Howto secure FreeBSD

Introduction

Welcome to my FreeBSD hardening guide. While FreeBSD is quite secure and conservative by default, there is enough you can do to improve security of your FreeBSD system beyond the standard level. That's the focus of this Howto.

Harden the system

1. /etc/login.conf

Change password hashing from MD5 to Blowfish:

:passwd_format=blf:\
Now rebuild the login database:
# cap_mkdb /etc/login.conf

2. /etc/sysctl.conf

kern.securelevel=2
security.bsd.see_other_uids=0
security.bsd.stack_guard_page=1
net.inet.ip.random_id=1

3. /etc/periodic.conf

daily_clean_tmps_enable="YES"

4. Setup and enable the firewall

I recommend to use the pf packet filter which FreeBSD got from OpenBSD. It's a good practice to only filter on one interface. Typically the external one.

root@bsdbox:/root # vi /etc/pf.conf      # edit ruleset
root@bsdbox:/root # pfctl -nf /etc/pf.conf  # test ruleset
root@bsdbox:/root # pfctl -f /etc/pf.conf   # apply ruleset
root@bsdbox:/root # pfctl -e            # enable firewall

5. Kernel security

To carve the firewall ruleset in stone, run sysctl kern.securelevel=3 in the shell. This prevents the kernel to overwrite the firewall ruleset once in securelevel 3. To make this setting permanent, add it to /etc/sysctl.conf and it's set right at boot time.

root@bsdbox:/root # echo 'kern.securelevel=3' >> /etc/sysctl.conf

Software security

6. Monitor security updates of installed ports

Install portaudit from the ports collection to monitor your installed port if a securty fix is needed.

root@bsdbox:/root # cd /usr/ports/ports-mgmt/portaudit
root@bsdbox:/usr/ports/ports-mgmt/portaudit # make install clean

7. Know which tcp and udp ports are open

FreeBSD by default has no applications that open ports, but adding a web- and/or mailservice, this changes. To know what ports are opened by which process use sockstat command.

root@bsdbox:/root # sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS    
unbound unbound 7620 5 udp4 127.0.0.1:53 : unbound unbound 7620 6 tcp4 127.0.0.1:53 : root sendmail 831 3 tcp4 127.0.0.1:25 : root sshd 803 4 tcp4 :22 : root syslogd 677 7 udp4 :514 :
sockstat -4l displays listening IPv4 sockets. You can also use sockstat -6l to display listening IPv6 sockets or even just sockstat -l for both IPv4 and IPv6 sockets.

Here in my example, unbound and sendmail cannot be reached from the network because the services are bound to localhost (127.0.0.1), but sshd and syslogd could be reached. Depends on your firewall rules.

Audit your system

For further advice you can install and run an open source security auditing tool like Lynis.

# pkg install security/lynis
root@bsdbox:/root # lynis

Did you know?

Did you know the HardenedBSD project? This is a side project that focusses on FreeBSD security by bringing ASLR and DEP to FreeBSD. Until a complete patch is finished, reviewed and accepted by the FreeBSD maintainers, a lot of time will go by. I recommend you to help testing HardenedBSD and share your experience with the community.

Feedback

Your feedback is encouraged. Let me know what do you think is missing, what I should add or even you liked and what was helpful.