The BSDs seem to be more secure than other operating system installations. Even though they are less exposed to attacks, they are still not invulnerable. In The Last Year of BSD Security you will find the best security articles published in BSD Magazine from May 2011 to September 2012. Many of these articles are written by system administrators who were willing to share their experience with you. You will learn how to improve security on BSD by properly configuring your system components and by installing additional Open Source Software compatible with BSD. You will find out how to secure the data on your hard disk and control access to it. You will be able to detect intruders, resist various attacks and debug an already infected system.
By Michael Shirk, Edward Tan
Configuring a FreeBSD Stealth Logging Server
The collection of log files provides security administrators with the ability to have an audit trail for the behavior of an information system. In the event that a system is compromised, remote logging provides a forensic trail to determine what occurred on the system.
Hardening BSD with Security Levels
By default, BSD servers are more secure than other operating system installations but still require some changes in order to be production ready. Security levels are one of the tools that can be used to maintain the state of the system when it is deployed in production. This article covers the configuration of security levels via securelevel for OpenBSD, FreeBSD, NetBSD and DragonFlyBSD.
Puppet on FreeBSD
This article aims to jumpstart a system administrator on how to use Puppet (a configuration management tool) to manage servers' configurations, particularly on FreeBSD. From this article you will find out what Puppet is and how to deploy servers by using it.
Access Control & Authentication
By Antoine Jacoutot, Erwin Kooi
Taming the Blowfish with a Dog
This article is meant to be a quick, yet comprehensive overview of using Kerberos to manage user passwords and single sign-on on OpenBSD. It is by no means exhaustive documentation about Kerberos; entire books have been written about it!
Equip Your CA with HSM for <50 Euros
The CA is used for identification and authentication of servers, clients and users. Together with the author, take a closer look at the security of the Certificate Authority in his own network.
By Michael W. Lucas, Michael Shirk, Svetoslav Chukov
freebsd-update as Intrusion Detection System
One of the most annoying things a sysadmin can endure is a system intrusion. A script kiddie might only install an IRC bot, but a skilled intruder can carefully replace core system binaries so as to exploit more systems or extract more data. An Advanced Persistent Threat (APT) intruder might even patch and secure a penetrated system, so as to delay detection…
Building a Complete Intrusion Detection System with Snorby on BSD
FreeBSD and OpenBSD are a popular choice for installing the Open Source Snort intrusion detection system. Documents have been written in the past for popular analysis tools such as BASE and Sguil; however, nothing extensive has been created for Snorby.
NetBSD Intrusion Detection Server
Sometimes a special type of system needs to be running on the server. Such a server serves different purposes; it takes care of network security.
FreeBSD IPS with Snort Inline
A number of articles have been written covering the basic configuration of Snort in IDS mode on the different BSD operating systems. One feature that is not typically discussed is Snort’s ability to integrate with ipfw, which allows for inline IPS mode on FreeBSD. This article covers the basic configuration of Snort in IPS mode on a FreeBSD server.
By Toby Richards, Benedikt Niessen
A Beginner’s Guide to PF
OpenBSD, FreeBSD, and PC-BSD use a built-in firewall called “Packet Filter”. This article is intended for a PF beginner to get a beginner’s understanding of how to use PF in OpenBSD.
NAXSI: A Web Application Firewall for Nginx
When servers get compromised, web applications very often turn out to be the entry point. In most cases the reason is an outdated script with known or unknown vulnerabilities, or an in-house development which does not properly validate submitted data. Well, this is nothing new to you, I hope. The question is what we can do to prevent this. By reading this article you will learn how to set up a high performance, low maintenance Web Application Firewall in NGINX.
By Matthieu Bouthors, Stavros N. Shaeles
Fighting DDoS Attacks with PF
For a long time, Denial of Service attacks were disregarded, as they were considered to be the work of script kiddies.
Protecting Apache from DoS and DDoS Attacks
DoS or DDoS is an attack where multiple compromised systems (which are usually infected with a Trojan) are used to target a single system in an attempt to make the system resources (CPU, memory, network) unavailable to its intended users and cause the system to crash.
By Stavros N. Shaeles
Protect Dynamic Websites Using Apache, PHP, MySQL and ModSecurity
In recent years there has been a tremendous increase in dynamic websites and CMSs using PHP. A very large share of these websites is served by the Apache web server using MySQL as the database, mostly on Unix systems. This tremendous growth of PHP in dynamic websites and Open Source CMSs like Joomla also increases hacker attacks aimed at compromising a website or taking over the server to use it in a botnet. So one may wonder: is there anything that can protect my websites apart from backups and upgrading the system and software? The answer is yes.
By Toby Richards, Richard Batka
Home Brew Captive Portal with OpenBSD
Have you ever used a public wireless network that has a splash screen such that you have to agree to certain terms before going to the Internet? The author of this article will show you step by step how to build one of those using OpenBSD’s Packet Filter (pf).
The world is a complex place. A term that means one thing to one person may mean something completely different to someone else. Take Load Balancers for example. How many different Load Balancers can you think of?
By Kris Moore, Benedict Reuschling
A Fresh Look at the Warden for PC-BSD 9.1
For the PC-BSD 8.x series, new jail management software named “Warden” was first introduced. This software provided users a brand new graphical method of managing FreeBSD jails on their desktops. For 9.1, Warden has been given a complete makeover and incorporated directly into the base system. Read the article to find out about the new features that make PC-BSD 9.1 more versatile than ever for jail administrators and users.
