• Computer

    Rootkit-detection in FreeBSD

    Lars Sommer, lasg@lasg.dk, 2007-10-18

    DISCLAIMER: This is a personal note made for personal use. It may be neither easy to use nor well explained.

    Install these ports:
    security/chkrootkit
    security/rkhunter

    rkhunter install options (make options):
    WITH_LSOF=true
    WITH_NMAP=true

    --- chkrootkit usage:

    Run it from time to time with:
    sudo chkrootkit -q

    Or add it to /etc/crontab, e.g. weekly (Tuesday at 10:10):
    10 10 * * 2 root /usr/local/sbin/chkrootkit -q > /var/log/chkrootkit.log

    Note that this redirects only stdout: warnings chkrootkit prints on stderr end up in cron's mail rather than in the log file, and each run overwrites the previous log.

    --- rkhunter usage:

    Keep the rkhunter database up to date. This is done automatically by adding this line to /etc/periodic.conf:
    daily_rkhunter_update_enable="YES"

    rkhunter can also run as part of the daily security check by adding this line to /etc/periodic.conf:
    daily_rkhunter_check_enable="YES"

    Add "--quiet --createlogfile --no-verbose-logging" to the rkhunter invocation in /usr/local/etc/periodic/security/415.rkhunter so that only the relevant findings are logged.
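    The cron and periodic entries above only produce logs. What one then wants is a wrapper whose exit status says whether a scanner actually reported something, so that cron mail is worth opening. The script below is an added example written for this note; it is not code from the note itself nor from the chkrootkit or rkhunter projects. It assumes that chkrootkit -q prints nothing for clean tests and marks hits with "INFECTED", that rkhunter writes findings as "Warning:" lines to /var/log/rkhunter.log (its default with --createlogfile), and it uses the chkrootkit log path from the note. The sample lines in the demo function are constructed, not real scanner output.

```shell
#!/bin/sh
# Added example, not part of the original note nor of chkrootkit/rkhunter.
# Wrap the scanners so that the exit status (and hence cron mail) reflects
# whether anything was actually found.
#
# Assumptions: chkrootkit -q prints nothing for clean tests and marks hits
# with "INFECTED"; rkhunter writes findings as "Warning:" lines to its log.
# Log paths are the ones used in the note above (assumed defaults).

CHKROOTKIT_LOG=${CHKROOTKIT_LOG:-/var/log/chkrootkit.log}
RKHUNTER_LOG=${RKHUNTER_LOG:-/var/log/rkhunter.log}

# Print the lines of a log that represent findings (exit 0 if there are any).
findings() {
    grep -E 'INFECTED|Warning:' "$1"
}

# 0 = clean, 1 = findings present, 2 = log missing or unreadable.
check_log() {
    [ -r "$1" ] || return 2
    if findings "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Run chkrootkit, keeping stderr in the log as well, then classify the result.
run_chkrootkit() {
    [ -x /usr/local/sbin/chkrootkit ] || return 2
    /usr/local/sbin/chkrootkit -q >"$CHKROOTKIT_LOG" 2>&1
    check_log "$CHKROOTKIT_LOG"
}

# Self-contained demonstration on constructed sample output (not real
# scanner output): a clean run followed by one with a hit.
demo() {
    tmp=$(mktemp) || return 2
    : >"$tmp"                      # chkrootkit -q is silent when clean
    check_log "$tmp"; clean=$?
    printf '%s\n' 'Searching for Suckit rootkit... Warning: /sbin/init INFECTED' >"$tmp"
    check_log "$tmp"; hit=$?
    rm -f "$tmp"
    echo "clean run -> $clean, infected run -> $hit"
    [ "$clean" -eq 0 ] && [ "$hit" -eq 1 ]
}

# Usage: sh rkcheck.sh            (run the demo)
#        sh rkcheck.sh chkrootkit (run the scanner; exit 1 if findings)
#        sh rkcheck.sh rkhunter   (classify the existing rkhunter log)
case ${1:-} in
    chkrootkit) run_chkrootkit; exit $? ;;
    rkhunter)   check_log "$RKHUNTER_LOG"; exit $? ;;
    "")         demo ;;
esac
```

    Used from cron as "/path/rkcheck.sh chkrootkit || mail -s 'chkrootkit findings' root < /var/log/chkrootkit.log", the mail arrives only when there is something to read. Both scanners are known for false positives on busy or unusual systems, so a finding is a reason to look, not proof of compromise.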

  • Computer

    FreeBSD jails note

    Lars Sommer, lasg@lasg.dk, 2009-05-20

    DISCLAIMER: This is a personal note made for personal use. It may be neither easy to use nor well explained.

    Install these ports:
    sysutils/jailutils
    sysutils/ezjail

    If "make buildworld" has just been done, then
    ezjail-admin update -i
    installs the freshly built world into the basejail. Otherwise, run
    ezjail-admin update -b
    first and wait a while for the world to build.

    Set up a nice jail flavour:
    cd /usr/jails/flavours
    cp -Rv default teknix
    Uncomment sshd in the flavour's etc/rc.conf and copy the config files from backup into the flavour.

    --- Create examples:
    ezjail-admin create -f teknix lasg-ws 192.168.1.54
    ezjail-admin create -f teknix -i -s 5G -c eli tor 192.168.1.53
    /usr/local/etc/rc.d/ezjail.sh start lasg-ws
    /usr/local/etc/rc.d/ezjail.sh start tor

    Automatic start of…

  • Computer

    Denyhosts on FreeBSD 8

    Lars Sommer, lasg@lasg.dk, 2011-06-20

    Install the port security/denyhosts

    Add to /etc/rc.conf:
    denyhosts_enable="YES"
    syslogd_flags="-c"
    (-c stops syslogd from collapsing repeated lines into "last message repeated N times", so every failed login reaches the log DenyHosts reads.)

    In /etc/hosts.allow add:
    sshd : /etc/hosts.deniedssh : deny
    sshd : ALL : allow

    Or, if everything should be denied from hosts that fail ssh logins, use ALL instead of sshd. If you do so, change the BLOCK_SERVICE line in denyhosts.conf from sshd to ALL as well.

    touch /etc/hosts.deniedssh
    /etc/rc.d/syslogd restart
    /usr/local/etc/rc.d/denyhosts start

  • Computer

    Host Intrusion Detection System in FreeBSD

    Also called Host IDS or just HIDS

    Lars Sommer, lasg@lasg.dk, 2009-01-07

    DISCLAIMER: This is a personal note made for personal use. It may be neither easy to use nor well explained.

    In ports, under security, there are several HIDS utilities:
    aide
    integrit
    osiris
    ossec-hids-local
    samhain

    But which should I use, and why?

    ------ aide

    Aide aims to be a Tripwire clone, and a bit more. It is _very_ easy to install and configure.

    Installation:
    pkg_add -r aide
    or build the port security/aide

    Configuration:
    cd /var/db/aide
    aide --init
    mv databases/aide.db.new databases/aide.db
    Take a look at the config file /usr/local/etc/aide.conf

    Usage:
    Run with "aide"
    It should be a cron job, e.g.:
    10 20 * * 2 root /usr/local/bin/aide > /var/log/aide.log…
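    To see what a tool like aide actually does behind "aide --init" and "aide", here is the same mechanism reduced to a POSIX sh script: a baseline of digest, permissions, owner and size per file, and a check that reports what was added, removed or changed. This is an added example written for this note, not aide's code and not code from the note. It assumes sha256sum (GNU) or sha256 (FreeBSD) is installed, that stat accepts either GNU -c or BSD -f, and that paths contain no tab or newline characters.

```shell
#!/bin/sh
# Added example, not aide's own code: the mechanism behind a file-integrity
# HIDS such as aide, in a script small enough to read in full.
# "init" records one baseline line per file (SHA-256, mode:uid:gid:size, path);
# "check" snapshots the tree again and reports added, removed and changed files.
#
# Assumptions: sha256sum (GNU) or sha256 (FreeBSD) is available, stat accepts
# either GNU -c or BSD -f, and paths contain no tab or newline characters.

digest() {                      # SHA-256 hex digest of one file
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

meta() {                        # mode:uid:gid:size of one file
    stat -c '%a:%u:%g:%s' "$1" 2>/dev/null || stat -f '%Lp:%u:%g:%z' "$1"
}

# Print one tab-separated "digest meta path" line per regular file under DIR,
# sorted by path so the baseline is stable and diffable.
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(digest "$f")" "$(meta "$f")" "$f"
    done
}

# Usage: integrity_init DIR DBFILE
integrity_init() {
    snapshot "$1" >"$2"
}

# Usage: integrity_check DIR DBFILE
# Prints "added|changed|removed<TAB>path" lines; returns 0 when the tree
# matches the baseline, 1 when it does not, 2 on error.
integrity_check() {
    [ -r "$2" ] || return 2
    cur=$(mktemp) || return 2
    snapshot "$1" >"$cur"
    report=$(awk -F'\t' -v base="$2" '
        FILENAME == base { want[$3] = $1 FS $2; next }   # baseline lines
        {
            seen[$3] = 1
            if (!($3 in want))              print "added\t" $3
            else if (want[$3] != $1 FS $2)  print "changed\t" $3
        }
        END { for (p in want) if (!(p in seen)) print "removed\t" p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh hids.sh init DIR DBFILE
#        sh hids.sh check DIR DBFILE   (exit 1 if anything differs)
case ${1:-} in
    init)  integrity_init "$2" "$3" ;;
    check) integrity_check "$2" "$3"; exit $? ;;
esac
```

    The weak point of any such tool, this script and aide alike, is the baseline: an attacker who can write the database can also re-baseline their changes away. Keep the database (and ideally the checker itself) on read-only media or on another host, and re-initialise only after a deliberate, reviewed change such as an upgrade.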

  • Computer

    GELI encryption of full drive in FreeBSD

    Lars Sommer, lasg@lasg.dk, 2010-01-27

    Based on: http://www.freebsd.org/doc/handbook/disks-encrypting.html

    I use hard drives in pairs, as RAID1 with geom_mirror. After creating a mirror, I encrypt it using GELI.

    Load the GELI module for now:
    kldload geom_eli

    Insert into /boot/loader.conf:
    geom_eli_load="YES"

    In this example my geom_mirror is called gm2 and resides in /dev/mirror/gm2.

    Create the master key and attach it to the GELI provider. Then create a new filesystem on it and finally mount it:
    dd if=/dev/random of=/root/gm2.key bs=64 count=1
    geli init -s 4096 -K /root/gm2.key /dev/mirror/gm2
    geli attach -k /root/gm2.key /dev/mirror/gm2
    dd if=/dev/random of=/dev/mirror/gm2.eli bs=1m
    newfs /dev/mirror/gm2.eli
    mount /dev/mirror/gm2.eli /data/2

    Consider moving the master key somewhere safer. I use a USB…
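    The six commands above are irreversible once geli init has run, so a practitioner wants two things around them: checks that the key file is what it should be before the provider is touched, and a backup of the GELI metadata afterwards, since a damaged last sector otherwise makes the volume unrecoverable even with key and passphrase in hand. The script below is an added example written for this note, not code from the FreeBSD handbook or the note. It assumes a 64-byte key file as in the note, a provider such as /dev/mirror/gm2, and a hypothetical backup directory /root/geli-backup; with DRYRUN=1 it prints the geli/newfs/mount commands instead of running them, so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the FreeBSD handbook or the note above: the GELI
# sequence from the note wrapped in a script with the checks one wants before
# a disk is touched. Assumptions: a 64-byte key file as in the note, a mirror
# provider such as /dev/mirror/gm2, and a hypothetical metadata backup
# directory /root/geli-backup. With DRYRUN=1 the geli/newfs/mount commands
# are printed instead of executed.

DRYRUN=${DRYRUN:-0}
BACKUPDIR=${BACKUPDIR:-/root/geli-backup}

run() {                         # execute, or print under DRYRUN
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Key file must be a regular 64-byte file with no group/other permissions.
check_key() {
    [ -f "$1" ] || return 1
    [ "$(wc -c <"$1" | tr -d ' ')" -eq 64 ] || return 1
    case $(ls -l "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Create a 64-byte master key readable only by its owner. Refuses to
# overwrite: replacing the key of an initialised provider loses the data.
make_key() {
    if [ -e "$1" ]; then
        echo "make_key: $1 exists, refusing to overwrite" >&2
        return 2
    fi
    ( umask 077 && dd if=/dev/random of="$1" bs=64 count=1 2>/dev/null ) || return 2
    check_key "$1"
}

# Usage: geli_setup PROVIDER KEYFILE MOUNTPOINT
#   e.g. geli_setup /dev/mirror/gm2 /root/gm2.key /data/2
geli_setup() {
    prov=$1; key=$2; mnt=$3
    check_key "$key" || { echo "geli_setup: bad key file $key" >&2; return 1; }
    run geli init -s 4096 -K "$key" "$prov"     # 4 KiB sectors; key file plus passphrase
    run geli attach -k "$key" "$prov"
    run dd if=/dev/random of="$prov.eli" bs=1m  # fill with random data so used and unused blocks look alike
    run newfs "$prov.eli"
    run mkdir -p "$mnt"
    run mount "$prov.eli" "$mnt"
    # Back up the GELI metadata sector; restore later with "geli restore".
    run mkdir -p "$BACKUPDIR"
    run geli backup "$prov" "$BACKUPDIR/$(basename "$prov").eli"
}

# Usage: sh geli-setup.sh PROVIDER KEYFILE MOUNTPOINT   (DRYRUN=1 to review)
if [ $# -eq 3 ]; then
    [ -e "$2" ] || make_key "$2" || exit 2
    geli_setup "$1" "$2" "$3"
    exit $?
fi
```

    The metadata backup is as sensitive as the provider's last sector, not as the key: it contains the encrypted master key, so it is useless without the key file and passphrase, but it should still not be left on the volume it protects.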

  • Computer

    Tor relay on FreeBSD 7.2 and 8.0

    Lars Sommer, lasg@lasg.dk, 2008

    DISCLAIMER: This is a personal note made for personal use. It may be neither easy to use nor well explained.

    Create a jail:
    ezjail-admin create -f lasg -i -s 5G -c eli tor 192.168.1.53
    passphrase: mysecretpw
    /usr/local/etc/rc.d/ezjail.sh start tor

    Port forward port 9001 if using IPF (YOU SHOULD USE pf INSTEAD!!!):
    Edit /etc/ipnat.rules and add this line:
    rdr xl0 0.0.0.0/0 port 9001 -> 192.168.1.53 port 9001
    /etc/rc.d/ipnat restart

    Install Tor:
    portsnap fetch extract update
    cd /usr/ports/security/tor
    make install

    Configure it:
    cd /usr/local/etc/tor/
    cp torrc.sample torrc
    vi torrc

    Add:
    Nickname ITPOL3
    ContactInfo Lars Sommer, abuse@lasg.dk
    BandwidthRate 2560 KB
    BandwidthBurst 2570 KB
    ORPort 9001
    ExitPolicy reject *:*

    Add to rc.conf:
    tor_enable="YES"

  • Computer

    OpenVPN on FreeBSD 8.2

    Installed in a bridge setup, not a routed setup.

    Install the port: security/openvpn

    mkdir /usr/local/etc/openvpn
    cp /usr/local/share/doc/openvpn/sample-config-files/server.conf \
        /usr/local/etc/openvpn/openvpn.conf
    cd /usr/local/etc/openvpn/
    vi openvpn.conf

    Add to /boot/loader.conf:
    if_tap_load="YES"
    And load it now:
    kldload if_tap

    Add to rc.conf:
    openvpn_enable="YES"
    openvpn_if="tap"

  • Computer

    Denyhosts to protect SSH service from bruteforce attacks in FreeBSD

    10-12-2008, Lars Sommer, lasg@lasg.dk

    Install the port security/denyhosts

    Add to /etc/rc.conf:
    denyhosts_enable="YES"
    syslogd_flags="-c"

    Add to /etc/hosts.allow:
    sshd : /etc/hosts.deniedssh : deny
    sshd : ALL : allow

    Add to /usr/local/etc/denyhosts.conf:
    BLOCK_SERVICE = sshd

    touch /etc/hosts.deniedssh
    /usr/local/etc/rc.d/denyhosts start
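    Both this note and the "Denyhosts on FreeBSD 8" note above wire DenyHosts into hosts.allow without saying what it does with the log. The core of it is small: count failed sshd logins per source address and write the offenders into the file that hosts.allow references, /etc/hosts.deniedssh. The script below does exactly that and is an added example written for these notes, not DenyHosts' own code. It assumes OpenSSH's "Failed password for ... from ADDR" and "Invalid user NAME from ADDR" log lines, a threshold of five failures, and one address per line in the deny file (the form hosts_access(5) reads from a file-name pattern); the log lines it is tested with are constructed.

```shell
#!/bin/sh
# Added example, not DenyHosts' own code: what DenyHosts does, reduced to
# sh and awk. Tallies failed sshd logins per source address from auth.log
# and appends offenders to the file referenced from /etc/hosts.allow
# (/etc/hosts.deniedssh in the notes above).
#
# Assumptions: OpenSSH's "Failed password for [invalid user] NAME from ADDR"
# and "Invalid user NAME from ADDR" lines; THRESHOLD failures block an
# address; the deny file holds one address per line.

THRESHOLD=${THRESHOLD:-5}

# Print "COUNT ADDR" for every address with at least THRESHOLD failures,
# most failures first.  Usage: offenders LOGFILE
offenders() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for/ || /sshd\[[0-9]+\]: Invalid user/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (a in n) if (n[a] >= t) print n[a], a }
    ' "$1" | sort -rn
}

# Append new offenders to DENYFILE, skipping addresses already listed and
# anything in WHITELIST (one address per line; defaults to no whitelist).
# Usage: update_denyfile LOGFILE DENYFILE [WHITELIST]
update_denyfile() {
    log=$1; deny=$2; white=${3:-/dev/null}
    touch "$deny" || return 2
    offenders "$log" | while read -r count addr; do
        if grep -qxF -- "$addr" "$deny" || grep -qxF -- "$addr" "$white"; then
            continue
        fi
        printf '%s\n' "$addr" >>"$deny"
    done
}

# Usage: sh denyssh.sh /var/log/auth.log /etc/hosts.deniedssh [/etc/hosts.sshwhitelist]
if [ $# -ge 2 ]; then
    update_denyfile "$@"
fi
```

    Two things this makes visible that the hosts.allow lines alone do not: the whitelist matters, because an attacker who can make your own management address fail five logins has locked you out, and entries never expire here (DenyHosts has a purge option for that), so the deny file only grows until someone cleans it.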

  • Computer

    Intrusion Detection, notes on FreeBSD and OpenBSD

    Written around 2006. Based on chapter 9 of Mastering FreeBSD and OpenBSD Security.

    Intrusion Detection Systems do not actively defend the network. They only report, so an administrator has to act manually on the IDS's logs.

    IDSs can take a fair amount of resources and disk space, and should therefore not be run on machines that are too old. For example, a machine with a few hundred MHz, 256 MB of RAM and a 10 GB disk can handle a medium-sized DSL line. For a NIDS, network cards with hardware packet handling are a good idea, e.g. Intel's cards with the fxp driver.

    It is important to have action plans for what should happen in different situations. Prepare documents that describe what…

  • Computer

    Webserver, notes on FreeBSD and OpenBSD

    Lars Sommer < lasg@lasg.dk > 18 November 2006

    Notes on the book Mastering FreeBSD and OpenBSD Security, part 2

    1.1 Attacks

    A web server is usually open to the whole world so that people can come and look at the web pages. This means web servers are frequently subject to attack. Reasons for attacks against web servers can for example be:

    There are many different means of achieving these goals. How the individual ones work is not so relevant in this context.

    1.2 Particular threats

    1.2.1 Arbitrary code execution

    This type of threat is very widespread and very damaging. The attacker gets to run programs or code of his own choosing, typically via holes in CGI programs or PHP code. The attacker can either run the programs…