The Wombelix Post - FreeBSD

FreeBSD 13 Base System OpenSSH Server Hardening

2022-03-17T00:00:00+01:00

Default sshd configs tend to focus more on compatibility instead security. Therefore hardening should be one of the first things after setup a new system.

I'm using the OpenSSH Daemon which comes with the FreeBSD Base System. When you want to use the openssh-portable port instead, skip Step 3, the rest should be identical.

Step 1) Delete existing host keys, generate new rsa and ed25519 key:

rm /etc/ssh/ssh_host_*
ssh-keygen -q -t rsa -b 4096 -f ssh_host_rsa_key -N ""
ssh-keygen -q -t ed25519 -f ssh_host_ed25519_key -N ""

Step 2) Create new Diffie-Hellman groups and avoid small moduli

ssh-keygen -G moduli-3072.candidates -b 3072
ssh-keygen -T moduli-3072 -f moduli-3072.candidates
mv moduli-3072 /etc/ssh/moduli
rm moduli-3072.candidates

Step 3) Disable DSA and ECDSA host keys, only use RSA and ED25519

sysrc sshd_dsa_enable="NO"
sysrc sshd_ecdsa_enable="NO"
sysrc sshd_ed25519_enable="YES"
sysrc sshd_rsa_enable="YES"

Step 4) Optimize /etc/ssh/sshd_config, improve security, restrict allowed key exchange, cipher and MAC algorithms

# Hardening
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com

# Security
PermitRootLogin no
AuthenticationMethods publickey
ChallengeResponseAuthentication no
UsePAM no
VersionAddendum none
X11Forwarding no
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/sftp-server

Run service sshd restart to apply the new settings, to verify the results of your hardening, you can use the CLI Tool ssh-audit which is also available as Online Version.

Following a Custom Policy for ssh-audit based on the above recommendations:

name = "Custom Policy - FreeBSD 13 Base System OpenSSH Daemon (2022/03/17)"
version = 1
dh_modulus_size_diffie-hellman-group-exchange-sha256 = 2048
host keys = ssh-ed25519
key exchanges = curve25519-sha256, curve25519-sha256@libssh.org, diffie-hellman-group16-sha512, diffie-hellman-group18-sha512, diffie-hellman-group-exchange-sha256
ciphers = chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-gcm@openssh.com, aes256-ctr, aes192-ctr, aes128-ctr
macs = hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, umac-128-etm@openssh.com

Copy the policy into a file and run ssh-audit -P=<policy.txt> <servername>. The result should be similar to following example without warnings or errors:

# general
(gen) banner: SSH-2.0-OpenSSH_8.8
(gen) software: OpenSSH 8.8
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) curve25519-sha256                     -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
(kex) curve25519-sha256@libssh.org          -- [info] available since OpenSSH 6.5, Dropbear SSH 2013.62
(kex) diffie-hellman-group16-sha512         -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512         -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group-exchange-sha256 (2048-bit) -- [info] available since OpenSSH 4.4

# host-key algorithms
(key) ssh-ed25519                           -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com         -- [info] available since OpenSSH 6.5
                                            `- [info] default cipher since OpenSSH 6.9.
(enc) aes256-gcm@openssh.com                -- [info] available since OpenSSH 6.2
(enc) aes128-gcm@openssh.com                -- [info] available since OpenSSH 6.2
(enc) aes256-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                            -- [info] available since OpenSSH 3.7
(enc) aes128-ctr                            -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

# message authentication code algorithms
(mac) hmac-sha2-256-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com         -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com              -- [info] available since OpenSSH 6.2

# fingerprints
(fin) ssh-ed25519: SHA256:uN9Oton+VmLL793KirVFB+ilD3Bndra4I/3yFntgX8k

# algorithm recommendations (for OpenSSH 8.8)
(rec) +diffie-hellman-group14-sha256        -- kex algorithm to append
(rec) +rsa-sha2-256                         -- key algorithm to append
(rec) +rsa-sha2-512                         -- key algorithm to append

Sources:

https://ozgurkazancci.com/ssh-server-security-audit-hardening-freebsd (Archive: [1], [2])
https://gist.github.com/koobs/e01cf8869484a095605404cd0051eb11 (Archive: [1], [2])
https://www.ssh-audit.com/hardening_guides.html (Archive: [1], [2])

Now available as Onion Service through the Tor Network

2022-03-13T00:00:00+01:00

I'm happy to announce that this site is also published as Onion Service from now on, which means a focus on privacy, security, freedom and support for the Tor Project as well as a statement against censorship.

The new Tor URL: http://2xwpdwnzmag3ewobwsdewpor4gmca4d5gltviol3u6upihb6m6m6xaad.onion

Also it was fun to setup ;) To ensure the right URLs are used, I decided to publish two versions, which was quite a simple task by adjusting a few lines in my Pelican configs.

The Tor Service is running on the same FreeBSD Jail as my (static) site and nginx, let me share some technical details.

Installing Tor is straight forward, just run pkg install tor and sysrc tor_enable="YES".

Two lines in /usr/local/etc/tor/torrc are enough to enable a new Onion Hidden Service:

HiddenServiceDir /var/db/tor/keys/<website>/
HiddenServicePort 80 unix:/var/run/tor-<website>.sock

For nginx I adjusted the existing https config to publish the Onion-Location (Archive: [1], [2]) header, which will advertise the .onion URL of this Site to visitors that are using the Tor Browser.

