Date: Sat, 19 Aug 2000 23:48:18 +0000
From: rob <europax@home.com>
To: Mike Meyer <mwm@mired.org>
Cc: questions@FreeBSD.ORG
Subject: Re: newbie security
Message-ID: <399F1CC2.9F565491@home.com>
References: <14751.19841.179494.276810@guru.mired.org>

Thanks for the info. FreeBSD seems to be more straightforward and
streamlined than Linux, which makes for better security. I also noticed
that the only setuid files present were the mandatory ones. I am using
portsentry, so I get logs of all of the scans, most of which are from
authorized-security@home looking at port 119 (nntp?).

Rob.

Mike Meyer wrote:
>
> rob writes:
> > I have a Linux box here that I spent a great deal of time securing. I
> > am wondering if the same strategies apply to FreeBSD. Here is what I
> > did for Linux and now for FreeBSD:
> >
> > 1. On Linux, turned off all unneeded services. Did the same for
> > FreeBSD. Kept smtp for qmail, and enabled internal identd, all else off.
>
> Always a good idea.
>
> > 2. On Linux and FreeBSD, not using a firewall. Figured with all of the
> > services off, I don't need it.
>
> You ought to set up a firewall anyway. If for nothing else, it will
> detect and log probes to those unused services.
>
> > 4. On Linux, made /tmp /var /home / all separate partitions. Should
> > BSD use separate slices for these? I followed the recommendations and
> > just have /var on FreeBSD as a separate slice.
>
> Actually, they don't need to be separate slices at all. FreeBSD
> subdivides a slice into partitions, and you can make those separate. I
> tend to like splits like yours, but I'm old school. Not everyone does
> that. To get *really* serious about it, mount root r/o. This takes a
> bit of work to locate everything that needs to be written to and move
> it off of root. You can also set kern_securelevel via
> /etc/rc.conf. See init(1) for details.
>
> > 5. Mounted /tmp /var /home / nosetuid on Linux. Haven't done
> > anything similar with BSD.
>
> Assuming that nosetuid does what I think it does - disables the setuid
> and setgid bits on the file systems - then that should break
> things. The su and suid commands should be broken if you do that. If
> you really want to do these things on FreeBSD, the relevant option is
> nosuid.
>
> > 6. Set all security related, and log files to 600 root.root on Linux.
> > Yet to do on FreeBSD, but sounds like a good idea.
>
> Making all log files mode 600 owned by root means that root has to run
> the daemons that log to them. This may or may not be either true or
> desirable.
>
> If you're serious about security, you should audit the entire startup
> sequence, and make sure that you understand everything that gets run,
> and disable everything that you don't need.
>
> <mike
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
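
Added example, not part of either message: a shell check for the nosuid point in item 5, which cross-references saved `mount` output with a list of setuid/setgid files to show where nosuid would break binaries such as su and where it could be added without effect on them. The function names `audit_nosuid` and `demo`, the device names and the file list are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_nosuid MOUNT_FILE SUID_FILE   (added example, hypothetical helper)
#   MOUNT_FILE: saved output of FreeBSD mount(8)
#   SUID_FILE:  one path per line, e.g. from
#       find / -type f \( -perm -4000 -o -perm -2000 \) -print
# Prints "<status> <mount point> <setuid/setgid file count>":
#   BREAKS     nosuid is set, but setuid/setgid files live there
#   CANDIDATE  nosuid is not set, and no setuid/setgid files were found
#   OK         anything else
audit_nosuid() {
    awk '
        FNR == NR {                       # first file: mount output
            if ($2 != "on") next
            mp = $3; opts = $0
            sub(/^[^(]*\(/, "", opts); sub(/\).*$/, "", opts)
            nosuid[mp] = ((", " opts ", ") ~ /, nosuid, /) ? 1 : 0
            count[mp] = 0; order[++n] = mp
            next
        }
        {                                 # second file: setuid paths
            best = ""                     # longest mount point prefix wins
            for (i = 1; i <= n; i++) {
                m = order[i]; pre = (m == "/") ? "/" : m "/"
                if (index($0, pre) == 1 && length(m) > length(best)) best = m
            }
            if (best != "") count[best]++
        }
        END {
            for (i = 1; i <= n; i++) {
                m = order[i]
                if (nosuid[m] && count[m] > 0) s = "BREAKS"
                else if (!nosuid[m] && count[m] == 0) s = "CANDIDATE"
                else s = "OK"
                print s, m, count[m]
            }
        }' "$1" "$2"
}

# Constructed sample data: /usr is mounted nosuid although su lives there.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '/dev/ad0s1a on / (ufs, local)' \
        '/dev/ad0s1e on /var (ufs, local, nosuid, soft-updates)' \
        '/dev/ad0s1f on /usr (ufs, local, nosuid)' \
        '/dev/ad0s1g on /tmp (ufs, local)' > "$d/mount.txt"
    printf '%s\n' /usr/bin/su /usr/bin/passwd /sbin/ping > "$d/suid.txt"
    audit_nosuid "$d/mount.txt" "$d/suid.txt"
    rm -rf "$d"
}
```

Calling `demo` runs the check on the constructed data; on a real host, pass files holding the output of `mount` and of the `find` command shown in the header comment.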