Home > BSD & Darwin > Installing a Secure BSD SystemInstalling a Secure BSD System Submitted by Fred C Williams 2003-09-22 BSD & Darwin 27 CommentsThe LittleWhiteDog web site posted an article showing how to configure and secure a BSD system.About The Author Eugenia LoliEx-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.Follow me on Twitter @EugeniaLoli 27 Comments 2003-09-22 4:43 am Comprehensive all-in-one-place reference. 2003-09-22 4:47 am Very good article. Recommended. 2003-09-22 5:15 am Great, fine, wonderful, but the sections at the beginning that bash other OSes and companies should have been left out. It’s a BSD article, not a bash Microsoft propaganda rag. This speaks poorly of the author’s skills. 2003-09-22 5:17 am >sections at the beginning that bash other OSes and companies should have been left out. It’s a BSD article, not a bash Microsoft propaganda rag.Fully agreed. Other than that, is a good article. 2003-09-22 5:43 am I agree, perhaps we should contract to this author and give him the feedbacks and comments? 2003-09-22 5:43 am >Great, fine, wonderful, but the sections at the beginning that bash other OSes and companies should have been left out. It’s a BSD article, not a bash Microsoft propaganda rag. This speaks poorly of the author’s skills. >its just having fun.. but i also agree.. 2003-09-22 6:03 am it seems to be focused on a purpose-built machine, not a general use server. The things he mentions are things that any admin worth his salt would do….While he bashes MS, he has taken the tack of a typical MS admin, or l00n1x nut…..he doesn’t have enough information on other systems to effectively comment on them. There are many distros that are better security-wise than RedHat (*cough*Debian*cough*), and worse (gentoo, most likely, with all the untested packages and strange optimizations….). Linux also allows UML, which is slightly better than FreeBSD jails (which he doesn’t mention at all). If I was concerned with making a very secure FreeBSD mail server, it’d be running qmail, and all of the public daemons in jail. Oh well.Nice article, but nothing special — typical “Teach Yourself $FREE_UNIX in 21 Days” stuff. 2003-09-22 11:56 am I’m aware that the title of the article is “Installing a Secure BSD System”, but I’d suggest that the OSNews title reflect the actual content of the story… “Installing a Secure FreeBSD System”.-fp 2003-09-22 12:41 pm > Great, fine, wonderful, but the sections at the beginning that bash other OSes and companies should have been left out. It’s a BSD article, not a bash Microsoft propaganda rag. This speaks poorly of the author’s skills. The “author’s skills” are not in question. A strong piece is always, of course, objective; I will not deny this. However, be careful when criticizing another writer’s “skills” as opposed to their objectivity. There is a big difference, friend. 2003-09-22 2:47 pm Twords the M$ bashing and other OS bashing.. Perhaps thats a little out of place. Though i was not trying to gear the article twords bashing the OS’s but show my opinion on them. I was hoping to get a laugh out of people and not take that seriously.>Install Linux, problem solved.EEK… *nuff said there*>I’m aware that the title of the article is “Installing a >Secure BSD System”, but I’d suggest that the OSNews title >reflect the actual content of the story… “Installing a >Secure FreeBSD System”.Actually the origional title was “Installing a secure freebsd mailserver” however the person who posted it on the Littlewhitedog website changed the title.And i could have gone into setting up jails or comparing the diffrences between UML, Chroot and jails, but why when it’s geared twords just freebsd. Any compitent system admin with enough experience should understand these systems. UML is something I dont know too much about only because i dont do linux anymore. I’m not bashing the other OS’s just stating that this is my preferance. 2003-09-22 3:02 pm I think that people seemed to miss the point of the article, it is about Securing a FreeBSD system, and why the author choose FreeBSD as his system of choice…do you expect a technical article to contain NO opinion at all? Of course he has an opinion, and makes choices based on those opinions. FreeBSD is a great operating system, that can be extremely secure and easy to maintain. He makes a point that MS is NOT secure (don’t try to tell me it is, cause your full of it) and linux has become overly complex for it’s own good, particularly when dealing with customized packages. That’s not too say that nobody should choose either of those Operating Systems, just that he would not and this is why. Can anyone just be thankfull that someone took the time to write such a detailed article on setting up a secure Freebsd system? Instead of reading the article and learning something, people nitpick at the title, or the author’s opinions. You keep doing that, meantime, my FreeBSD system is secure.Sorry about the rant, but the comments that I saw just pissed me off, and I would imagine, makes the author not want to contribute to the community again. 