Secure Kernel Source

From FreeBSDwiki

The following are changes you can make in the kernel configuration source to tighten up security. To disable a statement, prefix it with # to turn it into a comment, or delete the statement altogether.


At the top of the file is the following statement.

options INET6

IPv6 is a developmental protocol; if you are not deliberately testing this protocol, it should be disabled.


This is followed by the memory disk root option, which allows an operating system image to be placed in memory and run from there.

options MD_ROOT


A few lines further down are the network filesystem options. Comment these out to disable them.

options NFSCLIENT
options NFSSERVER
options NFSLOCKD
options NFS_ROOT


Comment out the following device because you disabled IPv6 earlier.

device faith


The following options provide binary compatibility with older FreeBSD releases; comment them out unless you run binaries built for those releases.

options COMPAT_FREEBSD4
options COMPAT_FREEBSD5
options COMPAT_FREEBSD6
options COMPAT_FREEBSD7


Add the following statements.

options TCP_DROP_SYNFIN
Adds support for ignoring TCP packets with both SYN and FIN set. This prevents nmap from identifying the TCP/IP stack.


options ICMP_BANDLIM
Enables ICMP error response bandwidth limiting, which helps protect against DoS packet attacks.


options RANDOM_IP_ID
Causes the ID field in IP packets to be randomized instead of incremented by 1 with each packet generated. This closes a minor information leak which allows remote observers to determine the rate of packet generation on the machine by watching the counter.


options NO_LKM
Disables FreeBSD's ability to dynamically load kernel modules.


If you do not have a printer attached to this PC's parallel port, disable the following devices.

device ppc
device ppbus
device lpt
device plip
device ppi


If you are not copying this system to other PCs with different hardware, then besides the security benefit you can also reduce the time it takes to compile the kernel by removing all unused device drivers. Review the boot messages in /var/run/dmesg.boot to see which devices are actually in use, keep only those, and comment out all the others. Do not delete the following device: most NICs use it, but it does not show up in dmesg as in use.

device miibus
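The whole procedure above (commenting statements out, adding the extra options, and checking the remaining device lines against dmesg.boot) can be applied to a copy of the configuration file rather than by hand. The following POSIX sh helpers are an added example written for this page; they are not part of the FreeBSDwiki page or of FreeBSD itself. The file name MYKERNEL, the temporary directory, and the config and dmesg.boot contents are constructed samples, and the default treatment of miibus as always-used follows the note above that it does not appear in dmesg.

```shell
#!/bin/sh
# Added example (not from the FreeBSDwiki page): helpers that apply the page's
# kernel-config edits to a COPY of a configuration file and report which
# "device" lines a dmesg.boot never mentions. All input below is constructed.

# Comment out every active "options NAME" / "device NAME" line in CONFIG.
# Usage: disable_stmt CONFIG NAME
disable_stmt() {
    awk -v name="$2" '
        ($1 == "options" || $1 == "device") && $2 == name { print "#" $0; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit 0 if CONFIG has an active (uncommented) "options NAME" line, else 1.
has_option() {
    awk -v name="$2" '$1 == "options" && $2 == name { found = 1 } END { exit !found }' "$1"
}

# Append "options NAME" to CONFIG unless it is already active (idempotent).
add_option() {
    has_option "$1" "$2" || printf 'options\t%s\n' "$2" >> "$1"
}

# Print the names of active "device" lines in CONFIG that never appear as a
# driver instance ("em0:", "uhci0:") in DMESG. Names in KEEP (space separated)
# are always treated as used; miibus is the default, per the page's note.
# Usage: unused_devices CONFIG DMESG [KEEP]
unused_devices() {
    awk -v dm="$2" -v keep="${3:-miibus}" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        FILENAME == dm {
            # dmesg pass: "em0:" -> driver "em"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[a-z_]+[0-9]+:$/) { drv = $i; sub(/[0-9]+:$/, "", drv); seen[drv] = 1 }
            next
        }
        $1 == "device" && !($2 in seen) { print $2 }
    ' "$2" "$1"
}

# --- constructed sample input (assumed file names) --------------------------
WORK=$(mktemp -d)
CFG="$WORK/MYKERNEL"
DMESG="$WORK/dmesg.boot"

cat > "$CFG" <<'EOF'
ident       MYKERNEL
options     INET
options     INET6
options     MD_ROOT
options     NFSCLIENT
options     NFSSERVER
device      faith
device      miibus
device      em
device      lpt
device      ppc
EOF

cat > "$DMESG" <<'EOF'
em0: <Intel(R) PRO/1000 Network Connection> port 0xd020-0xd03f irq 16 at device 25.0 on pci0
uhci0: <Intel 82801I (ICH9) USB controller> port 0xd080-0xd09f irq 23 at device 26.0 on pci0
EOF

# Devices that dmesg.boot never mentioned, before any edits (faith, lpt, ppc).
BEFORE=$(unused_devices "$CFG" "$DMESG")

# --- apply the page's recommendations to the copy --------------------------
for name in INET6 MD_ROOT NFSCLIENT NFSSERVER NFSLOCKD NFS_ROOT faith \
            COMPAT_FREEBSD4 COMPAT_FREEBSD5 COMPAT_FREEBSD6 COMPAT_FREEBSD7 \
            ppc ppbus lpt plip ppi; do
    disable_stmt "$CFG" "$name"
done
for name in TCP_DROP_SYNFIN ICMP_BANDLIM RANDOM_IP_ID; do
    add_option "$CFG" "$name"
done

echo "unused before edits: $BEFORE"
echo "unused after edits:  $(unused_devices "$CFG" "$DMESG")"
cat "$CFG"
```

Names that are absent from the sample config (NFSLOCKD, ppbus, and so on) are simply left alone by disable_stmt, so the same list can be applied to any configuration file; add_option never duplicates a line that is already active, so the script can be re-run safely.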
