book

Mastering FreeBSD and OpenBSD Security

by Paco Hope, Bruce Potter, Yanek Korff

March 2005

Beginner to intermediate

464 pages

17h 6m

English

O'Reilly Media, Inc.

Read now

Unlock full access

AudienceAssumptions This Book MakesContents of This BookPart I: Security FoundationPart II: Deployment SituationsPart III: Auditing and Incident ResponseConventions Used in This BookTypographic ConventionsConventions in ExamplesUsing Code ExamplesComments and QuestionsSafari EnabledAcknowledgmentsYanek KorffPaco HopeBruce PotterOur ReviewersO’Reilly
What Is System Security?ConfidentialityIntegrityAvailabilitySummaryIdentifying RisksAttacksProblems in SoftwareBuffer overflowsSQL injectionOther software problemsProtecting yourselfDenial of Service AttacksTarget: physicalTarget: networkTarget: applicationProtecting yourselfImproper Configuration and UseSloppy application configurationProtecting yourselfAccounts and permissionsPasswords and other account problemsNetwork Versus Local AttacksPhysical SecuritySummaryResponding to RiskHow Much Security?Risk and consequenceSecurity versus functionalityChoosing the Right ResponseMitigate riskAccept riskTransfer riskSecurity Process and PrinciplesInitial ConfigurationOngoing MaintenanceAuditing and Incident ResponseSystem Security PrinciplesApply Security EvenlyPractice Defense in DepthFail SafeEnforce Least PrivilegeSegregate ServicesSimplifyUse Security Through Obscurity WiselyDoubt by DefaultStay Up to DateWrapping UpResourcesGeneral Security ResourcesGeneral Security-Related Request for Comments (RFCs)
Filesystem ProtectionsOverviewUFS Filesystem FlagsManipulating flagsSystem immutable flag (schg)User immutable flag (uchg)Nodump flag (nodump)System append-only flag (sappnd)User append-only flag (uappnd)System no unlink flag (sunlnk)User no unlink flag (uunlnk)Opaque flag (opaque)Archived flag (arch)Common Uses of FlagsCandidates for system immutableCandidates for append-onlyFinding files with flagsPOSIX Access Control Lists (FreeBSD Only)Enabling ACLsACLs in /etc/fstabACLs in the superblockManaging ACLsTweaking a Running Kernel: sysctlSetting sysctl ValuesKernel Security LevelLevel -1: “permanently insecure”Level 0: transitional security levelLevel 1: improved operational securityLevel 2: high securityLevel 3: network securitySetting the securelevel for FreeBSDSetting the securelevel for OpenBSDThoughts on using securelevelOther Security-Related Kernel VariablesRandom PIDsControlling core dumpsReducing visibility in the networkDropping “synfins”The Basic Sandbox: chrootCreating a chroot EnvironmentAn Example: chrooting ntpdFinding Other DependenciesSorting through kdump’s outputMaking device nodesLimitations of chrootJail: Beyond chrootNew LimitationsLimited process interactionLimited access to network resourcesDevices and mknodCreating Jail EnvironmentsBuilding jails from sourceInstalling from a distribution CDLaunching JailsFat jails as virtual machinesJail security optionsManaging jailsInstalling Software in JailMake a builder jailInstall from binary packageGetting custom software installed in a jailNFS-Based JailsCreating a single NFS master jailInherent ProtectionsFighting Buffer OverflowsW^X memory protectionProPolice stack protectionCryptographyCode ReviewOS Tuningmaxusers: Basic InfluenceIncreasing Maximum ValuesNetwork BufferingWrapping UpResources
General ConcernsWhat Are You Building?WorkstationWorkgroup serverInfrastructure serverMultipurpose systemMedia and NetworkTo be networked or not to be networkedMedia verificationPreexisting VulnerabilitiesSlicing Up Your FilesystemXFree86Users and PasswordsSummaryInstalling FreeBSDPreparing the DiskChoosing Distribution SetsPost-Installation ConfigurationBasic network configurationNetwork gatewayinetdsshdSecurity profile (FreeBSD 4.x only)Anonymous FTPNFSTime zoneLinux compatibilityXFree86PackagesFinishing up the installFreeBSD Hardening: Your First StepsStep 1: Configure sudoStep 2: Turn Off Unnecessary ServicesStep 3: Update Your SystemGetting the latest sourcesKernel configurationYour first upgradeStep 4: Wrapping UpInstalling OpenBSDPreparing the DiskConfiguring Your NetworkChoosing Your Distribution SetsActivating sshdAn Innocuous Question About XFinishing UpOpenBSD Hardening: Your First StepsStep 1: Create a UserStep 2: Configure sudoStep 3: Turn Off Unnecessary ServicessshdinetdSendmailStep 4: Update Your SystemStep 5: Wrapping UpPost-Upgrade HardeningConfigure Users and GroupsToor (FreeBSD only)Adjust Mount OptionsLock Down sshdPassword authenticationPublic key authenticationChallenge response authenticationConfigure Basic LoggingCreate Login BannersConfigure NTPTune Your KernelSet File FlagsLocal SecurityOn the screenAdjust /etc/ttysWrapping UpResourcesFreeBSDOpenBSD
