Archive for April, 2008

Hardening FreeBSD

April 28, 2008 Hans

Hardening is a method of securing your system. In this tutorial I have written only a few tips for your machine, so it does not provide perfect security for your system.

Filesystem structure

These commands replace /var/tmp with a symbolic link to /tmp:

# mv /var/tmp/* /tmp/
# rm -rf /var/tmp
# ln -s /tmp /var/tmp

Disable Local root access

After this change the system no longer lets "root" log in directly on a terminal, so when you want to be root you must log in as a regular user and then use the "su" command. To do this, open /etc/ttys with a text editor and replace the word "secure" with "insecure", so that the file looks like this:

console none unknown off insecure
#
ttyv0 "/usr/libexec/getty Pc" cons25 on insecure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on insecure
ttyv2 "/usr/libexec/getty Pc" cons25 on insecure
ttyv3 "/usr/libexec/getty Pc" cons25 on insecure
ttyv4 "/usr/libexec/getty Pc" cons25 on insecure
ttyv5 "/usr/libexec/getty Pc" cons25 on insecure
ttyv6 "/usr/libexec/getty Pc" cons25 on insecure
ttyv7 "/usr/libexec/getty Pc" cons25 on insecure
ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off insecure
# Serial terminals
# The 'dialup' keyword identifies dialin lines to login, fingerd etc.
ttyd0 "/usr/libexec/getty std.9600" dialup off insecure
ttyd1 "/usr/libexec/getty std.9600" dialup off insecure
ttyd2 "/usr/libexec/getty std.9600" dialup off insecure
ttyd3 "/usr/libexec/getty std.9600" dialup off insecure
# Dumb console
dcons "/usr/libexec/getty std.9600" vt100 off insecure

SSH Login

This permits SSH login only for members of the wheel group and of another group called sshlogins, whose members cannot become superuser. The system will also accept only SSHv2 instead of SSHv1, which is less secure.

# cat << EOF >> /etc/ssh/sshd_config
PermitRootLogin=no
AllowGroups wheel sshlogins
Protocol 2
X11Forwarding=no
VersionAddendum
EOF
# echo "Banner /etc/welcomemsg" >> /etc/ssh/sshd_config
# cat << EOF > /etc/welcomemsg
!!WARNING!!!
READ THIS BEFORE ATTEMPTING TO LOGON

Blalalalalllablablablablablablablablablablablablablab
EOF
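
Because the commands above append to sshd_config, and sshd uses the first active occurrence of most keywords, an appended line has no effect when an earlier uncommented line already sets the same keyword. The following check is an added example, not part of the original post; the function names and the sample file are constructed for illustration, and on a real system the file argument would be /etc/ssh/sshd_config.

```shell
# Added example: report the value sshd will actually use for a keyword.
# sshd keeps the FIRST uncommented occurrence of most keywords.

# sshd_effective FILE KEYWORD -> first active value (empty if never set)
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # keyword and value are separated by whitespace or a single "="
            n = match(line, /[ \t]*=[ \t]*|[ \t]+/)
            if (n == 0) { key = line; val = "" }
            else { key = substr(line, 1, n - 1); val = substr(line, n + RLENGTH) }
            sub(/[ \t]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }
    ' "$1"
}

# sshd_check FILE -> one line per mismatch; returns 1 if any setting differs.
# AllowGroups is left out: repeated AllowGroups lines accumulate.
sshd_check() {
    rc=0
    while read -r key expected; do
        actual=$(sshd_effective "$1" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $key: effective '$actual', wanted '$expected'"
            rc=1
        fi
    done <<EOF
PermitRootLogin no
Protocol 2
X11Forwarding no
EOF
    return $rc
}

# Constructed sample: one earlier active line, then the appended lines.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
PermitRootLogin=no
AllowGroups wheel sshlogins
Protocol 2
X11Forwarding=no
EOF
sshd_check "$sample" || echo "edit the earlier line instead of appending"
```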

Password Encryption

The default password encryption on FreeBSD is md5. We will change it to blowfish, because blowfish is more secure than md5.

# echo "crypt_default=blf" >> /etc/auth.conf

Edit the file /etc/login.conf:

default:\
        :passwd_format=blf:\
        :copyright=/etc/COPYRIGHT:\
        :welcome=/etc/motd:\
        :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
        :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin ~/bin:\
        :nologin=/var/run/nologin:\
        :cputime=unlimited:\
        :datasize=unlimited:\
        :stacksize=unlimited:\
        :memorylocked=unlimited:\
        :memoryuse=unlimited:\
        :filesize=unlimited:\
        :coredumpsize=unlimited:\
        :openfiles=unlimited:\
        :maxproc=unlimited:\
        :sbsize=unlimited:\
        :vmemoryuse=unlimited:\
        :priority=0:\
        :ignoretime@:\
        :minpasswordlen=8:\
        :mixpasswordcase=true:\
        :passwordtime=90d:\
        :idletime=30:\
        :umask=027:

Update the login database:

# cap_mkdb /etc/login.conf
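
Changing passwd_format only affects passwords set afterwards; existing hashes keep their old format until each user changes their password. The following audit is an added example, not part of the original post: it classifies each account by the prefix of its hash field. The function names, users and placeholder hash strings are constructed, and on a real system the input would be /etc/master.passwd read as root.

```shell
# Added example: classify the hash in each master.passwd-style line by its
# prefix, to find accounts that still carry a hash in the old format.

# hash_formats FILE -> "user format" for every account line
hash_formats() {
    awk -F: '
        /^#/ || NF < 2 { next }
        {
            h = $2
            if (h == "")                  fmt = "empty"
            else if (h ~ /^\*/)           fmt = "locked"
            else if (h ~ /^\$1\$/)        fmt = "md5"
            else if (h ~ /^\$2[a-z]?\$/)  fmt = "blf"
            else if (h ~ /^\$/)           fmt = "other"
            else                          fmt = "des"
            print $1, fmt
        }
    ' "$1"
}

# needs_rehash FILE -> users whose password must be changed to get a blf hash
needs_rehash() {
    hash_formats "$1" |
        awk '$2 != "blf" && $2 != "locked" && $2 != "empty" { print $1 }'
}

# Constructed sample (made-up users and placeholder hash strings).
pwsample=$(mktemp)
cat > "$pwsample" <<'EOF'
root:$1$CONSTRCT$placeholderplaceholder0:0:0::0:0:Charlie &:/root:/bin/csh
hans:$2a$04$placeholderplaceholderplaceholderplaceholder:1001:1001::0:0:Hans:/home/hans:/bin/sh
olduser:placeholder13:1002:1002::0:0:Old:/home/olduser:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
EOF
needs_rehash "$pwsample"
```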

Restrict User Access

This restricts what regular users can do on the system. Only root may use cron and at:

# echo "root" > /var/cron/allow
# echo "root" > /var/at/at.allow
# chmod o= /etc/crontab
# chmod o= /usr/bin/crontab
# chmod o= /usr/bin/at
# chmod o= /usr/bin/atq
# chmod o= /usr/bin/atrm
# chmod o= /usr/bin/batch

Next, remove access for "other" users from system configuration files. Files such as /etc/group and /etc/hosts are also read by programs running as unprivileged users, so test your services after this change:

# chmod o= /etc/fstab
# chmod o= /etc/ftpusers
# chmod o= /etc/group
# chmod o= /etc/hosts
# chmod o= /etc/hosts.allow
# chmod o= /etc/hosts.equiv
# chmod o= /etc/hosts.lpd
# chmod o= /etc/inetd.conf
# chmod o= /etc/login.access
# chmod o= /etc/login.conf
# chmod o= /etc/newsyslog.conf
# chmod o= /etc/rc.conf
# chmod o= /etc/ssh/sshd_config
# chmod o= /etc/sysctl.conf
# chmod o= /etc/syslog.conf
# chmod o= /etc/ttys

Restrict user access to the system logs and make them append-only. The sappnd (system append-only) flag also stops flagged files from being renamed or removed, which affects log rotation by newsyslog:

# chmod o= /var/log
# chflags sappnd /var/log
# chflags sappnd /var/log/*

Stop regular users from executing some default programs:

# chmod o= /usr/bin/users
# chmod o= /usr/bin/w
# chmod o= /usr/bin/who
# chmod o= /usr/bin/lastcomm
# chmod o= /usr/sbin/jls
# chmod o= /usr/bin/last
# chmod o= /usr/sbin/lastlogin

Some services must be disabled to increase security:

# chmod ugo= /usr/bin/rlogin
# chmod ugo= /usr/bin/rsh

Restrict regular users' access to other "dangerous" programs:

# chmod o= /usr/local/bin/nmap
# chmod o= /usr/local/bin/nessus

Set Kernel States

This prevents users from seeing information about processes running under another UID:

# echo "security.bsd.see_other_uids=0" >> /etc/sysctl.conf

Make port scanning of the system harder (packets sent to closed ports are dropped silently):

# echo "net.inet.tcp.blackhole=2" >> /etc/sysctl.conf
# echo "net.inet.udp.blackhole=1" >> /etc/sysctl.conf

This generates random IDs for IP packets:

# echo "net.inet.ip.random_id=1" >> /etc/sysctl.conf

OK, I think that's enough. I'll update later if I have time hehehehehe ;p

Good Luck.

Categories: FreeBSD

JUNK

April 28, 2008 Hans

What is JUNK??? I think you’ll need it…

JUNK is an abbreviation of "JUNK is UNdetected Key". It is basically a program in which you can type your secret words (username, password, PIN) without any keylogger being able to log them correctly.

It works like this: every time you type something in its text entry, it generates a random number of randomly pressed keys, so any keylogger will also log those random keys and the keys you actually pressed are masked among them.

No installation procedure is needed; just extract it and run the junk.exe file.

Download here:
http://rapidshare.com/files/95844451/junk2.zip.html

Categories: Microsoft