Date: Mon, 16 Jun 2003 19:47:17 -0400
From: Kirk Bailey <idiot1@netzero.net>
To: Mitch Collinsworth <mitch@ccmr.cornell.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: POP daemon
Message-ID: <3EEE5705.6020002@netzero.net>
References: <20030616105955.U11598@metafocus.net> <Pine.LNX.4.51.0306161512080.19398@saruman.ccmr.cornell.edu>

Pay CAREFUL attention to the firewall and its rules. Ensure ALL ports are closed, or listened to ONLY by their proper daemon. Ensure you have up to date software running in the server, and do NOT run anything with the word windows in it, the word is known to bring bad luck.

RTFM for your collection of daemons, and ensure they have been given carefully thought out instructions and defaults. DO NOT allow something/anything to execute instructions. DO NOT use anything but a VERY recent version of formmail- or better, do not run formmail.

Ensure the httpd daemon can only access the web directory, and the web directory's cgi-bin, and nothing else. Only use scripts that are carefully checked to avoid bugs, or were checked out by someone else who is knowledgeable at the art of perverting a server- or do not permit cgi at all. Although ssi includes are rather safe, DO NOT configure the httpd server to permit running commands, only cgi files- and they only from the web cgi-bin. DO NOT place anything else in that directory except known and trustworthy scripts or compiled programs. ENSURE they cannot be written to by the user the httpd server runs as; in fact, ensure the directory ITSELF cannot be written to by the httpd identity. THAT IDENTITY MUST NOT BE A PRIVILEGED USER.

Carefully learn to understand the idea of identities, groups, and permissions. Learn to love your logs. Learn to sue crackers, they can (with a little luck, they're usually bankrupt losers) be profit centers.

Am I being paranoid?

Mitch Collinsworth wrote:
> On Mon, 16 Jun 2003, Dave wrote:
>
>
>>What I mean by good is 'secure as possible' (is there really such thing as
>>being totally secure / invulnerable?)
>
>
> Yes.  It's called "not connected to the network, in a bomb-shelter,
> with an emergency generator, with plenty of fuel".
>
> -Mitch
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
>

--

end

Cheers!
        Kirk D Bailey

                             think
http://www.howlermonkey.net/ +-----+ http://www.tinylist.org/
http://www.listville.net/    | BOX | http://www.sacredelectron.org/
                             +-----+
"Thou art free"-ERIS         think   'Got a light?'-Promethieus
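
The permission advice in the message above (cgi-bin and its contents not writable by the httpd identity, and that identity not privileged) can be checked mechanically. The following POSIX sh audit is an added example, not part of the original e-mail; the function names are this example's own, and the directory and account name are whatever the caller passes in.

```shell
#!/bin/sh
# Constructed audit helper; account and directory are supplied by the caller.

# True when the named account has uid 0 (a privileged httpd identity).
is_privileged() {
    [ "$(id -u "$1" 2>/dev/null)" = "0" ]
}

# Print each entry under directory $1 that account $2 could modify:
# owned by it, world-writable, or group-writable via one of its groups.
httpd_writable_entries() {
    dir=$1 user=$2
    {
        find "$dir" -user "$user"
        find "$dir" ! -type l -perm -0002
        for gid in $(id -G "$user"); do
            find "$dir" ! -type l -group "$gid" -perm -0020
        done
    } 2>/dev/null | sort -u
}

# Report findings; returns 0 when clean, 1 on findings, 2 on bad arguments.
audit_cgi_bin() {
    dir=$1 user=$2
    if [ ! -d "$dir" ] || ! id "$user" >/dev/null 2>&1; then
        echo "usage: audit_cgi_bin <cgi-bin dir> <httpd account>" >&2
        return 2
    fi
    rc=0
    if is_privileged "$user"; then
        echo "FAIL: $user is uid 0"
        rc=1
    fi
    found=$(httpd_writable_entries "$dir" "$user")
    if [ -n "$found" ]; then
        echo "FAIL: $user can modify:"
        echo "$found" | sed 's/^/  /'
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $user cannot modify anything under $dir"
    fi
    return "$rc"
}

# Run the audit when called as: sh audit.sh /path/to/cgi-bin httpd_account
if [ "$#" -eq 2 ]; then
    audit_cgi_bin "$1" "$2"
fi
```

Entries owned by the account are reported even when their mode is read-only, because an owner can always chmod its own files back to writable.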