• Search for:

• About

  Welcome to the Phurix research and development labs. Here you'll find our experiments and findings as part of our on going Internet engineering.

• Projects

  • Bitcoin eWallet
  • Domain Name Whois
  • Down Or Me
  • Eggdrop TCL
  • PageRank Viewer
  • TrackJacker
  • URL Shortner
  • Validate an email address
  • What is my IP?

• Recent Comments

  • James Wade on Parts inside your printer are at the end of their service life
  • Marcel on Parts inside your printer are at the end of their service life
  • James Wade on PHP OpenSRS Client
  • Jon on PHP OpenSRS Client
  • James Wade on Google PageRank Script

• Subscribe to our newsletter

  Email Address :

← Developing a Facebook Application on PHP4 Why I registered mIRC →

Configuring a FreeBSD IRC Shell Server

Posted on August 22, 2007 by admin

This is a brief guide created to help configure a secure FreeBSD as an IRC shell server.

In this case I will be running FreeBSD 6.0, with bash shell, SSHd, named (bind), httpd (Apache2+PHP4), FTPd (pure-ftpd).

Note: In many cases, if you don’t wish to review the config when adding to it you can do: echo ‘<string>’ >> <file> (ie: echo ‘accounting_enable=”YES”‘ >> /etc/rc.conf)

sshd

• edit /etc/ssh/sshd_config
• Add line “Port 22″ – This is default, BUT change to another port if you want to be even more secure.
• Add line “Protocol 2″ – We don’t want protocol 1, just 2.
• Add line “LoginGraceTime 1m” – If you don’t login within 1 min, it will timeout.
• Add line “PermitRootLogin no” – You should not allow direct root login via ssh, use su.
• Add line “MaxAuthTries 3″ – If you get your login incorrect 3 times, you’re doing something wrong anyway.
• Add line “X11Forwarding no” – You don’t run Xwindows on a server muppet!
• Add line “MaxStartups 15:30:60″ – This means, after 15 concurrent unauthed connections, 30% of connections will be dropped, until it reaches a max of 60, then it’s full.

sysctl

• You can read each current setting by doing sysctl <setting> (ie: sysctl kern.securelevel)
• If you are unsure about using a setting you can use “sysctl -w <setting>” to temporary set, until you next reboot.
• edit /etc/sysctl.conf
• Add line “security.bsd.see_other_uids=0″ – We don’t want users to see each other’s processes.
• Add line “kern.securelevel=1″ – By default it is -1, you don’t need this unless you’re running Xwindows, run at least 0.
• Add line “net.inet.tcp.blackhole=2″ – This will drop ALL tcp packets that are received on a CLOSED port and not reply.
• Add line “net.inet.udp.blackhole=1″ – This will drop ALL udp packets that are received on a CLOSED port and not reply.
• Add line “kern.ipc.somaxconn=1024″ – Default is 128, this means we can have more concurrent connections. If like you me you have plenty of bandwidth, this is best, otherwise if you get attacked, you’ll reach 128 very quickly.
• Add line “net.inet.icmp.icmplim=50″ – Default is 200, you shouldn’t need this many, set it to 50 to reduce the amount of ICMPs sent back per second.
• Add line “net.inet.ip.rtexpire=2″ – Default is 3600, See the FreeBSD handbook: Denial Of Service Attacks.
• Add line “net.inet.ip.rtminexpire=2″ – Default is 10, See the FreeBSD handbook: Denial Of Service Attacks.
• Add line “net.inet.tcp.always_keepalive=1″ – This will help discover dead connections and clears them.
• Add line “net.inet.ip.random_id=1″ – This is optional, but I like the idea. It gives you random PIDs instead of sequential.

This is my “/etc/sysctl.conf”:

security.bsd.see_other_uids=0
kern.securelevel=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.ipc.somaxconn=1024
net.inet.icmp.icmplim=50
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.tcp.always_keepalive=1
net.inet.ip.random_id=1

rc.conf

• edit /etc/rc.conf
• Add line ‘portmap_enable=”NO”‘ – You only need this if you’re using NFS, which we’re not.
• Add line ‘sendmail_enable=”NO”‘ – This will tell sendmail to only listen on the localhost, it’s not a good idea to leave a mail server open to spam on a shell server.
• Add line ‘nfs_server_enable=”NO”‘ – As above, we don’t need NFS.
• Add line ‘nfs_client_enable=”NO”‘ – Again, no NFS, not even a client.
• Add line ‘accounting_enable=”YES”‘ – This enables process accounting. (You need to do touch /var/account/acct && accton /var/account/acct).
• Add line ‘clear_tmp_enable=”YES”‘ – This will clear the “/tmp” dir at boot time.
• Add line ‘syslogd_flags=”-ss”‘ – This stops syslogd from broadcasting on port 514.
• Add line ‘enable_quotas=”YES”‘ – Assuming you’re running a shell server, you want quotas enabled.
• Add line ‘check_quotas=”YES”‘ – This will help keep your users within their quotas.
• Add line ‘ntpdate_enable=”YES”‘ – This will enable ntpdate, which will keep your date/time up-to-date.
• Add line ‘update_motd=”NO”‘ – This will ensure that the FreeBSD details aren’t added to the /etc/motd on each reboot. We don’t want to broadcast this information.
• Check for ‘inetd_enable’ – Set it to NO, or add inetd_enable=”NO”, if it’s not there.
• Check for ‘named_enable’ – Okay, so running named will increase overheads, but if this is a shell box it probably makes sense to run your own dns server as IRC relies a lot on resolving hosts.
• Check for ‘log_in_vain’ – You may have set this based on what you read else where, but I recommend having this as “NO”, because it logs events on non-open ports, which could cause a ddos.

