Re: what do you think of these instructions for install & hardening?
- From: Giorgos Keramidas <keramida@xxxxxxxxxxxxxxx>
- Date: Thu, 26 Jan 2006 15:51:51 +0200
On Wed, 25 Jan 2006 17:06:59 -0500, "Notgiven" <notreallyme@xxxxxxxxxxxxxxx> wrote:
> I saw these instructions for install, post-install, hardening and
> adding some ports.
>
> Since I am still new to this, what do you guys think of it?
>
> http://www.ccs.neu.edu/home/jabra/pub/snort-docs/freebsd-postinstall.html
>
> Everything look fine to do, safe, secure,...?
There are too many wrong things with that reference. See comments
inline, below. The original text is the one quoted like this:
% This document was written and is being maintained by Joshua D.
% Abraham. It assumes the user has a basic understanding of computers.
% This document contains the steps for installing useful tools after
% the core install. This document contains the small differences
% between FreeBSD 5.4 and FreeBSD 6.0.
My comments follow every place where I found something questionable.
They are, of course, my own personal opinion, so YMMV:
% It assumes the user has a basic understanding of computers.
This is a very vague assumption and sometimes a very unsafe one to
make. What does `basic understanding' mean? Should you know enough
about BIOS partitions? What about networking, system services,
firewalls, installing applications, tracking problems and
troubleshooting?
Depending on the context, some of these things may be considered
`basic'. Other times, they are `advanced'.
% This document contains the steps for installing useful tools after the
% core install.
Useful to whom? Certainly ee(1) is barely useful to me. Network
interface addresses that match a network where I have absolutely no
access are pretty useless too.
% This document contains the small differences between FreeBSD 5.4
% and FreeBSD 6.0.
It doesn't.
The differences between 4.X and 5.X are listed and explained in the
``Migration Guide'' document that was packaged as part of the 5.X
releases.
The differences between 5.X and 6.X are not so many, but the definitive
reference for these are the release notes of the 6.X series, which are
available online at the release information page of `www.freebsd.org':
http://www.freebsd.org/releases/
% If you have any suggestions, comments or questions please feel free to
% email me at jabra (-at-) ccs (dot) neu (dot) edu.
I probably will. Someone may read this document and start doing
*exactly* as told, ending up with a whole lot of problems that shouldn't
really be there.
% Please note
% this is a two 2
% this is a z Z
Huh? While I agree that font problems plague users at some
environments, making it easy to get confused when capital 'I', lowercase
el 'l' and the number one '1' are used, this is not really a very good
way of adding a ``typographical conventions'' section -- if one can
speak of typographical conventions for plain text...
% 1a) Install cvsup-without-gui
%
% $ pkg_add -r cvsup-without-gui
Why? Some machines are not installed as ``build machines'', but only as
``production systems'', with only a specific release of FreeBSD, and the
bare minimum of programs necessary to run the system. CVSup is useful
only if you plan to download the sources and start compiling things on
your own. It very often makes sense, but it's not something like a
silver bullet that everyone should carry around in case they happen to
meet a werewolf.
% 1) Secure Machine
%
% $ ee /etc/rc.conf
%
% ADD the following lines
%
% sendmail_enable="NONE"
% inetd_enable="NO"
% ntpdate_flags="north-America.pool.ntp.org"
% ntpdate_enable="YES"
Why, again?
Why is Sendmail disabled? Cron jobs that mail root to localhost will
most certainly fail this way.
Why does inetd have to be set to "NO"? Its default value is "NO" already.
If it does matter to have a synchronized clock, why is only ntpdate
enabled and not ntpd too? The ntpdate utility will only run *ONCE* at
boot time, and then the clock will merrily start getting out of sync
again.
These settings are all wrong or make no sense.
% Tweaked configs for Your environment
%
% ifconfig_fxp0="inet 10.0.0.30 netmask 255.255.240.0"
% ifconfig_fpx1="inet 0.0.0.0 netmask 255.255.255.0"
% defaultrouter="10.0.0.1"
These *may* be useful if you happen to be part of a network similar to
the one of the author. Understanding *why* each one of these options is
necessary in that case and *what* you can use to match your local
network setup is a very different story than just copy-pasting a few
shell vars in `rc.conf' though.
The Handbook has a special section explaining these things:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/config-network-setup.html
The rc.conf(5) manpage has a description of the `network_interfaces'
variable of `rc.conf':
# man 5 rc.conf
These are the documents you should read, not a random set of 2-3
options, which are almost certainly wrong for your own network.
% Save and Quit [ esc a a ]
% -------------------------
%
% $ ee /etc/ssh/sshd_config
%
% CHANGE the following
%
% #Protocol 2
% to
% Protocol 2
%
% and CHANGE the following
%
% #PermitRootLogin no
% to
% PermitRootLogin no
This is an entirely meaningless change. The `/etc/ssh/sshd_config' and
`/etc/ssh/ssh_config' files already have the default options as
comments, so that you can instantly see what their value will be if you
don't modify anything. Uncommenting a "default" setting is not really a
useful change.
It *does* create a problem though if you try to update these files with
mergemaster later on, because all these unnecessary manual tweaks will
increase the time you have to go through diffs and see if something
really important has to change.
% # changes the console to not logout
% $ ee /etc/ttys
%
% CHANGE the following
%
% console none unknown off secure
% to
% console none unknown off insecure
ABSOLUTELY NOT, unless you really know what you are doing!
There is no mention of having to create a non-root user so far, and if
you do this, then `root' cannot login to the system console. You will
be forced to log into the system as a non-root user and then use su(1)
to get administrator privileges.
For users who are new to FreeBSD and need a bit of hand-holding after
the initial installation, this is TERRIBLE advice. It's a recipe for
locking yourself out.
% $ ee /etc/netstart
Why? This is wrong. The comments near the top of this script are very
informational and you should pay attention to them:
# This file is NOT called by any of the other scripts - it has been
# obsoleted by /etc/rc.d/* and is provided here only for user
# convenience (if you're sitting in single user mode and wish to start
# the network by hand, this script will do it for you).
In short, don't use /etc/netstart. It is obsolete, and not necessary
now that you can have more fine-grained control of what starts and what
is disabled.
To start all the interfaces, use the `/etc/rc.d/netif' script:
# /etc/rc.d/netif start
Similarly, you can stop all interfaces with:
# /etc/rc.d/netif stop
Note though that this is not a good idea, if you are connected to
the system through one of the interfaces. You will be disconnected
and left without network access to the system.
% 2) Install ports tree
%
% $ cp /usr/share/examples/cvsup/ports-supfile /root/
% $ cp /usr/share/examples/cvsup/stable-supfile /root/
%
% $ ee /root/ports-supfile
%
% CHANGE the following
%
% *default host=CHANGE_THIS.FreeBSD.org
% to
% *default host=cvsup4.FreeBSD.org
Do you need the Ports? Quite possibly, but not always. Many people
install the package of portupgrade and then use the -PP option to pull
only pre-compiled binaries from the public servers, saving time that
would be spent building programs from source.
Is this something you would do? I don't know. The choice is yours.
What you *should* do is read the relevant sections of the Handbook and
decide for yourself:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports.html
% 3) Setup scripts for maintaining systems
%
% $ mkdir /root/scripts
% $ cd /root/scripts
%
% $ ee ports-update.sh
%
% Write the following
%
% #!/bin/sh
% # updating port
% echo "Beginning Ports Update"
% /usr/local/bin/cvsup -g -L 2 /etc/ports-supfile
% echo "Ports Update Complete"
Relatively good advice. But still, it's a requirement of the whole
"Ports" installation, which may not be what you need.
% $ ee src-update.sh
%
% Write the following
%
% #!/bin/sh
% # updating source
% echo "Beginning Source Update"
% /usr/local/bin/cvsup -g -L 2 /etc/stable-supfile
% echo "Source Update Complete"
See above for systems that don't have a need or use of the source tree.
% $ chmod +x *.sh
%
% $ chmod 640 /etc/ports-supfile
% $ chmod 640 /etc/stable-supfile
That's ok. The only problem is that if you have followed the advice of
this document so far, there are no supfiles in `/etc'. They were copied
under `/root' ...
% $ cp /root/ports-supfile /etc/
% $ cp /root/stable-supfile /etc/
... which is obvious if you reach this part.
% 4) Rebuild the entire machine and Kernel
%
% $ /root/scripts/src-update.sh
%
% $ cd /usr/src
%
% # Note if want to use a custom kernel copy the GENERIC file and
% # rebuild using KERNCONF=CUSTOM
%
% After you enter the following go to lunch ( THIS WILL TAKE A WHILE)
%
% $ make buildworld && make buildkernel KERNCONF=GENERIC
% $ make installkernel KERNCONF=GENERIC && make installworld
There is absolutely *NO* good reason to use the default compile options
and rebuild everything from source. What you will get is, essentially,
the same installation as the one you just completed.
Why waste all that time rebuilding from source something that is readily
available in your installation CD-ROMs?
% $ mergemaster -p
%
% $ reboot
DEFINITELY NOT! In this case, failing to run mergemaster correctly is
probably ok, as you are essentially rebuilding the release CD-ROM
binaries. But if you upgrade from source, running just "mergemaster -p"
and then rebooting is NOT a good idea.
The correct instructions for updating from source are listed in at least
a couple of places:
* In the /usr/src/UPDATING file of your source tree.
* In the Handbook.
Please read these. Especially the `UPDATING' file. Look for that part
of `UPDATING' that starts with:
To rebuild everything and install it on the current system.
-----------------------------------------------------------
These are the instructions that you should follow.
% Login: root
% password: password
There's a tiny problem here.
If you did reboot after changing `/etc/ttys' to define the `console' as
insecure, you CANNOT log into the system as `root'. Oops! :)))
% $ cd /usr/src
% $ make clean
Slightly useful. That's probably a very slow way of cleaning up things
though. If you only follow the build instructions of `src/UPDATING',
you can simply wipe out everything under `/usr/obj' and be done:
# cd /usr/obj
# rm -fr *
% 5) Update ports
%
% $ pkg_add -r portupgrade
% $ /usr/local/bin/portsupgrade -a
What ports? There are no references to installation of any ports so far!
% 6) Adding applications
%
% $ pkg_add -r portaudit
% $ pkg_add -r zsh
% $ pkg_add -r wget
% $ pkg_add -r screen
% $ pkg_add -r sudo
% $ pkg_add -r pcre
This is backwards. If you really want to install new applications
(which do not necessarily match the list shown above, unless your
personal preferences match those of the author), then you should prefer
installing the applications *first* and updating the ports *afterwards*.
Having written all that, I want to add that it's ok to document one's
experience with FreeBSD. I've done it a lot of times.
But we should take care to use pointers to the official documentation as
much as possible. A huge number of people have put countless hours into
writing the documentation we have. Many man-years of work have gone
into correcting, rewriting, polishing, checking and improving these
documents in many other ways.
For these reasons, when it *is* available, the official documentation
should be your reference for a specific topic :)
- Giorgos
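An added example (not from the mail above or from the document it reviews): a small lint that flags the rc.conf and ttys changes criticised in the reply, run against constructed sample files instead of /etc. The function names, the sample file contents and the warning wording are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mail or the criticised document: a lint
# for the rc.conf and ttys changes the reply objects to. File paths are
# parameters so it runs against constructed copies, never against /etc.

# True if FILE sets VAR to VALUE (quotes optional, trailing comment allowed).
rc_has() {  # rc_has FILE VAR VALUE
    grep -Eq "^[[:space:]]*$2=[\"']?$3[\"']?[[:space:]]*(#.*)?\$" "$1"
}

# One line per questionable rc.conf setting from the document.
lint_rcconf() {  # lint_rcconf RCCONF
    if rc_has "$1" sendmail_enable NONE; then
        echo "WARN sendmail_enable=NONE: cron output mailed to root@localhost will fail"
    fi
    if rc_has "$1" inetd_enable NO; then
        echo "NOTE inetd_enable=NO is already the default; the line is redundant"
    fi
    if rc_has "$1" ntpdate_enable YES && ! rc_has "$1" ntpd_enable YES; then
        echo "WARN ntpdate runs once at boot; set ntpd_enable=YES to keep the clock in sync"
    fi
}

# Lockout check: an insecure console means root cannot log in there, so a
# non-root member of wheel must exist to su(1) from (read from a group(5) file).
lint_ttys() {  # lint_ttys TTYS GROUP
    grep -Eq '^console[[:space:]].*[[:space:]]insecure([[:space:]]|$)' "$1" || return 0
    others=$(awk -F: '$1=="wheel"{n=split($4,m,",");for(i=1;i<=n;i++)if(m[i]!=""&&m[i]!="root")c++}END{print c+0}' "$2")
    if [ "$others" -eq 0 ]; then
        echo "WARN console is insecure and wheel has no non-root member: root lockout"
    else
        echo "NOTE console is insecure; root must log in as a wheel user and su(1)"
    fi
}

# Constructed samples mirroring the document's edits (not real system files).
make_samples() {  # prints a directory holding rc.conf, rc.conf.fixed, ttys, group
    d=$(mktemp -d)
    printf '%s\n' 'sendmail_enable="NONE"' 'inetd_enable="NO"' \
        'ntpdate_flags="north-America.pool.ntp.org"' 'ntpdate_enable="YES"' >"$d/rc.conf"
    printf '%s\n' 'ntpdate_enable="YES"' 'ntpd_enable="YES"' >"$d/rc.conf.fixed"
    printf '%s\n' 'console none unknown off insecure' >"$d/ttys"
    printf '%s\n' 'wheel:*:0:root' >"$d/group"
    echo "$d"
}

# Demo run on the constructed samples.
d=$(make_samples); lint_rcconf "$d/rc.conf"; lint_ttys "$d/ttys" "$d/group"; rm -rf "$d"
```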