FreeBSD security exercises ========================== 1. Figure out what is running on your machine --------------------------------------------- There are quite a few ways to approach this, but very quickly here are some useful commands: ps # processes netstat # network status sockstat # socket status grep -i yes /etc/rc.conf You should, as usual, read the man pages for "ps", "netstat", "sockstat". On other versions of Unix you may have the command "lsof" (List Open Files), and this can be installed as an optional extra package under FreeBSD too if you wish. Now here are some good options: $ ps -auxw | less $ netstat -an -f inet $ sockstat -4 -l You should try all of these commands and analyse what is being shown. For example, the command "sockstat -4 -l" may produce: $ sockstat -4 -l USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS root syslogd 19072 5 udp4 *:514 *:* root sshd 19196 3 tcp4 *:22 *:* root sendmail 19202 4 tcp4 127.0.0.1:25 *:* What you are seeing is that the syslog daemon is listening for UDP traffic on port 514; sshd is listening for TCP connections on port 22; and sendmail is listening for TCP connections on port 25, but is only listening on IP address 127.0.0.1. That's the loopback address, so will only accept mail generated within the same machine, not from outside. An easy way to check what you've chosen to start at system boot is: $ grep -i yes /etc/rc.conf although some things may be started by default anyway. You can look through /etc/defaults/rc.conf for these, or try: $ grep -i '="yes"' /etc/defaults/rc.conf Finally, in a perfect world you should be able to type: $ ps -auxw | less and know what each and every item in the process list means and does. You can look for unusual items, and use available resources like "man" to try to figure out what all the items in the list mean. 2. Turn off any unnecessary services ------------------------------------ This exercise is very simple and short. You just finished looking at your system in much more detail. Did you see anything that should not be running, starting, etc? This is a *very* subjective question. If you did find something, then the likely place to turn the item off will be in the file /etc/rc.conf You usually do this by immediately shutting it down with: # /etc/rc.d/service stop (or just by 'kill _pid_'), and then adding an entry to /etc/rc.conf that reads: service_enable="NO" As you are using a fresh install of FreeBSD and it is a fairly minimal install there is probably nothing that needs to be turned off right now, but if you think there is, call an instructor over to discuss the item. 3. Understand your logs ----------------------- On a daily basis your server will receive two emails that are generated from a script that is run via the crontab facility. This script reads your log files, checks your system state, etc. and then generates the summary reports for you. The reports can be very useful, particularly if you do not have additional logging facilities in place to warn you immediately of potential attacks. First, have a look at the file: $ less /etc/syslog.conf to understand where logs are generated on your machine (full details of this file are in 'man syslog.conf', of course). Now go to the directory /var/log $ cd /var/log and look at all the log files available to you. These files can be invaluable when troubleshooting problems and checking for potential security issues. The log you are probably going to look at the most is "messages". To see what is happening on your system right at this moment you can try the command (as root): # tail -f /var/log/messages This will show you new items as they are written to your /var/log/messages file. To test this try switching to another virtual terminal (ALT-F2) and logging in (or logging out and in) to a session. Now switch back to your original virtual terminal where you issued the "tail" command (maybe ALT-F1), and see what is reported. This is a nice trick, but it's only useful as something to give you the general feel for what goes on in your system. You will need to take advantage of logging tools to be sure that unusual events are reported to you. Feel free to look at some/all of the log files. Some of the files are not text files, so you won't want to type them to the screen. And, some are empty. A quick way to check what files are text, binary, data, or empty is to do the following: # cd /var/log # file * The 'file' command tells you what type of file a file is, and the shell expands '*' to all the filenames in the current directory. The output from this command may look something like this: Xorg.0.log: ASCII English text Xorg.0.log.old: ASCII English text aculog: ASCII text auth.log: ASCII text connect-errors: ASCII text cron: ASCII text cron.0.bz2: bzip2 compressed data, block size = 900k cron.1.bz2: bzip2 compressed data, block size = 900k cron.2.bz2: bzip2 compressed data, block size = 900k debug.log: ASCII text debug.log.0.bz2: bzip2 compressed data, block size = 900k exim: directory lastlog: data lpd-errs: ASCII text maillog: ASCII text maillog.0.bz2: bzip2 compressed data, block size = 900k maillog.1.bz2: bzip2 compressed data, block size = 900k maillog.2.bz2: bzip2 compressed data, block size = 900k messages: ASCII English text messages.0.bz2: bzip2 compressed data, block size = 900k messages.1.bz2: bzip2 compressed data, block size = 900k messages.2.bz2: bzip2 compressed data, block size = 900k ppp.log: empty security: empty sendmail.st: empty sendmail.st.0: empty sendmail.st.1: empty sendmail.st.2: empty slip.log: empty userlog: ASCII text wtmp: data Files that are gzip compressed or bzip2 compressed can be read using one of the following commands: # gzip -dc filename.gz | less # bzip2 -dc filename.bz2 | less On a daily basis your server will receive two emails that are generated from a script that is run via the crontab facility. This script reads your log files, checks your system state, etc. and then generates the summary reports for you. The reports can be very useful, particularly if you do not have additional logging facilities in place to warn you immediately of potential attacks. If you want to generate the daily summary of your server right no you can issue the following command: # periodic daily It might take a minute or so to complete. Now type: # mail Mail version 8.1 6/6/93. Type ? for help. "/var/mail/root": 2 messages 2 new >N 1 root@localhost.local Sun Jan 9 11:02 37/1039 "localhost.localdomain" N 2 root@localhost.local Sun Jan 9 11:02 72/2440 "localhost.localdomain" Press "1" to see the first message. Press spacebar to scroll. Press "2" to see the next message. Type "quit" to exit from mail. Normally you'd set up a mail alias so that these system messages go somewhere other than to "root". You can look at your crontab file, /etc/crontab, to see how and at what time the daily cron items are done. For more information see $ man cron $ man -a crontab If you want to see how the periodic script works you can look at the file /etc/defaults/periodic.conf. It runs various scripts which are under the directory /etc/periodic: $ cd /etc/periodic $ ls daily monthly security weekly Now look in one of the directories, like 'daily': $ cd daily $ ls 100.clean-disks 210.backup-aliases 430.status-rwho 110.clean-tmps 300.calendar 440.status-mailq 120.clean-preserve 310.accounting 450.status-security 130.clean-msgs 330.news 460.status-mail-rejects 140.clean-rwho 400.status-disks 470.status-named 150.clean-hoststat 405.status-ata-raid 500.queuerun 200.backup-passwd 420.status-network 999.local These are all the scripts that can be run (if enabled in /etc/defaults/periodic.conf) each time the crontab calls the 'periodic daily' command. This is quite an advanced and complex topic, but it's important to begin to understand what is going on in the background on your machine.