FreeBSD

Geli Harddisk Encryption

On this page I explain how to implement hard disk encryption with Geli.

Replacing a Hard Disk

Here I explain how to move from an old disk to a new one using UFS. The new disk is ada2 in the commands below; the GPT labels (otrs*) give every partition a stable /dev/gpt/<label> name that does not change when the device number does. The last freebsd-ufs partition is added without -s and therefore takes all remaining space.


# gpart destroy ada2

# gpart create -s gpt ada2

# gpart add -t freebsd-boot -l otrsboot -b 40 -s 512k -a 4k ada2

# gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada2

# gpart add -t freebsd-ufs -l otrsrootfs -b 1M -s 10G -a 4k ada2

# gpart add -t freebsd-swap -l otrsswap -s 16G -a 4k ada2

# gpart add -t freebsd-ufs -l otrsvarfs -s 2G -a 4k ada2

# gpart add -t freebsd-ufs -l otrstmpfs -s 500M -a 4k ada2

# gpart add -t freebsd-ufs -l otrsjotrs -s 100G -a 4k ada2

# gpart add -t freebsd-ufs -l otrsjworkstation -s 100G -a 4k ada2

# gpart add -t freebsd-ufs -l otrsjails -s 100G -a 4k ada2

# gpart add -t freebsd-ufs -l otrsusrfs -a 4k ada2

# gpart show -l ada2

# newfs -U /dev/gpt/otrsrootfs

# newfs -U /dev/gpt/otrsvarfs

# newfs -U /dev/gpt/otrstmpfs

# newfs -U /dev/gpt/otrsjotrs

# newfs -U /dev/gpt/otrsjworkstation

# newfs -U /dev/gpt/otrsjails

# newfs -U /dev/gpt/otrsusrfs


Mount all new partitions in the right places under a temporary mount point (here /mnt is assumed, with the var, tmp, jail and usr filesystems mounted beneath it) and copy the old system over. The extracting tar has to run with that mount point as its working directory, and the mount point itself is excluded so the archive does not recurse into the copy:

# tar czpf - --exclude /mnt / | (cd /mnt && tar xzpf -)
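Before running newfs it pays to confirm that the partition table really carries every label the later steps use, and that the boot partition is the one `gpart bootcode -i 1` was pointed at. The following script is an added example, not part of the original page: it parses a `gpart show -l` listing and reports missing labels. The listing embedded in it is constructed to match the layout above (sizes are illustrative); on a real host feed in the live output as shown in the comment at the bottom.

```shell
#!/bin/sh
# Added example (not from the original page): check a `gpart show -l` listing
# for the labels the newfs and mount steps rely on, before any filesystem is
# written. The listing below is constructed to match the layout above; sizes
# are illustrative, not copied from a real disk.
SAMPLE_GPART_SHOW='=>        40  1953525088  ada2  GPT  (932G)
          40        1024     1  otrsboot  (512K)
        1064         984        - free -  (492K)
        2048    20971520     2  otrsrootfs  (10G)
    20973568    33554432     3  otrsswap  (16G)
    54525952     4194304     4  otrsvarfs  (2.0G)
    58720256     1024000     5  otrstmpfs  (500M)
    59744256   209715200     6  otrsjotrs  (100G)
   269459456   209715200     7  otrsjworkstation  (100G)
   479174656   209715200     8  otrsjails  (100G)
   688889856  1264635272     9  otrsusrfs  (603G)'

# Every label the procedure formats or mounts via /dev/gpt/<label>.
EXPECTED_LABELS="otrsboot otrsrootfs otrsswap otrsvarfs otrstmpfs otrsjotrs otrsjworkstation otrsjails otrsusrfs"

# gpt_labels LISTING: print one label per line. Partition lines have a numeric
# index in field 3 and the label in field 4; the "=>" header line and the
# "- free -" lines are skipped.
gpt_labels() {
    printf '%s\n' "$1" | awk '$1 != "=>" && $3 ~ /^[0-9]+$/ { print $4 }'
}

# gpt_index LISTING LABEL: print the partition index carrying LABEL, so the
# `-i 1` given to gpart bootcode can be checked against the boot partition.
gpt_index() {
    printf '%s\n' "$1" | awk -v l="$2" '$1 != "=>" && $3 ~ /^[0-9]+$/ && $4 == l { print $3 }'
}

# check_gpt_labels LISTING LABEL...: return 0 if every LABEL is present,
# otherwise list the missing ones on stderr and return 1.
check_gpt_labels() {
    listing=$1; shift
    found=" $(gpt_labels "$listing" | tr '\n' ' ') "
    missing=""
    for want in "$@"; do
        case "$found" in
            *" $want "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf 'missing GPT labels:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# On a real host, once the table has been created:
#   check_gpt_labels "$(gpart show -l ada2)" $EXPECTED_LABELS && echo "layout OK"
# Demo with the constructed listing:
if [ "${1:-}" = "--demo" ]; then
    check_gpt_labels "$SAMPLE_GPART_SHOW" $EXPECTED_LABELS && echo "layout OK"
    echo "boot partition index: $(gpt_index "$SAMPLE_GPART_SHOW" otrsboot)"
fi
```

Run it with `--demo` to see it against the constructed listing; substitute the real `gpart show -l ada2` output to check the actual disk. The check is deliberately done on the listing text rather than on /dev/gpt, so it can run before the labels are in use and from a rescue system.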

Auditing can be pretty useful. Turn it on by adding the following to /etc/rc.conf:

# echo auditd_enable=\"YES\" >> /etc/rc.conf


See the Handbook chapter on Security Event Auditing for further information, in particular for the /etc/security/audit_control configuration.

Some Hardening Topics

Some things to remember; unfortunately the list is far from complete.


Securelevel

The securelevel ranges from -1 (lowest, the default) to 3 (highest). Root can raise it on a running system but never lower it; that takes a reboot. At level 1 and above, kernel modules can no longer be loaded or unloaded and the immutable and append-only file flags cannot be cleared, so raise it only once the system is fully configured.

Set to highest at boot:

# echo kern_securelevel_enable=\"YES\" >> /etc/rc.conf

# echo kern_securelevel=3 >> /etc/rc.conf


Open Ports

Check for open ports with the following commands (add -l to show only listening sockets):

# sockstat -4

# sockstat -6


Xorg

In /usr/X11R6/bin/startx (on current installs the script is /usr/local/bin/startx) set the server arguments such that

serverargs="-nolisten tcp"

Then check with sockstat that TCP port 6000 is no longer listening.
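Reading `sockstat` by eye works for a one-off check; for a repeatable one (after disabling a service such as X on port 6000, or from cron) it helps to compare the listeners against an allow list. The script below is an added example, not part of the original page: it parses `sockstat -4 -l` output and reports every network-reachable listener whose port is not allowed. The embedded sample output is constructed, not captured from a real host, and the allow list (22, 514) is an assumption for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): turn `sockstat -4 -l` output
# into a list of network-reachable listeners and flag any whose port is not
# on an allow list. The sample is constructed; it was not captured from a
# real host.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     syslogd    655   7  udp4   *:514                 *:*
root     Xorg       1234  3  tcp4   *:6000                *:*
www      nginx      2001  6  tcp4   127.0.0.1:8080        *:*'

# listeners LISTING: print "PROTO PORT COMMAND" for each listening socket.
# Listening sockets show "*:*" as the foreign address; sockets bound only to
# 127.0.0.1 are not reachable from the network and are left out.
listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $7 == "*:*" {
        n = split($6, a, ":")
        port = a[n]
        addr = substr($6, 1, length($6) - length(port) - 1)
        if (addr != "127.0.0.1") print $5, port, $2
    }'
}

# unexpected_listeners LISTING PORT...: print one line per listener whose
# port is not among the allowed PORTs (prints nothing when all are allowed).
unexpected_listeners() {
    listing=$1; shift
    listeners "$listing" | awk -v allow=" $* " '
        index(allow, " " $2 " ") == 0 {
            print "unexpected listener: " $1 " port " $2 " (" $3 ")"
        }'
}

# audit_listeners LISTING PORT...: return 1 (and print the report) if
# anything unexpected is listening, 0 otherwise; suitable as a cron check.
audit_listeners() {
    report=$(unexpected_listeners "$@")
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# On a live host:  audit_listeners "$(sockstat -4 -l)" 22 514
if [ "${1:-}" = "--demo" ]; then
    audit_listeners "$SAMPLE_SOCKSTAT" 22 514 || echo "review the listeners above"
fi
```

With the sample data the demo reports the Xorg socket on port 6000 and nothing else; after the `-nolisten tcp` change that line should disappear from the real output. IPv6 listeners from `sockstat -6 -l` can be checked the same way once the loopback test is extended to `::1`.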


syslogd

If you don't need to receive log messages from remote machines, run syslogd without any network socket (-ss) by adding the following to /etc/rc.conf:

# echo syslogd_enable=\"YES\" >> /etc/rc.conf

# echo syslogd_flags=\"-ss\" >> /etc/rc.conf


Clear /tmp

To clear the /tmp directory at startup, add the following to /etc/rc.conf:

# echo clear_tmp_enable=\"YES\" >> /etc/rc.conf
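All the rc.conf changes on this page append a line with `echo >> /etc/rc.conf`. That works once, but repeating a command appends a duplicate, and because rc.conf is sourced as a shell script the last assignment silently wins over the earlier ones. FreeBSD's own sysrc(8) solves this (`sysrc auditd_enable=YES`); the functions below are an added example, not from the original page, showing the same idempotent edit in portable sh so it can be exercised on a scratch file on any system. The file names and values in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): set an rc.conf variable
# idempotently, replacing an existing assignment instead of appending a
# duplicate. FreeBSD's sysrc(8) does this natively; this is a portable
# re-implementation for illustration and testing on a scratch file.

# set_rc_var FILE NAME VALUE: write NAME="VALUE" into FILE, replacing an
# existing assignment in place (first occurrence kept, later duplicates
# dropped) or appending when NAME is not yet present. The content is copied
# back rather than the file renamed, so FILE keeps its owner and mode.
set_rc_var() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    awk -v n="$name" -v v="$value" '
        BEGIN { done = 0 }
        $0 ~ ("^" n "=") { if (!done) { print n "=\"" v "\""; done = 1 }; next }
        { print }
        END { if (!done) print n "=\"" v "\"" }' "$file" > "$tmp" && cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# get_rc_var FILE NAME: print the effective value of NAME (the last
# assignment wins, exactly as when the file is sourced), with surrounding
# double quotes removed.
get_rc_var() {
    awk -v n="$2" -F= '
        $1 == n { v = substr($0, length(n) + 2) }
        END { gsub(/^"|"$/, "", v); print v }' "$1"
}

# Demo on a scratch file rather than the real /etc/rc.conf:
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    set_rc_var "$f" auditd_enable YES
    set_rc_var "$f" auditd_enable YES      # second call changes nothing
    set_rc_var "$f" kern_securelevel 3
    set_rc_var "$f" syslogd_flags -ss
    cat "$f"
    rm -f "$f"
fi
```

Point `set_rc_var` at /etc/rc.conf as root to use it for real; `get_rc_var` is handy for verifying what the boot scripts will actually see after an edit.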


Prevent Remote Login

To prevent remote login and allow only local (console) login for members of the wheel group, add the following rule to /etc/login.access:

-:wheel:ALL EXCEPT LOCAL