From: "David Robillard"
To: "FreeBSD Questions Mailing List"
Cc: Jim Stapleton
Date: Wed, 10 May 2006 13:49:15 -0400
Message-ID: <226ae0c60605101049l5f8f76bdl3ddd9130e88d0851@mail.gmail.com>
Subject: Re: securing beyond the handbook.
> Date: Wed, 10 May 2006 09:17:30 -0400
> From: "Jim Stapleton"
> Subject: securing beyond the handbook
> To: freebsd-questions@freebsd.org
> Message-ID: <80f4f2b20605100617t3adfc57brc213c8571288727f@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> I'm about to get a static IP and direct outside access for my BSD box
> (before it was hidden behind a firewall/NAT). I was comfortable with
> the level of security I've had, but with the whole "open to the
> outside world" setup I'll have, what would you suggest for securing
> it?
>
> I'll be running:
> Apache
> PHP
> MySQL
> SSH/SFTP
> OpenRPG (only occasionally, from a special nonpriv account)
>
> Any suggestions, any of these that you know are such huge security
> holes that you would absolutely demand something else be run?
>
> Any other security suggestions?

Hi Jim,

I would strongly suggest running your internet accessible applications from inside a jail. Check some man pages for jail information: jail(8), jls(8) and jexec(8). The nice thing about jails is that once everything is installed and running, you can strip it of any files which are not used by your applications (such as compilers, for example). Therefore, if someone breaks in, he is limited in his capabilities. Plus he does not gain your real root password (assuming you are not using the same passwords in your jail, of course ;)

Configure sshd(8) to allow only a certain set of trusted users via the AllowUsers configuration. Prohibit direct root login via "PermitRootLogin no" and consider using public keys with a strong passphrase instead of a simple password for login. If you have a Kerberos server, use it.

Next, check your network architecture. Give your jail the public IP or NAT it in your firewall to a DMZ section of your network. Make sure your internet accessible applications are not inside your LAN. Be certain to never let internet connections have direct access to machines inside the LAN.

Also, consider running host intrusion detection, such as Osiris, Samhain or Tripwire. You can find them all in the FreeBSD ports. Talking of ports, make sure you install security/portaudit to keep track of your ports' security. Subscribe to the FreeBSD security mailing list and take action when an advisory is sent.

Use mod_security with your Apache server: http://www.modsecurity.org/
Actually, remove all unused Apache modules from your httpd.conf(5).

Run your MySQL database on another host (or another jail) which is in a separate database DMZ which can only be accessed by certain well defined hosts.

Use tcp_wrappers to secure your connections.

Use sudo(8) instead of root.

Finally, check out some really good books on various security related issues:

Mastering FreeBSD and OpenBSD Security, from O'Reilly.
Apache Security, from O'Reilly.
Essential PHP Security, from O'Reilly.
Host Integrity Monitoring Using Osiris and Samhain, from Syngress.
FreeBSD security & hardening guide: http://www.syslog.org/Content-5-4.phtml

Oh, and don't forget to backup regularly. It's also part of your security.

Have fun!

David

> Thanks,
> -Jim

--
David Robillard
UNIX systems administrator, CISSP
Montréal: +1 514 966 0122
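An added example, not part of the original thread: a POSIX shell audit of the two sshd(8) settings recommended above ("PermitRootLogin no" and an explicit AllowUsers list), run over two constructed sshd_config samples. It assumes a config without Match blocks, and mimics two sshd parsing rules that commonly trip people up: keyword names are case-insensitive, and only the first occurrence of a keyword counts.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for the
# two settings recommended above ("PermitRootLogin no" and an explicit
# AllowUsers list). sshd(8) takes the FIRST occurrence of a keyword and
# matches keyword names case-insensitively; both rules are mimicked here.
# Assumption: no "Match" blocks (their conditional settings are not handled).

# Print the effective value of KEYWORD in FILE (empty if unset).
# Usage: ssh_effective_value FILE KEYWORD
ssh_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ { next }      # comments never count
        NF < 2           { next }      # blank or malformed lines
        tolower($1) == key {           # first match wins, as in sshd
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }' "$1"
}

# Audit FILE, printing one finding per line; exit status 0 only if both pass.
audit_sshd_config() {
    rc=0
    prl=$(ssh_effective_value "$1" PermitRootLogin)
    if [ "$(printf '%s' "$prl" | tr '[:upper:]' '[:lower:]')" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${prl:-<unset>}', want 'no'"
        rc=1
    fi
    au=$(ssh_effective_value "$1" AllowUsers)
    if [ -z "$au" ]; then
        echo "FAIL: no AllowUsers line; every account may attempt a login"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: root login denied, AllowUsers = $au"
    return "$rc"
}

# Two constructed sample configs: a hardened one and a common weak one.
good=$(mktemp); weak=$(mktemp)
trap 'rm -f "$good" "$weak"' EXIT
cat > "$good" <<'EOF'
# constructed hardened config; the duplicate PermitRootLogin below is ignored
Port 22
permitrootlogin no
PermitRootLogin yes
AllowUsers jim david
EOF
cat > "$weak" <<'EOF'
# constructed weak config: the "no" is commented out, no user allow-list
#PermitRootLogin no
PermitRootLogin yes
EOF
audit_sshd_config "$good"
audit_sshd_config "$weak" || true
```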