From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Wed, 20 Feb 2008 17:22:02 +0000
To: Zbigniew Szalbot
Cc: freebsd-questions
Subject: Re: security of a new installation / steps to take
Message-ID: <47BC61BA.60103@infracaninophile.co.uk>
In-Reply-To: <94136a2c0802200802r790ea5b1ye6f1a331b15ed6f4@mail.gmail.com>

Zbigniew Szalbot wrote:
> So far I have had FreeBSD systems only in office so I used my hardware
> firewall (Dlink DFL 700) to block access to services on ports 22, etc.
> Now, at the ISP I won't be able to do this so I will need to be a lot
> more careful about security issues. I am planning to make a list of
> steps I need to take to configure the OS to my liking and install
> applications I need. However, I would really, really love to have some
> advice from you re the basic steps.

The important mantra to remember when securing a machine that is
exposed to the internet is:

    What does not listen on the network cannot be used to compromise you.

In practice, this means run sockstat and look for all the processes
that are listening for connections on your external network
interfaces.

If you don't need it, then don't run it.

If you don't need external access to it, then bind it to the loopback
interface[1] or use it via a Unix domain socket (e.g. 'skip-networking'
in MySQL configuration).

If you do need it, then strongly prefer encrypted versions of network
protocols: IMAPS rather than IMAP, HTTPS instead of HTTP. This is
particularly important if people are using password based
authentication -- otherwise you'd be transmitting those passwords over
the net in plain, where they are vulnerable to snooping.

Ensure that any software that does listen on the network runs as an
unprivileged UID. Ensure that the login accounts used for such daemons
do not have real shells (/usr/sbin/nologin is a good choice) and
preferably either have a non-existent home directory, or a home
directory that the process does not own and cannot write to. The
current working directory of the process (frequently /, but you can
use 'fstat -p pid' and look for the 'wd' entry to find this) should
similarly be unwritable by the process. If the process can run
chrooted or jailed then it's a good idea to make it so.

Be very wary of many web based applications, particularly those
written in PHP. Sad to say, but many web developers just don't have a
clue about security and commit some enormous howlers. They also love
writing web-accessible configuration scripts, which you should take
care to disable by changing filesystem permissions once you've done
the configuring parts and also block or severely restrict access to by
your webserver configuration. If anyone proposes running any PHP code
that requires you to set 'register_globals' to 'on' in php.ini; well,
suffice it to say, no sensible jury would convict should that person
come to an ... unfortunate ... end.

Make sure you track freebsd-announce@freebsd.org and apply any system
patches in a timely manner. Also make full use of portaudit(1) and
generally ensure that you are running up to date versions of any
ported software.

If you can do all the above effectively, then your machine should be
pretty secure as is, even without running any severe filtering through
the built in firewalls.

	Cheers,

	Matthew

[1] People that understand the implications of the weak routing model
as commonly seen in Unix servers (and certainly those that cannot
control access to the same layer-2 network their server is on) will
want to protect the loopback against spoofing attacks. The following
3-line pf.conf will do the trick:

    scrub in
    pass all
    antispoof log quick for lo0

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
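The audit loop Matthew describes above (run sockstat, pick out what listens on external interfaces, check that it runs under an unprivileged account with no real shell), written up as an added example that is not part of the original mail. It works on a constructed `sockstat -l` listing and /etc/passwd excerpt embedded inline so it runs anywhere; on a real FreeBSD host you would feed it the output of `sockstat -4 -6 -l` and the real /etc/passwd instead.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4 -6 -l` output (FreeBSD layout), not a capture
# from a real host. Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
mysql    mysqld     701   10 tcp4   127.0.0.1:3306        *:*
www      httpd      820   3  tcp6   *:443                 *:*
root     syslogd    455   5  udp4   *:514                 *:*'

# Constructed /etc/passwd excerpt; only the login-shell field (7) is consulted.
PASSWD_SAMPLE='root:*:0:0:Charlie &:/root:/bin/sh
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin'

# One line per socket reachable from outside the host: every listener whose
# local address is not bound to loopback. sockstat prints "*:port" for a
# wildcard bind, which counts as external.
external_listeners() {
    printf '%s\n' "$SOCKSTAT_SAMPLE" | awk 'NR > 1 {
        if ($6 !~ /^127\.[0-9.]+:/ && $6 !~ /^(\[::1\]|::1):/)
            print $1, $2, $5, $6
    }'
}

# "yes" if the account can log in interactively, "no" if its shell is
# nologin/false (the setting Matthew recommends for daemon accounts).
has_real_shell() {
    printf '%s\n' "$PASSWD_SAMPLE" | awk -F: -v u="$1" '$1 == u {
        if ($7 ~ /nologin$|false$/) print "no"; else print "yes"
    }'
}

# Report each external listener, flagging the two properties the mail warns
# about: running as root, and running under an account with a real shell.
audit() {
    external_listeners | while read -r user cmd proto addr; do
        flags=""
        [ "$user" = "root" ] && flags="${flags:+$flags }root-uid"
        [ "$(has_real_shell "$user")" = "yes" ] && flags="${flags:+$flags }real-shell"
        printf '%s %s %s%s\n' "$cmd" "$proto" "$addr" "${flags:+ [$flags]}"
    done
}

audit
```

With the sample data the loopback-only mysqld is silent, httpd passes clean, and sshd and syslogd are flagged as root-owned listeners on an account with a real shell.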