System security is a topic that every administrator must pay attention to. Some people say, "There is no insecure system, only a lazy administrator." Every system may have vulnerabilities. When a security vulnerability is found, the issuing organization immediately releases an announcement and a fix; the responsibility of the system administrator is to always watch for vulnerabilities that need patching and to detect abnormal behaviour on the system.
This chapter describes FreeBSD system security in detail. After reading it, you will know about the following topics:
• Security items in basic system management.
• How to manage accounts securely.
• Network security management.
• How to fix vulnerabilities.
1 Overview
FreeBSD is a relatively secure operating system, but often the problem is not the operating system itself but the software installed on it. In FreeBSD the common case is a problem in software that is not written by the FreeBSD project but is included in ports; FreeBSD issues advisories for these as well. You should therefore check FreeBSD's security advisories at http://www.freebsd.org/security/index.html. When a problem is found, it can be fixed according to the correction method given in the published advisory.
Basically, as long as a computer is powered on the system is never entirely safe, let alone when it is connected to the network and providing services. The range of system security is wide: hardware security, personnel management, network planning and system management. We do not intend to explain how to develop a security policy, and we cannot describe every system security issue here; what we give is the author's suggestions for FreeBSD. For more information about FreeBSD security, refer to the FreeBSD Handbook. If you installed the doc distribution when installing FreeBSD, the Handbook is in /usr/share/doc and you can read it with lynx, for example:
# lynx /usr/share/doc/en_US.ISO8859-1/books/handbook/security.html
Tips
Lynx is not part of the FreeBSD base system. You must first install it from /usr/ports/www/lynx before using it.
System security is not limited to preventing intrusion by others; preventing internal system problems is equally important. The main concept is to let our system provide its services normally and to protect the information we do not want others to obtain. However, ensuring system security means restricting the use of certain functions at the cost of convenience. A system administrator is often criticized by users for imposing too many restrictions, so the job is not an easy one. Because of this, a responsible administrator must be highly vigilant and even paranoid about security.
Since system security is so important, before we describe the installation of various software and the setup of servers we first describe the precautions for system security. I hope that after reading this chapter you will have a clearer concept of system security.
2. System Management
2.1 Program execution path
Have you noticed that when we want to execute a program in the current directory, for example myscript.sh, we must type ./myscript.sh? That is because the directory "." is not in the default PATH. If "." is added to PATH, security problems can arise. For example, suppose a user creates a shell script named ls in /tmp whose content is rm -rf /usr, and "." has been added to the path. When root runs the ls command in /tmp, the consequences can be imagined. Therefore it is best to give the full path when running a command, such as /bin/ls, and to check whether "." is in the PATH of your shell settings:
# echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin
To prevent modification of important executables such as those in /bin and /sbin, we can set the schg flag on these files:
# chflags schg /bin/*
# chflags schg /sbin/*
Of course, after setting schg we also need to raise the kernel Security Level to 1 or above, so that even root cannot remove the flag. However, once schg is set we may be unable to run some commands, such as make world.
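The check described above, written as an added example that is not from the original text: it audits a PATH string for "." and for the less obvious forms that also mean the current directory (an empty component from a leading or trailing colon or "::"), and flags any other relative entry. The function names are the author of this example's own.

```shell
# Added example, not from the original text: check a PATH value for entries
# that make the shell search the current directory, the risk described above.
# Besides ".", an empty component (a leading or trailing colon, or "::") is
# searched as the current directory too, and any other relative entry is
# just as dangerous, so all of them are reported.
# Returns 0 when the PATH is clean and 1 when a risky entry was found.
path_is_clean() {
    p=$1
    # A leading or trailing colon is an invisible "." entry; make it visible.
    case $p in :*) p=".$p" ;; esac
    case $p in *:) p="$p." ;; esac
    # Split on ':' with word splitting; "::" yields an empty field.
    # set -f stops any '*' in the PATH from being glob-expanded.
    old_ifs=$IFS
    IFS=:
    set -f
    set -- $p
    set +f
    IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            ""|.|..) echo "risky PATH entry: current directory ($entry)"; return 1 ;;
            /*) ;;                     # absolute path: fine
            *)  echo "risky PATH entry (relative): $entry"; return 1 ;;
        esac
    done
    return 0
}

# Check the running shell's own PATH, as the text does with echo $PATH.
check_current_path() {
    path_is_clean "$PATH"
}
```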
2.2 Reduce software installation risks
We can find a lot of free software on the Internet, which makes the system more convenient to use, but it is hard to guarantee that none of it harms system security. Some software may have loopholes; even if no security problem is known before installation, defects may still be found later. Therefore we should try not to install miscellaneous software, and after installation we should update the software whenever a security problem is found. Basically, you had better download software from its official website to be safe.
Not all software works correctly. Do not install a new piece of software directly on an important server; it is best to test it first on a less important computer. In addition, pay attention to the reliability of the software's source. If the software provides an MD5 or PGP check, download and verify it before decompressing. When installing software, it is best to obtain the source code and compile it yourself (or install it with ports). We can browse the program code to understand its architecture, and read the Makefile to learn where the software will be installed, making sure first that the program will not create files where they should not appear.
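The "verify before decompressing" step above, as an added example that is not from the original text: the archive is compared against the published MD5 digest and is only unpacked when the digest matches. The function names, the archive name and the expected digest are the caller's; the example uses md5(1) on FreeBSD and md5sum(1) elsewhere.

```shell
# Added example, not from the original text: verify a downloaded archive
# against the MD5 checksum published by the project before unpacking it.
# Uses md5(1) on FreeBSD and md5sum(1) on systems without it.
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# Returns 0 only when the digest matches (case-insensitive), 1 otherwise.
# The archive is not touched here, so a mismatch never extracts anything.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Typical use: unpack only after the check passes.
extract_if_verified() {
    verify_md5 "$1" "$2" || {
        echo "checksum mismatch for $1, not extracting" >&2
        return 1
    }
    tar -xzf "$1"
}
```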
2.3 Kernel Security Level
FreeBSD has the so-called Security Level, which controls the core behaviour of the system. Only the superuser can raise the Security Level with a command, and it cannot be lowered while the system is running; to lower it you must set it in rc.conf and reboot. The meaning of each Security Level is as follows:
• -1: Permanently insecure mode. This is the default value; when set to -1 the system always runs at level 0.
• 0: Insecure mode. A user or root can use chflags to remove the immutable and append-only flags. All devices can be read or written according to their permissions.
• 1: Secure mode. The immutable and append-only flags cannot be removed. Kernel modules (LKMs) cannot be loaded or unloaded manually. /dev/mem and /dev/kmem are read-only, and newfs cannot be run on a mounted file system.
• 2: High secure mode. In addition to the restrictions of level 1, newfs is not allowed whether or not the disk is mounted. Changes to the time are limited to one second; beyond that the message "Time adjustment clamped to +1 second" appears.
• 3: Network secure mode. In addition to the same restrictions as level 2, the IP packet filtering rules (see ipfw and ipfirewall) cannot be adjusted, nor can the dummynet settings.
We can use sysctl to display or set the Security Level:
# sysctl kern.securelevel
If you want to set the Security Level to 1:
# sysctl -w kern.securelevel=1
When we set the Security Level to 1 or above, we will find that there is no way to install a new kernel (because the schg flag cannot be removed), and no way to use software such as big5con and X Window. If we use FreeBSD only as a server and do not need big5con or X Window, we can raise the Security Level a little.
If you want to set the Security Level at startup, add the following two lines to /etc/rc.conf:
kern_securelevel_enable="YES"   # whether to enable the Security Level
kern_securelevel="1"            # level from -1 to 3
2.4 View system records
In /var/log many kinds of system information are recorded, and we should check them regularly. These files are shown in the following table:
File        Usage
adduser     Records of users added with adduser.
cron        Records of cron scheduled jobs.
maillog     Mail records.
messages    System messages.
security    Security records, such as firewall logs.
In addition to the system records, if other services are provided, more log data will be generated.
If we have other programs that leave log files, it is best to configure regular rotation and compression in /etc/newsyslog.conf so the files do not grow too large. In addition, when setting the permission (mode) in newsyslog.conf, set the rotated log files to 600 to prevent other users from reading them.
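Two checks for the advice above, as an added example that is not from the original text: one reports log files whose mode is wider than 600, the other prints a newsyslog.conf line that rotates a log with mode 600. The directory and log name are parameters (on a real system /var/log and a file in it); the function names are this example's own.

```shell
# Added example, not from the original text: report log files under a
# directory whose mode is wider than the 600 recommended above (readable or
# writable by group or others). Returns 0 when clean, 1 when any were found.
find_open_logs() {
    # Symbolic -perm tests are understood by both BSD and GNU find.
    out=$(find "$1" -type f \( -perm -g+r -o -perm -o+r -o -perm -g+w -o -perm -o+w \) -print)
    [ -z "$out" ] && return 0          # nothing readable by others: clean
    printf '%s\n' "$out"
    return 1
}

# Fields follow newsyslog.conf(5): logfile mode count size when flags.
# Mode 600, keep 7 rotated copies, ignore size ("*"), rotate daily at
# midnight (@T00), bzip2 the old file (J) and create the log if missing (C).
newsyslog_line() {
    printf '%s\t600\t7\t*\t@T00\tJC\n' "$1"
}
```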
FreeBSD runs analysis tasks on a regular daily basis and mails the results to root. It is recommended that you read them every day. We can add the following line to the beginning of /etc/mail/aliases:
root: me@my.domain.com
Change me@my.domain.com to your own email address. After setting it, run newaliases to make the setting take effect. In this way all mail sent to root is automatically forwarded to the specified mailbox. Every day root receives the "daily run output" and "security check output" messages, which are the results of the scheduled jobs set in /etc/defaults/periodic.conf. Among the tasks run by daily, regular clearing of /tmp is not enabled by default; in principle the system cleans /tmp at startup. If we do not reboot often, we can enable daily /tmp cleanup in periodic.conf.
2.5 Data preservation
In the security protection of UNIX systems, the first line of defense is the physical security of the computer, preventing unrelated people from reaching the computer and its peripherals. If, unfortunately, an outsider does get close to the system, the second line of defense is password protection; we describe account protection in the next chapter. If a password is disclosed or cracked, there is a third line of defense, namely the user permission and file permission controls of UNIX: if a user account is compromised, we can restrict its scope of activity and access to resources. The fourth line of defense is to encode and protect important data, so that even if the data is stolen there is at least one more barrier. The last line of defense is data backup. We should have a sound backup plan at ordinary times, so that once a system error or destruction occurs it can at least be restored.
Let's talk about how to encrypt data. We can use the crypt command to encrypt our files. For example, to encrypt a file named myfile.txt with the key string mykey, producing the encrypted file myfile.cyp, use the following command:
# crypt mykey < myfile.txt > myfile.cyp
After it is encrypted you can delete myfile.txt. To decrypt it in the future, run:
# crypt mykey < myfile.cyp > myfile.out
crypt is a long-established encoding program. It is not actually very secure, but we can encrypt the file several times to strengthen it; just remember the keys you used:
# crypt mykey1 < myfile.txt | crypt mykey2 | crypt mykey3 > myfile.cyp
To decrypt myfile.cyp, simply reverse the order:
# crypt mykey3 < myfile.cyp | crypt mykey2 | crypt mykey1 > myfile.out
In addition to crypt, we can also use other good encoding programs such as pgp. pgp is not included in FreeBSD, but we can install it from ports:
# cd /usr/ports/security/pgp
# make install
After pgp is installed, we must first generate a key pair by running pgp -kg:
First, create a directory in your home directory to store the pgp keys.
$ mkdir ~/.pgp
$ pgp -kg
Pretty Good Privacy(tm) 2.6.3ia - Public-key encryption for the masses.
(c) 1990-96 Philip Zimmermann, Phil's Pretty Good Software.
International version - not for use in the USA. Does not use RSAREF.
Current time: 2004/04/27 18:05 GMT
Pick your RSA key size:
    1)   512 bits- Low commercial grade, fast but less secure
    2)   768 bits- High commercial grade, medium speed, good security
    3)  1024 bits- "Military" grade, slow, highest security
Choose 1, 2, or 3, or enter desired number of bits: 3 (the key length)
Generating an RSA key with a 1024-bit modulus.
You need a user ID for your public key. The desired form for this
user ID is your name, followed by your E-mail address enclosed in
angle brackets, if you have an E-mail address.
For example: John Q. Smith <12345.6789@compuserve.com>
Enter a user ID for your public key: (enter the user name)
John Chung
You need a pass phrase to protect your RSA secret key.
Your pass phrase can be any sentence or phrase and may have many
words, spaces, punctuation, or any other printable characters.
Enter pass phrase: (enter the pass phrase)
Enter same pass phrase again: (enter it again to confirm it is correct)
Note that key generation is a lengthy process.
We need to generate 944 random bits. This is done by measuring the
time intervals between your keystrokes. Please enter some random text
on your keyboard until you hear the beep:
(type some random characters on the keyboard until the counter reaches zero)
0 * -Enough, thank you.