From: Bill Moran
To: "Zbigniew Szalbot"
Cc: freebsd-questions
Date: Wed, 20 Feb 2008 11:33:13 -0500
Subject: Re: security of a new installation / steps to take
Message-Id: <20080220113313.334d852d.wmoran@potentialtech.com>

On Wed, 20 Feb 2008 17:02:22 +0100 "Zbigniew Szalbot" wrote:

> In a matter of weeks we will be moving our office "server", replacing it with a dedicated server machine functioning at an ISP's location. I have spoken to them and they use Fedora, so they won't be able to help me much (besides, we're not really prepared to pay them for administrative work). Obviously, I want to keep using FreeBSD, so they promised to set up a basic installation so that I can remotely connect to the server, configure it, install userland, etc.
>
> So far I have had FreeBSD systems only in the office, so I used my hardware firewall (Dlink DFL 700) to block access to services on ports 22, etc. Now, at the ISP, I won't be able to do this, so I will need to be a lot more careful about security issues. I am planning to make a list of steps I need to take to configure the OS to my liking and install the applications I need. However, I would really, really love to have some advice from you re the basic steps.
>
> For example, I guess I will need to make friends with the pf firewall (I did use it, but not extensively, due to the hardware router in place). I will need to disallow direct (3306) access to the mysql database (again a pf thing?) and the like.

Build a "deny by default" firewall. There are lots of advantages to it. See my explanation of my personal server: http://www.potentialtech.com/cms/node/16

Don't apply that technique blindly; the policy I use there is not appropriate for everyone. Rather, read through that to understand more about how to create a deny-by-default ruleset and adjust the details to meet your needs.

Another thing that's extremely powerful is integrity monitoring using something like Tripwire or Samhain.

If you're building a firewall remotely, create a cron job that disables the firewall every 30 minutes (i.e. pfctl -d). Then, if you tweak your firewall rules in such a way that you lock yourself out, you just need to wait 30 minutes before you can get back in. Once you're sure your rules are working as you want, disable the cron job.

Always leave yourself a back door (see the whitelist rule I have in the link above) so you don't accidentally get locked out. If your hosting provider can give you a serial console into the machine, that's the best option, but it's getting less commonly available these days.

And don't be afraid to ask specific questions if you get stuck on details while you're setting it up.

> In any case, many thanks for your hints, tips, links to get started (I actually plan to use an old box in the office to test-install everything and only then do the same remotely). I have been using FreeBSD for 1.5 years, but I know how little I know, so I'm ready to learn.
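The deny-by-default ruleset with an admin whitelist "back door", plus the 30-minute unlock cron entry described in the reply above, as an added example that is not Bill's own ruleset from the linked page. The interface name em0, the admin address 203.0.113.10 and "ssh only" as the public service are placeholder assumptions; MySQL's 3306 stays closed simply because it is never listed.

```shell
#!/bin/sh
# Added example: generate a deny-by-default pf.conf and the cron safety net.
# Placeholders: ext_if em0, admin host 203.0.113.10, open TCP ports "22".

# Print a deny-by-default ruleset.
#   $1 = external interface, $2 = admin host/CIDR that may reach everything
#   (the "back door"), $3 = space-separated TCP ports open to the world.
gen_pf_rules() {
    ext_if="$1"; admin="$2"; open_tcp="$3"
    cat <<EOF
ext_if = "$ext_if"
admin = "{ $admin }"
tcp_services = "{ $open_tcp }"
set skip on lo0
# Default policy: drop (and log) anything not explicitly allowed below.
block in log all
block out all
# Back door: the admin host may reach every service, whatever follows.
pass in quick on \$ext_if from \$admin to (\$ext_if) keep state
# Publicly reachable services; anything not listed (e.g. the database
# port) is unreachable from outside without a separate rule.
pass in on \$ext_if proto tcp from any to (\$ext_if) port \$tcp_services keep state
# Let the machine itself open outbound connections (updates, DNS, NTP).
pass out on \$ext_if keep state
EOF
}

# /etc/crontab line (FreeBSD system crontab has a "who" field) that turns pf
# off every 30 minutes while rules are being developed remotely.
# Remove it once the ruleset is known to be good.
safety_cron_line() {
    printf '%s\n' '*/30 * * * * root /sbin/pfctl -d'
}

# Syntax-check a generated ruleset with pf's own parser; loads nothing.
# Skipped where pfctl is not installed (e.g. on a non-pf test host).
check_rules() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found, check skipped"; return 0; }
    gen_pf_rules "$@" | pfctl -nf -
}

# Only print the files when run directly with "show"; never applies anything.
if [ "${1:-}" = "show" ]; then
    gen_pf_rules em0 203.0.113.10 22
    safety_cron_line
fi
```

Run it with `show` to see the two files; copy the ruleset to /etc/pf.conf and the cron line into /etc/crontab only after `check_rules em0 203.0.113.10 22` passes.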