StuRa:Server/FreeBSD
Documentation for the FreeBSD server
= Security =
* keep the ports tree up to date:
** portsnap maintains /var/db/portsnap/INDEX
** edit /etc/crontab:
** <code>0 13 * * * root portsnap -I cron fetch && portsnap update && pkg_version -vIL=</code>
** <code>portsnap -I</code> refreshes only the INDEX, the <code>cron</code> subcommand sleeps a random time of up to an hour before fetching so that not every host hits the mirror at 13:00, and <code>pkg_version -vIL=</code> lists just the installed ports whose version no longer matches the INDEX, so cron's mail stays empty while nothing is outdated
* daily audit of the (installed) ports:
** portaudit maintains /var/db/portaudit/auditfile.tbz
** edit /etc/crontab:
** <code>0 14 * * * root portaudit -Fda</code>
** <code>-F</code> fetches a fresh auditfile first, <code>-d</code> prints its date, <code>-a</code> audits every installed package; the cron mail is the alert, so it has to reach somebody who reads it
* caveat: portsnap, portaudit and pkg_version are the tooling of the pre-pkg(8) era; on a current FreeBSD the same two jobs are <code>pkg update</code> and <code>pkg audit -F</code>
* subscribe to [http://www.vuxml.org/freebsd/ VuXML]
* read through [http://security.freebsd.org/ http://security.freebsd.org/]
* subscribe to the [http://nvd.nist.gov/ National Vulnerability Database] [http://nvd.nist.gov/download/nvd-rss.xml (NVD RSS)]
== Packet filter ==
* [http://www.openbsd.org/faq/pf/ OpenBSD pf]
* in /etc/rc.conf:
<code>
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
# host system is gateway for jails
gateway_enable="YES"
</code>
* bind syslogd to the main machine
** in /etc/rc.conf: (maybe the -ss flag as well?)
** <code>syslogd_flags="-b $MAIN_IP"</code>
** <code>-b $MAIN_IP</code> binds the UDP listener to the host address only; <code>-ss</code> would stop syslogd from opening a network socket at all, which is the better choice unless something really has to log to the host over the network
* start the packet filter:
** <code>/etc/rc.d/pf start</code>
** <code>/etc/rc.d/pflog start</code>
* <code>/etc/pf.conf</code> (check with <code>pfctl -vnf /etc/pf.conf</code> before loading; the ruleset below is by now outdated):
<code>
### MACROS
thishost = "$MAIN_IP"
# portsnap5 204.9.55.80
portsnap_freebsd = "{ 204.109.56.116 204.9.55.80 }"
# auditfile.tbz is being fetched from portaudit.freebsd.org
portaudit_freebsd = "69.147.83.36"
# dnsserver from resolv.conf (this line is cut off in the original; the list has to be closed with "}")
dnsserver = "{ 85.214.73.63 217.79.186.148 27.110.120.30 204.152.184.76 194.150$
### RULES
# default deny
block in all
block out all
# the local interface may pass without restriction
pass in quick on lo0 all
pass out quick on lo0 all
## HOST
# allow ssh
pass in on bce0 proto tcp from any to $thishost port $SSH_PORT
pass out on bce0 proto tcp from $thishost port $SSH_PORT to any
## allow outbound icmp
# echo request
pass out inet proto icmp icmp-type 8 code 0 keep state
# echo reply
pass in inet proto icmp icmp-type 0 code 0 keep state
# destination unreachable
pass in inet proto icmp icmp-type 3 keep state
# allow DNS lookups {also via tcp?} port 53
# what about traversal???
pass out on bce0 proto udp from $thishost to $dnsserver port 53 keep state
# allow portsnap to fetch from freebsd.org (ports?)
pass in on bce0 proto tcp from $portsnap_freebsd to $thishost
pass out on bce0 proto tcp from $thishost to $portsnap_freebsd
# allow portaudit to fetch auditfile.tbz via http
pass in on bce0 proto tcp from $portaudit_freebsd port 80 to $thishost
pass out on bce0 proto tcp from $thishost to $portaudit_freebsd port 80
## JAIL example (unrestricted -> '''bad idea''', open ports per service instead)
pass in on bce0 proto { tcp udp icmp } from any to $jail_srs14
pass out on bce0 proto { tcp udp icmp } from $jail_srs14 to any
</code>
* check the rules: <code>pfctl -vnf /etc/pf.conf</code>
* notes on this ruleset:
** $MAIN_IP, $SSH_PORT and $jail_srs14 are placeholders to fill in (the last one as a macro of its own); pfctl refuses to load the file while any macro is undefined, which is exactly what the -n check above catches
** the ssh, portsnap and portaudit rules carry no explicit <code>keep state</code>; from the pf in FreeBSD 7.0 (taken from OpenBSD 4.1) on, pass rules keep state by default, so reply traffic is matched by the state of the rule that admitted the first packet. On that pf the "pass in ... from $portsnap_freebsd" and "... from $portaudit_freebsd port 80" rules only widen the hole, since they admit any TCP segment from those addresses rather than just replies; keep only the "pass out" half. The same holds for the "pass out" line of the ssh pair
** the "echo reply" and "destination unreachable" lines admit those ICMP types from anywhere, whether or not this host sent a request; the state created by the echo-request rule already lets the replies back in
** DNS is allowed over UDP only; a truncated UDP answer makes the resolver retry over TCP, which this ruleset blocks, so add the matching <code>proto tcp</code> rule if resolution of large records hangs
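The jail rules above open every protocol to one address, which the page itself flags as a bad idea. The script below is an added example and not part of the original page: it writes a complete default-deny ruleset in which each jail gets exactly the services it runs, and it checks the result with pfctl where that exists and, elsewhere, with a portable fallback for the mistake pfctl reports first (a $macro used but never defined). The interface name bce0 is taken from the page; the jail names, the addresses (TEST-NET-1 range) and the service lists are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own ruleset: per-jail pf rules with least
# privilege instead of "pass in ... proto { tcp udp icmp } from any to $jail".
# bce0 comes from the page; jails, addresses and services are assumptions.

EXT_IF="${EXT_IF:-bce0}"   # external interface of the host

# jail_rules NAME IP "SERVICES": print the rules for one jail.
# SERVICES is a space separated list such as "tcp/25 tcp/993 out:tcp/25";
# entries without "out:" are opened inbound, entries with it outbound.
jail_rules() {
    jr_name=$1; jr_ip=$2; jr_services=$3
    printf '## jail %s\n%s_ip = "%s"\n' "$jr_name" "$jr_name" "$jr_ip"
    for jr_svc in $jr_services; do
        jr_dir=in
        case "$jr_svc" in out:*) jr_dir=out; jr_svc=${jr_svc#out:} ;; esac
        jr_proto=${jr_svc%/*}; jr_port=${jr_svc#*/}
        case "$jr_proto" in
            tcp|udp) ;;
            *) printf 'jail_rules: bad service "%s"\n' "$jr_svc" >&2; return 1 ;;
        esac
        case "$jr_port" in
            ''|*[!0-9]*) printf 'jail_rules: bad port in "%s"\n' "$jr_svc" >&2; return 1 ;;
        esac
        if [ "$jr_dir" = in ]; then
            # state is kept, so the replies need no "pass out" rule of their own
            printf 'pass in log on %s proto %s from any to $%s_ip port %s keep state\n' \
                "$EXT_IF" "$jr_proto" "$jr_name" "$jr_port"
        else
            printf 'pass out on %s proto %s from $%s_ip to any port %s keep state\n' \
                "$EXT_IF" "$jr_proto" "$jr_name" "$jr_port"
        fi
    done
    # every jail may reach the configured resolvers; nothing else leaves
    printf 'pass out on %s proto udp from $%s_ip to $dnsserver port 53 keep state\n' \
        "$EXT_IF" "$jr_name"
}

# pf_ruleset OUTFILE "NAME:IP:SERVICES"...: write the whole ruleset
pf_ruleset() {
    pr_out=$1; shift
    {
        printf '### MACROS\nthishost = "%s"\n' "${MAIN_IP:-192.0.2.10}"   # placeholder address
        printf 'dnsserver = "{ 192.0.2.53 }"\n'                           # placeholder resolver
        printf '### RULES\nblock in log all\nblock out log all\n'
        printf 'pass in quick on lo0 all\npass out quick on lo0 all\n'
        printf 'pass in on %s proto tcp from any to $thishost port %s keep state\n' \
            "$EXT_IF" "${SSH_PORT:-22}"
        for pr_spec in "$@"; do
            pr_name=${pr_spec%%:*}; pr_rest=${pr_spec#*:}
            pr_ip=${pr_rest%%:*};  pr_services=${pr_rest#*:}
            jail_rules "$pr_name" "$pr_ip" "$pr_services" || return 1
        done
    } > "$pr_out"
}

# pf_check FILE: pfctl -nf where pfctl exists, otherwise a portable check
# for the mistake pfctl reports first: a $macro used but never defined.
pf_check() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
        return
    fi
    awk '
        BEGIN { bad = 0 }
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { sub(/[ \t]*=.*/, ""); def[$0] = 1; next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            rest = $0
            while (match(rest, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(rest, RSTART + 1, RLENGTH - 1)
                if (!(name in def)) { printf "undefined macro $%s in: %s\n", name, $0; bad = 1 }
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        END { exit bad }' "$1"
}

if [ $# -gt 0 ]; then   # usage: sh pfjails.sh OUTFILE "mail:192.0.2.20:tcp/25 out:tcp/25" ...
    pf_ruleset "$@" && pf_check "$1"
fi
```

The generated rules log inbound hits (<code>pass in log</code>), so pflog shows which service of which jail is being talked to; the outbound side of a jail is closed except for DNS and the services explicitly marked <code>out:</code>, which is what a mail jail needs for port 25 and a web jail usually does not need at all.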
=== Operating the packet filter ===
* enable: <code>pfctl -e</code>
* disable: <code>pfctl -d</code>
* sanity check: <code>pfctl -vnf /etc/pf.conf</code>
* flush the old rules and load the new ones: <code>pfctl -Fa -f /etc/pf.conf</code>
** caveat: <code>-Fa</code> also flushes the state table, so every open connection, including the ssh session you are typing in, loses its state; with the stateful rules above a mid-stream packet without SYN no longer matches a pass rule and the session hangs. <code>pfctl -f /etc/pf.conf</code> alone replaces the ruleset and keeps the states; use <code>-F</code> only from the console or when the states really have to go
=== References ===
* [http://openbsd.org/faq/pf/de/index.html PF: The OpenBSD Packet Filter (German translation of the FAQ)]
* [http://www.amazon.com/Building-Firewalls-OpenBSD-PF-2nd/dp/8391665119 Jacek Artymiak - Building Firewalls with OpenBSD and PF, 2nd edition]
* [http://www.nostarch.com/pf2.htm Peter N. M. Hansteen: The Book of PF, 2nd Edition - A No-Nonsense Guide to the OpenBSD Firewall]
== FreeBSD audit ==
* relentless logging of system calls
* does nothing preventively, but is extremely helpful in post-mortem analysis
* [http://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/audit.html FreeBSD Handbook chapter 17, Security Event Auditing]
* in /etc/rc.conf: <code>auditd_enable="YES"</code>
* start auditd: <code>/etc/rc.d/auditd start</code>
* in /etc/security/audit_control:
<code>
flags:lo,aa,ex
policy:cnt,argv
</code>
** <code>flags:lo,aa,ex</code> selects login/logout, authentication/authorisation and program execution events for every user; <code>policy:cnt</code> lets processes carry on when an event cannot be written to the trail (the alternative <code>ahlt</code> halts the machine instead, so this is availability versus a complete trail), <code>argv</code> records the command-line arguments of each exec, which is what makes the ex class useful afterwards
** apply a changed configuration: <code>audit -s</code>
* cron job for rotating the trail files: in /etc/crontab
** <code>0 */12 * * * root /usr/sbin/audit -n</code>
** the trails land in /var/audit and nothing here deletes them; <code>audit -n</code> only starts a new file, so watch the free space there (newer releases have <code>expire-after</code> in audit_control and <code>audit -e</code> for that)
= Jails =
Jails virtualise operating system instances. See [http://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/jails.html FreeBSD Handbook chapter 15 - Jails] for details.
== Creating a jail ==
* <code>cd /usr/src</code>
* if needed, install the sources first: sysinstall -> configure -> distributions
* if needed, <code># make buildworld</code>
* jails live under /home/jails/$JAILNAME
* build the system for the jail:
<code>
# make installworld DESTDIR=/home/jails/$JAILNAME
# make distribution DESTDIR=/home/jails/$JAILNAME
</code>
* put device nodes into the jail:
** <code># mount -t devfs devfs /home/jails/$JAILNAME/dev</code>
* copy resolv.conf from the host: <code>cp /etc/resolv.conf /home/jails/$JAILNAME/etc/resolv.conf</code>
* edit rc.conf:
<code>
jail_enable="YES"
jail_list="$JAILNAME"
ifconfig_bce0_alias0="$JAIL_IP netmask 255.255.255.0"
jail_$JAILNAME_rootdir="/usr/home/jails/$JAILNAME"
jail_$JAILNAME_hostname="$JAILNAME.stura.htw-dresden.de"
jail_$JAILNAME_ip="$JAIL_IP"
jail_$JAILNAME_devfs_enable="YES"
jail_$JAILNAME_devfs_ruleset="devfs_rules_jail"
</code>
** if $JAIL_IP lies in the same subnet as the host's primary address, the alias has to use <code>netmask 255.255.255.255</code>: only the first address in a subnet carries the real mask, a second one with the same mask is refused by ifconfig ("File exists")
** with <code>devfs_enable="YES"</code> the rc script mounts devfs into the jail itself and applies the named ruleset, so the manual mount above is only needed for working inside the tree before the first start. The ruleset hides disk, memory and similar device nodes from the jail; make sure the name exists (the one shipped in /etc/defaults/devfs.rules is called devfsrules_jail) and check after the start with <code>ls /home/jails/$JAILNAME/dev</code> that only the intended nodes are visible
* start the jail: <code>/etc/rc.d/jail start</code>
* start a process inside the jail: <code>jexec $JAIL_ID tcsh</code>
** $JAIL_ID can be read off <code>jls</code>
** install the ports collection etc.
** <code>portsnap fetch && portsnap extract && portsnap update</code>
** if needed, enable ssh (in the jail's rc.conf): <code>sshd_enable="YES"</code>
== Deleting a jail ==
* stop the jail first (<code>/etc/rc.d/jail stop</code>) and check with <code>mount</code> that nothing is mounted below the jail root any more, the devfs from above in particular, otherwise the rm runs into the live /dev
* change into the jail root (/home/jails/$JAILNAME); the cd must have succeeded before anything is removed, <code>rm -rf *</code> in the wrong directory is not recoverable, hence the <code>&&</code> chaining:
<code>
cd /home/jails/$JAILNAME && chflags -R noschg * && rm -rf *
cd .. && rm -r $JAILNAME
</code>
** <code>chflags -R noschg</code> clears the system immutable flag that installworld sets on parts of the base system; without it rm fails on those files even as root, and the flag can only be cleared while the securelevel is 0 or lower
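The same removal as a function that refuses the dangerous cases before it touches anything. This is an added example, not the page's own procedure: it takes the jail root prefix /home/jails from the page, treats the running-jail test with <code>jls -j</code> as an assumption about the jls version at hand (it is skipped where jls does not exist, as is chflags), and removes the jail directory by its full path instead of running <code>rm -rf *</code> from inside it.

```shell
#!/bin/sh
# Added example (not the page's own procedure): delete a jail's file tree
# without the classic accident of "rm -rf *" running in the wrong directory.
# JAIL_BASE follows the page (/home/jails); the running-jail test via jls -j
# is an assumption about the jls version and is skipped where jls is absent.

JAIL_BASE="${JAIL_BASE:-/home/jails}"

# jail_destroy NAME: remove $JAIL_BASE/NAME. Refuses a name with a slash or
# dots (no escaping from JAIL_BASE), a missing directory, a running jail and
# anything still mounted at or below the root (the jail's devfs in particular).
jail_destroy() {
    jd_name=$1
    case "$jd_name" in
        ''|*/*|.|..)
            printf 'jail_destroy: refusing jail name "%s"\n' "$jd_name" >&2; return 2 ;;
    esac
    jd_root="$JAIL_BASE/$jd_name"
    if [ ! -d "$jd_root" ]; then
        printf 'jail_destroy: %s is not a directory\n' "$jd_root" >&2; return 2
    fi
    if command -v jls >/dev/null 2>&1 && jls -j "$jd_name" >/dev/null 2>&1; then
        printf 'jail_destroy: jail %s is running, stop it first\n' "$jd_name" >&2; return 3
    fi
    if mount 2>/dev/null | grep -qF -e " on $jd_root/" -e " on $jd_root "; then
        printf 'jail_destroy: something is still mounted below %s\n' "$jd_root" >&2; return 3
    fi
    # installworld sets the system immutable flag on parts of the base system;
    # clearing it needs securelevel 0, so this step fails on a hardened host
    if command -v chflags >/dev/null 2>&1; then
        chflags -R noschg "$jd_root" || return 1
    fi
    # remove the path itself; never "cd" there and remove "*"
    rm -rf "$jd_root"
}

if [ $# -gt 0 ]; then   # usage: sh jail_destroy.sh NAME
    jail_destroy "$1"
fi
```

The exit codes separate "bad input" (2) from "not safe right now" (3), so a wrapper can tell a typo in the jail name from a jail that merely has not been stopped yet.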
== Tricks, problems etc. ==
* maybe have a look at ezjail (was broken at the time)
* allow ping from inside jails
** host: allow_raw_sockets=1 via
*** <code># sysctl security.jail.allow_raw_sockets=1</code>
*** or set it in /etc/sysctl.conf
*** [http://www.cyberciti.biz/faq/freebsd-jail-allow-ping-tracerouter-commands/ source]
*** caveat: on this FreeBSD generation the sysctl is a host-wide switch (newer releases have the per-jail parameter allow.raw_sockets); root in any jail may then build arbitrary IP packets with the jail's address as source, not just ICMP echo, so it weakens every jail at once and is worth enabling only if ping/traceroute from inside the jails is really needed
* ssh:
** etc/ssh/sshd_config: <code>ListenAddress 0.0.0.0</code>
= ssh =
* [http://openssh.com/ openssh]
* move ssh to a different port
* suggestions for /etc/ssh/sshd_config:
<code>
VersionAddendum
Port $SSH_PORTNUMMER
ListenAddress $JAIL_IP
Protocol 2
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 4
MaxSessions 5
AllowUsers $DER_COOLE_LEUTE_CLUB
PermitEmptyPasswords no
X11Forwarding no
Banner none
</code>
* always read the man page and comb through the file carefully
* keys + passwords for authentication
* in jails: <code>ListenAddress 0.0.0.0</code>
* notes:
** an empty <code>VersionAddendum</code> is meant to drop the FreeBSD suffix from the version banner (current releases spell it <code>VersionAddendum none</code>); it is cosmetic, the banner still names the OpenSSH version
** moving the port reduces the log noise from mass scanners, nothing more; the pf rule for $SSH_PORT has to match this value or you lock yourself out
** <code>AllowUsers</code> is the actual access list ($DER_COOLE_LEUTE_CLUB stands for the space separated user names); a new account on the box cannot log in until it is added here
** "keys + passwords" means both methods stay enabled; once every listed user has a key, <code>PasswordAuthentication no</code> (and <code>ChallengeResponseAuthentication no</code>, called KbdInteractiveAuthentication on current releases) closes the brute-force surface that MaxAuthTries and LoginGraceTime only slow down
** <code>Protocol 2</code> is harmless but only matters on old releases; current OpenSSH no longer speaks protocol 1 at all
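A small checker for the settings listed above, as an added example that is not part of the original page. It reads sshd_config the way sshd does, which is where hand-made checks usually go wrong: keywords are case-insensitive, the first occurrence of a keyword wins, and everything after a <code>Match</code> line is conditional and therefore ignored here. The defaults it assumes for unset keywords are those documented in sshd_config(5); the "Key=value" spelling is not handled.

```shell
#!/bin/sh
# Added example, not part of the page: check an sshd_config against the
# settings suggested above. Keywords are case-insensitive, the FIRST
# occurrence wins, and everything after "Match" is conditional, so only the
# global section is read. The "Key=value" spelling is not handled.

# sshd_get FILE KEYWORD: print the effective global value ("" if unset)
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }      # end of the global section
        tolower($1) == key       { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

sshd_bad=0
sshd_fail() { printf '%s\n' "$1"; sshd_bad=1; }

# sshd_check FILE: one line per finding, returns 1 if there was any.
# Defaults as in sshd_config(5): PermitRootLogin "yes" on old releases
# (prohibit-password on current ones), PasswordAuthentication yes,
# MaxAuthTries 6, PermitEmptyPasswords no, X11Forwarding no, StrictModes yes.
sshd_check() {
    sshd_bad=0
    sv=$(sshd_get "$1" PermitRootLogin)
    [ "$sv" = no ] || sshd_fail "PermitRootLogin is '${sv:-unset}', want no"
    sv=$(sshd_get "$1" PasswordAuthentication)
    [ "$sv" = no ] || sshd_fail "PasswordAuthentication is '${sv:-unset}', want no once keys are deployed"
    sv=$(sshd_get "$1" PermitEmptyPasswords)
    [ "${sv:-no}" = no ] || sshd_fail "PermitEmptyPasswords is '$sv', want no"
    sv=$(sshd_get "$1" X11Forwarding)
    [ "${sv:-no}" = no ] || sshd_fail "X11Forwarding is '$sv', want no"
    sv=$(sshd_get "$1" StrictModes)
    [ "${sv:-yes}" = yes ] || sshd_fail "StrictModes is '$sv', want yes"
    sv=$(sshd_get "$1" MaxAuthTries)
    [ "${sv:-6}" -le 4 ] 2>/dev/null || sshd_fail "MaxAuthTries is '${sv:-6 (default)}', want 4 or less"
    sv=$(sshd_get "$1" AllowUsers)
    [ -n "$sv" ] || sshd_fail "AllowUsers is unset: every local account may log in"
    sv=$(sshd_get "$1" Protocol)
    case "$sv" in *1*) sshd_fail "Protocol '$sv' still offers SSH-1" ;; esac
    return $sshd_bad
}

if [ $# -gt 0 ]; then   # usage: sh sshd_check.sh /etc/ssh/sshd_config
    sshd_check "$1"
fi
```

Run it against the file before <code>/etc/rc.d/sshd restart</code>; the restart itself should be done from a second session that stays open until the new configuration has been confirmed with a fresh login.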
= Email =
* MTA: [http://www.postfix.org/ postfix]
* MDA: [http://www.dovecot.org/ dovecot]
* recommended MUAs (client side):
** [https://www.mozilla.org/de/thunderbird/ Mozilla Thunderbird]
** [http://www.mutt.org/ mutt]
== MTA: postfix ==
* in the email jail
* <code># cd /usr/ports/mail/postfix</code>
…
<code>
mail_spool_directory = /var/spool/mail
relay_domains = stura.htw-dresden.de
smtpd_recipient_restrictions = reject_invalid_hostname,
    reject_unknown_recipient_domain,
…
smtpd_client_restrictions = reject_rbl_client dnsbl.sorbs.net
</code>
* notes:
** the smtpd_recipient_restrictions list is cut off here; whatever else it contains, the relay decision has to come from <code>reject_unauth_destination</code> (in this list, or in smtpd_relay_restrictions from Postfix 2.10 on), and the only proof is a test from outside the jail: a RCPT TO outside relay_domains and mydestination must get "554 Relay access denied"
** DNSBLs come and go (SORBS has since ceased operation); a dead list answers nothing and silently stops blocking, and an expired list domain can one day answer positively for every query and block all mail, so review the list names every now and then
== MDA: dovecot ==
* (dovecot is the IMAP/POP3 server; its deliver/LMTP component is the actual MDA)
* options: kqueue, ssl, managesieve, mysql
* <code># echo 'dovecot_enable="YES"' >> /etc/rc.conf</code>
* <code># cp /usr/local/share/examples/dovecot/dovecot.conf /usr/local/etc/dovecot.conf</code>
* <code># cp /usr/local/share/examples/dovecot/dovecot-sql.conf /usr/local/etc/dovecot-sql.conf</code>
* in /usr/local/etc/dovecot.conf: (for testing only, for now)
<code>
protocols = imap pop3
disable_plaintext_auth = no
ssl = no
</code>
…
* '''add crypto (imap -> imaps, pop3 -> pop3s)''': <code>ssl = yes</code> with certificate and key configured, and <code>disable_plaintext_auth = yes</code> again; the test settings above let every mailbox password cross the wire in clear text, so they must not survive into production
== Tricks etc. ==
* create alias addresses
** edit /usr/local/etc/postfix/main.cf:
<code>
alias_maps = hash:/etc/aliases, hash:/etc/aliases.stura
alias_database = hash:/etc/aliases,hash:/etc/aliases.stura
</code>
** edit /etc/aliases.stura
** <code>newaliases</code> (rebuilds the hash databases; an edited aliases file without it has no effect)
** <code>postfix reload</code>
** <code># /usr/local/etc/rc.d/postfix restart</code> (only if the reload was not enough)
* test SMTP by hand:
** <code>nc $JAIL_IP 25</code>
** <code>HELO microsoft.com</code>
** <code>MAIL FROM:<bill@microsoft.com></code>
** <code>RCPT TO:<test@stura.htw-dresden.de></code>
** <code>DATA</code>
** <code>From: <bill@microsoft.com></code>
** <code>To: <test@stura.htw-dresden.de></code>
** <code>Subject: hui</code>
** (empty line, ends the header)
** <code>this should not have happened</code>
** <code>.</code>
** <code>QUIT</code>
** this only shows that mail for the own domain is accepted; repeat the session with a RCPT TO outside relay_domains and mydestination and expect "554 Relay access denied", and run both from a host outside mynetworks, since permit_mynetworks lets those hosts relay anyway (on older Postfix the default mynetworks covers the server's whole subnet)
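The relay test from the note above, scripted, as an added example that is not part of the original page. It speaks the same dialogue as the manual nc session but stops at RCPT TO, because that is where Postfix answers the relay question, and it reads the verdict out of the transcript. The sender address and host names are constructed; nc(1) with a -w timeout is assumed for the live probe, and the parser is what gets exercised offline.

```shell
#!/bin/sh
# Added example, not from the page: probe an MTA the way the manual nc
# session above does, but with the question that matters for relay_domains
# and reject_unauth_destination: is mail for a foreign domain refused?
# Sender address and host names are constructed; nc -w (timeout) is assumed.

# smtp_dialog FROM RCPT: the commands of one probe, one per line. No DATA
# is sent; the relay decision is answered at RCPT TO already.
smtp_dialog() {
    printf 'EHLO probe.example\nMAIL FROM:<%s>\nRCPT TO:<%s>\nQUIT\n' "$1" "$2"
}

# smtp_probe HOST PORT FROM RCPT: run the dialog live, print the transcript.
# One command per second so a server without pipelining is not upset.
smtp_probe() {
    smtp_dialog "$3"  "$4" | while IFS= read -r sp_line; do
        sleep 1; printf '%s\r\n' "$sp_line"
    done | nc -w 10 "$1" "$2"
}

# smtp_rcpt_code TRANSCRIPT: the reply code to RCPT TO. Every command gets
# exactly one final reply ("NNN text"; "NNN-text" lines are continuations),
# so the 4th final reply belongs to RCPT: greeting, EHLO, MAIL, RCPT.
smtp_rcpt_code() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        /^[0-9][0-9][0-9]( |$)/ { if (++n == 4) { print $1; exit } }'
}

# smtp_relay_verdict TRANSCRIPT: accepted / deferred / rejected / unknown
smtp_relay_verdict() {
    case "$(smtp_rcpt_code "$1")" in
        2??) echo accepted ;;
        4??) echo deferred ;;     # e.g. greylisting or defer_unauth_destination
        5??) echo rejected ;;
        *)   echo unknown ;;      # no reply to RCPT: refused or closed early
    esac
}

# smtp_relay_check HOST PORT LOCAL_RCPT FOREIGN_RCPT: both halves of the
# test; 0 only if local mail is accepted and relaying is rejected outright
smtp_relay_check() {
    rc_local=$(smtp_relay_verdict "$(smtp_probe "$1" "$2" probe@example.net "$3")")
    rc_foreign=$(smtp_relay_verdict "$(smtp_probe "$1" "$2" probe@example.net "$4")")
    printf 'local recipient: %s, foreign recipient: %s\n' "$rc_local" "$rc_foreign"
    [ "$rc_local" = accepted ] && [ "$rc_foreign" = rejected ]
}

if [ $# -eq 4 ]; then   # usage: sh relaycheck.sh $JAIL_IP 25 test@stura.htw-dresden.de victim@example.org
    smtp_relay_check "$@"
fi
```

Run it from a host that is not in mynetworks, otherwise permit_mynetworks answers the foreign half with "accepted" and tells you nothing about strangers. A "deferred" for the foreign recipient means the server uses a 4xx policy (greylisting, defer_unauth_destination); that is not an open relay, but the check deliberately insists on a 5xx.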
= Plone =
* built by JoSch back then, since thoroughly overhauled
* [http://www.freebsdforums.org/how-to-install-apache-for-freebsd/ Apache] installed
…
* [http://plone.org/products/plone/releases http://plone.org/documentation/kb/freebsdploneapache/preparefreebsd]
= DNS =
* the DNS servers of the [https://www.foebud.org/ FoeBuD] and of the CCC are used
* additionally (for [http://www.opennicproject.org/ OpenNIC])
…
** NZ 27.110.120.30 ns1.nz.dns.opennic.glue Dean Gardiner yes (24 hrs)
* the resolvers in /etc/resolv.conf have to match the <code>$dnsserver</code> macro in /etc/pf.conf (27.110.120.30 appears in both); a resolver added only here is silently blocked by the packet filter
= Tips, tricks etc. =
* track changes to configuration files (e.g. in /etc) with [http://git-scm.com/ git]
* set up disk quotas for the jails
…
# return
# exit
= References etc. =
* [http://www.freebsd.org FreeBSD.org] - [http://www.freebsd.org/doc/de_DE.ISO8859-1/books/handbook/ Handbook (German)]
* [http://www.freebsdwiki.net/ FreeBSD-wiki]
* [http://cb.vu/unixtoolbox.xhtml Unix Toolbox]
* [http://openbsd.org/faq/pf/de/index.html PF: The OpenBSD Packet Filter (German translation of the FAQ)]
== Books ==
* [http://nostarch.com/abs_bsd2.htm Absolute FreeBSD, 2nd Edition]
* [http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470376031.html BSD UNIX Toolbox: 1000+ Commands for FreeBSD, OpenBSD and NetBSD]