Hardening FreeBSD 7

Prerequisites:

FreeBSD (Base + Autoconf, Automake, Bash and GCC)

Overview: Tighten up server security prior to production use

 

Hardening FreeBSD

# We only need one (1) "temp" directory on our system and that should be /tmp,
# so /var/tmp is replaced with a symlink to it.
# Caveats: rm -R deletes whatever is currently in /var/tmp, so check its contents first.
# /var/tmp conventionally holds temporary files that are expected to survive a reboot
# (e.g. editor recovery files); after this change they share /tmp's lifetime,
# free space and mount options.
rm -R /var/tmp/
ln -s /tmp /var/tmp

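# Make the console more secure by prompting for the root password when going into single-user mode:
# mark the console entry in /etc/ttys as "insecure" (the stock entry ends in "secure").
# This only covers single-user boots from the installed system; it is not a substitute
# for physical access control.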
vi /etc/ttys
console none unknown off insecure

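# Increase SSH security by adding or uncommenting the following lines in sshd_config.
# Restart sshd afterwards (e.g. /etc/rc.d/sshd restart) so the changes take effect.
# PermitRootLogin no blocks direct root logins, so before closing your current session
# confirm that an unprivileged account can log in over SSH and become root.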
vi /etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
PermitEmptyPasswords no
PrintLastLog yes
UsePrivilegeSeparation yes
UseDNS yes

# Switch new passwords to use Blowfish instead of MD5 and increase password security in general.
# Only passwords set after this change use the new format; existing hashes stay as they
# are until each user changes their password.
# Note: ">>" appends, so running this line more than once leaves duplicate
# crypt_default entries in /etc/auth.conf.
echo "crypt_default=blf" >> /etc/auth.conf
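# Edit /etc/login.conf: change or add the following lines in the "default" section.
# Check login.conf(5) to confirm which of these capabilities your release actually
# enforces; some may only be honoured by specific programs.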
vi /etc/login.conf
        :passwd_format=blf:\

        :minpasswordlen=9:\
        :mixpasswordcase=true:\
        :passwordtime=90d:\
        :idletime=30:\
        :accounted=true:\
        :autodelete=90d:\
        :warnpassword=14d:\
# Put the changes to login.conf into effect by rebuilding its capability database
/usr/bin/cap_mkdb /etc/login.conf

# Only allow root to schedule jobs.
# The allow files list the users permitted to use cron and at; ">" overwrites any
# existing list, so merge by hand if other accounts are already listed there.
echo "root" > /var/cron/allow
echo "root" > /var/at/at.allow
# "chmod o=" clears every permission bit for "other": users outside each file's
# owner and group can no longer read /etc/crontab or run the scheduling commands.
# Owner and group permissions are left untouched.
chmod o= /etc/crontab
chmod o= /usr/bin/crontab
chmod o= /usr/bin/at
chmod o= /usr/bin/atq
chmod o= /usr/bin/atrm
chmod o= /usr/bin/batch
 

# Increase security settings by adding or uncommenting these lines in your existing rc.conf
vi /etc/rc.conf


# Increase sysctl security settings by adding these values to the current sysctl.conf file
vi /etc/sysctl.conf