The latter half of my “/etc/rc.conf” looks like this:

inetd_enable=”NO”
linux_enable=”YES”
sshd_enable=”YES”

portmap_enable=”NO”
sendmail_enable=”NO”
nfs_server_enable=”NO”
nfs_client_enable=”NO”
accounting_enable=”YES”
clear_tmp_enable=”YES”
syslogd_flags=”-ss”
enable_quotas=”YES”
check_quotas=”YES”
ntpdate_enable=”YES”
update_motd=”NO”
named_enable=”YES”

Firewall

For a shell server, a firewall may not be required, but for many others it may be required.

• edit /etc/firewall.rules – for a shell server, you can do the following:
  • You need to allow new connections for services on the following ports: 21 (ftpd), 22 (sshd), 53 (dns), 80 (httpd).
  • If you are running any other core services, you will need to open the ports for those too. Remember, the first 1024 ports are reserved for root services.
  • If you run an IRC shell server, you should open a range (ie: 2000-4000) for your users services. (such as eggdrops and psybncs).
  • No other new connections to other ports should be allowed.
  • All other traffic is okay.
• Don’t forget to “chmod 600 /etc/firewall.rules”
• Add line ‘firewall_enable=”YES”‘ – We want a firewall enabled.
• Add line ‘firewall_logging=”YES”‘ – Logging the firewall can be useful.
• Add line ‘firewall_script=”/etc/firewall.rules”‘ – It needs to know where to find the rules. (don’t forget to touch /etc/firewall.rules)

Date and Time

You must ensure your system’s date/time is correct, otherwise SSH may fail and logs will be incorrect.

• As above, ensure you have ‘ntpdate_enable=”YES”‘ in your “rc.conf”.
• For first time use: “touch /etc/ntp.conf && echo /etc/ntp.conf >> server uk.pool.ntp.org prefer && echo /etc/ntp.conf >> driftfile /var/db/ntp.drift”
• Run: ntpdate uk.pool.ntp.org

Login.conf

Using login.conf you can create custom classes for your users giving them all sorts of limits and restrictions.

• edit /etc/login.conf
• If you change the “passwd_format” in the Default class to read “:passwd_format=blf:\”, this will give you blowfish password hashes, for better security, but you need to rebuild your login database by doing: “cap_mkdb /etc/login.conf”, and update all passwords by doing “passwd <user>” as root (check “/etc/master.passwd” all passwords will start with $2 if done correctly), don’t forget to edit /etc/auth.conf to “crypt_default=blf” also. This step isn’t required, but recommended.
• There are lots more options, you need to read the handbook for the “login.conf” file.
• Run “cap_mkdb /etc/login.conf” when you’re done to update the database.

pure-ftpd

Instructions are as follows:

• cd /usr/ports/ftp/pure-ftpd && make install
• cp /usr/local/etc/pure-ftpd.conf.sample /usr/local/etc/pure-ftpd.conf
• edit /usr/local/etc/pure-ftpd.conf (if required)
  • Change “NoAnonymous no” to yes
• /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
• echo ‘pureftpd_enable=”YES”‘ >> /etc/rc.conf

Apache 2

• edit /usr/local/etc/apache2/httpd.conf
• change the “ServerAdmin” line with your email address.
• change the “ServerTokens” line from “Full” to “Prod”, this means only “Apache” will be displayed.
• echo ‘httpd_enable=”YES”‘ >> /etc/rc.conf

oidentd

• echo ‘oidentd_enable=”YES”‘ >> /etc/rc.conf
• edit /usr/local/etc/oidentd.conf
• Ensure the defaults deny everything, and that root has a different reply, ie:

default {
default {
deny spoof
deny spoof_all
deny spoof_privport
deny random
deny random_numeric
deny numeric
deny hide
}
}

user root {
default {
force reply “UNKNOWN”
}
}

Note: You can add a user, if you want to allow spoof for certain users, and allow that.

