Date: Sun, 13 Dec 1998 14:28:22 -0500 (EST)
From: Barrett Richardson <brich@aye.net>
To: Mike Thompson <miket@dnai.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD Internet Servers
Message-ID: <Pine.BSF.3.96.981213125805.29068A-100000@phoenix.aye.net>
In-Reply-To: <4.0.1.19981212224345.00e1e370@mail.dnai.com>
On Sat, 12 Dec 1998, Mike Thompson wrote:

> Can someone point me in the general direction of other similar
> resources that I can use to further ensure these servers are
> secure? The more specific to FreeBSD the better, but I'll take
> anything I can get.
>
> Thanks,
>
> Mike Thompson

Check out http://www.best.com/~jkb

I've been able to get the stackguard compiler http://church.cse.ogi.edu/DISC/projects/immunix up and going on 2.2.7 with some minor modifications. Currently running apache 1.3.3 and ssh 1.2.26 compiled with it in production and am getting ready to give qmail 1.03 the acid test. I'll send you more details if you want.

I have patched imgact_aout.c, imgact_elf.c, and imgact_gzip.c to require a flag bit that can only be set by root before an executable can be run (John Dyson's idea). This prevents users from running arbitrary executables (actually I need to modify ld.so so that LD_LIBRARY_PATH is hardcoded before the idea is complete -- Joel Ray Holveck's idea). I had to write a small util to set the flag on system binaries before a kernel with the patch is installed, else users wouldn't be able to run anything (I relaxed the requirement for root). Also need to take care not to set it on any user writeable shell scripts.

Something I am in the process of implementing for qmail is to have all the mail accounts (they won't have actual accounts on the system) run under the same non-root user and authenticate thru a different means than the password file. Then the authentication and local delivery do not have to be done as root. There won't be user accounts on this server (just staff) so I should be able to run qmail-smtpd on a non-privileged port and redirect port 25 to it via ipfilter. Then qmail-smtpd can be launched as a non-privileged user (care must be taken in doing this, as a user on the system could gain control of mail should your smtp agent die).

Logging is all important. There are good tips in a recent thread "append only devices for logging".

Something I am getting ready to try is to set up a host whose justification for existence is logging. Raise the secure level and set the sappnd flag on the log files there, and set the immutable flag on just about everything else. On the production systems raise the secure level and set the immutable flag on syslog.conf, then have the production systems log to the syslog host. There is a recent 7 year thread "again logging" that should answer most questions about logging that aren't obvious in the man pages.

I use md5 for password authentication and require the users to use 9 character passwords. They've been really understanding of that after a really ugly system breach we had last summer (it wasn't FreeBSD, our breach is one of the biggest reasons we switched).

Inventory the suid system binaries. If you are not using something, do a chmod -s.

-- Barrett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.981213125805.29068A-100000>
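
The setuid inventory suggested at the end of the message, sketched as an added example that is not part of the original e-mail or the archive. The allowlist file format (one absolute path per line) and the demo file names are assumptions made here; the script only prints the `chmod -s` commands it would suggest and changes nothing.

```shell
#!/bin/sh
# Added example: inventory setuid/setgid files and flag the ones that are
# not on an allowlist of binaries actually in use. Read-only by design.

# list_setid DIR: print every regular file under DIR that has the setuid
# or setgid bit set, sorted, without crossing onto other filesystems.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# unexpected_setid DIR ALLOWLIST: print set-id files under DIR whose full
# path is not an exact line in ALLOWLIST (assumed: one path per line).
# grep exits 1 when nothing is left to report; that is not an error here.
unexpected_setid() {
    list_setid "$1" | grep -vxF -f "$2" || [ $? -eq 1 ]
}

# suggest_cleanup DIR ALLOWLIST: print, but do not run, one "chmod -s"
# command per unexpected file so an admin can review the list first.
suggest_cleanup() {
    unexpected_setid "$1" "$2" | while IFS= read -r f; do
        printf "chmod -s '%s'\n" "$f"
    done
}

# Constructed demo tree (not real system paths): two setuid files and one
# plain file; only the first setuid file is declared as in use.
demo() {
    d=$(mktemp -d) || return 1
    for n in in-use unused plain; do : > "$d/$n"; done
    chmod 4755 "$d/in-use" "$d/unused"
    chmod 0755 "$d/plain"
    printf '%s\n' "$d/in-use" > "$d/allow.txt"
    suggest_cleanup "$d" "$d/allow.txt"
    rm -rf "$d"
}
demo
```

Saving the output of `list_setid` and comparing it against a later run also shows set-id files that appeared after the baseline was taken.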