Date:      Fri, 09 Jun 2000 08:38:05 GMT
From:      Salvo Bartolotta <bartequi@neomedia.it>
To:        "David J. Kanter" <djkanter@nwu.edu>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Security for a lonely desktop
Message-ID:  <20000609.8380500@bartequi.ottodomain.org>
In-Reply-To: <20000608174110.A24158@localhost.localdomain>
References:  <20000608174110.A24158@localhost.localdomain>

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 6/8/00, 11:41:10 PM, "David J. Kanter" <djkanter@nwu.edu> wrote
regarding Security for a lonely desktop:


> I run FreeBSD on a desktop, hook up to the Internet via a modem (with
> dynamic IP address assigning) and am the only user of this machine. Is
> security that much of an issue for someone like me, such that I'd have to
> make changes to the default FreeBSD set up?

> I've read about closing down inetd services that I'd never use: telnet, ftp,
> etc. Even turning off the sendmail daemon. Or, compiling a firewall into my
> kernel. But are these really necessary for a guy like me?

> I'm interested in what people have to say.
> --
> David Kanter
> djkanter@nwu.edu



Dear David Kanter,

If you define your desktop as "lonely", somebody will visit it just to
make it feel less lonely :-)

Joking apart, you might want to disable ALL unnecessary services in
/etc/inetd.conf, as well as properly configuring /etc/hosts.allow (see
also hosts_access(5)); as an aside, you might want to have a look at
/etc/login.access.

E.g. you might begin by **suitably** specifying ``ALL: ALL: deny'' (or
something else meeting your needs) in /etc/hosts.allow. Personally, on
my homebox, I have also set up a packet filter dropping all traffic
directed to X ports, portmapper, and a few other targets ("Winblows"
targets as well). Even if most of those targets are disabled
(non-existing or serviceless), I HAVE logged traffic directed to them
as well as a good number of attempts to portscan my homebox (!)

Furthermore, you might want to consider such features as "log_in_vain"
(read rc.conf(5)), and, under 4.0-something, blackhole(4).

As I have just said, I've seen portscan attempts on my homebox a
number of times, and I've received a few ftp, telnet, etc. requests as
well; probably, this kind of "sport" (trying to hack a homebox) should
make very little sense, but it DOES happen.

Paranoia is safe. As usual. The fact is, a Unix box seems to be
appealing for some people, even if it is a homebox.

Best regards,
Salvo
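
Added example, not part of the message above and not FreeBSD project code: a small audit of the three files the reply points at (inetd.conf, hosts.allow, rc.conf). The function names are hypothetical, the sample files are constructed, and the YES/NO values for log_in_vain and sendmail_enable are assumed to follow the rc.conf(5) convention of that release.

```shell
#!/bin/sh
# Added example: audit copies of the files the reply mentions.
# All function names are illustrative; sample input in demo() is constructed.

# Services still enabled in an inetd.conf-format file, as "name/proto".
inetd_enabled() {
    awk '/^[ \t]*(#|$)/ { next } { print $1 "/" $3 }' "$1"
}

# hosts.allow is first-match: succeed only if a catch-all deny is reached
# before any catch-all allow (backslash continuation lines are not handled).
hosts_default_deny() {
    awk '/^[ \t]*(#|$)/ { next }
         { r = tolower($0); gsub(/[ \t]/, "", r) }
         r == "all:all:allow" { exit }
         r == "all:all:deny"  { found = 1; exit }
         END { exit !found }' "$1"
}

# Last value assigned to an rc.conf variable, or "unset".
rc_value() {  # rc_value VAR FILE
    awk -F= -v k="$1" '$1 == k { v = $2; gsub(/"/, "", v); sub(/[ \t]*#.*/, "", v) }
         END { print (v == "" ? "unset" : v) }' "$2"
}

audit() {  # audit INETD_CONF HOSTS_ALLOW RC_CONF
    for s in $(inetd_enabled "$1"); do echo "WARN inetd: $s enabled"; done
    hosts_default_deny "$2" || echo "WARN hosts.allow: no effective ALL:ALL:deny"
    case "$(rc_value log_in_vain "$3")" in
        NO|0|unset) echo "WARN rc.conf: log_in_vain is off" ;;
    esac
    [ "$(rc_value sendmail_enable "$3")" = "NO" ] || echo "WARN rc.conf: sendmail_enable is not NO"
}

demo() {  # constructed sample files, written to a scratch directory
    d=$(mktemp -d "${TMPDIR:-/tmp}/audit.XXXXXX") || return 1
    printf '%s\n' '#telnet stream tcp nowait root /usr/libexec/telnetd telnetd' \
        'ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l' > "$d/inetd.conf"
    printf '%s\n' '# defaults' 'ALL : ALL : allow' 'ALL : ALL : deny' > "$d/hosts.allow"
    printf '%s\n' 'log_in_vain="YES"  # log connects to closed ports' \
        'sendmail_enable="YES"' > "$d/rc.conf"
    audit "$d/inetd.conf" "$d/hosts.allow" "$d/rc.conf"
    rm -rf "$d"
}
demo
```

On a real system, call `audit /etc/inetd.conf /etc/hosts.allow /etc/rc.conf`; the hosts.allow check flags the case where a leading catch-all allow makes a later deny rule unreachable.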