The Onion URL can be found in /var/db/tor/keys/<website>/hostname.

server {
        listen 443 ssl http2;
        # Tor unrelated config omitted
        add_header Onion-Location http://<onion_url>$request_uri;
}

As recommend in the Tor Setup Guide (Archive: [1], [2]) I added an additional server section and use a unix socket to listen for Tor requests.

server {
        listen unix:/var/run/<website>.sock;
        # Tor unrelated config omitted
        server_name <onion_url>;
        root <path_to_web_document_root>;
}

From a Pelican perspective, I created a second publishconf to set the SITEURL to my <onion_url> and adjusted the Makefile a little to upload the regular and the tor version at once.

Following the additions on top of the standard Makefile when installing Pelican.

PUBLISHCONF_TOR=$(BASEDIR)/publishconf_tor.py
SSH_TARGET_DIR_TOR=<path_to_web_document_root>

# Tor unrelated config omitted

rsync_upload_tor: publish_tor
        rsync -e "ssh -p $(SSH_PORT)" -P -rvzc --include tags --cvs-exclude --delete "$(OUTPUTDIR)"/ "$(SSH_USER)@$(SSH_HOST):$(SSH_TARGET_DIR_TOR)"

rsync_upload_all: rsync_upload rsync_upload_tor

Last step was to start the tor service service tor start, apply the new nginx config service nginx reload and to publish the site make rsync_upload_all.

Pagure on FreeBSD in Bastille powered Jail - Part 1

2021-03-13T00:00:00+01:00

A few months ago I started experimenting with FreeBSD and Jails managed by Bastille.

And tbh, I love it, simple, lightweight, it's just fun to work with, but that's a different Story for future Posts ;)

More important, I wanted to start self-host my Git repositories and to use Github, Gitlab, Codeberg and Notabug primary as Mirror. That should improve the visibility, compared to only self-hosting and help to reach potential contributors, independent of the Platform.

So I decided to setup Pagure, it's written in Python and seem to be the only Solution, that support pull requests from remote repositories.

But just installing the RPM Packages on a Supported OS like openSUSE or Fedora would be too easy ;)

This Project was therefore the perfect candidate, to get some more Hands on Experience with FreeBSD and Bastille.

I created a new Jail, mounted the Ports Tree from my FreeBSD Host and connected to the new Instance.

bastille create pagure 12.2-RELEASE 172.31.255.30 bastille0
bastille mount pagure /usr/ports /usr/ports nullfs rw 0 0
bastille console pagure

Based on the Pagure Documentation and some research, I installed the following packages:

pkg install git libgit2 python3-3_3 apache24-2.4.46 py37-pip-20.2.3 py37-wheel-0.30.0_1 wget py37-pillow-7.0.0 py37-Flask-1.1.2 vim-tiny

The available libgit2 Port was to old and due to some further dependencies, an official update wasn't available yet, so I had to update it on my own. Further reading: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252098

/usr/ports/devel/libgit2/Makefile.patch

--- Makefile.orig       2021-03-10 23:58:49.921923000 +0100
+++ Makefile    2021-03-11 00:13:22.452236000 +0100
@@ -6,7 +6,7 @@
 # Tools/scripts/search_lib_depends_and_bump.sh devel/libgit2

 PORTNAME=      libgit2
-PORTVERSION=   1.0.1
+PORTVERSION=   1.1.0
 CATEGORIES=    devel
 MASTER_SITES=  https://github.com/libgit2/libgit2/releases/download/v${PORTVERSION}/

@@ -37,7 +37,7 @@
 .if ${SSL_DEFAULT} == base
 post-patch:
        @${REINPLACE_CMD} -e "/LIBGIT2_PC_REQUIRES.*openssl/ d" \
-               ${WRKSRC}/cmake/Modules/SelectHTTPSBackend.cmake
+               ${WRKSRC}/cmake/SelectHTTPSBackend.cmake
 .endif

 do-test:

Patch applied, compiled and installed:

patch -u -b Makefile -i Makefile.patch
make makesum
make install clean

Pagure Release 5.13.2 build and installed

cd
mkdir src
cd src
git clone https://pagure.io/pagure.git
cd pagure
git checkout -b 5.13.2 e1a8b5e4a2a347ab29de7cc21d9d2c89f55dd076

python3 setup.py build
python3 setup.py install

I wrote a little helper Script, to create some necessary folder structures and copy config files to the right location.

#!/bin/sh
mkdir -p /usr/local/etc/pagure
mkdir -p /usr/local/share/pagure

cp pagure/files/pagure.cfg.sample /usr/local/etc/pagure/pagure.cfg
cp pagure/files/alembic.ini /usr/local/etc/pagure/alembic.ini
cp pagure/files/pagure-apache-httpd.conf /usr/local/etc/apache24/Includes/pagure.conf
cp pagure/files/pagure.wsgi /usr/local/share/pagure/pagure.wsgi
cp pagure/createdb.py /usr/local/share/pagure/pagure_createdb.py

mkdir -p /usr/local/www/apache24/data/releases
chown git:git /usr/local/www/apache24/data/releases

mkdir -p /usr/local/git/repositories/{docs,forks,tickets,requests,remotes}

Dedicated Git User and Group created, would be cool in one single command, but that's not yet implemented

pw group add -n git
pw user add -n git -d /usr/local/git -c "Pagure Git User" -g git

That's all I have so far, unfortunately there wasn't enough time to finish the Installation.

Next Step based on the Pagure Install Guide is to set specific ACLs, but the syntax between Linux and FreeBSD differ, first I have to figure out how to adapt them.

Also there might be further adjustments required until Pagure is working as expected and behave similar as on a Linux system.

As soon I find some time to proceed, I will publish Part 2.