From owner-freebsd-questions Sat Aug 19 23:48:18 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from femail1.sdc1.sfba.home.com (femail1.sdc1.sfba.home.com [24.0.95.81])
	by hub.freebsd.org (Postfix) with ESMTP id 8096437B42C
	for ; Sat, 19 Aug 2000 23:48:16 -0700 (PDT)
Received: from home.com ([24.12.186.185])
	by femail1.sdc1.sfba.home.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP
	id <20000820064811.NIDA29012.femail1.sdc1.sfba.home.com@home.com>;
	Sat, 19 Aug 2000 23:48:11 -0700
Message-ID: <399F1CC2.9F565491@home.com>
Date: Sat, 19 Aug 2000 23:48:18 +0000
From: rob
X-Mailer: Mozilla 4.72 [en] (X11; I; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Meyer
Cc: questions@FreeBSD.ORG
Subject: Re: newbie security
References: <14751.19841.179494.276810@guru.mired.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Thanks for the info. FreeBSD seems to be more straightforward and
streamlined than Linux, which makes for better security. I also noticed
that the only setuid files present were the mandatory ones. I am using
portsentry, so I get logs of all of the scans, most of which are from
authorized-security@home looking at port 119 (nntp?).

Rob.

Mike Meyer wrote:
>
> rob writes:
> > I have a Linux box here that I spent a great deal of time securing. I
> > am wondering if the same strategies apply to FreeBSD. Here is what I
> > did for Linux and now for FreeBSD:
> >
> > 1. On Linux, turned off all unneeded services. Did the same for
> > FreeBSD. Kept smtp for qmail, and enabled internal identd, all else off.
>
> Always a good idea.
>
> > 2. On Linux and FreeBSD, not using a firewall. Figured with all of the
> > services off, I don't need it.
>
> You ought to set up a firewall anyway. If for nothing else, it will
> detect and log probes to those unused services.
>
> > 4. On Linux, made /tmp /var /home / all separate partitions. Should
> > BSD use separate slices for these? I followed the recommendations and
> > just have /var on FreeBSD as a separate slice.
>
> Actually, they don't need to be separate slices at all. FreeBSD
> subdivides a slice into partitions, and you can make those separate. I
> tend to like splits like yours, but I'm old school. Not everyone does
> that. To get *really* serious about it, mount root r/o. This takes a
> bit of work to locate everything that needs to be written to and move
> it off of root. You can also set kern_securelevel via
> /etc/rc.conf. See init(1) for details.
>
> > 5. Mounted /tmp /var /home / nosetuid on Linux. Haven't done
> > anything similar with BSD.
>
> Assuming that nosetuid does what I think it does - disables the setuid
> and setgid bits on the file systems - then that should break
> things. The su and suid commands should be broken if you do that. If
> you really want to do these things on FreeBSD, the relevant option is
> nosuid.
>
> > 6. Set all security-related and log files to 600 root.root on Linux.
> > Yet to do on FreeBSD, but sounds like a good idea.
>
> Making all log files mode 600 owned by root means that root has to run
> the daemons that log to them. This may or may not be either true or
> desirable.
>
> If you're serious about security, you should audit the entire startup
> sequence, and make sure that you understand everything that gets run,
> and disable everything that you don't need.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
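As an added example that is not part of the thread above (it is neither Rob's nor Mike's code), here is a small POSIX shell script that checks the three FreeBSD-side items Mike raises: which filesystems in /etc/fstab still honour the setuid bit (the nosuid option he points to), whether /etc/rc.conf actually requests a kern_securelevel at boot, and a count of setuid/setgid files like the one Rob did by hand. The fstab and rc.conf contents and the temporary directory tree are constructed inline so the script runs offline; the function names are mine. kern_securelevel_enable and kern_securelevel are the real rc.conf variables, but their values here are made up.

```shell
#!/bin/sh
# Added example: offline checks for the hardening items discussed in the thread.
# Function names and the sample inputs below are constructed for illustration.

# Constructed /etc/fstab with the layout the thread describes: /var split
# off, and nothing mounted nosuid except /tmp.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options     Dump  Pass
/dev/ad0s1b     none        swap    sw          0     0
/dev/ad0s1a     /           ufs     rw          1     1
/dev/ad0s1e     /var        ufs     rw          2     2
/dev/ad0s1f     /tmp        ufs     rw,nosuid   2     2
/dev/ad0s1g     /home       ufs     rw          2     2'

# Constructed /etc/rc.conf fragment. kern_securelevel_enable and
# kern_securelevel are the real rc.conf knobs; the values are made up.
SAMPLE_RC_CONF='hostname="bsdbox.example.net"
inetd_enable="NO"
kern_securelevel_enable="YES"
kern_securelevel="1"'

# List mountpoints from an fstab (passed as a string) that are NOT mounted
# nosuid. Swap and / are skipped on purpose: in this layout the setuid
# binaries under /bin and /usr live on root, and su(1) needs the bit honoured.
missing_nosuid() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF < 4 { next }
        $3 == "swap" || $2 == "/" { next }
        {
            n = split($4, opts, ",")
            found = 0
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1
            if (!found) print $2
        }'
}

# Print the securelevel an rc.conf would request at boot, or -1 when it is
# not enabled there (setting kern_securelevel alone is not enough).
securelevel_from_rc() {
    printf '%s\n' "$1" | awk -F'=' '
        /^kern_securelevel_enable=/ { gsub(/"/, "", $2); enable = $2 }
        /^kern_securelevel=/        { gsub(/"/, "", $2); level  = $2 }
        END { if (enable == "YES" && level != "") print level; else print "-1" }'
}

# Count setuid/setgid regular files under a directory. On a real host run
# it against / (the check Rob mentions); here a throwaway tree is built.
count_setxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Build a constructed directory with one setuid, one setgid and one
# ordinary file, and print its path.
build_sample_tree() {
    d=$(mktemp -d)
    : > "$d/ping";   chmod 4755 "$d/ping"     # setuid-style binary
    : > "$d/wall";   chmod 2755 "$d/wall"     # setgid-style binary
    : > "$d/README"; chmod 644  "$d/README"   # ordinary file
    printf '%s\n' "$d"
}

echo "filesystems without nosuid:"
missing_nosuid "$SAMPLE_FSTAB"
echo "securelevel requested by rc.conf: $(securelevel_from_rc "$SAMPLE_RC_CONF")"
tree=$(build_sample_tree)
echo "setuid/setgid files in sample tree: $(count_setxid "$tree")"
rm -rf "$tree"
```

On a live FreeBSD box you would feed the functions the real files (`missing_nosuid "$(cat /etc/fstab)"`, `securelevel_from_rc "$(cat /etc/rc.conf)"`), confirm the running state with `mount` and `sysctl kern.securelevel`, and pair Mike's "audit the startup sequence" advice with `sockstat -4l` to see which daemons are actually listening after the audit.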