When you get your raw FreeBSD server from your hosting provider, you will usually find it is very out of date and not very secure. Our very first step is to lock down the server.
1. Secure Access To Your Server
The first thing I like to do is restrict ssh access from the internet to a single non-root user account. You will be amazed when you check your logs how many people try to break into your server through the front ssh door, and root, admin and webmaster are the accounts most people try. So pick something obscure but easy to remember, e.g. red1978.
spike# adduser
- enter red1978 as the username and, when asked to Invite red1978 into other groups, enter wheel; membership of the wheel group is what allows red1978 to “su” to root.
spike# grep wheel /etc/group
wheel:*:0:root,red1978
Now red1978 is the only account that can “su - root” and enter the root password to become root.
We are still not quite secure, because people can still ssh in as root from outside.
edit /etc/ssh/sshd_config
and change the corresponding lines to the following
AllowUsers red1978
PermitRootLogin no
For the change to take effect run the following
/etc/rc.d/sshd reload
NOTE: Be very careful here and don’t log out of your current session.
If sshd won’t start you probably have an error in the configuration file; see below.
spike# /etc/rc.d/sshd start
Starting sshd.
/etc/ssh/sshd_config: line 45: Bad configuration option: AuthUsers <— should be AllowUsers
/etc/ssh/sshd_config: terminating, 1 bad configuration options
To verify, check your log, /var/log/messages, for entries like the following:
Jan 4 13:54:22 spike sshd[32339]: error: PAM: authentication error for illegal user red1978 from 192.168.1.42
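Two things are worth checking after this step: whether the file you just edited actually says what you meant, and what the log shows knocking at the door. The script below is an added example and not part of the original post. audit_sshd_config checks an sshd_config for the AllowUsers and PermitRootLogin settings above and for the AuthUsers typo from the error message, and failed_ssh_logins counts PAM authentication failures per user and source address from /var/log/messages lines in the format shown. The config fragments, hostnames, addresses and log lines are constructed samples.

```sh
#!/bin/sh
# Added example, not from the original post: two defender-side checks for the
# ssh lockdown above. Config fragments, hostnames, addresses and log lines are
# constructed samples; point the functions at the real files on your host.

# audit_sshd_config FILE
# Print findings and return 0 only when FILE sets "PermitRootLogin no", has an
# AllowUsers list and does not contain the AuthUsers typo from the post.
# sshd_config keywords are case-insensitive, so they are lower-cased first.
# Heuristic only: Match blocks and the "Key=value" spelling are not handled.
audit_sshd_config() {
    cfg="$1"
    rc=0
    norm=$(awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
                { k = tolower($1); $1 = ""; sub(/^[[:space:]]+/, ""); print k " " $0 }' "$cfg")
    allow=$(printf '%s\n' "$norm" | awk '$1 == "allowusers" { $1 = ""; sub(/^ /, ""); print }')

    if ! printf '%s\n' "$norm" | grep -q '^permitrootlogin no$'; then
        echo "FAIL: PermitRootLogin is not 'no', so root can be attacked directly"
        rc=1
    fi
    if [ -z "$allow" ]; then
        echo "FAIL: no AllowUsers directive, so every local account can log in over ssh"
        rc=1
    fi
    # The exact mistake in the post's error output; sshd refuses to start on it.
    if printf '%s\n' "$norm" | grep -q '^authusers '; then
        echo "FAIL: 'AuthUsers' is not an sshd keyword (did you mean AllowUsers?)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: root login disabled, ssh restricted to: $allow"
    return "$rc"
}

# failed_ssh_logins FILE
# Count sshd/PAM authentication failures per "user source" in a FreeBSD
# /var/log/messages, most frequent first. Handles both phrasings sshd uses:
#   "authentication error for illegal user X from Y" (account does not exist
#   or was rejected by the allow rules) and "authentication error for X from Y".
failed_ssh_logins() {
    awk '/sshd\[[0-9]+\]: error: PAM: authentication error for / {
            user = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = ($(i + 1) == "illegal") ? $(i + 3) : $(i + 1)
                if ($i == "from") src = $(i + 1)
            }
            if (user != "" && src != "") count[user " " src]++
         }
         END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Constructed sample files (documentation-range addresses, invented PIDs).
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
GOOD_CFG="$WORK/sshd_config.good"
BAD_CFG="$WORK/sshd_config.bad"
MESSAGES="$WORK/messages"

cat > "$GOOD_CFG" <<'EOF'
# the two settings from the post, with a couple of unrelated lines around them
Port 22
PermitRootLogin no
AllowUsers red1978
UsePAM yes
EOF

cat > "$BAD_CFG" <<'EOF'
PermitRootLogin yes
AuthUsers red1978
EOF

cat > "$MESSAGES" <<'EOF'
Jan  4 13:54:22 spike sshd[32339]: error: PAM: authentication error for illegal user admin from 203.0.113.7
Jan  4 13:54:25 spike sshd[32341]: error: PAM: authentication error for illegal user admin from 203.0.113.7
Jan  4 13:54:29 spike sshd[32343]: error: PAM: authentication error for root from 203.0.113.7
Jan  4 13:55:01 spike sshd[32350]: error: PAM: authentication error for illegal user webmaster from 198.51.100.20
Jan  4 13:55:40 spike sshd[32360]: Accepted keyboard-interactive/pam for red1978 from 192.168.1.42 port 50122 ssh2
EOF

echo "== audit of the corrected config"
audit_sshd_config "$GOOD_CFG"
echo "== audit of the config with the typo"
audit_sshd_config "$BAD_CFG" || echo "(non-zero exit: do not reload sshd with this file)"
echo "== authentication failures by user and source"
failed_ssh_logins "$MESSAGES"
```

On the real host, point the functions at /etc/ssh/sshd_config and /var/log/messages. Before running /etc/rc.d/sshd reload, sshd -t parses the file and reports the same “Bad configuration option” error without touching the running daemon, which is the safe way to avoid locking yourself out of the session you are working in.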
2. Upgrade Your OS to the latest version
Follow the steps on the freebsd.org website to update your operating system to the latest version. You will find the instructions in the release notes for the latest release.
It goes something like this.
# freebsd-update upgrade -r X.x-RELEASE
During this process, FreeBSD Update may ask the user to help by merging some configuration files or by confirming that the automatically performed merging was done correctly.
# freebsd-update install
The system must be rebooted with the newly installed kernel before continuing.
# shutdown -r now
After rebooting, freebsd-update needs to be run again to install the new userland components:
# freebsd-update install
At this point, users of systems being upgraded from FreeBSD 7.4-RELEASE or earlier will be prompted by freebsd-update to rebuild all third-party applications (e.g., ports installed from the ports tree) due to updates in system libraries.
After updating installed third-party applications (and again, only if freebsd-update printed a message indicating that this was necessary), run freebsd-update again so that it can delete the old (no longer used) system libraries:
# freebsd-update install
Finally, reboot into X.x-RELEASE:
# shutdown -r now
3. Upgrade port snapshot database
It is really important that you keep up with the latest patches to software, so let’s set this up.
Next, build the /var/db/portsnap database. This will take a long time depending on your host’s internet connection speed (the snapshot is about 50MB). The manual says you can disconnect from the internet and this will continue.
spike# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors… 4 mirrors found.
Fetching public key from portsnap2.FreeBSD.org… done.
Fetching snapshot tag from portsnap2.FreeBSD.org… done.
Fetching snapshot metadata… done.
Fetching snapshot generated at Fri Jan 4 09:34:18 XXX 2008:
a9579afcd7adc26b4946d0ac331d0f1d4c3330ec8cf540 77% of 50 MB 131 kBps 01m26s
…
Since this is the first time, we need to extract the ports directory structure. This will also take a long time to run.
spike# mkdir /usr/ports
spike# portsnap extract
If you do a ls /usr/ports you will see that a large tree of port directories has been installed. These are not the packages themselves, just Makefiles and the information on where to retrieve each package’s sources from.
4. Install some basic packages
First, it is important to make sure that, where possible, no graphics libraries are compiled into your packages, since you are building a server, not a desktop. To do this, add the following lines to /etc/make.conf. A number of other options that should be disabled on a server are included as well.
NO_X=true
WITHOUT_X11=true
NO_BLUETOOTH= true # do not build Bluetooth related stuff
NO_FORTRAN= true # do not build g77 and related libraries
NO_GDB= true # do not build GDB
NO_GPIB= true # do not build GPIB support
NO_I4B= true # do not build isdn4bsd package
NO_LPR= true # do not build lpr and related programs
NO_NIS= true # do not build NIS support and related programs
NO_SHAREDOCS= true # do not build the 4.4BSD legacy docs
NO_VINUM= true # do not build Vinum utilities
NO_ATM= true # do not build ATM related programs and libraries
NO_GAMES= true # do not build games (games/ subdir)
NO_PROFILE= true # Avoid compiling profiled libraries
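Appending these knobs blindly is easy to get wrong when some of them are already set, or sit commented out, from an earlier edit. The script below is an added example and not part of the original post: it checks a make.conf for each option listed above and appends only the ones that are missing, so it is safe to run more than once. It works on a constructed temporary copy; pass /etc/make.conf explicitly when you mean the real file.

```sh
#!/bin/sh
# Added example, not from the original post: idempotent check-and-fix for the
# server-only build knobs above. Everything here works on a constructed copy;
# pass /etc/make.conf explicitly to apply it to the real file.

# The options from the post in make.conf "KEY=value" form, whitespace removed.
SERVER_MAKE_OPTS="NO_X=true WITHOUT_X11=true NO_BLUETOOTH=true NO_FORTRAN=true
NO_GDB=true NO_GPIB=true NO_I4B=true NO_LPR=true NO_NIS=true NO_SHAREDOCS=true
NO_VINUM=true NO_ATM=true NO_GAMES=true NO_PROFILE=true"

# has_make_opt FILE KEY
# True if FILE contains an active (uncommented) assignment of KEY using any of
# make's assignment operators (=, ?=, +=, :=, !=), with optional whitespace.
has_make_opt() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*[?+:!]?=" "$1" 2>/dev/null
}

# missing_make_opts FILE
# Print one line per key from SERVER_MAKE_OPTS that FILE does not set (check mode).
missing_make_opts() {
    for opt in $SERVER_MAKE_OPTS; do
        key=${opt%%=*}
        has_make_opt "$1" "$key" || echo "$key"
    done
}

# ensure_make_opts FILE
# Append each missing option to FILE and print what was added (fix mode).
# A second run finds nothing missing and changes nothing.
ensure_make_opts() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    for opt in $SERVER_MAKE_OPTS; do
        key=${opt%%=*}
        if ! has_make_opt "$conf" "$key"; then
            echo "$opt" >> "$conf"
            echo "added $opt"
        fi
    done
}

# Demo on a constructed make.conf: two knobs already set (one with the post's
# "KEY= value" spacing) and one that is only commented out, so it must be added.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
DEMO_CONF="$WORK/make.conf"
printf 'NO_X=true\nWITHOUT_X11= true\n# NO_GAMES= true\n' > "$DEMO_CONF"

echo "missing before:"
missing_make_opts "$DEMO_CONF"
ensure_make_opts "$DEMO_CONF"
echo "missing after: $(missing_make_opts "$DEMO_CONF" | wc -l | tr -d ' ')"
```

The knob names are the ones from the post. On later FreeBSD releases the base-system build options are spelled WITHOUT_* and documented in src.conf(5), so check that page before relying on the NO_* forms.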
screen
screen is a must-have, as it may take hours to compile packages if you have not upgraded them in a while. The benefit of screen is that your work session keeps running if you lose your connection to the server while compiling.
hk# whereis screen
screen: /usr/ports/sysutils/screen
hk# cd /usr/ports/sysutils/screen
hk# make install
portmaster
portmaster handles package dependencies really nicely.
hk# whereis portmaster
portmaster: /usr/ports/ports-mgmt/portmaster
hk# cd /usr/ports/ports-mgmt/portmaster
hk# make install
ezjail
We will talk about jails in the next step. This package makes them easier to manage.
spike# whereis ezjail
ezjail: /usr/ports/sysutils/ezjail
spike# cd /usr/ports/sysutils/ezjail/
spike# make install
In the next part we will set up jails.
About Danny W Sheehan
Danny has over 25 years in the IT industry and loves to blog about how to setup computer software, hardware, electronics and gadgets in general.