Access ControlControlling User AccessUsing a catchall primary groupProject-based or role-based primary groupsPer-user groupsLogin classesumasksThe danger of ACLs (FreeBSD only)Controlling Administrator AccessDisable and avoid clear-text accessConnect using SSHPrivileged access using sshGeneral sudo ConfigurationAvoid dangerous commandsUse explicit pathsBe very specificUse NOPASSWD sparinglyBe realisticComparing sudo and suSafeguard the Root PasswordSecurity in Everyday TasksInstalling SoftwarePorts and packagesPorts ownershipPorts and base conflictsMultiple versions installed (FreeBSD only)Change ControlTracking ChangesData RecoveryData completenessData confidentialityData retentionFilesystem accessNetwork accessUpgradingPatching OnlyTracking BranchesTracking OpenBSD branchesTracking FreeBSD branchesSecurity Vulnerability ResponseKeeping AbreastSecurity Advisory ResponseCategorizationSeverity assessmentResponse planning and executionNetwork Service Securityinetd and tcpwrappersNetwork File SystemImplicit UID and GID trustNFS export controlNFS network restrictionsNetwork Information ServicesPassword format compatibilityEncrypted password exposureLimiting access to NIS mapsOn the client sideWhen is NIS right for you?Secure File Distribution Using scpInitial setupPushing files with passphrase authenticationPushing files without passphrase authenticationAn scp alternativeWrapping upThe Importance of Time (NTP)SecurityArchitectureMonitoring System HealthNagiosInstallationConfigurationInstalling NRPEConfiguring Nagios with NRPEFine-tuningWrapping upWrapping UpResourcesOperating SystemSystem MonitoringGeneral Security
The Criticality of DNSTechnical Risks Related to DNSVulnerabilities in DNS softwareZone misconfigurationsMissing zone informationRisks Related to DNS and MailRisks Related to DNS AttacksCache poisoningDNS spoofingRegistration hijackingResponding to DNS-Based RisksLimit recursionLimit zone transfersMaintain your own zonesRun secure, organization-wide recursion serversSeparate caches from authoritative serversSummaryDNS SoftwareBIND 9djbdnsTypical ArchitectureBIND Versus djbdnsOne process or many?Zone maintenanceDynamic updatesIncremental zone transfers and notifyRemote controlSummaryInstalling BINDFreeBSDInstalling djbdnsPreliminariesLocating zone dataDaemontoolsucspi-tcpFreeBSDInstalling on OpenBSD via sourceInstalling on OpenBSD via unofficial portsOperating BINDRunning BIND in chrootMake a filesystemLaunch BIND from /etc/rc.confConfiguration IdeasSecurity restrictionsLoggingUsing includes to separate permissionsManaging BINDTransaction Signatures (TSIG)Cautions about using TSIGPractical uses for TSIGOperating djbdnsRunning tinydnsRoutine MaintenanceThe tinydns data fileLoad balancingNaming nameserversWrapping UpResourcesBIND Resourcesdjbdns ResourcesSelected DNS-Related Requests for Comments (RFCs)
Mail Server AttacksOperating System Level AttacksIllegitimate Mail RelayingUnwanted MailMail ArchitectureProtect the Operating SystemAvoid Being an Open RelayStop Unwanted MailContent filtering with SpamAssassinArbitrary content filteringDNS real-time blacklists (RBLs)Mail and DNSSecurity ImplicationsSMTPEnvelope Versus HeaderSecurity ImplicationsSMTP AUTH via SASLTLSSPFMessage integrity, privacy, and non-repudiationMail Server ConfigurationsNull ClientInternal Mail ServerMail RelayExternal Mail ServerSendmailInstallation and ConfigurationRoot BackgroundThe Configuration FilesOverall Sendmail SecurityFile and directory permissionsBeware recipient programsSecurity-Related Configuration OptionsArbitrary program restrictionDon’t blame SendmailMasquerade your domainObfuscate greetingPermissions of transient filesPrivacy optionsRunning sendmail as nonprivileged usersSafe file environmentTrusted userTrusted usersLimiting Denial of Service AttacksBlocking Unwanted MailAccess databaseDNS blacklistsMiltersArbitrary content filteringVirus protectionAuthentication and EncryptionInstalling Sendmail+SASL+TLS on FreeBSDInstalling Sendmail+SASL+TLS on OpenBSDConfiguring Sendmail with SASL+TLSPostfixInstallation and Configuration: FreeBSDInstallation and Configuration: OpenBSDPostfix Security FoundationDo one thing, do it wellUnderstanding loggingChrootConfiguration filesSecurity-Related Configuration OptionsArbitrary program restrictionMasquerade your domainObfuscate smtpd bannerDisable unneeded commandsLimiting Denial of Service AttacksBlocking Unwanted MailAccess tableArbitrary content filteringDNS blacklistsVirus protectionAuthentication and EncryptionVerifying Postfix+SASL+TLS installationConfiguring Postfix with SASL+TLSqmailMail AccessGuidelines for Securing Mail Access—InternallyGuidelines for Securing Mail Access—ExternallyVirtual private networks (VPN)WebmailWrapping UpResourcesMTA SoftwareSpam Defense and AntivirusSMTP SecurityMail Access SoftwareSelected Mail-Related Request for Comments (RFCs)

