Enabling the new security features of FreeBSD 11 on an existing system

pom

Hello,

when you install FreeBSD from scratch you can set a few "switches" that are meant to increase security, e.g. that a user only sees his own processes.

How do you set these after the fact on a system that was migrated from 10 to 11?

Regards,
Peter
 
Code:
#!/bin/sh
##################################################################
##################################################################
#
#  The FreeBSD System Hardening Script
#  David Childers - 15 February, 2010
#
#  This software is released under the Attribution-ShareAlike version 3.0 Licence.
#  www.creativecommons.org/licenses/by-sa/3.0/
#
#  Article: http://www.bsdguides.org/2005/hardening-freebsd/
#
##################################################################
##################################################################
#
#  Portions of the script that are marked with a double comment sign (##) require additional manual
#  steps.  If these additional steps are not completed, then the changes initiated by this script will
#  not function properly.
#
##################################################################
##################################################################
#
#  This script can be used with either an i386 or amd64 computer.
#
##################################################################
##################################################################
#
#  The file rc.conf contains descriptive information about the local host name, configuration details for
#  any potential network interfaces and which services should be started up at system initial boot time.
#
#  Ensure syslogd does not bind to a network socket if it does not need to receive log messages from
#  other hosts (-ss disables both listening and sending).
#
echo 'syslogd_flags="-ss"' >> /etc/rc.conf
#
#  ICMP Redirect messages can be used by attackers to redirect traffic and should be ignored.
#
echo 'icmp_drop_redirect="YES"' >> /etc/rc.conf
#
#  sendmail is an insecure service and should be disabled.  Note that sendmail_enable="NO" only stops
#  the listening daemon; the outbound and submission queue runners keep running unless you set the
#  value to "NONE" (see rc.conf(5)).
#
echo 'sendmail_enable="NO"' >> /etc/rc.conf
#
#  The Internet Super Server (inetd) allows a number of simple Internet services to be enabled,
#  including finger, ftp, ssh and telnetd.  Enabling these services may increase the risk of security
#  problems by increasing the exposure of your system.
#
echo 'inetd_enable="NO"' >> /etc/rc.conf
#
#  Network File System allows a system to share directories and files with other computers over a network
#  and should be disabled.
#
echo 'nfs_server_enable="NO"' >> /etc/rc.conf
#
echo 'nfs_client_enable="NO"' >> /etc/rc.conf
#
#  sshd is the OpenSSH daemon.  Disabling it removes remote shell access entirely; on a machine you
#  administer over the network this locks you out, so leave it enabled (and harden
#  /etc/ssh/sshd_config instead) unless you have console access.
#
echo 'sshd_enable="NO"' >> /etc/rc.conf
#
#  Disable rpcbind (the portmapper) if you are not running Network File Systems.  The original script
#  used portmap_enable, which rc.conf(5) does not know; the variable is rpcbind_enable.
#
echo 'rpcbind_enable="NO"' >> /etc/rc.conf
#
#  Disable computer system details from being added to /etc/motd on system reboot.
#
echo 'update_motd="NO"' >> /etc/rc.conf
#
#  The /tmp directory should be cleared at startup to ensure that any malicious code that may have
#  entered into the temp file is removed.
#
echo 'clear_tmp_enable="YES"' >> /etc/rc.conf
#
##################################################################
##################################################################
#
#  The sysctl.conf file allows you to configure various aspects of a FreeBSD computer. This includes many
#  advanced options of the TCP/IP stack and virtual memory system that can dramatically improve
#  performance.
#
#  Prevent users from seeing information about processes that are being run under another UID.
#
echo 'security.bsd.see_other_uids=0' >> /etc/sysctl.conf
#
#  Generate a random ID for the IP packets as opposed to incrementing them by one.
#
echo 'net.inet.ip.random_id=1' >> /etc/sysctl.conf
#
#  This will discover dead connections and clear them.
#
echo 'net.inet.tcp.always_keepalive=1' >> /etc/sysctl.conf
#
#  Enabling blackholes for udp and tcp will drop all packets that are received on a closed port and will not
#  give a reply.
#
echo 'net.inet.tcp.blackhole=2' >> /etc/sysctl.conf
echo 'net.inet.udp.blackhole=1' >> /etc/sysctl.conf
#
##################################################################
##################################################################
#
#  The TCP/IP stack controls the communication of the computer on a data network.  sysctl(8) only
#  changes the running kernel, so each value is also appended to /etc/sysctl.conf to survive a reboot.
#
#  Disable ICMP broadcast echo replies.  Answering them lets the computer be used as an amplifier
#  in a Smurf attack.
#
sysctl net.inet.icmp.bmcastecho=0
echo 'net.inet.icmp.bmcastecho=0' >> /etc/sysctl.conf
#
#  Do not send ICMP redirects.  Accepting redirects, which could let an attacker corrupt the routing
#  table, is already disabled by icmp_drop_redirect in rc.conf above.  Note that the IPv6 knob lives
#  under net.inet6, not net.inet.
#
sysctl net.inet.ip.redirect=0
sysctl net.inet6.ip6.redirect=0
echo 'net.inet.ip.redirect=0' >> /etc/sysctl.conf
echo 'net.inet6.ip6.redirect=0' >> /etc/sysctl.conf
#
#  Disable ICMP address mask replies.  They let an attacker learn the netmask and thus details of
#  your network layout.
#
sysctl net.inet.icmp.maskrepl=0
echo 'net.inet.icmp.maskrepl=0' >> /etc/sysctl.conf
#
#  Disable IP source routing.  Source-routed packets let attackers spoof addresses that you normally
#  trust as internal hosts.
#
sysctl net.inet.ip.sourceroute=0
sysctl net.inet.ip.accept_sourceroute=0
echo 'net.inet.ip.sourceroute=0' >> /etc/sysctl.conf
echo 'net.inet.ip.accept_sourceroute=0' >> /etc/sysctl.conf
#
##################################################################
##################################################################
#
#  Disable users from having access to configuration files.
#
#  /etc/group and /etc/hosts are deliberately left world-readable: unprivileged programs read them
#  directly (group name lookups for ls -l and id, host name resolution), so "chmod o=" on them breaks
#  ordinary use rather than hardening anything.
#
chmod o= /etc/fstab
chmod o= /etc/ftpusers
chmod o= /etc/hosts.allow
chmod o= /etc/hosts.equiv
chmod o= /etc/hosts.lpd
chmod o= /etc/inetd.conf
chmod o= /etc/login.access
chmod o= /etc/login.conf
chmod o= /etc/newsyslog.conf
chmod o= /etc/rc.conf
chmod o= /etc/ssh/sshd_config
chmod o= /etc/sysctl.conf
chmod o= /etc/syslog.conf
chmod o= /etc/ttys
#
##################################################################
##################################################################
#
#  Enable root as the only account with the ability to schedule jobs.
#
echo "root" > /var/cron/allow
echo "root" > /var/at/at.allow
chmod o= /etc/crontab
chmod o= /usr/bin/crontab
chmod o= /usr/bin/at
chmod o= /usr/bin/atq
chmod o= /usr/bin/atrm
chmod o= /usr/bin/batch
#
##################################################################
##################################################################
#
#  Secure the root directory contents to prevent viewing.
#
chmod 710 /root
#
##################################################################
##################################################################
#
#  Disable user from having access to the system log file directory.
#
chmod o= /var/log
#
##################################################################
##################################################################
#
#  Merge all temporary file directories.
#
#  A single directory should be used for temporary files, not two.
#  The /var/tmp directory will be replaced with a link to /tmp.
#
#  Caveat: hier(7) defines /var/tmp as persistent across reboots (vi(1) recovery files live there),
#  while /tmp is not, and clear_tmp_enable above empties /tmp at every boot.  The link removes that
#  distinction, so skip this step if anything relies on /var/tmp surviving a reboot.
#
mv /var/tmp/* /tmp/
rm -rf /var/tmp
ln -s /tmp /var/tmp
#
##################################################################
##################################################################
#
#  Enable the use of blowfish password encryption for enhanced password security.
#
#  Note: FreeBSD 9.1 and later already default to passwd_format=sha512, which is at least as strong,
#  and /etc/auth.conf is obsolete, so this step can be skipped on a current system.
#
##########
##########
##
##  (#indicates a typed command.)
##
##  Manually edit /etc/auth.conf
##  # nano /etc/auth.conf
##
##  The following lines needs to be added to the /etc/auth.conf file
##  crypt_default=blf
##
##  Manually edit /etc/login.conf
##  # nano /etc/login.conf
##
##  The password format must be changed from md5 to blf.
##  passwd_format="blf"
##
##########
##########
#
##################################################################
##################################################################
#
#  Secure FreeBSD in single user mode
#
##########
##########
##
##  (#indicates a typed command.)
##
##  Edit the /etc/ttys file:
##  # nano /etc/ttys
##
##  Find this line in the /etc/ttys file
##  console none  unknown off secure
##
##  change the secure to insecure
##  console none  unknown off insecure
##
##  Insecure indicates that the console can be accessed by unauthorized persons, and is not
##  secure.
##
##  After rebooting and entering single user mode, the user will be prompted for a password to
##  gain access to the shell prompt.
##
##########
##########
#
##################################################################
##################################################################
#
#  Installing and configuring the Network Time Protocol service.
#
##########
##########
##
##  This will enable ntpdate, which will keep the computer date/time correct.
##
##  (#indicates a typed command.)
##
##  Manually edit /etc/rc.conf
##  # nano /etc/rc.conf
##
##  The following line needs to be placed in the /etc/rc.conf file
##  ntpdate_enable="YES"
##
##  Select the appropriate ntp server for your location.
##  psp2.ntp.org/bin/view/Servers/WebHome
##
##  Manually edit /etc/ntp.conf
##  # nano /etc/ntp.conf
##
##  The following lines need to be added to the file:
##  (Based upon the ntp server preferences you selected from the list.)
##
##  server ntplocal.example.com prefer
##  server timeserver.example.org
##  server ntp2a.example.net
##  driftfile /var/db/ntp.drift
##
##  The server option specifies which servers are to be used, with one server listed on each
##  line. If a server is specified with the prefer argument, as with ntplocal.example.com, that
##  server is preferred over other servers. A response from a preferred server will be
##  discarded if it differs significantly from other servers' responses, otherwise it will be used
##  without any consideration to other responses. The prefer argument is normally used for
##  NTP servers that are known to be highly accurate, such as those with special time
##  monitoring hardware.
##
##  The driftfile option specifies which file is used to store the system clock's frequency offset.
##
##########
##########
#
##################################################################
##################################################################
#
echo  "End of script."
#

Source:
https://jonlabelle.com/snippets/view/shell/freebsd-system-hardening-script

Please don't run this blindly; it contains a few items that may not make sense. It's a nice reference that one could (and in my opinion should) work through step by step.

Addendum: please use a separate guide for disabling sendmail; I don't know how badly that affects the system.
 
Hmm,

I'm with you on the syslogd_flags.

The following values, however, are already disabled in /etc/defaults/rc.conf and therefore only need to be commented out in /etc/rc.conf, or not set at all:
Code:
nfs_server_enable
nfs_client_enable
inetd_enable
sshd_enable

portmap_enable does not exist as a variable at all.

ntpdate_enable does NOT enable the ntp daemon; it runs ntpdate once at boot time.
Better is
Code:
ntpd_enable="YES"
ntpd_sync_on_start="YES"

Rob
 
On the shell:

Code:
bsdinstall hardening

Afterwards you will find the generated files in:

Code:
/tmp/bsdinstall_etc/

You can then copy the settings over manually.
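As an added example for the last step above (not from the thread, from bsdinstall(8) or from the posted hardening script), here is a small POSIX sh helper that folds the key=value lines of a generated fragment into an existing /etc/rc.conf or /etc/sysctl.conf: it appends only keys that are missing and reports keys already present with a different value instead of silently overriding them, which is exactly the situation on a box migrated from 10 to 11 that already carries local tuning. The sample fragment and target file are constructed inline; their names and contents are assumptions, since the thread only names the directory /tmp/bsdinstall_etc/.

```shell
#!/bin/sh
# merge_conf: fold the key=value lines of a hardening fragment into an existing
# rc.conf/sysctl.conf-style file.  Added example for this thread; not part of
# bsdinstall(8) or of the posted hardening script.
#
# Assumptions: one "key=value" per line in both files (comments and blank lines
# are skipped), and the last assignment of a key in the target is the one that
# counts, as sh(1) would see it.

# merge_conf FRAGMENT TARGET
#   Prints one line per fragment key:  added KEY | same KEY | conflict KEY (...)
#   Appends only keys that are missing from TARGET.  Never rewrites an existing
#   value: a differing value is reported as a conflict for the admin to resolve.
#   Exit status 0 if there were no conflicts, 1 otherwise.
merge_conf() {
    frag=$1 target=$2 conflicts=0
    [ -f "$target" ] || : > "$target"
    while IFS= read -r line || [ -n "$line" ]; do
        # strip leading whitespace, then skip blanks, comments and non-assignments
        line=${line#"${line%%[![:space:]]*}"}
        case $line in ''|'#'*) continue ;; esac
        case $line in *=*) ;; *) continue ;; esac
        key=${line%%=*}
        val=${line#*=}
        # escape the dots in sysctl names so they match literally in grep -E
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        cur=$(grep -E "^[[:space:]]*${esc}=" "$target" | tail -n 1)
        if [ -z "$cur" ]; then
            printf '%s\n' "$line" >> "$target"
            echo "added $key"
        elif [ "${cur#*=}" = "$val" ]; then
            echo "same $key"
        else
            echo "conflict $key (target has ${cur#*=}, fragment wants $val)"
            conflicts=1
        fi
    done < "$frag"
    return "$conflicts"
}

# Constructed stand-ins: a fragment like the ones bsdinstall hardening leaves
# under /tmp/bsdinstall_etc/ (the exact file names there are not given in the
# thread) and the sysctl.conf of a box migrated from 10 to 11 that already
# tunes one of the keys differently.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sysctl.conf.fragment" <<'EOF'
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
kern.randompid=1
EOF
    cat > "$dir/sysctl.conf" <<'EOF'
# local tuning kept from the FreeBSD 10 installation
security.bsd.see_other_uids=1
kern.randompid=1
EOF
    merge_conf "$dir/sysctl.conf.fragment" "$dir/sysctl.conf"
    echo "--- $dir/sysctl.conf after merge ---"
    cat "$dir/sysctl.conf"
    rm -rf "$dir"
}

demo
```

The demo reports see_other_uids as a conflict (the old tuning wins until you decide), appends see_other_gids and unprivileged_read_msgbuf, and leaves kern.randompid alone. Running it a second time appends nothing, so it is safe to re-run after editing. On FreeBSD itself, sysrc -f /etc/rc.conf name=value is the native way to set a single rc.conf key, and service sysctl reload applies a changed /etc/sysctl.conf without a reboot.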
 