FreeBSD security (incl video)

These are some recent links regarding FreeBSD security:

1.  Using DenyHosts to help thwart SSH attacks on FreeBSD

DenyHosts is a script intended to be run by UNIX-like system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

  1. % su
  2. # cd /usr/ports/security/denyhosts
  3. # make install clean
  4. # echo 'denyhosts_enable="YES"' >> /etc/rc.conf
  5. # echo 'syslogd_flags="-s -c"' >> /etc/rc.conf
  6. # echo "sshd : /etc/hosts.deniedssh : deny" >> /etc/hosts.allow
  7. # echo "sshd : ALL : allow" >> /etc/hosts.allow
  8. # touch /etc/hosts.deniedssh
  9. Edit /usr/local/etc/denyhosts.conf and uncomment the BLOCK_SERVICE = sshd entry.
  10. # /usr/local/etc/rc.d/denyhosts onestart

Source - linux-bsd-sharing.blogspot.com
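
The rules appended in steps 6 and 7 only take effect if no earlier hosts.allow rule already allows sshd, because TCP Wrappers stops at the first matching rule (the stock FreeBSD file opens with ALL : ALL : allow). The sh script below is an added example, not from the original post; its function names and sample files are constructed for illustration, and it assumes one rule per line with an explicit allow or deny as the last field.

```shell
#!/bin/sh
# Added example (not from the original post): check the rule order that the
# DenyHosts steps depend on. hosts.allow is read top to bottom and the first
# matching rule wins, so the deny rule must precede any "allow sshd from ALL".
# Simplified parser: one rule per line, explicit allow/deny as the last field.

# first_sshd_rule FILE -> prints deny-list, allow-all or none
first_sshd_rule() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }                      # comments, blank lines
        {
            daemons = $1; clients = $2; action = $NF
            gsub(/[ \t]+/, ",", daemons)             # "sshd ftpd" -> "sshd,ftpd"
            gsub(/^[ \t]+|[ \t]+$/, "", clients)
            gsub(/[ \t]/, "", action)
            d = "," daemons ","
            if (!index(d, ",sshd,") && !index(d, ",ALL,")) next
            if (clients == "/etc/hosts.deniedssh" && action == "deny") { r = "deny-list"; exit }
            if (clients == "ALL" && action == "allow") { r = "allow-all"; exit }
        }
        END { print (r == "" ? "none" : r) }
    ' "$1"
}

check_hosts_allow() {
    case "$(first_sshd_rule "$1")" in
        deny-list) echo "OK: $1 consults /etc/hosts.deniedssh before allowing sshd"; return 0 ;;
        allow-all) echo "FAIL: $1 allows sshd from ALL first; DenyHosts blocks are ignored"; return 1 ;;
        *)         echo "FAIL: $1 has no sshd rule for /etc/hosts.deniedssh"; return 1 ;;
    esac
}

# Constructed samples: steps 6-7 appended to a file that already starts with
# a catch-all rule, and the same two rules on their own.
tmp=$(mktemp -d)
printf '%s\n' 'ALL : ALL : allow' 'sshd : /etc/hosts.deniedssh : deny' \
    'sshd : ALL : allow' > "$tmp/appended"
printf '%s\n' '# sshd only' 'sshd : /etc/hosts.deniedssh : deny' \
    'sshd : ALL : allow' > "$tmp/clean"
check_hosts_allow "$tmp/appended" || true
check_hosts_allow "$tmp/clean"
rm -rf "$tmp"
```

On a live system, run check_hosts_allow /etc/hosts.allow after step 7 and before relying on DenyHosts to block anything.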

2. Network Security Monitoring

Richard Bejtlich, from TaoSecurity, gave a presentation on network security monitoring using FreeBSD.

In this presentation I’ll discuss my latest thinking on using FreeBSD to identify normal, suspicious, and malicious traffic in enterprise networks. FreeBSD is a powerful platform for network traffic inspection and log analysis, and I’ll share a few ways I use it in production environments.


3. FreeBSD supported branches update

The branches supported by the FreeBSD Security Officer have been updated to reflect the EoL (end-of-life) of FreeBSD 7.0. The new list is below and at . Please note that FreeBSD 7.0 was originally announced with an EoL date of February 28, 2009, but the EoL was delayed by two months in order to allow a 3 month window for systems to be upgraded to FreeBSD 7.1. [source]

The current designation and estimated lifetimes of the currently supported branches are given below. The Estimated EoL (end-of-life) column gives the earliest date on which that branch is likely to be dropped. Please note that these dates may be extended into the future, but only extenuating circumstances would lead to a branch’s support being dropped earlier than the date listed.

  • RELENG_6 – 30 November 2010
  • RELENG_6_3 – 31 January 2010
  • RELENG_6_4 – 30 November 2010
  • RELENG_7 – last release + 2 years
  • RELENG_7_1 – 31 January 2011

These dates can also be found on the calendar at BSDEvents.net

4. How to harden FreeBSD

After a fresh install, it is important to harden the security on a server before it hits your network for use. Not only do configuration changes aid in the security of your box, but there are also some practical rules to abide by. These are some hardening tips to make your FreeBSD box more secure and will apply to both the 5.x and 4.x branches, but I will assume you are running 5.x. If a 4.x change is different, I will note it.

Instructions here (Tux Training)
