- Change default umask to 027
- Enabled pf firewall by default in settings.ini
- After testing, re-introduced the Sendmail/MTA disable
New settings Enhanced DoS/DDoS mitigation
net.inet6.icmp6.rediraccept = 0to prevent ICMP attacks. Only FreeBSD as a network appliance would benefit enabling this setting.net.inet.tcp.drop_synfin = 1to mitigate TCP SYN-FIN attacks and stealth probing.net.inet.tcp.cc.algorithm=htcpenable TCP congestion alleviation
H-TCP is a congestion control protocol for high-speed and long distance networks. It uses bandwidth estimation and changes the TCP window increase/decrease parameters according to the estimated minimal and maximal bandwidth. It takes into consideration that the parameter for additive increase should be small in slower networks and should be large in high-speed and long distance networks in order to achieve fast adaptation to the available bandwidth.
DoS/DDoS mitigation via network performance tuning for high-speed network servers, used by default on Vultr FreeBSD 14.0 cloud servers.
kern.ipc.maxsockbuf=67108864net.inet.tcp.sendbuf_max=67108864net.inet.tcp.recvbuf_max=67108864net.inet.tcp.sendbuf_auto=1net.inet.tcp.recvbuf_auto=1net.inet.tcp.sendbuf_inc=16384
NOTE
net.inet.tcp.syncache.hashsize, cachelimit, and bucketlimitWere last updated for 2016 Computing Hardware and should be made tunable, currently they are read-only and serve to make SYN FLOOD DoS attacks easier.
- ZenBleed workaround removed as it is now enable by default in 14 release
- 32bit protections removed as FreeBSD is focusing on 64bit and in the future dropping support for 32bit
- PIE, ASLR for 32bit
- Sendmail limitations removed since the 14.0 MTA in use is now the more secure Dragonfly Mail Agent
- Removed devcpu-data-amd as the re-worked port installs both AMD and Intel with command
devcpu-data
- Printing clean-up
- Fixed error in microcode matching
- Fixed Virtual Machine vs Bare Metal c shell bug in string matching
- Zenbleed_workdaround.csh fixes
- at reminder fixes
- CPU Model detection fixed
- AMD Threadripper Pros are still not being detected properly
- Updated to give notice that no Zenbleed affected CPU was found.
- The rc script has been updated for better performance and stability
- There is no positive value cases I can find for removing the chicken-bit during operation which on the contrary may produce unexpected results as with other workarounds of this type
- Rebooting without the rc script running returns the OS to an unset chicken-bit state which obviates the need to have a
rcchicken-bit removal function.- The user chooses the workaround or not without the rc script making available CPU state changes while in operation possibly inducing kernel crashes
- Simply using the
removeargument and rebooting will return the AMD Zenbleed vulnerability -> MSR state to default
- Fixed Syntax errors and word clarity in the main workaround file
- Added a prompted reminder function using
atto create a file in the home directory reminding the user to use the official patch due at that time and remove the workaround - Changed the user text notice after a microcode update for better security and stability
- Rebooting once should show clean startup with new microcode but still keep the tools in case of reversion
- Use the
cleanfunction to remove the conf directives that load the still loaded promiscuous cpu tools - Rebooting again to load without promiscuous cpu tools
settings.inimicrocode_update_enableset to "YES" in preparation for Zenbleed and Downfall Updates
- AMD Zenbleed mitigation script was added
- Changed requirements to be 13.1, 13.2 as this is when most security directives were added
- Remove much conf syntax verification to work on all FreeBSD confs instead of just default installs
- Reverted 64bit ASLR protections to 32bit since these were on by default since 13.1
hw.mds_disablewas set at 3, AUTO- Removed
vm.pmap.pti = "1"since this was on by default
- FreeBSD hardening script /usr/libexec/bsdinstall/hardening sets
security.bsd.allow_destructive_dtraceis formatted improperly with the flag without quotes as in/boot/defaults/loader.confand man. Script sets it properly. - Test DTrace hardening: Using all 3 commands should result in
Permission deniedorDestructive actions not allowed:dtrace -wn 'tcp:::connect-established { @[args[3]->tcps_raddr] = count(); }'dtrace -wqn tick-1sec'{system("date")}'dtrace -qn tick-1sec'{system("date")}'
- New setting
vm.pmap.pti = 0 - Setting
kern.securelevelto0has no effect as FreeBSD will increment to 1 disallowing script execution. README changed to reflect this. - Error message conformity and clarity improvement.
- Script now exits any time it restores a file to prevent partial writes and locked files.
- Some sysctl.conf settings moved over to loader.conf section for better security
- 64bit ASLR setting was reverted back to 32bit enable as 64bit is enabled by default.
kern.randompidworks better if the number is manually set over 100 and is a prime (*)