Building a Server from Scratch with FreeBSD (part 1)

Friday, March 18, 2011

1. Kernel optimisation
The first thing to look at after installation is building a custom kernel.
Remove the devices you do not need: NIC drivers for cards you do not have, PCMCIA, and so on. In particular:
1. Disable IPv6
2. Disable NFS

For the firewall, the following options can be added to the kernel config. Pick one firewall (ipfw, ipfilter or pf) rather than building all three; the options for each are:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPFILTER
options IPFILTER_LOG

#### PF OPTION ####
device pf
device pflog
device pfsync

Note that IPFIREWALL_DEFAULT_TO_ACCEPT turns ipfw's built-in last rule (65535) from deny into allow: if your rule script fails to load, the box is wide open. Leave it out, or at least end your ruleset with an explicit deny, if you want a default-deny firewall.
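A concrete kernel config in this style, added here as an example and not taken from the post. It uses config(8)'s include/nooptions/nodevice so the file is only the delta against GENERIC; the ident SERVER and the exact device list are assumptions, so compare against the GENERIC of your release before building (removing a device that another one depends on breaks the build):

```conf
# /usr/src/sys/amd64/conf/SERVER   (added example; ident and device list are assumptions)
include GENERIC
ident   SERVER

# 1. no IPv6
nooptions INET6

# 2. no NFS client, server, lock daemon or root-over-NFS
nooptions NFSCLIENT
nooptions NFSSERVER
nooptions NFSLOCKD
nooptions NFS_ROOT

# filesystems a server never mounts
nooptions MSDOSFS
nooptions CD9660

# laptop hardware: PC Card / CardBus bridge and the 802.11 stack with its drivers
# (the list below matches the wireless block of the 8.x GENERIC; check yours)
nodevice  cbb
nodevice  pccard
nodevice  cardbus
nodevice  wlan
nodevice  wlan_wep
nodevice  wlan_ccmp
nodevice  wlan_tkip
nodevice  wlan_amrr
nodevice  an
nodevice  ath
nodevice  ath_hal
nodevice  ath_rate_sample
nodevice  ral
nodevice  wi
# add a nodevice line for every wired NIC driver in GENERIC that this box lacks

# one firewall only: pf here, so none of the IPFIREWALL / IPFILTER options
device    pf
device    pflog
device    pfsync
```

Build with `cd /usr/src && make buildkernel KERNCONF=SERVER && make installkernel KERNCONF=SERVER`, keep the old kernel under /boot/kernel.old, and confirm after reboot with `ifconfig -a` and `kldstat` that nothing you still need has vanished.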


2. Setting up sshd
ee /etc/ssh/sshd_config

Port 1234
Protocol 2
MaxAuthTries 2
MaxSessions 8
PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
UseDNS no
Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
AllowUsers user1 user2

Moving the port only cuts the log noise from scanners; the setting that actually shrinks the attack surface is key-only login (PubkeyAuthentication yes together with PasswordAuthentication no and ChallengeResponseAuthentication no), which the list above does not yet include. Check the file with `sshd -t` before restarting sshd, and keep your current session open until a fresh login succeeds.
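A small audit script for the configuration above, added here as an example (it is not part of the post). It matters how the file is read: sshd uses the first occurrence of a keyword and ignores later ones, except for list keywords such as AllowUsers, which accumulate, and anything after a Match line applies only conditionally. The defaults assumed for unset keywords are those of OpenSSH 5.x, which FreeBSD 8 shipped; the sample config is constructed from the post's settings:

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# hardening settings discussed above. First occurrence of a keyword wins, as in
# sshd; AllowUsers is cumulative; lines after "Match" are not considered.

# effective_value FILE KEYWORD -> prints the first active value ("" if unset)
effective_value() {
    awk -v kw="$2" '
        /^[ \t]*#/                 { next }   # comment
        /^[ \t]*$/                 { next }   # blank line
        tolower($1) == "match"     { exit }   # conditional section starts
        tolower($1) == tolower(kw) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one finding per line, returns 1 if any.
# Each spec is keyword:required value:value sshd assumes when the keyword is unset.
audit_sshd_config() {
    _f="$1"; _rc=0
    for _spec in "Protocol:2:2" \
                 "PermitRootLogin:no:yes" \
                 "PasswordAuthentication:no:yes" \
                 "ChallengeResponseAuthentication:no:yes" \
                 "PubkeyAuthentication:yes:yes" \
                 "PermitEmptyPasswords:no:no"; do
        _kw="${_spec%%:*}"; _rest="${_spec#*:}"
        _want="${_rest%%:*}"; _default="${_rest#*:}"
        _got="$(effective_value "$_f" "$_kw" | tr 'A-Z' 'a-z')"
        [ -n "$_got" ] || _got="$_default"
        if [ "$_got" != "$_want" ]; then
            echo "$_kw: want $_want, effective value is $_got"; _rc=1
        fi
    done
    # AllowUsers accumulates over lines; if it never appears, every account may try
    _users="$(awk '/^[ \t]*#/ { next } tolower($1) == "match" { exit }
                   tolower($1) == "allowusers" { $1 = ""; printf "%s", $0 }' "$_f")"
    [ -n "$_users" ] || { echo "AllowUsers: unset, every local account may log in"; _rc=1; }
    return $_rc
}

# Constructed sample: the post's configuration, then the same file with the
# two password-related keywords appended (appending works because neither
# keyword appears earlier, so the appended line is the first occurrence).
weak_cfg="$(mktemp)"; fixed_cfg="$(mktemp)"
trap 'rm -f "$weak_cfg" "$fixed_cfg"' EXIT
cat > "$weak_cfg" <<'EOF'
Port 1234
Protocol 2
MaxAuthTries 2
PermitRootLogin no
#PubkeyAuthentication yes
PermitEmptyPasswords no
UseDNS no
Subsystem sftp /usr/libexec/sftp-server
AllowUsers user1
AllowUsers user2
EOF
{ cat "$weak_cfg"; echo "PasswordAuthentication no"; echo "ChallengeResponseAuthentication no"; } > "$fixed_cfg"

echo "== post's config =="
audit_sshd_config "$weak_cfg" || echo "(findings above)"
echo "== with password login disabled =="
audit_sshd_config "$fixed_cfg" && echo "no findings"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` after `sshd -t` has confirmed the syntax; the two together catch the common mistake of adding a hardening line below an earlier, weaker occurrence of the same keyword.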


3. Setting up ttys
Edit /etc/ttys: leave the console marked insecure (init then asks for the root password before dropping to single-user mode), switch off the virtual terminals you do not use, and keep xdm off on a server.
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none unknown off insecure
#
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on secure
ttyv2 "/usr/libexec/getty Pc" cons25 on secure
#ttyv3 "/usr/libexec/getty Pc" cons25 on secure
#ttyv4 "/usr/libexec/getty Pc" cons25 on secure
#ttyv5 "/usr/libexec/getty Pc" cons25 on secure
#ttyv6 "/usr/libexec/getty Pc" cons25 on secure
#ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure

Advice from Dru Lavigne:

Kernel
• does this system really need IPv6 support?
• do I really want NFS (and its inherent security risks) on an Internet facing server?
• should I be loading filesystems I'll never use? (e.g. DOS, CD9660)
• do I need SCSI drivers on a non-SCSI system?
• do I need hardware RAID drivers if I'm using software RAID?
• do I really need to load dozens of NIC drivers if I always buy the same brand of NIC?
• do I need PCMCIA or wireless support on a non-laptop system?
• will I be using USB or Firewire?

Backups
There are many tools available to create a custom backup solution, ranging from built-in FreeBSD utilities to third-party software applications available through the ports collection. In a more complex scenario you may wish to investigate:
• bacula http://www.bacula.org
• rsnapshot http://www.rsnapshot.org
• boxbackup http://www.fluffy.co.uk/boxbackup/

General Hardening Tips
• restricting ssh access using the AllowUsers keyword in /etc/ssh/sshd_config
• using chflags to set the schg flag on system binaries and configuration files that don't require modifications
• implementing a file integrity checking system such as tripwire (http://www.tripwire.com), aide (http://www.cs.tut.fi/~rammer/aide.html) or implementing your own using mtree
• changing /etc/motd, adding an ssh banner, and removing the COPYRIGHT notice
• subscribing to the FreeBSD security advisories mailing list (http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications)
• reviewing mount(8) to see if any options are applicable to your filesystems
• reviewing your sysctl(8) settings; http://sysctl.enderunix.org/ provides some helpful descriptions
• reviewing your rc.conf(5) settings
Finally, do:
• read root's emails daily and have a log review action plan
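The chflags and mtree tips above fit together: the schg flag stops a file from being changed (and at kern.securelevel 1 or higher, set via kern_securelevel_enable="YES" and kern_securelevel="1" in rc.conf, not even root can clear it until a reboot), while an integrity check tells you when something was changed anyway. The following is an added example, not from the post or from Dru Lavigne's notes, of the "implement your own" variant. On FreeBSD the native tool is mtree (`mtree -c -K sha256digest -p /usr/sbin > /root/usr-sbin.spec` for the baseline, `mtree -p /usr/sbin < /root/usr-sbin.spec` to verify); the script uses only sha256/sha256sum, find and diff so it also runs where mtree is absent, on a constructed demo tree:

```shell
#!/bin/sh
# Added example (not from the original post): a minimal file-integrity check in
# the spirit of the mtree tip. Keep the baseline off the box, or on a file with
# the schg flag set at kern.securelevel >= 1; otherwise an intruder who replaces
# a binary can simply regenerate the manifest.

file_digest() {                      # SHA-256 hex digest of $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"               # FreeBSD base utility
    fi
}

# build_manifest DIR -> one "digest<TAB>path" line per regular file, sorted by path
build_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r p; do
        printf '%s\t%s\n' "$(file_digest "$p")" "$p"
    done )
}

# verify_manifest DIR MANIFEST -> prints one line per deviation, returns 1 if any.
# A modified file shows up as MISSING-OR-CHANGED (old digest) plus
# ADDED-OR-CHANGED (new digest) for the same path; a deleted file only as the
# former, a dropped file only as the latter.
verify_manifest() {
    _diff="$(build_manifest "$1" | diff "$2" - | grep '^[<>]')" || true
    [ -z "$_diff" ] && return 0
    printf '%s\n' "$_diff" | sed 's/^< /MISSING-OR-CHANGED /; s/^> /ADDED-OR-CHANGED /'
    return 1
}

# Constructed demo tree standing in for a directory of system binaries.
demo="$(mktemp -d)"; baseline="$demo.manifest"
trap 'rm -rf "$demo" "$baseline"' EXIT
mkdir -p "$demo/sbin"
printf 'original sshd\n'  > "$demo/sbin/sshd"
printf 'original login\n' > "$demo/sbin/login"
build_manifest "$demo" > "$baseline"

verify_manifest "$demo" "$baseline" && echo "clean"
printf 'trojaned login\n' > "$demo/sbin/login"   # simulate a replaced binary
printf 'x\n' > "$demo/sbin/rootkit"               # and a dropped file
verify_manifest "$demo" "$baseline" || echo "deviations found"
```

In production, take the baseline right after installation and after each patch, run the verification from cron and mail the output to root, which is exactly the daily root mail the last tip tells you to read.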

Lusca/cacheboy

Thursday, March 03, 2011

I'm still trying cacheboy but haven't got the TPROXY part working yet because my machine is AMD. Googling turned up the following article; hopefully it is useful.
Taken from: http://hikmah-teknologi.blogspot.com/

LUSCA TPROXY on FREEBSD-7-STABLE
Patch the kernel (the squid-proxy-pkg project lived on Google Code, which was shut down in 2016, so these URLs no longer serve the files; the steps are kept as written):
cd /usr/src
fetch http://squid-proxy-pkg.googlecode.com/files/freebsd-tproxy-sys.patch
patch -p0 < freebsd-tproxy-sys.patch

In the kernel config /sys/i386/conf/PROXY:
options IP_NONLOCALBIND
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_NAT
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options LIBALIAS

# tuning options for squid
options VFS_AIO
options MAXFILES=262144
options MSGMNB=32768
options MSGMNI=82
options MSGSEG=4096
options MSGSSZ=128
options MSGTQL=2048
options SHMSEG=32
options SHMMNI=256
options SHMMAX=4194304
options SHMALL=16384
makeoptions COPTFLAGS="-O2 -pipe"
makeoptions NO_MODULES=yes

Leave COPTFLAGS at -O2 -pipe: other values are unsupported for kernel builds, and -ffast-math in particular changes floating-point semantics. Remember also that IPFIREWALL_DEFAULT_TO_ACCEPT means anything your rule script does not handle is passed.

Build and install the kernel, then reboot into it:
cd /usr/src
make buildkernel KERNCONF=PROXY && make installkernel KERNCONF=PROXY

In /etc/sysctl.conf:
net.inet.ip.nonlocalok=1

cp /usr/src/sys/netinet/in.h /usr/include/netinet


Install squid (Lusca with the TPROXY patch):
pkg_add -v http://squid-proxy-pkg.googlecode.com/files/lusca-with-tproxy-r14371_3.tbz

In /usr/local/etc/squid/squid.conf:

http_port XXX.INTERNAL.IP.XXX:3128 transparent tproxy


# em0 -> External interface (to the MikroTik)
# em1 -> Internal interface (to the clients)

In /etc/ipfw.tproxy:
ipfw add fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to any 80 in via em1 # default rule to transparent proxy
ipfw add fwd 192.168.1.1 tcp from any 80 to 192.168.1.0/24 in via em0 # catch the packets that come back using the clients' IPs

In rc.conf:
gateway_enable="YES"
ifconfig_em0="192.168.0.1 255.255.255.252"
ifconfig_em1="192.168.1.1 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.tproxy"
firewall_type="open"
firewall_logging="YES"

Note that firewall_type is ignored here: when firewall_script points at your own file, /etc/rc.firewall is never run, so the two fwd rules above are the entire ruleset and everything else is passed by the kernel's default-to-accept rule.

fsck_y_enable="YES"
background_fsck="NO"

squid_enable="YES"
# dnsmasq is used here instead of bind

dnsmasq_enable="YES"
dnsmasq_flags="--conf-file=/usr/local/etc/dnsmasq.conf"

And don't forget, on the router upstream, to set up NAT and static routes for the addresses behind the proxy: with TPROXY the packets leaving em0 carry the clients' 192.168.1.0/24 source addresses, so the MikroTik needs a route for that network via 192.168.0.1 and must NAT it, otherwise the replies never come back.

Tproxy

Wednesday, March 02, 2011

Back to proxies, squid in particular. It turns out there is also something called cacheboy.
Cacheboy (since renamed Lusca) is an optimised fork of squid 2 stable; the simple way to think of it is as a modded squid 2. Installing it from ports offers many options to enable or disable, and since I have not touched squid for a long time I had to look up what they do. Among others:

1. Delay pools: used for bandwidth limiting
2. AUFS and COSS: the storage types squid can use for its on-disk cache
3. PF and IPF transparent: enables support for the PF or IPF firewall for transparent proxying
4. Enable Tproxy: enables TPROXY.

An explanation of TPROXY found online:

Transparent Proxy (TProxy)

Tproxy is a truly transparent proxy. A transparent proxy, or more precisely an interception proxy, is one that becomes transparent to the clients by transparently intercepting the http requests and serving the response, which means the client need not be explicitly configured to use the proxy; requests are transparently sent to the proxy without the client's knowledge. Since the interception proxy forwards the request on behalf of the client, the web server sees the source of the request as the proxy, and hence it is not transparent to the web server.

The tproxy feature comes in to solve this issue and makes the proxy transparent to both the client and the web server. However, the interception and/or tproxy feature requires kernel support and the packet redirection feature of the operating system.


Note: To make it still more transparent, the proxy should be configured not to add any extra headers while forwarding the request and serving the response.

Roughly, in my own words:

TPROXY is transparent proxying in the full sense. A transparent (or, more precisely, intercepting) proxy works by catching the clients' HTTP traffic transparently: nothing has to be configured on the client, its browsing goes through the proxy whether it wants to or not.

Because the proxy catches the packets and then opens its own connection to the destination web server, what the destination sees is the proxy's IP address, not the client's.

TPROXY is the key to this: the proxy sends its upstream requests with the client's own source address, so the next hop sees per-client addresses. Behind a NAT router such as the MikroTik in the previous post the web server still sees the router's public IP; what TPROXY preserves is the client address on the proxy-to-router leg, which is what per-client accounting and shaping on the router need. The feature needs support in the OS kernel (IP_NONLOCALBIND and net.inet.ip.nonlocalok on the patched FreeBSD 7 above). For the header half of the note, squid.conf has via off and forwarded_for off.

Installing an NTP server on FreeBSD

Tuesday, March 01, 2011

This is easy. Just install ntp from ports (net/ntp; the base system also ships an ntpd).
Then:
# ee /etc/ntp.conf
server 3.id.pool.ntp.org
server 0.asia.pool.ntp.org
server 2.asia.pool.ntp.org

driftfile /var/db/ntp.drift

Save /etc/ntp.conf with the configuration above. Enable the daemon in /etc/rc.conf with ntpd_enable="YES" (without it the rc script refuses to start ntpd), then start it with

/etc/rc.d/ntpd start

Then run
ntpdate -d localhost

If the message is "no server suitable for synchronization found", wait 10 to 15 minutes and try again until it synchronises, like this:

1 Mar 14:01:36 ntpdate[19223]: step time server localhost offset -225.715219 sec

ntpq -p shows the same thing continuously: the peer marked with * is the one the clock is currently steered by.

Don't forget UDP port 123: outbound to the pool servers always, inbound only if this machine is meant to serve time to other hosts, and in that case limit who may query it with restrict lines in ntp.conf.
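A hardened /etc/ntp.conf for the same setup, added here as an example (it is not the post's file). iburst shortens the initial synchronisation the post waits 10 to 15 minutes for, and the restrict lines stop ntpd answering control queries from the network, which is what makes an unrestricted ntpd usable as a UDP amplifier; the servers are the post's, everything else is an assumption:

```conf
# /etc/ntp.conf  (added example; restrict policy is an assumption)
server 3.id.pool.ntp.org   iburst
server 0.asia.pool.ntp.org iburst
server 2.asia.pool.ntp.org iburst
driftfile /var/db/ntp.drift

# Remote hosts may neither change this daemon's state (nomodify, notrap, nopeer)
# nor read it with ntpq/ntpdc (noquery); kod rate-limits abusive clients.
# Ordinary time replies from the servers above are still accepted.
restrict default kod nomodify notrap nopeer noquery

# The box itself keeps full access, so "ntpq -p" and "ntpdate -d localhost" work.
restrict 127.0.0.1

# If this host is to serve time to the LAN, allow time requests but nothing else:
# restrict 192.168.1.0 mask 255.255.255.0 kod nomodify notrap nopeer noquery
```

Pair it with ntpd_sync_on_start="YES" in rc.conf (ntpd is then started with -g and may make the large first step itself), and the manual ntpdate run becomes unnecessary. With the kernel built without INET6, add no `restrict -6` lines.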