Date: Wed, 20 Feb 2008 12:37:34 -0600
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: security of a new installation / steps to take
Message-ID: <B32FFDD34A120E23C4958F5C@utd59514.utdallas.edu>
In-Reply-To: <47BC61BA.60103@infracaninophile.co.uk>
References: <94136a2c0802200802r790ea5b1ye6f1a331b15ed6f4@mail.gmail.com> <47BC61BA.60103@infracaninophile.co.uk>
--On Wednesday, February 20, 2008 17:22:02 +0000 Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Zbigniew Szalbot wrote:
>
>> So far I have had FreeBSD systems only in office so I used my hardware
>> firewall (Dlink DFL 700) to block access to services on ports 22, etc.
>> Now, at the ISP I won't be able to do this so I will need to be a lot
>> more careful about security issues. I am planning to make a list of
>> steps I need to take to configure the OS to my liking and install
>> applications I need. However, I would really, really love to have some
>> advice from you re the basic steps.
>
> The important mantra to remember when securing a machine that is exposed
> to the internet is:
>
> What does not listen on the network cannot be used to compromise you.
>
> In practice, this means run sockstat and look for all the processes
> that are listening for connections on your external network interfaces.
>
> If you don't need it, then don't run it.

What an outstanding answer. Matthew has covered all the correct bases. I can only add one further suggestion. Consider using /etc/hosts.allow to protect daemons that must listen on ports to restrict access even further.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
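A worked version of the two steps above (the sockstat audit Matthew describes and the /etc/hosts.allow rules Paul suggests), added here as an example and not taken from the thread. The sockstat output it parses is constructed, and the daemon name and client networks passed to hosts_allow_rules are placeholders.

```sh
#!/bin/sh
# Constructed sample of `sockstat -4 -6 -l` output (fields: USER COMMAND PID FD
# PROTO LOCAL-ADDRESS FOREIGN-ADDRESS). Not captured from a real host.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   *:22                  *:*
root     sshd       1234  4  tcp6   *:22                  *:*
bind     named      900   20 udp4   127.0.0.1:53          *:*
www      httpd      1500  3  tcp4   192.0.2.10:80         *:*
root     sendmail   700   4  tcp4   127.0.0.1:25          *:*
root     syslogd    600   6  udp4   *:514                 *:*'

# exposed_listeners: read sockstat output on stdin and print "COMMAND PROTO
# LOCAL" for every socket reachable from off-host, i.e. bound to the wildcard
# address or to any non-loopback address. Loopback-only services are skipped.
exposed_listeners() {
    awk 'NR > 1 {
        addr = $6
        sub(/:[^:]*$/, "", addr)                  # drop the trailing ":port"
        if (addr == "::1" || addr ~ /^127\./) next # loopback only: not exposed
        print $2, $5, $6
    }'
}

# hosts_allow_rules DAEMON CLIENT...: emit /etc/hosts.allow lines that admit
# DAEMON only from the given client patterns and deny everyone else.
# hosts.allow is evaluated top-down, first match wins, so the allow lines must
# come before the catch-all deny. Only daemons that consult tcp_wrappers
# (linked with libwrap, or started via inetd -w) honour these rules.
hosts_allow_rules() {
    daemon=$1
    shift
    for client in "$@"; do
        printf '%s : %s : allow\n' "$daemon" "$client"
    done
    printf '%s : ALL : deny\n' "$daemon"
}

# Stand-alone run: audit the sample, then draft rules for sshd (placeholder
# networks 192.0.2.0/24 and 198.51.100.7 are documentation ranges).
echo '== listeners reachable from the network =='
printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_listeners
echo '== proposed /etc/hosts.allow fragment =='
hosts_allow_rules sshd 192.0.2.0/24 198.51.100.7
```

On a live system replace the embedded sample with `sockstat -4 -6 -l | exposed_listeners`; anything it lists that you do not need should be disabled in rc.conf rather than wrapped.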
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B32FFDD34A120E23C4958F5C>