From owner-freebsd-isp Mon Jan 12 15:24:24 1998
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.7/8.8.7) id PAA18141
    for isp-outgoing; Mon, 12 Jan 1998 15:24:24 -0800 (PST)
    (envelope-from owner-freebsd-isp)
Received: from caladan.tdx.co.uk (caladan.tdx.co.uk [195.188.177.4])
    by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id PAA18023;
    Mon, 12 Jan 1998 15:24:10 -0800 (PST)
    (envelope-from kpielorz@tdx.co.uk)
Received: from tdx.co.uk (lorca-tx.tdx.co.uk [195.188.177.242])
    by caladan.tdx.co.uk (8.8.5/8.8.5) with ESMTP id WAA04153;
    Mon, 12 Jan 1998 22:56:22 GMT
Message-ID: <34BAA582.F9151DE9@tdx.co.uk>
Date: Mon, 12 Jan 1998 23:21:38 +0000
From: Karl Pielorz
Organization: TDX
X-Mailer: Mozilla 4.04 [en] (WinNT; I)
MIME-Version: 1.0
To: Johnathan Raymond Sconiers II
CC: freebsd-questions@freebsd.org, freebsd-isp@freebsd.org
Subject: Re: Security for isp
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Disable _EVERYTHING_ then pick the ones you need - and only enable them...

If you're setting up a public access FreeBSD system (or ISP system etc.) -
look in the ports collection for things like 'tcpwrappers' - which will
disallow or log connections from hosts which don't have reverse DNS
addresses, or better still - get a good book on the subject, something like
"Building Internet Firewalls ISBN 1-56592-124-0, O'Reilly & Associates, Inc."
is a good place to start - even if you're not building firewalls in
particular...

At the end of the day though - remember the motto - if you don't NEED it,
don't RUN it... And the more complex the system / program / setup - the more
that can go wrong, not only with the software - but with the security of the
system...

Regards,

Karl

ps. Don't take this _TOO_ far with BSD, I've heard of people deleting things
like the /usr/bin directory - because they didn't _need_ it - it applies more
to Servers, Ports etc. on the system - than the actual _BASE_ system - though
it might be a good idea not putting things like C compilers on systems
running as ISP servers (as not to give any 'visitors' too many tools ;-) -
Though at the end of the day some things are worth the 'risk' factor...

Johnathan Raymond Sconiers II wrote:
>
> Hi, sorry to bother you again with isp questions but i wanted to know if
> there are any things such as daemons, ports/packages that i should
> automatically disable. THANKS
>
> John
>
> *********************************
> *          M C S N E T          *
> * Johnathan Raymond Sconiers II *
> *          jrs@mcs.net          *
> *********************************
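
One way to check a host against the "disable everything, then enable only what you need" rule above, as an added example that is not part of the original message: the script lists services still enabled in an inetd.conf-style file that are not on an allowlist. The file format, the `audit_inetd` and `sample_conf` names and the sample entries are assumptions; the message does not name a specific configuration file.

```shell
#!/bin/sh
# Added example: report inetd-style services that are enabled but not needed.
# Assumption: services live in an inetd.conf-style file, where a disabled
# entry is commented out with '#'.

# audit_inetd CONF ALLOWLIST
#   CONF      - path to an inetd.conf-style file
#   ALLOWLIST - space-separated names of the services that are really needed
# Prints one "service/proto" line per enabled entry that is not allowlisted.
audit_inetd() {
    conf=$1
    allow=" $2 "
    # Drop comments and blank lines; field 1 is the service, field 3 the protocol.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while read -r service socktype proto rest; do
        [ -n "$proto" ] || continue        # skip malformed short lines
        case "$allow" in
            *" $service "*) ;;             # needed: leave enabled
            *) echo "$service/$proto" ;;   # not needed: candidate to disable
        esac
    done
}

# Constructed sample configuration (not taken from any real host).
sample_conf() {
    cat <<'EOF'
# service  type    proto  wait    user    program               args
ftp        stream  tcp    nowait  root    /usr/libexec/ftpd     ftpd -l
telnet     stream  tcp    nowait  root    /usr/libexec/telnetd  telnetd
#shell     stream  tcp    nowait  root    /usr/libexec/rshd     rshd
finger     stream  tcp    nowait  nobody  /usr/libexec/fingerd  fingerd -s
daytime    dgram   udp    wait    root    internal
EOF
}

# Demo: only ftp is declared as needed, so everything else enabled is reported.
demo=$(mktemp)
sample_conf > "$demo"
audit_inetd "$demo" "ftp"
rm -f "$demo"
```

An empty report means every enabled entry is on the allowlist; entries already commented out are never reported.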