Before I built a wall I’d ask to know What I was walling in or walling out, And to whom I was like to give offence. Something there is that doesn’t love a wall, That wants it down.
—Robert Frost “Mending Wall”
FreeBSD and OpenBSD are often considered the “other” free operating systems besides Linux. However, in recent Netcraft surveys, the five most reliable web sites on the planet run FreeBSD. OpenBSD, too, is deployed on thousands of security servers around the world. These two BSD-based operating systems are rapidly gaining traction in educational institutions, non-profits, and corporations worldwide.
Plenty of books exist to help you get a FreeBSD or OpenBSD system off the ground. All of them touch on security, but most only dedicate a chapter to it. In sharp contrast, we think it’s worth spending an entire book on the subject. FreeBSD and OpenBSD are rife with security “building blocks” that you can use to really take security and “kick it up a notch.”
These operating systems have kernel options and filesystem features that go well beyond traditional Unix permissions and controls. This power and flexibility is valuable, but the colossal range of possibilities will leave you dizzy if you don’t take things one step at a time. Mastering FreeBSD and OpenBSD Security complements existing books on FreeBSD and OpenBSD administration. Where others help you achieve functionality, we help you build security-minded deployments. This book walks you through the installation of a hardened operating system, the installation and configuration of critical services, and ongoing maintenance of your FreeBSD and OpenBSD systems.
This book is written by system administrators for system administrators. If you’re looking for a complete idiot or dummy guide, this book is not for you. We’re talking to administrators who have installed a Unix-like operating system before. Almost any will do, but this book is all about what sets FreeBSD and OpenBSD apart from other Unices. You’ll get the most out of this book if you’re comfortable administering BSD operating systems and want to take your experience one step farther.
Administrators at various skill levels and in organizations of any size can benefit from secure BSD systems. Junior administrators who know how to get a Unix system off the ground can use this book to develop a sound foundation in systems security. Experienced administrators, like experienced cooks, will find new recipes that they can add to their existing repertoire. If you’re part of (or all of) a small staff that runs only a handful of servers, you’ll see how choosing one of the BSDs can let you spend less time on security concerns and more on your other duties. If you’re part of a large staff running many servers, you’ll see how BSD servers can be solid pillars in your infrastructure. They’re easy to deploy and scale, and maintaining them is a breeze. Securing them is easy enough, too, with the help of this book.
We’re really focused on improving the skill set of an established system administrator, so we aren’t going to explain a lot of basics. We assume you can find your way to a command line and work your way through the filesystem with speed and grace. We expect that you already have a solid understanding of basic Unix permissions, are comfortable installing and configuring hardware and software, and so on.
If at any time you feel you’re in over your head, fear not. Both operating systems have strong followings and easy to find documentation for all the basics. You can look at FAQs, HOWTOs, and handbooks online, or you can buy one of the many good references in print. The “Resources” section at the end of every chapter always lists good resources that provide additional coverage of relevant topics. In many cases, these additional resources provide the foundation in the technology you need to leverage the recommendations in this book.
The Internet is everywhere, and every administrator needs a basic understanding of local- and wide-area networking. We’re not going to tell you what TCP/IP is, how DHCP works, or how to cable up your switches and hubs. We’ll explain what you need to know when we get into a security topic that is rooted in the deep, dark corners of a protocol specification or some other relatively obscure topic. Network security and configuration are important, but we assume you’ve already got that under control.
We’ve tried to break the book up into three sections. We begin by establishing a foundation in FreeBSD and OpenBSD, move on to discuss specific deployment scenarios based on this foundation, and we wrap up with a broader look at these operating systems in your existing network.
The goal of Part I is to give you the foundation for building and running secure systems with FreeBSD or OpenBSD.
Chapter 1 is an introduction to system security and general security topics that are relevant to the rest of our discussion. It tells you what you’re up against and gives you some ideas about how we’ll approach securing systems.
Chapter 2 is all about the fundamental building blocks you get for securing systems based on either OpenBSD or FreeBSD. There are some differences, so we highlight those as we go. We cover filesystem features, kernel features, inherent operating system features, and tweaking your kernel to enhance specific security postures.
