Date: Thu, 20 Apr 2000 12:02:57 -0700 (PDT)
From: Christopher Nielsen <enkhyl@pobox.com>
To: Nick Loman <nick@loman.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: 10 days
Message-ID: <Pine.LNX.4.21.0004201153160.23037-100000@hayseed.net>
In-Reply-To: <Pine.BSF.4.21.0004201949370.25795-100000@slip.csosl.co.uk>

On Thu, 20 Apr 2000, Nick Loman wrote:

> Given that I'm a FreeBSD newbie, and notwithstanding general security
> tips, what should I be looking out for in these early days?

Something you might want to do, if you haven't already, is enable
log_in_vain in /etc/rc.conf by adding 'log_in_vain="YES"'. It will log
connection attempts on ports that have nothing listening on them. It
can be very enlightening.

Some other options you might want to consider are:

    tcp_restrict_rst="NO"      # Set to YES to restrict emission of RST
    icmp_drop_redirect="NO"    # Set to YES to ignore ICMP REDIRECT packets
    icmp_log_redirect="NO"     # Set to YES to log ICMP REDIRECT packets

and if you don't mind breaking T/TCP

    tcp_drop_synfin="NO"       # Set to YES to drop TCP packets with SYN+FIN
                               # NOTE: this breaks rfc1644 extensions (T/TCP)

-- 
Christopher Nielsen
(enkhyl|cnielsen)@pobox.com
Enkhyl on IRC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
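
A way to check which of the knobs named in the message are actually enabled in an rc.conf file. This is an added example, not part of the original e-mail; the function names rc_knob and audit_rc and the sample file contents are constructed here, and an unset knob is assumed to count as NO, the value the message shows for each one.

```shell
#!/bin/sh
# Added example (not from the original message): report the rc.conf knobs it names.
# Assumption: an unset knob counts as NO, the value the message shows for each one.
KNOBS="log_in_vain tcp_restrict_rst icmp_drop_redirect icmp_log_redirect tcp_drop_synfin"

# rc_knob FILE NAME: print the effective value. The last assignment wins,
# as it does when sh sources rc.conf; comment lines are ignored.
rc_knob() {
    awk -v name="$2" -v q="[\"']" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, name "=") != 1) next
            val = substr(line, length(name) + 2)
            sub(/[ \t]*#.*$/, "", val)   # trailing comment
            sub(/[ \t]+$/, "", val)      # trailing blanks
            gsub(q, "", val)             # surrounding quotes
            found = val
        }
        END { print (found == "" ? "NO" : found) }
    ' "$1"
}

# audit_rc FILE: print one line per knob; the exit status is the number
# of knobs that are not set to YES (0 means all of them are enabled).
audit_rc() {
    missing=0
    for k in $KNOBS; do
        v=$(rc_knob "$1" "$k")
        case "$v" in
            [Yy][Ee][Ss]) echo "$k=YES" ;;
            *) echo "$k=$v (not enabled)"; missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}

# Constructed sample rc.conf, used only to demonstrate the functions.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
log_in_vain="NO"
icmp_drop_redirect="YES"   # ignore ICMP REDIRECT
#tcp_drop_synfin="YES"
log_in_vain="YES"
EOF
audit_rc "$sample" || echo "$? knob(s) not enabled"
```

On a real system, point audit_rc at /etc/rc.conf instead of the sample file.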