Configuring a FreeBSD IRC Shell Server
August 22, 2007This is a brief guide created to help configure a secure FreeBSD as an IRC shell server.
In this case I will be running FreeBSD 6.0, with bash shell, SSHd, named (bind), httpd (Apache2+PHP4), FTPd (pure-ftpd).
Note: In many cases, if you don’t wish to review the config when adding to it you can do: echo ‘<string>’ >> <file> (ie: echo ‘accounting_enable=”YES”‘ >> /etc/rc.conf)
sshd
- edit /etc/ssh/sshd_config
- Add line “Port 22″ – This is default, BUT change to another port if you want to be even more secure.
- Add line “Protocol 2″ – We don’t want protocol 1, just 2.
- Add line “LoginGraceTime 1m” – If you don’t login within 1 min, it will timeout.
- Add line “PermitRootLogin no” – You should not allow direct root login via ssh, use su.
- Add line “MaxAuthTries 3″ – If you get your login incorrect 3 times, you’re doing something wrong anyway.
- Add line “X11Forwarding no” – You don’t run Xwindows on a server muppet!
- Add line “MaxStartups 15:30:60″ – This means, after 15 concurrent unauthed connections, 30% of connections will be dropped, until it reaches a max of 60, then it’s full.
sysctl
- You can read each current setting by doing sysctl <setting> (ie: sysctl kern.securelevel)
- If you are unsure about using a setting you can use “sysctl -w <setting>” to temporary set, until you next reboot.
- edit /etc/sysctl.conf
- Add line “security.bsd.see_other_uids=0″ – We don’t want users to see each other’s processes.
- Add line “kern.securelevel=1″ – By default it is -1, you don’t need this unless you’re running Xwindows, run at least 0.
- Add line “net.inet.tcp.blackhole=2″ – This will drop ALL tcp packets that are received on a CLOSED port and not reply.
- Add line “net.inet.udp.blackhole=1″ – This will drop ALL udp packets that are received on a CLOSED port and not reply.
- Add line “kern.ipc.somaxconn=1024″ – Default is 128, this means we can have more concurrent connections. If like you me you have plenty of bandwidth, this is best, otherwise if you get attacked, you’ll reach 128 very quickly.
- Add line “net.inet.icmp.icmplim=50″ – Default is 200, you shouldn’t need this many, set it to 50 to reduce the amount of ICMPs sent back per second.
- Add line “net.inet.ip.rtexpire=2″ – Default is 3600, See the FreeBSD handbook: Denial Of Service Attacks.
- Add line “net.inet.ip.rtminexpire=2″ – Default is 10, See the FreeBSD handbook: Denial Of Service Attacks.
- Add line “net.inet.tcp.always_keepalive=1″ – This will help discover dead connections and clears them.
- Add line “net.inet.ip.random_id=1″ – This is optional, but I like the idea. It gives you random PIDs instead of sequential.
This is my “/etc/sysctl.conf”:
security.bsd.see_other_uids=0
kern.securelevel=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.ipc.somaxconn=1024
net.inet.icmp.icmplim=50
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.tcp.always_keepalive=1
net.inet.ip.random_id=1
rc.conf
- edit /etc/rc.conf
- Add line ‘portmap_enable=”NO”‘ – You only need this if you’re using NFS, which we’re not.
- Add line ‘sendmail_enable=”NO”‘ – This will tell sendmail to only listen on the localhost, it’s not a good idea to leave a mail server open to spam on a shell server.
- Add line ‘nfs_server_enable=”NO”‘ – As above, we don’t need NFS.
- Add line ‘nfs_client_enable=”NO”‘ – Again, no NFS, not even a client.
- Add line ‘accounting_enable=”YES”‘ – This enables process accounting. (You need to do touch /var/account/acct && accton /var/account/acct).
- Add line ‘clear_tmp_enable=”YES”‘ – This will clear the “/tmp” dir at boot time.
- Add line ‘syslogd_flags=”-ss”‘ – This stops syslogd from broadcasting on port 514.
- Add line ‘enable_quotas=”YES”‘ – Assuming you’re running a shell server, you want quotas enabled.
- Add line ‘check_quotas=”YES”‘ – This will help keep your users within their quotas.
