In the past few days, I've been sorting through my piles of notes and organizing the security tips I've gathered from various resources over the years. I thought some of them might interest you, so this week, I'll take a break from the archiving series and write a bit about securing your FreeBSD system.
Obviously, I won't be able to give thorough coverage of such a broad topic in the confines of one article. Which is just as well, since it is impossible to create a one-size-fits-all list that will guarantee the security of any system.
As I sort through my notes, I notice that most are geared toward tightening the security of a FreeBSD system that acts as some sort of server (e.g. Web server, mail server). Which isn't so great, if you are instead using your FreeBSD system as your personal system, and desire full desktop functionality. You would be a very unhappy camper if a security setting broke some functionality that took you a week of struggle to learn how to get working in the first place.
For this reason, you'll note that, unlike most security tutorials, this article will not address changing any of the permissions on your FreeBSD system. This is intentional. Unless you're securing a production server and you know what you're doing, never change the permissions of any file. (If you must practice with permissions, stick to the files in your home directory.) Otherwise, things might stop working; things you'd miss, like email, the X Window System, or sound. Strange things will happen at strange times, making it harder to clue in that they are related to the permission setting you played with a week ago Tuesday.
We all know that the Internet isn't always a friendly place and that you probably don't want to give the rest of the world the same access to your system as you give yourself. This means you don't want to be on the Internet without being protected by some sort of firewall. Fortunately, your FreeBSD system supports two firewalls:

better, the amount of easy-to-follow documentation has steadily improved over the last year. If you're not behind a firewall, dedicate a Saturday afternoon to do some reading and configure firewall functionality on your system. You'll be glad you did. Here are some resources to get you

IPFilter and PF resources
Good security is always "defense in depth," meaning that if one mechanism fails, there is a backup mechanism. Even though your system is now protected by a firewall, you should also disable all services except for those you absolutely need. On a desktop system, you need very few services.
To see which services are listening for connection attempts on your system, use this command:

sockstat -4
Your output will vary, depending upon what settings you selected during the final installation phase of FreeBSD and what ports and packages you have built since then.
It is very common to see port 6000 (X Window Server) in the output; if you don't, start an X Window session and rerun sockstat -4. Unfortunately, there have been many X Window exploits over the years; fortunately, you don't need to leave port 6000 open in order to use X on your system. Don't worry, you'll still have a GUI if you close this port!
There are several ways to close this port; I've found the easiest is to become the superuser and edit /usr/X11R6/bin/startx. Find the

and change it so that it looks like this:
Once you've saved your changes, start X as a regular user and rerun sockstat -4. If you didn't have any typos, X will start as usual, but port 6000 will be missing from your sockstat -4 output.
If you'd like to read up on some of the security issues of leaving port 6000 open, here is a Crash Course in X Window Security.
Okay, that's one less service in your sockstat -4 output. You probably still have two ports that deal with email: ports 25 (smtp) and 587 (submission). You don't need port 587 to send/receive email; to close it you can edit /etc/mail/sendmail.cf. Find this line:

O DaemonPortOptions=Port=587, Name=MSA, M=E

and put a # in front of it to comment it out. Then, to tell sendmail to re-read its configuration file:

killall -HUP sendmail

-HUP won't stop sendmail, but will tell it to read the changes you made. Rerun sockstat -4 and it should no longer show port 587.
What about port 25? You may or may not need to leave this port open, depending upon which program you use to send and read your email. If you're running FreeBSD 4.6-RELEASE or higher, put this line in

This will tell sendmail to only listen on the localhost, which will allow any mail client to be able to send email. If you know that your mail client has its own built-in SMTP agent or you're feeling adventurous, you can try this line instead:
which will close port 25 completely. To see if you've broken the ability to send email, make sure you've closed all of your terminals and saved all of your work. Then, as the superuser:
Press enter when prompted, then type exit. Once you've logged back in, see if you can send a test message to your email account. If you can't, go back to the word "NO" and repeat the above to re-open port 25 for the localhost.
If port 111 (portmap) shows up in your sockstat output, remove it by adding the following lines to /etc/rc.conf (or, if a line already exists in that file, change the YES to a NO):

nfs_server_enable="NO"
nfs_client_enable="NO"
portmap_enable="NO"
Portmap is only needed if you are running NFS, which you won't be on a stand-alone FreeBSD desktop. It also has a long history of security issues, so if you don't absolutely need it, disable it.
syslog (port 514) will probably also show in your output. You don't want to disable syslog completely, as you do want to receive logging messages. However, you don't need to have this port open to do so. In your /etc/rc.conf file, make sure syslog is enabled and add a second line with some options:

The two s's (make sure you have two, not just one) in the flags will disable logging from remote hosts and close that port, but still allow your localhost to keep its logging capabilities.
Next, make sure inetd_enable is not set to YES. If inetd is showing up in your sockstat output, something has been uncommented in /etc/inetd.conf. If you don't need it, put a # back in front of that line, and do a
If you get your address from your ISP's DHCP server, keep port 68 open, or you won't be able to renew your IP address.
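As an added example that is not part of the original article, here is a small POSIX shell script that reads sockstat -4 style output, separates daemons bound to every interface from those listening only on 127.0.0.1, and attaches the advice from the sections above to each port. The listing embedded in SAMPLE is constructed for this example. The -nolisten tcp option it mentions for port 6000 is the standard X server flag and is my assumption about what the startx edit above amounts to, since that line is not visible in this copy of the page.

```shell
#!/bin/sh
# Added example, not code from the original article: read `sockstat -4`
# style output and report which daemons listen on every interface (reachable
# from other hosts) versus only on 127.0.0.1, with the article's advice per port.
# SAMPLE is a constructed listing in sockstat's column layout; on a FreeBSD
# system use the real thing instead:  listing=$(sockstat -4); report "$listing"

SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     XFree86    412    1 tcp4   *:6000                *:*
root     sendmail   389    4 tcp4   *:25                  *:*
root     sendmail   389    5 tcp4   *:587                 *:*
root     syslogd    288    4 udp4   *:514                 *:*
root     dhclient   201    6 udp4   *:68                  *:*
dru      gconfd-2   501    7 tcp4   127.0.0.1:1025        *:*
dru      mozilla    533    9 tcp4   192.168.1.5:49152     10.0.0.1:80'

# listening_sockets LISTING
# Prints "proto address port command" for each socket with no peer
# (FOREIGN ADDRESS is *:*), i.e. a socket waiting for incoming connections.
listening_sockets() {
    printf '%s\n' "$1" | awk 'NR > 1 && $7 == "*:*" {
        n = split($6, a, ":")            # LOCAL ADDRESS is address:port
        printf "%s %s %s %s\n", $5, a[1], a[n], $2
    }'
}

# exposed_sockets LISTING
# Keeps only listeners bound to the wildcard address "*". A socket bound to
# 127.0.0.1 can be reached from this host alone, so it is not a remote exposure.
exposed_sockets() {
    listening_sockets "$1" | awk '$2 == "*"'
}

# explain_port PORT
# The article's recommendation for each port it covers. The -nolisten tcp
# option for port 6000 is the standard X server flag (assumed here; the
# article's own startx edit is not reproduced on this page).
explain_port() {
    case "$1" in
        6000) echo 'X server: have startx pass -nolisten tcp to the server' ;;
        587)  echo 'sendmail MSA: comment out the Port=587 DaemonPortOptions line, then killall -HUP sendmail' ;;
        25)   echo 'sendmail: bind to localhost only, or disable it if your mail client has its own SMTP agent' ;;
        111)  echo 'portmap: disable unless you run NFS' ;;
        514)  echo 'syslogd: start it with -ss so it stops accepting remote log messages' ;;
        68)   echo 'dhclient: keep open, needed to renew your lease' ;;
        *)    echo 'unknown: look for a knob in /etc/rc.conf or a script in /usr/local/etc/rc.d' ;;
    esac
}

# report LISTING
# One line per exposed listener: protocol, port, daemon, what to do about it.
report() {
    exposed_sockets "$1" | while read -r proto addr port cmd; do
        printf '%-5s %-5s %-10s %s\n' "$proto" "$port" "$cmd" "$(explain_port "$port")"
    done
}

report "$SAMPLE"
```

The split between listening_sockets and exposed_sockets is deliberate: the gconfd-2 entry in the sample is a listener, but because it is bound to 127.0.0.1 it never shows up in the report, which is exactly the state the sendmail "localhost only" setting above aims for on port 25.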
If you find anything else in your sockstat output, skim through rc.conf to see if there is an option to disable it. If there isn't, it was most likely started with a startup script that was installed with a package or a port. If this is the case, look in /usr/local/etc/rc.d to see which startup scripts have been added to your system. Most packages/ports will install a sample script with a "sample" extension. As long as it ends in "sample," that script will not run at startup. Other packages/ports install a working script that is read at bootup, and you will find the culprit in this directory. The easiest way to disable the script is to rename it with a "sample" extension, and then kill the daemon so that its port number no longer shows up in sockstat -4. For example, I recently installed ethereal and noticed that snmpd showed up in my sockstat -4 output. The snmp daemon has a long history of exploits and I didn't want it listening on my system, so I became the superuser and did this:

cd /usr/local/etc/rc.d
mv snmpd.sh snmpd.sh.sample
killall snmpd
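The rc.d procedure just described, as an added example that is not the article's own code: two shell functions, one that lists which scripts in a startup directory will really run at boot (anything not ending in "sample"), and one that renames a script to NAME.sample the way the snmpd.sh example does, refusing to clobber a sample file that already exists. The directory argument lets you try it on a scratch copy; the default /usr/local/etc/rc.d is the directory the article uses. Killing the running daemon remains a separate step, shown in the usage comment.

```shell
#!/bin/sh
# Added example, not code from the original article. Helpers for the rc.d
# procedure above: show which scripts in a startup directory will actually run
# (anything not ending in "sample") and neutralise one by renaming it, the way
# the article does with snmpd.sh. DIR defaults to /usr/local/etc/rc.d; pass a
# scratch directory to try the functions out first.

# active_rc_scripts [DIR]
# Names of the scripts rc will execute at boot, one per line, sorted.
active_rc_scripts() {
    dir=${1:-/usr/local/etc/rc.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *sample) ;;                  # ignored by rc, as the article notes
            *) basename "$f" ;;
        esac
    done
}

# disable_rc_script NAME [DIR]
# Rename NAME to NAME.sample so it no longer starts at boot. Fails (status 1)
# if the script is missing or a .sample copy already exists, so a previously
# installed sample is never silently overwritten.
disable_rc_script() {
    name=$1 dir=${2:-/usr/local/etc/rc.d}
    if [ ! -f "$dir/$name" ]; then
        echo "no such script: $dir/$name" >&2
        return 1
    fi
    if [ -e "$dir/$name.sample" ]; then
        echo "refusing to overwrite $dir/$name.sample" >&2
        return 1
    fi
    mv "$dir/$name" "$dir/$name.sample"
}

# Usage on a live system, as the superuser, mirroring the article's snmpd case.
# The rename only stops the next boot from starting the daemon; the copy that
# is already running still has to be killed:
#   disable_rc_script snmpd.sh && killall snmpd
#   active_rc_scripts             # confirm snmpd.sh is gone from the list
```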
You might also want to consider adding the following options to
This option prevents something known as OS fingerprinting, which is a scan technique used to determine the type of operating system running on a host. If you decide to enable this option, you will also have to rebuild your kernel with the following option included in your kernel configuration file:
Two related options are:
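To tie the rc.conf and sysctl.conf edits from this article together, here is an added example (not the article's code) of a shell helper that sets a key="value" line in a FreeBSD-style configuration file idempotently, plus two functions that apply the article's desktop settings to whatever file path they are given, so you can diff the result against a copy before touching /etc. The rc.conf variables used (sendmail_enable="NO" for a localhost-only listener and "NONE" to close port 25 entirely, syslogd_flags="-ss", the nfs and portmap knobs, inetd_enable) are FreeBSD's real rc.conf variables for the behaviour the article describes; the sendmail and syslogd lines themselves are not visible in this copy, so they are my reading of the text. The sysctl names are likewise my assumption: the article's own list is not visible here, and net.inet.tcp.drop_synfin (which only takes effect on a kernel built with options TCP_DROP_SYNFIN, matching the rebuild the article mentions) together with the tcp and udp blackhole knobs are the FreeBSD settings that fit its description.

```shell
#!/bin/sh
# Added example, not code from the original article. set_conf_var edits a
# FreeBSD-style key="value" file (/etc/rc.conf, /etc/sysctl.conf) in place: an
# existing assignment is replaced, a missing one is appended, and running it a
# second time changes nothing. The harden_* functions take a file path so they
# can be applied to a copy first:  cp /etc/rc.conf /tmp/rc.conf
#                                  harden_rc_conf /tmp/rc.conf
#                                  diff /etc/rc.conf /tmp/rc.conf

# set_conf_var FILE KEY VALUE
set_conf_var() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # Rewrite the existing line via a temp file so a failure mid-write
        # never leaves a half-written configuration behind.
        awk -v k="$key" -v v="$value" -F= \
            '$1 == k { print k "=" v; next } { print }' "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_var FILE KEY
# Prints the value with surrounding quotes stripped; empty if KEY is unset.
get_conf_var() {
    awk -v k="$2" -F= '$1 == k { v = $2 } END { gsub(/"/, "", v); print v }' "$1"
}

# harden_rc_conf FILE
# The /etc/rc.conf settings the article recommends for a stand-alone desktop
# (variable names are FreeBSD's; the article's exact lines are assumed here).
# sendmail_enable="NO" keeps sendmail listening on localhost only, which is
# what the article describes for FreeBSD 4.6 and later; "NONE" closes port 25.
# syslogd_flags="-ss" is the two-s setting that closes UDP 514 while local
# logging keeps working.
harden_rc_conf() {
    set_conf_var "$1" sendmail_enable '"NO"'
    set_conf_var "$1" nfs_server_enable '"NO"'
    set_conf_var "$1" nfs_client_enable '"NO"'
    set_conf_var "$1" portmap_enable '"NO"'
    set_conf_var "$1" syslogd_enable '"YES"'
    set_conf_var "$1" syslogd_flags '"-ss"'
    set_conf_var "$1" inetd_enable '"NO"'
}

# harden_sysctl_conf FILE
# Anti-fingerprinting sysctls. The article's list is not visible in this copy;
# these are the FreeBSD knobs that match its description (my assumption).
# drop_synfin discards packets with both SYN and FIN set and only works on a
# kernel built with "options TCP_DROP_SYNFIN"; the blackhole knobs stop the
# RST/ICMP replies that tell a scanner a port is closed.
harden_sysctl_conf() {
    set_conf_var "$1" net.inet.tcp.drop_synfin 1
    set_conf_var "$1" net.inet.tcp.blackhole 2
    set_conf_var "$1" net.inet.udp.blackhole 1
}
```

Because set_conf_var matches the whole key up to the "=", a commented-out line such as #sendmail_enable="YES" is left alone and a fresh assignment is appended, which is what you want when reviewing the diff afterwards.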