FreeBSD 5.4 with no Firewall?

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Jan 22 03:04:56 PST 2006


Benjamin D Adams wrote:
> I'm moving my server to a colocation.  Its a web-server (Apache 2.0) on
> FreeBSD 5.4.  Should I get a gigabyte firewall first? (I plan on getting
> one soon) How important? What can I do to help secure the OS itself?
> Any built in programs I should install first?

Sure, you can run a stand-alone FreeBSD box on the Internet without a
separate firewall, if you configure it carefully.  Mind you, you still need
the same degree of care /with/ a firewall -- it just gives you another layer
behind which you can get away with a few things.

What you need to look out for when securing a machine against attack from
the network:

    a) processes with network listeners: if there's nothing listening
       at a particular network port, you can't be attacked through it.
       Use sockstat(1) to see what programs are listening on your network
       interfaces -- including the loopback interface.  Do you really
       need to run that program?  Can you reconfigure something that listens
       on all interfaces to bind to just the loopback interface?

    b) When considering processes that you have to run to provide the
       intended service -- are they configured to run as securely as
       possible?  Long-lived daemon processes, such as Apache should not
       be run as the root user[*].  Always run them under an unprivileged
       UID that does not have a real shell (/sbin/nologin exists for that
       purpose).  Make sure that UID cannot write to its home directory
       (setting daemon users homes to / is fine) or to any other significant
       locations -- a common mistake is to change the ownership of the
       webserver's document tree to the UID the web server runs under.  
       Make full use of chroot(8) and jail(8) to further isolate exposed
       processes from the rest of the system.

    c) Do your homework, and keep alert to various channels where security
       information is available.  Sites like Secunia (http://secunia.com/),
       the VuXML project (http://www.vuxml.org/freebsd/) and not least any
       mailing lists or newsgroups or fora dedicated to software you're
       running -- you should keep abreast of all such.  Understand the
       distinction between 'local' and 'remote' compromises or DoSes: it's
       the remote ones you should spend energy worrying about unless you
       are providing logins on your server to untrusted users.  Keep
       installed software up to date.  The ports tree is actually really
       good at getting security related updates committed promptly.

       Similarly you should regularly update the OS itself.  Track one of
       the -SECURITY branches, and upgrade when advisories come out.  

    d) Abhor the use of any program which transmits sensitive information
       across networks in plain text.  Use ssh(1) exclusively for remote 
       login access -- preferably with key based auth rather than using
       passwords.  Avoid ftp(1) for copying web content onto servers: any of
       scp(1), rsync(1) [over SSH] or WebDAV over HTTPS will serve you better.
       If you have to display X programs on a remote desktop, always tunnel
       the X traffic through ssh(1).

    e) Configure a local packet filter -- one of pf(4), ipfw(8), ipf(8). Your
       aim should be to be secure even without the firewall in place: it should
       be insurance rather than anything more.  Sometimes however it is the only
       answer to protecting processes you have to run, but that expose themselves 
       on the net.

       Although there is one class of attack you can eliminate easily using
       a packet filter which is hard to do otherwise: spoofing the loopback
       address.  If the machine you're protecting conforms to the 'weak routing
       model' (as FreeBSD does) then it will accept a packet destined for any of
       its network interfaces on any other interface irrespective of network
       routing.  pf(4) makes preventing this really easy.  This three line
       pf.conf(5) will prevent a lot of potential attacks against daemons
       listening on the loopback address, although you'll probably want something
       a bit more comprehensive in actual use:

          scrub in
          pass all
          antispoof log quick for lo0

Keeping a server properly secured is not rocket science -- mostly it's just
common sense.  But you cannot just 'secure your server' and then forget about
it: lasting security means active maintenance.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
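As an added illustration of points (a) and (b) in the mail above (this is not Matthew's code), the script below audits sockstat(1)-style output for daemons bound to every interface and for listening sockets still held by root. The sockstat sample embedded in it is constructed to look like `sockstat -4l` on a FreeBSD 5.x host; the user names, PIDs and ports are invented, and the function names wildcard_listeners and root_listeners are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# SAMPLE is constructed to mimic `sockstat -4l` output on FreeBSD 5.x;
# the daemons, PIDs and ports are made up for the demonstration.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
www      httpd      701   3  tcp4   *:80                  *:*
mysql    mysqld     655   10 tcp4   127.0.0.1:3306        *:*
root     syslogd    480   6  udp4   *:514                 *:*'

# Point (a): print "USER COMMAND PROTO PORT" for every listener whose local
# address is "*:port", i.e. bound to all interfaces instead of just lo0.
# The header line (NR == 1) is skipped; the port is the last ":"-separated
# field so that IPv6 addresses would also be handled.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ {
            n = split($6, a, ":"); print $1, $2, $5, a[n]
         }'
}

# Point (b): print "USER COMMAND PROTO PORT" for every listening socket that
# is owned by root, whatever address it is bound to.  Each of these is a
# candidate for an unprivileged UID, chroot(8) or jail(8).
root_listeners() {
    awk 'NR > 1 && $1 == "root" {
            n = split($6, a, ":"); print $1, $2, $5, a[n]
         }'
}

# Run both checks over the constructed sample.  On a real host you would
# pipe `sockstat -4l` (and `sockstat -6l`) into the functions instead.
main() {
    echo "== listeners bound to all interfaces =="
    printf '%s\n' "$SAMPLE" | wildcard_listeners
    echo "== listening sockets owned by root =="
    printf '%s\n' "$SAMPLE" | root_listeners
}

main
```

In the sample, mysqld is the only daemon correctly confined to the loopback address; the two root-owned listeners are what point (b) says to move to an unprivileged UID or isolate further.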
