Date: Fri, 09 Jun 2000 08:38:05 GMT
From: Salvo Bartolotta <bartequi@neomedia.it>
To: "David J. Kanter" <djkanter@nwu.edu>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Security for a lonely desktop
Message-ID: <20000609.8380500@bartequi.ottodomain.org>
In-Reply-To: <20000608174110.A24158@localhost.localdomain>
References: <20000608174110.A24158@localhost.localdomain>
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 6/8/00, 11:41:10 PM, "David J. Kanter" <djkanter@nwu.edu> wrote
regarding Security for a lonely desktop:
> I run FreeBSD on a desktop, hook up to the Internet via a modem (with
> dynamic IP address assigning) and am the only user of this machine. Is
> security that much of an issue for someone like me, such that I'd have to
> make changes to the default FreeBSD set up?
> I've read about closing down inetd services that I'd never use: telnet, ftp,
> etc. Even turning off the sendmail daemon. Or, compiling a firewall into my
> kernel. But are these really necessary for a guy like me?
> I'm interested in what people have to say.
> --
> David Kanter
> djkanter@nwu.edu
Dear David Kanter,
If you define your desktop as "lonely", somebody will visit it just to
make it feel less lonely :-)
Joking apart, you might want to disable ALL unnecessary services in
/etc/inetd.conf, as well as properly configuring /etc/hosts.allow (see
also hosts_access(5)); as an aside, you might want to have a look at
/etc/login.access.
E.g. you might begin by **suitably** specifying ``ALL: ALL: deny'' (or
something else meeting your needs) in /etc/hosts.allow. Personally, on
my homebox, I have also set up a packet filter dropping all traffic
directed to X ports, portmapper, and a few other targets ("Winblows"
targets as well). Even if most of those targets are disabled
(non-existing or serviceless), I HAVE logged traffic directed to them
as well as a good number of attempts to portscan my homebox (!)
Furthermore, you might want to consider such features as "log_in_vain"
(read rc.conf(5)), and, under 4.0-something, blackhole(4).
As I have just said, I've seen portscan attempts on my homebox a
number of times, and I've received a few ftp, telnet, etc. requests as
well; probably, this kind of "sport" (trying to hack a homebox) should
make very little sense, but it DOES happen.
Paranoia is safe. As usual. The fact is, a Unix box seems to be
appealing for some people, even if it is a homebox.
Best regards,
Salvo
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
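
Added example, not part of the original message or of FreeBSD itself: a small /bin/sh audit of the two files the reply names, listing inetd.conf entries that are still enabled and reporting the verdict of the first ``ALL : ALL'' rule in hosts.allow (hosts_access(5) stops at the first match). The function names and the sample file contents are constructed for illustration; point the functions at the real files on your own machine.

```sh
#!/bin/sh
# Added example (not from the original message): audit copies of
# /etc/inetd.conf and /etc/hosts.allow. Sample files below are constructed.

# Print every inetd entry that is still active (not commented out).
# Fields: service socket-type protocol wait/nowait user program [args]
enabled_inetd_services() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        NF >= 6 { printf "%s/%s -> %s\n", $1, $3, $6 }
    ' "$1"
}

# Print the verdict (allow/deny) of the first "ALL : ALL" rule, or "none".
# hosts_access(5) stops at the first match, so rule order matters.
# Assumption: no backslash-continued lines in the file.
hosts_allow_catchall() {
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }
        {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($1 == "ALL" && $2 == "ALL") {
                print (NF >= 3 ? $NF : "allow"); found = 1; exit
            }
        }
        END { if (!found) print "none" }
    ' "$1"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_INETD="$SAMPLE_DIR/inetd.conf"
SAMPLE_HOSTS="$SAMPLE_DIR/hosts.allow"

cat > "$SAMPLE_INETD" <<'EOF'
#ftp    stream tcp nowait root    /usr/libexec/ftpd    ftpd -l
telnet  stream tcp nowait root    /usr/libexec/telnetd telnetd
#finger stream tcp nowait nobody  /usr/libexec/fingerd fingerd -s
ntalk   dgram  udp wait   tty:tty /usr/libexec/ntalkd  ntalkd
EOF

cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample
ftpd : localhost : allow
ALL : ALL : deny
EOF

echo "Still enabled in inetd.conf:"
enabled_inetd_services "$SAMPLE_INETD"
echo "Catch-all rule in hosts.allow: $(hosts_allow_catchall "$SAMPLE_HOSTS")"
```

A result of "allow" or "none" from the second function means the file does not end in a default deny for connections that no earlier rule matched.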
