I’ve been spending a lot of time lately researching FreeBSD security solutions. Topics such as pf (packet filter), system hardening, etc. One of the tips that I thought I’d share here is a method of configuring your system to use blowfish encryption for passwords as opposed to the default MD5. If you are on a system that has a lot of users it might be prudent to update the encryption type to make your stored passphrase safer. Configure /etc/login.conf The password format is stored within the /etc/login.conf file. The default value being “md5”. To update your configuration to use blowfish instead make the following change to your file: – :passwd_format=md5:\  :passwd_format=blf:\ After you’ve made this change you’ll need to rehash the login database, which is done using the cap_mkdb command: cap_mkdb /etc/login.conf At this point any newly assigned passwords will be created using blowfish instead of MD5. Read more

I’ve been using my Mac more and more while I’m at work these days and one of the things that I quickly started to miss was the Linux keyboard shortcut for locking your screen (ctrl-alt-l) when you’re going to be away from your desk. The first few times I simply resigned myself to trust my office mate, but that wasn’t going to cut it long-term. I set out to find a solution to locking my screen while I was going to be away from my Mac. This is what I found. There are actually a number of solutions that I found. Some require third-party software. Others require creating dock icons to launch command-line tools. The solution I came up with requires no third-party software, custom dock icons or arthritis-inducing keyboard shortcuts. This uses easily configurable options that can also easily be undone if desired. I used Hot Corners. If you’re not familiar with Hot Corners, it is the ability to use your mouse and the four corners of your desktop to achieve additional functionality. Read more

As I’m sure you’ve all heard, today is April Fools and the day that the conficker worm is set to… well, do something. I haven’t read any reports on just exactly what it has done, if anything today, but I was able to come up with a solution that will allow you to scan for it using Arch Linux and the latest-greatest build of nmap. I just ran a scan on my home network and didn’t find anything (granted I only have Arch Linux, FreeBSD and Mac OS X machines here), but the same steps can be used to scan your office networks if you’re still wondering about being vulnerable. I will outline below how to install the Arch Build System (ABS), update the PKGBUILD for nmap to install the latest nmap and finally how to scan a range of networks for the conficker worm. Installation via ABS To build the latest-greatest copy of nmap we’ll use the ABS and simply update the PKGBUILD information. Read more

For those using FreeBSD, there has been another security update to the 7.1 release family. According to the UPDATING file: 20090323: p4 FreeBSD-SA-09:06.ktimer, FreeBSD-EN-09:01.kenv<br /> Correctly sanity-check timer IDs. [SA-09:06]<br /> Limit the size of malloced buffer when dumping environment<br /> variables. [EN-09:01] If you’re interested in applying this update to your system, here is the method I use: csup -g -L2 cvsup.freebsd.org /usr/share/examples/cvsup/standard-supfile<br /> cd /usr/src<br /> make buildkernel && make installkernel<br /> make buildworld && make installworld<br /> reboot There are other methods for keeping your base system updated, but I prefer the compiling method. What other methods might you suggest?