From owner-freebsd-questions@FreeBSD.ORG Wed Jan 5 20:05:20 2011
Date: Wed, 5 Jan 2011 14:05:18 -0600
From: Adam Vande More
To: Mark Moellering
Cc: freebsd-questions@freebsd.org
Subject: Re: Bot? / pf question
In-Reply-To: <4D24CB09.3030603@msen.com>
References: <4D249129.6090008@webtent.net> <4D249298.9080706@nrdx.com> <4D24CB09.3030603@msen.com>
List-Id: User questions

On Wed, Jan 5, 2011 at 1:48 PM, Mark Moellering wrote:

> That's an excellent point. A span port from the upstream switch/router
>
> Since I am going to be setting up a mail server sometime next week and have
> to keep things like this in mind;
> would it make sense to run pf and block all outbound traffic that isn't on
> port 25 (port 995, etc.) and force any web administration programs onto a
> port other than 80 to help with this sort of thing? Any other thoughts on
> how to make sure future installations can be kept secure?
>
> As always, thanks in advance to everyone,
>

That's a great example of when jails should be used. I put each service into its own jail, e.g. MTA, FTP, www. Actually I use something like pound, then put each different website in its own jail. Make sure each database-backed service has separate logins/passwords. Then if something like phplist or an MTA is compromised, the host OS and utilities can still be trusted, in theory at least. Also a managed port can help you deal with issues by tracking stat metrics/port mirroring/etc.

You can use something like ezjail to make administration tasks easier, and if you isolate the jail FSs (UFS/ZFS) make use of the snapshotting utilities. There are a couple of utilities in ports to help automate snapshots too.

--
Adam Vande More
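Putting the two halves of this exchange together (default-deny egress on the host, with each jail allowed to originate only what its role needs), as an added pf.conf example that is not from the original thread; the interface name, the TEST-NET addresses and the jail layout are assumptions:

```pf
# Assumed layout: one NIC, the host plus an MTA jail and a www jail as aliases.
ext_if      = "em0"
host_ip     = "192.0.2.10"                  # constructed addresses (TEST-NET-1)
mta_jail    = "192.0.2.11"
www_jail    = "192.0.2.12"
dns_servers = "{ 192.0.2.53, 192.0.2.54 }"
mgmt_net    = "192.0.2.0/28"                # where admins connect from

set skip on lo0
set loginterface $ext_if

# Default deny in both directions; log every drop so a service that starts
# trying to open connections it has no business opening shows up in pflog.
block log all

# Inbound: only the services this host is meant to offer.
pass in on $ext_if proto tcp to $mta_jail port { 25, 995 } flags S/SA keep state
pass in on $ext_if proto tcp to $www_jail port 80 flags S/SA keep state
# Web administration moved off port 80 and limited to the management network.
pass in on $ext_if proto tcp from $mgmt_net to $www_jail port 8443 flags S/SA keep state
pass in on $ext_if proto tcp from $mgmt_net to $host_ip port 22 flags S/SA keep state

# Outbound: everybody may resolve names, and nothing else unless listed.
pass out on $ext_if proto { tcp, udp } from { $host_ip, $mta_jail, $www_jail } \
    to $dns_servers port 53 keep state
# The MTA jail must deliver mail, so it alone may originate SMTP.
pass out on $ext_if proto tcp from $mta_jail to any port 25 flags S/SA keep state
# The www jail gets no outbound rule at all: if it is compromised, any
# connection it tries to open is blocked and logged.
# The host itself needs NTP and fetching of updates/ports.
pass out on $ext_if proto udp from $host_ip to any port 123 keep state
pass out on $ext_if proto tcp from $host_ip to any port { 80, 443 } flags S/SA keep state
```

Blocked attempts can be watched live with `tcpdump -n -e -ttt -i pflog0`, which is where an unexpected outbound connection from the www jail would first appear.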