From owner-freebsd-security Wed Aug 12 16:59:42 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA08542 for freebsd-security-outgoing; Wed, 12 Aug 1998 16:59:42 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA08531 for ; Wed, 12 Aug 1998 16:59:34 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk)
Received: from bofh.fast.net.uk (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id AAA11795 for ; Thu, 13 Aug 1998 00:59:08 +0100 (BST)
Received: from kronus (na.nu.na.nu.na.nu [194.207.104.143]) by bofh.fast.net.uk (8.8.8/8.8.5) with SMTP id AAA08978 for ; Thu, 13 Aug 1998 00:59:04 +0100 (BST)
Message-Id: <199808122359.AAA08978@bofh.fast.net.uk>
X-Sender: netarc@bofh.fast.net.uk
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Thu, 13 Aug 1998 00:57:30 +0100
To: freebsd-security@FreeBSD.ORG
From: Jay Tribick 
Subject: Re: somes questions ...
In-Reply-To: <3.0.32.19980812161249.00692e8c@tyche>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi

>>> i would to know how to secure the max the system. i access to a ip network,
>>> without other protocols. i have have a ftp, tftp and http server on bsd,
>>> and no other access from the network.
>>>
>>> what can i do to maximise the security of the server ??

>I'd probably also rip just about everything out of inetd, install tcp
>wrappers, watch file permissions real closely, possibly chroot your
>FTP/TFTP environment, do everything you can to make sure that programs
>don't run as root/suid... And for God's sake, make sure your passwords are
>decent!
Don't forget the following:

o Up your securelevel (`man init`) and set critical log files as append only (`man chflags`)
o Put home on a separate partition and quota it, same with /tmp
o Mount /home as noexec so that users can't run their own uploaded programs (that's if you /have/ any users of course..)
o Edit rc.firewall and customise to your needs, or alternatively roll your own firewall(tm) using ipfw.
o Install the absolute minimum possible
o Before deployment, try and gain root on your system as a normal user.
o Monitor www.rootshell.com, bugtraq and freebsd-security *constantly*.
o Install ssh and disable all r[login|shell|cmd] services and telnetd if you can.
o Check your system partitions / /var etc. for any files that are world writeable.
o Run Satan, Saint, Cops, Tiger etc. etc. on your system to test for obvious exploitable holes.
o Install a traffic shaper that will limit incoming icmp packets or alternatively just deny them completely at router level or filter them using ipfw.
o I /would/ have said install Abacus sentry but there is a supposed bug in it recently that can lead to a DoS attack if misconfigured (ne: Abacus sentry detects port scans and blocks the host in realtime and can page a sysadmin)
o Install tripwire and periodically check that all files have their CRCs etc. intact and are verbatim copies of the ones stored on write-protected media (e.g. CD-ROM)
o Encase in concrete, remove all power, network cables, light, aural stimuli and anything else that someone could use to break into your machine (including pick-axes, hammers, screwdrivers etc.)

Oh no, wait.. that's Microsoft's C2 security specification creeping in there ;)

Well.. you did say maximum security ;)

Can't think of any more right now.. time for slZZZZZzzzzzzzzzzzz......
Regards,

Jay Tribick

[| Network Administrator | FastNet International | http://fast.net.uk |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
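Two items from the list above, the world-writable file sweep and the Tripwire-style "check every file against a known-good copy" pass, as an added example that is not part of the original mail or of any FreeBSD tool. It is plain POSIX sh built on find(1), cksum(1) and diff(1) only, so the same functions run on FreeBSD and Linux; the directory and manifest paths are whatever the caller passes in, and the sample tree in the usage comment is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Two host-hardening
# checks from the list as shell functions: an audit for world-writable
# files and a CRC manifest that is generated once, stored on write-protected
# media, and later diffed against the live filesystem.

# Print every regular file under $1 whose "others" write bit (octal 002)
# is set. Symlinks are not followed, so a link into a writable area does
# not count; the target directory itself is what you want to audit.
world_writable_files() {
    find "$1" -type f -perm -002
}

# Exit 0 when nothing under $1 is world-writable, 1 otherwise. Suitable
# for a cron job that mails on failure.
no_world_writable() {
    [ -z "$(world_writable_files "$1")" ]
}

# Emit a manifest of every regular file under $1, one "CRC size ./path"
# line per file as printed by cksum(1), sorted by path so two runs over an
# unchanged tree produce byte-identical output. Redirect this to a file on
# read-only media (a CD-ROM, a chflags schg'd file at securelevel >= 1) so
# an intruder who gets root cannot also rewrite the baseline.
make_manifest() {
    ( cd "$1" && find . -type f -exec cksum {} + | LC_ALL=C sort -k3 )
}

# Regenerate the manifest for $1 and diff it against the stored copy $2.
# Prints the differing lines (changed, added or removed files) and returns
# diff's status: 0 when the tree matches the baseline, 1 when it does not.
verify_manifest() {
    make_manifest "$1" | diff "$2" -
}

# Usage sketch (constructed; not run on import):
#   make_manifest /usr/local/etc > /mnt/cdrom/etc.manifest
#   verify_manifest /usr/local/etc /mnt/cdrom/etc.manifest || mail -s "integrity failure" root
#   no_world_writable /var || world_writable_files /var
```

cksum's CRC-32 is what the post's "CRCs" refers to; it catches accidental corruption and casual tampering but is not collision resistant, so on any system with sha256(1) or md5(1) available the same two functions work unchanged with that tool substituted for `cksum`. The baseline only means something if it was taken before the host went on the network and is stored somewhere the host's root cannot write.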