Date: Wed, 5 Jan 2011 14:05:18 -0600
From: Adam Vande More <amvandemore@gmail.com>
To: Mark Moellering <mark@msen.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Bot? / pf question
Message-ID: <AANLkTimtWK9R1U6zGpFJvcYri454pb3gLQ=geC48yApJ@mail.gmail.com>
In-Reply-To: <4D24CB09.3030603@msen.com>
References: <4D249129.6090008@webtent.net> <4D249298.9080706@nrdx.com>
 <AANLkTi=%2B=FGeQevAnxii6m2XK7i%2B617Mt4EkQfd2Ucv0@mail.gmail.com>
 <AANLkTinOewwzjMigG_Bn0%2BZL7GzvfL7Nq_FGBHyCNbsj@mail.gmail.com>
 <AANLkTimQy3H5HHGBGqd9JET22GH0ygWOh8DBta310SpY@mail.gmail.com>
 <4D24CB09.3030603@msen.com>

On Wed, Jan 5, 2011 at 1:48 PM, Mark Moellering <mark@msen.com> wrote:

> That's an excellent point. A span port from the upstream switch/router
>
> Since I am going to be setting up a mail server sometime next week and have
> to keep things like this in mind;
> would it make sense to run pf and block all outbound traffic that isn't on
> port 25 ( port 995 , etc) and force any web administration programs onto a
> port other than 80 to help with this sort of thing? Any other thoughts on
> how to make sure future installations can be kept secure?
>
> As always, thanks in advance to everyone,
>

That's a great example of when jails should be used. I put each service into
its own jail, e.g. MTA, FTP, www. Actually I use something like pound, then put
each different website in its own jail. Make sure each database backed service
has separate login/passwords. Then if something like phplist, or an MTA, is
compromised, the host OS and utilities can still be trusted, in theory at least.

Also a managed port can help you deal with issues by tracking stat
metrics/port mirroring/etc.

You can use something like ezjail to make administration tasks easier, and if
you isolate the jail FS's (UFS/ZFS), make use of the snapshotting utilities.
There are a couple of utilities in ports to help automate snapshots too.

-- 
Adam Vande More
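
Added example, not part of the original message and not either poster's configuration: a pf.conf sketch that combines the per-service jails described in the reply with the outbound restriction asked about in the quoted question. The interface name, all addresses, the resolver and the SSH rule are assumptions; the service ports (25, 995, 80) are the ones named in the thread.

```conf
# /etc/pf.conf -- constructed example; em0 and the 192.0.2.x addresses
# are placeholders (documentation range), one alias per jail.
ext_if   = "em0"
host_ip  = "192.0.2.10"   # host OS (assumed)
mta_jail = "192.0.2.11"   # MTA jail (assumed)
www_jail = "192.0.2.12"   # web jail behind the proxy (assumed)
resolver = "192.0.2.53"   # the only DNS server the jails may query (assumed)

set block-policy drop
set skip on lo0

# Default deny in both directions. Dropped packets are logged to pflog0,
# so an outbound attempt from a jail that has no rule for it shows up in
# the log instead of leaving silently.
block log all

# Inbound: each jail is reachable only on the service it offers.
pass in on $ext_if proto tcp from any to $mta_jail port { 25, 995 } keep state
pass in on $ext_if proto tcp from any to $www_jail port 80 keep state
# Admin access to the host itself (assumption, adjust or remove).
pass in on $ext_if proto tcp from any to $host_ip port 22 keep state

# Outbound: rules here cover only connections a jail *initiates*.
# Replies to the inbound connections above already match their state
# entries and need no rule of their own.
pass out on $ext_if proto tcp from $mta_jail to any port 25 keep state
pass out on $ext_if proto { tcp, udp } from { $mta_jail, $www_jail } \
    to $resolver port 53 keep state

# No other "pass out" exists for $www_jail: a compromised web application
# cannot open connections to the Internet, and it cannot send mail
# directly because port 25 outbound is allowed from $mta_jail only.
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `tcpdump -n -e -ttt -i pflog0` shows what the default block rule is dropping.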