- Add line ‘ntpdate_enable=”YES”‘ – This will enable ntpdate, which will keep your date/time up-to-date.
- Add line ‘update_motd=”NO”‘ – This will ensure that the FreeBSD details aren’t added to the /etc/motd on each reboot. We don’t want to broadcast this information.
- Check for ‘inetd_enable’ – Set it to NO, or add inetd_enable=”NO”, if it’s not there.
- Check for ‘named_enable’ – Okay, so running named will increase overheads, but if this is a shell box it probably makes sense to run your own dns server as IRC relies a lot on resolving hosts.
- Check for ‘log_in_vain’ – You may have set this based on what you read else where, but I recommend having this as “NO”, because it logs events on non-open ports, which could cause a ddos.
The latter half of my “/etc/rc.conf” looks like this:
inetd_enable=”NO”
linux_enable=”YES”
sshd_enable=”YES”portmap_enable=”NO”
sendmail_enable=”NO”
nfs_server_enable=”NO”
nfs_client_enable=”NO”
accounting_enable=”YES”
clear_tmp_enable=”YES”
syslogd_flags=”-ss”
enable_quotas=”YES”
check_quotas=”YES”
ntpdate_enable=”YES”
update_motd=”NO”
named_enable=”YES”
Firewall
For a shell server, a firewall may not be required, but for many others it may be required.
- edit /etc/firewall.rules – for a shell server, you can do the following:
- You need to allow new connections for services on the following ports: 21 (ftpd), 22 (sshd), 53 (dns), 80 (httpd).
- If you are running any other core services, you will need to open the ports for those too. Remember, the first 1024 ports are reserved for root services.
- If you run an IRC shell server, you should open a range (ie: 2000-4000) for your users services. (such as eggdrops and psybncs).
- No other new connections to other ports should be allowed.
- All other traffic is okay.
- Don’t forget to “chmod 600 /etc/firewall.rules”
- Add line ‘firewall_enable=”YES”‘ – We want a firewall enabled.
- Add line ‘firewall_logging=”YES”‘ – Logging the firewall can be useful.
- Add line ‘firewall_script=”/etc/firewall.rules”‘ – It needs to know where to find the rules. (don’t forget to touch /etc/firewall.rules)
Date and Time
You must ensure your system’s date/time is correct, otherwise SSH may fail and logs will be incorrect.
- As above, ensure you have ‘ntpdate_enable=”YES”‘ in your “rc.conf”.
- For first time use: “touch /etc/ntp.conf && echo /etc/ntp.conf >> server uk.pool.ntp.org prefer && echo /etc/ntp.conf >> driftfile /var/db/ntp.drift”
- Run: ntpdate uk.pool.ntp.org
Login.conf
Using login.conf you can create custom classes for your users giving them all sorts of limits and restrictions.
- edit /etc/login.conf
- If you change the “passwd_format” in the Default class to read “:passwd_format=blf:\”, this will give you blowfish password hashes, for better security, but you need to rebuild your login database by doing: “cap_mkdb /etc/login.conf”, and update all passwords by doing “passwd <user>” as root (check “/etc/master.passwd” all passwords will start with $2 if done correctly), don’t forget to edit /etc/auth.conf to “crypt_default=blf” also. This step isn’t required, but recommended.
- There are lots more options, you need to read the handbook for the “login.conf” file.
- Run “cap_mkdb /etc/login.conf” when you’re done to update the database.
pure-ftpd
Instructions are as follows:
- cd /usr/ports/ftp/pure-ftpd && make install
- cp /usr/local/etc/pure-ftpd.conf.sample /usr/local/etc/pure-ftpd.conf
- edit /usr/local/etc/pure-ftpd.conf (if required)
- Change “NoAnonymous no” to yes
- /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
- echo ‘pureftpd_enable=”YES”‘ >> /etc/rc.conf
Apache 2
- edit /usr/local/etc/apache2/httpd.conf
- change the “ServerAdmin” line with your email address.
- change the “ServerTokens” line from “Full” to “Prod”, this means only “Apache” will be displayed.
