From owner-freebsd-questions@FreeBSD.ORG Sat Dec 6 04:07:04 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 02F5516B for ; Sat, 6 Dec 2014 04:07:04 +0000 (UTC) Received: from eastrmfepo102.cox.net (eastrmfepo102.cox.net [68.230.241.214]) by mx1.freebsd.org (Postfix) with ESMTP id A14AD996 for ; Sat, 6 Dec 2014 04:07:03 +0000 (UTC) Received: from eastrmimpo210 ([68.230.241.225]) by eastrmfepo102.cox.net (InterMail vM.8.01.05.15 201-2260-151-145-20131218) with ESMTP id <20141206040656.KEQR13649.eastrmfepo102.cox.net@eastrmimpo210> for ; Fri, 5 Dec 2014 23:06:56 -0500 Received: from macbook.local.popelka.us ([72.205.45.227]) by eastrmimpo210 with cox id Q46v1p00B4u5WUQ0146wki; Fri, 05 Dec 2014 23:06:56 -0500 X-CT-Class: Clean X-CT-Score: 0.00 X-CT-RefID: str=0001.0A020207.548280E0.00E7,ss=1,re=0.001,fgs=0 X-CT-Spam: 0 X-Authority-Analysis: v=2.0 cv=aZC/a2Ut c=1 sm=1 a=KPoI11KysOGbLPnGgDkkuA==:17 a=Ihlm5HH3WnQA:10 a=N659UExz7-8A:10 a=kviXuzpPAAAA:8 a=GumQ9EM2AAAA:8 a=RkdYTFmYn3J_9wtYY_oA:9 a=pILNOxqGKmIA:10 a=DXAZHqwI1i-5w_n-:21 a=rQjjq5sGgX8tbPgJ:21 a=KPoI11KysOGbLPnGgDkkuA==:117 X-CM-Score: 0.00 Authentication-Results: cox.net; auth=pass (PLAIN) smtp.auth=arickp@cox.net Message-ID: <548280DF.90200@cox.net> Date: Fri, 05 Dec 2014 23:06:55 -0500 From: Eric Popelka User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.3.0 MIME-Version: 1.0 To: andrew clarke Subject: Re: Staying safe and sound References: <54824DC6.5090605@cox.net> In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Cc: freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Dec 2014 04:07:04 -0000 On 12/5/14 10:06 PM, andrew clarke wrote: > A fresh install of FreeBSD is extremely secure. > > sshguard or similar might be useful if you're running public-facing > sshd, mostly just to cut the noise down in your logs from people (or, > rather, people running bots) trying to brute-force login. After a few > incorrect password attempts the software can block their IP address. I'm with you there. I had to set up ipfilter to block all port 22 traffic (except for a couple subnets), as I was seeing failed login attempts for 'oracle', 'admin', etc. once things were up and running. I'll look into sshguard as well. > Whether it's Windows, Linux, OS X, BSD etc, security problems in the > base OS or web server software (Apache, nginx, etc) are quite rare > these days. I believe most site defacements and breakins occur due to > bugs in PHP scripts or leaked passwords, etc. Ah yes. Professionally, I've had to spend many hours preventing Little Baby Tables (http://xkcd.com/327/) from causing havoc. > Assuming you're running the GENERIC kernel on 10.0-RELEASE (check > uname -a), freebsd-update can upgrade both kernel and userland to > 10.1, but there's no rush. 10.0 is currently still supported, so you > can get security updates for it (also with freebsd-update). > > The latter is very simple. Note that security updates to the kernel > will require a reboot to take effect. > > Upgrading from 10.0 to 10.1 may be slightly more work in the case of > config file changes between versions, but it should be pretty > self-explanatory. Great, thanks. It was hard to even find a hosting company, with servers in the Northeast U.S., that even had FreeBSD install ISOs to attach. >> (Yes, I realize OpenBSD is the choice for those serious about >> security, but like I said, this is mostly a playground server for >> personal use. That said, I don't want to become an open relay, have my >> site defaced, etc.) > > The FreeBSD team are serious about security. > > OpenBSD may have a name for itself but its leader is somewhat > obsessive and abrasive, tending to drive people away. > > Subjectively, I find FreeBSD quite a bit easier to use than > Net/OpenBSD, and I suspect that's most other people's experience too. Theo de Raadt? Yeah, it's too bad we can't all get along. Man, I think that's been going on since the mid-90s. Good times. Sorry about my choice of words re: OpenBSD, I was going to say 'super paranoid about security', but my desire to keep things calm and peaceful on a "newbie questions" mailing list prevented me from doing so. Certainly FreeBSD has been easy for me to pick up. Couldn't figure out RootOnZFS, but that's experimental anyway, and I know very little about zfs pools/mirrors/etc. UFS works fine for what I'm doing. -Eric