From: security <security@jim-liesl.org>
To: Mike Tancsa
Cc: FreeBSD Mailing List <freebsd-stable@freebsd.org>, Darran
Subject: Re: FreeBSD and Apache, is it safe out of the box ?
Date: Fri, 07 Mar 2008 11:07:07 -0800
Message-ID: <47D1925B.2040905@jim-liesl.org>
In-Reply-To: <200803071734.m27HYFCf014595@lava.sentex.ca>
References: <200803071637.aa04380@walton.maths.tcd.ie> <47D16FA5.5070008@scottevil.com> <200803071734.m27HYFCf014595@lava.sentex.ca>
Mike Tancsa wrote:
> At 12:02 PM 3/7/2008, Darran wrote:
>> Hello all,
>>
>> I want to run a (FreeBSD 7) server facing the internet and running Apache and
>> wondered if it's safe out of the box .. so to speak ?
>
> Yes, today it is. But that does not necessarily mean you will not need to do
> updates, apply patches, perhaps change your configuration to deal with new
> threats. In my experience, FreeBSD makes the latter part easier than Windows
> or Linux (IMHO and experience)
>
>> Do I have to do a degree in configuration to allow it to face the wild west
>> (internet) ?
>> I also want to use it for storage of media and serving of media .. using
>> windows and freebsd clients .. is it possible .. again .. out of the box ?
>
> If you mean turn it on, click a few buttons and "it works" ? no. You will need
> to install and configure samba and apache.
> e.g.
> cd /usr/ports/net/samba3;make install
>
> will get the application installed, but you still need to configure it and
> later maintain it. With Windows, I find you can initially get things working
> without understanding how it works. But when you run into problems, you won't
> understand how to fix them. In general I find with FreeBSD, you are expected
> to understand some basics, but you are then better prepared to understand the
> problems you will face in running a server....
>
> That being said, the defaults FreeBSD 7.0 comes with are pretty sane and you
> should be able to get going quickly to the point where you are doing "stuff"
>
> ---Mike

I would agree with the following caveats:

ONLY allow ssh logins, ONLY using public key auth., and never directly to root.

Careful with guest access under SAMBA.

While Apache at this point is reasonably secure, there are a ton of apps that you can run under it that aren't. I'm thinking of many PHP-based ones in general, and most of the forum apps in particular. Be sure to research the security history of web apps (or anything that opens up a port listener).

Sign up for the mailing list of what you install, so you'll be alerted to security updates.

Consider running a file modification detector like aide or tripwire. They won't keep you from getting owned, but they'll tell you if it happens.

A little light reading:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security-intro.html
http://www.onlamp.com/pub/a/bsd/2002/08/08/FreeBSD_Basics.html
http://httpd.apache.org/docs/2.2/misc/security_tips.html

jim
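One way to check the ssh caveat in the reply above (key-only logins, no password logins, never directly as root) against a server's sshd_config. This is an added example, not from the thread; it assumes OpenSSH's rules that the first occurrence of a keyword wins and that lines after a Match block are conditional, and the two sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the caveat
# "ssh only, public key auth only, never directly to root".
# Assumes OpenSSH semantics: keywords are case-insensitive, the FIRST occurrence
# wins, and only whitespace-separated "Keyword value" lines before any Match
# block count as global settings.

# sshd_value FILE KEYWORD -> prints the effective global value, or nothing if unset
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                  # rest is conditional
        tolower($1) == key { print tolower($2); exit }   # first occurrence wins
    ' "$1"
}

# check_sshd_config FILE -> one line per directive; returns 0 only if all pass.
# An unset directive fails too: sshd's defaults for these have allowed password
# and root logins, so "not mentioned" is not the same as "disabled".
check_sshd_config() {
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no \
                ChallengeResponseAuthentication:no; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(sshd_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key ${got:-<unset>} (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: a stock-looking config with everything commented out,
# and one that follows the caveat (its Match block is intentionally ignored).
WEAK_CFG=$(mktemp) HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
cat > "$HARD_CFG" <<'EOF'
permitrootlogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match User backup
PasswordAuthentication yes
EOF

check_sshd_config "$WEAK_CFG" || echo "=> weak config: fix before exposing sshd"
check_sshd_config "$HARD_CFG" && echo "=> hardened config matches the caveat"
```

Run it against /etc/ssh/sshd_config instead of the sample files to audit a real host; the check deliberately does not trust a directive that is only set inside a Match block.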