From owner-freebsd-security@FreeBSD.ORG Mon Feb 26 03:57:30 2007 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id A696116A402 for ; Mon, 26 Feb 2007 03:57:30 +0000 (UTC) (envelope-from duane@dwlabs.ca) Received: from smtpout.eastlink.ca (smtpout.eastlink.ca [24.222.0.30]) by mx1.freebsd.org (Postfix) with ESMTP id 6B82913C48E for ; Mon, 26 Feb 2007 03:57:30 +0000 (UTC) (envelope-from duane@dwlabs.ca) Received: from ip04.eastlink.ca ([24.222.10.20]) by mta01.eastlink.ca (Sun Java System Messaging Server 6.2-4.03 (built Sep 22 2005)) with ESMTP id <0JE10024DW9J5TA1@mta01.eastlink.ca> for freebsd-security@freebsd.org; Sun, 25 Feb 2007 23:27:19 -0400 (AST) Received: from blk-224-199-230.eastlink.ca (HELO dwpc.dwlabs.ca) ([24.224.199.230]) by ip04.eastlink.ca with ESMTP; Sun, 25 Feb 2007 23:27:28 -0400 Received: from dwpc.dwlabs.ca (mail.dwlabs.ca [192.168.0.10]) by dwpc.dwlabs.ca (8.13.8/8.13.8) with ESMTP id l1Q3On5F073076; Sun, 25 Feb 2007 23:24:55 -0400 (AST envelope-from duane@dwpc.dwlabs.ca) Received: (from duane@localhost) by dwpc.dwlabs.ca (8.13.8/8.13.8/Submit) id l1Q3OnD2073075; Sun, 25 Feb 2007 23:24:49 -0400 (AST envelope-from duane) Date: Sun, 25 Feb 2007 23:24:49 -0400 From: Duane Whitty In-reply-to: <2FF03F09-23CA-44ED-87BA-673095FFE430@tca-cable-connector.com> To: David Schulz Message-id: <20070226032449.GA72966@dwpc.dwlabs.ca> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ao8CABzi4UUY4MfmdGdsb2JhbACjHwEBAQ X-IronPort-AV: i="4.14,217,1170648000"; d="scan'208"; a="132686057:sNHT57710790" X-Virus-Scanned: ClamAV 0.88.6/2649/Sun Feb 25 04:10:41 2007 on dwpc.dwlabs.ca X-Virus-Status: Clean X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on dwpc.dwlabs.ca References: <8F62D3F1-B5AF-442F-B492-67D28FDCE9F0@tca-cable-connector.com> <2FF03F09-23CA-44ED-87BA-673095FFE430@tca-cable-connector.com> User-Agent: Mutt/1.4.2.2i X-Spam-Status: No, score=-1.7 required=5.0 tests=AWL,BAYES_00, UNPARSEABLE_RELAY autolearn=ham version=3.1.4 Cc: freebsd-security@freebsd.org Subject: Re: Advice for Internet facing Mailserver X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: duane@dwlabs.ca List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 26 Feb 2007 03:57:30 -0000 On Sat, Feb 24, 2007 at 12:17:00AM +0800, David Schulz wrote: > Hello and good day, > > i have setup a Server which is directly connected to the Internet, > without NAT-Router or other Firewall Appliance. I am using FreeBSD > 6.2. I have pf enabled to only allow traffic on specified Ports. I am > using Apache-13 + Postfix + Dovecot & mysql for my Mail-system. There > is only one /home/User, which authenticates via a Key with Pass- > phrase to sshd. The Mail-users all authenticate to a mysql database. > I know that i could make use of chroot or better jail to secure the > machine from possible exploits in postfix & co, but i am not yet > comfortable with jail. Other then keeping my Ports (and system) up to > date, can you give me some tips on how to secure my Box a little bit? > > Thanks a lot, > David Hi David, Perhaps the following URI would be of interest: http://www.modsecurity.org/ I've been considering this tool myslef. I am not using it as of yet. Best Regards, Duane