Date: Wed, 16 Feb 2005 17:11:14 -0600
From: Kevin Kinsey <kdk@daleco.biz>
To: crzdgns1@starpower.net
Cc: freebsd-newbies@freebsd.org
Subject: Re: Newbie Question; security logs
Message-ID: <4213D312.80609@daleco.biz>
In-Reply-To: <3aeecac6.cfb2dd90.81b5e00@ms07.mrf.mail.rcn.net>
References: <3aeecac6.cfb2dd90.81b5e00@ms07.mrf.mail.rcn.net>
crzdgns1@starpower.net wrote:

> Hello,
>
> I have been checking my logs lately and find that a lot of access
> attempts have been blocked. That's good. There are a ton of access
> attempts, mostly from Asia. I am the only user on my computer, it is
> my home computer and I just wanted to try the whole open source
> phenomenon. So far, I think IP firewall is blocking all unauthorized
> attempts to login, but, well, I am a newcomer to freebsd/unix/internet
> security and want to be sure I am doing everything safely. Some of
> my log entries say "possible breakin attempt". That made me kind of
> uncomfortable too. How do I evaluate whether or not my computer is
> safe?
>
> Thanks
>
> Mark

Hello, Mark.

If you can redirect your question to questions@freebsd.org, you will get a larger and more well-educated audience, and perhaps some better responses. Really, it's not supposed to be here at all, I think.

The Handbook's "Security" chapter is required reading, I should think. IIRC, it's chapter 14.

You should not run any computer hooked directly to the internet without a firewall.

Use good passwords. Change them occasionally. Note any system accounts with no passwords in your daily "root" emails.

You should keep your operating system up to date. Quite a bit of Handbook info on this as well. Currently, "up to date" is a FreeBSD version listed at www.freebsd.org/security, with a kernel date later than the last security advisory (try "uname -a") or **known** to have been patched for any vulnerabilities.

Subscribe to "freebsd-security-notifications@freebsd.org" --- you'll get announcements from the security officer as soon as any problems in the base OS are detected. Sometimes they are nice enough to advise of problems with many of the most common software packages, but it's not an obligation for them to do so.

Check the output of "netstat -anf inet". If any servers are listening on your outside interface, they shouldn't be, unless you want them to be.

If you have daemons listening to the Internet, they are available for anyone to connect to, unless you deny access via a firewall or /etc/hosts.allow. Needless to say, you need to stay on top of any "bug notices" that come from the suppliers of these programs.

Most of the log messages you see are from automated tools searching for Linux installations with services protected by lazy passwords. Some could be more serious, but don't lose heart!

One strategy for sshd: use /etc/hosts.allow, and deny access to everyone (unless you need to be able to use this system from outside).

If you are running ipfw (you mention it, but give few details), try something like "ipfw add $n deny ip from any to me setup via $oif" in your firewall rules, where $n is a low rule number (so this gets placed before any accept rules) and $oif is your outward-facing interface.

HTH,

Kevin Kinsey
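An added example, not part of Kevin's message or of FreeBSD itself, showing one way to act on the "netstat -anf inet" advice above: a small POSIX shell script that scans netstat output and reports every socket that would accept traffic from the network (TCP sockets in LISTEN, and all UDP sockets) unless it is bound to loopback. The sample netstat text embedded in it is constructed to resemble FreeBSD's column layout; the function names and the `--live` flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the original message): list services that are
# reachable from the network, based on "netstat -anf inet" output.
# SAMPLE_NETSTAT is CONSTRUCTED to mimic FreeBSD's netstat column layout;
# the addresses are documentation ranges, not real hosts.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.22          198.51.100.7.51234     ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
udp4       0      0  127.0.0.1.123          *.*'

# exposed_listeners NETSTAT_TEXT
# Prints "proto local-address" for each socket reachable from outside:
#   - TCP sockets whose state column is LISTEN
#   - every UDP socket (UDP has no LISTEN state; a bound socket accepts datagrams)
# Sockets bound to 127.x are skipped. A wildcard bind ("*.port") is reported
# because it covers the outside interface as well.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 !~ /^127\./ { print $1, $4 }
        $1 ~ /^udp/ && $4 !~ /^127\./                  { print $1, $4 }
    '
}

# exposed_count NETSTAT_TEXT
# Number of exposed sockets; handy for a daily cron job that mails you
# when the count changes from what you expect.
exposed_count() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# With "--live" the script reads the real netstat output; otherwise it runs
# on the constructed sample so it can be tried anywhere.
if [ "${1:-}" = "--live" ]; then
    netstat_out=$(netstat -anf inet)
else
    netstat_out=$SAMPLE_NETSTAT
fi
echo "Exposed sockets ($(exposed_count "$netstat_out")):"
exposed_listeners "$netstat_out"
```

On the sample this reports the wildcard-bound TCP ports 22 and 80 and UDP 514, and correctly ignores the loopback-only SMTP and NTP sockets. Each line it prints is a service that needs either a firewall rule, a /etc/hosts.allow entry, or a reason to exist; anything you did not intend to expose is the first thing to shut off.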
