Date:      Tue, 13 Jan 1998 08:35:34 -0500 (EST)
From:      spork <spork@super-g.com>
To:        Karl Pielorz <kpielorz@tdx.co.uk>
Cc:        Johnathan Raymond Sconiers II <jrs@Mcs.Net>, freebsd-questions@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
Subject:   Re: Security for isp
Message-ID:  <Pine.BSF.3.96.980113082911.18180A-100000@super-g.inch.com>
In-Reply-To: <34BAA582.F9151DE9@tdx.co.uk>

Another thing to do is to examine exactly what you have that runs as root,
and decide whether it's needed or not.  Most inetd-spawned services run as
root (check the entry in the 5th column of inetd.conf), and any programs
with the "s" bit set run as root, like "passwd":

spork@inch.com: $ ls -al `which passwd`
-r-sr-xr-x  1 root  bin  20480 Feb 11  1997 /usr/bin/passwd
   ^

A quick way to find these guys is:

find / -perm -4000 -ls > /tmp/suid.out  

and

find / -perm -2000 -ls > /tmp/sgid.out

These commands will give you lists of which programs run with either root
or privileged group permissions.  Peruse the list in one window and read
man pages in the other.  *Carefully* disable things that aren't needed by
your users.

And as others have suggested, the two O'Reilly books on security and
firewalls will give you more insight into why you are doing all this.
There's much more to this than you might think, but knowledge is your best
weapon.

Charles Sprickman
spork@super-g.com
---- 
                           "I'm not a prophet or a stone-age man
                           Just a mortal with potential of a superman
                           I'm living on"      -DB

On Mon, 12 Jan 1998, Karl Pielorz wrote:

> Disable _EVERYTHING_ then pick the ones you need - and only enable them... If
> you're setting up a public access FreeBSD system (or ISP system etc.) - look in
> the ports collection for things like 'tcpwrappers' - which will disallow or
> log connections from hosts which don't have reverse DNS addresses, or better
> still - get a good book on the subject, something like "Building Internet
> Firewalls ISBN 1-56592-124-0, O'Reilly & Associates, Inc." is a good place to
> start - even if you're not building firewalls in particular...
> 
> At the end of the day though - remember the motto - if you don't NEED it,
> don't RUN it... And the more complex the system / program / setup - the more
> that can go wrong, not only with the software - but with the security of the
> system...
> 
> Regards,
> 
> Karl
> 
> ps. Don't take this _TOO_ far with BSD, I've heard of people deleting things
> like the /usr/bin directory - because they didn't _need_ it - it applies more
> to Servers, Ports etc. on the system - than the actual _BASE_ system - though
> it might be a good idea not putting things like C compilers on systems running
> as ISP servers (as not to give any 'visitors' too many tools ;-) - Though at
> the end of the day some things are worth the 'risk' factor...
> 
> Johnathan Raymond Sconiers II wrote:
> > 
> > Hi, sorry to bother you again with isp questions but I wanted to know if
> > there are any things such as daemons, ports/packages that I should
> > automatically disable.  THANKS
> > 
> > John
> > 
> > *********************************
> > *       M C S   N E T           *
> > * Johnathan Raymond Sconiers II *
> > *         jrs@mcs.net           *
> > *********************************
> 
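
The audit described in the message above (root entries in the 5th column of inetd.conf, plus setuid/setgid files), as an added example that is not part of the original e-mail. The function names and the sample inetd.conf are constructed for illustration; the listing uses -print instead of -ls so that saved lists can be compared line by line.

```shell
#!/bin/sh
# Added example: helper functions for the root-exposure audit discussed above.

# Print "service protocol program" for each enabled inetd.conf entry whose
# 5th column (user, or user.group / user:group) is root.
# Reads the file named in $1, or stdin when no file is given.
inetd_root_services() {
    awk '
        /^[ \t]*(#|$)/ { next }   # commented-out or blank line: service is off
        NF >= 6 && $5 ~ /^root([.:]|$)/ { print $1, $3, $6 }
    ' "${1:--}"
}

# List setuid (-4000) and setgid (-2000) regular files under a directory,
# one path per line, sorted, without crossing into other filesystems.
privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print paths that appear in the current listing ($2) but not in the saved
# baseline ($1). Both files must be sorted, as privileged_files output is.
new_since_baseline() {
    comm -13 "$1" "$2"
}

# Constructed sample inetd.conf, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample
ftp     stream  tcp  nowait  root        /usr/libexec/ftpd     ftpd -l
#telnet stream  tcp  nowait  root        /usr/libexec/telnetd  telnetd
finger  stream  tcp  nowait  nobody      /usr/libexec/fingerd  fingerd -s
shell   stream  tcp  nowait  root.wheel  /usr/libexec/rshd     rshd
EOF
}

# Demo on the constructed sample: prints the ftp and shell entries only.
sample_inetd_conf | inetd_root_services
```

On a real system, save `privileged_files /` to a root-owned file once the list has been reviewed, then pass that file and a fresh listing to `new_since_baseline` to see what has appeared since.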