These are general notes on hardening and maintaining FreeBSD.
Sept 2015
Subscribe to these mailing lists to keep abreast of releases and security alerts:
https://lists.freebsd.org/mailman/listinfo/freebsd-announce
https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
http://www.bsdnow.tv/tutorials/stable-current
-CURRENT is the bleeding edge. Analogous to Debian Unstable. Don’t use it unless we know why we need it (e.g. we’re doing FreeBSD development).
-STABLE is the main branch. It gets security updates, and some changes that have passed testing in CURRENT. Roughly analogous to Debian Testing.
-RELEASE is a snapshot of STABLE that gets stamped as a point release (e.g. 10.1). This is usually what we want to use. Roughly analogous to Debian Stable. RELEASE gets security updates and critical fixes, and gets them as packaged binaries through freebsd-update.
Binary updates (i.e. freebsd-update) are only available for RELEASE.
Note: unlike Debian, on FreeBSD the base system and the ports collection are separate, and are updated and maintained separately. Also, home directories live under /usr/home.
https://www.freebsd.org/doc/handbook/updating-upgrading.html
Assuming we’re using the stock kernel, we can do binary updates for our current version like:
# freebsd-update fetch
# freebsd-update install
If the kernel gets updated, restart the system.
If anything goes wrong, roll back the most recent updates with:
# freebsd-update rollback
Upgrade to a new version like:
# freebsd-update -r 10.2-RELEASE upgrade
# freebsd-update install
It’s strongly recommended to upgrade all packages/ports after a major version upgrade (kernel ABI changes tend to break third-party applications):
# pkg-static upgrade -f
# portmaster -af
# freebsd-update install
(If pkg is not already installed, run /usr/sbin/pkg and then pkg update.)
# pkg search foo
# pkg info foo
# pkg install foo
# pkg delete foo
# pkg autoremove
Updates:
# pkg update
# pkg upgrade
# pkg audit -F
(Download and extract the ports collection for the first time with portsnap fetch and portsnap extract.)
Keep the ports collection up to date with portsnap:
# portsnap fetch
# portsnap update
Find a port:
# whereis foo
foo: /usr/ports/whatever/foo
# cd /usr/ports
# make search name=foo
Install or de-install a port:
# cd /usr/ports/whatever/foo
# make config-recursive; make install; make clean
# make deinstall
Upgrade installed ports using portmaster:
# cd /usr/ports/port-mgmt/portmaster
# make install clean
# portmaster -a
Read the latest warnings in /usr/ports/UPDATING before updating ports (the latest entries are at the top of the file).
FreeBSD offers several firewall options. Use IPFW. https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
Turn it on in /etc/rc.conf:
firewall_enable="YES"
It offers a number of pre-defined firewall profiles. See /etc/rc.firewall. A reasonable choice for a stand-alone server is the client profile; put this in /etc/rc.conf and customize /etc/rc.firewall:
firewall_type="client"
Alternately, we can write our own rule set by setting this in /etc/rc.conf:
firewall_script="/etc/ipfw.rules"
Our /etc/ipfw.rules might look like this (see ipfw(8)):
#!/bin/sh
add="ipfw -q add"
# Start from an empty rule set
ipfw -q -f flush
pubip="10.0.1.55"
# Loopback: allow lo0, but reject loopback addresses arriving on other interfaces
$add 10 pass all from any to any via lo0
$add 20 deny all from any to 127.0.0.0/8
$add 30 deny ip from 127.0.0.0/8 to any
$add 40 deny ip from any to ::1
$add 50 deny ip from ::1 to any
# Already-established TCP sessions and fragments
$add 100 pass tcp from any to any established
$add 110 pass all from any to any frag
# Inbound ssh to our public address
$add 1000 pass tcp from any to $pubip 22 keep-state
# Outbound http/https
$add 1200 pass tcp from any to any 80 out keep-state
$add 1300 pass tcp from any to any 443 out keep-state
# Outbound DNS, NTP and SMTP from this host
$add 2000 pass udp from me to any 53 keep-state
$add 2050 pass tcp from me to any 53 keep-state
$add 2100 pass udp from me to any 123 keep-state
$add 2200 pass tcp from me to any 25
# Default deny for everything else
$add 65000 deny all from any to any
(We may want to use specific networks for some of these, particularly the rules for ssh and smtp.)
Restart ipfw and load the new rules like:
# service ipfw restart
We check the rules with:
# ipfw list
We may want to throttle logging by adding this to /etc/sysctl.conf:
net.inet.ip.fw.verbose_limit=5
Add our client key to ~/.ssh/authorized_keys.
Make sure root logins are disabled in /etc/ssh/sshd_config:
PermitRootLogin no
We don’t want password-only authentication. Use key-based auth or (on newer versions of sshd) key and password. Edit /etc/ssh/sshd_config:
PasswordAuthentication no
or
AuthenticationMethods publickey,password
Restart sshd:
# service sshd restart
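A small audit of the sshd_config settings above, added here as an example (not part of the original notes). It mimics how sshd reads the file: the first occurrence of a keyword wins, keywords are case-insensitive, and lines after the first Match block are conditional. It assumes the usual whitespace-separated "Keyword value" form and uses a constructed sample config.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an sshd_config for the
# settings above. sshd uses the FIRST occurrence of a keyword, keywords are
# case-insensitive, and anything after the first "Match" line applies only
# conditionally, so the scan stops there. Assumes whitespace-separated
# "Keyword value" lines (the usual form), not "Keyword=value".

# sshd_effective FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                  # conditional section
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# pubkey_required METHODS -> 0 when every space-separated alternative in an
# AuthenticationMethods value lists publickey (so "publickey,password" passes
# and "publickey,password password" does not); 1 if empty or otherwise
pubkey_required() {
    [ -n "$1" ] || return 1
    for alt in $1; do
        case ",$alt," in *,publickey,*) ;; *) return 1 ;; esac
    done
    return 0
}

# sshd_check FILE -> 0 if root logins are disabled and password-only
# authentication is impossible; otherwise prints each problem and returns 1
sshd_check() {
    _f="$1"; _rc=0
    _root=$(sshd_effective "$_f" PermitRootLogin)
    _pw=$(sshd_effective "$_f" PasswordAuthentication)
    _methods=$(sshd_effective "$_f" AuthenticationMethods)
    [ "$_root" = "no" ] || { echo "PermitRootLogin is '${_root:-unset}', want 'no'"; _rc=1; }
    if [ "$_pw" != "no" ] && ! pubkey_required "$_methods"; then
        echo "password-only login possible: PasswordAuthentication '${_pw:-unset}'," \
             "AuthenticationMethods '${_methods:-unset}'"
        _rc=1
    fi
    return $_rc
}

# Constructed sample: the first PermitRootLogin wins, so the later "no" is ignored
sample=$(mktemp)
printf '%s\n' '# constructed sshd_config' 'permitrootlogin yes' 'PasswordAuthentication yes' \
    'AuthenticationMethods publickey,password' 'PermitRootLogin no' > "$sample"
sshd_check "$sample" && echo "OK" || echo "needs hardening"
rm -f "$sample"
```

Point it at /etc/ssh/sshd_config after editing to confirm the settings actually took effect (a duplicate keyword higher up in the file silently overrides the one we added).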
We may also want to install sshguard (like fail2ban but with fewer dependencies):
# pkg install sshguard-ipfw
Add to /etc/rc.conf:
sshguard_enable="YES"
Start sshguard:
# service sshguard start
If we did not enable and configure ntp during install, do it now.
Configure the time zone:
# tzsetup
Add this to /etc/rc.conf:
ntpd_enable="YES"
ntpd_sync_on_start="YES"
Start ntpd:
# service ntpd start
https://www.freebsd.org/doc/handbook/mail.html
FreeBSD ships Sendmail. Its default config is reasonable.
If we don’t often log into this box as root, we must send important notifications to another email address that we do read.
Edit /etc/mail/aliases and add:
root: me@example.com
Run newaliases to update the aliases database.
See http://paulgorman.org/technical/freebsd-jails.txt
———————— Personal Preferences ————————
Useful packages to install: vim-lite sudo tmux git-lite curl
Use tcsh. Here’s a minimal .tcshrc:
set promptchars="%#"
set prompt = "--- %m %h %c %# "
setenv EDITOR vim
setenv VISUAL vim
setenv PAGER less
set autolist
alias l 'ls -FG'
alias la 'ls -FGa'
alias ll 'ls -FGlha'
alias h 'history 60 | sort -k2 | uniq -f2 | sort -bn'
setenv LSCOLORS "gxfxcxdxbxxggdabagacad"
bindkey "^W" backward-delete-word
After installing sudo, run visudo and uncomment this line:
%wheel ALL=(ALL) NOPASSWD: ALL
Make sure our user account is a member of the wheel group.