5

I know most of the general advice: "turn off unnecessary services", "no really, turn off unnecessary services", "least privilege", etc. I've also seen a few guides and/or tools, e.g., Bastille, for hardening Linux boxes, but nothing that seems tailored to NetBSD.

Assume for the sake of this list that I've already made sure root doesn't have SSH access, but that I haven't installed any server software.

What are your first steps for securing a new NetBSD box?

UPDATE: To be clear, I'm looking for specific steps. I'm entirely self-taught when it comes to server admin, but I feel I have a decent grasp of the general principles. I'm looking for details for two reasons:

  1. To see if there is anything NetBSD-specific that I've overlooked.
  2. To see if other people have better methods for putting the general principles into practice.

Thanks.

Hank Gay
  • 365
  • 3
  • 11
  • 1
    Also, check out ["Why should I firewall servers"](http://serverfault.com/questions/201298/why-should-i-firewall-servers). Lots of useful discussion about firewalls and security hardening in general. – Steven Monday Feb 02 '11 at 15:09

3 Answers3

5

Please see security(8) in NetBSD manual. You can:

  • Set securelevel in rc.conf to harden a production system
  • Enable security.curtain = 1 in sysctl.conf to limit users from seeing each other.
  • Make relevant files immutable or append only with chflags
  • Enable PaX mprotect and Address Space Layout Randomization (aslr) extensions in sysctl.conf (security.pax.mprotect.global=1, security.pax.aslr.global=1)
  • Consider Veriexec verified binaries

Please also see Elad Efrat's paper Recent Security Enhancements in NetBSD.

Please note that features that prevent changing binaries also prevent you from upgrading the system so prepare to make upgrades in single user mode.

PaX extensions may prevent some software such as gnu make from working at all. You can leave the .global flags disabled and set PaX flags on binary basis with paxctl.

jkj
  • 592
  • 4
  • 12
2

It's the same with every system:

  • Install and configure a firewall. Make it as restrictive as possible.
  • Make sure the system is updated regularly
  • Disable password login for ssh, only allow certificates
  • Set up good logging and log-analyzing procedures.
  • When setting up servers: If possible, but it behind bars (chroot jails)
  • Don't install X11, a web browser or any non-server software (except it's a workstation, of course ...).
  • Disconnect it from the network ;-)
Sven
  • 97,248
  • 13
  • 177
  • 225
1

As SvenW said, the basic concepts pretty well apply across the board.

For a detailed read, the Center for Internet Security has a Benchmark available for FreeBSD. I imagine that it should be fairly easy to translate to your environment.

Scott Pack
  • 14,717
  • 10
  • 51
  • 83