book

Mastering FreeBSD and OpenBSD Security

by Paco Hope, Bruce Potter, Yanek Korff

March 2005

Beginner to intermediate

464 pages

17h 6m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Mastering FreeBSD and OpenBSD Security
Preface
AudienceAssumptions This Book MakesContents of This BookPart I: Security FoundationPart II: Deployment SituationsPart III: Auditing and Incident ResponseConventions Used in This BookTypographic ConventionsConventions in ExamplesUsing Code ExamplesComments and QuestionsSafari EnabledAcknowledgmentsYanek KorffPaco HopeBruce PotterOur ReviewersO’Reilly
I. Security Foundation
1. The Big Picture
What Is System Security?ConfidentialityIntegrityAvailabilitySummaryIdentifying RisksAttacksProblems in SoftwareBuffer overflowsSQL injectionOther software problemsProtecting yourselfDenial of Service AttacksTarget: physicalTarget: networkTarget: applicationProtecting yourselfImproper Configuration and UseSloppy application configurationProtecting yourselfAccounts and permissionsPasswords and other account problemsNetwork Versus Local AttacksPhysical SecuritySummaryResponding to RiskHow Much Security?Risk and consequenceSecurity versus functionalityChoosing the Right ResponseMitigate riskAccept riskTransfer riskSecurity Process and PrinciplesInitial ConfigurationOngoing MaintenanceAuditing and Incident ResponseSystem Security PrinciplesApply Security EvenlyPractice Defense in DepthFail SafeEnforce Least PrivilegeSegregate ServicesSimplifyUse Security Through Obscurity WiselyDoubt by DefaultStay Up to DateWrapping UpResourcesGeneral Security ResourcesGeneral Security-Related Request for Comments (RFCs)
2. BSD Security Building Blocks
Filesystem ProtectionsOverviewUFS Filesystem FlagsManipulating flagsSystem immutable flag (schg)User immutable flag (uchg)Nodump flag (nodump)System append-only flag (sappnd)User append-only flag (uappnd)System no unlink flag (sunlnk)User no unlink flag (uunlnk)Opaque flag (opaque)Archived flag (arch)Common Uses of FlagsCandidates for system immutableCandidates for append-onlyFinding files with flagsPOSIX Access Control Lists (FreeBSD Only)Enabling ACLsACLs in /etc/fstabACLs in the superblockManaging ACLsTweaking a Running Kernel: sysctlSetting sysctl ValuesKernel Security LevelLevel -1: “permanently insecure”Level 0: transitional security levelLevel 1: improved operational securityLevel 2: high securityLevel 3: network securitySetting the securelevel for FreeBSDSetting the securelevel for OpenBSDThoughts on using securelevelOther Security-Related Kernel VariablesRandom PIDsControlling core dumpsReducing visibility in the networkDropping “synfins”The Basic Sandbox: chrootCreating a chroot EnvironmentAn Example: chrooting ntpdFinding Other DependenciesSorting through kdump’s outputMaking device nodesLimitations of chrootJail: Beyond chrootNew LimitationsLimited process interactionLimited access to network resourcesDevices and mknodCreating Jail EnvironmentsBuilding jails from sourceInstalling from a distribution CDLaunching JailsFat jails as virtual machinesJail security optionsManaging jailsInstalling Software in JailMake a builder jailInstall from binary packageGetting custom software installed in a jailNFS-Based JailsCreating a single NFS master jailInherent ProtectionsFighting Buffer OverflowsW^X memory protectionProPolice stack protectionCryptographyCode ReviewOS Tuningmaxusers: Basic InfluenceIncreasing Maximum ValuesNetwork BufferingWrapping UpResources
3. Secure Installation and Hardening
General ConcernsWhat Are You Building?WorkstationWorkgroup serverInfrastructure serverMultipurpose systemMedia and NetworkTo be networked or not to be networkedMedia verificationPreexisting VulnerabilitiesSlicing Up Your FilesystemXFree86Users and PasswordsSummaryInstalling FreeBSDPreparing the DiskChoosing Distribution SetsPost-Installation ConfigurationBasic network configurationNetwork gatewayinetdsshdSecurity profile (FreeBSD 4.x only)Anonymous FTPNFSTime zoneLinux compatibilityXFree86PackagesFinishing up the installFreeBSD Hardening: Your First StepsStep 1: Configure sudoStep 2: Turn Off Unnecessary ServicesStep 3: Update Your SystemGetting the latest sourcesKernel configurationYour first upgradeStep 4: Wrapping UpInstalling OpenBSDPreparing the DiskConfiguring Your NetworkChoosing Your Distribution SetsActivating sshdAn Innocuous Question About XFinishing UpOpenBSD Hardening: Your First StepsStep 1: Create a UserStep 2: Configure sudoStep 3: Turn Off Unnecessary ServicessshdinetdSendmailStep 4: Update Your SystemStep 5: Wrapping UpPost-Upgrade HardeningConfigure Users and GroupsToor (FreeBSD only)Adjust Mount OptionsLock Down sshdPassword authenticationPublic key authenticationChallenge response authenticationConfigure Basic LoggingCreate Login BannersConfigure NTPTune Your KernelSet File FlagsLocal SecurityOn the screenAdjust /etc/ttysWrapping UpResourcesFreeBSDOpenBSD
4. Secure Administration Techniques
