This document will describe the basic security measures that should be applied to a FreeBSD 4.x workstation. Mostly all of these measures should be applied in a server environment too with some extra measures (CGI/PHP security for webservers, SQL security for databases, etc.)
FreeBSD is a pretty secure OS, although security aware people shouldn't rely on default OS security because even if the installed release is secure at the moment, our security system should protect us not only from current vulnerabilities but from ALL of them, even the undiscovered/undisclosed ones.
The first thing to do after we install FreeBSD is disabling to services we don't need. Let's say that you need FTP for file transfer and a SSHD (that you will only use in your local network). In order to disable all other services edit
/etc/inetd.confand uncomment ftp. The rest of the services should be left commented unless you don't need something else too (but remember that more services mean more risk).
Ok, now you should check the
/usr/local/etc/rc.d/directory. That's where httpd, rpcd, and other daemons are initialized just chmod -x the scripts you don't need (or just move/delete them if you feel more comfortable with it).
Now reboot your system and type this .
If you see any other open service that you don't need you probably missed something in
If you are the only one who's using the workstation you should have at least 2 users besides root. The first one should be used for ftp access. That's because ftp transfers are not encrypted and they can be sniffed. This user should have the lowest security level and SHOULD NOT BE PART OF THE WHEEL GROUP. This is very important, this is the reason for having 2 users. The difference between regular users and users added to the wheel group is that while those in the wheel group are able to "su root", regular users can't access root even if they would have the root password.
The second user should be part of the wheel group and it will be used ONLY for ssh. This user's password shouldn't be exposed to unencrypted protocols (like ftp, telnet, pop, etc). In order to make sure that you will never accidentally log in to ftp, you should add this user to
/etc/ftpusers. If you need multiple users you should use this scheme for all of them (depending on their needs). I guess it's useless to say that you should use different passwords for these users :).
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.