POP daemon

Kirk Bailey idiot1 at netzero.net
Mon Jun 16 16:49:25 PDT 2003

Pay CAREFUL attention to the firewall and it's rules. Insure ALL ports are closed, or 
listened to ONLY by their proper daemon. Insure you have up to date software running in 
the server, and do NOT run anything with the word windows in it, the word is known to 
bring bad luck. RTFM for your collection of daemons, and insure they have  been given 
carefully thought out instructions and defaults. DO NOT allow something/anything to 
execute instructions. DO NOT use anything but a VERY recent version of formmail- or 
better, do not run formmail. Insure the httpd daemon can only access the web directory, 
and the web directory's cgi-bin, and nothing else. Only use scripts that are carefully 
checked to avoid bugs, or were checked out by someone else who is knowledgable at the 
art of peverting a server- or do not permit cgi at all. Although ssi includes are 
trather safe, DO NOT configure the httpd server to permit running commands, only cgi 
files- and they only from the web cgi-bin. DO NOT place anything else in that directory 
except known and trustworthy scripts or compiled programs. INSURE they cannot be written 
to by the user the httpd server runs as; in fact, insure the directory ITSELF cannot be 
written to by the httpd identity. THAT IDENTITY MUST NOT BE A PRIVILIGED USER. Carefully 
learn to understand the idea of identities, groups, and permissions. Learn to love your 
logs. Learn to sue crackers, they can (with a little luck, they're usually bankrupt 
losers) be profit centers.

Am I being paranoid?

Mitch Collinsworth wrote:
> On Mon, 16 Jun 2003, Dave wrote:
>>What I mean by good is 'secure as possible' (is there really such thing as
>>being totally secure / invulnerable?)
> Yes.  It's called "not connected to the network, in a bomb-shelter,
> with an emergency generator, with plenty of fuel".
> -Mitch
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"



         Kirk D Bailey
http://www.howlermonkey.net/ +-----+ http://www.tinylist.org/
http://www.listville.net/    | BOX | http://www.sacredelectron.org/
"Thou art free"-ERIS          think    'Got a light?'-Promethieus


More information about the freebsd-security mailing list