Access ControlControlling User AccessUsing a catchall primary groupProject-based or role-based primary groupsPer-user groupsLogin classesumasksThe danger of ACLs (FreeBSD only)Controlling Administrator AccessDisable and avoid clear-text accessConnect using SSHPrivileged access using sshGeneral sudo ConfigurationAvoid dangerous commandsUse explicit pathsBe very specificUse NOPASSWD sparinglyBe realisticComparing sudo and suSafeguard the Root PasswordSecurity in Everyday TasksInstalling SoftwarePorts and packagesPorts ownershipPorts and base conflictsMultiple versions installed (FreeBSD only)Change ControlTracking ChangesData RecoveryData completenessData confidentialityData retentionFilesystem accessNetwork accessUpgradingPatching OnlyTracking BranchesTracking OpenBSD branchesTracking FreeBSD branchesSecurity Vulnerability ResponseKeeping AbreastSecurity Advisory ResponseCategorizationSeverity assessmentResponse planning and executionNetwork Service Securityinetd and tcpwrappersNetwork File SystemImplicit UID and GID trustNFS export controlNFS network restrictionsNetwork Information ServicesPassword format compatibilityEncrypted password exposureLimiting access to NIS mapsOn the client sideWhen is NIS right for you?Secure File Distribution Using scpInitial setupPushing files with passphrase authenticationPushing files without passphrase authenticationAn scp alternativeWrapping upThe Importance of Time (NTP)SecurityArchitectureMonitoring System HealthNagiosInstallationConfigurationInstalling NRPEConfiguring Nagios with NRPEFine-tuningWrapping upWrapping UpResourcesOperating SystemSystem MonitoringGeneral Security
II. Deployment Situations
5. Creating a Secure DNS Server
The Criticality of DNSTechnical Risks Related to DNSVulnerabilities in DNS softwareZone misconfigurationsMissing zone informationRisks Related to DNS and MailRisks Related to DNS AttacksCache poisoningDNS spoofingRegistration hijackingResponding to DNS-Based RisksLimit recursionLimit zone transfersMaintain your own zonesRun secure, organization-wide recursion serversSeparate caches from authoritative serversSummaryDNS SoftwareBIND 9djbdnsTypical ArchitectureBIND Versus djbdnsOne process or many?Zone maintenanceDynamic updatesIncremental zone transfers and notifyRemote controlSummaryInstalling BINDFreeBSDInstalling djbdnsPreliminariesLocating zone dataDaemontoolsucspi-tcpFreeBSDInstalling on OpenBSD via sourceInstalling on OpenBSD via unofficial portsOperating BINDRunning BIND in chrootMake a filesystemLaunch BIND from /etc/rc.confConfiguration IdeasSecurity restrictionsLoggingUsing includes to separate permissionsManaging BINDTransaction Signatures (TSIG)Cautions about using TSIGPractical uses for TSIGOperating djbdnsRunning tinydnsRoutine MaintenanceThe tinydns data fileLoad balancingNaming nameserversWrapping UpResourcesBIND Resourcesdjbdns ResourcesSelected DNS-Related Requests for Comments (RFCs)
6. Building Secure Mail Servers
Mail Server AttacksOperating System Level AttacksIllegitimate Mail RelayingUnwanted MailMail ArchitectureProtect the Operating SystemAvoid Being an Open RelayStop Unwanted MailContent filtering with SpamAssassinArbitrary content filteringDNS real-time blacklists (RBLs)Mail and DNSSecurity ImplicationsSMTPEnvelope Versus HeaderSecurity ImplicationsSMTP AUTH via SASLTLSSPFMessage integrity, privacy, and non-repudiationMail Server ConfigurationsNull ClientInternal Mail ServerMail RelayExternal Mail ServerSendmailInstallation and ConfigurationRoot BackgroundThe Configuration FilesOverall Sendmail SecurityFile and directory permissionsBeware recipient programsSecurity-Related Configuration OptionsArbitrary program restrictionDon’t blame SendmailMasquerade your domainObfuscate greetingPermissions of transient filesPrivacy optionsRunning sendmail as nonprivileged usersSafe file environmentTrusted userTrusted usersLimiting Denial of Service AttacksBlocking Unwanted MailAccess databaseDNS blacklistsMiltersArbitrary content filteringVirus protectionAuthentication and EncryptionInstalling Sendmail+SASL+TLS on FreeBSDInstalling Sendmail+SASL+TLS on OpenBSDConfiguring Sendmail with SASL+TLSPostfixInstallation and Configuration: FreeBSDInstallation and Configuration: OpenBSDPostfix Security FoundationDo one thing, do it wellUnderstanding loggingChrootConfiguration filesSecurity-Related Configuration OptionsArbitrary program restrictionMasquerade your domainObfuscate smtpd bannerDisable unneeded commandsLimiting Denial of Service AttacksBlocking Unwanted MailAccess tableArbitrary content filteringDNS blacklistsVirus protectionAuthentication and EncryptionVerifying Postfix+SASL+TLS installationConfiguring Postfix with SASL+TLSqmailMail AccessGuidelines for Securing Mail Access—InternallyGuidelines for Securing Mail Access—ExternallyVirtual private networks (VPN)WebmailWrapping UpResourcesMTA SoftwareSpam Defense and AntivirusSMTP SecurityMail Access SoftwareSelected Mail-Related Request for Comments (RFCs)

