From owner-freebsd-questions@FreeBSD.ORG Sat Jul 26 10:21:42 2003
Return-Path: 
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2EBA737B401 for ; Sat, 26 Jul 2003 10:21:42 -0700 (PDT)
Received: from mail-da-1.dns-solutions.net (unknown [69.12.117.4]) by mx1.FreeBSD.org (Postfix) with SMTP id 66DC043F93 for ; Sat, 26 Jul 2003 10:21:41 -0700 (PDT) (envelope-from matthew@starbreaker.net)
Received: (qmail 92366 invoked from network); 26 Jul 2003 17:21:39 -0000
Received: from unknown (HELO host185.209-113-232.oem.net) (matthew@starbreaker.net@209.113.232.185) by mail-da-1.dns-solutions.net - 209.113.232.185 with SMTP; 26 Jul 2003 17:21:39 -0000
From: Matthew Graybosch
Organization: starbreaker.net
To: "Peter Rosa"
Date: Sat, 26 Jul 2003 13:22:31 -0400
User-Agent: KMail/1.5.2
References: <00a201c35398$ed1de680$3501a8c0@pro.sk>
In-Reply-To: <00a201c35398$ed1de680$3501a8c0@pro.sk>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200307261322.31656.matthew@starbreaker.net>
cc: freebsd-questions@freebsd.org
Subject: Re: suid bit files and securing FreeBSD
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: matthew@starbreaker.net
List-Id: User questions
X-List-Received-Date: Sat, 26 Jul 2003 17:21:42 -0000

> Second question is: Has anybody an exact wizard, how to secure
> the FreeBSD machine? Imagine the situation: the only person who
> can do anything on that machine is me, and nobody else. I have
> set very restrictive firewalling, I have removed ALL ttys except
> two local ttys (I need to work on that machine), but there are
> still open ports 25 and 53 (must be forever), so someone very
> tricky can compromise my machine.
>
> I'm a little bit paranoid, aren't I :-)))))))

Uhm, yes, you *are* just a wee bit paranoid. But it helps to be paranoid if you're root on somebody else's machine. Great power and great responsibility, right?

But if you're concerned with security uber alles, I'm surprised you didn't look into OpenBSD first. According to their site (openbsd.org), they've had "only one remote hole in the default install, in more than 7 years!"

FreeBSD certainly can be secured, but it appears that the developers put performance and reliability first, and then security. Theo de Raadt puts security first.

-- 
Matthew Graybosch
http://www.starbreaker.net
"I am become root, shatterer of kernels."
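The thread's subject raises setuid-bit files, which neither message shows how to check. The script below is an added example, not code from either poster or from the FreeBSD project: it lists setuid/setgid regular files under a directory tree and reports any that are missing from a baseline allowlist the administrator maintains, so that a new set-id binary stands out on a periodic run. It assumes only POSIX sh, find(1) and grep(1); the baseline file name and the demo tree it builds under mktemp(1) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit setuid/setgid
# files against a baseline allowlist. POSIX sh; needs find(1) and grep(1).

# list_setid DIR
#   Print the sorted paths of regular files under DIR that carry the
#   setuid (4000) or setgid (2000) bit. -xdev keeps the walk on one
#   filesystem, so run it once per mounted filesystem of interest.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# audit_setid DIR BASELINE
#   Print every set-id file under DIR whose full path is not listed in
#   BASELINE (one path per line). Returns 0 when nothing new was found,
#   1 when at least one unlisted set-id file exists. A grep that selects
#   no lines exits 1, so "|| true" keeps that from aborting under set -e.
audit_setid() {
    unlisted=$(list_setid "$1" | grep -vxF -f "$2" || true)
    if [ -n "$unlisted" ]; then
        printf '%s\n' "$unlisted"
        return 1
    fi
    return 0
}

# make_demo_tree
#   Build a constructed sample tree in a temporary directory: one setuid
#   file, one setgid file, one plain file, and a baseline that allows only
#   the setuid one. Prints the directory path.
make_demo_tree() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/passwd_like"
    chmod 4755 "$d/passwd_like"          # setuid: in the baseline
    printf '#!/bin/sh\n' > "$d/wall_like"
    chmod 2755 "$d/wall_like"            # setgid: NOT in the baseline
    printf '#!/bin/sh\n' > "$d/plain"
    chmod 0755 "$d/plain"                # no set-id bit: never reported
    printf '%s\n' "$d/passwd_like" > "$d/baseline.txt"
    printf '%s\n' "$d"
}

# Run with --demo to exercise the functions on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    echo "set-id files under $demo:"
    list_setid "$demo"
    echo "not in baseline:"
    audit_setid "$demo" "$demo/baseline.txt" || echo "(audit flagged new set-id files)"
    rm -rf "$demo"
fi
```

For a real host, generate the baseline once from a freshly installed system with `list_setid / > /var/db/setid.baseline`, review it by hand, and then run `audit_setid / /var/db/setid.baseline` from cron; a non-zero exit is the signal to investigate. The same idea applies to the open ports the question mentions: on FreeBSD, `sockstat -l` lists the listening sockets, and comparing its output against an expected list (here, only 25 and 53) catches anything that was not meant to be there.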