Secure Your Server
Saturday, 26 November 2005
This document describes measures to secure your FreeBSD server against attacks from the Internet.

For beginners, a good start is the security(7) man page.

1. Secure your SSH
---------------------
Every day in a server's life, attempts to break in over SSH are made by guessing SSH user names and passwords. By default FreeBSD does not permit the root user to log in via SSH, which is good.

Measures to take:
a) permit SSH access only to the users who need it and disable SSH access for all other users. This is done by adding the following line to /etc/ssh/sshd_config (user names are separated by spaces, not commas):
AllowUsers john bob

You could also permit SSH login for the wheel group by adding to /etc/ssh/sshd_config the line:
AllowGroups wheel
If other users need to log in, put them all in a group and permit SSH login for that group too.

b) if you log in to your server via SSH only from known IP addresses, allow logins only from those addresses.

c) change your SSH port. This measure blocks almost 80% of worms and automated programs/scripts.

d) update SSH regularly. This helps protect against bugs/exploits found in SSH.

Always run SSH protocol 2 (which is enabled by default in the SSH daemon).
Another idea is to edit /root/.cshrc and add a line that emails you whenever somebody logs in as root, including the date and time.

If you offer SSH access to your users, require them to use strong passwords.

2. Secure your console
-------------------------

a) Secure your console so nobody can boot into single-user mode and change the root password in order to break in.

Edit /etc/ttys and change the line
console none                            unknown off secure
to
console none                            unknown off insecure

b) Disable rebooting the machine with Ctrl+Alt+Del:
edit your kernel configuration file, add the following option and recompile/reinstall the kernel:
options SC_DISABLE_REBOOT
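An added audit helper (not part of the original article) that checks copies of sshd_config and ttys for the settings from sections 1 and 2a: root login, AllowUsers/AllowGroups, port, protocol and the console's secure/insecure flag. It takes file paths as arguments; the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper for the sshd_config and /etc/ttys settings in
# sections 1 and 2a; not part of the original article. Works on file
# paths so it can run against copies; the sample files are constructed.

# First uncommented occurrence of a keyword wins, as in sshd itself.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# One line per check, prefixed OK or WARN.
audit_sshd() {
    f=$1
    root=$(sshd_opt "$f" PermitRootLogin)
    if [ "$root" = yes ]; then echo "WARN PermitRootLogin yes"; else echo "OK PermitRootLogin ${root:-default}"; fi
    if [ -z "$(sshd_opt "$f" AllowUsers)" ] && [ -z "$(sshd_opt "$f" AllowGroups)" ]; then
        echo "WARN no AllowUsers/AllowGroups restriction"
    else echo "OK logins limited to listed users/groups"; fi
    port=$(sshd_opt "$f" Port)
    if [ "${port:-22}" = 22 ]; then echo "WARN sshd on default port 22"; else echo "OK sshd on port $port"; fi
    case ",$(sshd_opt "$f" Protocol)," in
        *,1,*) echo "WARN SSH protocol 1 enabled" ;;
        ,,)    echo "OK Protocol unset, daemon default applies" ;;
        *)     echo "OK Protocol 2 only" ;;
    esac
}

# The console line must end in "insecure" so single-user mode asks for root's password.
audit_ttys() {
    awk '$1 == "console" { msg = ($NF == "insecure") ? "OK console marked insecure" : "WARN console marked " $NF; print msg; exit }' "$1"
}

# Constructed sample files for demonstration.
write_samples() {
    printf 'Port 22\nProtocol 2,1\nPermitRootLogin yes\n' > "$1/sshd_config.weak"
    printf 'Port 2222\nProtocol 2\nPermitRootLogin no\nAllowGroups wheel\nAllowUsers john bob\n' > "$1/sshd_config.hardened"
    printf 'console none\tunknown off secure\n' > "$1/ttys.weak"
    printf 'console none\tunknown off insecure\n' > "$1/ttys.hardened"
}

dir=$(mktemp -d)
write_samples "$dir"
for variant in weak hardened; do
    echo "== sshd_config.$variant"; audit_sshd "$dir/sshd_config.$variant"
    echo "== ttys.$variant"; audit_ttys "$dir/ttys.$variant"
done
rm -rf "$dir"
```

To audit a live host, pass /etc/ssh/sshd_config and /etc/ttys to audit_sshd and audit_ttys instead of the sample files.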

3. Turn off non-essential services
-----------------------------------
You should always turn off the services you do not need or use.


4. Scan for open ports
------------------------
To see whether any ports are open, scan your server with a tool like nmap (/usr/ports/security/nmap). Only the ports for the services you need should be open.

5. Protect from DoS/DDoS
-----------------------------
Some measures can be taken to add a level of protection against DoS attacks. Total protection is almost impossible to achieve, because once your server is being flooded it is already too late to do anything; you should contact your ISP. If the attack comes from multiple sources it is also very hard to do anything about it.

You will need to tune some sysctl variables:
kern.ipc.somaxconn=32768    # to defend against SYN attacks

With a larger somaxconn, SYN attacks up to a certain level will have no (or little) effect on the availability of the server.

An attacker can use ICMP redirects to modify the routing table on your machine. Disable them:
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0


6. Make a checksum for your files
------------------------------------
If your machine is compromised, it will be useful to check the checksums of your files to see whether they were modified. You can install an application like tripwire (/usr/ports/security/tripwire-131) to build an MD5 sum of every one of your files.

7. Other security measures
------------------------------
net.inet.tcp.msl=7500

msl = maximum segment life = the maximum amount of time to wait for an ACK in reply to a SYN-ACK or FIN-ACK, in milliseconds

net.inet.tcp.blackhole=2
This variable defines what happens when your machine receives a TCP packet on a closed port (1: SYN packets are dropped, 2: all packets are dropped).

net.inet.udp.blackhole=1

net.inet.icmp.icmplim=50
This variable controls the maximum number of ICMP "Unreachable" and TCP RST responses returned per second.

For the following NICs: dc, em, fxp, nge, rl, sis, turn on the DEVICE_POLLING kernel option to reduce the CPU time spent processing inbound traffic.
After enabling it in the kernel config file and recompiling/installing the kernel, the following sysctl variable must be set:
kern.polling.enable=1


Last Updated ( Sunday, 27 November 2005 )