Date: Wed, 29 Mar 2000 21:32:07 -0500
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: Scott <scotte@speakeasy.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Help securing fresh install from CD

On Wed, Mar 29, 2000 at 11:15:48AM -0800, Scott wrote:
> Hello to all:
>   
> I have just ordered a new PC to install the January release of FreeBSD from CD.
> I was wondering how secure FreeBSD is out-of-the-box,
> and what additional steps I need to take in securing it.
>   
> My experience has been with securing Linux and Solaris boxes -
> commenting out non-needed services in /etc/inetd.conf, looking for SUID and
> GUID programs, installing SSH, etc.
>   
> What specifics are needed for FreeBSD, also considering this system will likely
> double as a firewall.

Most of the same steps, edit inetd.conf and hosts.allow. OpenSSH is
now part of the base system, so that is done for you. Check for unneeded
suid and guid (uucp is one on my system, but I would be shocked to see
someone find a hole in that after all of these years).

What you might be more interested in is the 'schg' flag (man chflags)
and securelevels (man init) in FreeBSD.

For a firewall, there are kernel config options and sysctl options you
need to consider to defeat or at least lessen the effect of certain
remote DOS attacks (e.g. SYN attacks).
-- 
Crist J. Clark                           cjclark@home.com
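
The inetd.conf and suid/sgid checks mentioned in this thread, as an added example that is not part of the original message: read-only audit helpers in POSIX sh. The function names and the sample inetd.conf are constructed for illustration; show_flags assumes FreeBSD's "ls -lo" and "sysctl -n kern.securelevel".

```sh
#!/bin/sh
# Added example: read-only audit helpers. Nothing here changes the system.
# Usage, once sourced:  enabled_inetd_services; find_suid_sgid /usr

# Print "service/protocol server-program" for every enabled (uncommented)
# entry in an inetd.conf-format file.
# Field order: service, socket type, protocol, wait flag, user, program, args.
enabled_inetd_services() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank and commented-out lines
        NF >= 6 { printf "%s/%s %s\n", $1, $3, $6 }
    ' "${1:-/etc/inetd.conf}"
}

# List regular files with the setuid or setgid bit set under a directory,
# without crossing onto other filesystems.
find_suid_sgid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# On FreeBSD, print the current securelevel and the file flags (schg etc.)
# of the named files; on any other system do nothing.
show_flags() {
    if [ "$(uname -s)" != "FreeBSD" ]; then
        echo "show_flags: not FreeBSD, skipped" >&2
        return 0
    fi
    echo "kern.securelevel=$(sysctl -n kern.securelevel)"
    ls -lo "$@"
}

# Constructed sample input for trying enabled_inetd_services offline.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample, not taken from a real host
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd

ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
EOF
}
```

Every line enabled_inetd_services prints is a listening service to justify or comment out; every path from find_suid_sgid is a candidate for review, and show_flags tells you whether it already carries schg.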

