FreeBSD
Geli Harddisk Encryption
On the following page, I explain how to implement harddisk encryption with Geli.
Replacing a Harddisk
Here we show how to move a UFS-based system from an old disk to a new one, ada2 in the example. Every partition gets a GPT label (prefixed otrs here) so that /etc/fstab on the new disk does not depend on the device name the disk gets after the swap.
# gpart destroy -F ada2
# gpart create -s gpt ada2
# gpart add -t freebsd-boot -l otrsboot -b 40 -s 512k -a 4k ada2
# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada2
# gpart add -t freebsd-ufs -l otrsrootfs -b 1M -s 10G -a 4k ada2
# gpart add -t freebsd-swap -l otrsswap -s 16G -a 4k ada2
# gpart add -t freebsd-ufs -l otrsvarfs -s 2G -a 4k ada2
# gpart add -t freebsd-ufs -l otrstmpfs -s 500M -a 4k ada2
# gpart add -t freebsd-ufs -l otrsjotrs -s 100G -a 4k ada2
# gpart add -t freebsd-ufs -l otrsjworkstation -s 100G -a 4k ada2
# gpart add -t freebsd-ufs -l otrsjails -s 100G -a 4k ada2
# gpart add -t freebsd-ufs -l otrsusrfs -a 4k ada2
# gpart show -l ada2
# newfs -U /dev/gpt/otrsrootfs
# newfs -U /dev/gpt/otrsvarfs
# newfs -U /dev/gpt/otrstmpfs
# newfs -U /dev/gpt/otrsjotrs
# newfs -U /dev/gpt/otrsjworkstation
# newfs -U /dev/gpt/otrsjails
# newfs -U /dev/gpt/otrsusrfs
Mount the new root filesystem on /mnt and the other new filesystems at their places below it (/mnt/var, /mnt/tmp, /mnt/usr, ...), then copy the old system over. Copy one filesystem at a time and do not cross mount points, otherwise tar would also pick up devfs, procfs and the new disk itself under /mnt; compressing a local pipe only costs CPU:
# tar cf - --one-file-system -C / . | tar xpf - -C /mnt
Repeat this for /var, /tmp, /usr and every jail filesystem that lives on its own partition on the old disk. Before booting from the new disk, write an /etc/fstab on the new root that refers to the /dev/gpt/otrs* labels.
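The whole disk replacement as one reviewable script, added here as an example and not code from the original page. It reproduces the layout above with the page's labels, generates a label-based fstab, and copies the running system one filesystem at a time. Every command passes through run(), which only prints the command unless DRY_RUN=0, so the plan can be inspected before anything touches the disk. The mount points of the three jail filesystems are not given on the page, so the script leaves them out of fstab for the administrator to add.

```sh
#!/bin/sh
# Added example (not from the original page): the disk replacement above
# as one reviewable script. Every command goes through run(), which only
# prints it unless DRY_RUN=0, so the plan can be checked before anything
# touches the disk. Labels follow the page (prefix "otrs"); the mount
# points of the three jail filesystems are not given on the page and are
# left for the administrator to add to fstab.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 0 ]; then "$@"; else printf '# %s\n' "$*"; fi
}

# partition_disk DISK PREFIX: GPT layout from the page; the last
# partition takes whatever space remains. -F is needed because
# gpart destroy refuses to remove a table that still has partitions.
partition_disk() {
    disk=$1 p=$2
    run gpart destroy -F "$disk"
    run gpart create -s gpt "$disk"
    run gpart add -t freebsd-boot -l "${p}boot" -b 40 -s 512k -a 4k "$disk"
    run gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 "$disk"
    run gpart add -t freebsd-ufs -l "${p}rootfs" -b 1M -s 10G -a 4k "$disk"
    run gpart add -t freebsd-swap -l "${p}swap" -s 16G -a 4k "$disk"
    for spec in varfs:2G tmpfs:500M jotrs:100G jworkstation:100G jails:100G; do
        run gpart add -t freebsd-ufs -l "${p}${spec%%:*}" -s "${spec#*:}" -a 4k "$disk"
    done
    run gpart add -t freebsd-ufs -l "${p}usrfs" -a 4k "$disk"
}

# make_filesystems PREFIX: UFS with soft updates on every data partition.
make_filesystems() {
    p=$1
    for fs in rootfs varfs tmpfs jotrs jworkstation jails usrfs; do
        run newfs -U "/dev/gpt/${p}${fs}"
    done
}

# gen_fstab PREFIX: fstab for the new disk. Using the GPT labels means it
# keeps working when the disk shows up as ada0 instead of ada2 after
# the swap. Jail filesystems: add them with your own mount points.
gen_fstab() {
    p=$1
    printf '# Device\t\tMountpoint\tFStype\tOptions\tDump\tPass#\n'
    printf '/dev/gpt/%srootfs\t/\t\tufs\trw\t1\t1\n' "$p"
    printf '/dev/gpt/%sswap\tnone\t\tswap\tsw\t0\t0\n' "$p"
    for fs in var tmp usr; do
        printf '/dev/gpt/%s%sfs\t/%s\t\tufs\trw\t2\t2\n' "$p" "$fs" "$fs"
    done
}

# copy_system PREFIX TARGET: mount the new filesystems below TARGET and
# copy the running system one filesystem at a time. --one-file-system
# keeps tar out of devfs, procfs and TARGET itself; -p on the extracting
# side restores ownership, modes and flags. No compression: it only
# costs CPU on a local pipe.
copy_system() {
    p=$1 t=$2
    run mount "/dev/gpt/${p}rootfs" "$t"
    for fs in var tmp usr; do
        run mkdir -p "$t/$fs"
        run mount "/dev/gpt/${p}${fs}fs" "$t/$fs"
    done
    for src in / /var /tmp /usr; do
        run sh -c "tar cf - --one-file-system -C '$src' . | tar xpf - -C '$t$src'"
    done
    if [ "$DRY_RUN" = 0 ]; then
        gen_fstab "$p" > "$t/etc/fstab"
    else
        printf '# write %s/etc/fstab:\n' "$t"; gen_fstab "$p"
    fi
}

# Dry run of the whole procedure for the page's disk and labels. Review
# the output, then rerun as root with DRY_RUN=0 to apply it.
partition_disk ada2 otrs
make_filesystems otrs
copy_system otrs /mnt
```

Run it once without arguments to see the exact gpart, newfs, mount and tar commands and the fstab it would write; only when that matches the intended layout run it again as root with DRY_RUN=0. The jail filesystems are created and formatted but, as on the page, not mounted or listed in fstab, since their mount points are a local decision.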
The audit subsystem (audit(4)) records security-relevant events such as logins and privilege changes; which event classes are recorded is configured in /etc/security/audit_control. Enable the audit daemon with:
# echo auditd_enable=\"YES\" >> /etc/rc.conf
See the Handbook chapter for further information.
Some Hardening Topics
Some things to remember – unfortunately far from being complete.
Securelevel
Lowest: -1, Highest: 3. On a running system the securelevel can only be raised (sysctl kern.securelevel=N); lowering it again needs a reboot. From level 1 on, kernel modules can no longer be loaded or unloaded, the system immutable and append-only file flags cannot be cleared, /dev/io cannot be opened and /dev/mem, /dev/kmem and the raw devices of mounted disks cannot be written; level 3 additionally freezes the ipfw, ipfilter and pf rule sets. Make sure everything you need (kernel modules, the X server on older hardware) is loaded or running before init raises the level, then set it to the highest:
# echo kern_securelevel_enable=\"YES\" >> /etc/rc.conf
# echo kern_securelevel=3 >> /etc/rc.conf
Open Ports
Check for open ports using
# sockstat -4
# sockstat -6
Xorg
In startx (/usr/X11R6/bin/startx on old releases, /usr/local/bin/startx today) set the server arguments so that the X server does not open a TCP listener:
serverargs="-nolisten tcp"
Recent Xorg releases already default to not listening on TCP, so this may be the case anyway; check with sockstat that port 6000 is no longer listening.
syslogd
If you do not need to receive log messages from other hosts, run syslogd with -ss: a single -s ignores messages from remote hosts, -ss additionally keeps syslogd from opening a network socket at all (which also disables logging to remote hosts). Add to /etc/rc.conf:
# echo syslogd_enable=\"YES\" >> /etc/rc.conf
# echo syslogd_flags=\"-ss\" >> /etc/rc.conf
Clear /tmp
To have /tmp emptied at every boot, set
# echo clear_tmp_enable=\"YES\" >> /etc/rc.conf
Prevent Remote Login
To deny members of wheel, the accounts that can become root, every login that does not come from a local terminal, add to /etc/login.access:
-:wheel:ALL EXCEPT LOCAL
Replace wheel with ALL to deny every account a remote login. Two caveats: LOCAL matches any origin string without a dot, so besides console ttys an unqualified remote host name would also pass, and the file is only consulted through pam_login_access(8), which /etc/pam.d/login and /etc/pam.d/sshd include by default but other services may not.
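Since most of the hardening items above are rc.conf knobs plus a sockstat check, here is a small script, added as an example and not taken from the original page, that verifies a host against them. rc_conf_missing compares a rc.conf against the knobs the page asks for, unexpected_listeners reports every listening socket in sockstat -46l output whose port is not on an allow list (the X server on 6000 and syslogd on 514 being the two cases discussed above), and check_host runs both plus the securelevel check on a live FreeBSD system. The rc.conf and sockstat samples at the end are constructed, and treating port 25 as a wanted listener is an assumption for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original page): check a host against the
# hardening items above. rc_conf_missing and unexpected_listeners take
# their input from a file or stdin so they can be run against a saved
# copy of rc.conf or of `sockstat -46l` output; check_host runs them
# against the live system. The rc.conf and sockstat samples at the end
# are constructed, and port 25 is an assumed example of a wanted listener.

# Knobs this page asks for (kern_securelevel is written unquoted on the
# page; norm() strips quotes so both spellings compare equal).
expected_rc_conf='auditd_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="3"
syslogd_flags="-ss"
clear_tmp_enable="YES"'

# norm: strip surrounding whitespace, trailing comments and double quotes
norm() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*#.*$//' \
        -e 's/[[:space:]]*$//' -e 's/"//g'
}

# rc_conf_missing FILE: print each expected knob whose value in FILE is
# absent or different (the last assignment wins, as it does for sh).
rc_conf_missing() {
    file=$1
    printf '%s\n' "$expected_rc_conf" | norm | while IFS= read -r want; do
        key=${want%%=*}
        have=$(grep -E "^[[:space:]]*${key}=" "$file" 2>/dev/null | tail -n 1 | norm)
        [ "$have" = "$want" ] || printf '%s\n' "$want"
    done
}

# unexpected_listeners "PORT PORT ...": read sockstat -46l output on
# stdin and print user, command and local address of every listener
# whose port is not in the allow list. Column 6 is LOCAL ADDRESS; the
# port is whatever follows the last colon, which also works for IPv6.
unexpected_listeners() {
    awk -v allowed=" $1 " 'NR > 1 && $6 ~ /:[0-9]+$/ {
        port = $6; sub(/.*:/, "", port)
        if (index(allowed, " " port " ") == 0) print $1, $2, $6
    }'
}

# check_host "PORT PORT ...": run all checks on a live FreeBSD system.
check_host() {
    rc_conf_missing /etc/rc.conf | sed 's/^/rc.conf missing: /'
    level=$(sysctl -n kern.securelevel)
    [ "$level" = 3 ] || printf 'kern.securelevel is %s, page expects 3\n' "$level"
    sockstat -46l | unexpected_listeners "$1" | sed 's/^/unexpected listener: /'
}

# Constructed samples: rc.conf without syslogd_flags, sockstat output
# with the X server and syslogd still listening.
sample_rc_conf='hostname="otrs"
sshd_enable="YES"
auditd_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel=3   # appended with echo >> /etc/rc.conf
syslogd_enable="YES"
clear_tmp_enable="YES"'

sample_sockstat='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       713   4  tcp6   *:22                  *:*
root     sshd       713   5  tcp4   *:22                  *:*
root     syslogd    562   6  udp4   *:514                 *:*
root     Xorg       901   3  tcp4   *:6000                *:*
root     sendmail   700   3  tcp4   127.0.0.1:25          *:*'

if [ "$(uname -s)" = FreeBSD ]; then
    check_host "22 25"
else
    tmp=$(mktemp)
    printf '%s\n' "$sample_rc_conf" > "$tmp"
    rc_conf_missing "$tmp" | sed 's/^/rc.conf missing: /'
    rm -f "$tmp"
    printf '%s\n' "$sample_sockstat" | unexpected_listeners "22 25" | sed 's/^/unexpected listener: /'
fi
```

On the constructed samples the script reports the missing syslogd_flags="-ss" and the two listeners on 514 and 6000; on a FreeBSD host it checks the real /etc/rc.conf, kern.securelevel and sockstat output instead. The allow list is deliberately explicit: a port not on it is reported, so a new daemon that starts listening shows up rather than being silently accepted.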