Tell about your best practices setting up a FreeBSD server
-
There are many guides on setting up / hardening your server. Books, the manual, all good resources.
I don't expect you to reproduce full books worth of content, or dump a lifetime of experience into a single post - but certainly anything you think important, under-covered or underappreciated in the "usual" resources, would be keen to know!
To start, if I had to call out one best practice that stuck on me, it would be keeping the base system minimal, and putting services into jails (or, maybe daemonless going forward).
-
Sidenote: some of the search results coming up
- https://docs.freebsd.org/en/books/handbook/security/
- https://github.com/wravoc/harden-freebsd (comments at https://forums.freebsd.org/threads/my-freebsd-hardening-script.89523/)
- https://www.freebsdsoftware.org/blog/hardening-freebsd-server/
- https://vez.mrsk.me/freebsd-defaults
- https://hardenedbsd.org/content/about
-
-
@nibori Wouldn't mind a list of sysctl.conf keys & values people use!
-
-
A few things I always do.

- Use ZFS. Unless you are severely memory constrained, ZFS is the sane choice. I even use ZFS for single disk installations.
- Set a ZFS refreservation to prevent the disk from filling up completely. ZFS does NOT like full disks.

      zfs create -o refreservation=<5-10 percent of total pool space> <poolname>/reserved

- Enable automagick ZFS scrubbing:

      sysrc -f /etc/periodic.conf daily_scrub_zfs_enable=YES
      sysrc -f /etc/periodic.conf daily_scrub_zfs_default_threshold=7

- My "standard" set of sysctl.conf settings; most of these can be set during installation. Most of them are security oriented, the last one is because the ZFS default is almost always too low.

      security.bsd.see_other_uids=0
      security.bsd.see_other_gids=0
      security.bsd.see_jail_proc=0
      security.bsd.unprivileged_read_msgbuf=0
      security.bsd.unprivileged_proc_debug=0
      kern.randompid=1
      vfs.zfs.vdev.min_auto_ashift=12

- Enable jumbo frames. Sizing is card dependent, and changes if I am using VLANs or not, but I aim for interfaces that are directly speaking IP to have an MTU of 9000, because damn near everything supports that. Ex:

      ifconfig_ix0="up mtu 9100 ... "
      create_args_vlan1005="vlan 1005 vlandev ix0 mtu 9000 ... "

- Disable various NIC offloading capabilities. I have never seen them work well under load. Your mileage may vary, and admittedly I haven't retested this since probably 13.something-RELEASE, but I was getting an order of magnitude better performance with it all switched off:

      ifconfig_ix0="... -rxcsum -rxcsum6 -txcsum -txcsum6 -tso -lro -vlanhwtag -vlanhwtso -vlanhwcsum -mextpg"

- Disable password authentication in /etc/ssh/sshd_config:

      ChallengeResponseAuthentication no
      PasswordAuthentication no
      UsePAM no

- Install rocinante, and bastille if this is going to be a jail host. I try to keep my base systems fairly lean.
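As an added example (not code from the thread or from any FreeBSD project), a POSIX sh audit that checks a captured `sysctl -a` listing (or sysctl.conf) and an sshd_config against the values listed in the post above. The function names and the two sample input files are my own constructions, so it runs offline on any host.

```shell
# Added audit helper: compares "key: value" / "key=value" sysctl text and an
# sshd_config against the post's hardening values. Samples are constructed.

EXPECTED_SYSCTLS="security.bsd.see_other_uids=0 security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0 security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0 kern.randompid=1
vfs.zfs.vdev.min_auto_ashift=12"
EXPECTED_SSHD="PasswordAuthentication=no ChallengeResponseAuthentication=no UsePAM=no"

# audit_sysctl FILE: prints each key whose value differs from the expected
# list; returns 1 on any mismatch, 0 when everything matches.
audit_sysctl() {
    rc=0
    for kv in $EXPECTED_SYSCTLS; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(awk -F'[=:] *' -v k="$key" '$1 == k { print $2; exit }' "$1")
        if [ "$have" != "$want" ]; then
            echo "$key: want $want, have ${have:-<unset>}"; rc=1
        fi
    done
    return $rc
}

# audit_sshd FILE: directive names are case-insensitive and the first
# occurrence wins, as sshd(8) reads them. A missing or commented-out
# directive is a miss because all three default to "yes".
audit_sshd() {
    rc=0
    for kv in $EXPECTED_SSHD; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
        if [ "$have" != "$want" ]; then
            echo "$key: want $want, have ${have:-<unset>}"; rc=1
        fi
    done
    return $rc
}

# Constructed samples: most sysctls set, but randompid and ashift left at
# defaults; sshd_config disabled passwords only and commented out UsePAM.
SYSCTL_SAMPLE=$(mktemp); SSHD_SAMPLE=$(mktemp)
printf '%s\n' 'security.bsd.see_other_uids: 0' 'security.bsd.see_other_gids: 0' \
    'security.bsd.see_jail_proc: 0' 'security.bsd.unprivileged_read_msgbuf: 0' \
    'security.bsd.unprivileged_proc_debug: 0' 'kern.randompid: 0' \
    'vfs.zfs.vdev.min_auto_ashift: 9' > "$SYSCTL_SAMPLE"
printf '%s\n' '# constructed sshd_config' 'PasswordAuthentication no' \
    '#UsePAM no' > "$SSHD_SAMPLE"
audit_sysctl "$SYSCTL_SAMPLE" || echo "sysctl audit: FAIL"
audit_sshd "$SSHD_SAMPLE" || echo "sshd audit: FAIL"
```

On a live FreeBSD host, feed it `sysctl -a > /tmp/sysctl.txt` and `/etc/ssh/sshd_config`; a non-zero exit from either function means something in the post's list has drifted.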
-
I recently submitted a Bugzilla PR for the FreeBSD Handbook's Security chapter, noting that it does not contain the phrase "hardening" or cover how to perform the kind of hardening measures that I've seen documented in other OSes, or mandated by workplace policies.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294167
This is far from my area of expertise so any additional comments there on what the Handbook should include would be welcome. Obviously there will be some hardening requirements for personal laptops that are different to hardening for servers and vice versa, which makes structuring the chapter a bit tricky. In fact one of my complaints in the PR is that advice which should be drilled into all users, like taking note of FreeBSD Security Advisories, is at the very bottom of a long page - anybody who reads that far will have to get past a lot of material only relevant for more specialist use cases.