How To Use OPIE to Get One-Time Passwords for FreeBSD 10.1

This tutorial by FreeBSD user Hathy A (DigitalOcean) shows us how to set up “one-time” passwords on FreeBSD 10.1, a method to keep secure from unwanted access.

Original post:


SSH is the most popular way to log in to a server remotely. It is a cryptographic protocol that protects your password against man-in-the-middle and replay attacks.

You must keep in mind, though, that SSH protects your data only while it is in transit. Attackers can discover your SSH password by other means, such as by using keyloggers or strategically placed cameras.

As long as you use a trusted computer (say, one that belongs to you or your company), and do so from a safe location, you don’t have to worry about such attacks. However, sometimes you might need to use a public computer. To protect your passwords in such scenarios, FreeBSD comes with a security feature called One-time Passwords In Everything, or OPIE.

In this tutorial, you will learn how to generate and use one-time passwords to log in to your remote FreeBSD server. You can pregenerate one or more one-time passwords when you’re in a safe location, and save them for later when you access your server from a less secure location. That way, even if your one-time password gets logged, it won’t ever be useful to an attacker.


In order to follow this tutorial, you will need:

  • A FreeBSD 10.1 server which is accessible over SSH
  • A user who is allowed to switch to root; the default freebsd user on DigitalOcean is fine

[Read more…]

Mumblehard Malware Infects Thousands of Linux and FreeBSD Servers

A recent vulnerability has been found, affecting thousands of Linux and FreeBSD servers around the world. Norse encourages FreeBSD sysadmins to take proper measures to remedy this exploit. Check the whitepaper for more details.


Researchers have documented a newly discovered family of malware that infected thousands of Linux and FreeBSD servers, making them part of a massive spam distribution campaign.

The unusually sophisticated malware, dubbed Mumblehard, has two main components which are both written in Perl and leverage the same custom packer which is written in assembly language to produce ELF binaries that work to obfuscate the source code.

“Our analysis and research also shows a strong link between Mumblehard and Yellsoft. Yellsoft sells software, written in Perl, designed to send bulk e-mails. This program is called DirectMailer,” the researchers said.

“The first link between them is that the IP addresses used as C&C servers for both the backdoor and spamming components are located in the same range as the web server hosting The second link is that we have found pirated copies of DirectMailer online that actually silently install the Mumblehard backdoor when run. The pirated copies were also obfuscated by the same packer used by Mumblehard’s malicious components.”

The team discovered Mumblehard after a system administrator reported that a server had been blacklisted for sending spam, and they proceeded to dump the memory of a process that was connecting to different SMTP servers.

“The memory dump clearly showed it to be a Perl interpreter. We investigated and found the executable file in the /tmp directory. We started analyzing this ELF binary and discovered what we now call Mumblehard,” the researchers explained.

“We got interested in this threat because the way the Perl scripts used by the cybercriminals are packed inside ELF executables is uncommon and more complex than the average server threat.”

Key findings in the analysis include:

  • Perl scripts were packed inside ELF binaries written in assembly language, showing a higher level of sophistication than average
  • A total of 8,867 unique IP addresses were seen in our sinkhole over a 7-month period
  • The highest number of unique IP addresses seen in a single day is as high as 3,292
  • Mumblehard has been active since at least 2009
  • Among the compromised machines, web servers are the most susceptible to being infected
  • There is a strong link between Mumblehard and Yellsoft, an online company selling software to send bulk e-mail messages

“Victims should look for unsolicited cronjob entries for all the users on their servers. This is the mechanism used by the Mumblehard backdoor to activate the backdoor every 15 minutes.” the researchers noted.

“The backdoor is usually installed in /tmp or /var/tmp. Mounting the tmp directory with the noexec option prevents the backdoor from starting in the first place.”

A detailed white paper on Mumblehard is available here (PDF).

Original post:

How To Customize and Recompile Your Kernel on FreeBSD 10.1

This tutorial by Michael Ragusa of DigitalOcean shows us how to customize and recompile your kernel on FreeBSD 10.1.

