security of a new installation / steps to take

Wed Feb 20 16:32:15 UTC 2008

On Wed, 20 Feb 2008 17:02:22 +0100
"Zbigniew Szalbot" <zszalbot at gmail.com> wrote:
> 
> In a matter of weeks we will be moving our office "server" replacing
> it with a dedicated server machine functioning at an ISP's location. I
> have spoken to them and they use Fedora so they won't be able to help
> me much (besides we're not really prepared to pay them for
> administrative work). Obviously, I want to keep using FreeBSD so they
> promised to set up a basic installation so that I can remotely connect
> to the server, configure it, install userland, etc.
> 
> So far I have had FreeBSD systems only in office so I used my hardware
> firewall (Dlink DFL 700) to block access to services on ports 22, etc.
> Now, at the ISP I won't be able to do this so I will need to be a lot
> more careful about security issues. I am planning to make a list of
> steps I need to take to configure the OS to my liking and install
> applications I need. However, I would really, really love to have some
> advice from you re the basic steps.
> 
> For example, I guess I will need to make friends with pf firewall (I
> did use it but not extensively due to the hardware router in place). I
> will need to disallow direct (3306) access to mysql database (again pf
> thing?) and the like.

Build a "deny by default" firewall.  There are lots of advantages to it.
See my explanation of my personal server:
http://www.potentialtech.com/cms/node/16

Don't apply that technique blindly, the policy I use there is not
appropriate for everyone.  Rather, read through that to understand more
about how to create a deny by default ruleset and adjust the details to
meet your needs.

Another thing that's extremely powerful is integrity monitoring using
something like Tripwire or Samhain.

If you're building a firewall remotely, create a cron job that disables
the firewall every 30 minutes.  (i.e. pfctl -d).  Then, if you tweak
your firewall rules in such a way that you lock yourself out, you just
need to wait 30 minutes before you can get back in.  Once you're sure
your rules are working as you want, disable the cron job.

Always leave yourself a back door (see the whitelist rule I have in the
link above) so you don't accidentally get locked out.  If your hosting
provider can give you a serial console into the machine, that's the
best option, but it's getting less commonly available these days.

And don't be afraid to ask specific questions if you get stuck on details
while you're setting it up.

> In any case, many thanks for your hints, tips, links to get started (I
> actually plan to use an old box in office to test-install everything
> and only then do the same remotely). I have been using FreeBSD for 1,5
> year but I know how little I know so I'm ready to learn.