Security related sysctl variables
# users can't see the processes, sockets, etc, of other users using ps, netstat, procfs, and other tools.
sysctl -w security.bsd.see_other_uids=0
# users can't see the processes, sockets, etc, of users in other groups using ps, netstat, procfs, and other tools.
sysctl -w security.bsd.see_other_gids=0
# unprivileged processes can't invoke system debugging primitives, such as ptrace, procfs, ktrace, etc.
sysctl -w security.bsd.unprivileged_proc_debug=1
# unprivileged processes can't read the system console message buffer.
sysctl -w security.bsd.unprivileged_read_msgbuf=0
# users can only hard link to objects that match their uid.
sysctl -w security.bsd.hardlink_check_uid=1
# users can only hard link to objects that match one of their gids.
sysctl -w security.bsd.hardlink_check_gid=1
# users can't request their live quota information.
sysctl -w security.bsd.unprivileged_get_quota=0
sysctl -w net.inet.ip.redirect=0
sysctl -w net.inet.icmp.drop_redirect=1
sysctl -w net.inet.icmp.log_redirect=1
# Maximum number of ICMP "Unreachable" and TCP RST packets sent back per second.
sysctl -w net.inet.icmp.icmplim=100
# Drop TCP SYN to a closed port without an RST reply
sysctl -w net.inet.tcp.blackhole=2
# Drop UDP without a port unreachable reply
sysctl -w net.inet.udp.blackhole=1
sysctl -w net.inet.ip.random_id=1
# Drop connections that take longer than 10 seconds to complete the TCP handshake.
sysctl -w net.inet.tcp.msl=10000
# Embryonic connection table size
sysctl -w kern.ipc.somaxconn=4096
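A small audit script for the list above, added here as an example rather than taken from the original notes: it compares each recommended sysctl with the running kernel (or with a constructed snapshot, so it can be exercised offline) and prints every OID that deviates, which is the check to run after a reboot to confirm the values actually stuck. The snapshot format and the use of sysctl -n are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a FreeBSD host against
# the hardening sysctls listed above and report every OID that deviates.

# Desired state, copied from the sysctl lines above, as oid=value words.
BASELINE="security.bsd.see_other_uids=0 security.bsd.see_other_gids=0
security.bsd.unprivileged_proc_debug=1 security.bsd.unprivileged_read_msgbuf=0
security.bsd.hardlink_check_uid=1 security.bsd.hardlink_check_gid=1
security.bsd.unprivileged_get_quota=0 net.inet.ip.redirect=0
net.inet.icmp.drop_redirect=1 net.inet.icmp.log_redirect=1
net.inet.icmp.icmplim=100 net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1
net.inet.ip.random_id=1 net.inet.tcp.msl=10000 kern.ipc.somaxconn=4096"

# Constructed snapshot (same format) of a host that only partly applied the
# list: four values differ and kern.ipc.somaxconn is absent. Lets the audit
# run offline; pass an empty snapshot to query the live kernel instead.
SAMPLE_SNAPSHOT="security.bsd.see_other_uids=1 security.bsd.see_other_gids=1
security.bsd.unprivileged_proc_debug=1 security.bsd.unprivileged_read_msgbuf=0
security.bsd.hardlink_check_uid=1 security.bsd.hardlink_check_gid=1
security.bsd.unprivileged_get_quota=0 net.inet.ip.redirect=1
net.inet.icmp.drop_redirect=1 net.inet.icmp.log_redirect=1
net.inet.icmp.icmplim=200 net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1
net.inet.ip.random_id=1 net.inet.tcp.msl=10000"

# Print the current value of one OID: from the snapshot when given, otherwise
# from the running kernel via sysctl -n. Prints nothing if the OID is unknown.
current_value() {
    oid=$1; snapshot=$2
    if [ -z "$snapshot" ]; then
        sysctl -n "$oid" 2>/dev/null
        return 0
    fi
    for pair in $snapshot; do
        [ "${pair%%=*}" = "$oid" ] && { printf '%s\n' "${pair#*=}"; return 0; }
    done
    return 0
}

# One line per deviating OID, "<oid> expected=<want> actual=<have|missing>";
# no output means the host matches the baseline. Always exits 0.
audit_sysctls() {
    for pair in $BASELINE; do
        oid=${pair%%=*}; want=${pair#*=}
        have=$(current_value "$oid" "$1")
        [ "$have" = "$want" ] ||
            printf '%s expected=%s actual=%s\n' "$oid" "$want" "${have:-missing}"
    done
    return 0
}
```

Run `audit_sysctls ""` as root on the host itself to check the live kernel; `audit_sysctls "$SAMPLE_SNAPSHOT"` shows the five deviations built into the constructed snapshot.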
Mount ISO Image on FreeBSD 5.x
# mdconfig -a -t vnode -f image.iso -u 0
# mount -t cd9660 /dev/md0 /mnt/iso
Unmount ISO Image on FreeBSD 5.x
# umount /mnt/iso
# mdconfig -d -u 0
Mount ISO Image on FreeBSD 4.x
# vnconfig -c vn0c image.iso
# mount -t cd9660 /dev/vn0c /mnt/whatever
Unmount ISO Image on FreeBSD 4.x
# umount /mnt/whatever
# vnconfig -u vn0c
Upgrade Perl Version from 5.8.6 to 5.8.8
1) Install the perl5.8 port
$ cd /usr/ports/lang/perl5.8
$ make install
2) Set the new version of perl to be the default. (This also turns off building perl as part of the base system):
3) Re-install any 3rd party modules, etc that you've installed so the new perl can access them.
$ find /usr/local/lib/perl5/{site_perl/5.8.6,5.8.6} -type f -print0 | xargs -0 -n 1 pkg_which | sort -u > /tmp/perl-ports
$ vi /tmp/perl-ports (Be sure to sanity check the results)
$ portupgrade -f `cat /tmp/perl-ports`
Setting blowfish as the default password encryption method
In /etc/login.conf change
to
and recreate the login capability database:
$ cap_mkdb /etc/login.conf
Now have each user change their password. Start with your current login.
$ passwd
Changing local password for {current user}.
new password:
retype new password:
passwd: updating the database. . .
passwd: done
To confirm your changes, type:
$ grep ${USER} /etc/master.passwd | cut -d: -f2
The second field of master.passwd, which holds the password hash, should now begin with $2, indicating that Blowfish is in use.
Then in /etc/auth.conf change
to
All new users you create with adduser from now on will have their passwords hashed with Blowfish.
- Configure syslog to listen on a single IPv4 interface
$ echo "syslogd_flags=\"-4 -b 192.168.0.205\"" >> /etc/rc.conf
- Creating a New File-Backed Disk with mdconfig
$ dd if=/dev/zero of=newimage bs=1k count=5k
5120+0 records in
5120+0 records out
$ mdconfig -a -t vnode -f newimage -u 0
$ bsdlabel -w md0 auto
$ newfs md0a
/dev/md0a: 5.0MB (10224 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 1.25MB, 80 blks, 192 inodes.
super-block backups (for fsck -b #) at:
160, 2720, 5280, 7840
$ mount /dev/md0a /mnt
$ df /mnt
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0a 4710 4 4330 0% /mnt