From owner-freebsd-questions@FreeBSD.ORG Sun Jul 10 23:22:27 2005
From: "Joe Wood"
To: freebsd-questions@freebsd.org
Date: Sun, 10 Jul 2005 19:32:19 -0400
Message-ID: <42d1adb2.39fb551a.7965.6d1d@mx.gmail.com>
Subject: Suspicious activity to look for...
I have a FreeBSD 5.4 system set up, and I have read numerous articles on securing it. For the first few months prior to setting up this system I read a lot about the little tweaks using sysctl and the like. Now everything is running well, but I want to know what to look for in case I am missing something.

I, very meticulously, read all the system logs that get emailed to root, and I read all the auth and console logs, etc. Except for the occasional attempt to gain access with random usernames, there is nothing I see to be worried about. This system is in a very secure DMZ, so even if it was compromised there is no way it could leak over to the local network.

Here are some of the variables in sysctl.conf:

kern.ipc.somaxconn=8192
security.bsd.see_other_uids=0
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
net.inet.icmp.icmplim=50
net.inet.icmp.drop_redirect=1

auth.conf and login.conf use blf as the crypt instead of md5.

This system is used for public use, mainly shell accounts and ftp space for people I know. I know the risk is greater when I introduce public users into the mix. Is there anything I can look for or something I have overlooked as far as checking for suspicious activity?

Thanks for the help!

p.s. Sorry for the long email, just trying to be thorough.
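As an added example (not part of Joe's post and not a FreeBSD-supplied tool), here is a small POSIX sh script that turns the two checks the post describes into something cron can run: it compares the live sysctl values against the tunables listed above, so drift from the hardened values is caught, and it summarizes the "random username" login attempts the post mentions per source address from the sshd entries in auth.log. The sample log lines are constructed; the `sysctl -e` invocation, the sshd log wordings and the `/var/log/auth.log` path are assumptions about a FreeBSD host.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# (1) audit_sysctl: report tunables whose live value differs from the
#     hardened values in the post's sysctl.conf excerpt.
# (2) failed_logins: count sshd login attempts for non-existent users,
#     grouped by source address, noisiest first.

# Tunables and values copied from the post's sysctl.conf excerpt.
EXPECTED_SYSCTL='kern.ipc.somaxconn=8192
security.bsd.see_other_uids=0
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
net.inet.icmp.icmplim=50
net.inet.icmp.drop_redirect=1'

# Constructed sample of FreeBSD sshd auth.log lines (assumed wordings):
# an "Invalid user"/"illegal user" line is a guess at a username that
# does not exist on the box; the last line is a normal successful login.
SAMPLE_AUTHLOG='Jul 10 22:01:13 shell sshd[812]: Invalid user admin from 203.0.113.7
Jul 10 22:01:19 shell sshd[812]: error: PAM: authentication error for illegal user admin from 203.0.113.7
Jul 10 22:02:40 shell sshd[815]: Invalid user test from 203.0.113.7
Jul 10 22:05:02 shell sshd[820]: Invalid user oracle from 198.51.100.9
Jul 10 22:06:11 shell sshd[823]: Accepted publickey for joe from 192.0.2.5 port 40122 ssh2'

# audit_sysctl: reads live "name=value" lines on stdin (on FreeBSD produce
# them with `sysctl -e <names>`, which is assumed to print name=value) and
# prints one line per tunable that is missing or differs from EXPECTED_SYSCTL.
# Prints nothing when every value matches.
audit_sysctl() {
    live=$(cat)
    printf '%s\n' "$EXPECTED_SYSCTL" | while IFS='=' read -r name want; do
        got=$(printf '%s\n' "$live" | awk -F= -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$got" ]; then
            printf '%s: missing (expected %s)\n' "$name" "$want"
        elif [ "$got" != "$want" ]; then
            printf '%s: live=%s expected=%s\n' "$name" "$got" "$want"
        fi
    done
}

# failed_logins: reads sshd log lines on stdin and prints "count address"
# for every source address that tried a username the system does not have,
# sorted with the noisiest address first. A single address with many
# distinct usernames is the pattern the post describes.
failed_logins() {
    grep -iE 'invalid user|illegal user' |
        sed -nE 's/.* from ([0-9a-fA-F.:]+).*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Run the live checks only on FreeBSD; elsewhere the two functions can still
# be exercised on saved sysctl output or a copied auth.log.
if [ "$(uname -s)" = FreeBSD ]; then
    names=$(printf '%s\n' "$EXPECTED_SYSCTL" | cut -d= -f1)
    echo "== sysctl drift =="
    sysctl -e $names | audit_sysctl
    echo "== failed logins by source (/var/log/auth.log, assumed path) =="
    failed_logins < /var/log/auth.log
fi
```

Run it from daily periodic or cron and mail the output to root alongside the existing log reports; an empty drift section and a stable set of source addresses is the quiet baseline, while a new tunable mismatch or a sudden jump in one address's count is the kind of change worth a closer look.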