"FreeBSD-SFTP"

Published: Sun 26 September 2021

In content.

  1. Update pkg to latest
root@freebsd-sftp:~ # mkdir -p /usr/local/etc/pkg/repos
root@freebsd-sftp:~ # vi /usr/local/etc/pkg/repos/FreeBSD.conf
```
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
}
```
  1. FreeBSD update
    freebsd-update fetch install
    pkg update
    pkg update -f && pkg upgrade -f
  2. Firewall Setup - PF
    sysrc pf_enable=yes
    sysrc pf_flags=''
    sysrc pf_rules='/etc/pf.conf'
    sysrc pflog_enable=yes
    sysrc pflog_logfile='/var/log/pflog'
    sysrc pflog_flags=''
    service pf start
    service pflog start
# To protect the server in case of front-end breach
# Author: vgnshlvnz and couple of website examples
# DO NOT MODIFY THE FILE WITHOUT PERMISSION
#
# Layout: macros, RFC 6890 table, scrub, global options, then the rules.
# pf evaluates rules top to bottom and the LAST matching rule wins unless a
# rule says "quick"; the "block log (all, to pflog0)" further down is therefore
# the default for anything the pass rules after it do not cover.

#Interface
# external interface; referenced by scrub, loginterface, antispoof and the SSH pass rule
extif='em0'

#ICMP Types
# the only ICMP types this host is allowed to send (see the last pass rule)
icmp_types = '{ echoreq unreach}'

#RFC6890 address block table
# special-purpose / non-routable address blocks, blocked in both directions on
# "egress" below. NOTE(review): the table contains 10/8 and 192.168/16, the same
# ranges the snort HOME_NET later on this page uses — if this host itself sits on
# private addressing, the two egress block rules will drop its own LAN traffic.
# Confirm $extif carries a public address before loading this ruleset.

table <rfc6890> { 0/8 10/8 100.64/10 127/8 169.254/16          \
                  172.16/12 192/24 192/29 192.0.2/24 192.88.99/24 \
                  172.16/12 192/24 192/29 192.0.2/24 192.88.99/24 \
                  240/4 255.255.255.255/32 }

#Scrubbing traffic
# normalise every packet on the external interface: randomise IP ids, raise
# low TTLs to 15, reassemble fragments, clamp TCP MSS to 1440.
# NOTE(review): set-tos 0x1c rewrites the TOS byte of ALL traffic, not just
# selected packets — confirm that is intended.
scrub log on $extif all random-id min-ttl 15 set-tos 0x1c fragment reassemble max-mss 1440

#Skip Loopback
# no filtering at all on loopback
set skip on lo0
# NOTE(review): "urgent" is one of the older debug keywords; check pf.conf(5)
# on the target release, newer pf documents syslog-style levels here.
set debug urgent
# blocked packets are silently dropped unless the rule itself says "return"
# (the outbound rfc6890 rule below does)
set block-policy drop
set loginterface $extif
# states are bound to the interface they were created on
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
# "aggressive" expires idle states early to save memory; long-idle SFTP
# sessions may be cut — use "normal" if users report disconnects
set optimization aggressive

#RFC6890 ruleset
# "quick": first match wins, no later rule can override these
# "egress": the interface group holding the default route
block log (all, to pflog0) in quick on egress from <rfc6890>
block log (all, to pflog0) return out quick on egress to <rfc6890>

#Anti-spoofing
# block packets claiming a source address in $extif's own networks that do not
# arrive on $extif
antispoof quick for $extif

#Block all connections
# default deny in both directions, logged to pflog0
block log (all, to pflog0)

#Allow SSH in
# SFTP rides on SSH, the only inbound service on this host. The rule has no
# "from" clause, so any source may reach port 22, and no per-source limits
# are applied here.
pass in log (all, to pflog0) on $extif  proto tcp to port 22

#Pass out SSH DNS NTP and WEB SERVICES
# outbound is limited to these ports; 80/443 cover the pkg repository,
# freshclam and the pulledpork rule downloads configured later on this page
pass out proto {tcp, udp} to port {22,53,80,123,443}

