Monday, February 2, 2015

FreeBSD - Security Tips

Security has always been a major topic alongside Open Source systems. A weak entry point in any system may allow hackers to gain access to critical servers and information, and then plant a backdoor or cause heavy damage across the entire network.

FreeBSD
When applying security measures to a system, it is highly advisable to start by securing the basic system configuration and then move up to securing the network layer, so that it complies with the system policy and the organization’s security procedures. Many corporations already have a security policy that covers the configuration of all internal technology devices. The policy should include the security configuration of workstations, user desktops, mobile devices, phones and servers.
There are some general steps that have become traditional for FreeBSD admins, such as employing password hashes and password policy enforcement, or activating binary verification, where a specific software application, an intrusion detection system (IDS) that is natively supported by FreeBSD, verifies every change in the system files and reports it to security teams. However, it is essential that you create a security plan to secure your server immediately upon installation, not just activate default procedures that hackers already know. Do not leave it up without first securing it. Here are the basic recommended steps you need to take in order to secure your server:
  • Run only the services you plan on using
  • Use only the services that are necessary
  • Use secure passwords
  • Force users on your machine to use secure passwords
  • Restrict root access to a minimal set of services
  • Restrict access to these services via tcpwrappers
  • Restrict access to your box using IP Firewall services (ipfw)
  • Log events on your machine and understand what logs are being kept
  • Install some type of system change detection software, so that you can tell if your server has been compromised
  • Back up your server’s data so that if it is compromised, you can reinstall from scratch, but still have your data available
  • Finally, physical security is important. The more people who have physical access to the machine, the less secure your server is
There are some services you should never run. At the top of this list is Telnet. You should access your servers using Secure Shell (SSH), as all information is encrypted. Telnet is very insecure since it passes all information in clear text across the network. Other common services with this problem include FTP, POP, and IMAP. If you are just starting out as an ISP, this is your chance to work with SSH and SCP clients for your users, as well as encrypted POP and IMAP email clients, or secure Webmail servers using SSL.
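As an added example (not part of the original post), the following sh function audits an inetd.conf-format file for enabled entries for the cleartext services named above. The function name `cleartext_services` and the sample file contents are constructed for illustration, and it assumes these services would be started from `/etc/inetd.conf`.

```shell
#!/bin/sh
# Added example: report cleartext services enabled in an inetd.conf-format file.
# Flagged service names follow the article: telnet, FTP, POP, IMAP.

# Usage: cleartext_services /etc/inetd.conf
# Prints "service<TAB>server-program" for each uncommented entry whose service
# name is a cleartext protocol. Exit status is 1 if any entry was found.
cleartext_services() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and commented entries
        {
            svc = tolower($1)
            if (svc ~ /^(telnet|ftp|pop2|pop3|imap|imap4)$/) {
                printf "%s\t%s\n", svc, $6   # field 6 is the server program path
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# Constructed sample in inetd.conf layout (not taken from a real host):
# telnet and pop3 are enabled, ftp is commented out.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# service  socket  proto  wait    user  server-program             arguments
#ftp       stream  tcp    nowait  root  /usr/libexec/ftpd          ftpd -l
telnet     stream  tcp    nowait  root  /usr/libexec/telnetd       telnetd
pop3       stream  tcp    nowait  root  /usr/local/libexec/popper  popper
EOF

if cleartext_services "$SAMPLE"; then
    echo "no cleartext services enabled"
else
    echo "cleartext services enabled: comment them out and use SSH or TLS equivalents"
fi
rm -f "$SAMPLE"
```

Services started as standalone daemons rather than through inetd are not covered by this check and need to be reviewed separately.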