Files and Permissions

• “find / -perm -2000 -ls && find / -perm -4000 -ls” – This lists binaries that everyone can currently access.
• Use “chmod a-s <file>” to remove access or “chmod o-rwx <file>” to allow just for wheel users.
• “chmod 640 /etc/crontab” – This will allow only root and wheel users to see it. Users don’t need to know what processes are started by cron.
• “chmod 600 /etc/rc.conf” – Users don’t need to access this.
• “chmod 600 /etc/sysctl.conf” – Users don’t need to access this.
• “chmod 0750 /root” – Stops non-wheel users from viewing root files.
• “chmod 640 /var/db/locate.database” – You don’t want all users to see all the files on your system.
• edit /etc/motd – Change this to say what you like.
• “touch /etc/COPYRIGHT” – This will remove the copyright info.

ToDo

• Provide an in-depth example of a firewall script
• Provide details about working with Quotas
• Provide better usage of login.conf

Additional Security

• Try checking system integrity with tripwire.
• Keep things up to date with cvsup.

Resources

• FeeBSD Security Information
• Defcon1 Security Guide
• A basic guide to securing FreeBSD (DALnet)
• Hardening FreeBSD (bsdguides.org)
• Protecting yourself with FreeBSD
• sysctl.conf Sample (Freebsdblog.org)
• Securing FreeBSD (ONlamp.com)
• FreeBSD Security HowTo (windowssecurity.com)
• tris’ FreeBSD setup info
• cPanel FreeBSD Seminar

Final notes

I’ve written this as more of a reference, i’ve more than likely missed a few things, so feel free to add your own comments.

Related posts:

1. Setting up a FreeBSD socks proxy server for use with mIRC Update: Looking for the sss.pl? Try the Simple Sockets Server...
2. Installing Subversion on a cPanel Server It should be easy right? Just “yum install subversion”. Nope. You...
3. The requested URL /cpanel was not found on this server If you run cPanel servers, then you may at some...
4. error: no dbpath has been set I’ve recently been having trouble with a OpenVZ VPS upgraded...
5. How to find the fastest CVSUP mirror server Some time ago I wrote about using fastest_cvsup, to find...

About admin

The author formerly known as HM2K is now the Phurix Labs administrator.

10 Responses to Configuring a FreeBSD IRC Shell Server

1. hm2k says:

   September 3, 2007 at 8:22 pm

   I think pretty much in freebsd 6.0+

   kern.ps_showallprocs=0
   kern.ps_argsopen=0

   Are no longer required, and a replaced by…

   security.bsd.see_other_uids=0
2. rdns says:

   October 16, 2007 at 4:33 am

   hi!

   this is the most useful guide for shell admin
   i’ll bookmark this
   thanks a lot!
3. ruslie says:

   January 19, 2008 at 5:03 am

   hi my psybnc ident has ~ string for example ~test@xx.xxx.xxx.xx
   how to fix it?
   thanks
4. krasko says:

   July 3, 2008 at 10:02 am

   realy nice

   thank you!
5. deadpan says:

   August 28, 2008 at 3:25 am

   great guide so far, any info on how to setup some sort of signup form that would allow a user to pick the user name and whatnot and have it added to the system?
6. Taimur says:

   September 28, 2008 at 6:06 am

   A perfect guide for a shell co. administrator.

   Thanks!
7. prez says:

   October 19, 2008 at 6:34 am

   Hey Ruslie,

   You’ll need to install oidentd or similar on the system in which your psyBNC runs on. (Identd Daemon!)

   (prez@DALnet / prez@EFnet / prez@Rizon)
   email: prez@dal.net
8. Ruslie says:

   March 26, 2010 at 3:32 pm

   waw it has been 2 years since i asked that question

   and thank you prez
9. prez says:

   June 14, 2010 at 1:56 am

   No problem Ruslie. I figure, better late than never. Haha.
10. t1m1976 says:

    December 8, 2010 at 5:44 am

    I actually can’t seem to get my FreeBSD 8.1 auth to work with IRC either. I’ve tried using the built-in auth, oidentd and pidentd. I’ve modifed the configuration files for both oidentd and pidentd and have tried using .oidentd.conf in a user’s home directory too. I have verified that the IRC servers are sending the request and that my host is answering those requests (/var/log/security and the verbose logging through ipfw). I have disabled the router firewall completely, but have not tried router DMZ mode. Still, I can not get any IRC servers to say anything other than * No Ident Response.

    Here’s the funny thing though:

    “auth” always returns user as root. I can not figure out why and have been wondering for a few days how to change that.

    “pidentd” always returns the user the daemon is running as (ie: the one configured in /usr/local/etc/identd.conf). If I omit the daemon server user, it will default to nobody. The latest version of pidentd also gives me a strange response, where it omits a space before the username so it smacks the username right up against the : before it. I’m not sure if that matters or not.

    “oidentd” didn’t seem to work for me either, but most people seem to be using this. I don’t really want to use that if I can get the built-in “auth” to return something other than root, though.

    Anyways, I know this comment section is not specifically for ident issues but I just thought I would mention it since I saw someone else comment about that too.

    Thanks for putting this page up; the suggestions are very useful.