HM2K

This is a brief guide created to help configure a secure FreeBSD as an IRC shell server.

In this case I will be running FreeBSD 6.0, with bash shell, SSHd, named (bind), httpd (Apache2+PHP4), FTPd (pure-ftpd).

Note: In many cases, if you don’t wish to review the config when adding to it you can do: echo ‘<string>’ >> <file> (ie: echo ‘accounting_enable=”YES”‘ >> /etc/rc.conf)

sshd

• edit /etc/ssh/sshd_config
• Add line “Port 22” – This is default, BUT change to another port if you want to be even more secure.
• Add line “Protocol 2” – We don’t want protocol 1, just 2.
• Add line “LoginGraceTime 1m” – If you don’t login within 1 min, it will timeout.
• Add line “PermitRootLogin no” – You should not allow direct root login via ssh, use su.
• Add line “MaxAuthTries 3” – If you get your login incorrect 3 times, you’re doing something wrong anyway.
• Add line “X11Forwarding no” – You don’t run Xwindows on a server muppet!
• Add line “MaxStartups 15:30:60” – This means, after 15 concurrent unauthed connections, 30% of connections will be dropped, until it reaches a max of 60, then it’s full.

sysctl

• You can read each current setting by doing sysctl <setting> (ie: sysctl kern.securelevel)
• If you are unsure about using a setting you can use “sysctl -w <setting>” to temporary set, until you next reboot.
• edit /etc/sysctl.conf
• Add line “security.bsd.see_other_uids=0” – We don’t want users to see each other’s processes.
• Add line “kern.securelevel=1” – By default it is -1, you don’t need this unless you’re running Xwindows, run at least 0.
• Add line “net.inet.tcp.blackhole=2” – This will drop ALL tcp packets that are received on a CLOSED port and not reply.
• Add line “net.inet.udp.blackhole=1” – This will drop ALL udp packets that are received on a CLOSED port and not reply.
• Add line “kern.ipc.somaxconn=1024” – Default is 128, this means we can have more concurrent connections. If like you me you have plenty of bandwidth, this is best, otherwise if you get attacked, you’ll reach 128 very quickly.
• Add line “net.inet.icmp.icmplim=50” – Default is 200, you shouldn’t need this many, set it to 50 to reduce the amount of ICMPs sent back per second.
• Add line “net.inet.ip.rtexpire=2” – Default is 3600, See the FreeBSD handbook: Denial Of Service Attacks.
• Add line “net.inet.ip.rtminexpire=2” – Default is 10, See the FreeBSD handbook: Denial Of Service Attacks.
• Add line “net.inet.tcp.always_keepalive=1” – This will help discover dead connections and clears them.
• Add line “net.inet.ip.random_id=1” – This is optional, but I like the idea. It gives you random PIDs instead of sequential.

This is my “/etc/sysctl.conf”:

security.bsd.see_other_uids=0
kern.securelevel=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.ipc.somaxconn=1024
net.inet.icmp.icmplim=50
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.tcp.always_keepalive=1
net.inet.ip.random_id=1

rc.conf

• edit /etc/rc.conf
• Add line ‘portmap_enable=”NO”‘ – You only need this if you’re using NFS, which we’re not.
• Add line ‘sendmail_enable=”NO”‘ – This will tell sendmail to only listen on the localhost, it’s not a good idea to leave a mail server open to spam on a shell server.
• Add line ‘nfs_server_enable=”NO”‘ – As above, we don’t need NFS.
• Add line ‘nfs_client_enable=”NO”‘ – Again, no NFS, not even a client.
• Add line ‘accounting_enable=”YES”‘ – This enables process accounting. (You need to do touch /var/account/acct && accton /var/account/acct).
• Add line ‘clear_tmp_enable=”YES”‘ – This will clear the “/tmp” dir at boot time.
• Add line ‘syslogd_flags=”-ss”‘ – This stops syslogd from broadcasting on port 514.
• Add line ‘enable_quotas=”YES”‘ – Assuming you’re running a shell server, you want quotas enabled.
• Add line ‘check_quotas=”YES”‘ – This will help keep your users within their quotas.
• Add line ‘ntpdate_enable=”YES”‘ – This will enable ntpdate, which will keep your date/time up-to-date.
• Add line ‘update_motd=”NO”‘ – This will ensure that the FreeBSD details aren’t added to the /etc/motd on each reboot. We don’t want to broadcast this information.
• Check for ‘inetd_enable’ – Set it to NO, or add inetd_enable=”NO”, if it’s not there.
• Check for ‘named_enable’ – Okay, so running named will increase overheads, but if this is a shell box it probably makes sense to run your own dns server as IRC relies a lot on resolving hosts.
• Check for ‘log_in_vain’ – You may have set this based on what you read else where, but I recommend having this as “NO”, because it logs events on non-open ports, which could cause a ddos.

The latter half of my “/etc/rc.conf” looks like this:

inetd_enable=”NO”
linux_enable=”YES”
sshd_enable=”YES”

portmap_enable=”NO”
sendmail_enable=”NO”
nfs_server_enable=”NO”
nfs_client_enable=”NO”
accounting_enable=”YES”
clear_tmp_enable=”YES”
syslogd_flags=”-ss”
enable_quotas=”YES”
check_quotas=”YES”
ntpdate_enable=”YES”
update_motd=”NO”
named_enable=”YES”

Firewall

For a shell server, a firewall may not be required, but for many others it may be required.

