PC-BSD Forums

PC-BSD Forums (http://forums.pcbsd.org/index.php)
-   General Questions (http://forums.pcbsd.org/forumdisplay.php?f=10)
-   -   Hardening PCBSD 9.1 (http://forums.pcbsd.org/showthread.php?t=18865)

maioral 12-23-2012 08:13 PM

Hardening PCBSD 9.1
 
I was reading this FREE BSD HARDENING GUIDE...
It is recommended in the pcbsd 9.0 guide but... it was written in 2005!!!

The link is http://www.bsdguides.org/2005/hardening-freebsd/

There are things like this below i would like to know if are already implemented by default in 9.1 PC-BSD, like stored password encryption strenghtening.

Quote:

Password Rules

By default, FreeBSD uses md5 for password hashing and encryption. Itís not bad, but blowfish is much better suited for passwords and we need to update some files to reflect blowfish. *Note: Passwords will not be converted to blowfish until they have been changed.

# echo "crypt_default=blf" >> /etc/auth.conf

You need to manually edit /etc/login.conf and change the password format in the default class to blf. We should also modify the default password policy to put a minimum password length requirement and mix upper and lower case. Letís also cause passwords to expire after 90 days and to automatically log users out if they are idle for 30 minutes. Itís also a good idea to set the default umask to prevent global access. The umask is the inverse to the chmod. So in this case when new files and directories are created, they will get the permissions of 0750.
Please, senior masters, tell me that this is already implemented by Kris Moore.

Plus, i read a lot of other recomendations:

Quote:

System Configuration for Daemon Startup

Now it is time to enable or disable certain services by editing /etc/rc.conf. Here we will disable sendmail as it is an insecure MTA. If you want to run a mail server, I recommend using qmail.

# echo 'sendmail_enable="NONE"' >> /etc/rc.conf

The default kernel level is -1, meaning not much gets protected. You probably only need the secure level at 2, but 3 is the most secure. If you want more information on the secure levels, read the man pages for init(8). Note: The securelevel can only increase once the kernel is loaded.

# echo 'kern_securelevel_enable="YES"' >> /etc/rc.conf
# echo 'kern_securelevel="3"' >> /etc/rc.conf

If you arenít running NFS, disable portmap:

# echo 'portmap_enable="NO"' >> /etc/rc.conf

inetd, or the network daemon dispatcher, is insecure so we want to make sure it is disabled.

# echo 'inetd_enable="NO"' >> /etc/rc.conf

Itís a good idea to clear your /tmp directory at startup to make sure there isnít anything malicious hanging around in your temp files.

# echo 'clear_tmp_enable="YES"' >> /etc/rc.conf

If you are not logging to a remote machine, it is a good idea to make sure syslogd does not bind to a network socket.

# echo 'syslogd_flags="-ss"' >> /etc/rc.conf

ICMP Redirect messages can be used by attackers to lead you to their router or some other router, which would be bad. Letís ignore those packets and log them.

# echo 'icmp_drop_redirect="YES"' >> /etc/rc.conf
# echo 'icmp_log_redirect="YES"' >> /etc/rc.conf

The following option is a good choice as it will log all attempts to closed ports. This is good to know if people are trying to access your box through a specific port.

# echo 'log_in_vain="YES"' >> /etc/rc.conf
When talking about a Desktop User, there are a lot of features that i believe come turned on by default that desktop users will never use.

I believe it would be good to make a "security wizard" or a "security options" in the Control Panel, since the kind of knowlage about the system for people that comes from other systems, like Windows and other migrating to Pc_BSD will be ZERO...

Things like...

- "allow remote connections?"
- "allow ssh?"
- "allow mail server?"

Or, in other Level...
- "Is this computer a STAND ALONE or is it connected and share files and printer over a network?"
- "Is this computer for desktop use only or will be used for server services?"

