From owner-freebsd-questions@FreeBSD.ORG Wed Feb 20 17:58:57 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 98C9D16A405 for ; Wed, 20 Feb 2008 17:58:57 +0000 (UTC) (envelope-from jerrymc@gizmo.acns.msu.edu) Received: from gizmo.acns.msu.edu (gizmo.acns.msu.edu [35.8.1.43]) by mx1.freebsd.org (Postfix) with ESMTP id 61D3013C4E1 for ; Wed, 20 Feb 2008 17:58:57 +0000 (UTC) (envelope-from jerrymc@gizmo.acns.msu.edu) Received: from gizmo.acns.msu.edu (localhost [127.0.0.1]) by gizmo.acns.msu.edu (8.13.6/8.13.6) with ESMTP id m1KHspDe056566; Wed, 20 Feb 2008 12:54:51 -0500 (EST) (envelope-from jerrymc@gizmo.acns.msu.edu) Received: (from jerrymc@localhost) by gizmo.acns.msu.edu (8.13.6/8.13.6/Submit) id m1KHspu2056565; Wed, 20 Feb 2008 12:54:51 -0500 (EST) (envelope-from jerrymc) Date: Wed, 20 Feb 2008 12:54:51 -0500 From: Jerry McAllister To: Matthew Seaman Message-ID: <20080220175451.GA56513@gizmo.acns.msu.edu> References: <94136a2c0802200802r790ea5b1ye6f1a331b15ed6f4@mail.gmail.com> <47BC61BA.60103@infracaninophile.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <47BC61BA.60103@infracaninophile.co.uk> User-Agent: Mutt/1.4.2.2i Cc: Zbigniew Szalbot , freebsd-questions Subject: Re: security of a new installation / steps to take X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Feb 2008 17:58:57 -0000 On Wed, Feb 20, 2008 at 05:22:02PM +0000, Matthew Seaman wrote: This is a very nice summary. I will steal it and post it on the wall in our cube-maze hallway. Thanks, ////jerry > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Zbigniew Szalbot wrote: > > > So far I have had FreeBSD systems only in office so I used my hardware > > firewall (Dlink DFL 700) to block access to services on ports 22, etc. > > Now, at the ISP I won't be able to do this so I will need to be a lot > > more careful about security issues. I am planning to make a list of > > steps I need to take to configure the OS to my liking and install > > applications I need. However, I would really, really love to have some > > advice from you re the basic steps. > > The important mantra to remember when securing a machine that is exposed > to the internet is: > > What does not listen on the network cannot be used to compromise you. > > In practice, this means run sockstat and look for all the processes > that are listening for connections on your external network interfaces. > > If you don't need it, then don't run it. > > If you don't need external access to it, then bind it to the loopback > interface[1] or use it via a Unix domain socket (eg. 'skip-networking' in > MySQL configuration) > > If you do need it, then strongly prefer encrypted versions of network > protocols: IMAPS rather than IMAP, HTTPS instead of HTTP. This is > particularly important if people are using password based authentication > - -- otherwise you'ld be transmitting those passwords over the net in plain, > where they are vulnerable to snooping. > > Ensure that any software that does listen on the network runs as an > unprivileged UID. Ensure that the login accounts used for such daemons do > not have real shells (/usr/sbin/nologin is a good choice) and preferably > either have a non-existent home directory, or a home directory that the > process does not own and cannot write to. The current working directory > of the process (frequently /, but you can use 'fstat -p pid' and look > for the 'wd' entry to find this) should similarly be unwritable by > the process. If the process can run chrooted or jailed then it's a good > idea to make it so. > > Be very wary of many web based applications, particularly those written > in PHP. Sad to say, but many web developers just don't have a clue about > security and commit some enormous howlers. They also love writing web- > accessible configuration scripts, which you should take care to disable by > changing filesystem permissions once you've done the configuring parts > and also block or severely restrict access to by your webserver configuration. > If anyone proposes running any PHP code that requires you to set 'register_globals' > to 'on' in php.ini; well, suffice it to say, no sensible jury would > convict should that person come to an ... unfortunate ... end. > > Make sure you track freebsd-announce@freebsd.org and apply any system patches > in a timely manner. Also make full use of portaudit(1) and generally ensure > that you are running up to date versions of any ported software. > > If you can do all the above effectively, then your machine should be pretty > secure as is, even without running any severe filtering through the built in > firewalls. > > Cheers, > > Matthew > > [1] People that understand the implications of the weak routing model > as commonly seen in Unix servers (and certainly those that cannot control > access to the same layer-2 network their server is on) will want to protect > the loopback against spoofing attacks. The following 3-line pf.conf > will do the trick: > > scrub in > pass all > antispoof log quick for lo0 > > - -- > Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard > Flat 3 > PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate > Kent, CT11 9PW > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.4 (FreeBSD) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFHvGG68Mjk52CukIwRCNfQAJ9yaAXQzhNgfF31V+AtArEyDvdPigCffAuG > afcraoWgVfPnUlSj4S8Zswk= > =uZ1e > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"