Security is one of the most important things in administering any sort of computer system. FreeBSD is certainly much more secure than Windows and other popular systems; however, most security problems lie with the user and the other software running on the system rather than with the OS itself. This guide gives a few hints and examples to make it a fair bit harder for someone to compromise your system.
- A FreeBSD system; however, with a few changes this can apply to most common *nix systems out there.
- Half a lick of sense.
- First of all, log in as root as sparingly as possible. DO NOT use the root account for the mundane day-to-day activities of using a computer. Since there are no restrictions on root, it is much easier to totally wreck your system by accident. Secondly, if you are logged in as root and, for example, using a chat client, a security hole in that client could be exploited to hijack your system. Logged in as a normal user, the chances that an attacker could do damage are far smaller; running that same program as root could allow them to do ANYTHING to your system.
- Use Secure Shell (SSH) to access your system remotely instead of basic telnet. SSH encrypts the connection, preventing anyone sniffing packets from seeing what you type, including your passwords. Telnet sends everything “in the clear”, allowing anyone with a little expertise to sniff your connection for useful information. You can enable SSH by running /stand/sysinstall, going to Configure->Networking and checking it on the list there. Disabling telnet is covered in the next point.
- INETD listens on your system’s network ports; when somebody connects to a port it recognizes, it starts the daemon (server) for that port, say the insecure telnet daemon, for the duration of the connection and shuts it down afterwards. This seems very handy, since you don’t have to keep those daemons running continuously to provide those services. However, it is very insecure. First, you should only be running the services you need, which cuts down the ways an attacker has to get at you. Second, the INETD daemon isn’t exactly secure in and of itself. Therefore, run /stand/sysinstall, go to Configure->Networking and remove the check next to its name. If for some reason you REALLY need INETD, open /etc/inetd.conf in your favorite text editor and comment out (place a # in front of the line) every daemon listed there except the ones you need.
- Sendmail is the ancient, notoriously complicated and insecure e-mail service that comes on just about every *nix system known to man. Sadly, FreeBSD installs it fully running when you first set up your system. Using the /stand/sysinstall utility to set it not to run won’t disable it, so you must edit your /etc/rc.conf file by hand. Open /etc/rc.conf with your favorite text editor, locate the line reading sendmail_enable=(whatever), and change it to read sendmail_enable="none".
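As an added example (not part of the original article), the following sh script checks an rc.conf and an inetd.conf for the settings above: sshd enabled, inetd disabled, sendmail set to none, and no uncommented inetd services. The two sample files it creates are constructed for the demonstration; on a real system point audit at /etc/rc.conf and /etc/inetd.conf.

```shell
#!/bin/sh
# Added example (not from the original article): audit an rc.conf and an
# inetd.conf for the article's settings. The two sample files are constructed
# here so it runs offline; on a live box pass /etc/rc.conf and /etc/inetd.conf.
SAMPLE_RC=$(mktemp); SAMPLE_INETD=$(mktemp)
trap 'rm -f "$SAMPLE_RC" "$SAMPLE_INETD"' EXIT
cat >"$SAMPLE_RC" <<'EOF'
hostname="example.test"          # constructed sample
sshd_enable="YES"
inetd_enable="YES"               # the article says to turn this off
sendmail_enable="none"
EOF
cat >"$SAMPLE_INETD" <<'EOF'
# constructed sample: ftp is still live, telnet and rsh are commented out
ftp     stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
#telnet stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
#shell  stream  tcp  nowait  root  /usr/libexec/rshd     rshd
EOF
# rc_value FILE KEY: KEY's value with trailing comment and quotes stripped;
# the last assignment wins, as when sh sources rc.conf. Empty if unset.
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}
# inetd_active FILE: service names of inetd.conf entries not commented out.
inetd_active() {
    sed -n 's/^[[:space:]]*\([^#[:space:]][^[:space:]]*\)[[:space:]].*/\1/p' "$1"
}
# is_off VALUE: true for NO or NONE in any case, like FreeBSD's rc scripts.
is_off() {
    case $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') in
        no|none) return 0 ;; *) return 1 ;;
    esac
}
# audit RC INETD: one WARN line per finding; exit status 1 if anything to fix.
audit() {
    rc=0
    v=$(rc_value "$1" sshd_enable)
    if [ -z "$v" ] || is_off "$v"; then echo "WARN sshd not enabled: use SSH, not telnet"; rc=1; fi
    v=$(rc_value "$1" inetd_enable)
    is_off "$v" || { echo "WARN inetd_enable=${v:-unset}: disable inetd"; rc=1; }
    v=$(rc_value "$1" sendmail_enable)
    is_off "$v" || { echo "WARN sendmail_enable=${v:-unset}: set it to \"none\""; rc=1; }
    for svc in $(inetd_active "$2"); do echo "WARN inetd still serves: $svc"; rc=1; done
    [ $rc -eq 0 ] && echo "ok: nothing to fix"
    return $rc
}
audit "$SAMPLE_RC" "$SAMPLE_INETD" || true   # nonzero status is for scripting
```

On the constructed sample the script flags inetd_enable and the live ftp entry and passes the sshd and sendmail checks.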
Your system should now be reasonably secure. There are other steps you could take, such as access control and running a firewall, but those are outside the scope of this tutorial. I may write one on the topic of firewalls at a later date. Remember to run only the daemons that YOU NEED. If your system is just going to be an FTP file server, there is NO reason to be running Apache, MySQL or other daemons. The more daemons you run, the harder it is to keep your system secure from attackers, and every daemon you run has its own hardening methods that you must learn. If there is a hole somewhere that you don’t take measures to close, you might as well give up on the rest.