security of a new installation / steps to take

Paul Schmehl pauls at utdallas.edu
Wed Feb 20 18:37:35 UTC 2008


--On Wednesday, February 20, 2008 17:22:02 +0000 Matthew Seaman 
<m.seaman at infracaninophile.co.uk> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Zbigniew Szalbot wrote:
>
>> So far I have had FreeBSD systems only in office so I used my hardware
>> firewall (Dlink DFL 700) to block access to services on ports 22, etc.
>> Now, at the ISP I won't be able to do this so I will need to be a lot
>> more careful about security issues. I am planning to make a list of
>> steps I need to take to configure the OS to my liking and install
>> applications I need. However, I would really, really love to have some
>> advice from you re the basic steps.
>
> The important mantra to remember when securing a machine that is exposed
> to the internet is:
>
>     What does not listen on the network cannot be used to compromise you.
>
> In practice, this means run sockstat and look for all the processes
> that are listening for connections on your external network interfaces.
>
> If you don't need it, then don't run it.
>

What an outstanding answer.  Matthew has covered all the correct bases.  I can 
only add one further suggestion.  Consider using /etc/hosts.allow to protect 
daemons that must listen on ports to restrict access even further.

-- 
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
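As an added example (not from the thread or any of its authors), a small POSIX shell helper that applies Matthew's sockstat check: it reads `sockstat -l` output and prints only the daemons bound to non-loopback addresses, i.e. the ones that can actually be reached from the network. The sample sockstat output embedded below is constructed, and the helper name is hypothetical.

```shell
#!/bin/sh
# network_listeners: filter `sockstat -l` output (FreeBSD format:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS) down to
# sockets bound to a wildcard or external address. Loopback-only
# listeners (127.x.x.x, ::1) are dropped because they cannot be hit
# from outside the box. Output: "COMMAND PROTO LOCAL-ADDRESS".
network_listeners() {
    awk 'NR == 1 { next }                 # skip the column header line
         {
             host = $6
             sub(/:[^:]*$/, "", host)     # strip the trailing :port
             if (host ~ /^127\./ || host == "::1") next
             print $2 " " $5 " " $6
         }'
}

# Constructed sample in the shape of `sockstat -l` on a FreeBSD host.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     sshd       812   5  tcp6   *:22                  *:*
root     sendmail   790   3  tcp4   127.0.0.1:25          *:*
root     syslogd    611   6  udp4   *:514                 *:*
mysql    mysqld     900   10 tcp4   127.0.0.1:3306        *:*
www      httpd      950   4  tcp4   192.0.2.10:80         *:*'

# Use the real sockstat when available, otherwise the constructed sample.
if command -v sockstat >/dev/null 2>&1; then
    sockstat -l | network_listeners
else
    printf '%s\n' "$SAMPLE_SOCKSTAT" | network_listeners
fi
```

Each line the helper prints is a daemon to either turn off, or, if it must stay, wrap with /etc/hosts.allow as Paul suggests.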