Original link:


The FreeBSD operating system utilizes the GENERIC kernel by default. This is a default configuration used to support a large variety of hardware out of the box. However, there are many different reasons for compiling a custom kernel, which include security, enhanced functionality, or better performance.

FreeBSD utilizes two branches of code for its operating system: stable and current. Stable is the current code release that is that is production ready. Current is the latest code release from the development team and has some of the latest bleeding edge features but is more prone to bugs and system instability. This guide will utilize the stable branch.

In this tutorial, we will recompile a FreeBSD kernel with a custom configuration.


To follow this tutorial, all you will need is:

  • One FreeBSD 10.1 Droplet.

If you’re new to FreeBSD, you can check out the Getting Started with FreeBSD series of tutorials.

Step 1 — Obtaining the Source Code

[Read more…]

HOWTO: FreeBSD 10.1 amd64 UEFI boot with encrypted ZFS root using GELI

FreeBSD user asteriskRoss shows us how to get amd64 UEFI boot (with encrypted ZFS root) working in FreeBSD 10.1 using GELI.

In this HOWTO, we’ll walk through installing FreeBSD 10.1-RELEASE as the sole operating system on a UEFI-enabled amd64/x86-64 PC to a single hard disk, with all except the /boot directory installed to a ZFS pool encrypted using geli(8).

The /boot directory will reside on an unencrypted UFS partition.

If you’re reading this for a later version of FreeBSD then it will probably work, but there may be a better and easier way of achieving the same goal. FreeBSD 10.1 was the latest release at time of writing.

Understanding technical limitations
UEFI support was added to FreeBSD in the 10.1 release for the amd64 architecture, but has some limitations:

  • It only supports booting from a UFS partition (that is, not ZFS)
  • It does not support UEFI Secure Boot.

PC manufacturers’ implementations of UEFI vary in quality. During the transition from legacy BIOS booting to UEFI, many manufacturers include a method of booting from both. This might be configurable or the firmware may decide which one to use based on the disk partitioning type (MBR or GPT) or presence of boot sector code. Even if your PC supports UEFI, implementation issues may prevent this method working for you.

The configuration described here is not compatible with the ZFS Boot Environment management utilities sysutils/beadm or manageBE, since both of these make assumptions about the filesystem layout that aren’t true here.

If you’re using an SSD, you should know that geli(8), which we are using here for encryption, doesn’t yet support TRIM, which will unfortunately have implications for your write performance.

A brief discussion on risk mitigation, disk encryption and GELI
This is not a HOWTO on different disk encryption techniques but you should understand what protection this configuration offers and what it doesn’t. When designing security, it is important to keep in mind whom you are defending against. In this configuration, I’m aiming to prevent someone reading my data if I lose the computer (all too common for laptops) or if it is stolen by a thief more interested in selling the hardware for cash than for any secrets on the hard disk. I am not looking to protect my data from espionage level attacks or from covert modification.

Encrypting information on a disk protects an attacker from accessing it “at rest”, that is, when the computer is powered off. It offers no protection at all against attacks while the computer is powered on and you have made that information available in its decrypted (plain text) form. This is true for all disk encryption. The configuration described here has further shortcomings. Secure Boot is disabled, the kernel and its modules are available in unencrypted form on the disk and I will be using GELI without enabling data authentication. This means that if someone sneaky wants to plant attack software on the machine, conduct an “evil maid” style attack or even modify the encrypted data so it decrypts to something different, they can and you won’t know about it.

If I had different requirements, I would consider putting my UEFI boot files and kernel on a removable disk that I kept with me, enabling data integrity verification for my GELI partition, encrypting with AES 256-bit keys rather than 128-bit, physically securing my PC and making it tamper evident, locking down the firmware configuration, rewriting the UEFI bootloader to support Secure Boot, using a PC with a TPM chip, reviewing the FreeBSD source code, never connecting my computer to the Internet, installing an alarm system in my office, training an attack dog to guard my computer… you get the idea. You can hire me for security consultancy or attack dog training at competitive rates but for now, let’s get on with the show.

