Date: Fri, 2 Nov 2001 02:43:14 -0600 From: Mike Meyer <mwm@mired.org> To: "Anthony Atkielski" <anthony@atkielski.com> Cc: questions@freebsd.org Subject: Re: Lockdown of FreeBSD machine directly on Net Message-ID: <15330.23714.263323.466739@guru.mired.org> In-Reply-To: <5082896@toto.iv>
next in thread | previous in thread | raw e-mail | index | archive | help
Anthony Atkielski <anthony@atkielski.com> types: > Is there anything special I need to do to secure a FreeBSD system, freshly > installed, before putting it on the Internet (i.e., with an IP address reachable > from the outside world)? Is it secure against attack as installed, or do I have > to tweak some things? It's almost certainly not secure against attack as installed. The real question is how well known the insecurities are. Subscribe to the appropriate security lists - freebsd-security at a bare minimum - so you'll find out about them as they are found by the security team. > Right now I have only ssdh, telnetd, sendmail, and inetd running, with ftp > available (anonymous is disabled). Everyone is going to tell you to kill telnetd - and they are probably right, as sshd lets you do all that. The same thing is true of ftpd if you don't allow anonymous ftp. If you have lots of Windows users, you may want to see about arranging to distribute putty and pscp (from <URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html > to them. If you shut both telnetd and ftpd off, you can stop running inetd as well. If you can only shut off telnetd, you can still shut off inetd by invooking ftpd with the -D option. The idea is that the fewer things you have listening to sockets, the less code there is that an exploitable bug can be found in. <mike -- Mike Meyer <mwm@mired.org> http://www.mired.org/home/mwm/ Q: How do you make the gods laugh? A: Tell them your plans. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15330.23714.263323.466739>