# How Secure is FreeBSD?



## srzxj2 (Dec 16, 2011)

Hello 

I am extremely new to this platform and just starting to get the hang of it and forgetting everything I know since I'm coming over from a Windows/Dos background.

Out of the box, how secure is FreeBSD?

Reason I am asking is that I plan to do some web server hosting with possible ecommerce down the line. 

Thanks!

J


----------



## SirDice (Dec 16, 2011)

srzxj2 said:
			
		

> Out of the box, how secure is FreeBSD?


Secure enough. Why is this relevant? You're going to have to configure the box anyway.

See security(7) and [thread=4108]Unofficial FreeBSD Security Checklist / Links / Resources[/thread]


----------



## srzxj2 (Dec 16, 2011)

Thanks for the quick reply SirDice 

Yes I will need to configure the box but at the same time I don't want to open myself up to vulnerabilities. Again I am extremely new to this.

I'll read through the provided links, much appreciated!

J


----------



## SirDice (Dec 16, 2011)

srzxj2 said:
			
		

> Yes I will need to configure the box but at the same time I don't want to open myself up to vulnerabilities.


After you installed FreeBSD make sure you update it. Even FreeBSD has its security problems but they are far and few between.

FreeBSD Security Information
FreeBSD Security Advisories

One thing you probably will have to get used to is the strict separation of the base OS and ports. It's more or less comparable to Windows Update (which basically only updates Windows itself) and the various update tools and services third party applications use.


----------



## AndyUKG (Dec 16, 2011)

If you are totally new to the UNIX world (including Linux) then it would be good to know:

Unlike Windows, a UNIX server doesn't have to be listening on many OS related ports (this is great for security).
For example, if you want to have a web server, you can have it only listening on port 80 (probably you will have Ssh too) and then your server is as secure as your web server (ie Apache HTTPD).
For keeping on top of known vulnerabilites, always install packages via ports (where available) and use portaudit(1) to regularly check for problems on installed packages.

From a security point of view FreeBSD is really a great system once you get to know it for things like portaudit.


----------



## anomie (Dec 16, 2011)

srzxj2 said:
			
		

> Out of the box, how secure is FreeBSD?



How tall is the sky? 

Really, it's subjective. I can think of at least two OSes that I'd consider more secure following a _default_ installation. But an installation of the latest -RELEASE branch, even with sshd(8) enabled at install time, is quite a tight ship. 

Now then: if you can explain a bit about your environment, and what you'll be using FreeBSD for exactly, it will be easier to speak to specifics.


----------



## srzxj2 (Dec 16, 2011)

anomie said:
			
		

> How tall is the sky?
> 
> Really, it's subjective. I can think of at least two OSes that I'd consider more secure following a _default_ installation. But an installation of the latest -RELEASE branch, even with sshd(8) enabled at install time, is quite a tight ship.
> 
> Now then: if you can explain a bit about your environment, and what you'll be using FreeBSD for exactly, it will be easier to speak to specifics.



Basically I am in the process of moving a website off of a service provider that provides a Unix platform that runs Apache/MySql/PhpMyAdmin. When I said I was extremely new, I should have just said I installed FreeBSD a few days ago for the first time ever.

So what I am looking to achieve is to have a website hosted on this FreeBSD box to play around with. The reason I've asked about security is that because I know how much work I need to do to make a windows box secure and even then there are still some vulnerabilities.

What I've achieved so far is an installation of FreeBSD, installed Apache22, MySql, php and phpMyAdmin. All this by just following some step-by-step instructions I dug up off the web with extreemly limited knowledge.

Thanks for your help!


----------



## SirDice (Dec 16, 2011)

Keep an eye on this thread too: Thread 28366. It's an almost identical setup.


----------



## anomie (Dec 16, 2011)

I'd also mention: FreeBSD is not going to be the weak link in that chain. To help harden your default installation, you may consider enforcing strong passwords and enabling a packet filtering firewall. (That's in addition to necessary steps like applying base system and Port security updates, and monitoring system / application logs.) 

Your main focus will be on properly securing Apache web server and MySQL. For the former, I highly recommend reading _Apache Security_ by Ivan Ristic. (I don't get paid for suggesting that.) For the latter, I recommend at very least implementing what vermaden suggested in the other thread -- have MySQL listen on localhost, or "skip networking" altogether and listen on a unix socket. 

As for phpMyAdmin, put it behind HTTP digest authentication. No need to expose its login screen to the 'net.


----------



## gkontos (Dec 16, 2011)

srzxj2 said:
			
		

> Basically I am in the process of moving a website off of a service provider that provides a Unix platform that runs Apache/MySql/PhpMyAdmin. When I said I was extreemly new, I should have just said I installed FreeBSD a few days ago for the first time ever.
> 
> So what I am looking to achieve is to have a website hosted on this FreeBSD box to play around with. The reason I've asked about security is that because I know how much work I need to do to make a windows box secure and even then there are still some vulnerabilities.
> 
> ...



Welcome! 

As far as OS security is concerned, you are on the right path 

Web server security though is a very different story. Especially when it comes to e-commerce hosting, you have to be very careful and take a step further into hardening the application layer. 

Best Regards,
George


----------



## fonz (Dec 16, 2011)

gkontos said:
			
		

> As far as OS security is concerned, you are on the right path
> 
> Web server security though is a very different story.


Well put.

Security is a complex thing because there are many components. Total security is the sum of the security of the individual components and the security between each interacting component. Chain, weakest link, you get the idea. Running the most secure operating system ever isn't going to do much good if the third party server application you're running on it has a gaping hole (or even a tiny one, for that matter).