#Allow ICMP echorequest
# outbound ping and unreachables only; inbound ICMP is caught by the block-all
pass out inet proto icmp icmp-type $icmp_types
  1. Setup Disks
    Create a mirrored pool

  2. zpool create zstorage mirror <disk>
    Create the /home/ directories (the chown and ChrootDirectory steps below refer to /home/<USERNAME>, so the datasets created here must end up mounted under /home)

  3. zfs create zstorage/home
  4. zfs create zstorage/home/<USERNAME>

Set quota and refquota for the directories

  • zfs set quota=<size> zstorage/home/<USERNAME>
  • zfs set refquota=<size> zstorage/home/<USERNAME>

  • Setting appropriate permissions

  • chown root:sftp /home/<USERNAME>

  • chown <USERNAME>:sftp /home/<USERNAME>/uploads

  • Set up SSH to act as SFTP server

  • vi /etc/ssh/sshd_config

# sshd_config(5) Match block for members of the sftp group (the group the home
# directories are chowned to above). Place it after the global options: a Match
# block extends to the next Match keyword or to the end of the file.
Match Group sftp
# %u expands to the login name. sshd requires the chroot target and every path
# component above it to be root-owned and not group/world-writable, which is
# why /home/<USERNAME> is chowned root:sftp and the user owns only uploads/.
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
# in-process SFTP server; no shell or binaries are needed inside the chroot
ForceCommand internal-sftp
  1. Set up ClamAV

  2. pkg install clamav

  3. Insert the following into rc.conf
clamav_clamd_enable=YES
clamav_freshclam_enable=YES
  • service clamav-freshclam onestart
  • /usr/local/bin/freshclam
  • service clamav-clamd onestart
  • Precaution: run /usr/local/bin/freshclam again after starting clamd

  • Snort Installation & Configuration

  • pkg install snort

  • sed -i '' '/^include \$RULE_PATH\/.*.rules$/d' /usr/local/etc/snort/snort.conf
- ipvar HOME_NET [YOU_NEED_TO_SET_HOME_NET_IN_snort.conf]
- ipvar EXTERNAL_NET any
+ ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8]
+ ipvar EXTERNAL_NET !$HOME_NET
- var WHITE_LIST_PATH ../rules
- var BLACK_LIST_PATH ../rules
+ var WHITE_LIST_PATH rules
+ var BLACK_LIST_PATH rules
- # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
+ output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
+ include $RULE_PATH/local.rules
+ include $RULE_PATH/snort.rules
  • cp /usr/local/etc/pulledpork/pulledpork.conf.sample /usr/local/etc/pulledpork/pulledpork.conf
  • mkdir /usr/local/etc/snort/so_rules
  • mkdir /usr/local/etc/snort/rules/iplists
  • touch /usr/local/etc/snort/rules/local.rules
  • cp /usr/local/etc/snort/preproc_rules/sensitive-data.rules-sample /usr/local/etc/snort/preproc_rules/sensitive-data.rules
  • touch /usr/local/etc/snort/rules/white_list.rules
  • touch /usr/local/etc/snort/rules/black_list.rules

Configure Pulledpork

  • grep -Ev '^$|^#' /usr/local/etc/pulledpork/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|XXXX
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/reg-rules/|opensource.gz|XXXX
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/usr/local/etc/snort/rules/snort.rules
local_rules=/usr/local/etc/snort/rules/local.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/snort/sid_changes.log
sorule_path=/usr/local/etc/snort/so_rules/
snort_path=/usr/local/bin/snort
config_path=/usr/local/etc/snort/snort.conf
distro=FreeBSD-9-0
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
IPRVersion=/usr/local/etc/snort/rules/iplists
snort_control=/usr/local/bin/snort_control
version=0.7.0

Grab all the rules

  • pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l
  • snort -A console -q -c /usr/local/etc/snort/snort.conf -i em0

Insert the following lines into rc.conf

  • snort_enable="YES"
  • snort_interface="em0"

Written with StackEdit.
