 BSD security fundamentals. This is just gonna like hopefully at the end of this talk you guys will have a little bit better understanding of some of the security mechanisms that are actually built right into BSD and a lot of people just don't make use of them and they're actually pretty nifty so yeah I'm just gonna get started. I'm gonna throw this presentation up, excuse my PowerPoint format it's not very polished I just throw as much stuff in there so I like remember I don't you know if I don't leave anything out I give in the talk so this will be up on the this is a little bit different to the one in your CD it's a couple more revisions to it so go ahead and the website is going to be subtrain.net slash presentations and you can get some of the other talks that the rest of the guys that I work with have done so subtrain.net slash presentations. Okay so for this whole talk I'm pretty much going to be focusing on free BSD that's like the main operating system that that my friends and I work with and it's really the most mainstream and I mean I'll like deviate a little bit and talk about some cool stuff with open BSD but it's mainly free BSD. 
It's just gonna be it's gonna be a refresher I mean some of you guys may already know a lot of this stuff but I mean I'm sure everybody will pick up a couple things that they didn't know or the things pretty cool and it's gonna it's gonna be emphasized on on host base security and I'm just gonna basically show you you know using a defense and death strategy you're able to secure a BSD server you know all the way up to the to the wire pretty much in and it's like it's like this the models of the security onion you know I mean you peel it away a lot of people I mean it's ridiculous with like the recent Apache chunking coding stuff I mean I'm sure some of you guys came across this but a lot of people actually went out of their way to start up Apache running his route because you know they need they didn't understand how file permissions work and and sim links work and they just wanted Apache to have access to their entire directory structure so once they got hit by the exploit they were you know they were toast so okay so BSD is actually in use in quite a few different products in today's like computer enterprise world and it's kind of behind the scenes a lot of times a lot of companies are kind of turning to open source right now with like the current state of the economy because they don't want to pay the high support cost for licensing Microsoft software or some other commercial variant and a lot of times the quality of the software is as you guys know usually better Nokia firewalls that actually they run checkpoint these what's called the ipso operating system which is like a hardened version of free BSC 3.2 and they've just went ahead and done some extra like file walking and stuff and they've got some proprietary stuff that they've added it's pretty cool and then all the juniper all the back blowing routers and stuff they all run free BSC I think it's called all of is the is the name of the product but it it's more or less a BSD machine you can do package that 
on it and all kinds of stuff they're pretty cool and of course everybody knows you know yahoo uses free BSC cluster machines to power all their web stuff and their mail stuff so alright so get started with the basics I mean everybody should know this but I thought just go over it anyways you know if you're not if you're messing with the system it's in a production environment you'll make backups and don't just you know don't make any changes you're not comfortable with you don't know what's gonna do go through your iNEDE comp file and RC comp file and just turn off what you're not using I mean free BSC is especially has gotten really good lately in the last couple releases and I think all the way back to like four three they've just turned almost everything off by default in iNEDE which is like I mean they're really like setting the pace for other vendors because I mean up till just like maybe a year ago the the standard was just you know vendors were more concerned about making stuff work out of the box rather than you know emphasizing security so I mean they would just turn everything on by default to make it easier for the customer which didn't turn out to be a very good security strategy if you're running a machine and all you need to do is send mail locally you can actually disable send mail disable the daemon or the send mail in the RC comp file with some flags and you can also turn off the submission port send mail comes to fall with free BSC in case some of you guys didn't know that and the submission port is just another I think it's it's new to like send mail like late versions 8.11 and 8.12 and most mail servers don't make use of it so you can fire it all it off or disable it in the RC comp I'll get into how to do that specifically in a little bit and obviously I mean you don't want to track the most stable version of the operating system if you're working in a production environment I would say probably rebuild the system and rebuild the kernel like 
every two months or maybe every month and a half obviously make exceptions and I just recently had some problems with open SSH and the free BSC team got the 3.4 stuff with the privilege separation put into the stable tree pretty quickly after that even though stable wasn't actually affected by the recent off by one and some of the other remote open SSH stuff that's been floating around if you're I mean if you're a hobbyist yeah I'd say go for it as much as possible I think I could probably count on one hand in the past three or four years at times that I've seen the stable tree really broke into the point where you couldn't you know kind of figure out what was wrong or maybe so maybe just made a made a fat finger something when they did their commitment you know I got taken care of you know within 30 minutes or an hour or so I think that I'm not sure about this I'm not sure if they've if they've gotten gotten rid of this but there's another branch called the security branch and basically that's like an option for you if you you're running a production system and you don't want to you don't think stable is really stable basically but you want all the security fixes and all they do is commit anything like the the recent like IO smash stuff they just commit patches to that and then you all you that's all you get and a lot of people prefer that if they're looking to run a really stable environment and there's that there's the recent open SSL stuff that I was checking out before I head out the black hat this week but it looks like there have been five or six new vulnerabilities found in open SSL so rebuild your systems when you get home okay encrypted communications I mean especially at DEF CON I was really amazed the amount of people that were still like popping their mail and everything at like DEF CON 10 it's kind of ridiculous but more or less I don't think there's a there's an excuse to not encrypt stuff that you're doing between SSH tunnels are using a tunnel to 
wrap stuff with SSL I mean what I mean what's your excuse for not doing that you know and open SSH has been included in the free BSD base since I think free BSD 4.0 a lot of people have chosen to track the port though and use port upgrade to just keep it current and you can actually there's an RC CON variable but I think it's SSHD underscored demon and you can just specify the path to your SSH Damon so you can you can put it wherever you want personally I just stick with what's instable I never had a problem with it even if with some of the the recent open SSH disclosures people are kind of muddy as to as to what was affected where and under what circumstances so I mean I just recommend going through and upgrading all your systems to 3.4 and disabling SSH version one where you can on some older systems especially some legacy stuff like I know like picks firewalls and stuff they only listen on to SSH version one for the protocol so I mean that might be a problem but on on your BSD systems you really you know have no no excuse not to and you can turn on privilege separation it's not enabled by default with 3.4 you have to go in there and turn it on it's an option in the SSHD config file it's just like I think it's enable or use privilege separation and basically I was fork off a process when somebody authenticates to your machine successfully and it'll drop some privileges I'll get into that a little bit later as to how some of that stuff works SFTP this is kind of recent I think it's like open SSH 2.9 brought it in to the tree like as a standard thing but it's just basically a way to use you know connect to your system to transfer files over SSH and obviously I mean the problems with FTP everybody knows some of you guys may have caught J Bills talk yesterday about hardening FTP the FTP is 20 years old and you know pass this stuff in the clear and uses on an authenticated channel for data and everything it's just this this way it's encrypted this has full like public 
key support so I mean you know it's basically just like you're making a administrative connection into the machine and there's some new clients for Windows like secure FX and I'm not sure if buddy has a file transfer client or not but it's just it's a lot more secure than using using regular FTP okay a public key authentication just talking about this a little bit really what's gonna get you I mean most people are pretty good like keeping their systems patched that are in the security industry and you know they're a security engineer at their company or what have you I mean they understand the importance of rolling patches out in a timely manner but what's gonna get you are your users usually with weak passwords and so I'm gonna talk quite a bit about how to secure your user accounts and what it comes down to is you know users don't really give a crap about security and that's just that's just the way it is I don't know if that'll ever change because I mean people want convenience and they want to be able to use their system and and security and security and convenience are just kind of like the opposite so I'm gonna talk about public key authentication I'm gonna heavily recommend switching all users to public key authentication if your users are savvy enough to handle it you know you may have to have them set up help them set up the the public private key pair and everything but once you do it you can actually start out their password fields in the password database and you know they won't be able to log in with a Unix password scheme anymore if you can't do that I've got some alternatives later in the talk that I'll get into okay so I'm just gonna get started like as you're installing like you know you set up a new machine or whatever it's always good to consider security right as you're as you're building the system and how your partition scheme looks is really important to that as much as you can break it up into different partitions so at the minimum here I've 
got like a root partition user of our temp as a minimum slash home should definitely be considered as a separate partition just because it I mean depending on the level of security you're looking for on your BSD machine with some of the mount options and and and some of the other stuff you can do you can really restrict what users can and can't do on the file system so like anything except user or slash because of that spin you can mount those with the no-suit argument and basically that's just gonna if there's a file with a suit bit set on it it won't execute with that flag pass through mount and I would also recommend setting that on your home partition to just because you know users if they're messing around with something and it's suede especially if it's suede route you don't you don't really know what they're doing go through your file system and remove suede bits I was looking through the free BSD handbook just to see what the the projects stance was on this and they say you know anything that's set suede in the in the default installation is probably pretty safe but if you're not using stuff for example if any of the you see p stuff I mean you can actually strip that right out in your make.com file you can just say don't build you see p because you know who uses that anymore but just go through your file system and and look for suede and sgid files and just get rid of this anything you don't use either just remove the bit or just set the file zero zero zero so nobody if nobody's using it the ch flag stuff I'm gonna get into that right now and in the next couple slides like extended most people actually don't really know about this is kind interesting to me that most people didn't find out about this but this is like other variables you can set on a file that when you're using kernel secure levels you can like restrict access to the file a couple of the ones I've got here like the s append like a log file that'd be like a log file or text file type of a 
thing where you've got data incrementing to the file but you don't want anything else you know anything else you don't want someone going there and erasing their tracks or something so all they can do is append data that all the file system will let them do is append data you can't do anything else and the s chg bit you can set on binary system binaries and that'll basically that'll just prevent modification overriding deleting and as long as you're running in a secure level of one or higher not even root can modify that so it kind of makes it a pain if you're rebuilding your system because you have to reboot into a non-secure mode and then clear all this you know rebuild your system whatever over at the binaries and then reset all the very the flags to whatever you had before so I mean it depends on the amount of time that you want to spend configuring this stuff if you get really granular the only actually the interesting thing I ran into was people were complaining that you know if you set your whole like espion and bin directories with the s chg flag you couldn't tell if somebody had broken into your system because they weren't able to modify data people are getting pissed off because they weren't getting any tripwire reports because nobody could modify the files thanks okay so kernel secure levels basically you can change these are variables you can change on the fly you can't you can't lower them though when once the system is in multi-user mode the only real fault with kernel secure levels is that it doesn't the secure level doesn't get set until very late in the boot process so if you like if you're kind of paranoid about that and and you think maybe one of your startup scrups has been modified and and somebody's doing something nasty before your your secure level gets raised it's always best to like set that s chg bit on your your rc files or some of your other startup files to prevent modification of those so the levels go from negative one to three a 
negative one and zero are kind of the same thing they're just in secure mode and secure level one is you know that you can set like the append in the s chg flags and you can't disable them once they're set and you can't load any lkm's load of kernel modules you can't load or unload those in secure level one secure level two is the same thing but you can't write to disks in a raw fashion except for mount and also time changes any changes to the system clock are clamped to plus or minus one second change so if you're running like a PC or something with a doesn't keep time very well you know when you reboot your system to drop it into secure level zero to rebuild your system you're gonna want to go ahead and set your clock then because if you don't it'll you'll just get errors in your in your log files about the time changes clamped to one second okay so yeah we just talked about that setting the a chg flag on on some of the your system binary directors okay this is a lot of data I know and if you can't read it that's cool I just grabbed the this is all in the on the CD and this is gonna be up on the website too basically the sysctl variables that's also the secure level configurations for free bsd is a sysctl variable and it's just a numerical value negative one to three but these are some other settings that a lot of people don't really know about that can actually kind of help you strengthen your network stack a little bit and kind of keep people guessing as to what you're running and it kind of pisses people off they're trying to port scan you the tcp black hole variables the first one I'll talk about and you can set that to zero one or two basically I'm just gonna recommend to and almost any case which is a totally silent mode where it's just not gonna generate a reset packets back to the source on any connection attempts to a port that hasn't you know no socket open nothing listening so if somebody throws a port scan at you that opens up port zero through ten 
thousand you've got like three things running on this those ten thousand ports they're just gonna get you're just gonna sit there and they're in time out they're just gonna be waiting for a reset packet back to see if if your port is closed or not and there's the same setting for utp and basically that's the same same procedure same idea except that it won't generate an icmp port unreachable message on a port with no socket listening so the same thing that will break trace route to your system so if you care about people being able to trace route to you may want to drop that to to zero or disable it but so here's some other RC comp settings that you can do this is how you turn on secure levels in the main RC comp file you have to enable it specify enable it and then set the number that you want secure level 3 is the same thing as secure level 2 except you can't modify IPFW rules which can kind of be a pain if you're initially building your system or something or you're adding services because you have to bounce the machine if you want to make any changes to your firewall rule base so I just maybe something you want to keep in mind as you're setting that up ICMP drop redirect this is going to drop any redirect packets from supposedly they're supposed to come from a router but it's going to drop them from anywhere and it's just going to prevent people from modifying the path that that your traffic is taking and then there's the the TCP drop sin fin and that's just going to drop any packets with the sin and the fin bed sets and it does break an RFC technically it's not RFC compliant but you know there's no legitimate use for traffic with both of those bits set at the same time so yeah I'd recommend enabling it anyways clear temp enable is kind of cool it'll just go through and wipe stuff in your temp directory on reboot and one other one I don't know if I put it in here later or not is fsck underscore y underscore enable equals yes it's really handy setting if your 
machine is co-located or something and you don't have physical access to it if your machine gets balanced or if it crashes or something and it comes back up and starts up fsck to check out your file systems this will just automatically you know accept any changes that fsck is going to make so you won't have to call somebody up and go hey go over to the console and press y y y a few times go ahead yeah it's fsck underscore y underscore enable equals yes you can't I've I've heard of people compiling like the riser FS stuff under BSD but that's all like I've got a friend of mine in the UK that works on the current stuff a lot and he's he's really into like the cutting-edge stuff I've heard that they're thinking of integrating drilling stuff into UFS for 50 but I haven't confirmed that yet so not but not by default I don't think good well yeah soft it's kind of a it's a philosophical this guy pointed out soft updates is a is an option that you can set on your file systems soft updates is kind of interesting in the way that it writes to the disc sometimes it won't actually write changes to the disc for up to a minute and so it's it's kind of a trade-off if you want to enable that or not if you're doing a lot like heavy disc intensive stuff free BSD recommends you turn on soft updates and and I think it actually turns it on by default when you set up a partition where does it start what he says he says where the where the updates stored they're in memory and they're just waiting to be written to the disc right if your machine crashes your SOL for whatever data was written up to a minute or prior to a minute okay I mean the two kind of like the parts of this talk are encrypting your traffic and starting services in a jail environment I mean so many services that you're gonna see run nowadays have either native support for jail like a bind or Apache or you can actually you can use this jail functionality built into free BSD you can build a separate jail for for any service 
that you're running pretty much and I mean you can lock that down to a specific part of the file system and restore people and I mean by default I mean SSH is kind of the newest one to do this with the privilege separation and kind of and fork off a separate process for each user but by default I think that probably services like bind and Apache's already done this where when you do a free BSD install you're gonna get the the WWW user and I think the Apache ports tree is updated now where the default username and group name that Apache runs under is WWW so I mean people been using nobody for a while but people didn't really understand that if you use nobody and you run four or five different services as nobody it's not an unprivileged user anymore so I mean you definitely need to break it out into separate users and with SSH they've also they've added an SSH user and the the jail for that is slash bar slash empty okay for for log in vain this is this is kind of like this will pop up in your D message and you can configure this to drop into your messages file through syslog this is just gonna show any connections to your machine on ports that aren't listening so obviously this is gonna sort of conflict with some of the black hole stuff that I was talking about a few slides back but if you set this you know you're quickly gonna tell if somebody's port scanning you or something you're gonna see a bunch of connections on ports that you aren't even listening on so this is it's definitely a lot of people kind of mistake this this this RC comfortable for some kind of packet filtering stuff it's not that all it does is report people connecting on on ports that you're not using so you know use it in conjunction with a nice IPF or IPFW rule set okay so the next the next thing is is using IPF on almost any system and a lot of people take the the mindset that you know they're they're behind their fire their corporate firewall you know they're inside their their their office 
network you know nobody really malicious is doing anything but even if it's just you know your laptop or something I mean they can't hurt to throw a nice IPFW rule set on your laptop and and keep people out I'm sure a lot of people had that pay off at Defconn this year you know and it's really easy if you go to if you look at in the ETC directory there's an RC firewall file and I think I get into that later on but I can't come I get ahead of it go ahead he says what's the the performance impact on a couple dozen rule set IPFW setup on a busy system it depends what you define as a busy system and it depends how fast your link speed is and it depends on the specs of the machine personally I've seen a machine take like 80 or 90 megabits of traffic that it was filtering and it was like it was like a 1 gigahertz penny and three or something and then you could tell that the load is noticeable I don't really have any measurable data to give you but I would say probably like a 20 or 30 percent impact but that's that's with the full out 80 megabit right across a fast Ethernet link it was dropping every single packet so okay a lot of people have have kind of they say you know it's I'd like SFTP and everything but I'm either I'm running an anonymous file archive or I've got users who need FTP they don't want to learn a new client even though it's kind of transparent as to the differences you know they have some old scripts or something they're using FTP that they can convert whatever reason I would not recommend using FTP really anymore unless you're running an anonymous archive and I'll kind of show you how to how to lock it down but you know if you've got any users logging in individually put their username in the ETC FTP CH root file and that's just going to basically restrict them to their home directory by default they're not going to be restricted they're going to just be able to move all around the file system and so if you've been kind of waxed with your file 
permission somewhere else you know they may have access to something that you don't want to have access to if you start FTP from INETD you can go in and stick all some of these flags right at the end dash L twice will enable extended logging and then you actually have to turn on logging for the FTP facility in syslog that's that's going to give you each connection each user is connecting you know time and date and also any files that they're uploading or downloading and so the files can be kind of robust it's kind of similar to the extra log functionality in Linux and so if you're running an anonymous archive use like capital dash A and dash R and capital A is only going to allow anonymous connections nothing else which is handy because nobody's gonna figure out that they can FTP into your machine when you really don't want them to even though they're a legitimate user and dash R is read only mode where the daemon will actually restrict itself from making any write calls to the system at all so in the event that somebody figures out how to overflow your FTP because FTP runs its route so you know if somebody figures out how to overflow that it's not going to be able to write anything to the machine okay logging is obviously very important keeping track of your system and before getting any of this you know obviously logging you have to spend the time looking at your logs on your system so you know what's routine and you know what's not routine because if you see something out of the ordinary that kind of looks out of the ordinary just because you say that's not really right if you don't have like data to back that up you know say I haven't I haven't seen something like that in a month or something or I've never seen that before that's going to be a lot you know more of a clue into you that hey something something funny is going on if you start if you're running like a regular workstation I would recommend this start syslog with the dash SS flags and that's just 
going to prevent the daemon from opening the UDP port 514 by default FreeBSD won't let any users connect to your syslog daemon to log and a lot operating systems didn't used to do that and so people could you know fill up your logs at the very at the very worst fill up your whole file system if you didn't have permission set up right some would just allow unauthenticated connections from anywhere this is just going to keep anybody from being able to connect to your syslog daemon at all I would recommend setting up a centralized syslog file especially if you're running an enterprise and you've got 10 or 20 different servers maybe it's much easier to send all the data to a central place and then you know even even pull the data into some kind of you know an Excel spreadsheet or something for quick quick sorting or a database this is the syntax to do it you just this is the wild card right here is just saying log anything on any facility to remotehost.org and you can obviously fill in with a local IP address or something you will not be able to use this dash SS thing up here though with this machine that you're sending the logs to obviously it needs to have that that board open to be able to accept the logs in the unersyslog.com file add this VAR log FTPD or whatever you want to call it if you're running an FTP server so that you can you know you get more information about what's going on with FTP I think by default doesn't log anything that's going on with FTP at all or maybe it drops it into messages which is kind of kluji because there's so much other stuff going on in that file it's kind of hard to keep track the security file IPFW uses the security facility and so do a few other applications but at the end of your your IPFW rule base drop like a you know if because it will just do it it just goes down the rule base and if a packet doesn't match it will drop to the next rule at the end put it like a log any rule and anything that didn't match any of your your 
other packets is going to go ahead and get dropped into that file there's a there's a I'm sure most of you guys have heard this is a DShield.org project and they have a client framework for IPFW logs and it's like it's just a plural script that goes through and parses it out and changes the data into the DShield to compatible data and you could set up a Cron script or something to to email at data every night or something you know people connecting to your machine and then you can go and log into the web and take a look at it and you can coordinate it with other people submit their logs out on the world it's pretty cool yeah right yeah and and what he said the the FTP users file you can drop users in there that you don't want to be able to use FTP at all and so obviously you're gonna want to drop like root and and obviously any privileged user you know you don't want them passing their password in clear text and that's that's that's a good add-on to the rest of the FTP stuff the FTP CHR and everything else so this stuff is kind of interesting this isn't this isn't default with BSD but I ran across a couple of these projects just doing a little bit of research trojanproof.org they actually have a really cool white paper on their web page about how they developed this tool but I think they started with open BSD and they moved to free BSD for development and it's kind of like it's almost like tripwire but in the kernel and it can tell you if there are any mv5 variations if something's changed with files that are executing on your system so as they're executing it goes ahead and does the hash on a file to see if it's changed and it it they have some performance specs because a lot of people were concerned about performance on a you know an enterprise machine obviously and and I think to benchmark it they like built the kernel with this enabled in the kernel and then this without and I think there's like a 12 second difference or two second difference I can't remember 
which but it really wasn't that bad and so that kind of works well with with another file integrity tool like tripwire and that's just gonna that's just gonna give you the the kernel level mv5 checking and go ahead and check out the website they've got they can explain much better than I can as far as if you're interested in the specifics of how it works the next one is is server.sf.net this does like system call interception and logging of any what you might deem potentially dangerous system calls so I've got a few listed here exact VEP trace set UID you can configure every single one of these through sysctl commands so you can say you know I think that that set UID calls your dangerous alert or and block it or you can say I think ptrace I just want to log any of that or I don't want to do anything with exact VEP for example so I mean you can configure to whatever settings you want and the author actually has some some recommended settings if you're not really sure what's what you really kind of have to tweak it for your environment to see you know what what your system is using and there's a there's a tool called systrace there's actually written for open BSD and a guy at black hat this this week showed that he'd be ported it to free BSD and what systrace does is it'll basically log system calls that are being used by a particular process and then block ones that are not in what's called like a rules file for it so you initially set it up and you run it with like a wrapper like a TCP wrapper so you execute systrace and then things like dash a and then the the demon and it'll start up into a log of the syscalls that it uses so you can go through go ahead and put it through its paces we'll say for SSH you log in you know do an scp copy a file over whatever and then it'll drop all that stuff into a text file it's like a rules file and you can say okay that's everything that it can do don't let it do anything else and so you know if you attempt like an off-by-one 
exploit or something on your SSH daemon, if it uses a system call that isn't used by SSH legitimately, it's just going to drop it. So that's kind of nifty.

BPF in your kernel is enabled by default. I think you're only allowed two concurrent BPF filters in the GENERIC kernel, but if you're running a production machine you have no need for promiscuous mode or any kind of real raw packet sniffing type stuff on your system; you should probably turn this off. If you do this in conjunction with setting securelevels on your machine, so an intruder couldn't load a kernel module or something to make a change, that's just going to prevent people from sniffing on your wire. And another thing that you may want to do is write a script to check your dmesg output to see if anyone's put your interface into promiscuous mode and you don't know about it, so you could use swatch or something to monitor the logs and send you email. But I mean BPF is used by other things, any kind of real raw IP stuff may use it, so you probably want to test it out on a non-production system before you do that on anything that's production.

Okay, this part's called keeping people out, and some of it's pretty basic, but a lot of people don't really use TCP wrappers when they should, for non-public services, for like SSH, authentication stuff that people aren't connecting to anonymously. For example, like people sending you email connecting to your SMTP server, or, you know, browsing the website or whatever, I mean you can't use TCP wrappers with that stuff obviously because you don't know who's coming, but for SSH and FTP, if you know you've only got a select group using FTP, I mean the more you lock it down the better off you are. And so TCP wrappers combined with a nice IPFW rule set is just going to give you that defense in depth, and you never know when it can pay off.

So the next one is the AllowUsers and Allow
Groups arguments in the sshd_config file. You can specify certain users or certain groups respectively that are allowed to connect using SSH. So if you know you've got a user who's an FTP user and you need to give them a shell for some reason, but you don't want them to come in through SSH, you obviously use this to not allow them; I think it's DisallowUsers to not allow, you'll have to double check that. So this works well with TCP wrapper usage and privilege separation in OpenSSH. And this last one is, give people that only FTP into the machine a nologin shell; obviously people have been doing that for years, that's pretty basic.

So these are some tools that you can use to check your system, and if you don't know what nmap is you're probably in the wrong building. Whisker is pretty cool. There's a new Whisker version 2 that RFP is developing, that's the author, and it's a little more modular; his website is wiretrip.net, you may want to check that out. But the one in the ports tree is Whisker 1.4, which works okay for auditing real basic stuff, you know, if you've got an old phf vulnerability on your network or something. Tripwire: Tripwire is a commercial entity now, but what's called the academic source release of Tripwire is still available for free use, and all you have to do is go in the ports tree and build it. You actually have to go get the source yourself; it doesn't use the traditional distfiles ports distribution method, just because of the way the licensing works. But you can, I mean, Tripwire, you know, install it on your system, generate the database, and then keep the database on a floppy disk or something, and go through and just verify that anything that's been changed, you know about, and that can give you real peace of mind as far as what's going on on your system. But again it's only as granular as how you make it and how many files you have it check, and if you have it look at everything you're going to drive
yourself crazy just because of the amount of file changes that take place that, you know, you don't really realize. And so a lot of people are using Snort on their host machines now, because it's a lot easier than, you know, kind of doing the combined log analysis of everything and looking at your firewall logs and everything else. With Snort, I mean, if something trips a signature you're kind of interested in what's going on. Go ahead. Yeah, actually, yes, can I use Snort for any kind of a defensive mechanism? There's a tool called Hogwash, and the address for this is hogwash.sourceforge.net, and it's written or co-written by one of the Snort developers, and it's actually being integrated into the Snort CVS tree right now for Snort 1.9. It's going to be called inline Snort; it's just going to be a compile-time option. But basically instead of an alert, you know, you rewrite a Snort rule, instead of the alert variable to, like, you know, alert and write to a file or something, you can do drops. And so for a TCP connection it'll send a reset back as soon as it realizes that the packet matches the payload for, say, like a Code Red attack or something. And it also has content replacement, so, you know, going back to Code Red you could say replace cmd.exe with xyz.com, or replace the first, you know, four or five bytes of a shellcode slide or something with nulls, and those, you know, even if your system is unpatched you're still going to be protected to an extent, because you're just basically screwing up the exploit. And it kind of confuses the attacker, because if they're sending like a cmd.exe request they're just going to get back, you know, a 404 or something, because their request is being modified halfway through. So it can, and that's kind of a mixed blessing, because if they're really clever and they start going, well, hey, what's going on, I know that I was able to get to that, you know, two days ago or
something, they start digging in deeper, they may be able to figure out that you're running something like Hogwash on your network. But a lot of people are actually deploying that outside their firewall to grab stuff before it hits their DMZ, and it's pretty effective. Go ahead. Yeah, he just mentioned AIDE is another file integrity tool. I really like Tripwire, I like the signature syntax, it's really flexible, and it's pretty easy to write some pretty custom rules really fast.

Okay, just some miscellaneous stuff. You should throw these on all your machines, like, you know, use ntpdate, crontab it, and have it sync time with, you know, an internal time server or something out on the Internet, so, you know, your logs are always in sync and up to date. I know some of this stuff seems basic, but a lot of people don't do it. In the ttys file change the secure flag to insecure on all your local TTYs, and that's just basically going to prevent root from logging in directly, so you're just going to have to force somebody to log in as themselves and then su to root or use sudo or something. And also in sshd_config there's a PermitRootLogin, and I think by default it's yes, so obviously, you know, change that to no; you don't want people logging into your system as root. I mean, never, whenever possible, don't use the root password for some kind of authentication; at the very most use it, you know, to su to root or something, but if you can, use sudo, because you're able to restrict who knows the root password on your system, and you can granularly lock down, you know, who can do what on your machine, and they don't need the root password.
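The sshd_config points made above (PermitRootLogin, AllowUsers/AllowGroups, privilege separation) can be checked mechanically. The following is an added example, not code from the talk or from the OpenSSH project. Both sample configs are constructed; the keyword names are real sshd_config keywords. Two defaults are assumptions about the OpenSSH releases of that era rather than facts stated by the speaker beyond "I think by default it's yes": an absent PermitRootLogin is treated as yes, an absent UsePrivilegeSeparation as no, and an absent Protocol as 2,1. Current OpenSSH releases default differently, so the assumed defaults are isolated in the code so they can be adjusted.

```python
"""Audit an sshd_config for the settings discussed in the talk: PermitRootLogin,
AllowUsers/AllowGroups, UsePrivilegeSeparation and SSH protocol 1.

Added example, not from the talk or the OpenSSH project. Sample configs are
constructed. The "unset" defaults below are assumptions about OpenSSH of the
talk's era, matching the speaker's "I think by default it's yes".
"""
from typing import Dict, List

# Assumed defaults for an absent keyword (OpenSSH of that era; adjust for today's releases).
ASSUMED_DEFAULTS = {
    "permitrootlogin": ["yes"],
    "useprivilegeseparation": ["no"],
    "protocol": ["2,1"],
}

# Constructed: roughly what an untouched sshd_config of the time looked like.
WEAK_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
Port 22
Protocol 2,1
#PermitRootLogin yes
UsePrivilegeSeparation no
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed: the same file after applying the talk's recommendations.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
UsePrivilegeSeparation yes
AllowGroups wheel sshusers
DenyUsers ftponly
Subsystem sftp /usr/libexec/sftp-server
"""


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map each active keyword (lower-cased; sshd keywords are case-insensitive)
    to its value tokens. Commented-out lines are ignored, exactly as sshd does,
    which is why '#PermitRootLogin yes' still leaves the built-in default active."""
    config: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword, values = parts[0].lower(), parts[1:]
        # sshd honours only the first occurrence of a keyword.
        config.setdefault(keyword, values)
    return config


def setting(cfg: Dict[str, List[str]], keyword: str) -> str:
    """First value of a keyword, falling back to the assumed default."""
    return cfg.get(keyword, ASSUMED_DEFAULTS.get(keyword, [""]))[0].lower()


def audit_sshd_config(text: str) -> List[str]:
    """Return one finding per setting that contradicts the talk's advice."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []

    root_login = setting(cfg, "permitrootlogin")
    if root_login != "no":
        findings.append(f"PermitRootLogin is '{root_login}': root can log in directly; "
                        "set it to no and have people su or sudo")

    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: every local account, FTP-only ones "
                        "included, may attempt an SSH login")

    if setting(cfg, "useprivilegeseparation") != "yes":
        findings.append("UsePrivilegeSeparation is not yes: a compromised sshd keeps root privileges")

    if "1" in setting(cfg, "protocol").split(","):
        findings.append("Protocol 1 enabled: SSH-1 is cryptographically weak; use Protocol 2 only")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"[{label}]")
        for finding in audit_sshd_config(text) or ["no findings"]:
            print("  -", finding)
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means the four settings match the talk's advice. The parser deliberately keeps only the first occurrence of a keyword, because that is the one sshd uses, so a hardened line appended below an earlier permissive one would be correctly reported as ineffective.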
The last one is a kernel configuration that you can do. It's a pseudo-device that you can enable called the snp device, and you can go ahead and use that; I think the tool is called watch, in the /usr/sbin directory, and you can attach to a TTY on your machine. It's non-interactive, you can't type back, but you can watch what somebody's doing and you can monitor them as they're going along.

Okay, so here's some related stuff. Here's the link that this presentation is going to be available at with some of the updated info, and freebsd.org/security, I mean you definitely want to bookmark that and check that out pretty often, because that's where they post all the security advisories, and there's also a security how-to; it's kind of outdated, it was written a few years ago, but it's got some good info. And I've got some free stuff for you guys from the FreeBSD Mall guys. I think I've almost got enough for every single person in here, and so yeah, Murray, the guy who runs FreeBSD Mall, heard I was gonna be talking about FreeBSD and so we were talking. If you guys want to come up I've got, actually, let me do t-shirts first, everybody likes t-shirts. I've got to give my plug first: these are made by my friend Tim, and he works for a company called hacksawware.com, and nobody else has these t-shirts, these are all like zero... What was your question, sir? What was his comment, man? That's what happens when you resist arrest. Very good, sir, you must be a cop. Next year, folks, spot the fed.
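The talk leans on file integrity checking twice: Tripwire with its database kept on a floppy, and the trojanproof.org kernel module hashing binaries as they execute. The following is an added example of the user-space half of that idea, not code from the talk, from Tripwire or from trojanproof.org. It records a digest plus ownership, mode and size for every regular file under a directory, serialises the baseline (the copy you would move to read-only media), and later reports added, removed and changed files. SHA-256 is used in place of the MD5 those tools used; the algorithm is a parameter. The demo tree and the changes made to it are constructed in a temporary directory.

```python
"""Tripwire-style file integrity baseline and verification.

Added example, not from the talk, Tripwire or trojanproof.org. SHA-256 stands
in for the MD5 used by the tools discussed; the demo tree is constructed.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict

FIELDS = ("digest", "mode", "uid", "gid", "size")


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large binaries stay out of memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str, algorithm: str = "sha256") -> Dict:
    """Walk root and record every regular file. Symlinks and special files are
    skipped; a symlink's target is recorded under its own path."""
    files: Dict[str, Dict] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = {
                "digest": hash_file(full, algorithm),
                "mode": stat.S_IMODE(st.st_mode),  # catches a newly added setuid bit
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return {"algorithm": algorithm, "files": files}


def verify(root: str, baseline: Dict) -> Dict:
    """Compare the tree under root with a stored baseline."""
    old = baseline["files"]
    now = build_baseline(root, baseline["algorithm"])["files"]
    report = {
        "added": sorted(set(now) - set(old)),
        "removed": sorted(set(old) - set(now)),
        "changed": {},
    }
    for rel in sorted(set(old) & set(now)):
        diffs = [field for field in FIELDS if old[rel][field] != now[rel][field]]
        if diffs:
            report["changed"][rel] = diffs
    return report


def demo() -> Dict:
    """Build a baseline on a constructed tree, apply the kinds of change an
    integrity checker exists to catch, and return the verification report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: str) -> str:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)
            return path

        write("bin/ls", "ls v1\n")
        sh = write("bin/sh", "sh\n")
        motd = write("etc/motd", "Welcome\n")

        # Serialise and reload: this round trip stands in for the floppy copy.
        stored = json.dumps(build_baseline(root))
        baseline = json.loads(stored)

        write("bin/ls", "ls v1 with extra code\n")  # replaced binary: digest and size differ
        os.chmod(sh, 0o4755)                          # setuid bit added: mode differs
        write("etc/rc.local", "# constructed\n")      # new file
        os.remove(motd)                               # removed file
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

As the speaker warns, the report is only as useful as the scope you give it: run `build_baseline` over `/bin`, `/sbin`, `/usr/bin`, `/usr/sbin` and `/etc` rather than the whole filesystem, or the noise from legitimately changing files drowns out the one replaced binary. The baseline must be stored somewhere the host cannot rewrite, otherwise an intruder simply regenerates it.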
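Earlier in the talk the DShield client is described as a script that parses IPFW logs into submittable data. The following is an added example of that parsing step, not code from the talk or from the DShield project, and it does not reproduce DShield's submission format; it turns ipfw syslog lines into structured records and summarises which sources are being denied on which ports, the per-host view you might email yourself nightly. The sample log lines are constructed with RFC 5737 documentation addresses, and the line layout assumed is the one ipfw writes to syslog for rules carrying the `log` keyword: `ipfw: <rule> <action> <proto> <src> <dst> in|out via <iface>`. IPv4 only.

```python
"""Parse FreeBSD ipfw syslog lines into records and summarise denied traffic.

Added example, not from the talk or the DShield project. Sample lines are
constructed; the assumed layout is ipfw's "rule action proto src dst in|out
via iface" syslog form. IPv4 endpoints only.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample of /var/log/security: four ipfw denies and one unrelated line.
SAMPLE_LOG = """\
Aug  2 03:14:07 bsdhost kernel: ipfw: 300 Deny TCP 192.0.2.45:4129 198.51.100.7:22 in via fxp0
Aug  2 03:14:09 bsdhost kernel: ipfw: 300 Deny UDP 192.0.2.45:1025 198.51.100.7:137 in via fxp0
Aug  2 03:15:22 bsdhost kernel: ipfw: 65000 Deny ICMP:8.0 192.0.2.99 198.51.100.7 in via fxp0
Aug  2 03:16:01 bsdhost sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 5000 ssh2
Aug  2 03:17:40 bsdhost kernel: ipfw: 300 Deny TCP 192.0.2.45:4130 198.51.100.7:22 in via fxp0
"""

IPFW_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'192.0.2.45:4129' -> ('192.0.2.45', 4129); ICMP endpoints carry no port."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_ipfw_line(line: str) -> Optional[Dict]:
    """One syslog line -> record dict, or None for lines ipfw did not write."""
    m = IPFW_LINE.match(line)
    if not m:
        return None  # sshd, cron, kernel messages that are not ipfw: skip
    src_ip, src_port = split_endpoint(m.group("src"))
    dst_ip, dst_port = split_endpoint(m.group("dst"))
    return {
        "timestamp": m.group("ts"),   # syslog carries no year; add it when submitting
        "host": m.group("host"),
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "direction": m.group("direction"),
        "iface": m.group("iface"),
    }


def parse_log(text: str) -> List[Dict]:
    """All ipfw records in a log file's text, in file order."""
    return [r for r in (parse_ipfw_line(line) for line in text.splitlines()) if r]


def top_sources(records: List[Dict], action: str = "Deny") -> Counter:
    """Denied packets per source address: the nightly summary worth emailing."""
    return Counter(r["src_ip"] for r in records if r["action"] == action)


def ports_probed(records: List[Dict], src_ip: str) -> List[int]:
    """Distinct destination ports one source tried; several in a short window
    is the pattern worth a second look in the morning."""
    return sorted({r["dst_port"] for r in records
                   if r["src_ip"] == src_ip and r["dst_port"] is not None})


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for src, count in top_sources(records).most_common():
        print(f"{src:16} {count:4} denied, ports {ports_probed(records, src)}")
```

Pointed at `/var/log/security` from a nightly cron job, `top_sources` plus `ports_probed` gives the "who is connecting to your machine" view the speaker describes, and the records are structured enough to hand to whatever submission or correlation tool you use.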