This documentation was written for FreeBSD 3.4, so it may need to be adapted for later versions of FreeBSD; in particular the line numbers given below are approximate and will drift between releases.
It is assumed that no additional daemons, such as apache or tftp, have been installed.
To begin:
First file: /etc/rc.network
Comment out the portmap line (approx. line 292); this is the command that starts portmap when the system boots. portmap is the Sun RPC port mapper used by NFS and the other RPC services, and it has a long record of network attacks, so it should not run on a machine that is neither an NFS server nor an NFS client. Putting a # at the beginning of the line tells the shell running this script to ignore the command. (The rc scripts read /etc/rc.conf, and setting portmap_enable="NO" there has the same effect without editing a file that an upgrade will replace; the same goes for inetd_enable and sendmail_enable below.)
Second file: /etc/rc
Comment out the command that starts inetd (approx. line 316). inetd listens on the well-known ports and launches the matching service (telnet, finger, ftp, echo, ...) whenever someone connects; these services are old, mostly cleartext, and have a long record of bugs. Disabling inetd removes the whole set at once. That forces people to use encrypted connections (ssh, installed below) to our machines, so their passwords cannot be snooped by someone listening on the network; think about that the next time you log in from some foreign network. It also means an as yet unknown bug in any of those services cannot be used to attack our systems, so there are fewer components whose security bugs we have to worry about. If you later need one of these services, enable just that one in /etc/inetd.conf rather than the whole set.
Comment out the command that starts sendmail (approx. line 328); this starts sendmail as a daemon listening on port 25 so that the machine can receive mail. sendmail has a long history of remotely exploitable bugs, and a machine that has no business accepting mail should not expose it to the network, so disabling the daemon closes that listener. We have a central mail server (oceana.nlanr.net) where you can get your mail, so we prefer that you not receive mail on your local machine. You can still send mail from your local machine (for example a file you don't want to scp): your mail client runs the sendmail binary once per message to deliver it, which does not need the daemon. You can verify that the mail left your system with the mailq command. If for some reason mail is stuck in the queue for a long time, run sendmail -q once as root to flush it; do not start it in daemon mode (-bd), which would reopen port 25.
After all of that is done you have a secure system that is nearly impossible to use... the next step is to download and install ssh so that there is an encrypted way in.
connect to: ftp://ftp.cs.hut.fi/
find ssh, (probably in /pub/ssh)
get ssh-1.2.x.tar.gz (the x is the final version number, currently 27)
Be sure to get a version of ssh whose version number begins with 1, otherwise you will get an incompatible version (the 2.x releases speak a different protocol). Within the 1.2 series get the newest release, or you will build known security holes into your system. Check the tarball against the signature or checksum published alongside it before building: you fetched it over plain FTP, and the daemon built from it runs as root. One caveat: the protocol these 1.2.x releases speak, SSH protocol 1, was later found to have cryptographic weaknesses, so where the machines you talk to support protocol 2 a protocol 2 implementation is the better choice. After you download it, you need to untar it.
tar xvzf ssh-1.2.x.tar.gz
then cd into the directory and run ./configure
then run make, and then, as root, make install
You have now installed ssh and can ssh to other machines. To let people ssh into your own system you also need the daemon to start at boot.
Create the file /etc/rc.local (which /etc/rc runs near the end of the boot if it exists) and put this line in it:
echo -n " sshd"; /usr/local/sbin/sshd
then save the file. sshd needs the host key that make install generates (/etc/ssh_host_key by default); if that file is missing, create it as root with ssh-keygen -f /etc/ssh_host_key -N '' before rebooting, or sshd will not start.
That should be everything. When you reboot you should be running a system with no excess daemons and ssh installed. Check what is running with ps -ax: portmap, inetd and sendmail should be gone and sshd should be there. Then check what is actually reachable from the network with netstat -an: tcp port 22 should be the only entry in LISTEN state, and any other listening socket belongs to a daemon this guide did not cover and deserves a look.
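The checks in that last step, written up as a script. This is an added example and not part of the original page: it reads the output of ps -ax and netstat -an, and the text of an rc script, from stdin, so the same functions can be run over the constructed samples embedded at the bottom (made up for the example, not captured from a real host). The active_starts check assumes the start-up lines name the daemon as a plain command word, as the lines the guide tells you to comment out do.

```shell
#!/bin/sh
# Post-hardening audit for the procedure above (added example, not from the page).
# Every check reads text on stdin, so on a real box you would run
#   ps -ax | unwanted_daemons
#   netstat -an | unexpected_listeners
#   active_starts < /etc/rc
# Here the same functions run over constructed samples.

# Names of the three daemons the guide turns off, if they show up in `ps -ax`.
unwanted_daemons() {
    awk '{
        cmd = $5                      # COMMAND column of: PID TT STAT TIME COMMAND
        sub("^.*/", "", cmd)          # /usr/sbin/inetd           -> inetd
        sub(":.*$", "", cmd)          # "sendmail: accepting ..." -> sendmail
        gsub("[()]", "", cmd)         # (portmap), as ps prints swapped-out procs
        if (cmd == "portmap" || cmd == "inetd" || cmd == "sendmail") print cmd
    }' | sort -u | xargs echo
}

# Sockets from `netstat -an` that are open to the network, except sshd on tcp/22.
# UDP has no LISTEN state, so every bound UDP socket is reported.
unexpected_listeners() {
    awk '($1 == "tcp" && $NF == "LISTEN") || $1 == "udp" {
        port = $4                     # Local Address, e.g. *.111 or 10.0.0.5.111
        sub("^.*\\.", "", port)       # keep what follows the last dot
        if ($1 == "tcp" && port == "22") next
        print $1 "/" port
    }' | sort -u | xargs echo
}

# Daemons still started by the rc script on stdin: a non-comment line that runs
# portmap, inetd or sendmail as a command word (assumption: invocations look
# like the lines the guide tells you to comment out).
active_starts() {
    awk 'BEGIN { split("portmap inetd sendmail", want, " ") }
         $1 ~ /^#/ { next }           # whole line commented out
         {
             line = " " $0 " "        # pad so the word test works at both ends
             for (i in want)
                 if (match(line, "[ \t;/]" want[i] "[ \t;]")) print want[i]
         }' | sort -u | xargs echo
}

# Constructed samples (not captured from a real host).
SAMPLE_PS_BEFORE='  PID  TT  STAT      TIME COMMAND
    1  ??  ILs    0:00.03 /sbin/init --
   45  ??  Is     0:00.02 (portmap)
   52  ??  Is     0:00.01 /usr/sbin/inetd
   60  ??  Is     0:00.05 sendmail: accepting connections (sendmail)
   80  ??  Is     0:00.05 /usr/local/sbin/sshd'
SAMPLE_PS_AFTER='  PID  TT  STAT      TIME COMMAND
    1  ??  ILs    0:00.03 /sbin/init --
   28  ??  Ss     0:00.40 syslogd
   80  ??  Is     0:00.05 /usr/local/sbin/sshd
  110  v0  Is+    0:00.02 /usr/libexec/getty Pc ttyv0'
SAMPLE_NETSTAT_BEFORE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  10.0.0.5.22            10.0.0.9.1043          ESTABLISHED
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.111                  *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN
udp        0      0  *.111                  *.*'
SAMPLE_NETSTAT_AFTER='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  10.0.0.5.22            10.0.0.9.1043          ESTABLISHED
tcp        0      0  *.22                   *.*                    LISTEN'
# rc fragment: portmap line already commented out, inetd and sendmail still live.
SAMPLE_RC='#    echo -n " portmap"; portmap ${portmap_flags}
case ${inetd_enable} in
[Yy][Ee][Ss])
    echo -n " inetd";    inetd ${inetd_flags}
    ;;
esac
    echo -n " sendmail";    sendmail ${sendmail_flags}'

report() {
    printf 'daemons running      : %s\n' "$(printf '%s\n' "$1" | unwanted_daemons)"
    printf 'listeners besides ssh: %s\n' "$(printf '%s\n' "$2" | unexpected_listeners)"
}
echo "before hardening:"; report "$SAMPLE_PS_BEFORE" "$SAMPLE_NETSTAT_BEFORE"
echo "after hardening:";  report "$SAMPLE_PS_AFTER"  "$SAMPLE_NETSTAT_AFTER"
echo "rc script still starts: $(printf '%s\n' "$SAMPLE_RC" | active_starts)"
```

On the "before" samples the script names inetd, portmap and sendmail as running, and reports tcp/111, tcp/25 and udp/111 as open besides ssh; on the "after" samples both lists are empty, and the rc fragment still starts inetd and sendmail because only the portmap line was commented out.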