Date: Fri, 09 Jun 2000 08:38:05 GMT
From: Salvo Bartolotta <bartequi@neomedia.it>
To: "David J. Kanter" <djkanter@nwu.edu>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Security for a lonely desktop
Message-ID: <20000609.8380500@bartequi.ottodomain.org>
In-Reply-To: <20000608174110.A24158@localhost.localdomain>
References: <20000608174110.A24158@localhost.localdomain>

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 6/8/00, 11:41:10 PM, "David J. Kanter" <djkanter@nwu.edu> wrote regarding Security for a lonely desktop:

> I run FreeBSD on a desktop, hook up to the Internet via a modem (with
> dynamic IP address assigning) and am the only user of this machine. Is
> security that much of an issue for someone like me, such that I'd have to
> make changes to the default FreeBSD set up?

> I've read about closing down inetd services that I'd never use: telnet, ftp,
> etc. Even turning off the sendmail daemon. Or, compiling a firewall into my
> kernel. But are these really necessary for a guy like me?

> I'm interested in what people have to say.
> --
> David Kanter
> djkanter@nwu.edu

Dear David Kanter,

If you define your desktop as "lonely", somebody will visit it just to make it feel less lonely :-)

Joking apart, you might want to disable ALL unnecessary services in /etc/inetd.conf, as well as properly configuring /etc/hosts.allow (see also hosts_access(5)); as an aside, you might want to have a look at /etc/login.access.

E.g. you might begin by **suitably** specifying ``ALL: ALL: deny'' (or something else meeting your needs) in /etc/hosts.allow. Personally, on my homebox, I have also set up a packet filter dropping all traffic directed to X ports, portmapper, and a few other targets ("Winblows" targets as well). Even if most of those targets are disabled (non-existing or serviceless), I HAVE logged traffic directed to them as well as a good number of attempts to portscan my homebox (!)

Furthermore, you might want to consider such features as "log_in_vain" (read rc.conf(5)), and, under 4.0-something, blackhole(4).

As I have just said, I've seen portscan attempts on my homebox a number of times, and I've received a few ftp, telnet, etc. requests as well; probably, this kind of "sport" (trying to hack a homebox) should make very little sense, but it DOES happen.

Paranoia is safe. As usual. The fact is, a Unix box seems to be appealing for some people, even if it is a homebox.

Best regards,
Salvo
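
The advice above to disable all unnecessary services in /etc/inetd.conf can be checked with a small sh audit. This is an added example, not part of the original message; the function names, the allowlist argument and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# List the services still enabled in an inetd.conf-style file.
# An entry is active when its line is not commented out; the fields are:
# service, socket type, protocol, wait/nowait, user, server program, args.

# inetd_enabled FILE -> prints "service/protocol" for each active entry
inetd_enabled() {
    awk '
        /^[ \t]*#/ { next }    # commented out = disabled
        NF < 6     { next }    # blank or incomplete line
        { print $1 "/" $3 }
    ' "$1" | sort -u
}

# inetd_unexpected FILE "ALLOWED" -> prints active entries whose service name
# is not in the space-separated allowlist (empty list = nothing is wanted)
inetd_unexpected() {
    inetd_enabled "$1" | while IFS= read -r entry; do
        svc=${entry%%/*}
        case " $2 " in
            *" $svc "*) ;;     # explicitly wanted, stay quiet
            *) echo "$entry" ;;
        esac
    done
}

# Constructed sample in the style of an inetd.conf (not taken from the message)
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample: two TCP services and one UDP service left enabled
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#finger stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
EOF
}

tmp=$(mktemp) || exit 1
sample_inetd_conf > "$tmp"
echo "enabled:";                      inetd_enabled "$tmp"
echo "unexpected (nothing allowed):"; inetd_unexpected "$tmp" ""
rm -f "$tmp"
```

On a single-user desktop the second listing should be empty once every unneeded line in /etc/inetd.conf has been commented out and inetd has re-read its configuration.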