Увеличение безопасности FreeBSD сервера (freebsd security howto)
Ключевые слова: freebsd, security, howto, (найти похожие документы)
Date: 9 Sep 2002
From: opennet
Subject: Увеличение безопасности FreeBSD сервера
По материалам "FreeBSD Operating System Security Checklist":
http://www.opennet.me/opennews/art.shtml?num=1491
http://sddi.net/FBSDSecCheckList.html
* Разбивка на разделы:
none (swap)
/
/tmp
/usr
/usr/home
/var
* чистка inetd.conf
* запрещение port_map если не используется NFS
* vi /etc/motd; cp /etc/motd /etc/issue
* vi /etc/ssh/sshd_config:
Port 22
Protocol 2
#Hostkey /etc/ssh/ssh_host_key
PermitRootLogin no
MaxStartups 5:50:10
X11Forwarding no
PrintLastLog yes
LogLevel VERBOSE
PasswordAuthentication no
PermitEmptyPasswords no
Banner /etc/issue
AllowGroups shellusers
* vi /etc/ssh/ssh_config
ForwardAgent no
ForwardX11 no
PasswordAuthentication no
CheckHostIP yes
Port 22
Protocol 2
* генерируем DSA ключи: ssh-keygen -d; cd .ssh; cat id_dsa.pub > authorized_keys2
* vi /etc/rc.conf
inetd_enable="NO"
syslogd_enable="YES"
syslogd_flags="-ss"
tcp_drop_redirect="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
clear_tmp_enable="YES"
portmap_enable="NO"
icmp_bmcastecho="NO"
fsck_y_enable="YES"
update_motd="NO"
tcp_drop_synfin="YES"
* vi /etc/login.conf
В default поменять md5 на blf: ":passwd_format=blf:"
:passwordtime=52d:
:mixpasswordcase=true:
:minpasswordlen=9:
baduser:
:cputime=30m:
:openfiles=24:
:maxproc=32:
:memoryuse=16m:
:tc=default:
cap_mkdb /etc/login.conf
* vi /etc/sysctl.conf
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.ps_showallprocs=0
* vi /etc/fstab
/tmp ufs rw,noexec
/usr/home ufs rw,nosuid,noexec
/var ufs rw,noexec
* chmod 0600 /etc/crontab
* Конфигурация ядра
#pseudo-device bpf
options SC_NO_HISTORY
options SC_DISABLE_REBOOT
options SC_DISABLE_DDBKEY
options TCP_DROP_SYNFIN
* chmod 0700 /root; chmod 0600 /etc/syslog.conf; chmod 0600 /etc/rc.conf;
chmod 0600 /etc/newsyslog.conf; chmod 0600 /etc/hosts.allow;
chmod 0600 /etc/login.conf; chmod 0700 /usr/home/*
* TCP Wrappers, vi /etc/hosts.allow
sshd : localhost : allow
sshd : x.x.x.x, x.x.x.x : allow
sshd : all : deny
ftpd : ALL : deny
* Console, vi /etc/ttys
console none unknown off insecure
ttyv0 "/usr/libexec/getty Pc" cons25 on insecure
ttyv1 "/usr/libexec/getty Pc" cons25 on insecure
* Bash Shell, vi /usr/share/skel/.bash_logout
clear
* Анализ sockstat -4 и tcpdump -xX