By Xiujun Ma in FreeBSD

FreeBSD Security Best Practices

FreeBSD Security Best Practices

FreeBSD is renowned for its robustness, performance, and security features. However, to ensure your FreeBSD system remains secure, it's crucial to follow best practices. This guide will discuss essential security practices for FreeBSD administrators, including user management, secure SSH configurations, regular audits, and updates.

User Management

Effective user management is the foundation of a secure FreeBSD system. Here are some best practices to follow:

1. Use Strong Passwords

Ensure all user accounts have strong, unique passwords. Enforce password complexity by editing the /etc/login.conf file:

sudo nano /etc/login.conf

Add the following under the default class:

:passwd_check=\
        :minpassword=8:\
        :minpasswordlen=8:\
        :mixpasswordcase:\
        :extrachars:

Update the login class database:

sudo cap_mkdb /etc/login.conf

2. Create Limited User Accounts

Avoid using the root account for daily tasks. Instead, create individual user accounts with limited privileges. Use the adduser command to create new users:

sudo adduser

3. Use the Wheel Group for Privileged Users

Only allow users in the wheel group to use sudo for executing administrative commands. Add users to the wheel group:

sudo pw groupmod wheel -m username

Edit the sudoers file to ensure only wheel group members can use sudo:

sudo visudo

Uncomment the following line:

%wheel ALL=(ALL) ALL

Secure SSH Configuration

SSH is a critical service for remote administration. Secure your SSH configuration to prevent unauthorized access.

1. Disable Root Login

Edit the SSH configuration file to disable root login:

sudo nano /etc/ssh/sshd_config

Set the following directive:

PermitRootLogin no

2. Use SSH Key Authentication

Generate an SSH key pair on your local machine:

ssh-keygen -t rsa -b 4096

Copy the public key to the FreeBSD server:

ssh-copy-id username@your_freebsd_server

Edit the SSH configuration file to disable password authentication:

sudo nano /etc/ssh/sshd_config

Set the following directive:

PasswordAuthentication no

3. Change the Default SSH Port

Change the default SSH port to reduce the risk of automated attacks. Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Set a non-standard port (e.g., 2222):

Port 2222

Restart the SSH service:

sudo service sshd restart

Regular Audits

Conducting regular security audits helps identify and mitigate potential vulnerabilities.

1. Use Audit Tools

FreeBSD includes several audit tools, such as auditdistd and security/audit. Install and configure these tools to monitor system activities:

sudo pkg install security/audit

2. Review Logs Regularly

Regularly review system logs to detect unusual activities. Use tools like logcheck to automate log monitoring and receive alerts for suspicious events.

3. Enable Audit Logging

Enable audit logging by editing the /etc/rc.conf file:

sudo nano /etc/rc.conf

Add the following lines:

auditd_enable="YES"
auditdistd_enable="YES"

Start the audit services:

sudo service auditd start
sudo service auditdistd start

Regular Updates

Keeping your FreeBSD system and installed packages up-to-date is crucial for maintaining security.

1. Update the Base System

Regularly update the base system using the freebsd-update tool:

sudo freebsd-update fetch
sudo freebsd-update install

2. Update Installed Packages

Use the pkg system to update installed packages:

sudo pkg update
sudo pkg upgrade

3. Automate Updates

Automate the update process using cron jobs. Edit the root user's crontab:

sudo crontab -e

Add the following lines to schedule regular updates:

# Update the base system weekly
0 3 * * 0 freebsd-update fetch install

# Update packages daily
0 2 * * * pkg update && pkg upgrade -y

Additional Security Measures

1. Firewall Configuration

Configure a firewall using pf or ipfw to control incoming and outgoing traffic. For pf, enable and configure it by editing the /etc/pf.conf file:

sudo nano /etc/pf.conf

Add basic firewall rules:

# Default block rule
block all

# Allow traffic on the loopback interface
set skip on lo

# Allow incoming SSH connections
pass in on em0 proto tcp from any to any port 2222

# Allow outgoing connections
pass out all

Enable and start the pf service:

sudo sysrc pf_enable="YES"
sudo service pf start

2. Secure Network Services

Disable unnecessary network services to reduce the attack surface. Edit the /etc/rc.conf file to disable services:

sudo nano /etc/rc.conf

Set the following lines to disable unnecessary services:

inetd_enable="NO"
lpd_enable="NO"
sendmail_enable="NONE"

3. Use Mandatory Access Control (MAC)

FreeBSD's MAC framework provides additional security controls. Enable MAC policies by editing the /boot/loader.conf file:

sudo nano /boot/loader.conf

Add the following lines to load MAC modules:

mac_biba_load="YES"
mac_mls_load="YES"

Edit the /etc/sysctl.conf file to enable MAC policies:

sudo nano /etc/sysctl.conf

Add the following lines:

security.mac.biba.enabled=1
security.mac.mls.enabled=1

Conclusion

Implementing these FreeBSD security best practices will help you build a robust and secure system. By focusing on user management, secure SSH configurations, regular audits, and keeping your system updated, you can significantly reduce the risk of security breaches and ensure your FreeBSD system remains secure and reliable. Stay proactive with your security measures and continuously monitor and improve your system's defenses.