From: Salvo Bartolotta
Date: Fri, 09 Jun 2000 08:38:05 GMT
Subject: Re: Security for a lonely desktop
To: "David J. Kanter"
Cc: freebsd-questions@FreeBSD.ORG

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 6/8/00, 11:41:10 PM, "David J. Kanter" wrote regarding Security for a lonely desktop:

> I run FreeBSD on a desktop, hook up to the Internet via a modem (with
> dynamic IP address assigning) and am the only user of this machine. Is
> security that much of an issue for someone like me, such that I'd have to
> make changes to the default FreeBSD set up?
>
> I've read about closing down inetd services that I'd never use: telnet, ftp,
> etc. Even turning off the sendmail daemon. Or, compiling a firewall into my
> kernel. But are these really necessary for a guy like me?
>
> I'm interested in what people have to say.
> --
> David Kanter
> djkanter@nwu.edu

Dear David Kanter,

If you define your desktop as "lonely", somebody will visit it just to
make it feel less lonely :-)

Joking apart, you might want to disable ALL unnecessary services in
/etc/inetd.conf, as well as properly configuring /etc/hosts.allow (see
also hosts_access(5)); as an aside, you might want to have a look at
/etc/login.access.

E.g. you might begin by **suitably** specifying ``ALL: ALL: deny'' (or
something else meeting your needs) in /etc/hosts.allow. Personally, on
my homebox, I have also set up a packet filter dropping all traffic
directed to X ports, portmapper, and a few other targets ("Winblows"
targets as well). Even if most of those targets are disabled
(non-existing or serviceless), I HAVE logged traffic directed to them
as well as a good number of attempts to portscan my homebox (!)

Furthermore, you might want to consider such features as "log_in_vain"
(read rc.conf(5)), and, under 4.0-something, blackhole(4).

As I have just said, I've seen portscan attempts on my homebox a
number of times, and I've received a few ftp, telnet, etc. requests as
well; probably, this kind of "sport" (trying to hack a homebox) should
make very little sense, but it DOES happen.

Paranoia is safe. As usual. The fact is, a Unix box seems to be
appealing for some people, even if it is a homebox.

Best regards,
Salvo
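
The checks suggested in the reply above can be scripted. The following is an added example, not part of the original message: the function names are hypothetical and the file contents are constructed samples. It lists services still enabled in an inetd.conf, reports the action of the first catch-all rule in hosts.allow (the first matching rule wins, so a deny placed after a catch-all allow never fires), and reads log_in_vain from rc.conf.

```shell
#!/bin/sh
# Added example, not from the original post. All sample file contents are constructed.

# inetd.conf: list services still enabled (lines that are not commented out).
enabled_inetd_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 "/" $3 }' "$1"
}

# hosts.allow: the first matching rule wins, so report the action of the first
# "ALL : ALL" rule. Assumes one rule per line (no backslash continuations).
first_catchall_action() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F: 'toupper($1) == "ALL" && toupper($2) == "ALL" {
                     print ($3 == "" ? "allow" : tolower($3)); found = 1; exit }
                 END { if (!found) print "none" }'
}

# rc.conf: print the last value assigned to variable $2, quotes stripped.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Write a constructed sample configuration into directory $1.
make_sample() {
    cat > "$1/inetd.conf" <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
EOF
    cat > "$1/hosts.allow" <<'EOF'
# constructed sample: local access first, then refuse everyone else
ALL : localhost 127.0.0.1 : allow
ALL : ALL : deny
EOF
    cat > "$1/rc.conf" <<'EOF'
sendmail_enable="NO"
log_in_vain="YES"
EOF
}

audit() {   # audit DIR -> one finding per line
    for s in $(enabled_inetd_services "$1/inetd.conf"); do
        echo "inetd: $s is enabled"
    done
    echo "hosts.allow: first catch-all rule is $(first_catchall_action "$1/hosts.allow")"
    echo "rc.conf: log_in_vain=$(rc_value "$1/rc.conf" log_in_vain)"
}

d=$(mktemp -d) && make_sample "$d" && audit "$d"; rm -rf "$d"
```

To check a real system, copy /etc/inetd.conf, /etc/hosts.allow and /etc/rc.conf into a directory and call audit with that directory.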