TUCoPS :: BSD :: freebsd.txt

FreeBSD How I Secured my FreeBSD System

How I Secured my FreeBSD System 
by che guevara
of the phonerangers


I'm really paranoid. I am also a geek. I got a kick out of doing this, and feel like 
sharing. This is how I made my FreeBSD system as secure to the outside world as I could.

  I still run X, Netscape 4.5,  etc. on my system, so it isn't as secure as it could 
be. If I made as secure as possible, I wouldn't be able to use it and that would suck. 

	Well, my paranoia paid off. Two seperate times my computer has come under what 
I considered attack. The first time it came from some big corporation's server. It was 
an attempt to use Back Orifice on me (which is kinda stupid cause i run freebsd, bo 
only works on windows!). The second was more interesting.

 Somebody portscanned me, both TCP/UDP,  about ten minutes after I finger'd them. 
Strange, retaliating to an unagressive finger with a portscan. I noticed the portscan 
because of the unique noise my hard drive made as it wrote over thirteen hundred log 
entries to disk. Well, this person found no ports open on my machine, and I found 27 
open on his (without even trying UDP!).  He left his SMTP port wide open.... So I sent 
him some mail asking him to cut it out.  Well, those were the times my security 
actually stopped attacks against my machine. 

	The outermost layer of my security is a firewall. Your basic, everyday packet 
filtering chunk of kernel code. I want to be able to talk to the outside world, but I
don't want anybody being able to talk to me. Since I have no need for other computers 
to be able to initiate a connection to my machine, as few as possible can. 

   First the firewall allows everything to pass internally . This is accomplished with: 

                ipfw add 1000 pass all from any to any via lo0 

    I need my DNS,  because being able to resolve hostnames is a good thing.  I have to 
use four lines here, two for my primary DNS server and two for my secondary. So: 

                ipfw add 1010 pass udp from  {DNS server's IP} to {My IP} 
                ipfw add 1011 pass udp from  {My IP} to {DNS server's IP} 
                ipfw add 1015 pass udp from  {DNS server's IP} to  {My IP} 
                ipfw add 1016 pass udp from  {My IP} to {DNS server's IP} 

    I want to be able to connect outwards, but I don't want any connections coming in. 
I enable out going TCP setup, and disable incoming TCP setup. I also have a rule passing 
established TCP data, so that once I get my connection setup I can get subsequent data 
in and out of my system. The setup denial rule is global, because it comes after the
out going setup rule and so the first one matches. 

                ipfw add 1020 pass tcp from {My IP} to any setup 
                ipfw add 1030 deny log tcp from any to any setup 
                ipfw add 1040 pass tcp from any to any established 

    Next I pass all ICMP,  which is really only so I can ping. 

               ipfw add 1050 pass icmp from any to any 

    Finally, everything else gets denied. 

               ipfw add 2000 deny log ip from any to any 

    I have a dynamic IP dialup connection to the outside world, and so I need to be able 
to change {My IP} every time I dialup and initialize my firewall. I have written two 
simple scripts to get my IP out of my routing table and then sets my firewall rules 

    The first of these scripts gets my IP and then calls the second. It is named getip, 
and reads: 


                netstat -rn | 
                grep {Terminal server's IP} | 
                grep UH | 
                awk '{print $2}' | 
                xargs -t /root/firewall_rules 

    This script lists the contents of my routing table,  finds the route leading  to my 
IP, and then sticks my IP in as the first argument to /root/firewall_rules, the second 
script.  This script reads: 

                ipfw -f flush 
                ipfw add  1000 pass all from any to any via lo0 
                ipfw add   1010 pass udp from {DNS server's IP} to $1 

    This allows me to dynamically initialize my firewall according to the new IP which 
I get assigned every time I dialup. 


    After my firewall, any intruder will have to deal with tcp_wrappers. My wrapper's 
configuration is simple,  is contained in /usr/local/etc/hosts.deny, and reads: 

               ALL : ALL EXCEPT localhost 

    This denies all hosts except localhost access to all daemons. 

    Alternatively, if an  intruder wishes to access any port which is not covered by 
inetd, they must deal with Abacus Sentry. I run Sentry in both standard TCP and UDP 
modes, and cover the following ports: 
                TCP:    1,7,9,11,15,25,70,79,80,109,110,111,119,138,139, 143,512,513,514

                UDP:   1,7,9,25,66,67,68,69,111,137,138,161,162,474,513,517,518, 

    This provides extensive screening of  often targeted ports. 

    As well as running sentry, I run fakebo on UDP port 31337. This program mimics a 
Back Orifice server,  and will treat all recieved commands as if they were successfully 

    I have also taken some other miscelaneous precautions. 

    Behind every port on my computer I have set my kernel to log packets that were sent 
to a given port but not recieved by any program bound to that port. I have done this by 
changing  net.inet.{tcp|udp}.log_in_vain to 1.  A useful side effect of this is that it 
catches TCP SYN stealth scans that hit unbound ports of my computer. 

    I do not run sendmail or any other MTA. 

    I have good passwords (as in, contain spaces, variable capitalization, etc.). 

    I read my logs for sign of intrusion. 

    I listen to my hard drive for sign of intrusion. Yes, this is true. The noise of all 
those log entries getting written to disk when my security picks up on the fact that I 
am getting port scanned  is (in my experience) unique, and since I have a loud hard 
drive I can hear it. Heehee, I love being a geek. 

Other sites:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH