From owner-freebsd-questions@FreeBSD.ORG Thu May 1 03:49:38 2003
Message-ID: <00f701c30fcf$5054af80$a4b826cb@goo>
From: "Rob"
To: "pat bey", "Max"
Cc: mrspock@esfm.ipn.mx, freebsd-questions@freebsd.org
References: <20030430162901.22504.qmail@web41204.mail.yahoo.com>
Date: Thu, 1 May 2003 20:19:12 +0930
Subject: Re: securing the kernel

There's a little bit on kernel options in the security(7) manpage, but many of the 'hardening' steps are outside of the kernel.

You can add ICMP_BANDLIM to the kernel config, as well as options for ipfirewall(4). My /etc/sysctl.conf has the entries

    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1

to slow down portscans - see blackhole(4).

You might also want to look at runlevels in the init(8) manpage, though they work better on servers.

Of course, turn off any network stuff you don't need - inetd(8) and portmap(8) can be disabled in /etc/rc.conf.
If you run named(8), use the flags recommended in /etc/defaults/rc.conf and run it non-root.

I haven't got any untrusted local users, so most of my focus is on network-based problems. I would certainly recommend /usr/ports/security/sudo as a replacement for su(8). It has much better control over who does what.

----- Original Message -----
From: "pat bey"
To: "Max"
Sent: Thursday, May 01, 2003 1:59 AM
Subject: securing the kernel

> I'm fairly new to messing with the kernel and was wondering what are some good options to add to it to help secure it from remote and local attackers. Of the options in Lint, I don't know which are the most secure. I haven't found any documents yet besides man and the handbook. Just looking for opinions.
>
> Suppressed minds have no Freedom of Choice
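
Added example, not part of the original message or of FreeBSD itself: a small sh script that checks a sysctl.conf and an rc.conf for the settings named in the reply above. The rc.conf variable names inetd_enable and portmap_enable are assumptions, the function names are hypothetical, and the sample files are constructed.

```sh
#!/bin/sh
# Audit sysctl.conf and rc.conf for the settings named in the message above.
# inetd_enable / portmap_enable are the assumed rc.conf variable names.

# Print the effective (last) value of key $2 in key=value file $1,
# with comments, surrounding whitespace and quotes stripped.
conf_value() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" '
        { key = $0; sub(/[=].*/, "", key); gsub(/[ \t]/, "", key) }
        key == k && index($0, "=") {
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val); found = 1
        }
        END { if (found) print val }'
}

# Check one setting; print a finding and return 1 if it differs from $3.
check() {
    got=$(conf_value "$1" "$2" | tr '[:lower:]' '[:upper:]')
    if [ "$got" = "$3" ]; then
        echo "ok    $2=$got"
    else
        echo "FAIL  $2=${got:-<unset>} (want $3)"
        return 1
    fi
}

# Run all checks; $1 = sysctl.conf path, $2 = rc.conf path.
# Returns the number of failed checks. Unset keys fail, because this
# sketch does not consult /etc/defaults/rc.conf or the live sysctl tree.
audit_hardening() {
    fails=0
    check "$1" net.inet.tcp.blackhole 2 || fails=$((fails + 1))
    check "$1" net.inet.udp.blackhole 1 || fails=$((fails + 1))
    check "$2" inetd_enable NO || fails=$((fails + 1))
    check "$2" portmap_enable NO || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample files: a later line overrides an earlier one.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' 'net.inet.tcp.blackhole=1' \
    'net.inet.tcp.blackhole=2   # last assignment wins' > "$demo/sysctl.conf"
printf '%s\n' 'inetd_enable="YES"' 'portmap_enable="no"' > "$demo/rc.conf"
rc=0; audit_hardening "$demo/sysctl.conf" "$demo/rc.conf" || rc=$?
echo "failed checks: $rc"
rm -rf "$demo"
```

On a real host the two arguments would be /etc/sysctl.conf and /etc/rc.conf; the running values can differ from the files until the next boot.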