny and so on for unused services
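Because hosts_access(5) takes the first matching rule, the order of the sshd lines above matters: a deny line placed before the allow lines locks everyone out. This added example (not from the original page) models that first-match evaluation for the simple patterns used here, with 192.0.2.x as constructed stand-ins for the x.x.x.x addresses. It only understands literal IPs, localhost and ALL, not the netmask or domain patterns the real library supports.

```shell
# Constructed /etc/hosts.allow following the checklist's rules, with the
# elided x.x.x.x addresses replaced by example addresses.
HOSTS_ALLOW='sshd : localhost : allow
sshd : 192.0.2.10, 192.0.2.11 : allow
sshd : all : deny
ftpd : ALL : deny'

# The same intent with the deny line first: the allow line is never reached.
HOSTS_ALLOW_BAD='sshd : all : deny
sshd : 192.0.2.10 : allow'

# wrap_decision RULES DAEMON CLIENT -> allow | deny
# Simplified model of hosts_access(5): rules are "daemons : clients : verdict",
# evaluated top to bottom, first match wins; no match at all grants access,
# as tcpd does when neither hosts.allow nor hosts.deny has an opinion.
wrap_decision() {
    printf '%s\n' "$1" | awk -F' *: *' -v daemon="$2" -v client="$3" '
        # does the comma-separated list contain item? (all = wildcard,
        # localhost = loopback, anything else compared literally)
        function in_list(list, item,    n, i, parts, p) {
            n = split(list, parts, / *, */)
            for (i = 1; i <= n; i++) {
                p = tolower(parts[i])
                if (p == "all" || p == tolower(item)) return 1
                if (p == "localhost" && item == "127.0.0.1") return 1
            }
            return 0
        }
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        in_list($1, daemon) && in_list($2, client) {
            # third field is the verdict; an absent one means allow
            verdict = ($3 == "" ? "allow" : tolower($3))
            exit                                  # first match wins
        }
        END { print (verdict == "" ? "allow" : verdict) }'
}
```

Note that a daemon with no rule at all (telnetd in the sample) is allowed, which is why the checklist adds an explicit deny line for every unused service.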
Console Access
[ ] vi /etc/ttys
[ ] first line: console none unknown off insecure
[ ] on insecure for each tty
Bash Shell
[ ] vi /usr/share/skel/.bash_logout
[ ] clear
chflags
[ ] list files to sappnd & schg
Clean-up
[ ] sockstat -4
[ ] tcpdump -xX