Date: Wed, 7 Nov 2001 16:20:02 -0500
From: Klaus Steden <klaus@compt.com>
To: brain_damaged <brain_damaged@florida-wireless.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: config questions
Message-ID: <20011107162002.J691@cthulu.compt.com>
In-Reply-To: <200111071558.AA828899532@florida-wireless.com>; from brain_damaged@florida-wireless.com on Wed, Nov 07, 2001 at 03:58:03PM -0500
References: <200111071558.AA828899532@florida-wireless.com>
> Hello,
> got hit by something called adorebsd-0.34.
> guess some punks called team teso or something.
> anyhoot I have a few questions on security setup.
> (I am reading those pages on the FreeBSD site also)
> in one rc.conf I have kern_secure_enabled=yes and on
> another machine no. Not sure why.
> what is the best security ? and on the machine with it enabled I have kern_securelevel=1
> again what is the best security and what do they relate to ?
>
BSD has kernel security levels that determine how much is possible for anyone to do to a running system (even superuser). The default security level is -1, or totally insecure. Stepping upwards you get other kernel security levels. Security level 1, for instance (if memory serves), forbids writing to any file, even by the superuser. The next level up forbids changing of network information (network-secure mode). They're quite useful -if- you can make them work.

Once a kernel secure level has been increased, it cannot be decreased, so any changes you make to the security level are best performed from single user.

> in the inetd.conf there is comsat and ntalk that are the only two not commented out. should they be ?
> and what are they for ?
>
On a system connected to the Internet, definitely not. Comsat is a mail notification protocol (a/k/a biff); ntalk is the network talk protocol, a terminal-based communication between two users. Both are insecure (no crypto) protocols, and should never be run on a secured system.

> I also have in one machine the inetd_enable=no
> is that a good thing to have ?
>
Do you want to run the inetd or not? If your inetd isn't running, then any uncommented entries in /etc/inetd.conf won't be running either. However, if it is running, then they will respond to requests. On a secured machine, you don't need to run inetd if you're running sshd (since you should be communicating over a secured line at all times).

> it also says portmapper_enabled=no is that the best secure setup ?
>
The portmapper is often a security hazard, too; I've not seen an advisory specifically for the FreeBSD portmapper, but there are numerous other vulnerabilities for other Unix variants, and unless you're running RPC services (NIS/YP, NIS+, or NFS - and you definitely should NOT on a secured machine), you won't need it.

However ... I noticed the other day on a 4.4-STABLE box that if the domainname was set, I had to run portmap to make passwd work correctly. ... but that's my problem.

> I d/l the portsentry from the packages but when I try to run it says not for this platform ???
> how do I get it to run on freebsd 4.3
>
cd /usr/ports/security/portsentry; make install

Will download, configure, compile, and install it for you. From there, it's up to you to learn how to use it. :>

hope this helps,
Klaus
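A small audit script, added here as an example and not part of Klaus's reply or of FreeBSD itself, that checks an rc.conf and an inetd.conf for the points raised in this thread: whether the securelevel is raised at boot, whether portmap is enabled, and whether inetd still serves comsat or ntalk. It assumes the FreeBSD 4.x rc.conf key names kern_securelevel_enable, inetd_enable and portmap_enable, and runs against constructed sample files rather than a live system.

```shell
#!/bin/sh
# Added audit example (not part of the thread). Assumes FreeBSD 4.x rc.conf keys:
# kern_securelevel_enable, inetd_enable, portmap_enable. Sample files are constructed.
TMP=$(mktemp -d) || exit 1
trap 'rm -rf "$TMP"' EXIT

# Constructed rc.conf resembling the poster's weaker machine.
cat > "$TMP/rc.conf" <<'EOF'
kern_securelevel_enable="NO"
inetd_enable="YES"
portmap_enable="YES"
EOF

# Constructed inetd.conf: everything commented out except comsat and ntalk.
cat > "$TMP/inetd.conf" <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
ntalk   dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
EOF

# Value of a key="value" line in an rc.conf, lower-cased; empty when unset.
rc_value() {  # rc_value KEY FILE
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$2" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Service names of inetd.conf entries that are not commented out.
inetd_services() {  # inetd_services FILE
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# One finding per line for the risks Klaus raises; silent on a hardened box.
audit() {  # audit RC_CONF INETD_CONF
    [ "$(rc_value kern_securelevel_enable "$1")" = yes ] ||
        echo "securelevel is not raised at boot (kern_securelevel_enable)"
    [ "$(rc_value portmap_enable "$1")" = yes ] &&
        echo "portmap is enabled: only needed for RPC services (NIS/NFS)"
    if [ "$(rc_value inetd_enable "$1")" = yes ]; then
        for svc in $(inetd_services "$2"); do
            case $svc in
                comsat|ntalk) echo "inetd serves $svc: cleartext protocol, comment it out" ;;
            esac
        done
    fi
    return 0
}

audit "$TMP/rc.conf" "$TMP/inetd.conf"
```

Point the two arguments of audit at /etc/rc.conf and /etc/inetd.conf to run it against a real box; an empty result means none of the three issues from the thread is present.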