How to secure FreeBSD
Welcome to my FreeBSD hardening guide. FreeBSD is conservative and reasonably secure out of the box, but there is still plenty you can do to raise the security of a FreeBSD system above the stock level. That is the focus of this howto.
Harden the system
Change password hashing from MD5 to Blowfish: set passwd_format=blf in the default login class in /etc/login.conf. (This step matters on older releases; since FreeBSD 9.1 the stock default is sha512, which is also fine to keep.) Only passwords set after the change are hashed with the new scheme, so have existing users run passwd afterwards.
Now rebuild the login database:
# cap_mkdb /etc/login.conf
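To see which accounts still carry an old hash after the switch, here is an added example that is not part of the original page: it classifies the password field of each master.passwd entry by its crypt(3) prefix and lists the accounts still on MD5 or DES. It runs against a constructed sample file (the hashes in it are made up), so it is safe to try anywhere; on the real system point list_weak_hashes at /etc/master.passwd as root.

```shell
#!/bin/sh
# Added example: report accounts whose password hash predates the switch to
# Blowfish. FreeBSD's crypt(3) marks the scheme with a prefix: $1$ is MD5,
# $2a$/$2b$ are Blowfish, $5$/$6$ are SHA-256/SHA-512, and a bare 13-character
# hash is traditional DES. Changing passwd_format only affects passwords set
# from then on, so existing hashes stay weak until each user runs passwd(1).

# hash_format HASH -> print the name of the scheme the hash uses
hash_format() {
    case "$1" in
        '')                      echo empty ;;     # no password at all
        '*'*|'!'*)               echo locked ;;    # login disabled
        '$1$'*)                  echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo blowfish ;;
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;
        *)                       echo des ;;       # no prefix: traditional DES
    esac
}

# list_weak_hashes FILE -> print "user scheme" for accounts still on MD5 or DES
# (FILE is in master.passwd format: name:hash:uid:gid:class:change:expire:...)
list_weak_hashes() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        scheme=$(hash_format "$hash")
        case "$scheme" in md5|des) echo "$user $scheme" ;; esac
    done < "$1"
}

# write_sample_master_passwd FILE -> constructed master.passwd; the hashes are
# invented and only their prefixes matter for the classification
write_sample_master_passwd() {
    cat > "$1" <<'EOF'
# $FreeBSD$
root:$1$Rf5TWs1e$3Y7xXc1QDZq7K7gP9s0mS/:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$2b$04$abcdefghijklmnopqrstuuMQ7a0kZ9H8QzCv8sDyJ3x9mXyF4sYdK:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$saltsalt$9Ocq1VJFbPH1Z6nuh1iUu3HvLgF3n8GJ9zPz2BzP7aM:1002:1002::0:0:Bob:/home/bob:/bin/sh
legacy:abJnggxhB/yWI:1003:1003::0:0:Old account:/home/legacy:/bin/sh
EOF
}

# Demonstration on the constructed sample. On a real system run
#   list_weak_hashes /etc/master.passwd
# as root after the login.conf change and chase the users it lists.
tmp=$(mktemp)
write_sample_master_passwd "$tmp"
list_weak_hashes "$tmp"
rm -f "$tmp"
```

The sample deliberately mixes a locked system account and a SHA-512 hash with the two weak ones; only root (MD5) and legacy (DES) are reported, which is exactly the set that needs a password change.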
Add the following settings to /etc/sysctl.conf so they are applied at boot:
kern.securelevel=2
security.bsd.see_other_uids=0
security.bsd.stack_guard_page=1
net.inet.ip.random_id=1
see_other_uids=0 stops unprivileged users from seeing other users' processes, stack_guard_page keeps a guard page between a stack and the next mapping so that running the stack into adjacent memory faults instead of silently succeeding, and random_id randomises the IP ID field so it cannot be used to count or fingerprint a host's traffic. kern.securelevel is raised further in section 5; keep only one kern.securelevel entry in the file.
4. Set up and enable the firewall
I recommend the pf packet filter, which FreeBSD got from OpenBSD. It is good practice to filter on only one interface, typically the external one, and to leave loopback and internal interfaces unfiltered.
root@bsdbox:/root # vi /etc/pf.conf           # edit ruleset
root@bsdbox:/root # pfctl -nf /etc/pf.conf    # test ruleset (parse only, nothing is loaded)
root@bsdbox:/root # pfctl -f /etc/pf.conf     # apply ruleset
root@bsdbox:/root # pfctl -e                  # enable firewall
Make sure the ruleset passes the SSH session you are working from before running pfctl -e, or you lock yourself out. To have pf start at boot, add pf_enable="YES" to /etc/rc.conf.
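A ruleset that follows the one-interface advice, as an added example that is not the page's own pf.conf: it filters only on the external interface (em0 is an assumed name, pass the real one), drops everything inbound by default, admits SSH with a per-source rate limit that feeds a block table, and lets the host's own outbound traffic through statefully. The ruleset is wrapped in a shell function so it can be generated into a scratch file and syntax-checked with pfctl -n before it replaces /etc/pf.conf; the checker simply reports when pfctl is not available, so the generator can also be run off-box.

```shell
#!/bin/sh
# Added example: generate a minimal pf ruleset that filters on the external
# interface only, then syntax-check it with pfctl -n (when pfctl exists).
# "em0" below is an assumed interface name; pass the real one as argument 2.

# write_pf_conf FILE EXT_IF -> write the ruleset for EXT_IF to FILE
write_pf_conf() {
    sed "s/@EXT_IF@/$2/g" > "$1" <<'EOF'
# --- macros ---
ext_if = "@EXT_IF@"
tcp_services = "{ ssh }"

# --- tables ---
# sources that exceed the SSH rate limit land here and are blocked outright
table <bruteforce> persist

# --- options ---
# filter on the external interface only: loopback is never inspected
# (add internal interfaces to this list to leave them unfiltered as well)
set skip on lo0
set block-policy drop

# --- normalization ---
scrub in on $ext_if all

# --- filter rules (last matching rule wins unless it says "quick") ---
block in log on $ext_if all
block in quick on $ext_if from <bruteforce>

# SSH: at most 5 new connections per 30 s from one source; offenders go
# into <bruteforce> and all their existing states are flushed
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# answer pings
pass in on $ext_if inet proto icmp icmp-type echoreq keep state

# everything the host itself initiates may leave and get its replies back
pass out on $ext_if all keep state
EOF
}

# check_pf_conf FILE -> parse the ruleset without loading it; returns pfctl's
# status, or 0 with a notice when pfctl is absent (e.g. when run off-box)
check_pf_conf() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found, skipping syntax check of $1" >&2
    fi
}

# Usage: generate into a scratch file, check it, then install it yourself:
#   cp "$out" /etc/pf.conf && pfctl -f /etc/pf.conf && pfctl -e
# and add pf_enable="YES" to /etc/rc.conf so it comes up at boot.
out=${TMPDIR:-/tmp}/pf.conf.new
write_pf_conf "$out" em0
check_pf_conf "$out"
echo "ruleset written to $out"
```

The order of the sections (macros, tables, options, normalization, filter rules) is the one pf.conf(5) expects; the quick block on the bruteforce table is placed before the SSH pass rule so that a blocked source never reaches it.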
5. Kernel security
To carve the firewall ruleset in stone, raise the kernel securelevel to 3:
sysctl kern.securelevel=3
At securelevel 3 the kernel no longer accepts changes to the packet filter rules (pf only answers read-only ioctls above level 2), on top of the restrictions of the lower levels: no loading of kernel modules, no writing to /dev/mem, /dev/kmem or raw disk devices, no clearing of the schg and sappnd file flags, and the clock may not be moved by more than a second. A securelevel can only go up on a running system; the only way back down is dropping to single-user mode, so test the ruleset before you freeze it. To make the setting permanent, add it to /etc/sysctl.conf and it is set at boot time:
root@bsdbox:/root # echo 'kern.securelevel=3' >> /etc/sysctl.conf
Two caveats. First, this appends a second kern.securelevel line if you already put kern.securelevel=2 into the file above; replace that entry instead of adding one. Second, /etc/sysctl.conf is processed early in the boot sequence, before the pf rc script loads the pf module and the ruleset, and both of those are refused at securelevel 3. The supported way is kern_securelevel_enable="YES" and kern_securelevel="3" in /etc/rc.conf, which the securelevel rc script applies only after the firewall scripts have run.
6. Monitor security updates of installed ports
Install portaudit from the ports collection to be told when an installed port needs a security fix; it compares the installed versions against the FreeBSD VuXML vulnerability database.
root@bsdbox:/root # cd /usr/ports/ports-mgmt/portaudit
root@bsdbox:/usr/ports/ports-mgmt/portaudit # make install clean
On current releases portaudit has been retired from the ports tree and the same check is built into pkg: run pkg audit -F, where -F fetches a fresh copy of the database before checking.
7. Know which TCP and UDP ports are open
A fresh FreeBSD install listens on very little (sshd if you enabled it, sendmail's local submission agent, syslogd's UDP socket), but as soon as you add a web or mail service that changes. To see which ports are open and which process owns them, use
root@bsdbox:/root # sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    7620  5  udp4   127.0.0.1:53          *:*
unbound  unbound    7620  6  tcp4   127.0.0.1:53          *:*
root     sendmail   831   3  tcp4   127.0.0.1:25          *:*
root     sshd       803   4  tcp4   *:22                  *:*
root     syslogd    677   7  udp4   *:514                 *:*
sockstat -4l displays listening IPv4 sockets. You can also use sockstat -6l to display listening IPv6 sockets, sockstat -46l for both, or just sockstat -l for everything including Unix-domain sockets.
In my example, unbound and sendmail cannot be reached from the network because they are bound to localhost (127.0.0.1), but sshd and syslogd are bound to the wildcard address and are reachable from wherever the firewall rules let traffic in. If the box does not need to receive remote syslog messages, set syslogd_flags="-ss" in /etc/rc.conf so syslogd opens no network socket at all; the default "-s" only refuses remote messages but still binds the port.
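To turn that listing into the set of sockets that are actually reachable from the network, here is an added shell example that is not part of the original page. It keeps only inet listeners whose local address is not loopback; the sample it parses is the listing above plus two constructed IPv6 lines (sshd on the tcp6 wildcard, unbound on ::1), and on a FreeBSD host it runs the live sockstat -46l instead.

```shell
#!/bin/sh
# Added example: report listening sockets bound to something other than
# loopback, i.e. reachable from the network unless the firewall blocks them.
# Input is the output of "sockstat -46l" on stdin.

# exposed_listeners <sockstat-output -> "proto local-address command user"
# for every inet listener not bound to 127.x.x.x or ::1
exposed_listeners() {
    awk '
        NR == 1 { next }                      # column header
        $5 ~ /^(tcp|udp)[46]$/ {
            addr = $6
            sub(/:[^:]*$/, "", addr)          # strip the :port suffix
                                              # (an IPv6 address keeps its inner colons)
            if (addr ~ /^127\./ || addr == "::1") next
            printf "%s %s %s %s\n", $5, $6, $2, $1
        }'
}

# sample_sockstat -> constructed listing: the lines from the text above plus
# two IPv6 sockets that were not in the original output
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    7620  5  udp4   127.0.0.1:53          *:*
unbound  unbound    7620  6  tcp4   127.0.0.1:53          *:*
unbound  unbound    7620  7  udp6   ::1:53                *:*
root     sendmail   831   3  tcp4   127.0.0.1:25          *:*
root     sshd       803   4  tcp4   *:22                  *:*
root     sshd       803   5  tcp6   *:22                  *:*
root     syslogd    677   7  udp4   *:514                 *:*
EOF
}

# Live listing on FreeBSD, the constructed one everywhere else.
if [ "$(uname -s)" = FreeBSD ] && command -v sockstat >/dev/null 2>&1; then
    sockstat -46l | exposed_listeners
else
    sample_sockstat | exposed_listeners
fi
```

For the sample this prints sshd on tcp4 and tcp6 port 22 and syslogd on udp4 port 514; everything bound to 127.0.0.1 or ::1 is dropped from the report. Anything it lists should either be wanted, be covered by a pf rule, or be rebound to localhost.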
Audit your system
For further advice, install and run an open source security auditing tool like Lynis:
root@bsdbox:/root # pkg install security/lynis
root@bsdbox:/root # lynis audit system
(On the old 1.x releases the scan was started with plain lynis.) Lynis checks far more than this guide covers, from file permissions and kernel settings to the configuration of the services it finds, and ends with a list of suggestions ranked by severity.
Did you know?
Did you know the HardenedBSD project? It is a side project that focuses on FreeBSD security by bringing ASLR and DEP to FreeBSD. Until a complete patch is finished, reviewed and accepted by the FreeBSD maintainers, a lot of time will go by. I recommend that you help test HardenedBSD and share your experience with the community.
Your feedback is encouraged. Let me know what you think is missing, what I should add, or even what you liked and found helpful.