Date: Sat, 19 Aug 2000 22:16:17 -0500 (CDT) From: Mike Meyer <mwm@mired.org> To: rob <europax@home.com> Cc: questions@freebsd.org Subject: newbie security Message-ID: <14751.19841.179494.276810@guru.mired.org> In-Reply-To: <109197656@toto.iv>
next in thread | previous in thread | raw e-mail | index | archive | help
rob writes: > I have a linux box here that I spent a great deal of time securing. I > am wondering if the same strategies apply to FreeBSD. Here is what I > did for Linux and now for FreeBSD: > > 1. On linux, turned off all uneeded services. Did the same for > FreeBSD. Kept smpt for qmail, and enabled internal identd, all else off. Always a good idea. > 2. On linux and FreeBSD, not using a firewall. Figured with all of the > services off, I don't need it. You ought to set up a firewall anyway. If for nothing else, it will detect and log probes to those unused services. > 4. On Linux, made /tmp /var /home / all seperate partitions. Should > BSD use seperate slices for these? I followed the recommendations and > just have /var on FreeBSD as a seperate slice. Actually, they don't need to be seperate slices at all. FreeBSD subdivides a slice into partitions, and you can make those separate. I tend to like splits like yours, but I'm old school. Not everyone does that. To get *really* serious about it, mount root r/o. This takes a bit of work to locate everything that needs to be written to and move it off of root. You can also set kern_securelevel via /etc/rc.conf. See init(1) for details. > 5. Mounted /tmp /var /home / nosetuid on Linux. Haven't done > anything similar with BSD. Assuming that nosetuid does what I think it does - disables the setuid and setgid bits on the file systems - then that should break things. The su and suid commands should be broken if you do that. If you really want to do these things on FreeBSD, the relevant option is nosuid. > 6. Set all security related, and log files to 600 root.root on Linux. > Yet to do on FreeBSD, but sounds like a good idea. Making all log files mode 600 owned by root means that root has to run the daemons that log to them. This may or may not be either true or desirable. If you're serious about security, you should audit the entire startup sequence, and make sure that you understand everything that gets run, and disable everything that you don't need. <mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14751.19841.179494.276810>