Date: Thu, 13 Aug 1998 00:57:30 +0100
From: Jay Tribick <netadmin@fastnet.co.uk>
To: freebsd-security@FreeBSD.ORG
Subject: Re: somes questions ...
Message-ID: <199808122359.AAA08978@bofh.fast.net.uk>
In-Reply-To: <3.0.32.19980812161249.00692e8c@tyche>

Hi

>>> i would to know how to secure the max the system. i access to a ip network,
>>> without other protocols. i have have a ftp, tftp and http server on bsd,
>>> and no other access from the network.
>>>
>>> what can i do to maximise the security of the server ??

>I'd probably also rip just about everything out of inetd, install tcp
>wrappers, watch file permissions real closely, possibly chroot your
>FTP/TFTP environment, do everything you can to make sure that programs
>don't run as root/suid... And for God's sake, make sure your passwords are
>decent!

Don't forget the following:

 o Up your securelevel (`man init`) and set critical log files
   as append only (`man chflags`)

 o Put home on a separate partition and quota it, same with /tmp

 o Mount /home as noexec so that users can't run their own uploaded
   programs (that's if you /have/ any users of course..)

 o Edit rc.firewall and customise to your needs, or alternatively
   roll your own firewall(tm) using ipfw.

 o Install the absolute minimum possible

 o Before deployment, try and gain root on your system as a normal
   user.

 o Monitor www.rootshell.com, bugtraq and freebsd-security
   *constantly*.

 o Install ssh and disable all r[login|shell|cmd] services and
   telnetd if you can.

 o Check your system partitions / /var etc. for any files that are
   world writeable.

 o Run Satan, Saint, Cops, Tiger etc. etc. on your system to test
   for obvious exploitable holes.

 o Install a traffic shaper that will limit incoming icmp packets
   or alternatively just deny them completely at router level or
   filter them using ipfw.

 o I /would/ have said install Abacus sentry but there is a supposed
   bug in it recently that can lead to a DoS attack if misconfigured
   (ne: Abacus sentry detects port scans and blocks the host in
   realtime and can page a sysadmin)

 o Install tripwire and periodically check that all files have their
   CRC's etc. intact and are verbatim copies of the ones stored on
   write-protected media (e.g. CD-ROM)

 o Encase in concrete, remove all power, network cables, light,
   aural stimuli and anything else that someone could use to break
   into your machine (including pick-axes, hammers, screwdrivers etc.)

   Oh no, wait.. that's Microsoft's C2 security specification creeping
   in there ;)

Well.. you did say maximum security ;)

Can't think of any more right now.. time for sl<click>ZZZZZzzzzzzzzzzzz......

Regards,

Jay Tribick <netadmin@fastnet.co.uk>

[| Network Administrator | FastNet International | http://fast.net.uk |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199808122359.AAA08978>
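
Added example, not part of the original message: one way to carry out the "world writeable" check from the list above with find(1). The function names and the sample tree are constructed for illustration; sticky-bit directories such as /tmp are treated as expected and skipped, which is an assumption of this sketch.

```sh
#!/bin/sh
# Audit a tree for world-writable files and directories.
# Usage: ./wwaudit.sh / /var      (no arguments: runs on a constructed sample)

# world_writable DIR
# Prints, sorted, one path per line for:
#   - regular files writable by "other"
#   - directories writable by "other" that lack the sticky bit
# -xdev keeps find on the filesystem DIR lives on, so each partition
# (/, /var, ...) is audited separately and network mounts are not crossed.
world_writable() {
    find "$1" -xdev \( \
        \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \
    \) -print 2>/dev/null | sort
}

# make_sample: build a small constructed tree for an offline demo and
# print its path. Modes are set explicitly so the umask does not matter.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/etc" "$d/spool" "$d/drop"
    touch "$d/etc/ok.conf" "$d/etc/bad.conf"
    chmod 0755 "$d/etc"
    chmod 0644 "$d/etc/ok.conf"
    chmod 0666 "$d/etc/bad.conf"   # world-writable file: reported
    chmod 1777 "$d/spool"          # sticky, like /tmp: not reported
    chmod 0777 "$d/drop"           # world-writable, no sticky bit: reported
    echo "$d"
}

if [ "$#" -gt 0 ]; then
    for dir in "$@"; do
        world_writable "$dir"
    done
else
    sample=$(make_sample) && world_writable "$sample" && rm -rf "$sample"
fi
```

Run it as root so that find can descend into every directory; anything it prints under / or /var is worth a chmod o-w or an explanation.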
