If you would like to use Blowfish instead of MD5 for password hashes, here is how you go about doing it.

First off, open up /etc/login.conf

Change
:passwd_format=md5:
to
:passwd_format=blf:


Some login.conf tweaks you can do.

To make clients' passwords expire in 90 days, add this line.

:passwordtime=90d:

Warn users to use mixed-case passwords.

:mixpasswordcase=true:

Set minimum password length to 10 characters.

Set clients to log off after 30 minutes of idle time.

:idletime=30m:


Save the changes to login.conf, then rebuild the capability database so the changes take effect.

cap_mkdb /etc/login.conf

You'll then have to change all of your users' passwords so they get a new Blowfish hash. You can do this by typing:

passwd username

Once you have finished, double-check by typing this command.

more /etc/master.passwd

All of the passwords for your users should begin with $2
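
The same check as a script, for boxes with more accounts than you want to read by eye. This is an added example, not part of the original write-up; the function names audit_hashes and sample_master_passwd are made up for illustration and the sample entries are constructed. It goes a little beyond the $2 check by also flagging empty password fields and old DES hashes.

```sh
#!/bin/sh
# List accounts in master.passwd-format input whose password field is not
# a Blowfish ($2...) hash. Run as root: audit_hashes /etc/master.passwd

# Constructed sample entries (the hashes are placeholders, not real hashes).
sample_master_passwd() {
    cat <<'EOF'
# constructed sample in master.passwd format
root:$2a$04$EXAMPLEHASHONLY:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$EXAMPLE$EXAMPLEHASHONLY:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$EXAMPLEHASHONLY:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*$1$EXAMPLE$EXAMPLEHASHONLY:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave::1004:1004::0:0:Dave:/home/dave:/bin/sh
erin:EXAMPLEDESHASH:1005:1005::0:0:Erin:/home/erin:/bin/sh
EOF
}

# audit_hashes [FILE] -> prints "user scheme" for each account that needs
# attention. Reads stdin when no file is given.
audit_hashes() {
    awk -F: '
        /^#/ || NF < 10 { next }                 # comments, malformed lines
        {
            h = $2
            # "*", "*LOCKED*..." and "!" entries cannot log in with a
            # password; Blowfish hashes are what we want. Skip both.
            if (h ~ /^[*!]/ || h ~ /^\$2/) next
            if (h == "")            scheme = "empty"   # no password at all
            else if (h ~ /^\$1\$/)  scheme = "md5"     # passwd not yet changed
            else if (h ~ /^\$/)     scheme = "other"
            else                    scheme = "des"
            print $1, scheme
        }
    ' "$@"
}

# With a file argument audit that file, otherwise run on the sample.
if [ $# -gt 0 ]; then
    audit_hashes "$@"
else
    sample_master_passwd | audit_hashes
fi
```

Any user it lists as md5 still needs passwd run for them; locked accounts such as carol in the sample are skipped, so check those again when you unlock them.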

Finally, configure the adduser utility to use Blowfish whenever you create a new user.

Edit /etc/auth.conf

Add

crypt_default=blf


Now let's touch on some nice protection stuff, like blocking nmap scans.

Edit /etc/rc.conf and add

tcp_drop_synfin="YES"

If you want to block pings, you can do it like so.

icmp_drop_redirect="YES"
icmp_log_redirect="YES"

Blocking pings on a box isn't good if you're using the box as a webserver.


The next setting will drop SYN packets destined for non-listening TCP/UDP ports. This will create a blackhole and protect against stealth port scans.

Next, edit /etc/sysctl.conf and add

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1


One nice feature you might like to add for ssh clients.
This will only allow users to view processes that they are running. But if you're root, you can still see all of the processes running.

Edit /etc/sysctl.conf and add

security.bsd.see_other_uids=0

Note: if you're using 5.2, the name changed. The old name is:

kern.ps_showallprocs=0

... Now I'm tired of typing and I'll add more when I get a chance. Hope this helps some of you.