In this BSD Now episode, hosts Allan Jude and Kris Moore interview Christos Zoulas, NetBSD security officer, about his project blacklistd, which aims to stop brute-force attacks.
This tutorial by Michael Ragusa of DigitalOcean shows us how to customize and recompile your kernel on FreeBSD 10.1.
The FreeBSD operating system utilizes the GENERIC kernel by default. This is a default configuration used to support a large variety of hardware out of the box. However, there are many different reasons for compiling a custom kernel, which include security, enhanced functionality, or better performance.
FreeBSD utilizes two branches of code for its operating system: stable and current. Stable is the current code release that is production ready. Current is the latest code release from the development team and has some of the latest bleeding-edge features but is more prone to bugs and system instability. This guide will utilize the stable branch.
In this tutorial, we will recompile a FreeBSD kernel with a custom configuration.
To follow this tutorial, all you will need is:
- One FreeBSD 10.1 Droplet.
If you’re new to FreeBSD, you can check out the Getting Started with FreeBSD series of tutorials.
Step 1 — Obtaining the Source Code
FreeBSD user asteriskRoss shows us how to get amd64 UEFI boot (with encrypted ZFS root) working in FreeBSD 10.1 using GELI.
In this HOWTO, we’ll walk through installing FreeBSD 10.1-RELEASE as the sole operating system on a UEFI-enabled amd64/x86-64 PC to a single hard disk, with all except the /boot directory installed to a ZFS pool encrypted using geli(8).
The /boot directory will reside on an unencrypted UFS partition.
If you’re reading this for a later version of FreeBSD then it will probably work, but there may be a better and easier way of achieving the same goal. FreeBSD 10.1 was the latest release at time of writing.
Understanding technical limitations
UEFI support was added to FreeBSD in the 10.1 release for the amd64 architecture, but has some limitations:
- It only supports booting from a UFS partition (that is, not ZFS)
- It does not support UEFI Secure Boot.
PC manufacturers’ implementations of UEFI vary in quality. During the transition from legacy BIOS booting to UEFI, many manufacturers include a method of booting from both. This might be configurable or the firmware may decide which one to use based on the disk partitioning type (MBR or GPT) or presence of boot sector code. Even if your PC supports UEFI, implementation issues may prevent this method working for you.
The configuration described here is not compatible with the ZFS Boot Environment management utilities sysutils/beadm or manageBE, since both of these make assumptions about the filesystem layout that aren’t true here.
A brief discussion on risk mitigation, disk encryption and GELI
This is not a HOWTO on different disk encryption techniques but you should understand what protection this configuration offers and what it doesn’t. When designing security, it is important to keep in mind whom you are defending against. In this configuration, I’m aiming to prevent someone reading my data if I lose the computer (all too common for laptops) or if it is stolen by a thief more interested in selling the hardware for cash than for any secrets on the hard disk. I am not looking to protect my data from espionage level attacks or from covert modification.
Encrypting information on a disk prevents an attacker from accessing it “at rest”, that is, when the computer is powered off. It offers no protection at all against attacks while the computer is powered on and you have made that information available in its decrypted (plain text) form. This is true for all disk encryption. The configuration described here has further shortcomings. Secure Boot is disabled, the kernel and its modules are available in unencrypted form on the disk and I will be using GELI without enabling data authentication. This means that if someone sneaky wants to plant attack software on the machine, conduct an “evil maid” style attack or even modify the encrypted data so it decrypts to something different, they can and you won’t know about it.
If I had different requirements, I would consider putting my UEFI boot files and kernel on a removable disk that I kept with me, enabling data integrity verification for my GELI partition, encrypting with AES 256-bit keys rather than 128-bit, physically securing my PC and making it tamper evident, locking down the firmware configuration, rewriting the UEFI bootloader to support Secure Boot, using a PC with a TPM chip, reviewing the FreeBSD source code, never connecting my computer to the Internet, installing an alarm system in my office, training an attack dog to guard my computer… you get the idea. You can hire me for security consultancy or attack dog training at competitive rates but for now, let’s get on with the show.
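To check an existing system for the two GELI settings the HOWTO's author says he would change under stricter requirements (no data authentication, 128-bit keys), the sketch below audits `geli list` output. It is an added example, not part of the original HOWTO; the sample output is constructed, and the field names `Geom name`, `KeyLength` and `AuthenticationAlgorithm` are assumed to match what geli(8) prints on your release.

```shell
#!/bin/sh
# Added example: flag GELI providers that lack data authentication or use
# keys shorter than 256 bits. Field names are assumptions about the
# `geli list` format; verify them on your own system.

geli_audit() {
    # Reads `geli list`-style text on stdin, prints one line per provider.
    awk '
        function report(   notes) {
            if (name == "") return
            if (auth == "") notes = notes " no-data-authentication"
            if (keylen + 0 < 256) notes = notes " key-shorter-than-256"
            if (notes == "") notes = " ok"
            printf "%s keylen=%s auth=%s:%s\n", name, keylen, (auth == "" ? "none" : auth), notes
        }
        /^Geom name:/               { report(); name = $3; keylen = "?"; auth = "" }
        /^KeyLength:/               { keylen = $2 }
        /^AuthenticationAlgorithm:/ { auth = $2 }
        END                         { report() }
    '
}

# Constructed sample input: one provider like the HOWTO's configuration,
# one initialised with authentication and a 256-bit key.
sample_geli_list() {
    cat <<'EOF'
Geom name: ada0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Flags: BOOT

Geom name: da1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
AuthenticationAlgorithm: HMAC/SHA256
KeyLength: 256
Crypto: software
Flags: AUTH
EOF
}

sample_geli_list | geli_audit
```

On a live FreeBSD host, replace the last line with `geli list | geli_audit`.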
FreeBSD user David Delony speaks about the history of the operating system, its uses, as well as what’s in store for the future.
Takeaway: FreeBSD is widely used in numerous everyday applications.
Despite its age, it still pops up in places you wouldn’t expect. If you use an Apple device, chat on WhatsApp or watch a movie on Netflix, you’re interacting with FreeBSD. Here we take a look at this Unix-like operating system.
FreeBSD has its roots in the original BSD version of Unix that was first created in 1977 by Bill Joy, who would later co-found Sun Microsystems. We’ve covered the history of BSD in general in detail in another article.
FreeBSD, as well as all the other major BSD variants, including NetBSD, are descended from 386BSD, the first BSD version to run on PC hardware. For various reasons William Jolitz, the creator of 386BSD, stalled on the project. Other groups stepped in with their own modifications, known as “patchkits.” The group that would become FreeBSD was one of them.
A lawsuit by AT&T asserting copyright over the BSD code distracted the community, but the terms were worked out and FreeBSD moved to the BSD 4.4 “Lite” codebase that had no AT&T code in version 2.0.
FreeBSD got a lot of attention in the ’90s, being used to run a number of ISPs and websites. Yahoo was a notable user. The current version of FreeBSD is 10, and it’s still going strong, even as the computer world has changed.
Microsoft has recently made CoreCLR work on FreeBSD.
It was back in February that Microsoft open-sourced CoreCLR, the execution engine of the core .NET stack. Besides coming to Linux and other platforms, this MIT-licensed engine has now been ported and is working for FreeBSD.
As of this week, the CoreCLR code can produce a working build on FreeBSD, and the developers are setting up FreeBSD as part of their continuous integration infrastructure to ensure the FreeBSD support remains in top condition moving forward.
FreeBSD user KENNETH ENZ shows us how to get FreeBSD 10.1 set up as a domain controller.
Getting FreeBSD and Samba configured to function as a domain controller similar to Active Directory is a straightforward process. After installation & configuration of the server, a Windows 8.1 machine is added to the newly created domain.
For more tutorials by KENNETH ENZ: https://www.youtube.com/user/EmployeeOfTheMinute
FreeBSD user gnugr shows us how to get ownCloud set up in a FreeBSD jail.
Original post: http://gnugr-blog.info/node/17
Moving to FreeBSD
I’ve had an ownCloud installation running for a good year or so on my unRAID server. As for ownCloud itself, I’ve been very happy with it. Managing non-unRAID things on unRAID though… not so fun. With that said, I’ve decided to move my installation to a FreeBSD 10.1 based system running on a Mac Mini. This box already services some minor things such as Murmur for our World of Warcraft guild The ORLY Factor, Git, etc. but is nearly idle most of the time.
A great feature of FreeBSD is jails. With a jail you can isolate an environment from the rest of the system such that if it is compromised, the rest of the system is not. Installations do not muck with each other as well. All great stuff. Let’s put ownCloud in a jail!
For jail management I chose ezjail. This makes working with jails… er, a bit eaezsier.
Install & Prepare ezjail
I did not have ezjail already installed. Below are the steps I took to get ezjail installed and prepped on the system:
Install (alternatively, cd /usr/ports/sysutils/ezjail && make install clean):
sudo pkg install ezjail
Create a base jail & update it:
sudo ezjail-admin install -sp
sudo ezjail-admin update -P
A few entries need to be added to /etc/rc.conf:
This tutorial from The Geeky Linux shows us how to get PC-BSD and Crunchbang Linux to dual boot together.
This is a tutorial which shows how to dual boot Linux and PC-BSD 10. PC-BSD 10 uses ZFS as the file system and grub as the boot manager. I was able to successfully dual boot PC-BSD and CrunchBang Linux on my laptop.
I was able to achieve this after lots of trial and error. I have not found a valid guide on the internet to do it. All the tutorials were outdated or at least not working for me. I have spent a lot of time in the pc-bsd/freebsd irc channels and was finally able to achieve this after trying out different suggestions from the irc members. Thanks to them all for the guidance.
If you want to dual boot PC-BSD, first install the Linux OS (in this case, CrunchBang Linux) and then install PC-BSD 10. This is because most Linux OSes won’t be able to detect ZFS (the default file system in PC-BSD 10). But PC-BSD grub will be able to detect EXT4, the default file system in most of the Linux distros. If you are looking for a tutorial for PC-BSD with UFS and Linux, you can find a lot of guides in the interwebs. My guide only applies to PC-BSD with the ZFS file system.
1. Install Crunch Bang Linux
2. Copy the relevant part from the Crunch Bang Linux grub menu. You can get it from the configuration file /boot/grub/grub.cfg. There will be a lot of unwanted details in this menu, but we will only need the part that starts after the line “### BEGIN /etc/grub.d/10_linux ###” in this file.
For example, given below is the relevant part from my Crunch Bang Linux grub configuration:
In this BSD Now episode, hosts Kris Moore and Allan Jude interview Antoine Jacoutot regarding M:Tier’s use of BSD in their business. In addition, they discuss the various release models of BSD, and the types they enjoy using the most.
Original page: http://www.bsdnow.tv/episodes/2015_04_22-business_as_usual
FreeBSD user Anderson Costa shows us how to get Phalcon 2 set up on FreeBSD 10.1.