Using Qjail to Set up the basejail
FreeBSD’s jail system offers process isolation within a separate environment in order to secure the host system. In case of a compromised service, only the jail running that service is affected. In a similar fashion, ZFS allows the creation of a separate filesystem for each jail. Benedict, in his article, explains how jails can be quickly instantiated using a third party wrapper script called Qjail.
By Matthieu Bouthors, Toby Richards, Joseph Kong
Full Disk Encryption on FreeBSD
On systems (for instance laptop computers) that may be physically accessed or stolen by untrusted persons, encrypting sensitive pieces of data should be mandatory.
Data Classification Policy
A good sysadmin realizes that security is more than firewalls, encryption, patching, and other technical considerations. One common saying is: “The only secure computer is one that’s not plugged into the network.” Humbug! A clever intruder will easily trick the user into plugging that Ethernet cable back into its socket. The weakest point in any network is the human element.
Synchronization Problems or: How I Learned to Stop Worrying and Love the Sleep Mutex
When two or more threads executing on different processors simultaneously manipulate the same data structure, that structure can be corrupted. Fortunately, FreeBSD contains multiple solutions to this problem. Joseph’s article addresses the problem of data and state corruption caused by concurrent threads.
By Carlos Antonio Neira
Introduction to DTrace
There are times you wish you had a comprehensive tool for profiling and debugging without having to maintain a chain of tools, merge their outputs and put some glue here and there to extract meaningful information from it. We now have a tool called DTrace, originally developed by Sun. From this article you will find out how to set up DTrace on your FreeBSD box. The author will also test some of the providers available for DTrace and look at the output.
GDB(1) and Truss for Debugging
Sometimes you are lucky to have the source code for the program you need to debug. However, there are times when the source code isn’t available. When all hell is breaking loose, what do you do? On your Unix machine there are tools that can save the day. OpenBSD, FreeBSD and NetBSD all have the ktrace utility for following the various kernel-related activities of a given process. FreeBSD has a tool specifically for tracing system calls. It’s called truss(1), and when used together with gdb(1) it can give you a clearer view into a black box.
By Rob Somerville
Anatomy of FreeBSD Compromise – Part 1
While the BSD family is more secure than most, no server or IT system is invulnerable to attack. In this article the author will examine best practices to prevent disruption and what to do when the worst does happen. Read and learn more about (in)security in BSD world.
In this part the author will look at the ways that “the bad guys” can gain access and what can be done to mitigate this risk. In the previous article, the author highlighted some of the reasons why servers and systems are inherently insecure and why it is impossible to secure any system 100%. In this article, he will examine some of the common techniques used to gain control and what we can do to mitigate the risks.
Here we will examine the tools essential to securing and exploiting systems. In the previous articles, the author looked at the culture and processes behind hacking exploits, as well as some possible real-life examples. In this article we will look at some of the tools used to penetrate, test and secure devices, as well as performing analysis and discovering vulnerabilities. While the examples here are non-destructive, it is recommended that these tests are carried out on a private test network and definitely not on the Internet or without your employer’s approval. To do so may well be in breach of your ISP’s or employer’s Acceptable Use Policy and could lead to legal action against you.
Continuing our security series, we will look at the vulnerabilities on our test network. From the last article, we discovered that to penetrate a system we continually needed to move from the general to the specific, and to identify the most vulnerable system on our network depending on what services were running on it.
In the penultimate part of our series, we will compromise a FreeBSD server using different techniques. The *BSD family is among the most secure operating systems available today. Security is very much a fundamental philosophy and mindset, as it is very difficult to implement once software is written. Earlier versions are not so secure (unless patched), so I have created another FreeBSD 7.0 test server, as well as our 6.1 and 5.0 hosts. Let’s see what happened…
While it is impossible to secure a server against every possible form of attack that the dark side may muster, by taking defensive steps the system administrator can make life exceedingly difficult for the hacker and can delay, if not totally avoid, a successful attack. Rob claims that while many of the suggestions are probably second nature to most admins, the importance of preventative maintenance cannot be stressed enough, since with busy schedules and tight deadlines it has a tendency to slip down the priority list. Rob also examines some techniques that can assist in identifying and delaying attacks.
Multilevel Security Model
By Michael Shirk
Hardening FreeBSD with TrustedBSD and Mandatory Access Controls (MAC)
Most system administrators understand the need to lock down permissions for files and applications. In addition to these configuration options on FreeBSD, there are features provided by TrustedBSD that add additional layers of specific security controls to fine tune the operating system for multilevel security. From this article you will learn the configuration of the Mandatory Access Controls provided by FreeBSD. You will also find out how to apply the concepts of the multilevel security model to FreeBSD.
By Dru Lavigne
Why Should I Become BSDA Certified?
If you are reading this magazine, you are interested in learning more about BSD systems. Perhaps you have seen this magazine’s ads for BSD Certification and want to learn more about this certification program, or perhaps you think that certification is not for you. This article addresses some common misconceptions about certification and describes why you should be BSDA certified. It also outlines some of the benefits provided by a psychometrically valid certification program as well as some tips for learning the skills needed to pass a certification exam.
How Do I Study for the BSDA Certification?
The previous article in this series addressed some common misconceptions about certification and described why you should be BSDA certified. This article will discuss how to prepare for the BSDA certification exam.
Taking the BSDA Certification Exam
The first article in this series (in the February 2012 issue) addressed some common misconceptions about certification and described why you should be BSDA certified. The second article in this series (in the March 2012 issue) discussed how to prepare for the BSDA certification exam. This article will provide some background information on how the exam is delivered and why. It will then describe where to take the exam and how to arrange for an exam if there currently isn’t an examination event or testing center near your location.