From: Kirk Bailey
Organization: Silas Dent Memorial Cabal of ERIS Esoteric and hot dog boiling society
Date: Mon, 16 Jun 2003 19:47:17 -0400
To: Mitch Collinsworth
cc: freebsd-security@freebsd.org
Subject: Re: POP daemon

Pay CAREFUL attention to the firewall and its rules. Insure ALL ports are closed, or listened to ONLY by their proper daemon. Insure you have up to date software running in the server, and do NOT run anything with the word windows in it, the word is known to bring bad luck. RTFM for your collection of daemons, and insure they have been given carefully thought out instructions and defaults. DO NOT allow something/anything to execute instructions.

DO NOT use anything but a VERY recent version of formmail- or better, do not run formmail. Insure the httpd daemon can only access the web directory, and the web directory's cgi-bin, and nothing else. Only use scripts that are carefully checked to avoid bugs, or were checked out by someone else who is knowledgeable at the art of perverting a server- or do not permit cgi at all. Although ssi includes are rather safe, DO NOT configure the httpd server to permit running commands, only cgi files- and they only from the web cgi-bin.

DO NOT place anything else in that directory except known and trustworthy scripts or compiled programs. INSURE they cannot be written to by the user the httpd server runs as; in fact, insure the directory ITSELF cannot be written to by the httpd identity. THAT IDENTITY MUST NOT BE A PRIVILEGED USER. Carefully learn to understand the idea of identities, groups, and permissions. Learn to love your logs. Learn to sue crackers, they can (with a little luck, they're usually bankrupt losers) be profit centers.

Am I being paranoid?

Mitch Collinsworth wrote:
> On Mon, 16 Jun 2003, Dave wrote:
>
> >>What I mean by good is 'secure as possible' (is there really such thing as
> >>being totally secure / invulnerable?)
>
> Yes. It's called "not connected to the network, in a bomb-shelter,
> with an emergency generator, with plenty of fuel".
>
> -Mitch

-- 

end

Cheers!
Kirk D Bailey

 think
+-----+
| BOX |
+-----+
 think

http://www.howlermonkey.net/
http://www.tinylist.org/
http://www.listville.net/
http://www.sacredelectron.org/

"Thou art free"-ERIS
'Got a light?'-Promethieus
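
The cgi-bin rules in the message above (nothing writable by the httpd identity, the directory itself included, and that identity not privileged) can be checked mechanically. The script below is an added example, not part of Kirk Bailey's message; the function names are hypothetical, and the account, group and path you pass in (for instance `audit_cgi_bin /path/to/cgi-bin www www`) are assumptions about your own server.

```shell
#!/bin/sh
# Added example: check a cgi-bin against the permission rules in the message.
# The account name, group and path passed in are the caller's assumptions.

# Succeeds (exit 0) when the named account is uid 0, i.e. privileged.
httpd_is_privileged() {
    [ "$(id -u "$1")" -eq 0 ]
}

# Print every non-symlink path under directory $1 that user $2 (primary
# group $3) could modify: owned by it and owner-writable, in its group and
# group-writable, or world-writable. Supplementary groups are not checked.
writable_by_httpd() {
    find "$1" ! -type l \( \
        \( -user "$2" -perm -200 \) -o \
        \( -group "$3" -perm -020 \) -o \
        -perm -002 \) -print
}

# Run both checks; returns non-zero if any rule from the message is broken.
audit_cgi_bin() {
    rc=0
    if httpd_is_privileged "$2"; then
        echo "FAIL: $2 is a privileged (uid 0) account"
        rc=1
    fi
    bad=$(writable_by_httpd "$1" "$2" "$3")
    if [ -n "$bad" ]; then
        echo "FAIL: writable by $2:"
        echo "$bad"
        rc=1
    fi
    return $rc
}
```

The directory itself is among the paths `find` visits, so a writable cgi-bin is reported along with any writable script inside it.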