From owner-freebsd-questions@FreeBSD.ORG Wed Jul 30 10:05:27 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1D0FB1065674 for ; Wed, 30 Jul 2008 10:05:27 +0000 (UTC) (envelope-from sonic2000gr@gmail.com) Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.156]) by mx1.freebsd.org (Postfix) with ESMTP id A16988FC20 for ; Wed, 30 Jul 2008 10:05:26 +0000 (UTC) (envelope-from sonic2000gr@gmail.com) Received: by fg-out-1718.google.com with SMTP id l26so339505fgb.35 for ; Wed, 30 Jul 2008 03:05:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=Uf+qPhHeJUes6SgPcjsqtHc5PoqXMOQNxeelYF4Z0ZE=; b=UUUvRMI4VIWO4+0gl6PwoLC/hXzGItKgBvWA6fxAd4aLQwSDdRMLsGkpcGPVRut2Ni iZ5nVDc46Sf5Ml6w7Fx9Mv0clHXX4W2guikuJwx7aVhxRgSRJ8GWUghUHauTRbcH50Jj 3fssYos8LQOGEpZfdOo3WjF+NX7MVRWziC/uY= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; b=MC4UKRU0oqauVtVwyW1+WhlPYkYLwuz0pNKP2GVkawa2MsQSrjUz4CQEjU4dfOTR1E SMESmqfWeOWiRuvBkKjL5jh+ZFSAHtMLFiCmQbJjHCaKFETomodeUgFizluRPFhvZGcf 82pu2qeZ5FwyHJNpClGIQc0d/TsTpn+hB7XFU= Received: by 10.86.4.2 with SMTP id 2mr4684389fgd.63.1217412325510; Wed, 30 Jul 2008 03:05:25 -0700 (PDT) Received: from atlantis.dyndns.org ( [79.130.48.30]) by mx.google.com with ESMTPS id l19sm917936fgb.7.2008.07.30.03.05.23 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 30 Jul 2008 03:05:24 -0700 (PDT) Message-ID: <48903CE2.1040003@gmail.com> Date: Wed, 30 Jul 2008 13:05:22 +0300 From: Manolis Kiagias User-Agent: Thunderbird 2.0.0.14 (X11/20080703) MIME-Version: 1.0 To: DSA - JCR References: <47376.217.114.136.134.1217410706.squirrel@mail.dsa.es> In-Reply-To: <47376.217.114.136.134.1217410706.squirrel@mail.dsa.es> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit Cc: freebsd-questions@freebsd.org Subject: Re: protecting my FreeBSD system X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 Jul 2008 10:05:27 -0000 DSA - JCR wrote: > HI all again > > I would like to know if there is a method to know how well protected is my > system (FreeBSD 6.2) in order to not permit a user to enter as root. > I need it because I have intellectual propierty in that box, and I know > some people is interested on it. > > I use inetd, and I have all ports disable except Samba because it is a > repository for Windows Docs in a network. (swap is not enable). > > My root password is almost 20 chars with numbers, normal and capitals > letters, points. > > there is a user that belongs to operator with a script for (un)mounting > USB disk in which I trap almost all signals (about 15). > > thanks in advance > > Juan Coruņa > Desarrollo de Software Atlantico > > You do realize this is not an easy question to answer, right? Security is mostly about applying good practices, and is more of a (never ending) process and not a system. FreeBSD gives you all the tools you need to build a very secure system, but it is up to you. First things to consider: what you want to protect, from whom, what kind of access (if any) they have to the machine. A strong root password is good, but not of much use if someone can walk to the machine and reboot it to single user mode, or even worse get the disk and run. You already say about a user with operator rights. If it is only a mount / umount operation he needs to perform, a very specific sudo would be better IMHO. And if it is really local users you are concerned about, I would suggest encryption. And as an extra measure, mark the system console as insecure in /etc/ttys