From: "Schalk Erasmus"
Date: Wed, 6 Aug 2003 18:03:15 +0100
Subject: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

Could someone assist me with this?

Regards
Schalk

----- Original Message -----
Sent: Saturday, August 02, 2003 10:03 AM
Subject: Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

> I guess I also need to allow the other Services, in this order:
>
> sshd : myhomepc : allow
> exim : ALL : allow
> httpd : ALL : allow
> ftpd : ALL : allow
> ALL : ALL : deny
>
> Is this right?
>
> > # Start by allowing everything (this prevents the rest of the file
> > # from working, so remove it when you need protection).
> > # The rules here work on a "First match wins" basis.
> > ALL : ALL : allow
> >
> > # Wrapping sshd(8) is not normally a good idea, but if you
> > # need to do it, here's how
> > #sshd : .evil.cracker.example.com : deny
> >
> > Regards
> > Schalk Erasmus
> >
> >
>

----- Original Message -----
Sent: Saturday, August 02, 2003 9:55 AM
Subject: FreeBSD - Secure by DEFAULT ??

> Hi,
>
> I need to know what the implications are to make use of the hosts.allow file
> on a FreeBSD Production Server (ISP Setup)?
>
> The reason I'm asking, is that I've recently decommissioned a Linux SendMail
> Server to a FreeBSD Exim Server, but with no Firewall (IPTABLES) yet.
>
> Besides the fact that it only runs EXIM and Apache, is it necessary to
> Configure rc.Firewall? or can I only make use of the hosts.allow file?
>
> Currently I would only like to allow SSH access from my Home Network,
> instead of allowing the WORLD.
>
> I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but based
> on the new "Access Control File", it is all merged together in one file:
>
> #
> # hosts.allow access control file for "tcp wrapped" applications.
> # $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
> #
> # NOTE: The hosts.deny file is deprecated.
> # Place both 'allow' and 'deny' rules in the hosts.allow file.
> # See hosts_options(5) for the format of this file.
> # hosts_access(5) no longer fully applies.
> # Start by allowing everything (this prevents the rest of the file
> # from working, so remove it when you need protection).
> # The rules here work on a "First match wins" basis.
> ALL : ALL : allow
>
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
>
>
> Should I make the following changes to this file? (I'm afraid I might get
> kicked out)
>
> ALL : ALL : deny
> sshd : myhomepc.baboon.com : allow
>
>
> What kind of protection does FreeBSD need by Default? Since OpenBSD goes
> around saying: "SECURE BY DEFAULT" !?
>
>
> Just asking.....
>
> Regards
> Schalk Erasmus
>
>
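
Added example, not part of the original thread and not FreeBSD's libwrap code: a simplified Python model of the "First match wins" evaluation described in the quoted hosts.allow comments, run over the three rule orderings that appear in the messages above. It assumes each named daemon actually consults hosts.allow, models only ALL, exact names and leading-dot domain suffixes, and uses other.example.net as a constructed client name.

```python
# Simplified model of the "first match wins" rule evaluation quoted above.
# Handles only "daemons : clients : allow|deny" with ALL, exact names and
# leading-dot domain suffixes. It is not libwrap.

STOCK = """
ALL : ALL : allow
#sshd : .evil.cracker.example.com : deny
"""
DENY_FIRST = """
ALL : ALL : deny
sshd : myhomepc.baboon.com : allow
"""
ORDERED = """
sshd : myhomepc : allow
exim : ALL : allow
httpd : ALL : allow
ftpd : ALL : allow
ALL : ALL : deny
"""

def parse_rules(text):
    """Return (daemons, clients, verdict) tuples; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients, verdict = (f.strip() for f in line.split(":"))
            rules.append((daemons.replace(",", " ").split(),
                          clients.replace(",", " ").split(), verdict))
    return rules

def _matches(patterns, value):
    return any(p == "ALL" or p == value or
               (p.startswith(".") and value.endswith(p)) for p in patterns)

def decide(rules, daemon, client):
    """Return (verdict, rule number) of the first matching rule."""
    for n, (daemons, clients, verdict) in enumerate(rules, 1):
        if _matches(daemons, daemon) and _matches(clients, client):
            return verdict, n
    return "allow", None  # nothing matched: access is granted

if __name__ == "__main__":
    # other.example.net is a constructed client name
    for name, text, client in (("STOCK", STOCK, "other.example.net"),
                               ("DENY_FIRST", DENY_FIRST, "myhomepc.baboon.com"),
                               ("ORDERED", ORDERED, "myhomepc"),
                               ("ORDERED", ORDERED, "other.example.net")):
        print(name, "sshd from", client, "->", decide(parse_rules(text), "sshd", client))
```

With the catch-all deny first, sshd from myhomepc.baboon.com is refused by rule 1 and the allow line is never reached; with the catch-all deny last, the specific allow lines are evaluated before it.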