FreeBSD hardening

- Some FreeBSD hardening notes

# Rebuild and reinstall world and kernel from /usr/src.
# Runs in the caller's shell (it changes the working directory to
# /usr/src). Each step aborts the remaining ones on failure, and the
# function's status is the status of the first step that failed.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   0 when every step succeeded, otherwise the failing step's status
buildit()
{
  echo "Starting hardening stuff...Recompile kernel and stuff first..." || return
  # Start from a clean object tree so stale objects cannot leak into the build.
  rm -rf /usr/obj/* || return
  cd /usr/src || return
  make buildworld || return
  make buildkernel || return
  make installkernel || return
  # bootpool has to be mounted before mergemaster touches /boot.
  zfs mount bootpool || return
  mergemaster -p || return
  make installworld || return
  mergemaster -iF || return
  make delete-old || return
  echo "Build done!Reboot and make delete-old-libs"
}

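# Replace each active swap device with a one-time geli-encrypted provider:
# swap it off, overwrite it with random data, attach an AES onetime geli
# device and swap the ".eli" provider back on.
# /etc/fstab still has to be edited by hand to use "<device>.eli".
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout, diagnostics on stderr
# Returns:   0 on success; 1 when no swap device is active; otherwise the
#            status of the first failing step (remaining devices are skipped)
cryptswap()
{
  local devs dev
  echo "Encrypting swap area..." || return
  # swapinfo prints a "Device ..." header and, with several devices, a
  # trailing "Total" summary line; keep only the device paths.
  devs=$(swapinfo | awk 'NR > 1 && $1 != "Total" { print $1 }') || return
  if [ -z "$devs" ]; then
    printf 'cryptswap: no active swap device found\n' >&2
    return 1
  fi
  # Intentional word-splitting: one device path per line, no spaces expected.
  for dev in $devs; do
    swapoff "$dev" || return
    # dd stops with a short-write error once the device is full, so its
    # non-zero status is expected here and must not abort the chain.
    dd if=/dev/random of="$dev" bs=1m \
      || printf 'cryptswap: dd on %s ended with status %d (expected at end of device)\n' "$dev" "$?" >&2
    geli onetime -d -e aes "$dev" || return
    swapon "${dev}.eli" || return
    echo "Done...Don't forget to modify fstab to ${dev}.eli..." || return
  done
}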
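# Append each line read from stdin to FILE unless FILE already contains
# that exact line, so repeated runs do not pile up duplicate entries.
# Arguments: $1 - file to append to (created if missing)
# Returns:   0 on success, otherwise the status of the failing write
_chfiles_append_lines()
{
  local file=$1 line
  while IFS= read -r line; do
    # -x -F: whole-line, literal match; grep failing (file absent) means append.
    if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
      printf '%s\n' "$line" >> "$file" || return
    fi
  done
}

# Remove all "other" permission bits from each path given, skipping paths
# that do not exist (some of these files may be absent on a given release)
# instead of aborting the whole hardening run.
# Arguments: paths to restrict
# Returns:   0 on success, otherwise the status of the failing chmod
_chfiles_private()
{
  local f
  for f in "$@"; do
    if [ -e "$f" ]; then
      chmod o= "$f" || return
    else
      printf 'chfiles: %s not present, skipping\n' "$f" >&2
    fi
  done
}

# Move the contents of /var/tmp (dotfiles included) into /tmp and replace
# /var/tmp with a symlink to /tmp. A no-op when /var/tmp is already a link.
# Returns:   0 on success, otherwise the status of the failing step
_chfiles_link_var_tmp()
{
  local entry
  if [ -L /var/tmp ]; then
    return 0
  fi
  # A plain "mv /var/tmp/*" fails on an empty directory (unmatched glob)
  # and leaves dotfiles behind to be deleted by the rm below.
  for entry in /var/tmp/* /var/tmp/.[!.]* /var/tmp/..?*; do
    [ -e "$entry" ] || [ -L "$entry" ] || continue
    mv -- "$entry" /tmp/ || return
  done
  rm -rf /var/tmp || return
  ln -s /tmp /var/tmp
}

# Apply the rc.conf, sysctl.conf, file-permission and /var/tmp changes.
# Rerun-safe: config lines are only added once and existing links are kept.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout, diagnostics on stderr
# Returns:   0 on success, otherwise the status of the first failing step
chfiles()
{
  echo "Adding rc.conf stuff..." || return
  _chfiles_append_lines /etc/rc.conf <<'EOF' || return
syslogd_flags="-ss"
icmp_drop_redirect="YES"
sendmail_enable="NO"
inetd_enable="NO"
nfs_server_enable="NO"
nfs_client_enable="NO"
portmap_enable="NO"
update_motd="NO"
clear_tmp_enable="YES"
EOF
  echo "Adding sysctl.conf stuff..." || return
  _chfiles_append_lines /etc/sysctl.conf <<'EOF' || return
security.bsd.see_other_uids=0
net.inet.ip.random_id=1
net.inet.tcp.always_keepalive=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.ipc.somaxconn=1024
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
net.link.ether.inet.max_age=1200
net.inet.icmp.bmcastecho=0
net.inet.ip.redirect=0
net.inet.ip6.redirect=0
net.inet.icmp.maskrepl=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
EOF
  echo "Changing file permissions and allow cron for root..." || return
  # NOTE(review): /etc/hosts and /etc/group are also read by unprivileged
  # processes for name and group lookups; removing o+r affects them —
  # confirm that is intended before applying on a multi-user host.
  _chfiles_private \
    /etc/fstab /etc/ftpusers /etc/group /etc/hosts /etc/hosts.allow \
    /etc/hosts.equiv /etc/hosts.lpd /etc/inetd.conf /etc/login.access \
    /etc/login.conf /etc/newsyslog.conf /etc/rc.conf /etc/ssh/sshd_config \
    /etc/sysctl.conf /etc/syslog.conf /etc/ttys || return
  # Only root may use cron and at (allow files are consulted before deny files).
  printf 'root\n' > /var/cron/allow || return
  printf 'root\n' > /var/at/at.allow || return
  _chfiles_private \
    /etc/crontab /usr/bin/crontab /usr/bin/at /usr/bin/atq /usr/bin/atrm \
    /usr/bin/batch || return
  chmod 710 /root || return
  _chfiles_private /var/log || return
  # With clear_tmp_enable="YES" above, /tmp is cleared at boot; linking
  # /var/tmp to it makes /var/tmp volatile as well.
  echo "Link /var/tmp to /tmp..." || return
  _chfiles_link_var_tmp
}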