Date: Sat, 6 Dec 2014 14:06:27 +1100
From: andrew clarke <mail@ozzmosis.com>
To: Eric Popelka <arickp@cox.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Staying safe and sound
Message-ID: <20141206030627.GA7787@ozzmosis.com>
In-Reply-To: <54824DC6.5090605@cox.net>
References: <54824DC6.5090605@cox.net>

On Fri 2014-12-05 19:28:54 UTC-0500, Eric Popelka (arickp@cox.net) wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> I'm administering FreeBSD on a public-facing virtual server as a side
> project/resume builder/etc. My question is: what should I be doing to
> keep the blackhat hax0rz away? I do some of the obvious (firewalling
> most inbound traffic with ipfilter, reading the log files daily).

A fresh install of FreeBSD is extremely secure.

sshguard or similar might be useful if you're running public-facing
sshd, mostly just to cut the noise down in your logs from people (or,
rather, people running bots) trying to brute-force login. After a few
incorrect password attempts the software can block their IP address.

Whether it's Windows, Linux, OS X, BSD etc, security problems in the
base OS or web server software (Apache, nginx, etc) are quite rare
these days. I believe most site defacements and breakins occur due to
bugs in PHP scripts or leaked passwords, etc.

> I'm still on FreeBSD 10.0, so I'm assuming that I should upgrade the
> kernel to 10.1. If I do go up to 10.1, is this simple enough on a
> running system? I don't want to lose whatever drivers/modules/etc.
> that came with the fresh DVD install of 10.0 (the virtual is running
> FreeBSD using Xen, if that makes a difference).

Assuming you're running the GENERIC kernel on 10.0-RELEASE (check
uname -a), freebsd-update can upgrade both kernel and userland to 10.1,
but there's no rush. 10.0 is currently still supported, so you can get
security updates for it (also with freebsd-update). The latter is very
simple. Note that security updates to the kernel will require a reboot
to take effect.

Upgrading from 10.0 to 10.1 may be slightly more work in the case of
config file changes between versions, but it should be pretty
self-explanatory.

Given you're running FreeBSD in a VM, you could easily create a second
non-public-facing VM just to experiment with if you're uneasy about
working on the public-facing server. Alternatively you could use
snapshots on the VM host if it supports that, in case you make a
mistake you're not sure how to correct.

> I assume I should also be doing pkg update; pkg upgrade on a regular
> basis, too. Anything else I should be doing -- is there another
> mailing list or RSS feed that notifies you about major vulnerabilities?

Security updates to the base system are sent to freebsd-announce:

https://lists.freebsd.org/mailman/listinfo/freebsd-announce

Probably other places too.

For packages/ports, see the VuXML database at

http://vuxml.freebsd.org/freebsd/index-date.html

for more info.

> (Yes, I realize OpenBSD is the choice for those serious about
> security, but like I said, this is mostly a playground server for
> personal use. That said, I don't want to become an open relay, have my
> site defaced, etc.)

The FreeBSD team are serious about security. OpenBSD may have a name
for itself but its leader is somewhat obsessive and abrasive, tending
to drive people away.

Subjectively, I find FreeBSD quite a bit easier to use than
Net/OpenBSD, and I suspect that's most other people's experience too.

Regards
Andrew