Web Server AttacksWhy You CareSpecific Threats to Web ServersFile and data disclosureArbitrary program executionApplication abuseWeb ArchitectureServer Software ChoicesApacheInstalling ApacheFreeBSDMakefile optionsRecording your use of Apache 2OpenBSDConfigure parametersConfiguring ApacheUser overridesProtecting critical filesResisting denial of serviceModule Overviewmod_cgimod_phpPHP and permissionsmod_php Apache configurationPHP configurationmod_perlmod_includemod_davmod_autoindexmod_info and mod_statusmod_userdirApache Best PracticesEnable only modules you needMinimize information leaksAlways separate HTML and CGI locationsProtect sensitive configuration filesRun CGI programs as normal userscgiwrapmod_suexecSummaryEncrypting Web TrafficSSL and certificatesEnabling SSLSSL, TLS, and cipher choiceRestricting ciphers at the serverCPU usagethttpdInstalling thttpdConfiguring thttpdResisting Denial of ServiceAdvanced Web Servers with JailsUsing Jail or ChrootHow many instances?Building and installing into a jailFinding and adding support filesLaunching httpd in chroot(8) on OpenBSD or FreeBSDLaunching httpd in jail(8) on FreeBSDA Two-Tiered ArchitectureConfigure the internal jailsConfiguring the external jailJail versus chrootAdvantages and DisadvantagesUltimate separationPerformanceModularityWrapping UpResourcesApache Resourcesthttpd ResourcesGeneral ResourcesSelected Web-Related RFCs
Firewall ArchitecturesBump in the WireDMZSpiderTransparentHostHigh AvailabilityHost LockdownThe Options: IPFW Versus PFIPFWPFDifferencesBasic IPFW ConfigurationKernel ConfigurationStartup ConfigurationFirewall ConfigurationOptional argumentsRequired argumentsUsing the FirewallBasic PF ConfigurationKernel and Startup ConfigurationPF in FreeBSDFirewall ConfigurationUsing the FirewallLoggingHandling FailureCARPCARP ConfigurationpfsyncWrapping UpResources
No Magic BulletsMonitoring an IDSResponding to IDS EventsIDS ArchitecturesHost-Based IDSNetwork-Based IDSLog Analysis Versus IDSHoneypots Versus IDSIntrusion Prevention SystemsNIDS on BSDSnortSensor HardwareHost LockdownInstalling and Configuring SnortContaining SnortStoring Events in Flat FilesStoring Events in MySQLSnort with PFACIDInstalling ACIDConfiguring ACIDRunning ACIDHIDS on BSDOsirisInstalling and Configuring OsirisRunning OsirisWrapping UpResources
System LoggingLogging via syslogdsyslog.conf ConfigurationSyslog FacilitiesSyslog LevelsProgram and Hostname MatchingSyslog ActionsDebugging syslogdRunning syslogdAdditional socketssyslogd on FreeBSDsyslogd on OpenBSDsyslogd DrawbacksLack of access controlLack of reliabilityLack of integrity or confidentialityMonolithicsyslogd Replacementssyslog-ngminirsyslogdmsyslogCapturing LogsSecuring a LoghostBenefits of a LoghostLoghost System SecuritySyslog RelaySyslog relay configurationConclusionlogfile Managementnewsyslog OverviewConfiguring Log RotationSecuring logfilesAutomated Log MonitoringAutomated Auditing Using logcheckInstallationConfigurationDrawbacksAutomated Auditing Using swatchInstallationConfigurationRunning swatchCatching new messagesOngoing MonitoringAutomated Auditing ScriptsOpenBSD’s Security ScriptFreeBSD’s Periodic ScriptsWrapping UpResourcesLogging ToolsSecure Transport Providers for LoggingLog MonitoringSelected Logging-Related Request for Comments (RFCs)
Incident ResponsePreparationIdentifying resourcesTraining staffCreation of document templatesBuilding your bag of tricksIncident DetectionIncident AssessmentResponsePostmortem AnalysisForensics on BSDHow Serious Are You?Online and Offline AnalysisThings to Look ForChanged filesAdded usersStrange directoriesUnknown processes and LKMsKnown rootkits and hacker toolsDigging Deeper with the Sleuth KitHistory of the Sleuth KitInstalling and Understanding TSKUsing TSKAutopsyWrapping UpResources

