Hardening FreeBSD

Some things to remember – unfortunately far from being complete.

Securelevel

Lowest: -1 Highest: 3

Set to highest:

# echo kern_securelevel_enable=\"YES\" >> /etc/rc.conf
# echo kern_securelevel=3 >> /etc/rc.conf

Open Ports

Check open ports using

# sockstat -4
# sockstat -6

Xorg

In /usr/X11R6/bin/startx, add the argument so that

serverargs="-nolisten tcp"

Check with sockstat whether open port 6000 has disappeared.

syslogd

If you don’t need logging from remote machines, change the /etc/rc.conf file by typing

# echo syslogd_enable=\"YES\" >> /etc/rc.conf
# echo syslogd_flags=\"-ss\" >> /etc/rc.conf

Clear /tmp

To clear the /tmp directory at startup, run

# echo clear_tmp_enable=\"YES\" >> /etc/rc.conf
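
The rc.conf lines on this page are appended with `>>`, so a variable that is already set elsewhere in the file ends up assigned twice; rc.conf is read as shell, so the last assignment wins. The following check is an added example, not part of the original page: it reports the effective value of each rc.conf setting listed here. The function names `rc_value`, `check` and `audit_rc` and the sample file are constructed for illustration.

```shell
# Added example: audit an rc.conf-style file for the settings on this page.
# rc.conf is read as shell, so for a repeated variable the last assignment wins.

# rc_value FILE NAME: print the effective (last) value of NAME, unquoted.
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check FILE NAME WANT: compare the effective value with the wanted one.
check() {
    got=$(rc_value "$1" "$2")
    # rc.conf accepts YES in any letter case, so normalise before comparing.
    case "$3" in YES) got=$(printf '%s' "$got" | tr '[:lower:]' '[:upper:]') ;; esac
    if [ "$got" = "$3" ]; then echo "OK   $2=$got"; return 0; fi
    echo "FAIL $2=${got:-<unset>} (want $3)"
    return 1
}

# audit_rc FILE: check every setting; exit status is the number of failures.
audit_rc() {
    fails=0
    while read -r name want; do
        check "$1" "$name" "$want" || fails=$((fails + 1))
    done <<EOF
kern_securelevel_enable YES
kern_securelevel 3
syslogd_enable YES
syslogd_flags -ss
clear_tmp_enable YES
EOF
    return "$fails"
}

# Constructed sample, not a real system's rc.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
kern_securelevel_enable="YES"
kern_securelevel=3
syslogd_enable="yes"
syslogd_flags="-s"
kern_securelevel=1
EOF
audit_rc "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On a real system, run `audit_rc /etc/rc.conf`; values set in other files such as /etc/rc.conf.local are not seen by this check.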

Prevent Remote Login

To prevent all remote login and allow only physical login, change /etc/login.access to contain

-:wheel:ALL EXCEPT LOCAL