Dru lavigne servers-tutorial

Installing, Securing and Maintaining FreeBSD Servers by Dru Lavigne [email protected] Edition for meetBSD 2005 Krakow, June 18, 2005

description

Presentation, MeetBSD 2005



Introduction

FreeBSD is renowned for providing a secure and stable server platform. FreeBSD system administrators have several tools available to them for patching their systems and keeping any applications and the operating system itself secure and up-to-date.

The actual techniques used to configure a secure FreeBSD server will vary according to the administrator and the server being set up. It is, however, always interesting to peek into another administrator's techniques and learn new tips and tricks to try on one's own systems.

This tutorial covers some of the tools available to the FreeBSD systems administrator and offers some solutions for automating the maintenance of FreeBSD servers. It includes scripts which will work "out-of-the-box"; note that they are intended to be a starting point for the administrator to add his own customizations. This tutorial does not pretend to be comprehensive and to cover all the options available for securing a server operating system.

This tutorial will cover:

• determining the partitioning and RAID schemes for the server

• deciding what to install

• editing make.conf

• rebuilding world to incorporate all changes since the operating system was last released

• the whys and hows of compiling a stripped down kernel

• deciding which applications to install via packages and which via ports

• using make options

• creating a software upgrade scheme using portupgrade and porteasy

• creating a backup mechanism using scponly

• general hardening tips


Pre-installation Planning

Careful planning before the operating system install can greatly ease the maintenance of the resulting server system. Questions that should be answered before the install are:

1. Will this server be using hardware or software RAID and what type of RAID (1, 5 or 10)?

2. What is the purpose of the server? For example, will it be a web server, mail server, FTP server, file server, VPN device, firewall?

3. Which operating system components need to be installed?

4. Which applications need to be installed on the system?

Partitioning Scheme:

While it is convenient to take advantage of the default partitioning scheme available with the FreeBSD installer, the defaults are suitable for a workstation, not for a server.

Here is an example of pressing "a" to create the default partition sizes; I've added the mount points for clarity:

FreeBSD Disklabel Editor

Disk: ad0 Partition name: ad0s1 Free: 0 blocks (0MB)

Part    Mount   Size     Newfs
----    -----   ----     -----
ad0s1a  <none>  256MB    *       /
ad0s1b  swap    614MB    SWAP
ad0s1d  <none>  256MB    *       /var
ad0s1e  <none>  256MB    *       /tmp
ad0s1f  <none>  13269MB  *       /usr

Notice that /var is way too small. You won't be fitting too many logs into that partition. You do have lots of room in /usr, though, and should recreate those two partitions manually to more appropriate sizes.

What sizes are appropriate? That depends upon the purpose of the server, or the answer to question number 2 above.


For example, a webserver without user directories doesn't need that much room in /usr. Calculate the space you'll need for /usr/bin and /usr/local, your existing HTML content, leave some room for growth and add a few hundred MB for good measure. The balance of the space should go to /var to leave lots of room for logging.

A server with shell accounts will need a larger /usr. When doing your calculations, estimate the number of users and decide upon how much disk space to allocate each user. You may wish to enforce quotas; see the quota section of the FreeBSD handbook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.htm) for configuration details.

If you're setting up a public FTP server, you should carefully choose the size of /usr as part of your security considerations to prevent your site from becoming a warez site (http://www.eits.uga.edu/wsg/security/FTP/anonymous_ftp_abuses.html).

Finally, keep in mind that you can never have too much space dedicated to logs. If you're storing logs locally, consider dedicating a separate drive to /var. An alternative is to configure syslog to log to another system.

What to Install:

When creating a server, especially an Internet-facing server, the less you install, the better. Choosing Minimal from the installation menu will install a working operating system.

You don't need the overhead of the entire ports collection in order to keep your ports up-to-date, so don't install it. However, you will want src so you can recompile your kernel and incorporate any changes to the operating system since it was released. If your Internet connection is slow, you may prefer to choose Custom and select src: installing the src package is quicker than using cvsup to download each and every src file.

Note: depending upon your security requirements, you may choose to remove src from the system as part of the hardening process. You can still keep your system patched if you have another system available with source code for when you need to recompile a system binary or a kernel.

Since I usually ssh into my servers from a FreeBSD system, I don't install any docs or manpages on the servers themselves.

X is not appropriate on a server system due to its overhead and inherent security risks. Fortunately, any FreeBSD administrative task can be performed at the command line. I recommend using a shell you are comfortable with and customizing your shell configuration file to ensure effectiveness at the command line. If you really must do some administrative tasks from a GUI, install webmin (http://www.webmin.com) on your workstation and restrict and monitor webmin access to the server.


Post-installation Preparation

After you reboot into the new operating system, your next tasks are to:

1. rebuild world to incorporate any changes since the operating system was released

2. compile a custom kernel

Rebuilding world:

Unless you happen to install the operating system the same day it is released, there will be changes and security fixes that you'll need to incorporate. After a fresh install, rebuilding world is an efficient way to incorporate those changes and ensure the operating system is current to today's date.

Start by creating a cvsup file similar to this example:

# more /root/.bin/.cvs-supfile
*default host=cvsup.pl.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_5_4
*default release=cvs delete use-rel-suffix compress
src-all

Using this default tag will incorporate all of the fixes and security advisories that affect any release starting with 5.4.

You'll need to install cvsup-without-gui before you can download or sync your src:

# pkg_add -r cvsup-without-gui
# rehash

Then, create the cvsup directory and run cvsup :

# mkdir /usr/local/etc/cvsup
# cvsup -L 2 /root/.bin/.cvs-supfile

If you have already installed src, only the changes since the operating system was released will be downloaded. If you haven't installed src yet, this will download the latest src.


Once src is downloaded, create a custom /etc/make.conf before rebuilding world:

# cp /usr/share/examples/make.conf /etc/make.conf

In your edits, don't forget to find and uncomment these 2 lines:

CFLAGS= -O -pipe
NOPROFILE= true # Avoid compiling profiled libraries

You'll also want to review this section and determine which portions of the system you don't want to build:

# To avoid building various parts of the base system:
#NO_ACPI= true # do not build acpiconf(8) and related programs
#NO_BOOT= true # do not build boot blocks and loader
#NO_CVS= true # do not build CVS
#NO_CXX= true # do not build C++ and friends
#NO_BLUETOOTH= true # do not build Bluetooth related stuff
<snip>

I like to keep a backup copy of /etc/make.conf so I don't have to re-edit on each system I set up.

Once you've finished your edits, you're ready to update the operating system:

# cd /usr/src
# make buildworld
# make buildkernel
# make installkernel
# shutdown now
# make installworld
# shutdown -r now

Note that dropping to single-user mode (shutdown now) isn't technically required on a server that you're still setting up and no one else is attached to. It is a good habit to get into, though, if you also rebuild world on production systems.


Customizing the Kernel:

I'm always amazed that many administrators are reluctant to recompile a kernel and only do so when the handbook indicates they must in order to configure a certain functionality.

Just as the default partitioning scheme isn't suited for a server, neither is the default kernel. Go in and take a close look at /usr/src/sys/i386/conf/GENERIC and ask yourself the following questions:

• does this system really need IPv6 support?

• do I really want NFS (and its inherent security risks) on an Internet-facing server?

• should I be loading filesystems I'll never use? (e.g. DOS, CD9660)

• do I need SCSI drivers on a non-SCSI system?

• do I need hardware RAID drivers if I'm using software RAID?

• do I really need to load dozens of NIC drivers if I always buy the same brand of NIC?

• do I need PCMCIA or wireless support on a non-laptop system?

• will I be using USB or Firewire?

When building a server, you want to strip out the functionality you don't need for two primary reasons:

1. performance: since the kernel is loaded into memory, unused filesystems and drivers waste RAM that could be better used elsewhere. This is particularly true for memory-intensive servers such as HTTP.

2. security: you can't exploit something that doesn't exist. As an example, why subject a server to a potential IPv6 vulnerability when the server doesn't even need IPv6 functionality?

Besides stripping the kernel of unneeded functionality, you may also wish to add options that aren't present in the default kernel. On a 5.x system, take a read through /usr/src/sys/i386/conf/NOTES to see what applies to your specific hardware and your server's security and performance needs.

Once you have an idea of what you wish to take out of and add to the default kernel configuration file:

# cd /usr/src/sys/i386/conf
# cp GENERIC CUSTOM

and customize CUSTOM to your server's needs.


For each of my servers, I like to create a record of the modifications and store a copy on my workstation:

# diff -l GENERIC CUSTOM > `hostname`_kernel_changes.`date +%d.%m.%y`

Once you have saved your changes, build and install the customized kernel and reboot into it:

# cd /usr/src
# make buildkernel KERNCONF=CUSTOM
# make installkernel KERNCONF=CUSTOM
# shutdown -r now


Software Installation

Remember the sysadmin's second mantra: document, document, document. You want to know exactly what software is required on a server and exactly how and when it was installed. This is especially important if you want to successfully keep that software patched and up-to-date without breaking anything during that process.

First determine which software is required on the system and make a list. Often with server software you'll want to research which application versions are available and which version is appropriate for that particular server's needs. For example, when setting up a webserver, research the pros/cons between using Apache 1.x and Apache 2.x. If setting up an SMTP server, take a look at the pros/cons of using Sendmail, Postfix, Qmail or other MTAs.

Pre-compiled binary or port?

Once you've settled on the applications and which versions, research each application's website to see if there are any make options you wish to incorporate into your binary. Do record the make options you will need. You and any future sysadmins will thank you for your diligence.

For the software that doesn't require specific make options, it makes sense to use pkg_add to install the pre-compiled binary. Don't worry if that binary is out-of-date; you'll be upgrading all software before putting the server into operation.

Preparing the system for future software upgrades:

Before installing anything, prepare the system for a minimal ports tree. This is needed in order to see which applications need to be upgraded and to successfully use portupgrade to upgrade them. However, there are techniques you can use to ensure portupgrade only has the port skeletons you need without having to maintain the entire ports collection.

First, edit /root/.cshrc and add this line to the environment variable section to set the CVSROOT:

setenv CVSROOT :pserver:[email protected]/home/ncvs

then inform the shell of the change:

# source /root/.cshrc

Then, use cvs to install the minimum required ports tools:

# touch /root/.cvspass
# cd /usr
# cvs login
Logging in to :pserver:[email protected]:2401/home/ncvs
CVS Password: anoncvs

# cvs checkout -A -P ports/Mk
cvs server: Updating ports/Mk
U ports/Mk/bsd.autotools.mk
U ports/Mk/bsd.emacs.mk
U ports/Mk/bsd.gcc.mk
U ports/Mk/bsd.gnome.mk
U ports/Mk/bsd.gnustep.mk
<snip>

# cvs checkout -A -P ports/Templates
cvs server: Updating ports/Templates
U ports/Templates/README.category
U ports/Templates/README.port
U ports/Templates/README.top
U ports/Templates/config.guess
U ports/Templates/config.sub

# cvs checkout -A -P ports/Tools
cvs server: Updating ports/Tools
U ports/Tools/make_index
U ports/Tools/make_readmes
cvs server: Updating ports/Tools/portbuild
U ports/Tools/portbuild/README
<snip>

# cvs checkout -A -P ports/Makefile
U ports/Makefile

Next, install porteasy. This utility downloads the required port skeletons, including dependencies, for any application you wish to install and keep up-to-date.

# pkg_add -r porteasy

Once porteasy is installed, use it to download its own port skeleton. You'll also want to download the port skeleton for cvsup-without-gui, which is the only other application currently installed:


# pwd
/usr
# porteasy -u misc/porteasy
U .cvsignore
U CHANGES
U LEGAL
U MOVED
U README
U UPDATING
U misc/Makefile
U porteasy/Makefile
U porteasy/pkg-descr
U porteasy/pkg-plist
U porteasy/src/porteasy.8
U porteasy/porteasy.pl
U lang/Makefile
U perl5.8/Makefile
<snip>

# porteasy -u net/cvsup-without-gui
U net/Makefile
U cvsup-without-gui/Makefile
<snip>
U ezm3/Makefile
<snip>
U devel/Makefile
U gmake/Makefile
<snip>
U gettext/Makefile
<snip>
U converters/Makefile
U libiconv/Makefile
<snip>
U libtool15/Makefile

Notice how porteasy downloads all of the dependencies as well as the ports subdirectories (e.g. net, devel, converters) required by those dependencies.


Installing Packages:

Now you have a routine. For each application you wish to install, use pkg_add -r to install it, followed by porteasy -u to download its port skeleton, which will be used to see if the binary is out-of-date and, if so, to upgrade it to the latest version.

Note that porteasy requires the location of the application within the ports structure. If you don't know the path, run this command after using pkg_add -r:

# pkg_info -ox cvsup-without-gui
Information for cvsup-without-gui-16.1h_2:

Origin:
net/cvsup-without-gui

One application you will want to build is portupgrade:

# pkg_add -r portupgrade
# porteasy -u sysutils/portupgrade
U sysutils/Makefile
U portupgrade/Makefile
<snip>
U databases/Makefile
U ruby18/Makefile
<snip>
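The routine just described (pkg_add -r, pkg_info -ox for the origin, porteasy -u for the skeleton) as one script. This is an added example, not a script from the tutorial: it stops at the first failed step and appends each install to a manifest, so the list of installed software documents itself. The manifest path /root/.bin/installed_ports is an assumption.

```shell
#!/bin/sh
# Added example, not from the tutorial: the install routine (pkg_add -r,
# then pkg_info -ox to find the origin, then porteasy -u for the skeleton)
# as one script that stops at the first failed step and appends what it did
# to a manifest, so the list of installed software documents itself.
# Assumption (hypothetical): the manifest is kept at /root/.bin/installed_ports.
MANIFEST="${MANIFEST:-/root/.bin/installed_ports}"

# origin_from_info: read "pkg_info -ox" output on stdin and print the port
# origin (e.g. net/cvsup-without-gui), which pkg_info prints on the line
# after "Origin:".  Prints nothing and returns 1 when no origin is present,
# for instance when the package name was mistyped or pkg_add failed.
origin_from_info() {
    awk '
        $1 == "Origin:" { if (NF > 1) { print $2; found = 1; exit }
                          want = 1; next }
        want && NF      { print $1; found = 1; exit }
        END             { exit found ? 0 : 1 }
    '
}

# record_install PKG ORIGIN: append one tab-separated line (date, package,
# origin) to the manifest.
record_install() {
    printf '%s\t%s\t%s\n' "$(date +%d.%m.%y)" "$1" "$2" >> "$MANIFEST"
}

# install_pkg PKG: install the binary package, fetch its port skeleton into
# /usr/ports so portupgrade can later compare versions, and record the install.
install_pkg() {
    pkg_add -r "$1" || { echo "pkg_add -r $1 failed" >&2; return 1; }
    origin=$(pkg_info -ox "$1" | origin_from_info) \
        || { echo "cannot determine the port origin of $1" >&2; return 1; }
    (cd /usr && porteasy -u "$origin") \
        || { echo "porteasy -u $origin failed" >&2; return 1; }
    record_install "$1" "$origin"
    echo "$1 installed; skeleton $origin fetched"
}

# Usage: sh install_pkg.sh portupgrade cvsup-without-gui ...
for pkg; do install_pkg "$pkg" || exit 1; done
```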


Preserving make Options:

If you have any applications that require make options, first download the required ports skeletons. Here is an example for Apache2:

# porteasy -u www/apache2
U www/Makefile
U apache2/Makefile
<snip>

The Apache2 port is particularly complex as it supports many make options organized into categories. You'll want to work your way through the three make targets:

# cd /usr/ports/www/apache2
# make show-options | more
Available knobs:
By default, modules are compiled as dynamically loadable (DSO) modules:
Modules knobs philosophy:
Modules are split in categories, "make show-categories" shows you
which modules they contain. You can enable/disable/customize a category:
- To enable a category: WITH_<CATEGORY>_MODULES=yes
  [WITH_PROXY_MODULES=yes]
- To disable a category: WITHOUT_<CATEGORY>_MODULES=yes
  [WITHOUT_DAV_MODULES=yes]
- To customize a category: WITH_CUSTOM_<CATEGORY>
<snip>
Available make targets:
show-options: prints this message
show-modules: prints list of available modules
show-categories: prints list of modules sorted by category

<snip>

To see which modules are enabled/disabled by default:

# make show-modules | more
access: enabled (shared)
auth: enabled (shared)
auth_anon: enabled (shared)
auth_dbm: enabled (shared)
auth_digest: enabled (shared)
dav: enabled (shared)
dav_fs: enabled (shared)
bucketeer: disabled
<snip>


And to view the possible categories:

# make show-categories | more
AUTH contains these modules: access auth auth_anon auth_dbm auth_digest
DAV contains these modules: dav dav_fs
<snip>

Here is an example where Apache2 will be compiled with the PROXY module (which is disabled by default) and with a customized AUTH module that only includes access, auth and auth_anon:

# make -DWITH_PROXY_MODULES WITH_CUSTOM_AUTH="access auth \
auth_anon" install clean
To enable a module category: WITH_<CATEGORY>_MODULES
To disable a module category: WITHOUT_<CATEGORY>_MODULES
Per default categories are: AUTH DAV MISC
Categories available: AUTH DAV EXPERIMENTAL LDAP MISC PROXY SSL SUEXEC THREADS
To see all available knobs, type make show-options
To see all modules in different categories, type make show-categories
You can check your modules configuration by using make show-modules
To save apache.org bandwidth, please use the closest
mirror. Hit Ctrl+C now and do a make print-closest-mirrors.
To automatically update /etc/make.conf do:
make print-closest-mirrors >> /etc/make.conf
=> httpd-2.0.54.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/apache2.
=> Attempting to fetch from http://www.apache.org/dist/httpd.
<snip>

Note how I specified my make options. It is equally correct to use either -DWITH_PROXY_MODULES or WITH_PROXY_MODULES=yes. However, since WITH_CUSTOM_AUTH="access auth auth_anon" includes an equals sign, you can't start that option with -D.

While your customized binary is compiling, edit /usr/local/etc/pkgtools.conf. If you don't, you will lose your make options when portupgrade upgrades your binary.

If this file isn't on your system, copy over the sample file:

# cp /usr/local/etc/pkgtools.conf.sample /usr/local/etc/pkgtools.conf

Open up the file in your favourite editor and search for the MAKE_ARGS section:


# MAKE_ARGS: hash
#
# This is a hash of ports glob or package glob => arguments mapping.
# portupgrade(1) and portinstall(1) look it up to pick command line
# arguments to pass to make(1). You can use wildcards ("ports glob"
# or "package glob"). If a port/package matches multiple entries,
# all the arguments are joined using the space as separator.
#
# cf. -m/--make-args of portupgrade(1), ports_glob(1)
#
# You can alternatively specify a procedure instead of a string if
# you want to specify arguments which can vary depending on the port.
# The procedure is called with a port origin as an argument.
#
# e.g.:
# MAKE_ARGS = {
#   'databases/mysql323-*' => 'WITH_CHARSET=ujis',
#   'ruby18-*' => 'RUBY_VER=1.8',
#   'ruby16-*' => 'RUBY_VER=1.6',
# }
#
# To specify multiple arguments for each port, use one of the
# following:
#
# MAKE_ARGS = {
#   # a) Separate them with the space
#   'databases/mysql41-*' => 'WITH_LINUXTHREADS=1 SKIP_DNS_CHECK=1',
#
#   # b) Specify them using an array
#   'databases/mysql41-*' => [
#     'WITH_LINUXTHREADS=1',
#     'SKIP_DNS_CHECK=1',
#   ],
# }

Those comments are meant to get you started. Your customizations belong in this section, which immediately follows the comments:

MAKE_ARGS = { }


For the preceding Apache2 example, this would be the modification:

MAKE_ARGS = {
  'www/apache2-*' => [
    'WITH_PROXY_MODULES=yes',
    'WITH_CUSTOM_AUTH=access auth auth_anon',
  ],
}

You should check this file for syntax errors by running portversion -l "<". If you do have a syntax error, it will be marked with the ^ marker, as in this example where I forgot to include a comma at the end of the WITH_PROXY_MODULES line. Notice that the marker is at the character after the missing comma:

# portversion -l "<"
** Error occured reading /usr/local/etc/pkgtools.conf:
/usr/local/etc/pkgtools.conf:313: syntax error
'WITH_CUSTOM_AUTH=access auth auth_anon',
^
/usr/local/etc/pkgtools.conf:313: syntax error

It's always a good idea to keep a copy of each server's customized pkgtools.conf on your administrative workstation.

/var/db/ports:

Some ports present you with an ncurses menu which allows you to pick and choose your make options. Use the make config target to determine if this is the case.

For example:

# cd /usr/ports/www/apache2
# make config
===> No options to configure

This port doesn't offer a menu to choose options, which is why we went to the trouble of researching the various modules and categories. However, this port does:


# cd /usr/ports/ftp/pure-ftpd
# make config

The nice thing about these ports is that they save your selection to /var/db/ports to be available the next time the binary is recompiled (say, during an upgrade):

# more /var/db/ports/pure-ftpd/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for pure-ftpd-1.0.20_3
_OPTIONS_READ=pure-ftpd-1.0.20_3
WITHOUT_LDAP=true
WITHOUT_MYSQL=true
WITH_PAM=true
WITHOUT_PGSQL=true
WITHOUT_PRIVSEP=true
WITHOUT_PERUSERLIMITS=true
WITHOUT_THROTTLING=true
WITH_BANNER=true


Upgrading Software

Now that your software is installed, create some simple scripts to assist you in keeping the applications up-to-date.

Here is an example that will notify you if any software needs upgrading, but still requires manual intervention to do the actual upgrade:

# more /root/.bin/.check_upgrades
#!/bin/sh
# check to see if /usr/src has changed
cvsup -L2 /root/.bin/.cvs-supfile

# download latest port index and incorporate into database of installed software
cd /usr/ports
make fetchindex
portsdb -u

# report on which applications are out-of-date
echo "The following ports need upgrading"
portversion -l "<"

This script is very light-weight, runs very quickly and gets the job done. You can either instruct cron to run the script and email the contents to root or run the script manually as part of your administrative routine. I prefer to use the results of the script to help me identify an upgrade path. Depending upon the software that needs upgrading, I may decide to schedule the upgrade for a time that will least impact users and can research if there have been any configuration changes I need to be aware of in the new version of the software.

Note: don't forget the importance of reading /usr/ports/UPDATING.

Remember, when you do decide to upgrade a program, first use porteasy to download the required port skeletons. Once you have the port skeletons, remember to inform portupgrade to also upgrade any dependencies. For example:

# cd /usr
# porteasy -u net/cvsup-without-gui
# portupgrade -rR cvsup-without-gui


On some systems I also like to use portaudit to inform me of any existing vulnerabilities:

# cd /usr
# porteasy -u security/portaudit
# pkg_add -r portaudit
===> To check your installed ports for known vulnerabilities now, do:

/usr/local/sbin/portaudit -Fda

# rehash
# portaudit -Fda
auditfile.tbz 100% of 24 kB 58 kBps
New database installed.
Database created: Thu May 26 15:10:09 EDT 2005
0 problem(s) in your installed packages found.

Adding that line to your check-upgrades script will keep you informed of any new security vulnerabilities. Sometimes there will be a time lag between when a vulnerability is found and a patch or a new version of the application that addresses the vulnerability is released. Using the results of your script, you can determine the best course of action until the vulnerability is addressed.


Creating a Backup Solution

If document, document, document is the sysadmin's second mantra, backup, backup, backup is the first. The backup solution you implement will vary from scenario to scenario. Some questions to ask yourself:

• what will I be backing up to? tape, another drive on the local system, another system on the same or a different network, etc.

• what files or filesystems do I want to backup?

• do I have the storage space to handle full backups or should I do incremental?

• how time sensitive are the backups? Should I sync two systems, or can I afford a time lag between backups?

There are many tools available to create a custom backup solution, ranging from the built-in FreeBSD utilities to third-party software applications available through the ports collection. In a more complex scenario you may wish to investigate:

• bacula http://www.bacula.org

• rsnapshot http://www.rsnapshot.org

• boxbackup http://www.fluffy.co.uk/boxbackup/

Homegrown Solution Using scponly:

In a simpler scenario where backups aren't time sensitive and you wish to back up to another system, consider creating your own script. Choose your favourite archiver (tar, cpio, pax) and use scp to protect the backup while it traverses the network. In addition, use scponly (http://www.sublimation.org/scponly/) to protect the backup account by ensuring it is only used for scp.

On the system that is to receive the backups:

# pkg_add -r scponly
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/Latest/scponly.tbz... Done
Updating /etc/shells

On the system to receive the backups, create a backup user, giving it a shell of /usr/local/bin/scponly. Become that user and create this directory:

# su -l bkp
$ mkdir .ssh


On the system you are backing up, create the same backup user and su to that account in order to generate a public/private key with an empty passphrase:

# su -l bkp
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bkp/.ssh/id_rsa):
Created directory '/home/bkp/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bkp/.ssh/id_rsa.
Your public key has been saved in /home/bkp/.ssh/id_rsa.pub.
The key fingerprint is:
20:42:b9:e6:41:73:c6:28:57:5a:cc:d8:cb:49:12:80 [email protected]

Then, copy over the public key to the system which will be receiving the backups:

$ scp .ssh/id_rsa.pub 1.1.1.1:/usr/home/bkp/.ssh/authorized_keys
Password:
id_rsa.pub 100% 231 0.2KB/s 00:00

Verify that public key authentication is working by sshing to the system to receive the backups:

$ ssh 1.1.1.1
$ exit

Once it is, change the shell to /sbin/nologin for the bkp account on the system being backed up.

A Simple Backup Script:

Next, on the system you wish to back up, create your script. Here is a simple example to get you started:

# more /root/.bin/.backup
#!/bin/sh
cd /usr/backups
tar czvf etc_backup.`date +%d.%m.%y`.tgz /usr/local/etc/
scp etc_backup.`date +%d.%m.%y`.tgz [email protected]:/usr/home/bkp/
rm /usr/backups/etc_backup.`date +%d.%m.%y`.tgz


Don't forget to create the /usr/backups directory as a temporary holding place for the backup until it is scp'd over to the backup host. This particular tar statement makes a compressed archive of /usr/local/etc saved with a datestamp in the filename. Note that when you use scponly, the backup is meant to be placed in the home directory of the user account running the scponly shell. This script then removes the temporary backup from /usr/backups once the file has been copied over to the backup host. A more sophisticated script would include checks to ensure the scp was successful. Finally, note that this script is owned by root so it is able to backup any files you specify; however the scp is executed by the restricted bkp shell.

Once you have a script, test it at the command line to ensure it works and your scp is successful. Then, use cron to schedule your backup script.
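The "more sophisticated script" with checks that the text mentions, as an added example that is not the tutorial's own script: every step is verified, a checksum file travels with the archive (scponly permits no remote commands, so verification happens on the backup host), and the local copy is removed only after the transfer succeeds. The host 1.1.1.1, account bkp, staging directory /usr/backups and source /usr/local/etc are the same assumptions as in the text; all can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: the etc backup above with the
# "checks to ensure the scp was successful" that the text mentions.  Each step
# is verified, and the local copy is removed only after the transfer succeeds.
# Assumptions (hypothetical, matching the text): backup host 1.1.1.1, scponly
# account bkp with home /usr/home/bkp, staging dir /usr/backups, source
# /usr/local/etc.  All can be overridden through the environment.
BACKUP_HOST="${BACKUP_HOST:-1.1.1.1}"
BACKUP_USER="${BACKUP_USER:-bkp}"
REMOTE_DIR="${REMOTE_DIR:-/usr/home/bkp}"
STAGING="${STAGING:-/usr/backups}"
SOURCE_DIR="${SOURCE_DIR:-/usr/local/etc}"
SCP="${SCP:-scp}"   # transfer command; replaceable so the logic can be tested offline

# digest FILE: print the SHA-256 of FILE (sha256(1) on FreeBSD, sha256sum(1)
# or shasum(1) elsewhere).
digest() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_archive STAGING SOURCE: write etc_backup.DD.MM.YY.tgz into STAGING and
# print its path.  A failed tar or an unreadable archive is deleted rather
# than shipped, so a truncated backup never silently replaces a good one.
make_archive() {
    archive="$1/etc_backup.$(date +%d.%m.%y).tgz"
    [ -d "$1" ] || { echo "staging directory $1 is missing" >&2; return 1; }
    if ! tar czf "$archive" "$2" 2>/dev/null || ! tar tzf "$archive" >/dev/null 2>&1; then
        rm -f "$archive"
        echo "archiving $2 failed" >&2
        return 1
    fi
    echo "$archive"
}

# ship ARCHIVE: copy the archive and a .sha256 file beside it to the backup
# host.  scponly allows no remote commands, so the checksum is sent as a file
# and verified on the backup host (or during a restore test) rather than over
# the same connection.
ship() {
    sum="$1.sha256"
    digest "$1" > "$sum" || return 1
    $SCP "$1" "$BACKUP_USER@$BACKUP_HOST:$REMOTE_DIR/" || return 1
    $SCP "$sum" "$BACKUP_USER@$BACKUP_HOST:$REMOTE_DIR/"
}

# run_backup: archive, ship, and only then clean up the staging copy.  On a
# failed transfer the archive is kept in STAGING so the next run (or a manual
# scp) can retry without re-archiving.
run_backup() {
    archive=$(make_archive "$STAGING" "$SOURCE_DIR") || return 1
    if ! ship "$archive"; then
        echo "transfer to $BACKUP_HOST failed; keeping $archive for retry" >&2
        return 1
    fi
    rm -f "$archive" "$archive.sha256"
    echo "backed up $SOURCE_DIR to $BACKUP_USER@$BACKUP_HOST:$REMOTE_DIR"
}

# Run as "sh backup.sh run" (from cron, for example); without the argument the
# file only defines the functions, which makes it easy to source and test.
case "${1:-}" in run) run_backup ;; esac
```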


General Hardening Tips

A FreeBSD server with a minimal install running the minimum required applications with a mechanism to keep the operating system and applications up-to-date is well on its way to becoming a secure system. Besides protecting the system itself with firewall rules and monitoring applications, there are other tweakables available on the system itself.

Consider:

• restricting ssh access using the AllowUsers keyword in /etc/ssh/sshd_config

• using chflags to set the schg flag on system binaries and configuration files that don't require modifications

• implementing a file integrity checking system such as tripwire (http://www.tripwire.com), aide (http://www.cs.tut.fi/~rammer/aide.html) or implementing your own using mtree

• changing /etc/motd, adding an ssh banner, and removing the COPYRIGHT notice

• subscribing to the FreeBSD security advisories mailing list (http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications)

• reviewing mount(8) to see if any options are applicable to your filesystems

• reviewing your sysctl(8) settings; http://sysctl.enderunix.org/ provides some helpful descriptions

• reviewing your rc.conf(5) settings

Finally, do:

• read root's emails daily and have a log review action plan
