#!/bin/sh ################################################################## ################################################################## # # The FreeBSD System Hardening Script # David Childers - 15 February, 2010 # # This software is released under the Attribution-ShareAlike version 3.0 Licence. # www.creativecommons.org/licenses/by-sa/3.0/ # ################################################################## ################################################################## # # If you find this script useful, please consider making a small donation. # https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=10870717 # ################################################################## ################################################################## # # Portions of the script that are marked with bold face type require additional steps to be # performed. If these additional steps are not completed, then the changes initiated by this # script will not function properly. # ################################################################## ################################################################## # # > If you modify the script, make absolutely sure that you use standard quotation marks " " and not word # > processor quotation marks “ “ in elements that you use the echo function for adding entries to files. # > Using word processor quotation marks ” “ inside the script will cause the script to not function # > properly. # ################################################################## ################################################################## # # This script can be used with either an i386 or amd64 computer. # ################################################################## ################################################################## # # The file rc.conf contains descriptive information about the local host name, configuration details for # any potential network interfaces and which services should be started up at system initial boot time. # # Ensure syslogd does not bind to a network socket if you are not logging into a remote machine. # echo 'syslogd_flags="-ss"' >> /etc/rc.conf # # ICMP Redirect messages can be used by attackers to redirect traffic and should be ignored. # echo 'icmp_drop_redirect="YES"' >> /etc/rc.conf # # sendmail is an insecure service and should be disabled. # echo 'sendmail_enable="NO"' >> /etc/rc.conf # # The Internet Super Server (inetd) allows a number of simple Internet services to be enabled, including # finger, ftp ssh, and telnetd. Enabling these services may increase risk of security problems by # increasing the exposure of your system. # echo 'inetd_enable="NO"' >> /etc/rc.conf # # Network File System allows a system to share directories and files with other computers over a network # and should be disabled. # echo 'nfs_server_enable="NO"' >> /etc/rc.conf # echo 'nfs_client_enable="NO"' >> /etc/rc.conf # # SSHD is a family of applications that can used with network connectivity tools. # This disables rlogin, RSH, RCP and telenet. # echo 'sshd_enable="NO"' >> /etc/rc.conf # # Disable portmap if you are not running Network File Systems. # echo 'portmap_enable="NO"' >> /etc/rc.conf # # Disable computer system details from being added to /etc/motd on system reboot. # echo 'update_motd="NO"' >> /etc/rc.conf # # The /tmp directory should be cleared at startup to ensure that any malicious code that may have # entered into the temp file is removed. # echo 'clear_tmp_enable="YES"' >> /etc/rc.conf # ################################################################## ################################################################## # # The sysctl.conf file allows you to configure various aspects of a FreeBSD computer. This includes many # advanced options of the TCP/IP stack and virtual memory system that can dramatically improve # performance. # # Prevent users from seeing information about processes that are being run under another UID. # echo 'security.bsd.see_other_uids=0' >> /etc/sysctl.conf # # Generate a random ID for the IP packets as opposed to incrementing them by one. # echo 'net.inet.ip.random_id=1' >> /etc/sysctl.conf # # This will discover dead connections and clear them. # echo 'net.inet.tcp.always_keepalive=1' >> /etc/sysctl.conf # # Enabling blackholes for udp and tcp will drop all packets that are received on a closed port and will not # give a reply. # echo 'net.inet.tcp.blackhole=2' >> /etc/sysctl.conf echo 'net.inet.udp.blackhole=1' >> /etc/sysctl.conf # ################################################################## ################################################################## # # The TCP/IP Stack is what controls the communication of the computer on a data network. # # Disable ICMP broadcast echo activity. This could allow the computer to be used as part of a Smurf # attack. # sysctl -w net.inet.icmp.bmcastecho=0 # # Disable ICMP routing redirects. This could allow the computer to have its routing table corrupted by an # attacker. # sysctl -w net.inet.ip.redirect=0 sysctl -w net.inet.ip6.redirect=0 # # Disable ICMP broadcast probes. This could allow an attacker to reverse engineer details of your # network infrastructure. # sysctl -w net.inet.icmp.maskrepl=0 # # Disable IP source routing. This could allow attackers to spoof IP addresses that you normally trust as # internal hosts. # sysctl -w net.inet.ip.sourceroute=0 sysctl -w net.inet.ip.accept_sourceroute=0 # ################################################################## ################################################################## # # Disable users from having access to configuration files. # chmod o= /etc/fstab chmod o= /etc/ftpusers chmod o= /etc/group chmod o= /etc/hosts chmod o= /etc/hosts.allow chmod o= /etc/hosts.equiv chmod o= /etc/hosts.lpd chmod o= /etc/inetd.conf chmod o= /etc/login.access chmod o= /etc/login.conf chmod o= /etc/newsyslog.conf chmod o= /etc/rc.conf chmod o= /etc/ssh/sshd_config chmod o= /etc/sysctl.conf chmod o= /etc/syslog.conf chmod o= /etc/ttys # ################################################################## ################################################################## # # Enable root as the only account with the ability to schedule jobs. # echo "root" > /var/cron/allow echo "root" > /var/at/at.allow chmod o= /etc/crontab chmod o= /usr/bin/crontab chmod o= /usr/bin/at chmod o= /usr/bin/atq chmod o= /usr/bin/atrm chmod o= /usr/bin/batch # ################################################################## ################################################################## # # Secure the root directory contents to prevent viewing. # chmod 710 /root # ################################################################## ################################################################## # # Disable user from having access to the system log file directory. # chmod o= /var/log # ################################################################## ################################################################## # # Merge all temporary file directories. # # A single directory should be used for temporary files, not two. # The /var/tmp directory will be replaced with a link to /tmp. # # The contents of the /var/tmp directory remain after a reboot. The contents of the /tmp directory do not. # mv /var/tmp/* /tmp/ rm -rf /var/tmp ln -s /tmp /var/tmp # ################################################################## ################################################################## # # Enable the use of blowfish password encryption for enhanced password security. # ########## ########## ## ## (#indicates a typed command.) ## ## Manually edit /etc/auth.conf ## # nano /etc/auth.conf ## ## The following lines needs to be added to the /etc/auth.conf file ## crypt_default=blf ## ## Manually edit /etc/login.conf ## # nano /etc/login.conf ## ## The password format must be changed from md5 to blf. ## passwd_format="blf" ## ########## ########## # ################################################################## ################################################################## # # Secure FreeBSD in single user mode # ########## ########## ## ## (#indicates a typed command.) ## ## Edit the /etc/ttys file: ## # nano /etc/ttys ## ## Find this line in the /etc/ttys file ## console none unknown off secure ## ## change the secure to insecure ## console none unknown off insecure ## ## Insecure indicates that the console can be accessed by unauthorized persons, and is not ## secure. ## ## After rebooting and entering single user mode, the user will be prompted for a password to ## gain access to the shell prompt. ## ########## ########## # ################################################################## ################################################################## # # Installing and configuring the Network Time Protocol service. # ########## ########## ## ## This will enable ntpdate, which will keep the computer date/time correct. ## ## (#indicates a typed command.) ## ## Manually edit /etc/rc.conf ## # nano /etc/rc.conf ## ## The following line needs to be placed in the /etc/rc.conf file ## ntpdate_enable="YES" ## ## Select the appropriate ntp server for your location. ## psp2.ntp.org/bin/view/Servers/WebHome ## ## Manually edit /etc/ntp.conf ## # nano /etc/ntp.conf ## ## The following lines need to be added to the file: ## (Based upon the ntp server preferences you selected from the list.) ## ## server ntplocal.example.com prefer ## server timeserver.example.org ## server ntp2a.example.net ## driftfile /var/db/ntp.drift ## ## The server option specifies which servers are to be used, with one server listed on each ## line. If a server is specified with the prefer argument, as with ntplocal.example.com, that ## server is preferred over other servers. A response from a preferred server will be ## discarded if it differs significantly from other servers' responses, otherwise it will be used ## without any consideration to other responses. The prefer argument is normally used for ## NTP servers that are known to be highly accurate, such as those with special time ## monitoring hardware. ## ## The driftfile option specifies which file is used to store the system clock's frequency offset. ## ########## ########## # ################################################################## ################################################################## # echo "End of script." #