Fonz


----------



## fluca1978 (Dec 19, 2011)

srzxj2 said:
			
		

> Hello
> 
> I am extremely new to this platform and just starting to get the hang of it and forgetting everything I know since I'm coming over from a Windows/Dos background.
> 
> ...



I guess this _out of the box_ confusion is due to another BSD project that clearly states it is the most secure OS with only two holes so far in the default installation. The problem is that users usually do not run a default installation, or better, the default installation is not what a user will install as his default.
The more services you enable, the more you are at risk. The operating system can do a great job or a bad job trying to make the services more secure, and FreeBSD is doing a great job. But this does not mean that every service is more secure if ran on FreeBSD than if ran on XXX. What FreeBSD (and other good operating systems) can do is to provide a valid platform for application/service developers to use, as well as a good platform for admins to take care of such applications. What application developers can do is to integrate with the operating systems trying to explore the good api layer, and what can do admins is to grant right permissions (and resources) to a service so even if it will perform a `# rm -r /` it will fail.
FreeBSD gives you, as an admin, a very good platform, and as application developer a good platform too. But both sides must do their work to make the system secure.


----------



## Beeblebrox (Dec 19, 2011)

Let's not forget
1. jails for each service (http/php and sql in separate jails) and
2. Other less bloated web servers (like lighttpd or varnish or nginx)


----------



## vermaden (Dec 19, 2011)

> How Secure is FreeBSD?


Very secure. (general question - general answer)


----------



## vertexSymphony (Dec 19, 2011)

> How Secure is FreeBSD?



The "secureness" of FreeBSD is as good as the person securing it.
But you start with a good set of tools.

If you know linux the better, stay there ... later when you have some knowledge of FreeBSD you can deploy servers with more responsibility and don't expect the system to do what you are supposed to be doing.


----------



## gkontos (Dec 19, 2011)

I was in a presentation of a new major web application firewall product in Frankfurt from a large vendor two years ago. 

It was a 2 day event covering some of the basic features. I am not mentioning the brand nor their (fruit) reference client.

During the presentation I asked a question about the functionality and the features of the demo web site that was being protected. My observation was that there is not much user interaction here. Not many online capabilities in this site. Therefore not really a hard thing to protect.

The answer was simple yet stunning. 

_"It is not stunning but it is safe"_

I thing that said it all !


----------



## Simba7 (Dec 20, 2011)

vertexSymphony said:
			
		

> If you know linux the better, stay there ... later when you have some knowledge of FreeBSD you can deploy servers with more responsibility and don't expect the system to do what you are supposed to be doing.


Linux is the same way. There isn't a "one size fits all" to any *n*x OS.

One reason I moved back to FreeBSD was ZFS.. another was me getting sick of the time lapse between headers/sources (Gentoo) which was jacking a few packages up. Their reply was "Why do you need that?"

I'd say, experiment. If you're new to the whole UNIX world, find an old box and throw FreeBSD on it. Then, if you screw up, you won't toss any vital info into the shredder. It's best not to dive into a shark tank unless you have the proper training on how to protect yourself.

One vital piece of information.. The Handbook. You can buy it or print it (get a couple reams of paper and a duplex-capable printer). It'll teach you the basics and some of the more advanced stuff.


----------



## amilojko (Dec 26, 2011)

*What?*



			
				AndyUKG said:
			
		

> If you are totally new to the UNIX world (including Linux) then it would be good to know:
> 
> Unlike Windows, a UNIX server doesn't have to be listening on many OS related ports (this is great for security).
> For example, if you want to have a web server, you can have it only listening on port 80 (probably you will have Ssh too) and then your server is as secure as your web server (ie Apache HTTPD).
> ...



I am not sure I understand. What are OS related ports?

OS doesn't have any ports and doesn't need any ports. What you are probably thinking about is all the file sharing services that Windows has enabled by default.
This is no different than HTTPD.
The difference is that FreeBSD asks you if you want to enable NFS and other file sharing, while Windows does it without prompting. It's assumed that Windows server is used for file sharing, while it's not assumed that FreeBSD is used for file sharing.

But really, FreeBSD, and any OS for that matter, is as secure as the knowledge of the admin taking care of it.
Mind you Windows security "discoveries" happen a lot more than FreeBSD.


----------



## Crivens (Dec 26, 2011)

Port, in this context, does not refer to the ports of the TCP/IP protocol.
In FreeBSD, a port can also denote a software package which can be installed. Since ports live in the ports system, installation is said to be done by means of ports.


----------



## UNIXgod (Dec 26, 2011)

It's a good idea to subscribe to the FreeBSD security advisory list. 

FreeBSD has a vetted group dealing with issues as they arise.

More information here:
http://www.freebsd.org/security/


----------



## amilojko (Dec 27, 2011)

Crivens said:
			
		

> Port, in this context, does not refer to the ports of the TCP/IP protocol.
> In FreeBSD, a port can also denote a software package which can be installed. Since ports live in the ports system, installation is said to be done by means of ports.



Ports in the context of the fellow I was replying to refers to both TCP ports and the ports collection.
The ports collection is used to install programs that listen on ports.
Get it? :e

I was aiming at this bit:
"Unlike Windows, a UNIX server doesn't have to be listening on many OS related ports (this is great for security)" which is not true.
Windows doesn't have any OS related ports. It's all file sharing/name resolutions related.
Much like NFS/RPC/BIND
OS can live without this. Can't do much, but can live without it.


----------



## fonz (Dec 27, 2011)

"OS related ports" sounds a bit vague to me. Judging from what I've read so far, I suspect "privileged ports" (port numbers under 1024) is what's actually meant.

Hth,

Fonz


----------

