FreeBSD security exercises
==========================

1. Figure out what is running on your machine
---------------------------------------------

There are quite a few ways to approach this, but very quickly here are some
useful commands:

    ps                       # processes
    netstat                  # network status
    sockstat                 # socket status
    grep -i yes /etc/rc.conf

You should, as usual, read the man pages for "ps", "netstat", "sockstat". On
other versions of Unix you may have the command "lsof" (List Open Files),
and this can be installed as an optional extra package under FreeBSD too if
you wish.

Now here are some good options:

    $ ps -auxw | less
    $ netstat -an -f inet
    $ sockstat -4 -l

You should try all of these commands and analyse what is being shown. For
example, the command "sockstat -4 -l" may produce:

    $ sockstat -4 -l
    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
    root     syslogd    19072 5  udp4   *:514                 *:*
    root     sshd       19196 3  tcp4   *:22                  *:*
    root     sendmail   19202 4  tcp4   127.0.0.1:25          *:*

What you are seeing is that the syslog daemon is listening for UDP traffic
on port 514; sshd is listening for TCP connections on port 22; and sendmail
is listening for TCP connections on port 25, but is only listening on IP
address 127.0.0.1. That's the loopback address, so will only accept mail
generated within the same machine, not from outside.

An easy way to check what you've chosen to start at system boot is:

    $ grep -i yes /etc/rc.conf

although some things may be started by default anyway. You can look through
/etc/defaults/rc.conf for these, or try:

    $ grep -i '="yes"' /etc/defaults/rc.conf

Finally, in a perfect world you should be able to type:

    $ ps -auxw | less

and know what each and every item in the process list means and does. You
can look for unusual items, and use available resources like "man" to try to
figure out what all the items in the list mean.

2. Turn off any unnecessary services
------------------------------------

This exercise is very simple and short. You just finished looking at your
system in much more detail. Did you see anything that should not be running,
starting, etc? This is a *very* subjective question. If you did find
something, then the likely place to turn the item off will be in the file

    /etc/rc.conf

You usually do this by immediately shutting it down with:

    # /etc/rc.d/service stop

(or just by 'kill _pid_'), and then adding an entry to /etc/rc.conf that
reads:

    service_enable="NO"

As you are using a fresh install of FreeBSD and it is a fairly minimal
install there is probably nothing that needs to be turned off right now, but
if you think there is, call an instructor over to discuss the item.

3. Understand your logs
-----------------------

On a daily basis your server will receive two emails that are
generated from a script that is run via the crontab facility. This
script reads your log files, checks your system state, etc. and then
generates the summary reports for you. The reports can be very useful,
particularly if you do not have additional logging facilities in place
to warn you immediately of potential attacks.
   
First, have a look at the file:
   
     $ less /etc/syslog.conf

to understand where logs are generated on your machine (full details of this
file are in 'man syslog.conf', of course). Now go to the directory /var/log

    $ cd /var/log

and look at all the log files available to you. These files can be
invaluable when troubleshooting problems and checking for potential security
issues.

The log you are probably going to look at the most is "messages". 

Feel free to look at some/all of the log files. Some of the files are not
text files, so you won't want to type them to the screen. And, some are
empty. A quick way to check what files are text, binary, data, or empty is
to do the following:
   
    # cd /var/log
    # file *

The 'file' command tells you what type of file a file is, and the shell
expands '*' to all the filenames in the current directory. The output from
this command may look something like this:

    Xorg.0.log:       ASCII English text
    Xorg.0.log.old:   ASCII English text
    aculog:           ASCII text
    auth.log:         ASCII text
    connect-errors:   ASCII text
    cron:             ASCII text
    cron.0.bz2:       bzip2 compressed data, block size = 900k
    cron.1.bz2:       bzip2 compressed data, block size = 900k
    cron.2.bz2:       bzip2 compressed data, block size = 900k
    debug.log:        ASCII text
    debug.log.0.bz2:  bzip2 compressed data, block size = 900k
    exim:             directory
    lastlog:          data
    lpd-errs:         ASCII text
    maillog:          ASCII text
    maillog.0.bz2:    bzip2 compressed data, block size = 900k
    maillog.1.bz2:    bzip2 compressed data, block size = 900k
    maillog.2.bz2:    bzip2 compressed data, block size = 900k
    messages:         ASCII English text
    messages.0.bz2:   bzip2 compressed data, block size = 900k
    messages.1.bz2:   bzip2 compressed data, block size = 900k
    messages.2.bz2:   bzip2 compressed data, block size = 900k
    ppp.log:          empty
    security:         empty
    sendmail.st:      empty
    sendmail.st.0:    empty
    sendmail.st.1:    empty
    sendmail.st.2:    empty
    slip.log:         empty
    userlog:          ASCII text
    wtmp:             data

Files that are gzip compressed or bzip2 compressed can be read using one of
the following commands:

    # gzip -dc filename.gz | less
    # bzip2 -dc filename.bz2 | less

On a daily basis your server will receive two emails that are
generated from a script that is run via the crontab facility. This
script reads your log files, checks your system state, etc. and then  
generates the summary reports for you. The reports can be very useful,
particularly if you do not have additional logging facilities in place
to warn you immediately of potential attacks.

If you want to generate the daily summary of your server right no you can
issue the following command:

    # periodic daily

It might take a minute or so to complete. Now type:

    # mail
    Mail version 8.1 6/6/93.  Type ? for help.
    "/var/mail/root": 2 messages 2 new
    >N  1 root@localhost.local  Sun Jan  9 11:02  37/1039  "localhost.localdomain"
     N  2 root@localhost.local  Sun Jan  9 11:02  72/2440  "localhost.localdomain"

Press "1" to see the first message. Press spacebar to scroll. Press "2"
to see the next message. Type "quit" to exit from mail.

Normally you'd set up a mail alias so that these system messages go
somewhere other than to "root".

You can look at your crontab file, /etc/crontab, to see how and at what time
the daily cron items are done. For more information see

    $ man cron
    $ man -a crontab

If you want to see how the periodic script works you can look at the file
/etc/defaults/periodic.conf. It runs various scripts which are under the
directory /etc/periodic:

    $ cd /etc/periodic
    $ ls
    daily           monthly         security        weekly

Now look in one of the directories, like 'daily':

    $ cd daily
    $ ls
    100.clean-disks         210.backup-aliases      430.status-rwho
    110.clean-tmps          300.calendar            440.status-mailq
    120.clean-preserve      310.accounting          450.status-security
    130.clean-msgs          330.news                460.status-mail-rejects
    140.clean-rwho          400.status-disks        470.status-named
    150.clean-hoststat      405.status-ata-raid     500.queuerun
    200.backup-passwd       420.status-network      999.local

These are all the scripts that can be run (if enabled in
/etc/defaults/periodic.conf) each time the crontab calls the 'periodic
daily' command.

This is quite an advanced and complex topic, but it's important to begin to
understand what is going on in the background on your machine.