Letīs not forget something:
HARDENING IS FOR MASTERS and pc-bsd is directed to NOOBS like me.
BSD users are used to expect at least a "considerable knowlage" from other users... But now, as alternative to microsoft for Desktop Users...

The average desktop level is LAY PERSON.
So is impossible to expect this kinda user will be able to configure security options alone, but is so easy for the masters here to make simple scripts that they would use in a desktop use machine...

So, experienced users, please write some desireble features in features request, for noobs like me, or please someone explain to us how to make changes for simple desktop use and turn off all server, local network and remote login options...

And some hardening tips. What is usefull from this old 2005 guide that we can use in pcbsd?

sg1efc 12-23-2012 10:14 PM

You might like to read the information in the BSD Magazines which come out each month. They have a lot of great info including security information:

http://bsdmag.org/

:)

maioral 12-23-2012 10:22 PM

I did it this afternoon :)
Only the jails article could be read by someone of my level and it only scared me lol.

sg1efc 12-23-2012 10:35 PM

Quote:

Originally Posted by maioral (Post 102559)
I did it this afternoon :)
Only the jails article could be read by someone of my level and it only scared me lol.

Thanks, I am glad that I am not the only person those articles scare, LoL. :) :)

Tigersharke 12-24-2012 09:21 PM

Best part about BSD (or any other OSS operating system) is that you *can* correct security issues yourself without having to wait for the authors (ie Microsoft) to realize that they should plug world-accessible hooks that reach deep into the system.. not to mention that afaik a Web Browser is only so integrated with the system as to be a security risk on Windows.

maioral 12-25-2012 05:20 AM

Still want to know about the questions i made...

Passwords are already blowfish here?
What of those recomendations of that 2005 post we must do?
And are there other ones?

sg1efc 12-25-2012 01:26 PM

Quote:

Originally Posted by maioral (Post 102590)
Still want to know about the questions i made...

Passwords are already blowfish here?
What of those recomendations of that 2005 post we must do?
And are there other ones?

It may take a bit of time for an expert to reply, as it is the season for major holidays where the experts live and they are busy with their families. :)

thnewguy 12-25-2012 06:53 PM

I had a little trouble understanding what is it you are asking. Are you wondering if you need to perform the steps mentioned in the article? Are you wondering if PC-BSD runs any network services by default? Are you curious as to what kind of hashing method the password file uses?

All of these the points mentioned above are generally concerns with regards to multiuser servers. Unless you are running network services on your PC-BSD box without the benefit of a jail these really are not things you need to worry about.

Edsel 12-26-2012 12:12 AM

First of all. Your assumptions are wrong. PC-BSD is not only for noobs but also very good for power users who want a stable, secure and flexible desktop :)

You can check the password hash algorithm by taking a look at the password file. If the hash starts with $2a$ you are using blowfish, or $6$ if you are using SHA256 or SHA512 which are all ok. I think it's best to leave all the options as they are unless you _exactly_ know what you are doing.

maioral 12-26-2012 06:52 AM

Quote:

First of all. Your assumptions are wrong. PC-BSD is not only for noobs but also very good for power users who want a stable, secure and flexible desktop
Edsel... FIRST OF ALL
Learn to read.
Nobody said is only for noobs and not for power users; By the way, nobody said NOTHING about being good for 1 category or another
I said is NOT EASY for noobs to configure those things.
I said this is based on BSD and that desktop users as lay persons will not be able to configure bsd like the normal users.
So i am asking directions about those recomendations.

Yes, is better to leave the options as they are unless you know what you are doing.
SO I AM HERE TO KNOW WHAT TO DO.
I am ASKING ABOUT THE GUIDE.
I am asking if those changes are already made.

Do you expect that 100 persons should find the hash alone or 1 person could answer about the hash?


All times are GMT. The time now is 11:57 PM.

Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.


Copyright 2005-2010, The PC-BSD Project. PC-BSD and the PC-BSD logo are registered trademarks of iXsystems.
All other content is freely available for sharing under the terms of the Creative Commons Attribution License.