Chapter 3 augments what you already know about installation. We explore the security-related options, trade-offs, and configurations you must consider when installing. We walk through installing both FreeBSD and OpenBSD, but dwell mainly on areas where choices at installation time can have important security ramifications.
Chapter 4 is a tour de force of administration concerns. You’ve got it installed, you’re running it day-to-day, so now what? We describe controlling access, installing and upgrading software, network security, backups, and system monitoring.
Every server has a specific purpose in life, and FreeBSD and OpenBSD systems are ideal candidates for handling critical infrastructure services like DNS servers, firewalls, mail gateways, and web servers. Part II covers these deployments and how you can leverage specific BSD features to improve the security posture of the services you provide. We don’t tell you everything about deploying the specific service, however; just the extra options and special circumstances where you can take advantage of OpenBSD or FreeBSD. The goal of this section is to offer guidelines for securely deploying the software that will run critical services in your network.
With each of these critical network services, we take time to explain the kinds of risks you face, the sorts of attacks you might need to repel, and why you and your organization care about running the service securely. When we talk about installing and configuring software, though, we refer back to the general techniques and building blocks that we laid out in Part I. You’ll want to be at least passingly familiar with the techniques, because we combine them in interesting and sometimes subtle ways.
Chapter 5 describes DNS and how to build a secure DNS server. DNS is critical to every Internet service, and getting it right is fundamentally important, so we cover it first. We talk about both BIND and djbdns and how they can be installed, configured, and operated securely.
Chapter 6 covers mail: arguably the most critical electronic communication you support in your organization. We discuss setting up a secure mail architecture as well as filtering and rejecting unwanted mail. We describe both Sendmail and Postfix and how to securely install, configure, and administer them.
Chapter 7 offers a wealth of information on
securing Apache-based web servers. We cover risks and threats,
configuration and installation, and managing what options your users
can set. We also describe
thttpd, a small, fast,
no-frills web server that can perform admirably in certain
situations. In the end we talk about some interesting combinations of
FreeBSD’s jails and web servers to isolate and
contain lots of web sites in their own sandboxes.
Chapter 8 is about building firewalls. OpenBSD
and FreeBSD make excellent choices as firewall platforms. Getting a
firewall operational isn’t too hard, but making sure
that it’s appropriately secured needs to be done
carefully. In this chapter, we’ll talk about
ipfw on FreeBSD and
available on both platforms.
Chapter 9 outlines the topic of intrusion detection system (IDS) on FreeBSD or OpenBSD. We cover the purposes for using IDSes as well as alternative approaches such as log analysis and intrusion prevention. We give you some good guidance on how to build an effective architecture and monitor it for nefarious activity.
Auditing and incident response are topics in system administration theory that are critical but often overlooked. They are not specific services that you run as much as concerns you keep in the back of your mind all the time.
Chapter 10 talks about managing the audit trails. A properly configured system should be warning you about suspicious activity, but how do you manage all the alerts and warnings? We talk about what you want to log, how you can log it securely, and how to manage the logs you generate.
Chapter 11 describes incident response and computer forensics. When the inevitable happens and you have an incident to respond to, how will you do it? We talk about responding to attacks, and tracking down how the attack succeeded, through forensic analysis.
We use both typography and common Unix documentation conventions to give you additional information in the text.
- Plain text
Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).
Indicates new or technical terms, system calls, URLs, hostnames, email addresses, filenames, file extensions, pathnames, and directories.
Indicates commands, options, switches, variables, attributes, keys, functions, types, objects, HTML tags, macros, the contents of files, or the output from commands.
Constant width bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values.
There are times when it is very important to pay attention to the
typography because it distinguishes between two similarly named, but
different concepts. For example, the
and the /etc/hosts file, or the
jail(2) system call versus the
jail(8) command. Sometimes the typeface is an
important clue to help you remember which one we’re
referring to in a given context.
