From: David Christensen
To: questions@freebsd.org
Subject: Re: Securing FreeBSD.
Date: Fri, 4 Apr 2025 14:56:00 -0700
Message-ID: <419a92a3-6d5b-44cb-8edf-6e65373ae72d@holgerdanske.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On 4/4/25 13:01, Albert Shih wrote:
> On 04/04/2025 at 11:45:16-0700, David Christensen wrote:
>> On 4/4/25 10:13, Albert Shih wrote:
>>> Is there any way to secure a FreeBSD to prevent destroying data?
>>
>> It sounds like you want read-only storage media (?).
>
> Yeah...exactly. The purpose is to recycle some old server to create some
> «non erasable» backup in addition to our «normal» backup.

Please clarify how you will create the "«non erasable» backup" and how
you will use it.

> There are two things I will not consider in the equation:
>
> Security problem in FreeBSD.

If you wish to defend against security problems in FreeBSD, then I
suggest that you run the oldest supported release of FreeBSD --
13.4-RELEASE.

> Physical access to the server.

If you wish to defend against an intruder who has physical access to the
server, then I suggest that you select drives that have self-encryption
(in addition to write-protection).

> Beside that I want to make the server as safe as possible.
>
>> Burning your data to a CD-R/DVD-R/BD-R disc comes to mind.
>
> well....not possible. Too many To.

What is the size of the "«non erasable» backup"? What devices is it
currently stored on? Do you want to keep using those device(s)? If
not, what are your expectations for new devices?

> And the data change daily.

"non erasable" and "change daily" are contradictory goals. Please clarify.

>> Another option is a USB flash drive with a physical write-protect switch:
>>
>> https://www.kanguru.com/products/defender-elite30-usb-3-0-hardware-encrypted-flash-drive
>>
>> https://www.kanguru.com/products/kanguru-defender-elite300-fips-140-2-certified-secure-superspeed-usb-3-0-hardware-encrypted-flash-drive?variant=41077736833139
>>
>
> Same issue. Not possible.
>
> Regards.

What about the IODD external drive enclosures?

On 4/4/25 11:45, David Christensen wrote:
> Searching Amazon, I found external disk drive enclosures with various
> features; including write-protect:
>
> https://www.iodd.shop/all-products

David