• edit /etc/firewall.rules – for a shell server, you can do the following:
  • You need to allow new connections for services on the following ports: 21 (ftpd), 22 (sshd), 53 (dns), 80 (httpd).
  • If you are running any other core services, you will need to open the ports for those too. Remember, the first 1024 ports are reserved for root services.
  • If you run an IRC shell server, you should open a range (ie: 2000-4000) for your users services. (such as eggdrops and psybncs).
  • No other new connections to other ports should be allowed.
  • All other traffic is okay.
• Don’t forget to “chmod 600 /etc/firewall.rules”
• Add line ‘firewall_enable=”YES”‘ – We want a firewall enabled.
• Add line ‘firewall_logging=”YES”‘ – Logging the firewall can be useful.
• Add line ‘firewall_script=”/etc/firewall.rules”‘ – It needs to know where to find the rules. (don’t forget to touch /etc/firewall.rules)

Date and Time

You must ensure your system’s date/time is correct, otherwise SSH may fail and logs will be incorrect.

• As above, ensure you have ‘ntpdate_enable=”YES”‘ in your “rc.conf”.
• For first time use: “touch /etc/ntp.conf && echo /etc/ntp.conf >> server uk.pool.ntp.org prefer && echo /etc/ntp.conf >> driftfile /var/db/ntp.drift”
• Run: ntpdate uk.pool.ntp.org

Login.conf

Using login.conf you can create custom classes for your users giving them all sorts of limits and restrictions.

• edit /etc/login.conf
• If you change the “passwd_format” in the Default class to read “:passwd_format=blf:\”, this will give you blowfish password hashes, for better security, but you need to rebuild your login database by doing: “cap_mkdb /etc/login.conf”, and update all passwords by doing “passwd <user>” as root (check “/etc/master.passwd” all passwords will start with $2 if done correctly), don’t forget to edit /etc/auth.conf to “crypt_default=blf” also. This step isn’t required, but recommended.
• There are lots more options, you need to read the handbook for the “login.conf” file.
• Run “cap_mkdb /etc/login.conf” when you’re done to update the database.

pure-ftpd

Instructions are as follows:

• cd /usr/ports/ftp/pure-ftpd && make install
• cp /usr/local/etc/pure-ftpd.conf.sample /usr/local/etc/pure-ftpd.conf
• edit /usr/local/etc/pure-ftpd.conf (if required)
  • Change “NoAnonymous no” to yes
• /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
• echo ‘pureftpd_enable=”YES”‘ >> /etc/rc.conf

Apache 2

• edit /usr/local/etc/apache2/httpd.conf
• change the “ServerAdmin” line with your email address.
• change the “ServerTokens” line from “Full” to “Prod”, this means only “Apache” will be displayed.
• echo ‘httpd_enable=”YES”‘ >> /etc/rc.conf

oidentd

• echo ‘oidentd_enable=”YES”‘ >> /etc/rc.conf
• edit /usr/local/etc/oidentd.conf
• Ensure the defaults deny everything, and that root has a different reply, ie:

default {
default {
deny spoof
deny spoof_all
deny spoof_privport
deny random
deny random_numeric
deny numeric
deny hide
}
}

user root {
default {
force reply “UNKNOWN”
}
}

Note: You can add a user, if you want to allow spoof for certain users, and allow that.

Files and Permissions

• “find / -perm -2000 -ls && find / -perm -4000 -ls” – This lists binaries that everyone can currently access.
• Use “chmod a-s <file>” to remove access or “chmod o-rwx <file>” to allow just for wheel users.
• “chmod 640 /etc/crontab” – This will allow only root and wheel users to see it. Users don’t need to know what processes are started by cron.
• “chmod 600 /etc/rc.conf” – Users don’t need to access this.
• “chmod 600 /etc/sysctl.conf” – Users don’t need to access this.
• “chmod 0750 /root” – Stops non-wheel users from viewing root files.
• “chmod 640 /var/db/locate.database” – You don’t want all users to see all the files on your system.
• edit /etc/motd – Change this to say what you like.
• “touch /etc/COPYRIGHT” – This will remove the copyright info.

ToDo

• Provide an in-depth example of a firewall script
• Provide details about working with Quotas
• Provide better usage of login.conf

Additional Security

• Try checking system integrity with tripwire.
• Keep things up to date with cvsup.

Resources

• FeeBSD Security Information
• Defcon1 Security Guide
• A basic guide to securing FreeBSD (DALnet)
• Hardening FreeBSD (bsdguides.org)
• Protecting yourself with FreeBSD
• sysctl.conf Sample (Freebsdblog.org)
• Securing FreeBSD (ONlamp.com)
• FreeBSD Security HowTo (windowssecurity.com)
• tris’ FreeBSD setup info
• cPanel FreeBSD Seminar

Final notes

I’ve written this as more of a reference, i’ve more than likely missed a few things, so feel free to add your own comments.