From owner-freebsd-questions Wed Jul 17 11:35:11 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA09087 for questions-outgoing; Wed, 17 Jul 1996 11:35:11 -0700 (PDT)
Received: from hustle.rahul.net (hustle.rahul.net [192.160.13.2]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA09082 for ; Wed, 17 Jul 1996 11:35:09 -0700 (PDT)
Received: by hustle.rahul.net with UUCP id AA07958 (5.67b8/IDA-1.5 for questions@freebsd.org); Wed, 17 Jul 1996 11:35:03 -0700
Received: (from jim@localhost) by starshine (8.6.11/8.6.9) id LAA02052; Wed, 17 Jul 1996 11:21:01 -0700
From: Jim Dennis
Message-Id: <199607171821.LAA02052@starshine>
Subject: Re: Free BSD and Security
To: celestyte@pb.net (Bill Weiss)
Date: Wed, 17 Jul 1996 11:21:00 -0700 (PDT)
Cc: questions@freebsd.org
In-Reply-To: <31ECA452.41C6@tech-one.com> from "Bill Weiss" at Jul 17, 96 01:29:06 am
X-Mailer: ELM [version 2.4 PL24]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> Hi! We just installed Free BSD on our server, and before we put the
> system online we want to make sure we have all the security matters
> covered. Aside from general network precautions (passwords, ports, etc.)
> are there any obscure features about logins we should check? i.e. a
> user logging into the system as ls or anything? Can never be too careful
> these days!
>

Use vipw to look for unusual accounts (like sync, toor or ruut, man, guest).
Make sure that their password fields are *'d out.

Other questions/suggestions (precede most of these with "Did you..." or
"Do you want to..."):

    have a router? configure it to screen against packet spoofing and
    source routing? configure it to permit incoming sessions only to
    public services?

    anyone on your LAN use a modem to access a PPP account?

    install TCP_Wrappers? configure them? (/etc/hosts.allow, /etc/hosts.deny)

    install tripwire?

    use the chflags on all your binaries and shared libs? (make them
    "immutable" with syschg)

    (increase the security level with sysctl?)

    use something like:

        '(find -perm +2000 -ls; find -perm +4000 -ls) > suid.list'

    ... to make a list of all the SUID and SGID files on your system?

    use 'ps auxw' to make a list of all processes that are "normal" for
    your configuration?

    save copies of those lists (and your initial tripwire database -- or
    md5sum list) to a floppy? write protect that floppy?

    edited inetd.conf and taken out "unnecessary" services (like sprayd,
    chargen, echo, etc.)? (take sendmail -bd out and replace it with a
    cron job to just do a sendmail -q -- assuming that you want this
    machine to send mail -- but you have a mailhost for all of your mail)

Without digging out my notes that is the subset of measures I take for all
internet connected FreeBSD or Linux systems that I put together (except for
the 'sysctl' "securitylevel" feature, which I've had trouble with -- and
tripwire, for which I've basically hacked together a simpler analog -- which
I should polish up and release).

After all that I'd ask:

    What's on this server?
    Do other hosts "trust" this server? If so, how?

... any further questions and data integrity suggestions would stem from
answers to these questions.

> Thanks!
> Bill
>
> PS our system is a P133, 64 megs, 4 gig and a portmaster with 20 modems.
> We want to use the server for users, mail, news, and to host a few sites.
> We will be using a dedicated ISDN to start out with as this is all a new
> thing to us....OS and all!

Has Livingston added support for detecting and denying "source routed"
packets?

Are these users customers or employees (are you starting an ISP service or
is there some other business for which you are providing these services)?

By "host a few sites" are you referring to "virtual web/ftp hosting" or
"co-location"?

Where are you located?

Jim Dennis,
Starshine Technical Services
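The suid.list step and the "save the list, compare later" idea from the message above, written out as a small POSIX shell script that takes a baseline of set-id files and diffs a later run against it (an added example, not Jim's own script; the record format and the function names are my own assumptions):

```shell
#!/bin/sh
# Inventory of set-id files, in the spirit of the suid.list / write-protected
# floppy step: take a baseline once, then diff the live system against it.
# The record format (path|mode|owner|group|crc|size) is our own choice.

# Print one sorted record per SUID/SGID regular file under $1.
# Portable find syntax (-perm -4000 -o -perm -2000) instead of the older -perm +mode.
suid_baseline() {
    root=$1
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while read -r f; do
        set -- $(ls -ld "$f")          # mode links owner group size ...
        mode=$1; owner=$3; group=$4
        set -- $(cksum "$f")           # crc size path
        printf '%s|%s|%s|%s|%s|%s\n' "$f" "$mode" "$owner" "$group" "$1" "$2"
    done | LC_ALL=C sort
}

# Compare baseline file $1 with the live tree under $2.
# "- " marks a record missing from the live system, "+ " a record not in the
# baseline; a changed file (mode, owner, checksum) appears as one of each.
# Returns 0 when nothing changed, 1 otherwise, so it can drive a cron alert.
suid_diff() {
    base=$1; root=$2
    cur=$(mktemp)
    suid_baseline "$root" > "$cur"
    LC_ALL=C comm -23 "$base" "$cur" | sed 's/^/- /'
    LC_ALL=C comm -13 "$base" "$cur" | sed 's/^/+ /'
    changes=$(LC_ALL=C comm -3 "$base" "$cur" | wc -l | tr -d ' ')
    rm -f "$cur"
    [ "$changes" -eq 0 ]
}

# Minimal command-line front end: "baseline DIR" or "diff BASELINE DIR".
case "${1:-}" in
    baseline) suid_baseline "$2" ;;
    diff)     suid_diff "$2" "$3" ;;
esac
```

Keep the baseline file somewhere the host cannot silently rewrite (the write-protected floppy of the message, or any read-only copy), since a baseline stored on the monitored system can be edited along with the binaries.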