Installing A Secure FreeBSD Box
ltwally writes "The guys over at LittleWhiteDog have a how-to on securing FreeBSD. Topics range from the basics to custom kernels, blowfish encryption, smtp, and custom firewall scripts. Definitely worth a look if you're running a FreeBSD box, or are interested in *nix security in general."
One thing I hate... (Score:2, Interesting)
Never heard of Gentoo? How about LFS? How about downloading the source and compiling it yourself?
Re:One thing I hate... (Score:2, Funny)
I didn't know that packages in FreeBSD were actually source! I thought ports were source?
No no no, the author means that BSD programs originate with source code which is then compiled and distributed via packages, whereas linux binaries are generated by 1 million monkeys randomly typing bits until something useful emerges.
Hence, nothing in linux comes from source
Re:One thing I hate... (Score:4, Insightful)
First: Haven't heard of LFS, so please elucidate. TLAs don't google well (now there's an idiomatic phrase). As for downloading and compiling the source: that's precisely what ports do. More to the point, they download, patch, configure, compile, package, and install automatically, but you can manually intervene in any of these steps, and you need only edit very modular and flexible makefiles to do so. Gentoo requires a special tool, and if emerge doesn't fit your needs for one purpose or another for a particular package, let's hope you're a very dedicated python hacker. There's a lot of very neat stuff portage does, but it looks to have started complex, not based on anything all that simple or flexible.
> I didn't know that packages in FreeBSD were actually source! I thought ports were source?
Packages are binaries. Ports builds and installs a package. If you want custom, you just cd to the work/src/ directory and you have the source tree just like the author made it (modulo any patches) from which you're free to do the usual configure && make before going up to the port dir and doing a "make package" (or just "make install" if you want to auto install it). Compare this to the tedium of customizing a source RPM.
Re:One thing I hate... (Score:1)
Linux From Scratch [linuxfromscratch.org], a source-based distro. I used it for a while, and was quite happy with it, right up until I needed to uninstall some stuff.
Re:One thing I hate... (Score:2)
It's not that different from ports, ports integrated with portupgrade is about the same thing in functionality (only portage allows more than one version installed at a time but I'm not sure if that's really an advantage because it's also an invitation to breakage).
make world somewhat resembles emerge world or emerge system or whatever it was called (I played with it briefly
Re:One thing I hate... (Score:3, Informative)
I can only assume, given the context, that you meant that sarcastically, as though Slackware were something that hardly deserved to be mentioned as an option. I'll have you know that Slackware is one of three distros I would ever consider using (the other two being Debian and Gentoo) for much the same reason that you hate RedHat. Slackware has a package system that works just fin
Re:One thing I hate... (Score:2)
Actually I prefer to use real Unix systems like Solaris. I have worked on: HP/UX, Solaris, SunOS, IRIX, AIX, BSD/OS, Open/Net/Free BSD and far too many Linux distributions. If you think RedHat is a well put together system, you need your head examined. To be honest, if you hadn't posted as an AC then perhaps someone would have cared what you think.
I also never sugges
Interesting (Score:3, Insightful)
OpenBSD's security is a lot more than just services disabled by default, and is useful well beyond a firewall.
A reason (Score:1, Interesting)
Named - running along fine, then BLAM! Dead process.
Or rsync as another example.
I understand the 'why' - denial of service concerns via run away processes. But to deny a service you want by killing it? Naw, sorry. The cure is worse than the problem.
Re:A reason (Score:1)
Re:Interesting (Score:3, Interesting)
FreeBSD and NetBSD are just as secure as OpenBSD so stick with what you're comfortable with. As for new us
Re:Interesting (Score:1)
That's all fine and dandy. But the article was talking about SECURING FREEBSD. Installing ports is pretty much guaranteed to UNsecure FreeBSD (or Net, or Open...)
Is that your opinion or are you willing to back that up with errata logs? Are you sure that Free/Net has had no more than one remote exploit in more than seven years?
Re:Interesting (Score:1)
You might also say that Windows 95 and Windows 98 are just as secure as Windows 2000.
Re:Interesting (Score:2)
Interesting piece, but (Score:5, Insightful)
NitPick 1: a cvsup cron job every 3 hours? Cvsup traffic is always high at the top of the hour because everyone does this. Fix: Look at the second hand / second readout on your watch right now. Pick that value as the minute your cron job does its thing. It's a simple pseudo-randomizer that makes things a little easier on the cvsup.freebsd.org servers.
NitPick 2: a cvsup cron job every 3 hours? (Is there an echo?) freefall.freebsd.org is the authoritative cvsup source. Its only client is cvs-master.freebsd.org, which checks freefall every 6 minutes. Official mirrors are allowed access to cvs-master, and generally update between 1 hour and 4 hours. If you're updating more often than once a day via cron, maybe you need to think about becoming a mirror. Besides, the smart thing to do is do a cvsup on your src and ports trees and keep it back a day and watch the mail lists to see if anyone else's machine burnt their toast. If there aren't (m)any complaints, go for it.
Nit 3: An official warning and a gruff "who the heck are you" getty message aren't going to keep kids from nmapping you. Try Fooling Nmap for Whatever Reason. [slashdot.org] If you're worried your OS and your kernel version will give you away, maybe you aren't keeping as up-to-date on your security lists?
Nit 4: Sendmail. Sure. You could run sendmail, but why not look into qmail [qmail.org], written by djb. While you're there, check out djbdns [djbdns.org] if you need DNS services.
Re:Interesting piece, but (Score:3, Informative)
Actually, a bit further down the author recommends postfix. But gee, there is just so much ground to cover here; splitting this up would be good.
Re:Interesting piece, but (Score:1)
Re:Interesting piece, but (Score:2)
One line that made me laugh was ". .
I think not.
Re:*BSD is not dead! (Score:2)
You BSD Tro...
Erm...hang on...
Using FreeBSD as a firewall (Score:2, Funny)
things about it, and was excited to replace a dead Linux firewall with this OS. Unfortunately as things turned out, FreeBSD proved to be more nightmare than solution.
When not attending classes at my community college to get my humanities degree, I work part-time at a printshop. Our Linux box there finally gave up the ghost. I'd heard that FreeBSD was incredibly secure so I talked my boss into putting that on as a replacement.
Part of the appeal
Re:MOD PARENT UP (Score:2, Funny)
"Then there was the OpenSSH holes. I would later learn that FreeBSD has a history of remote exploits. Perhaps they should work with the team at RedHat, as RH knows how to secure their distros."
This really has to be modded up as humorous.
Re:Using FreeBSD as a firewall (Score:1)
Re:FreeBSD vs Linux performance (Score:4, Funny)
take a quick look at Netcraft's longest-uptimes page [netcraft.com] and see what OS is most prominent on that page.
Here's a summary for you.
BSD/OS and FreeBSD: 50
GNU/Linux (all distros): 0
All other *NIX's combined: 0
Windows (98, XP, 2k and 2k3): 0
Mac OS and OS/X: 0
I'd have drawn a pie chart, but I think you know what a circle looks like already..
Re:FreeBSD vs Linux performance (Score:2)
Re:FreeBSD vs Linux performance (Score:2)
Re:FreeBSD vs Linux performance (Score:2)
Re:FreeBSD vs Linux performance (Score:1)
Security (Score:4, Funny)
Rus
here's something exciting for the mods (Score:3, Funny)
Nice and comprehensive (and the obvious but) (Score:5, Insightful)
The but is that I felt it could have included more information about *why* you'd do these kinds of things instead of just how. This information would help people who are newer to FreeBSD understand how to expand on this. While it is comprehensive, I feel it could give people a little more idea of the 'why' rather than the 'how' so that people could do some securing of their own
devil is in the details (Score:4, Interesting)
This request is outrageous. There is any amount of material on the net already about security theory and practice. I've read most of it myself. How much of it am I practicing myself? Not very much. I'm not a full time sysadmin, I sysadmin during my recess breaks from my development activities. Why do I not bother to take security measures I hear preached on every street corner? Because the devil is in the details, and I can't afford to have my FreeBSD server go offline because ICMP was accomplishing something I didn't know about.
This guide is more useful to me than another dozen sermons. It gives me confidence that I can lock down aspects of the system I don't have time to understand in depth with a modicum of confidence that the essential functions of my box will continue to perform.
In my development life there are some aspects of security I work with daily: OpenSSH (tunnels, authpf), OpenSSL, IPsec. Despite my meager time budget to practice host-based security, I'm far from clueless about good security practices.
Do people forget what an incredible sinkhole of human productivity security has become? A simple overview of X.509 destroyed a week of my time. Yet another horror show more easily avoided in theory than practice.
One of the problems with Google is that you never see the thickness of the fully assembled tome. I recall an era where system documentation was measured in shelf-feet. Whenever I had the urge to make my life more complicated than necessary, I just had to look at that bookshelf and ask myself "do I really want to go there?"
I'm at the point in my life where I'm never again going to set aside whole days to master intricacies like all the special perm bits on the FreeBSD implementation of FFS.
I cherish the people out there who return from the trenches with a tattered cheat sheet with the barbed wire, machine gun nests, and landmine locations carefully documented. And then I read highly rated comments from the Rear Admiral types that "this is all well and good, but it isn't another volume of War and Peace". I would love to find a complete set of VAX manuals on Ebay to donate to this idiot, but I don't think I could afford the shipping charge.
What this article needs is not more theory, but more warnings about "if you experience this kind of problem after making these changes, you took your security measures too far too fast". The art of security is not in knowing what you ought to be doing, it's knowing *what you get away with hardening* given other constraints, such as having any time left over to accomplish something productive.
I always remember the famous quote about building the Fermilab accelerator. When challenged about how Fermilab improved national security, someone shot back: Fermilab is the kind of project that makes America *worth* defending. People and nations who can't grasp that response end up eating their own tails.
Sendmail (Score:2, Interesting)
Re:Sendmail port 587? (Score:1)
submission 587/tcp
submission 587/udp
%cat
sendmail_submit_enable="YES" # Start a localhost-only MTA for mail submission
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"
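An added check, not from the article or the comment above, that reads an rc.conf fragment and `sockstat -4l` output to confirm sendmail is bound only to the loopback address; both inputs are constructed samples, and the rc.conf semantics assumed are FreeBSD's (sendmail_enable="YES" starts a network-facing MTA, sendmail_submit_enable="YES" alone starts the localhost-only submission daemon):

```shell
#!/bin/sh
# Constructed rc.conf fragment (not from a real host): the localhost-only
# submission configuration shown in the comment above.
SAMPLE_RCCONF='sendmail_enable="NO"
sendmail_submit_enable="YES"
sendmail_submit_flags="-L sm-mta -bd -q30m -ODaemonPortOptions=Addr=localhost"'

# Constructed `sockstat -4l` output in FreeBSD's column layout.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   612   3  tcp4   127.0.0.1:25          *:*
root     sshd       540   4  tcp4   *:22                  *:*'

# rc_value CONTENT KEY: print the quoted value of KEY (last one wins, as in
# rc.conf); prints nothing if KEY is unset.
rc_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" | tail -n 1
}

# rcconf_local_only CONTENT: return 0 if the fragment keeps sendmail off the
# network: the inbound daemon must be off, and if the submit daemon is on its
# DaemonPortOptions must pin it to the loopback address.
rcconf_local_only() {
    [ "$(rc_value "$1" sendmail_enable)" = "YES" ] && return 1
    [ "$(rc_value "$1" sendmail_submit_enable)" = "YES" ] || return 0
    case "$(rc_value "$1" sendmail_submit_flags)" in
        *Addr=localhost*|*Addr=127.0.0.1*) return 0 ;;
        *) return 1 ;;
    esac
}

# sockstat_local_only OUTPUT: print every listening sendmail socket whose
# local address is not 127.0.0.1 and return 1 if there are any; this is the
# runtime confirmation of what rcconf_local_only checks on paper.
sockstat_local_only() {
    exposed=$(printf '%s\n' "$1" | awk '$2 == "sendmail" && $6 !~ /^127\.0\.0\.1:/ { print $6 }')
    [ -z "$exposed" ] && return 0
    printf 'sendmail listening on non-loopback address: %s\n' "$exposed"
    return 1
}

# Stand-alone run: both constructed samples describe a localhost-only MTA.
rcconf_local_only "$SAMPLE_RCCONF" && echo "rc.conf: sendmail is localhost-only"
sockstat_local_only "$SAMPLE_SOCKSTAT" && echo "sockstat: no exposed sendmail listener"
```

On a live box, replace the samples with the contents of /etc/rc.conf and the output of `sockstat -4l` (and `sockstat -6l` if IPv6 is configured).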
Re:Sendmail port 587? (Score:2)
http://www.ling.helsinki.fi/~reriksso/unix/award.html [helsinki.fi]
Re:Sendmail port 587? (Score:1)
Re:Sendmail (Score:4, Informative)
It's all spelled out in RFC2476 [faqs.org]
Re:Sendmail (Score:2)
BSD vs Linux (Score:1)
Re:BSD vs Linux (Score:1)
Very useful (Score:1)
Congrats to the wonderful person who wrote this document, I found it incredibly useful!
Re-worded a bit to help make the parent clearer (Score:2, Funny)
To secure my box I had to understand security! I attempted to read a How-To that would tell me the command to secure my box, but the How-To's were so LONG and complicated. I tried this to no avail:
I submitted the parent. (Score:1, Insightful)
And while the post was somewhat tongue-in-cheek, at the same time it outlined an underlying truth.
NAT was cutting edge circa 1997; it's now 2003, very nearly 2004, and that means NAT is paleolithic technology. I am well aware that traditionally FreeBSD is thought to possess one of the nicest TCP/IP stacks in the business, and that much of that stack has made its way into commercial offerings, but still, at this point in time, the stack ought to be sufficiently modular that a computer with two network car
Re:I submitted the parent. (Score:2, Informative)
Re:I submitted the parent. (Score:1, Funny)
Go to a NANOG or IETF meeting and yell that REALLY loud. To make the trip profitable, I recommend an associate who sells sticks next to you labeled 'IP End to end connectivity'.
Yes, you'll be beaten with sticks, but by selling the sticks you'll make a lot of money.
Re:I submitted the parent. (Score:1)
I think it is not inferior to iptables of linux based on my experience of both. Basically, I believe *BSD is more unix than linux.
Re:Do you still have to re-compile the kernel? (Score:1)
Re:Do you still have to re-compile the kernel? (Score:1)
The authoritative answer to *BSD setup questions is almost always on the *BSD website. Linux is a hodgepodge of out-of-date HOWTOs that usually refer to some obscure, now-abandoned beta software, and are often specific to a kernel version.
Re:not a great article (Score:2)
jooz fuX0red my b0x! (Score:2)
I tried that and now my friends can't get my emails. You don't know SHIT about locking down a box.
Yes, I'm joking.
Re:Howto Secure a FreeBSD box (Score:1)