From: Jason Stone
To: Chest Rockwell
Subject: Re: New BSD user with a couple Qs
Date: Thu, 14 Mar 2002 02:32:47 -0800 (PST)
Message-ID: <20020314021011.J9375-100000@walter>
Sender: owner-freebsd-security@FreeBSD.ORG

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I've read a couple docs on how to secure my machine. I just installed
> 4.4 stable. I turned off pretty much everything except for ftp(users
> only, no anon) and ssh.

FTP is totally insecure as it sends all data in the clear - many attacks
start by sniffing user passwords out of ftp sessions and then using local
exploits to get root. Consider using sftp, the secure ftp-like
alternative that comes with ssh. From the unix commandline, it works
just like ftp, and for windows clients, CuteFTP, Secure iXplorer, and
others support it - just change the port from 21 to 22.

If you must use plain ftp, consider using opie passwords instead of plain
passwords. Opie calculators exist for pretty much every platform, and
some gui clients even have builtin support for it (Fetch for the Mac comes
to mind). "man opie" for details.

> I am a little familiar with redhat and remember editing my hosts.deny
> file so that it locked out everyone except for my home and work
> machines. I think that I need to edit the /etc/rc.firewall file.
> Is this a good idea to deny everyone except for a few users and how would
> I do that?

FreeBSD also supports tcpwrappers-style access lists in /etc/hosts.allow,
but using ipfw firewalling rules is probably a better idea, as this will
prevent, for example, buffer overflows, whereas tcpwrappers will not.

I recommend against editing /etc/rc.firewall, as this will create
conflicts when you upgrade via cvsup (see below). I prefer to set all my
firewall rules in a separate file. For example, my /etc/rc.conf contains:

#------------------------------#
firewall_enable="YES"
firewall_logging="YES"
firewall_type="/etc/ipfw.conf"
#------------------------------#

And then I have my ipfw rules in /etc/ipfw.conf:

add deny tcp from any to any 111
add deny udp from any to any 111
add deny tcp from any to any 1023
add deny udp from any to any 1023
etc....

> I'm running 4.4 stable. Is that good enough or should I get the 4.5
> release?
>
> Do I need to upgrade/update any files or do anything else to secure
> the machine? If so, could you send me a good link or give me some
> help please?

You definitely should upgrade. To upgrade to 4.5-stable, install the
cvsup package, edit /usr/share/examples/cvsup/stable-supfile and change
the line "*default host=CHANGE_THIS.FreeBSD.org" to
"*default host=cvsup9.FreeBSD.org" and then run
"cvsup -g -L 2 /usr/share/examples/cvsup/stable-supfile" to update your
source tree. Finally, rebuild the user-space with something like
"cd /usr/src && make world"

You should also rebuild the kernel and use mergemaster to clean up your
/etc files - check out the handbook for more help with that.

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
 -- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8kHxSswXMWWtptckRAiz9AJwMjH1PbdEdkjpzALxUZQX0XII7TwCffFOS
SN4deJTkrSkVcYLr9vMk5VI=
=lTSy
-----END PGP SIGNATURE-----
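
The allow-list the original poster asked about, as an added example that is not part of Jason's message: a small sh script that prints rules in the /etc/ipfw.conf format shown above, restricting chosen TCP ports to named hosts. The function names, port 22 and the addresses 192.0.2.10 and 198.51.100.7 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Prints an ipfw rule file in
# the format loaded through firewall_type="/etc/ipfw.conf" in rc.conf.

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        count=$((count + 1))
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# gen_rules "PORTS" "HOSTS": rules limiting each TCP port to the listed hosts.
# Returns 1 and prints nothing to stdout if any port or address is malformed.
gen_rules() {
    ports=$1 hosts=$2
    [ -n "$ports" ] && [ -n "$hosts" ] || { echo "need ports and hosts" >&2; return 1; }
    for h in $hosts; do
        is_ipv4 "$h" || { echo "bad address: $h" >&2; return 1; }
    done
    for p in $ports; do
        case "$p" in *[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    # Loopback traffic, and packets of TCP connections already set up.
    echo "add allow ip from any to any via lo0"
    echo "add allow tcp from any to any established"
    for p in $ports; do
        # ipfw acts on the first matching rule, so the per-host allows must
        # come before the deny that covers every other source.
        for h in $hosts; do
            echo "add allow tcp from $h to any $p setup"
        done
        echo "add deny log tcp from any to any $p setup"
    done
    # Anything not matched above reaches the kernel's default rule (65535),
    # which denies unless the kernel has IPFIREWALL_DEFAULT_TO_ACCEPT.
}

# Constructed sample input (documentation addresses), used when no args given.
gen_rules "${1:-22}" "${2:-192.0.2.10 198.51.100.7}"
```

Redirect the output to a scratch file and review it before installing it as /etc/ipfw.conf; a mistake in the host list on a remote machine can cut off your own ssh session.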