Basic Security Measures for FreeBSD
by Szekely Ervin - Thursday, 19 June 2003.

This document will describe the basic security measures that should be applied to a FreeBSD 4.x workstation. Mostly all of these measures should be applied in a server environment too with some extra measures (CGI/PHP security for webservers, SQL security for databases, etc.)

The basics

FreeBSD is a pretty secure OS, although security aware people shouldn't rely on default OS security because even if the installed release is secure at the moment, our security system should protect us not only from current vulnerabilities but from ALL of them, even the undiscovered/undisclosed ones.

The first thing to do after we install FreeBSD is disabling to services we don't need. Let's say that you need FTP for file transfer and a SSHD (that you will only use in your local network). In order to disable all other services edit /etc/rc.conf like this.

Now edit /etc/inetd.conf and uncomment ftp. The rest of the services should be left commented unless you don't need something else too (but remember that more services mean more risk).

Ok, now you should check the /usr/local/etc/rc.d/ directory. That's where httpd, rpcd, and other daemons are initialized just chmod -x the scripts you don't need (or just move/delete them if you feel more comfortable with it).

Now reboot your system and type this .

If you see any other open service that you don't need you probably missed something in /usr/local/etc/rc.d/.

User management

If you are the only one who's using the workstation you should have at least 2 users besides root. The first one should be used for ftp access. That's because ftp transfers are not encrypted and they can be sniffed. This user should have the lowest security level and SHOULD NOT BE PART OF THE WHEEL GROUP. This is very important, this is the reason for having 2 users. The difference between regular users and users added to the wheel group is that while those in the wheel group are able to "su root", regular users can't access root even if they would have the root password.

The second user should be part of the wheel group and it will be used ONLY for ssh. This user's password shouldn't be exposed to unencrypted protocols (like ftp, telnet, pop, etc). In order to make sure that you will never accidentally log in to ftp, you should add this user to /etc/ftpusers. If you need multiple users you should use this scheme for all of them (depending on their needs). I guess it's useless to say that you should use different passwords for these users :).


Firewalls are usually designed to prevent outsiders from accessing services on our network, they're also used to prevent DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks.

FreeBSD comes with a superb firewalling tool called ipfw. It's very flexible has tons of options yet it's pretty easy to use & set up. Now we're going to discuss how to set up a firewall for a workstation connected to the internet trough a dial-up connection (that's what I have at home), however you can use this document for other connection types too.

First of all you have to reconfigure your kernel. If you don't know how to do that, check in the FreeBSD handbook.

Edit your own kernel and add the following lines.

Now all you have to do is recompile the kernel. But don't reboot yet. We're gonna still need to do some changes in /etc/rc.conf.

Open /etc/rc.conf in your favorite text editor and add these lines.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th