From owner-freebsd-questions Sat Jun 16 15:46:58 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from web14807.mail.yahoo.com (web14807.mail.yahoo.com [216.136.224.223]) by hub.freebsd.org (Postfix) with SMTP id 36D4637B406 for ; Sat, 16 Jun 2001 15:46:44 -0700 (PDT) (envelope-from a_trans2001@yahoo.com)
Message-ID: <20010616224644.95648.qmail@web14807.mail.yahoo.com>
Received: from [24.248.85.196] by web14807.mail.yahoo.com; Sat, 16 Jun 2001 15:46:44 PDT
Date: Sat, 16 Jun 2001 15:46:44 -0700 (PDT)
From: La Place
Subject: Re: a single resource for small network basic security considerations
To: freebsd-questions@freebsd.org
In-Reply-To: <3B2BA317.FC3B8A57@iowna.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dave, the basic concepts are pretty simple.. let me write you the steps.

1) Install FreeBSD 4.3
2) mkdir /backup; mv /etc/inetd.conf /backup/; touch /etc/inetd.conf - this removes the inetd.conf to a backup dir and creates a new file. Every time you want to run a new service, just echo 1 line into /etc/inetd.conf and send SIGHUP to inetd. This way, if people (superduper dumb kiddies) hack you and echo an extra line into /etc/inetd.conf, you can tell right away.. because there are only like 1 or 2 lines in the whole file now :).
3) use cvs or cvsup to update the SOURCE to -stable and PORTS
4) recompile the kernel and rebuild the binaries. Make sure you enable IPFW in the kernel
5) You need a couple of sysctl (/etc/sysctl.conf) settings:
   kern.ps_showallprocs=0
   net.inet.tcp.log_in_vain=1
   net.inet.udp.log_in_vain=1
   The first line makes sure that users can only see their OWN procs. The second line logs all connection attempts to unopened tcp/udp ports.
6) make ipfw block connection requests to every single service port that you don't run.
7) also block ICMP packets too... if you don't want to ping your box from far away ;)
8) that is essentially it. then update your src once a week or so for security patches and stuff..
9) if you run ftpd, make sure you chroot each user, by adding their username to /etc/ftpchroot
10) don't run unnecessary services... restrict hostnames/users accordingly.
11) that is essentially it :).. it is quite simple to follow most of these steps.. :)) have fun...

Bruce Dang

--- Bill Moran wrote:
> Here are a few of the resources I use:
> 1. man pages for IPFW, natd.
> 2. FreeBSD handbook
> 3. www.freebsddiary.org
> 4. www.mostgraveconcern.com/freebsd/
>
> Dave Atkins wrote:
> >
> > Sorry, I should stop posting before people start telling me to RTFM... but
> > this list is the most helpful resource I have been able to find.
> >
> > Is there a good online resource which goes into step-by-step detail about
> > how to set up and protect a small network -- for example for a small startup
> > company?
> >
> > I have found tons of information, scattered all over the place, but no good
> > single resource.
> >
> > Here is the outline for what I believe would be the topics needed. I don't
> > expect people to answer these questions on this list, but if you have good
> > links and send them to me (dave@atkinshome.com), I will compose a
> > comprehensive article and repost it -- or at least a link to a url. My
> > question for this list is whether someone else has already done this?
> >
> > 1) basic network architecture
> >    how to set up a firewall machine
> >    how to enable NAT including real IP to private IP aliasing
> >    how to use ipfw to write rules that provide best security - and the
> >    consequences of each rule
> >    how to set up dhcp to provide addressing for the internal network and how
> >    to deal with static ips
> >    how to lock down the firewall machine by disabling vulnerable services and
> >    setting system security
> >    how can I monitor attempted intrusions?
> >
> > 2) enabling the internal network
> >    Mail: what is the most secure smtp strategy? (and how to do it)
> >    bastion host outside firewall relaying to internal mail server or just
> >    open a port to the internal server?
> >    how do I prevent my mail server from becoming a spam relay?
> >    latest sendmail config tweaks?
> >    server configuration/security above and beyond packet filtering
> >    covered above?
> >    DNS configuration
> >    I run my own DNS... should I poke a hole in the firewall or protect my
> >    servers as best I can and leave them outside the firewall?
> >    How do I handle DNS for the internal network, given that I have these
> >    external DNS servers going too?
>
> --
> If a bird in the hand is worth two in the bush,
> then what can I get for two hands in the bush?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
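The ipfw "block every port you don't run" step and the nearly-empty inetd.conf check from Bruce Dang's reply above, written out as an added shell example that is not from the thread. The port lists, the rule numbers and the sample inetd.conf are constructed for illustration; the script only prints the ruleset, it does not load it.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates the ipfw rules for
# steps 6 and 7 and implements the inetd.conf line-count check from step 2.
# Port lists and rule numbers are assumptions chosen for illustration.

# Emit an ipfw ruleset (FreeBSD 4.x syntax) that accepts new connections only
# on the listed TCP/UDP service ports, logs and drops attempts to every other
# port, and drops inbound ICMP echo requests. Review the output, then run it
# or save it as the firewall script; nothing is applied here.
gen_ipfw_rules() {
    tcp_ports=$1   # e.g. "21 22"
    udp_ports=$2   # e.g. "53"
    n=300
    echo "ipfw -f flush"
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 200 check-state"
    for p in $tcp_ports; do
        echo "ipfw add $n allow tcp from any to me $p setup keep-state"
        n=$((n + 10))
    done
    for p in $udp_ports; do
        echo "ipfw add $n allow udp from any to me $p keep-state"
        n=$((n + 10))
    done
    # Connections the host itself opens are stateful, so replies get back in.
    echo "ipfw add 60000 allow tcp from me to any setup keep-state"
    echo "ipfw add 60010 allow udp from me to any keep-state"
    # Everything else inbound is logged and dropped (pairs with log_in_vain).
    echo "ipfw add 65000 deny log icmp from any to me icmptypes 8"
    echo "ipfw add 65100 deny log tcp from any to me setup"
    echo "ipfw add 65200 deny log udp from any to me"
    echo "ipfw add 65300 deny log ip from any to any"
}

# Step 2's detection idea: count the active (non-comment, non-blank) lines in
# an inetd.conf so it can be compared with the number of services you enabled.
count_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]' || true
}

# Constructed sample inetd.conf with exactly one service enabled on purpose.
SAMPLE_INETD=$(mktemp)
printf '# only ftpd is wanted here\nftp stream tcp nowait root /usr/libexec/ftpd ftpd -l\n' > "$SAMPLE_INETD"
gen_ipfw_rules "21 22" "53"
echo "active inetd services: $(count_inetd_services "$SAMPLE_INETD")"
rm -f "$SAMPLE_INETD"
```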