Full tutorial:

A Closer Look at FreeBSD

FreeBSD user speaks about the history of the operating system, its uses, as well as what’s in store for the future.

Original post:

Takeaway: FreeBSD is widely used in numerous everyday application.

A Closer Look at FreeBSD
Despite its age, it still pops up in places you wouldn’t expect. If you use an Apple device, chat on WhatsApp or watch a movie on Netflix, you’re interacting with FreeBSD. Here we take a look at this Unix-like operating system.


FreeBSD has its roots in the original BSD version of Unix that was first created in 1977 by Bill Joy, who would later co-found Sun Microsystems. We’ve covered the history of BSD in general in detail in another article.

FreeBSD, as well as all the other major BSD variants, including NetBSD, are descended from 386BSD, the first BSD version to run on PC hardware. For various reasons William Jolitz, the creator of 386BSD, stalled on the project. Other groups stepped in with their own modifications, known as “patchkits.” The group that would become FreeBSD was one of them.

A lawsuit by AT&T asserting copyright over the BSD code distracted the community, but the terms were worked out and FreeBSD moved to the BSD 4.4 “Lite” codebase that had no AT&T code in version 2.0.

FreeBSD got a lot of attention in the ’90s, being used to run a number of ISPs and websites. Yahoo was a notable user. The current version of FreeBSD is 10, and it’s still going strong, even as the computer world has changed.


[Read more…]

Microsoft’s CoreCLR Now Works On FreeBSD

Microsoft has recently made CoreCLR to work on FreeBSD.

microsoftIt was back in February that Microsoft open-sourced CoreCLR, the execution engine of the core .NET stack. Besides coming to Linux and other platforms, this MIT-licensed engine has now been ported and is working for FreeBSD.

As of this week the CoreCLR code can now produce a working build on FreeBSD and are setting up FreeBSD as part of their continuous integration infrastructure to ensure the FreeBSD support remains in top condition moving forward.

Details on this feat are mentioned via this GitHub issue report and this milestone comes just one month after they were organizing a FreeBSD port team.

You can find the discussion here, as well as follow the updates on Github.

Original post:

How to set up FreeBSD 10.1 as a Domain Controller

FreeBSD user KENNETH ENZ shows us how to get FreeBSD 10.1 set up as a domain controller.

Getting FreeBSD and Samba configured to function as a domain controller similar to Active Directory is a straightforward process. After installation & configuration of the server, a Windows 8.1 machine is added to the newly created domain.

For more tutorials by KENNETH ENZ:

Jailed ownCloud in FreeBSD

FreeBSD user gnugr shows us how to get ownCloud set up in a FreeBSD jail.

Original post:


owncloud | ezjail | jails | freebsd | nginx
Moving to FreeBSD

I’ve had a ownCloud installation running for a good year or so on my unRAID server. As for ownCloud itself, I’ve been very happy with it. Managing non-unRAID things on unRAID though… not so fun. With that said, I’ve decided to move my installation to a FreeBSD 10.1 based system running on a Mac Mini. This box already services some minor things such as Murmur for our World of Warcraft guild The ORLY Factor, Git, etc. but is nearly idle most of the time.

Jail It!

A great feature of FreeBSD is jails. With a jail you can isolate an environment from the rest of the system such that if it comprimised, the rest of the system is not. Installations do not much with each other as well. All great stuff — lets put ownCloud in a jail!


For jail management I choose ezjail. This makes working with jails… er, a bit eaezsier.

Install & Prepare ezjail

I did not have ezjail already installed. Below are the steps I took to get ezjail installed and prepped on the system:

Install (alternatively, cd /usr/ports/sysutils/ezjail && make install clean):

sudo pkg install ezjail
Create a base jail & update it:

sudo ezjail-admin install -sp
sudo ezjail-admin update -P
A few entries need added to /etc/rc.conf:

[Read more…]