2003-09-22 3:03 pm Let’s start off by working with sendmail. You should notice both ports 25 and 587 belong to sendmail. First of all, we can completely close port 587, and I have no idea to this day why that is open by default. http://www.google.com/search?q=sendmail+587 2003-09-22 3:17 pm I agree to OS bashing gets to be very tedious. It is always nice to discuss technical OS issues without so much “my OS is better than yours banter” 2003-09-22 3:28 pm “Install Linux, problem solved.”I don’t know if that’s a troll or a joke. If it’s not a troll, dude your really need to be on stage because that was funny as hell. Made me LOL.If it’s a troll, then I guess I fell for it. As already mentioned, BSD isn’t Linux. But perhaps you should take a look at the following link.http://www.globetechnology.com/servlet/story/RTGAM.20030911.gtlinux…Nuff said! 2003-09-22 3:43 pm It is a fairly secure and easy to manage operating system, though not as secure as OpenBSDShouldn’t this be clarified to state that OpenBSD is more secure out of the box? Once a FreeBSD box is locked down, it is just as secure as OpenBSD! 2003-09-22 4:16 pm <quote>Let’s start off by working with sendmail. You should notice both ports 25 and 587 belong to sendmail. First of all, we can completely close port 587, and I have no idea to this day why that is open by default.</quote>From the sendmail release notes:“sendmail implements RFC 2476 (Message Submission), e.g., itcan now listen on several different ports. Use:O DaemonPortOptions=Name=MSA, Port=587, M=Eto run a Message Submission Agent (MSA); this is turned on bydefault in m4-generated .cf files; it can be turned off withFEATURE(`no_default_msa’).”Here’s a URL for RFC 2476:http://www.cis.ohio-state.edu/htbin/rfc/rfc2476.html 2003-09-22 4:17 pm 1. there is no 5.2_RELENG yet it is scheduled at the end of this year (Nov 19, 2003) for more info check http://www.freebsd.org/doc/en_US.ISO8859-1/articles/5-roadmap/sched…2. using anything than STABLE is controversial (well for home server one can use CURRENT too)3. while editing ttys, change ttyx to insecure too4. security.bsd.see_other_uids=0 is in 5.x not only in 5.2while kern.ps_shoallprocs=0 is in 4.x but not in 5.0, 5.1, 5-CURRENT5. keep source update and ports update separate othervise each time when running cvsup one wll have to make buildworld6. If not using IPv6 then set in kernel IPSEC_FAST (… because is fast -> incompatible yet with IPv6 -> will be resolved in upcoming 5.2)7. options CPU_ENABLE_SSEoptions CPU_ATHLON_SSE_HACKthis is server or workstation?8. options IPFIREWALL_DEFAULT_TO_ACCEPTleave it default and modify rc.conf instead. Otherwise if one change his/her mind then will have to re-kompile kernel (it is diffcult to controll all open ports)9. if moving to postfix then remember that /usr/sbin/sendmail (mailwrapper) invokes postfix so setting sendmail_enable to no will prevent postfix from running-options:modify rc.conf:sendmail_enable=”YES”sendmail_flags=”-bd”sendmail_outbound_enable=”NO”sendmail_submit_enable=”NO”sendmail_msp_queue_enable=”NO”-swap the commented lines (sendmail to postfix) in /etc/mailer.conf and add “postfix=YES” to /etc/rc.conf– more10. cyrus-sasl2 is broken use cyrus-sasl2-saslauthd instead11. keep mail users password separate from systemNo comments on using Gentoo as a server 2003-09-22 4:38 pm the article here ( http://www.globetechnology.com/servlet/story/RTGAM.20030911.gtlinux… ) doesn’t really say much, other than the fact that linux (as with all other OSes) is only as secure as it’s admin can make it, and also that the site is heavily funded by sun and microsoft. 2003-09-22 4:47 pm Not to start an MTA flamewar here, but especially given Postfix’s recent vulnerabilities (http://www.securityfocus.com/bid/8333) wouldn’t qmail seem in order for the level of security this article is aiming to provide?There just seem to be a number of Postfix zealots out there who like Postfix for no other reason than they hate both Sendmail and Dan J. Bernstein… 2003-09-22 4:55 pm Thanks for pointing out the errors in the document. I keep a PDF at home and have arlready made many changes to it.. I’ll Make those adjustments you pointed out as well..as for RELENG_5_2 Must have been the beer.. Because i know 5.2 isn’t out yet. 2003-09-22 5:47 pm properly secured sendmail with ssl will do too.In general this is personal choice as one never know where security problems will popup 2003-09-22 6:11 pm I did not notice at first the info about vulnerabilities.But it is linux specific as linux distros (RH,SUSE, Debian)still tends to instal by default postfix 1.x (probably not anymore)Version above 2.x is not vulnerablehttp://marc.theaimsgroup.com/?l=vulnwatch&m=106000570117585&w=2and that what is available on BSD* 2003-09-22 6:35 pm postfix-2.0.15,1 is the FreeBSD version.to the comment above about postfix’s recent vulnrability..what about the sendmail one that was issues last week. or the many before that. Postfix has less issues than sendmail and qmail is too much of a pain in the butt to install right. 2003-09-22 6:47 pm what about the sendmail one that was issues last week. or the many before that.I said nothing in praise of sendmail. I use qmail exclusively.Postfix has less issues than sendmail and qmail is too much of a pain in the butt to install right.On FreeBSD? Surely you jest. Installing any MTA on FreeBSD is as simple as installing any other…cd /usr/ports/mail/qmailmake installmake disable_sendmailmake enable_qmailAnd edit a few files in /var/qmail/control/That’s it… now was someone overstating their case? 2003-09-22 7:10 pm This article is about securing a FreeBSD system. Which is a BSD. Nevertheless the title could have been more descriptive stating it is about FreeBSD. So that us Net- and OpenBSD zealots didn’t have to click and didn’t have to waste our time. 2003-09-22 8:55 pm Screaming Electron.org represents! Good job Soup4You2! http://www.screamingelectron.org is one of the best *BSD sites out there. 2003-09-23 1:26 am If this article had been a OS News post it would have been moderated down. Jeez.