You will see two different prompts in the examples we give for
running commands. We follow the time-honored Unix convention of using
% to represent a non-root shell (e.g., one running
as your normal user ID) and
# to represent a
root-equivalent shell. Commands that appear after a
% prompt can (and probably should) be run by an
unprivileged user. Commands that appear after a
prompt must be run with root privileges. Example P-1
shows three different commands that illustrate this point.
Example 1. Several commands with different prompts
ls -lo /var/log%
sudo ifconfig lo0 127.0.0.2 netmask 255.255.255.255#
shutdown -r now
ls command runs as a normal user. The
ifconfig command runs as root, but only because a
normal user uses
sudo to elevate his privileges
sudo is discussed in detail in Chapter 4). The last command shows the
# prompt, assuming that you have already become
root somehow before executing the
This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.
We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: Mastering FreeBSD and OpenBSD Security by Yanek Korff, Paco Hope, and Bruce Potter. Copyright 2005 O’Reilly Media, Inc., 0-596-00626-8.
If you feel your use of code examples falls outside fair use or the permissions given above, feel free to contact us at email@example.com.
Please address comments and questions concerning this book to the publisher:
|O’Reilly Media, Inc.|
|1005 Gravenstein Highway North|
|Sebastopol, CA 95472|
|(800) 998-9938 (in the United States or Canada)|
|(707) 829-0515 (international or local)|
|(707) 829-0104 (fax)|
We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:
To comment or ask technical questions about this book, send email to:
For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our web site at:
When you see a Safari® Enabled icon on the cover of your favorite technology book, that means the book is available online through the O’Reilly Network Safari Bookshelf.
Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.
Many people helped make this book possible, some of them in big ways and others in critical, yet nearly invisible ways. We’d like to acknowledge them here.
First and foremost, I’d like to thank my wife, whose patience continues to surprise me. This book would never have been possible without her help and her support. Also, although she’s not old enough to harbor a grudge or appreciate gratefulness, I’d like to thank my one-year-old daughter. She’s only ever known a workaholic father and doesn’t realize she should be jealous.
An obvious thank you to my parents for putting me on the road to geekdom back in early 90s, and of course putting me through college. May my educators forgive me for everything I’ve forgotten.
I’d also like to thank Viren Shah who introduced me to FreeBSD. I wouldn’t be where I am today without the support and mentoring he’s provided me over the years.
Finally, thanks to my good friend Matt Rowley, owner of much computer junk. Some of that junk and the advice that came with it were integral to this book’s creation.
I’d like to thank my wife, Rebecca, who administered everything that doesn’t run FreeBSD (like children, houses, and pets) while I was building Frankenstein’s BSD lab in our basement. I am grateful for my time in the Department of Computer Science at the University of Virginia, where I cut my teeth as a system administrator. I thank the folks at Cigital, Inc. for introducing me to risk-based approaches to software and system security. Lastly, I thank Adrian Filipi, who gave me my first BSD/386 floppies back in 1993.
I would like to thank my wife for being incredibly understanding throughout the writing of this book and the million other things I had going on in the last year. She was amazing, even when I was not. I’d like to thank my kids, Terran and Bobby, and “Uncle Andy” for giving me time to write. Also, I would like to thank all the members of The Shmoo Group for helping me become the geek I am today. Without their friendship and expertise, I don’t know where my career would be today (full of moose, no doubt). The same goes to my folks who supported me through my fits and starts in college. And finally, a specific thanks to Joel Sadler, who gave me my first FreeBSD disk in 1995 telling me, “Here, try this. It’s better than Linux.”
We appreciate all the feedback we received from our technical reviewers. They definitely kept us on our toes and made this book better by lending their expert advice and opinions. Thanks to Flávio Marcelo Amaral, Ren Bitonio, Mark Delany, Adrian Filipi, Eric Jackson, Jose Nazario, Neil Neely, Wayne Pascoe, Viren Shah, and Shi-Min Yeh.
Finally, we thank the staff at O’Reilly, especially Tatiana Diaz, Nathan Torkington, Allison Randal, David Chu, Andrew Savikas, and the innumerable others who have made this book a reality without our knowledge of their existence. An extra thank you goes to Tatiana for helping us reboot this effort after it locked up in the middle of 2004.