From: Terry Lambert
Message-Id: <199805091011.DAA27614@usr06.primenet.com>
Subject: Re: how safe is FreeBSD 2.2.5
To: fiber@phy.iitkgp.ernet.in (Sanjit Roy)
Date: Sat, 9 May 1998 10:11:06 +0000 (GMT)
Cc: freebsd-hackers@freefall.cdrom.com
In-Reply-To: <3553963E.F2C5DE6@phy.iitkgp.ernet.in> from "Sanjit Roy" at May 9, 98 05:03:18 am
Sender: owner-freebsd-hackers@FreeBSD.ORG

> I need some advice regarding the security level in FreeBSD. Lately, a
> lot of students in my university campus have been into hacking activity.
> I have a Linux (kernel 1.2.8) system on one of my mail gateways and it's
> a piece of cake becoming 'root' on that machine. I immediately need to
> upgrade that to either REDHAT Linux 5.0 or FreeBSD 2.2.5. I have both
> the flavours of unix available with me.
>
> What I want to know is:
>
> 1. Which of the two is more secure?

Neither one has undergone a full commercial audit. Various FreeBSD
derivatives have been audited, and have shown high marks, but they
have been running "jailed" software, such as "smtpd/smtfwdd" on
externally accessible SMTP ports, etc.

In general, if you can show a FreeBSD system being exploited, the
people on this list will be happy to help track down and fix the
problem, and to help you issue a CERT advisory.

The short answer is "both are as secure as the effort you are willing
to put in following an incident to resecure them".

> 2. Is shadow util really effective in Linux? Don't know if there's one
> in FreeBSD?

FreeBSD runs shadow passwords at all times. There is no way to
disable this.

For a mail server, which does not require that the users of the
server actually have UNIX accounts (especially if it is configured
correctly; you should look into running the Cyrus IMAP4/POP3 servers
on your box), password file exploits are the least of your worries.

More likely you are going to get someone attempting a buffer overrun
attack against a network daemon. The fewer daemons you run, the less
vulnerable to attack you will be, statistically.

In general, you should dedicate boxes like mail servers, and not
run any other daemons on them. This is more a configuration issue
than a specific OS issue.

> 3. What do I have to do/install to make my system secure, i.e., what are
> the available patches and where do I get them?

By default, the most recent release is normally without *known*
exploits. When unknown exploits surface, they are maintained on
the -stable branch matching the release. If, for example, an exploit
were found against 2.2.6 (the most recent FreeBSD release), then the
patches would be made available in the 2.2.6-stable branch.

There are many ways to get this code; the easiest is to use cvsup to
keep an up-to-date snapshot of the archive, and to set up a list
monitoring procmail for the BSD lists that traps "CERT Advisory" and
one for the -stable commit list that traps "security" and "CERT".

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
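
The list monitoring described in the message above, sketched as a `.procmailrc` fragment. This is an added example, not part of the original post: the `Sender:` pattern for the BSD lists is modelled on this message's own `Sender:` header, while the sender address of the -stable commit list (a labelled placeholder) and the mailbox names are assumptions.

```procmail
# Added example, not from the original message.
# Assumptions:
#   - BSD list mail carries "Sender: owner-freebsd-<list>@FreeBSD.ORG",
#     as this message does.
#   - STABLE-COMMIT-LIST-PLACEHOLDER stands for the real sender of the
#     -stable commit list; copy it from a message that list delivered.
#   - Mailbox names (bsd-cert-advisories, stable-security-commits) are
#     arbitrary.
MAILDIR=$HOME/Mail
LOGFILE=$MAILDIR/procmail.log

# Recipe 1: any BSD list message that mentions "CERT Advisory".
#   c  = file a copy and let the original continue to normal delivery
#   HB = conditions search headers and body unless overridden
#   trailing ":" = use a local lockfile while writing the mailbox
# "H ??" restricts the Sender test to the headers only.
# procmail matches case-insensitively by default.
:0 cHB:
* H ?? ^Sender:.*owner-freebsd-[a-z-]+@FreeBSD\.ORG
* CERT Advisory
bsd-cert-advisories

# Recipe 2: -stable commit mail that mentions "security" or "CERT".
# Because matching is case-insensitive and unanchored, "CERT" also hits
# words such as "certain"; expect some false positives and review them.
:0 cHB:
* H ?? ^Sender:.*owner-STABLE-COMMIT-LIST-PLACEHOLDER@
* security|CERT
stable-security-commits
```

Both recipes deliver a copy, so the trapped messages still reach whatever folder the lists normally land in.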