From owner-freebsd-isp Thu Jul 12 15:32:12 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from bilver.wjv.com (dhcp-1-113.n01.orldfl01.us.ra.verio.net [157.238.210.113]) by hub.freebsd.org (Postfix) with ESMTP id 66D9C37B403 for ; Thu, 12 Jul 2001 15:32:00 -0700 (PDT) (envelope-from bill@bilver.wjv.com)
Received: (from bill@localhost) by bilver.wjv.com (8.11.1/8.11.1) id f6CMVsB44994; Thu, 12 Jul 2001 18:31:54 -0400 (EDT) (envelope-from bill)
Date: Thu, 12 Jul 2001 18:31:24 -0400
From: Bill Vermillion
To: Bart Silverstrim
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: gcc on production server
Message-ID: <20010712183124.A44876@wjv.com>
Reply-To: bv@wjv.com
References: <20010711170336.B84178@krijt.livens.net> <20010711123133.A21587@pitr.tuxinternet.com> <20010712123523.G53408@jake.akitanet.co.uk> <007c01c10b14$5462d820$0100a8c0@sosbbs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <007c01c10b14$5462d820$0100a8c0@sosbbs.com>; from bsilver@sosbbs.com on Thu, Jul 12, 2001 at 04:50:45PM -0400
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jul 12, 2001 at 04:50:45PM -0400, Bart Silverstrim thus sprach:
> On Jul 11, Hug Me wrote:
> >> if you are REALLY worried about security, get a drive that has
> >> a jumper you can change to read only, put your operating system
> >> on it, move the jumper
> >Ummmm... that's not clever. That's stupid. So, you're an ISP.
> >If you're running this system, exactly how do you deliver mail,
> >allow users to change webpages, etc? Oh yeah, and just out of
> >curiosity, what happens to /var and /tmp ? As one colleague just
> >replied when I read that paragraph to him "that's not an OS -
> >it's a coaster". I hope it keeps your coffee warm.
> Why not use two drives, one read only with the OS on it, one
> with multiple partitions to mount to /var and /tmp, ,
> /home...stuff like that...or some variation of that theme?

> I toyed with the idea of trying to make bootable CD's for the key
> system files and such before, should work in a similar manner to
> what is basically described above (although performance from the
> read operations would be terrible) if I actually had the time and
> extra hardware to dedicate to making system laid out to create a
> "image" and make a slave drive on another system with a CD-R drive
> :-) Gotta admit, that would make it terribly difficult to crack
> into and lay trojaned system binaries...

Using the highest security level and performing a noschg on all the
important system directories can make the OS look almost like a ROM.
Leave the file systems which need to be written as set normally.

Eric Brueggmann posted this last August to this same list.

===============================================================================
#!/bin/sh
# Run this after a make world, for better security.

# Lift the immutable flag so the freshly installed binaries and their
# directories can be adjusted; it is put back at the end of the script.
chflags noschg /bin/* /usr/bin/* /sbin/* /usr/sbin/*
chflags noschg /bin /sbin /usr/bin /usr/sbin

# Stop other users reading the logs; wtmp stays world-readable.
cd /var/log && chmod g-w,o-r * && chmod a+r wtmp

echo "Edit /etc/rc.conf and set kern_securelevel to 2"

# Drop setgid from every file except lockfile.
find / -type f -perm -2000 -print | egrep -wv "lockfile" \
    | while read -r i; do chmod g-s "$i"; done

# Drop setuid from every file except the tools that really need it.
find / -type f -perm -4000 -print \
    | egrep -wv "man|login|passwd|su|ssh|sendmail|procmail|sudo|mail.local" \
    | while read -r i; do chmod u-s "$i"; done

# Remove world-write from every directory except the tmp directories.
find / -type d -perm -002 -print | egrep -v "tmp" \
    | while read -r i; do chmod o-w "$i"; done

chmod 700 /root
# cd to /home and chmod 700 every directory except "apache|newuser|ftp|?????"

# Make the system binaries and their directories immutable again.
chflags schg /bin/* /usr/bin/* /sbin/* /usr/sbin/*
chflags schg /bin /sbin /usr/bin /usr/sbin
===============================================================================

--
Bill Vermillion - bv @ wjv . com
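An audit helper for the hardening described above, added here and not code from the thread or from Eric's script: it lists system files that lack the schg flag, read from `ls -lo` output, and checks that kern.securelevel is at least the 2 the script asks for. It assumes FreeBSD's ls(1) -o flag column and sysctl(8); the sample listing is constructed so the parsing runs on any POSIX system.

```shell
#!/bin/sh
# Audit helper added here, not code from the thread.  It reports files that
# lack the schg flag and checks the running securelevel.  Assumes FreeBSD
# ls(1) -o (prints the file-flags column) and sysctl(8); the constructed
# sample lets the parsing functions run on any POSIX system.

# Read `ls -lo` lines on stdin; print every regular file whose flags
# field (5th column, "-" when empty, comma-separated otherwise) lacks schg.
missing_schg() {
    awk '$1 ~ /^-/ {
        n = split($5, f, ",")
        found = 0
        for (i = 1; i <= n; i++) if (f[i] == "schg") found = 1
        if (!found) print $NF
    }'
}

# Succeed only when the securelevel given as $1 is at least 2, the value
# the posted script tells the admin to set in rc.conf.
securelevel_ok() {
    [ "$1" -ge 2 ] 2>/dev/null
}

# Live audit of the directories the script protects (FreeBSD only).
audit_system_dirs() {
    find /bin /sbin /usr/bin /usr/sbin -type f -print0 \
        | xargs -0 ls -lo | missing_schg
    if securelevel_ok "$(sysctl -n kern.securelevel)"; then
        echo "securelevel OK"
    else
        echo "securelevel too low: root can still clear schg" >&2
        return 1
    fi
}

# Constructed sample of `ls -lo` output (not real audit data).
SAMPLE='-r-xr-xr-x  1 root  wheel  schg         8700 Jul 12  2001 /bin/ls
-r-xr-xr-x  1 root  wheel  -           12000 Jul 12  2001 /bin/sh
-r-sr-xr-x  1 root  wheel  schg,uappnd  4200 Jul 12  2001 /usr/bin/su
drwxr-xr-x  2 root  wheel  schg          512 Jul 12  2001 /usr/bin
-rwxr-xr-x  1 root  wheel  uappnd       3100 Jul 12  2001 /usr/sbin/foo'

# Demo on the sample: prints /bin/sh and /usr/sbin/foo.
printf '%s\n' "$SAMPLE" | missing_schg
```

Run audit_system_dirs on the host itself to check the live system; the demo at the bottom only exercises the constructed sample.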