Τετάρτη, Οκτωβρίου 03, 2007

Securing FreeBSD ( 1 )

Login: root
password: password


# ee /usr/X11R6/bin/startx

CHANGE the following

serverargs=""
to
serverargs="-nolisten tcp"

Save and Quit [ esc a a ]



# ee /etc/mail/sendmail.cf

CHANGE the following

O DaemonPortOptions=Port=587, Name=MSA, M=E
to
#O DaemonPortOptions=Port=587, Name=MSA, M=E

Save and Quit [ esc a a ]


# killall -HUP sendmail


# ee /etc/ssh/sshd_config

CHANGE the following

#Protocol 2
to
Protocol 2

and CHANGE the following

#PermitRootLogin no
to
PermitRootLogin no

Save and Quit [ esc a a ]



# ee /etc/ttys

CHANGE the following

console none unknown off secure
to
console none unknown off insecure

Save and Quit [ esc a a ]


# touch /var/account/acct
# accton /var/account/acct
# echo 'accounting_enable="YES"' >> /etc/rc.conf
# echo "net.inet.tcp.blackhole=2" >> /etc/sysctl.conf
# echo "net.inet.udp.blackhole=1" >> /etc/sysctl.conf
# echo "net.inet.icmp.drop_redirect=1">> /etc/sysctl.conf
# echo "net.inet.icmp.log_redirect=0">> /etc/sysctl.conf
# echo "net.inet.ip.redirect=0">> /etc/sysctl.conf
# echo "net.inet.ip.sourceroute=0">> /etc/sysctl.conf
# echo "net.inet.ip.accept_sourceroute=0">> /etc/sysctl.conf
# echo "net.inet.icmp.bmcastecho=0">> /etc/sysctl.conf
# echo "net.inet.tcp.log_in_vain=1">> /etc/sysctl.conf
# echo "net.inet.udp.log_in_vain=1">> /etc/sysctl.conf
# echo "kern.ipc.somaxconn=1024">> /etc/sysctl.conf
# echo "net.link.ether.inet.max_age=600">> /etc/sysctl.conf
# echo "net.inet.tcp.sack.enable=0" >> /etc/sysctl.conf
# echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf
# echo "net.inet.ip.check_interface=1">> /etc/sysctl.conf
# echo "net.inet.tcp.syncookies=0" >> /etc/sysctl.conf
#echo "net.inet.icmp.maskrepl=0">> /etc/sysctl.conf


# ee /etc/sysctl.conf

CHANGE the following

# security.bsd.see_other_uids=0
to
security.bsd.see_other_uids=0

Save and Quit [ esc a a ]



# ee /etc/login.conf

CHANGE the following

:passwd_format=md5:\
to
:passwd_format=blf:\

Save and Quit [ esc a a ]


# cap_mkdb /etc/login.conf
# passwd username
# more /etc/master.passwd


# ee /etc/auth.conf

CHANGE the following

crypt_default = md5
to
crypt_default = blf

Save and Quit [ esc a a ]



Secure rc.conf

# ee /etc/rc.conf

sendmail_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
portmap_enable="NO"
update_motd="NO"
inetd_enable="NO"
clear_tmp_enable="YES"
accounting_enable="YES"
fsck_y_enable="YES"
syslogd_enable="YES"
syslogd_flags="-ss"


#reboot




Τρίτη, Οκτωβρίου 02, 2007

OpenBSD : Updating and building your system and kernel

Login: root
password: password

# export PKG_PATH=ftp://filoktitis.noc.uoa.gr/pub/OpenBSD/4.1/packages/i386/
# pkg_add -v cvsup-16.1hp0-no_x11.tgz
#pkg_add -v ee-1.4.6p1.tgz

# cd /usr
# ee cvsup-file-src

Write the following

# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs2.de.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_1

# If your network link is a T1 or faster, comment out the following line.
# *default compress

#OpenBSD-ports
#OpenBSD-all
OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
#OpenBSD-xf4
#OpenBSD-xenocara


Save and Quit [ esc a a ]

# cvsup -g -L 2 cvsup-file-src
# cp /bsd /bsd.old
# cd /usr/src/sys/arch/i386/conf/
# config GENERIC
# cd /usr/src/sys/arch/i386/compile/GENERIC/
# make clean && make depend && make && make install
# reboot

Login: root
password: password

# rm -rf /usr/obj/*
# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
# cd /usr/src
# make build

# cd /usr/
# ee cvsup-file-ports

Write the following

# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs2.de.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_1

# If your network link is a T1 or faster, comment out the following line.
# *default compress

OpenBSD-ports
#OpenBSD-all
#OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
#OpenBSD-xf4
#OpenBSD-xenocara


Save and Quit [ esc a a ]

# cvsup -g -L 2 cvsup-file-ports
# cd /usr/ports/infrastructure/build/
# ./out-of-date

# cd /usr
# ee cvsup-file-xf4

Write the following

# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs2.de.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_1

# If your network link is a T1 or faster, comment out the following line.
# *default compress

#OpenBSD-ports
#OpenBSD-all
#OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
OpenBSD-xf4
#OpenBSD-xenocara

Save and Quit [ esc a a ]

# cvsup -g -L 2 cvsup-file-xf4

# export PKG_PATH=ftp://filoktitis.noc.uoa.gr/pub/OpenBSD/4.1/packages/i386/
#pkg_add -v tk-8.4.7p1.tgz

# rm -rf /usr/Xbld
# mkdir -p /usr/Xbld
# cd /usr/Xbld
# lndir ../XF4
# make build
# reboot

Login: root
password: password

# find /usr/ports/ -name opera
# cd /usr/ports/www/opera/
# make update

Πέμπτη, Σεπτεμβρίου 27, 2007

FreeBSD: Colourful console


Raise the history size to 1000. Console text becomes green, reverse-video text yellow, and kernel messages blue.

Recompile kernel with these options:

options SC_HISTORY_SIZE=1000
options SC_NORM_ATTR=(FG_LIGHTGREEN|BG_BLACK)
options SC_NORM_REV_ATTR=(FG_YELLOW|BG_BLACK)
options SC_KERNEL_CONS_ATTR=(FG_LIGHTBLUE|BG_BLACK)
options SC_KERNEL_CONS_REV_ATTR=(FG_LIGHTRED|BG_BLACK)

2) Dialup firewalling with FreeBSD ( IPFW)

Marc Silver
marcs@draenor.org

Login: root
password: password

Recompile kernel with these options:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options TCP_DROP_SYNFIN


# ee /etc/rc.conf

firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-dynamic"

ppp_enable="YES"
ppp_mode="auto"
ppp_nat="YES"
ppp_profile="your_profile"

Save and Quit [ esc a a ]

# mkdir -p /etc/firewall
# cd /etc/firewall
# ee fwrules


Write the following

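# Firewall rules
# Written by Marc Silver (marcs@draenor.org)
# http://draenor.org/ipfw
# Freely distributable
#
# Dialup (userland-ppp + natd) ruleset. Every interface name and the
# DNS server address are defined once at the top so that adapting the
# script to another machine means editing three assignments, not six
# rules.

# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.
fwcmd="/sbin/ipfw"

# Outside (dialup) interface. With userland-ppp this is tun0.
oif="tun0"

# Inside interface, i.e. the network card. Change this to match your
# own card (the author's was fxp0) before you reboot.
iif="fxp0"

# The only DNS server UDP/53 may be sent to. Replace the placeholder
# with the address of your resolver before enabling the rules.
dns_server="x.x.x.x"

# Force a flushing of the current rules before we reload.
"$fwcmd" -f flush

# Divert all packets through the tunnel interface so natd can
# translate them.
"$fwcmd" add divert natd all from any to any via "$oif"

# Allow all data from the network card and localhost.
"$fwcmd" add allow ip from any to any via lo0
"$fwcmd" add allow ip from any to any via "$iif"

# Allow all connections that I initiate.
"$fwcmd" add allow tcp from any to any out xmit "$oif" setup

# Once connections are made, allow them to stay open.
"$fwcmd" add allow tcp from any to any via "$oif" established

# Everyone on the internet is allowed to connect to the following
# services on the machine. This example specifically allows connections
# to ssh and apache.
"$fwcmd" add allow tcp from any to any 80 setup
"$fwcmd" add allow tcp from any to any 22 setup

# This sends a RESET to all ident packets.
"$fwcmd" add reset log tcp from any to any 113 in recv "$oif"

# Allow outgoing DNS queries ONLY to the specified server.
"$fwcmd" add allow udp from any to "$dns_server" 53 out xmit "$oif"

# Allow them back in with the answers... :)
"$fwcmd" add allow udp from "$dns_server" 53 to any in recv "$oif"

# Allow ICMP (for ping and traceroute to work). You may wish to
# disallow this, but I feel it suits my needs to keep them in.
"$fwcmd" add allow icmp from any to any

# Deny and log all the rest.
"$fwcmd" add deny log ip from any to any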


Save and Quit [ esc a a ]

# reboot






1) Dialup firewalling with FreeBSD ( IPFW )

Marc Silver
marcs@draenor.org

Login: root
password: password

Recompile kernel with these options:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=500


# ee /etc/rc.conf

firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
ppp_enable="YES"
ppp_mode="auto"
ppp_nat="YES"
ppp_profile="your_profile"


# mkdir -p /etc/firewall
# cd /etc/firewall
# ee fwrules


Write the following

# Dialup ruleset using stateful (keep-state) rules and anti-spoofing
# on the outside interface. Rules are added in order; the order below
# matters and must be kept.

# Path to the ipfw binary (as in /etc/rc.firewall).
fwcmd="/sbin/ipfw"

# Inside interface: normally your network card. Adjust to match
# your own hardware.
iif="fxp0"

# Outside interface: userland-ppp uses tun0 by default.
oif="tun0"

# Start from an empty ruleset.
"${fwcmd}" -f flush

# Consult the dynamic rule table first.
"${fwcmd}" add check-state

# Anti-spoofing: drop inbound packets on the outside interface whose
# source address is not reachable back through that interface.
"${fwcmd}" add deny ip from any to any in via "${oif}" not verrevpath

# Outbound connections from this host create dynamic rules; inbound
# packets claiming to be established without one are dropped.
"${fwcmd}" add allow ip from me to any out via "${oif}" keep-state
"${fwcmd}" add deny tcp from any to any established in via "${oif}"

# Anything on the inside interface is trusted.
"${fwcmd}" add allow ip from any to any via "${iif}"

# Loopback traffic is fine; loopback addresses on other interfaces are not.
"${fwcmd}" add allow all from any to any via lo0
"${fwcmd}" add deny all from any to 127.0.0.0/8
"${fwcmd}" add deny ip from 127.0.0.0/8 to any

# Public services: sshd (22) and a web server (80), stateful.
"${fwcmd}" add allow tcp from any to me dst-port 22,80 in via "${oif}" setup keep-state

# ICMP echo reply/request, unreachable, time exceeded, parameter problem.
# Remove type 8 if the host should not answer pings.
"${fwcmd}" add allow icmp from any to any via "${oif}" icmptypes 0,3,8,11,12

# Default: deny and log everything else.
"${fwcmd}" add deny log ip from any to any

Save and Quit [ esc a a ]

# reboot










FreeBSD: Rebuild the World, and Recompile the Kernel ( STABLE)

Login: root
password: password

Install cvsup-without-gui

# pkg_add -r cvsup-without-gui
# pkg_add -r fastest_cvsup

If you prefer to install these two via the ports tree instead, do it like this (but, as mentioned, the pkg_add method is perfectly safe for these two applications):

# cd /usr/ports/net/cvsup-without-gui; make install clean
# cd /usr/ports/sysutils/fastest_cvsup; make install clean

# ee /etc/ssh/sshd_config

CHANGE the following

# Protocol 2
to
Protocol 2

and CHANGE the following

# PermitRootLogin no
to
PermitRootLogin no

Save and Quit [ esc a a ]

Mark the console as insecure

# ee /etc/ttys

CHANGE the following

console none unknown off secure
to
console none unknown off insecure

Save and Quit [ esc a a ]

Install ports tree

# cp /usr/share/examples/cvsup/ports-supfile /root/
# cp /usr/share/examples/cvsup/stable-supfile /root/

# ee /root/ports-supfile

CHANGE the following

*default host=CHANGE_THIS.FreeBSD.org
to
*default host=cvsup4.FreeBSD.org

Save and Quit [ esc a a ]

# ee /root/stable-supfile

CHANGE the following

*default host=CHANGE_THIS.FreeBSD.org
to
*default host=cvsup4.FreeBSD.org

Save and Quit [ esc a a ]

Set up scripts for maintaining the system

# mkdir /root/scripts
# cd /root/scripts
# ee ports-update.sh

Write the following

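#!/bin/sh
# ports-update.sh - refresh the ports tree with cvsup using /etc/ports-supfile.
# Exits non-zero (and says so on stderr) when cvsup fails, so that a cron
# job or a calling script does not see "Complete" after a failed update.
echo "Beginning Ports Update"
if ! /usr/local/bin/cvsup -g -L 2 /etc/ports-supfile; then
  echo "Ports Update FAILED" >&2
  exit 1
fi
echo "Ports Update Complete"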


Save and Quit [ esc a a ]

# ee src-update.sh

Write the following

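#!/bin/sh
# src-update.sh - refresh /usr/src with cvsup using /etc/stable-supfile.
# Exits non-zero (and says so on stderr) when cvsup fails, so that a
# buildworld run afterwards is not started on a half-updated tree.
echo "Beginning Source Update"
if ! /usr/local/bin/cvsup -g -L 2 /etc/stable-supfile; then
  echo "Source Update FAILED" >&2
  exit 1
fi
echo "Source Update Complete"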

Save and Quit [ esc a a ]

# chmod +x *.sh
# cp /root/ports-supfile /etc/
# cp /root/stable-supfile /etc/

# chmod 640 /etc/ports-supfile
# chmod 640 /etc/stable-supfile

Rebuild the entire machine and Kernel

# /root/scripts/src-update.sh
# cd /usr/src/sys/i386/conf
# cp GENERIC CUSTOM

# cd /usr/src/
# make buildworld
# make buildkernel KERNCONF=GENERIC
# make installkernel KERNCONF=GENERIC
# reboot

Login: root
password: password

# fsck -p
# mount -u /
# mount -a -t ufs
# swapon -a

# cd /usr/src
# mergemaster -p
# make installworld
# mergemaster
# reboot

Login: root
password: password

# cd /usr/src
# make clean

Update ports now

# pkg_add -r portupgrade
# /usr/local/bin/portupgrade -a

Adding applications

# pkg_add -r portaudit
# pkg_add -r zsh
# pkg_add -r wget
# pkg_add -r screen

If pkg_add -r screen fails try the following

# cd /usr/ports/sysutils/screen
# make install clean

# pkg_add -r sudo
# pkg_add -r pcre

# cd /root/scripts
# ee check-ports.sh

Write the following

#!/bin/sh
# check-ports.sh - audit installed ports against the portaudit database.
# -F fetches a fresh vulnerability database, -d prints its creation date,
# -a audits every installed package. The script's exit status is portaudit's.
portaudit="/usr/local/sbin/portaudit"
"$portaudit" -Fda


Save and Quit [ esc a a ]

# chmod +x check-ports.sh