--On Wednesday, February 20, 2008 17:22:02 +0000 Matthew Seaman
Zbigniew Szalbot wrote:
So far I have had FreeBSD systems only in office so I used my hardware
firewall (Dlink DFL 700) to block access to services on ports 22, etc.
Now, at the ISP I won't be able to do this so I will need to be a lot
more careful about security issues. I am planning to make a list of
steps I need to take to configure the OS to my liking and install
applications I need. However, I would really, really love to have some
advice from you re the basic steps.
The important mantra to remember when securing a machine that is exposed
to the internet is:
What does not listen on the network cannot be used to compromise you.
In practice, this means run sockstat and look for all the processes
that are listening for connections on your external network interfaces.
If you don't need it, then don't run it.
What an outstanding answer. Matthew has covered all the correct bases. I can
only add one further suggestion. Consider using /etc/hosts.allow to protect
daemons that must listen on ports to restrict access even further.
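As an added worked example (my own, not code posted by anyone in the thread), here is the audit Matthew describes and the hosts.allow suggestion above, put into a small POSIX sh script for a FreeBSD host: one function filters sockstat(1) output down to the sockets actually reachable from outside, a second writes a hosts.allow(5) policy that admits sshd from a single admin network and refuses everything else, and a third dry-runs that policy with tcpdmatch(8) before it is copied into /etc. The sockstat sample is constructed; the admin network 192.0.2.0/24 and the client addresses are documentation-range placeholders; and it is assumed sshd is linked with libwrap, which is the case for the sshd in FreeBSD's base system.

```shell
#!/bin/sh
# Added example (not from the thread): a two-step audit for a FreeBSD box
# that will sit directly on the internet.
#   1. external_listeners: read `sockstat -4 -6 -l` output and keep only the
#      sockets reachable from outside, i.e. not bound to a loopback address.
#   2. write_hosts_allow: for a daemon that must stay up (sshd here), emit a
#      hosts.allow(5) policy that admits one management network and denies
#      the rest; check_policy dry-runs it with tcpdmatch(8) before install.
# Assumptions: sshd is linked with libwrap (true for FreeBSD's base sshd),
# and 192.0.2.0/24 is the admin network (documentation prefix, constructed).

# Constructed sample of `sockstat -4 -6 -l` output, FreeBSD column layout.
SAMPLE_SOCKSTAT=$(cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     sendmail   799   3  tcp4   127.0.0.1:25          *:*
root     sendmail   799   4  tcp6   ::1:25                *:*
bind     named      654   20 udp4   192.0.2.5:53          *:*
root     syslogd    520   6  udp4   *:514                 *:*
EOF
)

# Print "COMMAND PID PROTO LOCAL" for every inet socket whose bind address
# is a wildcard (*) or a non-loopback address. Reads sockstat output on
# stdin, so on a live host:  sockstat -4 -6 -l | external_listeners
external_listeners() {
    awk 'NR > 1 && $5 ~ /^(tcp|udp)/ {
        addr = $6
        sub(/:[^:]*$/, "", addr)      # drop the trailing :port
        gsub(/[][]/, "", addr)        # tolerate [::1]:25 as well as ::1:25
        if (addr ~ /^127\./ || addr == "::1") next
        print $2, $3, $5, $6
    }'
}

# Write a hosts.allow(5) policy to $1 that lets sshd accept connections
# only from network $2 (net/mask form). The first matching line wins, so
# the sshd deny line must follow the allow line, and the catch-all deny
# must stay last.
write_hosts_allow() {
    cat > "$1" <<EOF
# Generated policy: review it before copying over /etc/hosts.allow.
ALL : localhost 127.0.0.1 : allow
sshd : $2 : allow
sshd : ALL : deny
# Any other wrapped daemon that must stay reachable needs its own allow
# line above this point; everything not listed is refused.
ALL : ALL : deny
EOF
}

# Dry-run a policy with tcpdmatch(8) before installing it, so a typo does
# not lock you out of the box. tcpdmatch -d reads hosts.allow from the
# current directory. $1 = directory holding hosts.allow, $2 = daemon,
# $3 = client address.
check_policy() {
    if ! command -v tcpdmatch >/dev/null 2>&1; then
        echo "tcpdmatch not available here; skipping dry run"
        return 0
    fi
    ( cd "$1" && tcpdmatch -d "$2" "$3" )
}

# Stand-alone run: audit the sample, then generate and dry-run the policy.
#     sh audit.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SOCKSTAT" | external_listeners
    d=$(mktemp -d)
    write_hosts_allow "$d/hosts.allow" 192.0.2.0/255.255.255.0
    check_policy "$d" sshd 192.0.2.10     # admin network: expect granted
    check_policy "$d" sshd 198.51.100.7   # anywhere else: expect denied
fi
```

On the sample input the listener report contains sshd, named and syslogd and nothing bound only to 127.0.0.1 or ::1; each of those three is a candidate to turn off in rc.conf or, if it must stay, to bind to an internal address or wrap as shown. The policy file is written to a scratch directory on purpose: run the tcpdmatch dry run against it from a second session, and only then move it into place.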