Date: Fri, 05 Dec 2014 23:06:55 -0500 From: Eric Popelka <arickp@cox.net> To: andrew clarke <mail@ozzmosis.com> Cc: freebsd-questions@freebsd.org Subject: Re: Staying safe and sound Message-ID: <548280DF.90200@cox.net> In-Reply-To: <Q36U1p00Z4rGeTP0136WdT> References: <54824DC6.5090605@cox.net> <Q36U1p00Z4rGeTP0136WdT>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/5/14 10:06 PM, andrew clarke wrote: > A fresh install of FreeBSD is extremely secure. > > sshguard or similar might be useful if you're running public-facing > sshd, mostly just to cut the noise down in your logs from people (or, > rather, people running bots) trying to brute-force login. After a few > incorrect password attempts the software can block their IP address. I'm with you there. I had to set up ipfilter to block all port 22 traffic (except for a couple subnets), as I was seeing failed login attempts for 'oracle', 'admin', etc. once things were up and running. I'll look into sshguard as well. > Whether it's Windows, Linux, OS X, BSD etc, security problems in the > base OS or web server software (Apache, nginx, etc) are quite rare > these days. I believe most site defacements and breakins occur due to > bugs in PHP scripts or leaked passwords, etc. Ah yes. Professionally, I've had to spend many hours preventing Little Baby Tables (http://xkcd.com/327/) from causing havoc. > Assuming you're running the GENERIC kernel on 10.0-RELEASE (check > uname -a), freebsd-update can upgrade both kernel and userland to > 10.1, but there's no rush. 10.0 is currently still supported, so you > can get security updates for it (also with freebsd-update). > > The latter is very simple. Note that security updates to the kernel > will require a reboot to take effect. > > Upgrading from 10.0 to 10.1 may be slightly more work in the case of > config file changes between versions, but it should be pretty > self-explanatory. Great, thanks. It was hard to even find a hosting company, with servers in the Northeast U.S., that even had FreeBSD install ISOs to attach. >> (Yes, I realize OpenBSD is the choice for those serious about >> security, but like I said, this is mostly a playground server for >> personal use. That said, I don't want to become an open relay, have my >> site defaced, etc.) > > The FreeBSD team are serious about security. > > OpenBSD may have a name for itself but its leader is somewhat > obsessive and abrasive, tending to drive people away. > > Subjectively, I find FreeBSD quite a bit easier to use than > Net/OpenBSD, and I suspect that's most other people's experience too. Theo de Raadt? Yeah, it's too bad we can't all get along. Man, I think that's been going on since the mid-90s. Good times. Sorry about my choice of words re: OpenBSD, I was going to say 'super paranoid about security', but my desire to keep things calm and peaceful on a "newbie questions" mailing list prevented me from doing so. Certainly FreeBSD has been easy for me to pick up. Couldn't figure out RootOnZFS, but that's experimental anyway, and I know very little about zfs pools/mirrors/etc. UFS works fine for what I'm doing. -Eric
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?548280DF.90200>