Date: Thu, 20 Apr 2000 12:02:57 -0700 (PDT)
From: Christopher Nielsen
To: Nick Loman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: 10 days

On Thu, 20 Apr 2000, Nick Loman wrote:

> Given that I'm a FreeBSD newbie, and notwithstanding general security
> tips, what should I be looking out for in these early days?

Something you might want to do, if you haven't already, is enable
log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'. It will log
connection attempts on ports that have nothing listening on them. It can
be very enlightening.

Some other options you might want to consider are:

tcp_restrict_rst="NO"           # Set to YES to restrict emission of RST
icmp_drop_redirect="NO"         # Set to YES to ignore ICMP REDIRECT packets
icmp_log_redirect="NO"          # Set to YES to log ICMP REDIRECT packets

and if you don't mind breaking T/TCP

tcp_drop_synfin="NO"            # Set to YES to drop TCP packets with SYN+FIN
                                # NOTE: this breaks rfc1644 extensions (T/TCP)

--
Christopher Nielsen
(enkhyl|cnielsen)@pobox.com
Enkhyl on IRC
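An added example, not part of the original message: a shell check that reports which of the rc.conf knobs named above are effectively set to YES when several rc.conf files are read in order. The function names and the sample files are constructed for illustration, and it assumes that only a value of YES (in any case) turns a knob on.

```shell
#!/bin/sh
# Added example (not from the original message): report which of the rc.conf
# knobs named in the message are effectively enabled.

KNOBS="log_in_vain tcp_restrict_rst icmp_drop_redirect icmp_log_redirect tcp_drop_synfin"

# rc_value KNOB FILE...: print the effective value of KNOB. rc.conf files are
# sh fragments read in order, so the last assignment wins.
rc_value() {
    knob=$1; shift
    cat "$@" 2>/dev/null |
        sed -n "s/^[[:space:]]*${knob}=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" |
        tail -n 1
}

# audit_rc FILE...: one line per knob: name, state, effective value.
audit_rc() {
    for k in $KNOBS; do
        v=$(rc_value "$k" "$@")
        case $v in
            [Yy][Ee][Ss]) state=enabled ;;   # assumption: only YES counts as on
            *)            state=disabled ;;
        esac
        note=
        # Caveat from the message: YES here breaks rfc1644 (T/TCP).
        [ "$k" = tcp_drop_synfin ] && [ "$state" = enabled ] && note=" breaks-T/TCP"
        printf '%s %s %s%s\n' "$k" "$state" "${v:-unset}" "$note"
    done
}

# disabled_knobs FILE...: space-separated names of knobs that are not enabled.
disabled_knobs() {
    audit_rc "$@" | awk '$2 == "disabled" { printf "%s%s", sep, $1; sep = " " }'
}

# Constructed sample input: a defaults file, then a local override file.
write_sample() {
    printf '%s\n' 'log_in_vain="NO"' 'tcp_restrict_rst="NO"  # default' \
        'icmp_drop_redirect="NO"' 'icmp_log_redirect="NO"' \
        'tcp_drop_synfin="NO"' > "$1/defaults"
    printf '%s\n' '# local overrides' 'log_in_vain="YES"' \
        '#icmp_drop_redirect="YES"' 'icmp_log_redirect=yes' > "$1/local"
}

dir=$(mktemp -d)
write_sample "$dir"
audit_rc "$dir/defaults" "$dir/local"
echo "not enabled: $(disabled_knobs "$dir/defaults" "$dir/local")"
rm -rf "$dir"
```

On a FreeBSD host the same functions can be pointed at /etc/defaults/rc.conf followed by /etc/rc.conf; a commented-out override, as in the sample, leaves the default in effect.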