Content preview from Mastering FreeBSD and OpenBSD Security

Chapter 3. Secure Installation and Hardening

So the combination is one, two, three, four, five. That’s the stupidest combination I’ve ever heard in my life. That’s the kinda thing an idiot would have on his luggage.

—Dark Helmet Spaceballs

Securing a system doesn’t necessarily begin with a running system. Given the option, it’s a good idea to start thinking about system security early on: before and during installation. In this chapter, we step through the installation process for both OpenBSD and FreeBSD and address some of the security implications of your early decisions.

Tip

If you are not comfortable with the install process for either operating system, now is the perfect time to read the relevant documentation. For FreeBSD, read Chapter 2 of the Handbook. For OpenBSD, see section 4 of the FAQ. If you have not signed up for the FreeBSD and OpenBSD security lists, do so immediately. Links to these lists are available in Section 3.8 at the end of this chapter.

Throughout this chapter we will be following the fundamental security principles laid out in Chapter 1 of this book. Keep in mind that in the context of system security it’s not always true that “more is better.” The consequences of increased security often include greater administrative overhead in maintenance and installation, more complicated configuration, and a general decrease in flexibility and convenience. Balance the trade-offs appropriately for your environment to arrive at a solution that meets both your usability ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 0596006268Errata Page

Mastering FreeBSD and OpenBSD Security

by Paco Hope, Bruce Potter, Yanek Korff

Chapter 3. Secure Installation and Hardening

Tip

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Linux Server Security, Second Edition

Absolute FreeBSD, 3rd Edition

BSD Unix® Toolbox: 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®

FreeBSD Device Drivers

Publisher Resources

Chapter 3. Secure Installation and Hardening

Tip

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Linux Server Security, Second Edition

Absolute FreeBSD, 3rd Edition

BSD Unix® Toolbox: 1000+ Commands for FreeBSD®, OpenBSD, and NetBSD®

FreeBSD Device Drivers

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.