FreeBSD Server Security Checklist

File System Security

There are certain files whose presence in the FreeBSD file system can present a security risk and should be remedied as soon as possible.

When the SUID (set user ID) or SGID (set group ID) bit is set on an executable, that program runs with the UID or GID of the file's owner rather than that of the user executing it. This means that every executable that has the SUID bit set and is owned by root runs with the UID of root. This is a security risk, and the number of such binaries should be kept to a minimum unless the program is specifically designed to run with elevated privileges.

To find all files on your file system that have the SUID or SGID bit set, execute:

    # find / -path /proc -prune -o -type f -perm +6000 -ls

It is a good practice to generate a list of SUID or SGID files on your server as soon as possible, and re-run the above command on a regular basis to ensure new binaries with unsafe permissions are not being added to your server.

World-writable files are a security risk as well. World-writable files and directories are dangerous because they allow anyone on the system to modify, add or delete files.

To find all world-writable files and directories, execute:

    # find / -path /proc -prune -o -perm -2 ! -type l -ls

Another file permission issue is files not owned by any user or group. While this is not technically a security vulnerability, an audited system should not contain any unowned files. This prevents the situation where a new user is assigned a previous user's UID, so that the previous owner's files, if any, silently become owned by the new user.

To find all files that are not owned by any user or group, execute:

    # find / -path /proc -prune -o \( -nouser -o -nogroup \) -ls
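The three checks above, wrapped into reusable shell functions as an added example (not part of the original checklist), including the "save a list now, re-run later" comparison the text recommends for SUID/SGID binaries. It assumes a POSIX find(1) (FreeBSD or GNU), so it spells the set-id test as `-perm -4000 -o -perm -2000` rather than the older `+6000` form; the function names are my own.

```shell
#!/bin/sh
# Added example: audit helpers for the file-system checks in this checklist.
# All output is sorted so it can be saved and diffed between runs.

# SUID/SGID regular files under $1 (portable alternative to -perm +6000).
list_setid() {
    find "$1" -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# World-writable files and directories under $1; symlinks are skipped
# because their mode is always 0777 and never grants access by itself.
list_world_writable() {
    find "$1" -path /proc -prune -o -perm -0002 ! -type l -print 2>/dev/null | sort
}

# Files with no known owner or group under $1. The parentheses matter:
# without them the implied -print would also fire for the pruned /proc.
list_unowned() {
    find "$1" -path /proc -prune -o \( -nouser -o -nogroup \) -print 2>/dev/null | sort
}

# Record the current SUID/SGID inventory ($1 = tree to scan, $2 = baseline file).
save_baseline() {
    list_setid "$1" > "$2"
}

# Print set-id files present now but absent from the baseline.
# Exit status 0 means new set-id binaries were found, 1 means none.
new_setid_since() {
    list_setid "$1" | comm -13 "$2" - | grep .
}
```

Run `save_baseline / /var/db/setid.baseline` once after installation, then schedule `new_setid_since / /var/db/setid.baseline` from cron and alert on a zero exit status.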

Network Security

To get a list of listening network ports, run the following:

    # sockstat -4 -l

Disable any ports that are not necessary. To do so, kill the PID shown in the sockstat output. The only port that your server must be listening on is SSH (22/tcp). Which other ports need to be listening depends on the specific purpose of your dedicated server. Note that killing the PID of a process does not prevent your server from starting the same service again on bootup. To disable services, see below.

FreeBSD utilizes the file /etc/rc.conf, as well as the /usr/local/etc/rc.d directory. The contents of rc.conf’s manpage will list all the programs that you can start and stop via rc.conf. Any file ending with the .sh file extension in the /usr/local/etc/rc.d directory will be executed upon startup. To disable any script from executing on startup, simply rename the file to another extension:

    # mv server-startup.sh server-startup.sh.disabled

User Security

The first thing you should take stock of is the users with unlocked accounts. Users with unlocked accounts are allowed to log in if they are assigned a valid shell, and should be kept to a minimum.

To get a list of unlocked users, execute the following:

    # egrep -v ':\*|:!' /etc/master.passwd | awk -F: '{print $1}'

If you do not recognize any user returned by the above command, check to see if that user owns any files by executing:

    # find / -path /proc -prune -o -user <user_name> -ls

If the user does not own any files, or files that will not hinder the stability of your server, delete the user by executing:

    # rmuser <user_name>

TCP/IP Hardening

The first two settings are rc.conf(5) variables and go in /etc/rc.conf; the net.inet.* entries are sysctl(8) MIBs and belong in /etc/sysctl.conf. Please note that changes will not take effect until a system restart.

    /etc/rc.conf:
    tcp_drop_synfin="YES"         # prevent OS fingerprinting
    icmp_drop_redirect="YES"      # drop ICMP redirects

    /etc/sysctl.conf:
    net.inet.tcp.blackhole=2      # blackhole TCP packets to closed ports
    net.inet.udp.blackhole=1      # blackhole UDP packets to closed ports
    net.inet.ip.rtexpire=2        # route cache expire
    net.inet.ip.rtminexpire=2     # minimum route cache expire

System Security

Clearing the /tmp directory on startup is a good practice, and should be implemented on any production server. In order to do so, add the following line to the file /etc/rc.conf:

    clear_tmp_enable="YES"