注:写的不错 , 虽然只是提纲 , 看了会有所收获 。
BSD security fundamentalsSean Lewis
sml@subterrain.net
http://www.subterrain.net
Scope and Scale
Focus: FreeBSD – enterprise hardware supportmost ‘mainstream" ?
Security refreshersome new and interesting BSD security information.
Emphasis on host-based security, one of the first layers of the security ‘onion".
The Basics
If modifying an existing system, MAKE BACKUPS!
Unnecessary services – prune /etc/inetd.conf and rc.conf – ‘explicit service enable". 4.4-R = safer inetd.conf
Work with the latest version of the OS – tracking STABLE or the new RELEASE branch is recommended.
Encrypted communication
Immediately disable telnet and use SSH – OpenSSH is included in FreeBSD installation.
Use the sftp server function built into the ssh2 protocol rather than a standard ftpd.
Set up public key authentication with SSH to prevent passWord transmission.
File-system lockdown
Mount non /usr or / [for /sbin] filesystems with the ‘nosuid" argument, especially /tmp.
Search for and remove the suid bits off of non-used binarIEs [especially uucp – setgid]
Use the chflags to set variables such as sappnd on log files, schg on system binaries, etc.
Kernel Securelevels
Kernel securelevels allow variable security level increases on the fly.
Levels range from –1 -> 3, -1 and 0 being “insecure mode”.
Securelevels may only be raised, not lowered once the system is in multiuser mode.
Securelevels controlled via sysctl controls.
Securelevel 1 – sappnd and schg flags can not be disabled – LKMs may not be loaded / unloaded.
Securelevel 2 – securelevel 1no writing to disks except for mount(2). Time changes also clamped to 1sec.
Securelevel 3 – securelevel 2ipfw rules cannot be modified.
Schg on files in / for maximum effectiveness
Sysctl/rc.conf variables
net.inet.tcp.blackhole=2 and net.inet.udp.blackhole=1 – don"t generate RSTs on portscan, replaces RESTRICT_RST.
kern_securelevel_enable=“YES” kern_securelevel=“X”
icmp_drop_redirect=“YES”
fsck_y_enable=“YES”
Secure your services
Start potentially dangerous programs such as bind in a chroot"d environment.
Log_in_vain=“YES” in rc.conf will show connections to tcp/udp ports with no service bound to them.
Use packet filtering software such as ipfw or ipfilter to restrict access to services.
Serving files with ftpd
FreeBSD powers large ftp software sites such as ftp.cdrom.com - securely!
Put individual users in the /etc/ftpchroot file to restrict them to their $HOME.
Start ftpd with –l –l [twice] to enable extended logging.
If running a large anonymous archive, use ftpd –A [only anonymous allowed] and –r [read-only mode for the server].
Serving web pages with apache
Why apache? Reliable, widely-used, runs in a relatively secure fashion.
Run httpd processes as non-root user, ‘nobody" is default, creating ‘www" user may offer more granularity.
Run apache in a jailed environment to limit access.
Use suEXEC to execute CGIs as a non-priveleged user.
Logging
Start syslogd with the ‘-s –s" flags to prevent it from opening 514/udp.
Add a /var/log/ftpd entry for ftp.* in syslog.conf.
Create a /var/log/security entry for security.* and auth.info syslog levels.
Enable ipfw logging to syslog.
Keeping people out.
Use tcp wrappers [/etc/hosts.allow] to allow/deny access to certain tcp-based services.
Use the AllowUsers/AllowGroups SSH configuration options to allow certain users and groups to connect via SSH.
Give users who only require ftp access the /sbin/nologin shell to prevent access to a real shell.
How to check your security
/usr/ports/security/nmap – port scan yourself to check for strange services.
/usr/ports/security/whisker – audit your web server for potential vulnerabilities.
/usr/ports/security/tripwire-1.31 – ASR of tripwire, file integrity assurance.
推荐阅读
- 从网络安装最新的FreeBSD-Stable
- 如何看FreeBSD的系统日志
- 猪场生物安全包括哪些
- 在 FreeBSD 安装 notebook PCMCIA 网路卡
- 1 FreeBSD 5.0中强制访问控制机制的使用与源代码分析
- 在freeBSD下编译linux kernel
- 1 FreeBSD handbook中文版 2 开始安装FreeBSD
- 如何在 FreeBSD 下压 MP3
- FreeBSD的起源
- FreeBSD其他相关系统和组织