7. Building a Secure Web Server
Web Server AttacksWhy You CareSpecific Threats to Web ServersFile and data disclosureArbitrary program executionApplication abuseWeb ArchitectureServer Software ChoicesApacheInstalling ApacheFreeBSDMakefile optionsRecording your use of Apache 2OpenBSDConfigure parametersConfiguring ApacheUser overridesProtecting critical filesResisting denial of serviceModule Overviewmod_cgimod_phpPHP and permissionsmod_php Apache configurationPHP configurationmod_perlmod_includemod_davmod_autoindexmod_info and mod_statusmod_userdirApache Best PracticesEnable only modules you needMinimize information leaksAlways separate HTML and CGI locationsProtect sensitive configuration filesRun CGI programs as normal userscgiwrapmod_suexecSummaryEncrypting Web TrafficSSL and certificatesEnabling SSLSSL, TLS, and cipher choiceRestricting ciphers at the serverCPU usagethttpdInstalling thttpdConfiguring thttpdResisting Denial of ServiceAdvanced Web Servers with JailsUsing Jail or ChrootHow many instances?Building and installing into a jailFinding and adding support filesLaunching httpd in chroot(8) on OpenBSD or FreeBSDLaunching httpd in jail(8) on FreeBSDA Two-Tiered ArchitectureConfigure the internal jailsConfiguring the external jailJail versus chrootAdvantages and DisadvantagesUltimate separationPerformanceModularityWrapping UpResourcesApache Resourcesthttpd ResourcesGeneral ResourcesSelected Web-Related RFCs
8. Firewalls
Firewall ArchitecturesBump in the WireDMZSpiderTransparentHostHigh AvailabilityHost LockdownThe Options: IPFW Versus PFIPFWPFDifferencesBasic IPFW ConfigurationKernel ConfigurationStartup ConfigurationFirewall ConfigurationOptional argumentsRequired argumentsUsing the FirewallBasic PF ConfigurationKernel and Startup ConfigurationPF in FreeBSDFirewall ConfigurationUsing the FirewallLoggingHandling FailureCARPCARP ConfigurationpfsyncWrapping UpResources
9. Intrusion Detection
No Magic BulletsMonitoring an IDSResponding to IDS EventsIDS ArchitecturesHost-Based IDSNetwork-Based IDSLog Analysis Versus IDSHoneypots Versus IDSIntrusion Prevention SystemsNIDS on BSDSnortSensor HardwareHost LockdownInstalling and Configuring SnortContaining SnortStoring Events in Flat FilesStoring Events in MySQLSnort with PFACIDInstalling ACIDConfiguring ACIDRunning ACIDHIDS on BSDOsirisInstalling and Configuring OsirisRunning OsirisWrapping UpResources
III. Auditing and Incident Response
10. Managing the Audit Trails
System LoggingLogging via syslogdsyslog.conf ConfigurationSyslog FacilitiesSyslog LevelsProgram and Hostname MatchingSyslog ActionsDebugging syslogdRunning syslogdAdditional socketssyslogd on FreeBSDsyslogd on OpenBSDsyslogd DrawbacksLack of access controlLack of reliabilityLack of integrity or confidentialityMonolithicsyslogd Replacementssyslog-ngminirsyslogdmsyslogCapturing LogsSecuring a LoghostBenefits of a LoghostLoghost System SecuritySyslog RelaySyslog relay configurationConclusionlogfile Managementnewsyslog OverviewConfiguring Log RotationSecuring logfilesAutomated Log MonitoringAutomated Auditing Using logcheckInstallationConfigurationDrawbacksAutomated Auditing Using swatchInstallationConfigurationRunning swatchCatching new messagesOngoing MonitoringAutomated Auditing ScriptsOpenBSD’s Security ScriptFreeBSD’s Periodic ScriptsWrapping UpResourcesLogging ToolsSecure Transport Providers for LoggingLog MonitoringSelected Logging-Related Request for Comments (RFCs)
11. Incident Response and Forensics
Incident ResponsePreparationIdentifying resourcesTraining staffCreation of document templatesBuilding your bag of tricksIncident DetectionIncident AssessmentResponsePostmortem AnalysisForensics on BSDHow Serious Are You?Online and Offline AnalysisThings to Look ForChanged filesAdded usersStrange directoriesUnknown processes and LKMsKnown rootkits and hacker toolsDigging Deeper with the Sleuth KitHistory of the Sleuth KitInstalling and Understanding TSKUsing TSKAutopsyWrapping UpResources
Index
About the Authors
Colophon
Copyright

