FreeBSD

Page history last edited by PBworks 14 years, 6 months ago

Security related sysctl variables

# Apply at runtime with sysctl -w; to keep the settings across reboots, put the name=value pairs in /etc/sysctl.conf.

# Users can't see the processes, sockets, etc. of other users with ps, netstat, procfs and other tools.
sysctl -w security.bsd.see_other_uids=0

# Users can't see the processes, sockets, etc. of users in other groups with ps, netstat, procfs and other tools.
sysctl -w security.bsd.see_other_gids=0

# Unprivileged processes can't invoke system debugging primitives such as ptrace, procfs and ktrace.
# 1 (the default) allows them; 0 disables them.
sysctl -w security.bsd.unprivileged_proc_debug=0

# Unprivileged processes can't read the kernel message buffer (dmesg).
sysctl -w security.bsd.unprivileged_read_msgbuf=0

# Users can only hard link to files whose uid matches their own.
sysctl -w security.bsd.hardlink_check_uid=1

# Users can only hard link to files whose gid matches one of their gids.
sysctl -w security.bsd.hardlink_check_gid=1

# Users can't request their live quota information.
sysctl -w security.bsd.unprivileged_get_quota=0

# Don't send ICMP redirects, ignore incoming ICMP redirects, and log the ones received.
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet.icmp.drop_redirect=1
sysctl -w net.inet.icmp.log_redirect=1

# Maximum number of ICMP "Unreachable" and TCP RST packets sent back per second.
sysctl -w net.inet.icmp.icmplim=100

# Drop all TCP segments to closed ports without an RST reply (1 would drop only SYNs).
sysctl -w net.inet.tcp.blackhole=2

# Drop UDP datagrams to closed ports without an ICMP port unreachable reply.
sysctl -w net.inet.udp.blackhole=1

# Randomise the IP ID field instead of using a predictable counter.
sysctl -w net.inet.ip.random_id=1

# Maximum Segment Lifetime in milliseconds (default 30000). 10 seconds makes
# TIME_WAIT (which lasts 2*MSL) expire sooner, so stale connections are freed faster.
sysctl -w net.inet.tcp.msl=10000

# Maximum listen(2) backlog: size of the pending (embryonic) connection queue per socket.
sysctl -w kern.ipc.somaxconn=4096
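As an added example (not part of the original page), a small POSIX sh audit script that compares the live kernel values against the list above and reports drift, which is the check to run after a reboot or on a fleet of hosts. SYSCTL_CMD is an assumed hook so the comparison can be exercised without a FreeBSD host; persist_sysctls writes the list in /etc/sysctl.conf format, since sysctl -w changes are lost on reboot.

```shell
#!/bin/sh
# Expected hardening values, mirroring the list on this page (constructed here as data).
EXPECTED='security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.hardlink_check_uid=1
security.bsd.hardlink_check_gid=1
security.bsd.unprivileged_get_quota=0
net.inet.ip.redirect=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.icmp.icmplim=100
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
net.inet.tcp.msl=10000
kern.ipc.somaxconn=4096'

# read_current NAME: print the live value of one sysctl.
# SYSCTL_CMD is an assumed test hook; unset, it runs "sysctl -n" (unquoted on purpose, so the flag splits off).
read_current() {
    ${SYSCTL_CMD:-sysctl -n} "$1" 2>/dev/null
}

# audit_sysctls: print one "name expected=X actual=Y" line per drifted key.
# Returns the number of mismatches, so 0 means the host matches the list.
audit_sysctls() {
    drift=0
    for entry in $(printf '%s\n' "$EXPECTED"); do  # entries contain no whitespace
        name=${entry%%=*}
        want=${entry#*=}
        have=$(read_current "$name" || :)           # missing key reads as empty
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$name" "$want" "${have:-<unset>}"
            drift=$((drift + 1))
        fi
    done
    return $drift
}

# persist_sysctls FILE: append the expected pairs in /etc/sysctl.conf format.
persist_sysctls() {
    printf '%s\n' "$EXPECTED" >> "$1"
}
```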

 

Mount ISO Image on FreeBSD 5.x

 

# mdconfig -a -t vnode -f image.iso -u 0

# mount -t cd9660 /dev/md0 /mnt/iso

 

Unmount ISO Image on FreeBSD 5.x

 

# umount /mnt/iso

# mdconfig -d -u 0

 

Mount ISO Image on FreeBSD 4.x

 

# vnconfig -c vn0c image.iso

# mount -t cd9660 /dev/vn0c /mnt/whatever

 

Unmount ISO Image on FreeBSD 4.x

 

# umount /mnt/whatever

# vnconfig -u vn0c

 

Upgrade Perl Version from 5.8.6 to 5.8.8

 

1) Install the perl5.8 port

 

$ cd /usr/ports/lang/perl5.8

$ make install

 

2) Set the new version of perl to be the default. (This also turns off building perl as part of the base system):

 

$ use.perl port

 

3) Re-install any 3rd-party modules, etc. that you've installed so the new perl can access them.

 

$ find /usr/local/lib/perl5/{site_perl/5.8.6,5.8.6} -type f -print0 | xargs -0 -n 1 pkg_which | sort -u > /tmp/perl-ports

$ vi /tmp/perl-ports (be sure to sanity check the results)

$ portupgrade -f `cat /tmp/perl-ports`

 

Setting blowfish as the default password encryption method

 

In /etc/login.conf change

 

:passwd_format=md5:

 

to

 

:passwd_format=blf:

 

and recreate the login capability database:

 

$ cap_mkdb /etc/login.conf

 

Now have each user change their password. Start with your current login.

 

$ passwd

Changing local password for {current user}.

new password:

retype new password:

passwd: updating the database. . .

passwd: done

 

To confirm your changes, type:

$ grep ${USER} /etc/master.passwd | cut -d: -f2

 

The second field of your entry in /etc/master.passwd, which holds the password hash, should now begin with $2 (for example $2a$), which indicates the use of Blowfish.

 

Then in /etc/auth.conf change

 

#crypt_default = md5 des

 

to

 

crypt_default = blf

 

All new users you create with adduser from now on will have their password hashed with Blowfish.

 

  • Configure syslogd to listen on a single IPv4 address (-4 restricts it to IPv4, -b binds it to the given address)

$ echo 'syslogd_flags="-4 -b 192.168.0.205"' >> /etc/rc.conf

 

  • Creating a New File-Backed Disk with mdconfig

 

$ dd if=/dev/zero of=newimage bs=1k count=5k

5120+0 records in

5120+0 records out

$ mdconfig -a -t vnode -f newimage -u 0

$ bsdlabel -w md0 auto

$ newfs md0a

/dev/md0a: 5.0MB (10224 sectors) block size 16384, fragment size 2048

using 4 cylinder groups of 1.25MB, 80 blks, 192 inodes.

super-block backups (for fsck -b #) at:

160, 2720, 5280, 7840

$ mount /dev/md0a /mnt

$ df /mnt

Filesystem 1K-blocks Used Avail Capacity Mounted on

/dev/md0a 4710 4 4330 0% /mnt
