Date: Mon, 11 Mar 96 07:00:17 -0800
From: Cy Schubert - BCSC Open Systems Group <cschuber@uumail.gov.bc.ca>
To: sreid@edmbbs.iceonline.com
Cc: security@FreeBSD.ORG
Subject: Re: How secure is FreeBSD 2.1 right after install?
Message-ID: <199603111500.HAA03943@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Sun, 10 Mar 96 17:04:26 EST." <9603101704.D6300AZ@edmbbs.iceonline.com>
> Is there anything I need to do to secure my system after a fresh install
> from the Walnut Creek CD?
>
> I've already disabled the r*, finger and telnet services in inetd.conf.
> I don't expect I'll need them. Is there anything else I need to worry
> about?
>
> Our local ethernet will start with two FreeBSD machines and a Cisco
> router, connected to the internet. One of the FreeBSD machines will be a
> web server (probably running Apache) and the other will be for web page
> development under X Windows.
>
> I'm concerned that X might be a potential security hole, since it uses
> TCP port 6000 to accept connections from clients... Can I close off
> remote access to the X server without having to install a firewall? I
> won't need to access the X server from the LAN. Can X be set to ignore
> the TCP port?
>
> I'm interested in anything that might be a security problem.

Here are some basic steps I would start with:

1. Install TCP/Wrapper and block all of your TCP services run out of
   inetd.

2. Recompile the kernel to make use of the IP Firewall code, then block
   TCP ports 7, 9, 13, 19, 37, 53, 67, 88, 111, 161, 162, 177, 512, 513,
   514, 520, 2049, 1, 11, 15, 43, 95, 123, 144, 515, 651, 2000, 6000-6100,
   ypserv, yppasswdd, ypbind, mountd, and nfs. I would also block UDP
   ports 7, 9, 13, 19, 37, 53, 67, 88, 111, 161, 162, 177, 512, 513, 514,
   520, 2049, ypserv, yppasswd, ypbind, mountd, nfs, and port 1023.

   You could also block TCP services run out of inetd as well, however
   TCP/Wrapper does a better job of reporting and does some "PARANOID"
   checks against the DNS that filtering will not do. If you're really
   paranoid you could block those ports. On the other hand you would
   probably be better off blocking these ports at your router. If you're
   really paranoid you could do both. Many of the commercial firewalls
   consist of two routers and a bastion host (firewall machine).

   If you allow dial-in connections much of this may be of no use since
   many hackers also phreak telephone lines.

3. Install Tripwire.

4. Run CRACK and COPS or Tiger on a weekly basis.

5. Route all auth.* messages to another machine and report on all
   anomalies.

6. Replace Sendmail 8.6.12 with Sendmail 8.7.4 and install smrsh.

7. If you don't expect to receive mail from the Internet on your FreeBSD
   boxes run Sendmail out of inetd and cron, then wrap it with
   TCP/Wrapper. If you don't need to receive mail at all don't even run
   sendmail out of inetd, just let sendmail queue messages from cron.

This is what comes to mind at the moment. There's a lot more you could do
if you want to spend the time at it.

Regards,                       Phone:    (604)389-3827
Cy Schubert                    OV/VM:    BCSC02(CSCHUBER)
Open Systems Support           BITNET:   CSCHUBER@BCSC02.BITNET
BC Systems Corp.               Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

                "Quit spooling around, JES do it."
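An added example, not part of Cy's message or of FreeBSD itself: a small POSIX sh script that turns the port lists from step 2 into ipfw deny rules and audits a netstat-style listener table against the same lists, so a fresh install can be checked for anything still listening on a port the reply says to block. It assumes the modern ipfw "from any to me dst-port N in" rule syntax (not the 1996 syntax) and a constructed netstat -an excerpt as sample input. The RPC services named in the message (ypserv, yppasswdd, ypbind, mountd) are registered with the portmapper on dynamic ports and are not fixed numbers, so they are not in the lists; nfs is covered by 2049.

```shell
#!/bin/sh
# Added example (not from the original message): generate ipfw deny rules
# for the TCP/UDP port lists in step 2 and audit a listener table against them.

# Port lists as given in the reply, sorted; 6000-6100 is kept as a range.
TCP_PORTS="1 7 9 11 13 15 19 37 43 53 67 88 95 111 123 144 161 162 177 512 513 514 515 520 651 2000 2049 6000-6100"
UDP_PORTS="7 9 13 19 37 53 67 88 111 161 162 177 512 513 514 520 1023 2049"

# gen_rules <proto> <port list> <first rule number>
# Emits one "deny ... in" rule per port or range, numbered in steps of 10.
# Assumes modern ipfw syntax (dst-port keyword); an assumption, not from the page.
gen_rules() {
    proto=$1; ports=$2; rule=$3
    for p in $ports; do
        printf 'ipfw add %d deny %s from any to me dst-port %s in\n' "$rule" "$proto" "$p"
        rule=$((rule + 10))
    done
}

# port_blocked <port> <port list>: succeed if <port> is in the list or
# inside one of its lo-hi ranges.
port_blocked() {
    for p in $2; do
        case $p in
            *-*) lo=${p%-*}; hi=${p#*-}
                 [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] && return 0 ;;
            *)   [ "$1" -eq "$p" ] && return 0 ;;
        esac
    done
    return 1
}

# exposed_listeners <netstat -an text>: print "proto/port" for every local
# socket whose port is in the matching block list. Header lines are skipped
# because their first field is not tcp* or udp*.
exposed_listeners() {
    found=""
    while read -r proto recvq sendq laddr rest; do
        case $proto in
            tcp*) list=$TCP_PORTS; name=tcp ;;
            udp*) list=$UDP_PORTS; name=udp ;;
            *)    continue ;;
        esac
        port=${laddr##*.}                       # "*.6000" -> "6000"
        case $port in ''|*[!0-9]*) continue ;; esac
        if port_blocked "$port" "$list"; then
            found="$found $name/$port"
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "${found# }"
}

# Constructed sample output in the BSD netstat -an layout (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.6000                 *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.6010                 *.*                    LISTEN
udp4       0      0  *.111                  *.*
udp4       0      0  *.514                  *.*
udp4       0      0  *.5000                 *.*'

# Stand-alone run: print the rule set, then what the sample host still exposes.
gen_rules tcp "$TCP_PORTS" 100
gen_rules udp "$UDP_PORTS" 1000
printf 'still listening on blocked ports: %s\n' "$(exposed_listeners "$SAMPLE_NETSTAT")"
```

On a real host the audit half would be fed `netstat -an` output instead of the constructed sample; the web server's port 80 is deliberately absent from the lists and so passes, while the X server on 6000 and the display on 6010 are flagged.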