Security and Troubleshooting FreeBSD 5.4
Transcript of Security and Troubleshooting FreeBSD 5.4
Securing FreeBSD
Presented by: Adam Wien
Training Seminar 2006
Main Topics
● hosts.allow
● sshd
● login.conf
● cvsup
● IPFW
hosts.allow
● Location:
– /etc/hosts.allow
● Layout:
– service : FROM : allow/deny
● Default is to allow all services:
– ALL : ALL : allow
Editing hosts.allow
● We want to deny all and allow some. Rules are matched first to last, so the catch-all deny must be the last line.
● ftpd : ALL : allow
● sshd : ALL : allow
● exim : ALL : allow
● ALL : ALL : deny
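As an added example (not from the slides), a POSIX shell function that evaluates a hosts.allow-style ruleset with first-match semantics and shows why the catch-all deny has to come last; it handles only the exact names and the ALL keyword the slide uses, not the full hosts_access(5) syntax.

```shell
#!/bin/sh
# Added example, not from the slides: a first-match evaluator for
# hosts.allow-style rules ("daemon : client : allow|deny"). Only exact
# daemon names, exact client addresses and the ALL keyword are handled,
# which is all the slide's ruleset uses; real hosts_access(5) also supports
# wildcards, netmasks and EXCEPT, and only daemons built with libwrap or
# started through tcpd consult the file at all.

# Constructed rulesets. RULES_OK is the slide's order; RULES_BAD puts the
# catch-all deny first, which shadows every later allow line.
RULES_OK='ftpd : ALL : allow
sshd : ALL : allow
exim : ALL : allow
ALL : ALL : deny'

RULES_BAD='ALL : ALL : deny
sshd : ALL : allow'

# hosts_decide RULES DAEMON CLIENT -> prints allow, deny or nomatch.
# The search stops at the first matching line. In hosts_access(5) a ruleset
# with no matching line grants access, which is why "ALL : ALL : deny" is
# needed at the end of a deny-all, allow-some policy.
hosts_decide() {
    printf '%s\n' "$1" | awk -F':' -v d="$2" -v c="$3" '
        /^[ \t]*(#|$)/ { next }                       # comments and blanks
        {
            for (i = 1; i <= 3; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if (($1 == "ALL" || $1 == d) && ($2 == "ALL" || $2 == c)) {
                print $3; found = 1; exit
            }
        }
        END { if (!found) print "nomatch" }'
}
```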
sshd
● Improving on default security.
● Location:
– /etc/ssh/sshd_config
Secure Shell (SSH) Public Key Authentication
● Only someone with the public and private key may access your server.
● More administrator involvement in who is provided shell access.
● Removes the dependence on the server's password file as the only means of authentication.
Enabling Public Key Authentication
● Edit /etc/ssh/sshd_config
● Uncomment PubkeyAuthentication and change it to “yes”
● Uncomment AuthorizedKeysFile
● Restart sshd
– /etc/rc.d/sshd restart
Generating Public and Private Keys
● ssh-keygen -t dsa -f server.key
● This will create two files:
– server.key: the private key
– server.key.pub: the public key
● Install your public key into your, or the user's, home directory under .ssh/authorized_keys.
Accepting only SSH2 Connections
● We want to enable only SSH2-compliant connections.
● Edit /etc/ssh/sshd_config
● Uncomment “Protocol 2”
● Restart sshd
– /etc/rc.d/sshd restart
Disabling Local PAM Authentication in SSH
● We want to disable local password authentication completely so a user must have a valid key pair to gain shell access to the server.
● Edit /etc/ssh/sshd_config
● Change both PasswordAuthentication and UsePAM to “no”.
● Restart sshd (/etc/rc.d/sshd restart)
● Be sure you have generated a key pair and are able to access your server using it, or this step will lock you out!
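The sshd_config changes from the slides above, applied by an added shell script (not from the slides) that edits a config file idempotently and refuses to disable password logins until an authorized_keys file is in place; the file paths and the `harden_sshd`/`sshd_set` function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: apply the sshd_config changes from the
# preceding slides idempotently, with a guard against the lock-out the last
# slide warns about. File paths are parameters so the script can be rehearsed
# on a copy before it is pointed at /etc/ssh/sshd_config.

# sshd_set FILE DIRECTIVE VALUE
# Rewrites an existing line for DIRECTIVE, commented out or not, to
# "DIRECTIVE VALUE"; appends the directive if the file never mentions it.
sshd_set() {
    file=$1 key=$2 val=$3
    if grep -q "^[# ]*$key[[:space:]=]" "$file"; then
        # sed -i behaves differently on BSD and GNU, so go through a temp file;
        # '|' is the s/// delimiter because values may contain '/'.
        sed "s|^[# ]*$key[[:space:]=].*|$key $val|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# sshd_get FILE DIRECTIVE -> the value sshd would use (first active line wins)
sshd_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE AUTHORIZED_KEYS
# With PasswordAuthentication and UsePAM both "no", an account without an
# installed public key has no way in, so refuse unless AUTHORIZED_KEYS is
# non-empty (check the path for the account you will log in with).
harden_sshd() {
    cfg=$1 keys=$2
    if [ ! -s "$keys" ]; then
        echo "refusing: $keys is missing or empty; install a public key first" >&2
        return 1
    fi
    sshd_set "$cfg" PubkeyAuthentication yes
    sshd_set "$cfg" AuthorizedKeysFile .ssh/authorized_keys
    sshd_set "$cfg" Protocol 2
    sshd_set "$cfg" PasswordAuthentication no
    sshd_set "$cfg" UsePAM no
}
# Afterwards: sshd -t to syntax-check the file, then /etc/rc.d/sshd restart.
```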
Setting User Limits with login.conf
● Location:
– /etc/login.conf
● You can either make changes in /etc/login.conf or create a file in a user's home directory called .login_conf.
Setting User Limits with login.conf (continued)
● Example entry:
Username:\
	:maxproc=50:\
	:memoryuse=50M:\
	:openfiles=20:
– Run cap_mkdb /etc/login.conf to build the login.conf database file.
cvsup
● cvsup is a program used for downloading sources from a cvsup server.
● Installation: 'pkg_add -r cvsup-without-gui'
● We need to copy our cvsup configuration file. We'll just use an existing example and edit it.
● cp /usr/share/examples/cvsup/stable-supfile /root
● Edit /root/stable-supfile
stable-supfile
● *default host=cvsup11.freebsd.org
● *default base=/var/db
● *default prefix=/usr
● *default release=cvs tag=RELENG_5
● *default delete use-rel-suffix
● *default compress
● src-all
● ports-all tag=.
stable-supfile Explained
● The only line you should really be concerned with here is the release line. Specifying RELENG_5 will give you the latest version of FreeBSD 5-STABLE. Specifying RELENG_5_4 will provide you with the latest RELEASE of FreeBSD 5.4.
Downloading Sources
● Next we need to pull down our sources by running 'cvsup -g -L 2 stable-supfile'.
● This will take a while depending on your connection speed.
Adding IPFW and QUOTA support to your kernel
● Enter the directory /usr/src/sys/`uname -p`/conf/ and copy the GENERIC kernel configuration to CPANEL.
Kernel Options
● options IPFIREWALL
● options IPFIREWALL_DEFAULT_TO_ACCEPT
● options IPFIREWALL_VERBOSE
● options DUMMYNET
● options QUOTA
Recompiling your Kernel
● Enter the /usr/src directory and issue the following command:
– make buildkernel KERNCONF=CPANEL
● Next we need to install the new kernel by issuing:
– make installkernel KERNCONF=CPANEL
Rebuilding System Binaries
● Enter the /usr/src directory and issue:
– make buildworld
● When this finishes we need to install those binaries by running:
– make installworld
● When this finishes we need to run:
– mergemaster
Enabling IPFW
● First we need to edit
– /etc/rc.conf
● firewall_enable="YES"
● firewall_script="/etc/rc.firewall"
● firewall_type="/etc/ipfw.rules"
● firewall_quiet="NO"
● firewall_logging="YES"
● firewall_flags=""
Basic Rule
● This rule will allow all traffic coming in from the lo0 interface (loopback). There should be no need to filter this.
● add allow ip from any to any in via lo0
– add: add a rule
– allow: allow this connection
– ip: all IP protocols
– from: source
– any: anywhere
– to: destination
– any: anywhere
Basic Rule (continued)
– in: inbound packets
– via: via an interface
– lo0: loopback interface
Allowing Resolving Nameservers
● We need to allow the nameservers listed in
– /etc/resolv.conf
● Here's an example using cPanel's primary nameserver.
add allow udp from any to 69.90.250.18 out via xl0
add allow udp from 69.90.250.18 to any in via xl0
Default Deny Rule
● Deny and log everything else arriving on xl0.
add deny log logamount 1000 all from any to any in via xl0
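The rule set from the Basic Rule, resolver and default-deny slides, produced by an added shell script (not from the slides) that generates the file firewall_type points at for every nameserver in a resolv.conf; the `ipfw_rules` function, the sample resolv.conf and the port 53 restriction are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: generate the rule file that
# firewall_type="/etc/ipfw.rules" in rc.conf points at, extending the
# resolver slide to every nameserver in a resolv.conf. The interface and the
# resolv.conf text are parameters; the rules are the slides' own, except that
# the resolver rules are pinned to UDP port 53 (a tightening added here).

# Constructed resolv.conf for the demonstration (the slide shows one server).
RESOLV_CONF='search example.invalid
nameserver 69.90.250.18
nameserver 192.0.2.53
# trailing comment'

# ipfw_rules IFACE RESOLV_CONF_TEXT -> rule file body on stdout.
# Only inbound traffic is filtered: outbound falls through to the kernel's
# default rule, which IPFIREWALL_DEFAULT_TO_ACCEPT makes an accept.
ipfw_rules() {
    iface=$1
    # loopback is never filtered
    echo "add allow ip from any to any in via lo0"
    # per nameserver: our queries out, its replies back in
    printf '%s\n' "$2" | awk -v ifc="$iface" '
        $1 == "nameserver" {
            printf "add allow udp from any to %s 53 out via %s\n", $2, ifc
            printf "add allow udp from %s 53 to any in via %s\n", $2, ifc
        }'
    # everything else inbound on the public interface: deny and log,
    # capped at 1000 log entries per rule so a flood cannot fill the disk
    echo "add deny log logamount 1000 all from any to any in via $iface"
}

# rule_count IFACE RESOLV_CONF_TEXT -> number of rules generated
rule_count() {
    ipfw_rules "$1" "$2" | wc -l | tr -d ' '
}

# Install with: ipfw_rules xl0 "$(cat /etc/resolv.conf)" > /etc/ipfw.rules
```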
Conclusion
● FreeBSD is a very secure and capable operating system.
● It is the operating system of choice for large-scale companies such as Yahoo and is widely used at cPanel.
● Included on the CDs provided is the complete list of firewall rules for a default cPanel® installation.
● Questions and Answers