Date: Thu, 1 May 2003 20:19:12 +0930
From: "Rob" <listone@deathbeforedecaf.net>
To: "pat bey" <phaza7@yahoo.com>, "Max" <max_mail@exe.farlep.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: securing the kernel
Message-ID: <00f701c30fcf$5054af80$a4b826cb@goo>
References: <20030430162901.22504.qmail@web41204.mail.yahoo.com>
There's a little bit on kernel options in the security(7) manpage, but many of the 'hardening' steps are outside of the kernel.

You can add ICMP_BANDLIM to the kernel config, as well as options for ipfirewall(4).

My /etc/sysctl.conf has the entries

    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1

to slow down portscans - see blackhole(4).

You might also want to look at runlevels in the init(8) manpage, though they work better on servers.

Of course, turn off any network stuff you don't need - inetd(8) and portmap(8) can be disabled in /etc/rc.conf. If you run named(8), use the flags recommended in /etc/defaults/rc.conf and run it non-root.

I haven't got any untrusted local users, so most of my focus is on network-based problems.

I would certainly recommend /usr/ports/security/sudo as a replacement for su(8). It has much better control over who does what.

----- Original Message -----
From: "pat bey" <phaza7@yahoo.com>
To: "Max" <max_mail@exe.farlep.net>
Cc: <mrspock@esfm.ipn.mx>; <freebsd-questions@freebsd.org>
Sent: Thursday, May 01, 2003 1:59 AM
Subject: securing the kernel

> I'm fairly new to messing with the kernel and was wondering what are some good options to add to it to help secure it from remote and local attackers. Of the options in Lint I don't know which are the most secure. I haven't found any documents yet besides man and the handbook. Just looking for opinions
>
> Suppressed minds have no Freedom of Choice
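A way to check a host against the settings named in the reply above, as an added example that is not part of the original message. It assumes the host needs neither inetd nor portmap, and that the rc.conf variables are named inetd_enable and portmap_enable as in FreeBSD releases of that period; the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit sysctl.conf- and rc.conf-style files for the settings
# named in the message. Policy (an assumption): this host needs neither
# inetd nor portmap, and both must be disabled explicitly.

# get_value FILE KEY: print the last value assigned to KEY, ignoring
# comments, whitespace and double quotes.
get_value() {
    sed 's/#.*//' "$1" | awk -F= -v key="$2" '
        { gsub(/[ \t"]/, "", $1); gsub(/[ \t"]/, "", $2) }
        $1 == key { val = $2 }
        END { print val }'
}

# expect FILE KEY WANT: report one setting and count a finding on mismatch.
expect() {
    got=$(get_value "$1" "$2" | tr 'a-z' 'A-Z')
    if [ "$got" = "$3" ]; then
        echo "ok    $2=$3"
    else
        echo "FAIL  $2: want $3, found ${got:-<unset>}"
        findings=$((findings + 1))
    fi
}

# audit SYSCTL_CONF RC_CONF: exit status is the number of findings.
audit() {
    findings=0
    expect "$1" net.inet.tcp.blackhole 2
    expect "$1" net.inet.udp.blackhole 1
    expect "$2" inetd_enable NO
    expect "$2" portmap_enable NO
    return "$findings"
}

# Constructed sample input: UDP blackhole missing, inetd still enabled.
demo=$(mktemp -d)
cat > "$demo/sysctl.conf" <<'EOF'
# slow down portscans, see blackhole(4)
net.inet.tcp.blackhole=2
EOF
cat > "$demo/rc.conf" <<'EOF'
inetd_enable="YES"    # left over from install
portmap_enable="NO"
EOF
rc=0; audit "$demo/sysctl.conf" "$demo/rc.conf" || rc=$?
echo "findings: $rc"
rm -rf "$demo"
```

A variable that is absent from rc.conf is reported as a finding because its effective value then comes from /etc/defaults/rc.conf, which this script does not read.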