Subject:security of a new installation / steps to take
From:Paul Schmehl (pau@utdallas.edu)
Date:Feb 20, 2008 6:37:18 pm
List:org.freebsd.freebsd-questions

--On Wednesday, February 20, 2008 17:22:02 +0000 Matthew Seaman <m.se@infracaninophile.co.uk> wrote:


Zbigniew Szalbot wrote:

So far I have had FreeBSD systems only in the office, so I used my hardware firewall (Dlink DFL 700) to block access to services on ports 22, etc. Now, at the ISP, I won't be able to do this, so I will need to be a lot more careful about security issues. I am planning to make a list of steps I need to take to configure the OS to my liking and install the applications I need. However, I would really, really love to have some advice from you re the basic steps.

The important mantra to remember when securing a machine that is exposed to the internet is:

What does not listen on the network cannot be used to compromise you.

In practice, this means run sockstat and look for all the processes that are listening for connections on your external network interfaces.

If you don't need it, then don't run it.

What an outstanding answer. Matthew has covered all the correct bases. I can only add one further suggestion. Consider using /etc/hosts.allow to protect daemons that must listen on ports to restrict access even further.
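As an added example (not part of this thread, and not FreeBSD's own tooling), a small POSIX sh script that applies Matthew's sockstat check together with the "if you don't need it, don't run it" rule: it parses the output of `sockstat -4 -6 -l`, drops sockets bound only to loopback, and flags every remaining listener on a port outside a list you supply. The sockstat output below is constructed sample data; the function names and the "22 80" list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): triage "sockstat" output the way
# Matthew's advice describes. Keep only sockets bound to an external
# (non-loopback) address, then flag any whose port is not on the short
# list of services you have decided the host must actually offer.
#
# On a FreeBSD host:  sockstat -4 -6 -l | external_listeners | unexpected_listeners "22 80"
# Below, the functions run over CONSTRUCTED sample output instead.

# stdin: sockstat-style lines.  stdout: "PROTO LOCAL_ADDRESS COMMAND(PID)"
# for every listening socket that is not bound to 127.0.0.1 or ::1.
external_listeners() {
    awk '
        $1 == "USER"          { next }   # header line
        $7 != "*:*"           { next }   # established connection, not a listener
        $6 ~ /^127\.0\.0\.1:/ { next }   # IPv4 loopback only: unreachable from outside
        $6 ~ /^::1:/          { next }   # IPv6 loopback only
        { printf "%s %s %s(%s)\n", $5, $6, $2, $3 }
    '
}

# $1: space-separated ports you need (e.g. "22 80").  stdin: output of
# external_listeners.  stdout: every listener on a port not in that list,
# i.e. the candidates for "if you don't need it, don't run it".
unexpected_listeners() {
    awk -v wanted="$1" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        { port = $2; sub(/.*:/, "", port); if (!(port in ok)) print }
    '
}

# Constructed sample in the format of "sockstat -4 -6 -l" (header + rows).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
root     sshd       612   5  tcp6   *:22                  *:*
root     sendmail   580   3  tcp4   127.0.0.1:25          *:*
mysql    mysqld     702   10 tcp4   *:3306                *:*
www      httpd      750   3  tcp4   192.0.2.10:80         *:*
root     syslogd    401   6  udp4   *:514                 *:*
root     sshd       801   3  tcp4   192.0.2.10:22         203.0.113.5:51522'

# Demonstration: the host is meant to serve only SSH and HTTP, so mysqld and
# syslogd's network sockets come out as the ones to disable, bind to loopback,
# or fence with /etc/hosts.allow as Paul suggests.
printf '%s\n' "$SAMPLE" | external_listeners | unexpected_listeners "22 80"
```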