Overview

FreeBSD and OpenBSD are increasingly gaining traction in educational institutions, non-profits, and corporations worldwide because they provide significant security advantages over Linux. Although a lot can be said for the robustness, clean organization, and stability of the BSD operating systems, security is one of the main reasons system administrators use these two platforms.There are plenty of books to help you get a FreeBSD or OpenBSD system off the ground, and all of them touch on security to some extent, usually dedicating a chapter to the subject. But, as security is commonly named as the key concern for today's system administrators, a single chapter on the subject can't provide the depth of information you need to keep your systems secure.FreeBSD and OpenBSD are rife with security "building blocks" that you can put to use, and Mastering FreeBSD and OpenBSD Security shows you how. Both operating systems have kernel options and filesystem features that go well beyond traditional Unix permissions and controls. This power and flexibility is valuable, but the colossal range of possibilities need to be tackled one step at a time. This book walks you through the installation of a hardened operating system, the installation and configuration of critical services, and ongoing maintenance of your FreeBSD and OpenBSD systems.Using an application-specific approach that builds on your existing knowledge, the book provides sound technical information on FreeBSD and Open-BSD security with plenty of real-world examples to help you configure and deploy a secure system. By imparting a solid technical foundation as well as practical know-how, it enables administrators to push their server's security to the next level. Even administrators in other environments--like Linux and Solaris--can find useful paradigms to emulate.Written by security professionals with two decades of operating system experience, Mastering FreeBSD and OpenBSD Security features broad and deep explanations of how how to secure your most critical systems. Where other books on BSD systems help you achieve functionality, this book will help you more thoroughly secure your deployments.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0596006268Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills