Date: 13 Feb 2002 09:24:34 +0000
From: Wayne Pascoe <freebsd@molemanarmy.com>
To: J.S. <johann@broadpark.no>
Cc: freebsd-questions@freebsd.org
Subject: Re: -ATTENTION- Worthy Security Applications -DEBATE-
Message-ID: <m2wuxhka3x.fsf@set.ehsrealtime.com>
In-Reply-To: <20020212165131.59fe8243.johann@broadpark.no>
References: <20020212165131.59fe8243.johann@broadpark.no>
J.S. <johann@broadpark.no> writes:

> Does FreeBSD have an equivalent to grsecurity (http://www.grsecurity.net)?
>
> And for system security tools, I am currently giving AIDE and SNORT a try.
> I was hoping, if possible, that someone could come with a better
> suggestion.
>
> Let's engage in a _REAL_ debate here. All of you who read this e-mail:
> don't be shy. ENTER. What applications within /usr/ports/security are
> accepted and refused by the FreeBSD community as worthy components for
> system security?

Ok, </me dons flame proof suit>

Firstly, if you're truly interested in providing proper security, you either won't build things from ports, or you'll manually check all of the patches that are applied before the application is built and that the application source is downloaded from an authoritative source and checksums match.

As for actually providing security, things like snort and aide play a part in that, but are not a silver bullet. Security is a process and a combination of applications and procedures. All of the applications in the world are useless unless you monitor their logs and pay attention to what they tell you.

Implement a 'be conservative in what you accept' policy. This means that you should only accept access from users to services you want to provide, from certain locations. With some things like the web, this will be from all locations, but for a lot of other things you just DON'T provide public access. By public, I mean people within your organisation as well. At the moment, a rising percentage of penetration attempts and computer crime comes from inside the organisation and often isn't protected against.

Implement a multi-layered security solution. If you just trust to one solution and it breaks, 'they' own you. So go for ipfw / ipfilter, tcp wrappers on services in inetd, something like snort for an IDS and something like AIDE for file integrity and to detect tampering.
Back that up with restrictive file permissions on the machine to ensure that local users can't get to services and files that they shouldn't. Add to that restrictions on what files can run set-uid to lower options for escalation of privilege attacks.

Standardise on software and versions of that software if you can. It makes rolling out new machines easy. It also makes it easy to upgrade a package across all machines.

Make sure that you subscribe to lists like the freebsd security announcements lists, bugtraq, and for what it is worth, CERT. Follow these lists, read the alerts and patch as soon as you see something that affects you.

Campaign to your local ISP to stop them allowing faked packets onto their network. They should only allow packets with addresses registered to the customer site through the customer's router. If I have 192.168.1.0/24 as my IP range, my ISP should NOT route packets with a source address of 10.0.0.1/8 coming from my router. They should drop the packets and issue me with a violation of T&C's warning.

And for a personal rant... Don't use portsentry and similar apps. Why provide resources on one of your machines that you don't need to? Why provide bells on a wire when you can just go for barbed wire and machine gun turrets? From personal experience and the experiences of other people I have teamed with on security projects, portsentry is a waste of time. You spend half your life chasing automated scr1p7 k1dd13 scans that you're patched against. Just drop the packets on the floor and have done. Of course, none of this applies if you want to see what kind of things are being thrown at you. Then by all means run portsentry, but prepare to be VERY busy.

Hope that helps. Flame away.

--
- Wayne Pascoe | There are no stupid questions,
freebsd@molemanarmy.com | only stupid people.
http://www.molemanarmy.com |
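Two of the rules in the message above lend themselves to a worked example: the 'be conservative in what you accept' policy (default-deny, with each service offered only from the source networks you choose) and the ISP-side anti-spoofing rule (forward a packet from the customer's router only if its source address belongs to the prefix registered to that customer, the practice known as BCP 38 / RFC 2827 ingress filtering). The Python below is an added example, not code from the message or from any FreeBSD tool; it is a stateless policy evaluator that models both decisions. The service allowlist, the customer prefix and the sample packets are constructed for illustration; the 192.168.1.0/24 range is the one the message uses.

```python
"""Added example: a minimal stateless packet-filter policy evaluator that
models two rules from the mailing-list message:

  1. default-deny host policy with a per-service allowlist of source networks;
  2. ISP ingress (anti-spoofing) check at the customer's router.

All addresses, networks and packets below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str        # source address as text, e.g. "203.0.113.7"
    dst_port: int   # destination port of the service being asked for
    proto: str = "tcp"

# Constructed policy: web (80/443) from anywhere, ssh (22) only from the
# admin LAN. Any (proto, port) not listed is not offered and is dropped.
SERVICE_POLICY: Dict[Tuple[str, int], List] = {
    ("tcp", 80):  [ip_network("0.0.0.0/0")],
    ("tcp", 443): [ip_network("0.0.0.0/0")],
    ("tcp", 22):  [ip_network("192.168.1.0/24")],
}

def accept_inbound(pkt: Packet, policy=SERVICE_POLICY) -> bool:
    """Default-deny: accept only a listed service from a listed source."""
    allowed = policy.get((pkt.proto, pkt.dst_port))
    if not allowed:
        return False          # service not offered at all: drop on the floor
    src = ip_address(pkt.src)
    # A mismatched IP version (v6 source vs v4 network) compares False,
    # so an unexpected address family is dropped rather than let through.
    return any(src in net for net in allowed)

def isp_forward(pkt: Packet, customer_prefix: str) -> Tuple[bool, str]:
    """ISP ingress check at the customer's router: forward only if the
    source address is inside the prefix registered to that customer."""
    src = ip_address(pkt.src)
    prefix = ip_network(customer_prefix)
    if src in prefix:
        return True, "forward"
    # The reason string is what you would log and raise as a T&C violation.
    return False, f"drop: spoofed source {src} not in customer prefix {prefix}"

def audit(packets: List[Packet], customer_prefix: str) -> List[str]:
    """Run the ISP check over a batch and return one log line per packet."""
    lines = []
    for pkt in packets:
        ok, reason = isp_forward(pkt, customer_prefix)
        lines.append(f"{pkt.src:>15} -> port {pkt.dst_port}: {reason}")
    return lines

if __name__ == "__main__":
    # Constructed sample traffic seen at the customer's router.
    sample = [
        Packet("192.168.1.5", 80),    # legitimate customer address
        Packet("10.0.0.1", 80),       # spoofed, as in the message's example
        Packet("192.168.1.20", 22),
    ]
    for line in audit(sample, "192.168.1.0/24"):
        print(line)
    for pkt in sample:
        print(pkt, "accepted" if accept_inbound(pkt) else "dropped")
```

The host-side function deliberately returns False for any service that is not in the table, so adding a daemon without adding a policy entry leaves it unreachable rather than exposed; the ISP-side function returns a reason string alongside the decision so the same call can feed both the forwarding decision and the log you would use to notify the customer.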