From: Mike Meyer
Date: Fri, 2 Nov 2001 02:43:14 -0600
To: "Anthony Atkielski"
Cc: questions@freebsd.org
Subject: Re: Lockdown of FreeBSD machine directly on Net
Message-ID: <15330.23714.263323.466739@guru.mired.org>

Anthony Atkielski types:
> Is there anything special I need to do to secure a FreeBSD system, freshly
> installed, before putting it on the Internet (i.e., with an IP address reachable
> from the outside world)? Is it secure against attack as installed, or do I have
> to tweak some things?

It's almost certainly not secure against attack as installed. The real
question is how well known the insecurities are. Subscribe to the
appropriate security lists - freebsd-security at a bare minimum - so
you'll find out about them as they are found by the security team.

> Right now I have only sshd, telnetd, sendmail, and inetd running, with ftp
> available (anonymous is disabled).

Everyone is going to tell you to kill telnetd - and they are probably
right, as sshd lets you do all that. The same thing is true of ftpd if
you don't allow anonymous ftp.

If you have lots of Windows users, you may want to see about arranging
to distribute putty and pscp (from to them.

If you shut both telnetd and ftpd off, you can stop running inetd as
well. If you can only shut off telnetd, you can still shut off inetd by
invoking ftpd with the -D option. The idea is that the fewer things you
have listening to sockets, the less code there is that an exploitable
bug can be found in.

http://www.mired.org/home/mwm/
Q: How do you make the gods laugh? A: Tell them your plans.
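
Added example, not part of the original message: a small sh audit that reads an inetd.conf and reports whether inetd is still needed, following the reasoning in the reply above. The function names, the verdict wording and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): decide whether inetd
# is still needed, given which services its config would launch.

# List the service name of every enabled (uncommented) inetd.conf entry.
# A valid entry has at least six fields: service, socket type, protocol,
# wait/nowait, user, server program.
inetd_enabled() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# Print a one-line verdict (wording is this example's own).
inetd_advice() {
    steps="" others=""
    for svc in $(inetd_enabled "$1"); do
        case $svc in
            telnet) steps="${steps}replace telnet with sshd; " ;;
            ftp)    steps="${steps}drop ftp or run ftpd -D; " ;;
            *)      others="${others}${others:+ }$svc" ;;
        esac
    done
    if [ -n "$others" ]; then
        echo "inetd still needed for: $others"
    else
        echo "${steps}stop inetd"
    fi
}

# Constructed sample in inetd.conf layout, matching the setup described
# in the question (telnet and ftp enabled, everything else commented out).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ftp     stream  tcp   nowait  root  /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp   nowait  root  /usr/libexec/telnetd  telnetd
#shell  stream  tcp   nowait  root  /usr/libexec/rshd     rshd
EOF
inetd_advice "$sample"
rm -f "$sample"
```

On a live host, point `inetd_advice` at /etc/inetd.conf and compare the result with what is actually listening (for example, the output of `sockstat -l`).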