FreeBSD 5.4 with no Firewall?
m.seaman at infracaninophile.co.uk
Sun Jan 22 03:04:56 PST 2006
Benjamin D Adams wrote:
> I'm moving my server to a colocation. Its a web-server (Apache 2.0) on
> FreeBSD 5.4. Should I get a gigabyte firewall first?(I plan on getting
> one soon) How important? What can I do to help secure the OS its self?
> Any built in programs I should install first?
Sure, you can run a stand-alone FreeBSD box on the Internet without a
separate firewall, if you configure it carefully. Mind you, you still need
the same degree of care /with/ a firewall -- it just gives you another layer
behind which you can get away with a few things.
What you need to look out for when securing a machine against attack from
a) processes with network listeners: if there's nothing listening
at a particular network port, you can't be attacked through it.
Use sockstat(1) to see what programs are listening on your network
interfaces -- including the loopback interface. Do you really
need to run that program? Can you reconfigure something that listens
on all interfaces to bind to just the loopback interface?
b) When considering processes that you have to run to provide the
intended service -- are they configured to run as securely as
possible? Long-lived daemon processes, such as Apache should not
be run as the root user[*]. Always run them under an unprivileged
UID that does not have a real shell (/sbin/nologin exists for that
purpose). Make sure that UID cannot write to its home directory
(setting daemon users homes to / is fine) or to any other significant
locations -- a common mistake is to change the ownership of the
webserver's document tree to the UID the web server runs under.
Make full use of chroot(8) and jail(8) to further isolate exposed
processes from the rest of the system.
c) Do your homework, and keep alert to various channels where security
information is available. Sites like Secunia (http://secunia.com/),
the VuXML project (http://www.vuxml.org/freebsd/) and not least any
mailing lists or newsgroups or fora dedicated to software you're
running -- you should keep abreast of all such. Understand the
distinction between 'local' and 'remote' compromises or DoSes: it's
the remote ones you should spend energy worrying about unless you
are providing logins on your server to untrusted users. Keep
installed software up to date. The ports tree is actually really
good at getting security related updates committed promptly.
Similarly you should regularly update the OS itself. Track one of
the -SECURITY branches, and upgrade when advisories come out.
d) Abhor the use of any program which transmits sensitive information
across networks in plain text. Use ssh(1) exclusively for remote
login access -- preferably with key based auth rather than using
passwords. Avoid ftp(1) for copying web content onto servers: any of
scp(1), rsync(1) [over SSH] or WebDAV over HTTPS will serve you better.
If you have to display X programs on a remote desktop, always tunnel
the X traffic through ssh(1).
e) Configure a local packet filter -- one of pf(4), ipfw(8),ipf(8). Your
aim should be to be secure even without the firewall in place: it should
be insurance rather than anything more. Sometimes however it is the only
answer to protecting processes you have to run, but that expose themselves
on the net.
Although there is one class of attack you can eliminate easily using
a packet filter which is hard to do otherwise: spoofing the loopback
address. If the machine you're protecting conforms to the 'weak routing
model' (as FreeBSD does) then it will accept a packet destined for any of
its network interfaces on any other interface irrespective of network
routing. pf(4) makes preventing this really easy. This three line
pf.conf(5) will prevent a lot of potential attacks against daemons
listening on the loopback address, although you'll probably want something
a bit more comprehensive in actual use:
antispoof log quick for lo0
Keeping a server properly secured is not rocket science -- mostly it's just
common sense. But you cannot just 'secure your server' and then forget about
it: lasting security means active maintenance.
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-chat/attachments/20060122/d56c8437/signature.bin
More information about the freebsd-chat