Τετάρτη, Οκτωβρίου 03, 2007
Securing FreeBSD ( 1 )
Login: root
password: password
# ee /usr/X11R6/bin/startx
CHANGE the following
serverargs=""
to
serverargs="-nolisten tcp"
Save and Quit [ esc a a ]
# ee /etc/mail/sendmail.cf
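CHANGE the following (sendmail.cf is generated from the .mc file in /etc/mail, so an edit made only here is lost the next time the file is rebuilt)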
O DaemonPortOptions=Port=587, Name=MSA, M=E
to
#O DaemonPortOptions=Port=587, Name=MSA, M=E
Save and Quit [ esc a a ]
# killall -HUP sendmail
# ee /etc/ssh/sshd_config
CHANGE the following
#Protocol 2
to
Protocol 2
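and CHANGE the following (first make sure an ordinary account in the wheel group exists: root can no longer log in over SSH afterwards, and su to root needs wheel membership)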
#PermitRootLogin no
to
PermitRootLogin no
Save and Quit [ esc a a ]
# ee /etc/ttys
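CHANGE the following (with the console marked insecure, init asks for the root password before entering single-user mode)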
console none unknown off secure
to
console none unknown off insecure
Save and Quit [ esc a a ]
# touch /var/account/acct
# accton /var/account/acct
# echo 'accounting_enable="YES"' >> /etc/rc.conf
# echo "net.inet.tcp.blackhole=2" >> /etc/sysctl.conf
# echo "net.inet.udp.blackhole=1" >> /etc/sysctl.conf
# echo "net.inet.icmp.drop_redirect=1">> /etc/sysctl.conf
# echo "net.inet.icmp.log_redirect=0">> /etc/sysctl.conf
# echo "net.inet.ip.redirect=0">> /etc/sysctl.conf
# echo "net.inet.ip.sourceroute=0">> /etc/sysctl.conf
# echo "net.inet.ip.accept_sourceroute=0">> /etc/sysctl.conf
# echo "net.inet.icmp.bmcastecho=0">> /etc/sysctl.conf
# echo "net.inet.tcp.log_in_vain=1">> /etc/sysctl.conf
# echo "net.inet.udp.log_in_vain=1">> /etc/sysctl.conf
# echo "kern.ipc.somaxconn=1024">> /etc/sysctl.conf
# echo "net.link.ether.inet.max_age=600">> /etc/sysctl.conf
# echo "net.inet.tcp.sack.enable=0 ">> /etc/sysctl.conf
# echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf
# echo "net.inet.ip.check_interface=1">> /etc/sysctl.conf
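# echo "net.inet.tcp.syncookies=0">> /etc/sysctl.conf
(note: 0 switches SYN cookies off, which removes the stack's fallback under a SYN flood; leave this line out or use 1 unless there is a specific reason to disable them)
# echo "net.inet.icmp.maskrepl=0">> /etc/sysctl.conf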
# ee /etc/sysctl.conf
CHANGE the following
# security.bsd.see_other_uids=0
to
security.bsd.see_other_uids=0
Save and Quit [ esc a a ]
# ee /etc/login.conf
CHANGE the following
:passwd_format=md5:\
to
:passwd_format=blf:\
Save and Quit [ esc a a ]
# cap_mkdb /etc/login.conf
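# passwd username
(run passwd for every existing account: a stored hash stays MD5 until that password is set again)
# more /etc/master.passwd
(a Blowfish hash begins with $2, an MD5 hash with $1$)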
# ee /etc/auth.conf
CHANGE the following
crypt_default = md5
to
crypt_default = blf
Save and Quit [ esc a a ]
Secure rc.conf
# ee /etc/rc.conf
sendmail_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
portmap_enable="NO"
update_motd="NO"
inetd_enable="NO"
clear_tmp_enable="YES"
accounting_enable="YES"
fsck_y_enable="YES"
syslogd_enable="YES"
syslogd_flags="-ss"
# reboot
password: password
# ee /usr/X11R6/bin/startx
CHANGE the following
serverargs=""
to
serverargs="-nolisten tcp"
Save and Quit [ esc a a ]
# ee /etc/mail/sendmail.cf
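CHANGE the following (sendmail.cf is generated from the .mc file in /etc/mail, so an edit made only here is lost the next time the file is rebuilt)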
O DaemonPortOptions=Port=587, Name=MSA, M=E
to
#O DaemonPortOptions=Port=587, Name=MSA, M=E
Save and Quit [ esc a a ]
# killall -HUP sendmail
# ee /etc/ssh/sshd_config
CHANGE the following
#Protocol 2
to
Protocol 2
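and CHANGE the following (first make sure an ordinary account in the wheel group exists: root can no longer log in over SSH afterwards, and su to root needs wheel membership)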
#PermitRootLogin no
to
PermitRootLogin no
Save and Quit [ esc a a ]
# ee /etc/ttys
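CHANGE the following (with the console marked insecure, init asks for the root password before entering single-user mode)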
console none unknown off secure
to
console none unknown off insecure
Save and Quit [ esc a a ]
# touch /var/account/acct
# accton /var/account/acct
# echo 'accounting_enable="YES"' >> /etc/rc.conf
# echo "net.inet.tcp.blackhole=2" >> /etc/sysctl.conf
# echo "net.inet.udp.blackhole=1" >> /etc/sysctl.conf
# echo "net.inet.icmp.drop_redirect=1">> /etc/sysctl.conf
# echo "net.inet.icmp.log_redirect=0">> /etc/sysctl.conf
# echo "net.inet.ip.redirect=0">> /etc/sysctl.conf
# echo "net.inet.ip.sourceroute=0">> /etc/sysctl.conf
# echo "net.inet.ip.accept_sourceroute=0">> /etc/sysctl.conf
# echo "net.inet.icmp.bmcastecho=0">> /etc/sysctl.conf
# echo "net.inet.tcp.log_in_vain=1">> /etc/sysctl.conf
# echo "net.inet.udp.log_in_vain=1">> /etc/sysctl.conf
# echo "kern.ipc.somaxconn=1024">> /etc/sysctl.conf
# echo "net.link.ether.inet.max_age=600">> /etc/sysctl.conf
# echo "net.inet.tcp.sack.enable=0 ">> /etc/sysctl.conf
# echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf
# echo "net.inet.ip.check_interface=1">> /etc/sysctl.conf
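# echo "net.inet.tcp.syncookies=0">> /etc/sysctl.conf
(note: 0 switches SYN cookies off, which removes the stack's fallback under a SYN flood; leave this line out or use 1 unless there is a specific reason to disable them)
# echo "net.inet.icmp.maskrepl=0">> /etc/sysctl.conf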
# ee /etc/sysctl.conf
CHANGE the following
# security.bsd.see_other_uids=0
to
security.bsd.see_other_uids=0
Save and Quit [ esc a a ]
# ee /etc/login.conf
CHANGE the following
:passwd_format=md5:\
to
:passwd_format=blf:\
Save and Quit [ esc a a ]
# cap_mkdb /etc/login.conf
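# passwd username
(run passwd for every existing account: a stored hash stays MD5 until that password is set again)
# more /etc/master.passwd
(a Blowfish hash begins with $2, an MD5 hash with $1$)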
# ee /etc/auth.conf
CHANGE the following
crypt_default = md5
to
crypt_default = blf
Save and Quit [ esc a a ]
Secure rc.conf
# ee /etc/rc.conf
sendmail_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
portmap_enable="NO"
update_motd="NO"
inetd_enable="NO"
clear_tmp_enable="YES"
accounting_enable="YES"
fsck_y_enable="YES"
syslogd_enable="YES"
syslogd_flags="-ss"
# reboot
Τρίτη, Οκτωβρίου 02, 2007
OpenBSD : Updating and building your system and kernel
Login: root
password: password
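# export PKG_PATH=ftp://filoktitis.noc.uoa.gr/pub/OpenBSD/4.1/packages/i386/
(plain FTP neither authenticates the mirror nor protects the packages in transit, so use a mirror and network path you trust)
# pkg_add -v cvsup-16.1hp0-no_x11.tgz
# pkg_add -v ee-1.4.6p1.tgz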
# cd /usr
# ee cvsup-file-src
Write the following
# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs2.de.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_1
# If your network link is a T1 or faster, comment out the following line.
# *default compress
#OpenBSD-ports
#OpenBSD-all
OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
#OpenBSD-xf4
#OpenBSD-xenocara
Save and Quit [ esc a a ]
# cvsup -g -L 2 cvsup-file-src
# cp /bsd /bsd.old
# cd /usr/src/sys/arch/i386/conf/
# config GENERIC
# cd /usr/src/sys/arch/i386/compile/GENERIC/
# make clean && make depend && make && make install
# reboot
Login: root
password: password
# rm -rf /usr/obj/*
# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
# cd /usr/src
# make build
# cd /usr/
# ee cvsup-file-ports
Write the following
# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs2.de.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_1
# If your network link is a T1 or faster, comment out the following line.
# *default compress
OpenBSD-ports
#OpenBSD-all
#OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
#OpenBSD-xf4
#OpenBSD-xenocara
Save and Quit [ esc a a ]
# cvsup -g -L 2 cvsup-file-ports
# cd /usr/ports/infrastructure/build/
# ./out-of-date
# cd /usr
# ee cvsup-file-xf4
Write the following
# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs2.de.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_1
# If your network link is a T1 or faster, comment out the following line.
# *default compress
#OpenBSD-ports
#OpenBSD-all
#OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
OpenBSD-xf4
#OpenBSD-xenocara
Save and Quit [ esc a a ]
# cvsup -g -L 2 cvsup-file-xf4
# export PKG_PATH=ftp://filoktitis.noc.uoa.gr/pub/OpenBSD/4.1/packages/i386/
# pkg_add -v tk-8.4.7p1.tgz
# rm -rf /usr/Xbld
# mkdir -p /usr/Xbld
# cd /usr/Xbld
# lndir ../XF4
# make build
Login: root
password: password
# find /usr/ports/ -name opera
# cd /usr/ports/www/opera/
# make update
password: password
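# export PKG_PATH=ftp://filoktitis.noc.uoa.gr/pub/OpenBSD/4.1/packages/i386/
(plain FTP neither authenticates the mirror nor protects the packages in transit, so use a mirror and network path you trust)
# pkg_add -v cvsup-16.1hp0-no_x11.tgz
# pkg_add -v ee-1.4.6p1.tgz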
# cd /usr
# ee cvsup-file-src
Write the following
# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs2.de.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_1
# If your network link is a T1 or faster, comment out the following line.
# *default compress
#OpenBSD-ports
#OpenBSD-all
OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
#OpenBSD-xf4
#OpenBSD-xenocara
Save and Quit [ esc a a ]
# cvsup -g -L 2 cvsup-file-src
# cp /bsd /bsd.old
# cd /usr/src/sys/arch/i386/conf/
# config GENERIC
# cd /usr/src/sys/arch/i386/compile/GENERIC/
# make clean && make depend && make && make install
# reboot
Login: root
password: password
# rm -rf /usr/obj/*
# cd /usr/src
# make obj
# cd /usr/src/etc && env DESTDIR=/ make distrib-dirs
# cd /usr/src
# make build
# cd /usr/
# ee cvsup-file-ports
Write the following
# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs2.de.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_1
# If your network link is a T1 or faster, comment out the following line.
# *default compress
OpenBSD-ports
#OpenBSD-all
#OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
#OpenBSD-xf4
#OpenBSD-xenocara
Save and Quit [ esc a a ]
# cvsup -g -L 2 cvsup-file-ports
# cd /usr/ports/infrastructure/build/
# ./out-of-date
# cd /usr
# ee cvsup-file-xf4
Write the following
# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=anoncvs2.de.openbsd.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_1
# If your network link is a T1 or faster, comment out the following line.
# *default compress
#OpenBSD-ports
#OpenBSD-all
#OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
OpenBSD-xf4
#OpenBSD-xenocara
Save and Quit [ esc a a ]
# cvsup -g -L 2 cvsup-file-xf4
# export PKG_PATH=ftp://filoktitis.noc.uoa.gr/pub/OpenBSD/4.1/packages/i386/
# pkg_add -v tk-8.4.7p1.tgz
# rm -rf /usr/Xbld
# mkdir -p /usr/Xbld
# cd /usr/Xbld
# lndir ../XF4
# make build
# reboot
Login: root
password: password
# find /usr/ports/ -name opera
# cd /usr/ports/www/opera/
# make update