securing beyond the handbook.

David Robillard david.robillard at gmail.com
Wed May 10 10:49:37 PDT 2006


> Date: Wed, 10 May 2006 09:17:30 -0400
> From: "Jim Stapleton" <stapleton.41 at gmail.com>
> Subject: securing beyond the handbook
> To: freebsd-questions at freebsd.org
> Message-ID:
> 	<80f4f2b20605100617t3adfc57brc213c8571288727f at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> I'm about to get a static IP and direct outside access for my BSD box
> (before it was hidden behind a firewall/NAT). I was comfortable with
> the level of security I've had, but with the whole "open to the
> outside world" setup I'll have, what would you suggest for securing
> it?
>
> I'll be running:
> Apache
> PHP
> MySQL
> SSH/SFTP
> OpenRPG (only occasionally, from a special nonpriv account)
>
> Any suggestions, any of these that you know are such huge security
> holes that you would absolutely demand something else be run?
>
> Any other security suggestions?

Hi Jim,

I would strongly suggest running your internet accessible applications
from inside a jail. Check some man pages for jail information:
jail(8), jls(8) and jexec(8). The nice thing about jails is that once
everything is installed and running, you can strip it of any files
which are not used by your applications (such as compilers for
example). Therefore, if someone breaks in, he is limited in his
capabilities. Plus he does not gain your real root password (assuming
you are not using the same passwords in your jail of course ;)

Configure sshd(8) to allow only a certain set of trusted users via
AllowUsers configuration. Prohibit direct root login via
"PermitRootLogin no" and consider using public keys with a strong
passphrase instead of a simple password for login. If you have a
Kerberos server, use it.

Next, check your network architecture. Give your jail the public IP or
NAT it in your firewall to a DMZ section of your network. Make sure
your internet accessible applications are not inside your LAN. Be
certain to never let internet connections have direct access to
machines inside the LAN.

Also, consider running host intrusion detection, such as Osiris,
Samhain or Tripwire. You can find them all in the FreeBSD ports.
Talking of ports, make sure you install security/portaudit to keep
track of your ports' security.

Subscribe to the FreeBSD security mailing list and take action when an
advisory is sent.

Use mod_security with your Apache server. http://www.modsecurity.org/ 
Actually, remove all unused Apache modules from your httpd.conf(5).

Run your MySQL database on another host (or another jail) which is in
a separate Database DMZ which can only be accessed by certain well
defined hosts.

Use tcp_wrappers to secure your connections. Use sudo(8) instead of root.

Finally, check out some really good books on various security related issues:

Mastering FreeBSD and OpenBSD security from O'Reilly.
Apache Security from O'Reilly.
Essential PHP Security from O'Reilly.
Host Integrity Monitoring using Osiris and Samhain from Syngress.
FreeBSD security & hardening guide: http://www.syslog.org/Content-5-4.phtml

Oh, and don't forget to backup regularly. It's also part of your security.

Have fun!

David

> Thanks,
> -Jim

--
David Robillard
UNIX systems administrator, CISSP
Montréal: +1 514 966 0122
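The sshd(8) advice in the reply above (AllowUsers, "PermitRootLogin no", keys instead of passwords) can be checked mechanically. The script below is an added example, not code from David's reply or from the FreeBSD project: a small POSIX sh audit that reads an sshd_config(5) file and reports each of those three settings that is missing or weak. The directive names are real sshd_config(5) keywords; the two sample configuration files it writes to a temporary directory are constructed for the demonstration, and the user name "jim" in the hardened one is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config(5)
# against the advice in the reply. Assumptions: POSIX sh and awk; sample
# configs below are constructed, not taken from any real host.

# Print the effective value of one directive. sshd(8) uses the first
# occurrence of a keyword, ignores comment lines, and keyword matching is
# case-insensitive; we stop at the first "Match" block for simplicity.
sshd_directive() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/   { next }              # skip comments
        tolower($1) == "match" { exit }          # conditional blocks not handled
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Print one WARN line per weak setting; return the number of findings
# (0 means the three checks from the reply all pass).
audit_sshd_config() {
    cfg=$1
    findings=0

    # 1. AllowUsers: restrict logins to a named set of trusted users.
    allow=$(sshd_directive "$cfg" AllowUsers)
    if [ -z "$allow" ]; then
        echo "WARN: no AllowUsers directive; any account with a valid shell may log in"
        findings=$((findings + 1))
    fi

    # 2. PermitRootLogin must be explicitly "no"; use sudo(8) instead.
    prl=$(sshd_directive "$cfg" PermitRootLogin)
    if [ "$prl" != no ]; then
        echo "WARN: PermitRootLogin is '${prl:-unset}'; set it to 'no'"
        findings=$((findings + 1))
    fi

    # 3. Prefer public keys with a passphrase over plain passwords.
    pw=$(sshd_directive "$cfg" PasswordAuthentication)
    if [ "$pw" != no ]; then
        echo "WARN: PasswordAuthentication is '${pw:-unset}'; use public keys and set it to 'no'"
        findings=$((findings + 1))
    fi

    return $findings
}

# Constructed sample configs: a permissive default-style file and a hardened one.
tmp=$(mktemp -d)
WEAK_CFG="$tmp/sshd_config.weak"
HARDENED_CFG="$tmp/sshd_config.hardened"

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: nothing restricted
Port 22
Protocol 2
#PermitRootLogin no
PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF

cat > "$HARDENED_CFG" <<'EOF'
# constructed sample: follows the reply's advice ("jim" is a placeholder user)
Port 22
Protocol 2
AllowUsers jim
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Subsystem sftp /usr/libexec/sftp-server
EOF

for f in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $f"
    audit_sshd_config "$f" && echo "   clean" || echo "   $? finding(s)"
done
```

Run it as-is to see the weak sample produce three findings and the hardened one none, or point `audit_sshd_config` at `/etc/ssh/sshd_config` on the box being exposed. The check deliberately treats an absent `PermitRootLogin` or `PasswordAuthentication` as a finding rather than assuming the compiled-in default, since the point of the exercise is to have the restriction stated explicitly in the file.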

