From owner-freebsd-questions Sat Aug 19 20:17:11 2000 Delivered-To: freebsd-questions@freebsd.org Received: from guru.mired.org (zoom3-035.telepath.com [216.14.3.35]) by hub.freebsd.org (Postfix) with SMTP id A571D37B423 for ; Sat, 19 Aug 2000 20:17:07 -0700 (PDT) Received: (qmail 12301 invoked by uid 100); 20 Aug 2000 03:16:17 -0000 From: Mike Meyer MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14751.19841.179494.276810@guru.mired.org> Date: Sat, 19 Aug 2000 22:16:17 -0500 (CDT) To: rob Cc: questions@freebsd.org Subject: newbie security In-Reply-To: <109197656@toto.iv> X-Mailer: VM 6.72 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG% *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\ Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG rob writes: > I have a linux box here that I spent a great deal of time securing. I > am wondering if the same strategies apply to FreeBSD. Here is what I > did for Linux and now for FreeBSD: > > 1. On linux, turned off all uneeded services. Did the same for > FreeBSD. Kept smpt for qmail, and enabled internal identd, all else off. Always a good idea. > 2. On linux and FreeBSD, not using a firewall. Figured with all of the > services off, I don't need it. You ought to set up a firewall anyway. If for nothing else, it will detect and log probes to those unused services. > 4. On Linux, made /tmp /var /home / all seperate partitions. Should > BSD use seperate slices for these? I followed the recommendations and > just have /var on FreeBSD as a seperate slice. Actually, they don't need to be seperate slices at all. FreeBSD subdivides a slice into partitions, and you can make those separate. I tend to like splits like yours, but I'm old school. Not everyone does that. To get *really* serious about it, mount root r/o. This takes a bit of work to locate everything that needs to be written to and move it off of root. You can also set kern_securelevel via /etc/rc.conf. See init(1) for details. > 5. Mounted /tmp /var /home / nosetuid on Linux. Haven't done > anything similar with BSD. Assuming that nosetuid does what I think it does - disables the setuid and setgid bits on the file systems - then that should break things. The su and suid commands should be broken if you do that. If you really want to do these things on FreeBSD, the relevant option is nosuid. > 6. Set all security related, and log files to 600 root.root on Linux. > Yet to do on FreeBSD, but sounds like a good idea. Making all log files mode 600 owned by root means that root has to run the daemons that log to them. This may or may not be either true or desirable. If you're serious about security, you should audit the entire startup sequence, and make sure that you understand everything that gets run, and disable everything that you don't need.