- echo ‘httpd_enable=”YES”‘ >> /etc/rc.conf
oidentd
- echo ‘oidentd_enable=”YES”‘ >> /etc/rc.conf
- edit /usr/local/etc/oidentd.conf
- Ensure the defaults deny everything, and that root has a different reply, ie:
default {
default {
deny spoof
deny spoof_all
deny spoof_privport
deny random
deny random_numeric
deny numeric
deny hide
}
}user root {
default {
force reply “UNKNOWN”
}
}
Note: You can add a user, if you want to allow spoof for certain users, and allow that.
Files and Permissions
- “find / -perm -2000 -ls && find / -perm -4000 -ls” – This lists binaries that everyone can currently access.
- Use “chmod a-s <file>” to remove access or “chmod o-rwx <file>” to allow just for wheel users.
- “chmod 640 /etc/crontab” – This will allow only root and wheel users to see it. Users don’t need to know what processes are started by cron.
- “chmod 600 /etc/rc.conf” – Users don’t need to access this.
- “chmod 600 /etc/sysctl.conf” – Users don’t need to access this.
- “chmod 0750 /root” – Stops non-wheel users from viewing root files.
- “chmod 640 /var/db/locate.database” – You don’t want all users to see all the files on your system.
- edit /etc/motd – Change this to say what you like.
- “touch /etc/COPYRIGHT” – This will remove the copyright info.
ToDo
- Provide an in-depth example of a firewall script
- Provide details about working with Quotas
- Provide better usage of login.conf
Additional Security
- Try checking system integrity with tripwire.
- Keep things up to date with cvsup.
Resources
- FeeBSD Security Information
- Defcon1 Security Guide
- A basic guide to securing FreeBSD (DALnet)
- Hardening FreeBSD (bsdguides.org)
- Protecting yourself with FreeBSD
- sysctl.conf Sample (Freebsdblog.org)
- Securing FreeBSD (ONlamp.com)
- FreeBSD Security HowTo (windowssecurity.com)
- tris’ FreeBSD setup info
- cPanel FreeBSD Seminar
Final notes
I’ve written this as more of a reference, i’ve more than likely missed a few things, so feel free to add your own comments.
I think pretty much in freebsd 6.0+
kern.ps_showallprocs=0
kern.ps_argsopen=0
Are no longer required, and a replaced by…
security.bsd.see_other_uids=0
hi!
this is the most useful guide for shell admin
i’ll bookmark this
thanks a lot!
hi my psybnc ident has ~ string for example ~test@xx.xxx.xxx.xx
how to fix it?
thanks
realy nice
thank you!
great guide so far, any info on how to setup some sort of signup form that would allow a user to pick the user name and whatnot and have it added to the system?
A perfect guide for a shell co. administrator.
Thanks!
Hey Ruslie,
You’ll need to install oidentd or similar on the system in which your psyBNC runs on. (Identd Daemon!)
(prez@DALnet / prez@EFnet / prez@Rizon)
email: prez@dal.net
waw it has been 2 years since i asked that question
and thank you prez
No problem Ruslie. I figure, better late than never.
Haha.
I actually can’t seem to get my FreeBSD 8.1 auth to work with IRC either. I’ve tried using the built-in auth, oidentd and pidentd. I’ve modifed the configuration files for both oidentd and pidentd and have tried using .oidentd.conf in a user’s home directory too. I have verified that the IRC servers are sending the request and that my host is answering those requests (/var/log/security and the verbose logging through ipfw). I have disabled the router firewall completely, but have not tried router DMZ mode. Still, I can not get any IRC servers to say anything other than * No Ident Response.
Here’s the funny thing though:
“auth” always returns user as root. I can not figure out why and have been wondering for a few days how to change that.
“pidentd” always returns the user the daemon is running as (ie: the one configured in /usr/local/etc/identd.conf). If I omit the daemon server user, it will default to nobody. The latest version of pidentd also gives me a strange response, where it omits a space before the username so it smacks the username right up against the : before it. I’m not sure if that matters or not.
“oidentd” didn’t seem to work for me either, but most people seem to be using this. I don’t really want to use that if I can get the built-in “auth” to return something other than root, though.
Anyways, I know this comment section is not specifically for ident issues but I just thought I would mention it since I saw someone else comment about that too.
Thanks for putting this page up; the suggestions are very useful.