FreeBSD 1st Quarter 2015 Status Report

The developers of FreeBSD have posted their quarterly status report. Follow the link below to hear reports from FreeBSD Bugmeister, Ports Collection, and the FreeBSD Core Team.

 

This report covers FreeBSD-related projects between January and March 2015. This is the first of four reports planned for 2015.

The first quarter of 2015 was another productive quarter for the FreeBSD project and community. FreeBSD is being used in research projects, and those projects are making their way back into FreeBSD as new and exciting features, bringing improved network performance and security features to the system. Work continues to improve support for more architectures and architecture features, including progress towards the goal of making ARM (32- and 64-bit) a Tier 1 platform in FreeBSD 11. The toolchain is receiving updates, with new versions of clang/LLVM in place, migrations to ELF Tool Chain tools, and updates to the LLDB and gdb debuggers. Work by ports teams and kernel developers is maintaining and improving the state of FreeBSD as a desktop operating system. The pkg team is continuing to make binary packages easier to use and upgrade.

Thanks to all the reporters for the excellent work!

The deadline for submissions covering the period from April to June 2015 is July 7th, 2015.

View the full report: https://www.freebsd.org/news/status/report-2015-01-2015-03.html

PC-BSD 10.1.2-RC1 Now Available

The developers of PC-BSD have made available the first release candidate for version 10.1.2.

Original announcement: http://blog.pcbsd.org/2015/05/pc-bsd-10-1-2-rc1-now-available/


The PC-BSD team is pleased to announce the availability of RC1 images for the upcoming quarterly 10.1.2 release.

Please test these images out and report any issues found on our bug tracker.

PC-BSD 10.1.2 Notable Changes

  • New PersonaCrypt Utility allows moving all of a user’s $HOME directory to an encrypted USB Drive. This drive can be connected at login, and used across different systems
  • Stealth Mode allows login to a blank $HOME directory, which is encrypted with a one-time GELI key. This $HOME directory is then discarded at logout, or rendered unreadable after a reboot
  • Tor mode switches the firewall to running a transparent proxy, blocking all traffic except what is routed through Tor
  • Migrated to IPFW firewall for enabling VIMAGE in 10.2
  • Added sound configuration via the first boot utility
  • Support for encrypted iSCSI backups via Life-Preserver, including support for bare-metal restores via installer media
  • New HTML handbook, updated via normal package updates
  • Media Center support allowing direct login to Kodi and PlexHomeTheater for the 10ft user experience
  • Switch to new AppCafe interface, with remote support via web-browser
  • Improvements to Online Updater, along with GRUB nested menus for Boot-Environments
  • Migrate all ports to using LibreSSL instead of OpenSSL
  • Switch from NTP to OpenNTPD
  • Lumina desktop 0.8.4
  • Chromium 42.0.2311.90
  • Firefox 37.0.2
  • NVIDIA Driver 346.47
  • Pkg 1.5.1


Increase disk space in FreeBSD

This short tutorial by user  shows us how to increase your disk space in FreeBSD.

I use gpart to manage disk partitions in FreeBSD, because it works, and is much easier than the old bsdlabel shenanigans. Increasing the size of the last partition on a disk is easy:

  • Power down
  • resize disk (e.g. increase virtual machine’s disk allocation)
  • boot into single user mode
      gpart recover da0
      gpart show -p da0
      gpart resize -i 5 da0
      gpart show -p da0
      growfs /dev/da0p5
  • reboot

Original post: https://gregoryo.wordpress.com/2015/04/30/increase-disk-space-in-freebsd/
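A pre-flight check for the resize step above, as an added example that is not part of the original post: it reads `gpart show -p` output and reports whether the target partition can actually grow. The function name `resize_check` and the sample table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; the gpart output below is constructed, not captured.

# Read `gpart show -p <disk>` output on stdin and print, for partition $1:
#   "growable <sectors>"  free space directly follows the partition
#   "blocked <provider>"  another partition follows, so it cannot grow in place
#   "full"                nothing follows it in the table
#   "missing"             no such partition in the table
#   "recover"             table is flagged [CORRUPT]; run gpart recover first
resize_check() {
    awk -v part="$1" '
        $1 == "=>" { if ($0 ~ /\[CORRUPT\]/) corrupt = 1; next }
        # First non-empty line after the target decides the outcome.
        found && !seen_next && NF {
            seen_next = 1
            res = ($3 == "-" && $4 == "free") ? "growable " $2 : "blocked " $3
        }
        $3 == part { found = 1 }
        END {
            if (corrupt) print "recover"
            else if (!found) print "missing"
            else print (seen_next ? res : "full")
        }'
}

# Constructed table: a 30G disk whose last partition (da0p5) ends at 20G.
SAMPLE_GPART='=>      40  62914480    da0  GPT  (30G)
        40      1024  da0p1  freebsd-boot  (512K)
      1064   4194304  da0p2  freebsd-swap  (2.0G)
   4195368  37747712  da0p5  freebsd-ufs  (18G)
  41943080  20971440         - free -  (10G)'

printf '%s\n' "$SAMPLE_GPART" | resize_check da0p5
```

On a live system the input would come from `gpart show -p da0 | resize_check da0p5`.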

How To Use OPIE to Get One-Time Passwords for FreeBSD 10.1

This tutorial by FreeBSD user Hathy A (DigitalOcean) shows us how to set up “one-time” passwords on FreeBSD 10.1, a way to protect logins against unwanted access.

Original post: https://www.digitalocean.com/community/tutorials/how-to-use-opie-to-get-one-time-passwords-for-freebsd-10-1

Introduction

SSH is the most popular way to log in to a server remotely. It is a cryptographic protocol that protects your password against man-in-the-middle and replay attacks.

You must keep in mind, though, that SSH protects your data only while it is in transit. Attackers can discover your SSH password by other means, such as by using keyloggers or strategically placed cameras.

As long as you use a trusted computer (say, one that belongs to you or your company), and do so from a safe location, you don’t have to worry about such attacks. However, sometimes you might need to use a public computer. To protect your passwords in such scenarios, FreeBSD comes with a security feature called One-time Passwords In Everything, or OPIE.

In this tutorial, you will learn how to generate and use one-time passwords to log in to your remote FreeBSD server. You can pregenerate one or more one-time passwords when you’re in a safe location, and save them for later when you access your server from a less secure location. That way, even if your one-time password gets logged, it won’t ever be useful to an attacker.

Prerequisites

In order to follow this tutorial, you will need:

  • A FreeBSD 10.1 server which is accessible over SSH
  • A user who is allowed to switch to root; the default freebsd user on DigitalOcean is fine


Mumblehard Malware Infects Thousands of Linux and FreeBSD Servers

A recent vulnerability has been found, affecting thousands of Linux and FreeBSD servers around the world. Norse encourages FreeBSD sysadmins to take proper measures to remedy this exploit. Check the whitepaper for more details.


Researchers have documented a newly discovered family of malware that infected thousands of Linux and FreeBSD servers, making them part of a massive spam distribution campaign.

The unusually sophisticated malware, dubbed Mumblehard, has two main components, both written in Perl. Both use the same custom packer, written in assembly language, which produces ELF binaries that obfuscate the Perl source code.

“Our analysis and research also shows a strong link between Mumblehard and Yellsoft. Yellsoft sells software, written in Perl, designed to send bulk e-mails. This program is called DirectMailer,” the researchers said.

“The first link between them is that the IP addresses used as C&C servers for both the backdoor and spamming components are located in the same range as the web server hosting yellsoft.net. The second link is that we have found pirated copies of DirectMailer online that actually silently install the Mumblehard backdoor when run. The pirated copies were also obfuscated by the same packer used by Mumblehard’s malicious components.”

The team discovered Mumblehard after a system administrator reported that a server had been blacklisted for sending spam, and they proceeded to dump the memory of a process that was connecting to different SMTP servers.

“The memory dump clearly showed it to be a Perl interpreter. We investigated and found the executable file in the /tmp directory. We started analyzing this ELF binary and discovered what we now call Mumblehard,” the researchers explained.

“We got interested in this threat because the way the Perl scripts used by the cybercriminals are packed inside ELF executables is uncommon and more complex than the average server threat.”

Key findings in the analysis include:

  • Perl scripts were packed inside ELF binaries written in assembly language, showing a higher level of sophistication than average
  • A total of 8,867 unique IP addresses were seen in our sinkhole over a 7-month period
  • The highest number of unique IP addresses seen in a single day is as high as 3,292
  • Mumblehard has been active since at least 2009
  • Among the compromised machines, web servers are the most susceptible to being infected
  • There is a strong link between Mumblehard and Yellsoft, an online company selling software to send bulk e-mail messages

“Victims should look for unsolicited cronjob entries for all the users on their servers. This is the mechanism used by the Mumblehard backdoor to activate the backdoor every 15 minutes,” the researchers noted.

“The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.”

A detailed white paper on Mumblehard is available here (PDF).

Original post: http://blog.norsecorp.com/2015/04/30/mumblehard-malware-infects-thousands-of-linux-and-freebsd-servers/
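The two checks the researchers recommend above, as an added example that is not part of the original post or the white paper: flag crontab entries that reference /tmp or /var/tmp, and read `mount` output to see whether a temp directory carries noexec. The function names, the severity labels, the default crontab directory and all sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the researchers' report. Sample data is constructed.

# Print "HIGH|MEDIUM <owner> <entry>" for each crontab entry on stdin whose
# command references a path under /tmp or /var/tmp.
scan_crontab() {
    awk -v owner="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # comment or blank
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value setting
        {
            cmd = $0
            n = ($1 ~ /^@/) ? 1 : 5      # "@reboot"-style or five time fields
            for (i = 1; i <= n; i++) sub(/^[ \t]*[^ \t]+/, "", cmd)
            # The path must begin at /tmp/ or /var/tmp/; /home/u/tmp/ is ignored.
            if (cmd !~ "[^A-Za-z0-9_./-](/var)?/tmp/") next
            # A 15-minute schedule matches the interval the researchers describe.
            sev = ($1 == "*/15" || $1 == "0,15,30,45") ? "HIGH" : "MEDIUM"
            print sev, owner, $0
        }'
}

# Scan every per-user crontab in a directory (run as root). The default is an
# assumption: /var/cron/tabs is where FreeBSD cron stores them.
scan_cron_dir() {
    for f in "${1:-/var/cron/tabs}"/*; do
        [ -f "$f" ] && scan_crontab "$(basename "$f")" < "$f"
    done
    return 0
}

# Read `mount` output on stdin and print "noexec", "exec" or "not-mounted"
# (the path is not a separate filesystem) for mount point $1.
mount_exec_state() {
    awk -v mp="$1" '
        index($0, " on " mp " ") {
            opts = $0; sub(/^[^(]*/, "", opts)   # keep only the "(...)" options
            state = (opts ~ /[ ,(]noexec[ ,)]/) ? "noexec" : "exec"
        }
        END { print (state == "" ? "not-mounted" : state) }'
}

# Constructed crontab for a hypothetical user "www"; file names are made up.
SAMPLE_CRONTAB='MAILTO=""
# nightly cleanup
0 3 * * * /usr/local/bin/cleanup.sh /home/www/tmp/
*/15 * * * * /var/tmp/example-bin >/dev/null 2>&1
@reboot perl /tmp/example.pl'
printf '%s\n' "$SAMPLE_CRONTAB" | scan_crontab www
```

On a live host, `scan_cron_dir` covers the per-user crontabs and `mount | mount_exec_state /tmp` (then `/var/tmp`) reports the mount option; a MEDIUM hit is a prompt for review, since legitimate jobs also touch temp directories.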

How To Customize and Recompile Your Kernel on FreeBSD 10.1

This tutorial by Michael Ragusa of DigitalOcean shows us how to customize and recompile your kernel on FreeBSD 10.1.

Original link: https://www.digitalocean.com/community/tutorials/how-to-customize-and-recompile-your-kernel-on-freebsd-10-1

Introduction

The FreeBSD operating system utilizes the GENERIC kernel by default. This is a default configuration used to support a large variety of hardware out of the box. However, there are many different reasons for compiling a custom kernel, which include security, enhanced functionality, or better performance.

FreeBSD utilizes two branches of code for its operating system: stable and current. Stable is the current code release that is production ready. Current is the latest code release from the development team and has some of the latest bleeding edge features but is more prone to bugs and system instability. This guide will utilize the stable branch.

In this tutorial, we will recompile a FreeBSD kernel with a custom configuration.

Prerequisites

To follow this tutorial, all you will need is:

  • One FreeBSD 10.1 Droplet.

If you’re new to FreeBSD, you can check out the Getting Started with FreeBSD series of tutorials.

Step 1 — Obtaining the Source Code


HOWTO: FreeBSD 10.1 amd64 UEFI boot with encrypted ZFS root using GELI

FreeBSD user asteriskRoss shows us how to get amd64 UEFI boot (with encrypted ZFS root) working in FreeBSD 10.1 using GELI.

Introduction
In this HOWTO, we’ll walk through installing FreeBSD 10.1-RELEASE as the sole operating system on a UEFI-enabled amd64/x86-64 PC to a single hard disk, with all except the /boot directory installed to a ZFS pool encrypted using geli(8).

The /boot directory will reside on an unencrypted UFS partition.

If you’re reading this for a later version of FreeBSD then it will probably work, but there may be a better and easier way of achieving the same goal. FreeBSD 10.1 was the latest release at time of writing.

Understanding technical limitations
UEFI support was added to FreeBSD in the 10.1 release for the amd64 architecture, but has some limitations:

  • It only supports booting from a UFS partition (that is, not ZFS)
  • It does not support UEFI Secure Boot.

PC manufacturers’ implementations of UEFI vary in quality. During the transition from legacy BIOS booting to UEFI, many manufacturers include a method of booting from both. This might be configurable or the firmware may decide which one to use based on the disk partitioning type (MBR or GPT) or presence of boot sector code. Even if your PC supports UEFI, implementation issues may prevent this method working for you.

The configuration described here is not compatible with the ZFS Boot Environment management utilities sysutils/beadm or manageBE, since both of these make assumptions about the filesystem layout that aren’t true here.

If you’re using an SSD, you should know that geli(8), which we are using here for encryption, doesn’t yet support TRIM, which will unfortunately have implications for your write performance.

A brief discussion on risk mitigation, disk encryption and GELI
This is not a HOWTO on different disk encryption techniques but you should understand what protection this configuration offers and what it doesn’t. When designing security, it is important to keep in mind whom you are defending against. In this configuration, I’m aiming to prevent someone reading my data if I lose the computer (all too common for laptops) or if it is stolen by a thief more interested in selling the hardware for cash than for any secrets on the hard disk. I am not looking to protect my data from espionage level attacks or from covert modification.

Encrypting information on a disk prevents an attacker from accessing it “at rest”, that is, when the computer is powered off. It offers no protection at all against attacks while the computer is powered on and you have made that information available in its decrypted (plain text) form. This is true for all disk encryption. The configuration described here has further shortcomings. Secure Boot is disabled, the kernel and its modules are available in unencrypted form on the disk and I will be using GELI without enabling data authentication. This means that if someone sneaky wants to plant attack software on the machine, conduct an “evil maid” style attack or even modify the encrypted data so it decrypts to something different, they can and you won’t know about it.

If I had different requirements, I would consider putting my UEFI boot files and kernel on a removable disk that I kept with me, enabling data integrity verification for my GELI partition, encrypting with AES 256-bit keys rather than 128-bit, physically securing my PC and making it tamper evident, locking down the firmware configuration, rewriting the UEFI bootloader to support Secure Boot, using a PC with a TPM chip, reviewing the FreeBSD source code, never connecting my computer to the Internet, installing an alarm system in my office, training an attack dog to guard my computer… you get the idea. You can hire me for security consultancy or attack dog training at competitive rates but for now, let’s get on with the show.

Full tutorial: https://forums.freebsd.org/threads/howto-freebsd-10-1-amd64-uefi-boot-with-encrypted-zfs-root-using-geli.51393/

A Closer Look at FreeBSD

FreeBSD user speaks about the history of the operating system, its uses, as well as what’s in store for the future.

Original post: http://www.techopedia.com/2/31035/software/a-closer-look-at-freebsd

Takeaway: FreeBSD is widely used in numerous everyday applications.

A Closer Look at FreeBSD
Despite its age, it still pops up in places you wouldn’t expect. If you use an Apple device, chat on WhatsApp or watch a movie on Netflix, you’re interacting with FreeBSD. Here we take a look at this Unix-like operating system.

History

FreeBSD has its roots in the original BSD version of Unix that was first created in 1977 by Bill Joy, who would later co-found Sun Microsystems. We’ve covered the history of BSD in general in detail in another article.

FreeBSD, as well as all the other major BSD variants, including NetBSD, are descended from 386BSD, the first BSD version to run on PC hardware. For various reasons William Jolitz, the creator of 386BSD, stalled on the project. Other groups stepped in with their own modifications, known as “patchkits.” The group that would become FreeBSD was one of them.

A lawsuit by AT&T asserting copyright over the BSD code distracted the community, but the terms were worked out and FreeBSD moved to the BSD 4.4 “Lite” codebase that had no AT&T code in version 2.0.

FreeBSD got a lot of attention in the ’90s, being used to run a number of ISPs and websites. Yahoo was a notable user. The current version of FreeBSD is 10, and it’s still going strong, even as the computer world has changed.

Features
