From owner-freebsd-questions@FreeBSD.ORG Wed Feb 20 18:37:35 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8870416A410 for ; Wed, 20 Feb 2008 18:37:35 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from smtp3.utdallas.edu (smtp3.utdallas.edu [129.110.10.49]) by mx1.freebsd.org (Postfix) with ESMTP id 607F913C509 for ; Wed, 20 Feb 2008 18:37:35 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from utd59514.utdallas.edu (utd59514.utdallas.edu [129.110.3.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.utdallas.edu (Postfix) with ESMTP id E4F4265502 for ; Wed, 20 Feb 2008 12:37:34 -0600 (CST) Date: Wed, 20 Feb 2008 12:37:34 -0600 From: Paul Schmehl To: freebsd-questions Message-ID: In-Reply-To: <47BC61BA.60103@infracaninophile.co.uk> References: <94136a2c0802200802r790ea5b1ye6f1a331b15ed6f4@mail.gmail.com> <47BC61BA.60103@infracaninophile.co.uk> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Re: security of a new installation / steps to take X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Feb 2008 18:37:35 -0000 --On Wednesday, February 20, 2008 17:22:02 +0000 Matthew Seaman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Zbigniew Szalbot wrote: > >> So far I have had FreeBSD systems only in office so I used my hardware >> firewall (Dlink DFL 700) to block access to services on ports 22, etc. >> Now, at the ISP I won't be able to do this so I will need to be a lot >> more careful about security issues. I am planning to make a list of >> steps I need to take to configure the OS to my liking and install >> applications I need. However, I would really, really love to have some >> advice from you re the basic steps. > > The important mantra to remember when securing a machine that is exposed > to the internet is: > > What does not listen on the network cannot be used to compromise you. > > In practice, this means run sockstat and look for all the processes > that are listening for connections on your external network interfaces. > > If you don't need it, then don't run it. > What an outstanding answer. Matthew has covered all the correct bases. I can only add one further suggestion. Consider using /etc/hosts.allow to protect daemons that must listen on ports to restrict access even further. -- Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/