Yeah, finally I've decided to re-install from an official iso.
I've found some services in crontab I didn't like at all - they were submitting a lot of info to third-party servers (officially for monitoring purposes).
p.s. By "instance" I mean a dedicated unmanaged server.

On 02/24/16 22:03, Terje Elde wrote:
>> On 24 Feb 2016, at 05:17, Robert Ayrapetyan <robert.ayrapetyan at gmail.com> wrote:
>>
>> Hi. Is there any reliable way to verify checksums of all local files for some FreeBSD installation? E.g. I'm using a hoster which provides pre-deployed FreeBSD instances, how can I be sure there are no patches\changes in a kernel\services etc? Does FreeBSD provide any automated tools for such kind of a verification?
>
> Just a quick note; if you suspect malicious intent from a competent attacker (your provider in this case), running an IDS-type check won't do. It's possible to use a kernel-module that omits itself when you're looking at the file system after boot for example, so it'd be invisible or look normal when checking the filesystem.
>
> Since you say "instance", I'm thinking probably VPS, in which case there needs to be a level of trust in the provider anyway, and this probably doesn't apply to you. Just wanted to mention it quickly as an apropos.
>
> Terje

> On 26 Feb 2016, at 06:50, Robert Ayrapetyan <robert.ayrapetyan at gmail.com> wrote:
>
> Yeah, finally I've decided to re-install from an official iso.
> I've found some services in crontab I didn't like at all - they were submitting a lot of info to third-party servers (officially for monitoring purposes).
> p.s. By "instance" I mean a dedicated unmanaged server.

With a dedicated unmanaged, a reinstall would be my preference as well.

There's an interesting option for this, called mfsBSD. It can be a bit of hassle to set it up the first time (just a bit), but once it's up, it'll give you an image that you can simply dd onto the hard drive(s), and boot from. It then runs only in memory, no longer dependent on the drives, and allows you to ssh in, and do an install just like you would from a dvd.

The reason that it can be a slight hassle is that unless your provider has DHCP, you'd have to configure IP etc in the image, so it'd be able to bring up networking correctly.

Another option that can be interesting for setups like this is using geli for disk-encryption.

Terje