Date: Tue, 5 Mar 2002 05:23:08 +0200 From: Giorgos Keramidas <keramida@ceid.upatras.gr> To: Johnson David <djohnson@acuson.com> Cc: freebsd-newbies@freebsd.org Subject: Re: Security on Workstations Message-ID: <20020305032308.GA3537@hades.hell.gr> In-Reply-To: <20020304185950.C995437B419@hub.freebsd.org> References: <20020304185950.C995437B419@hub.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2002-03-04 10:59, Johnson David wrote:
> This months DaemonNews ezine has quite a bit of information on security.
> Interesting to be sure, but I don't think that information really applies to
> my boxen. I only have client systems that I maintain.
>
> At home my system is, well, a home system. I don't run a webpage off of it,
> and the only authorized user is myself. I have an SMC Barricade broadband
> router between it and the rest of the world. At work I have FreeBSD on a
> workstation within the company network. I have to frequently use telnet and
> rlogin to connect to other company systems which don't have ssh.
>
> What's the best strategy for securing these machines? Currently I'm using
> standard FreeBSD settings out of the box, with nothing in not in the default
> enabled. NFS and RPC are disabled.
I've found the following two simple steps to be sufficient for most of the
machines I've set up until now. A workstation at home, that I use for
every day work, and a few machines I've installed at other home user's
places:
- Don't run services that are not necessary for doing work.
- Use ipfw or ipfilter with a default deny policy.
- Use more than one access control types for open services.
The first means that my inetd.conf (if inetd needs to run) contains just a
few lines. Usually identd, for those who ask to connect to it, and comsat
when I feel like it.
The second step means that a default policy denies all incoming
connections, and drops weird packets (too short fragments, and a few other
things) on the floor. When I want to check a service, I can start it
locally, without worrying that it will instantly be 'seen' on the net.
I have to add a rule to the firewall ruleset to allow using it. This way,
even when a new service is added, it has to be explicitly enabled by me, in
order to be used.
Of course, this is not a panakea, that cures all evil, and I also use
other means of filtering who has access to each service if possible.
Those services that have to be accesses by a few 'trusted' machines,
are not allowed from 'any' in the firewall rules, and are also filtered
through hosts.allow if possible.
Finally, for those services that I have open, I run cronjobs that grep
through the daily logs, and mail root@localhost at the end of every day,
with any messages this service has generated. Another log grep wrapper
filters all the random stuff, and sends only 'unrecognized' messages to
another post to root@localhost.
It seems like a bit of paranoia, but one can never be too sure, can he?
Giorgos Keramidas FreeBSD Documentation Project
keramida@{freebsd.org,ceid.upatras.gr} http://www.FreeBSD.org/docproj/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-newbies" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020305032308.GA3537>