security of a new installation / steps to take

Paul Schmehl pauls at
Wed Feb 20 18:37:35 UTC 2008

--On Wednesday, February 20, 2008 17:22:02 +0000 Matthew Seaman 
<m.seaman at> wrote:

> Zbigniew Szalbot wrote:
>> So far I have had FreeBSD systems only in office so I used my hardware
>> firewall (Dlink DFL 700) to block access to services on ports 22, etc.
>> Now, at the ISP I won't be able to do this so I will need to be a lot
>> more careful about security issues. I am planning to make a list of
>> steps I need to take to configure the OS to my liking and install
>> applications I need. However, I would really, really love to have some
>> advice from you re the basic steps.
> The important mantra to remember when securing a machine that is exposed
> to the internet is:
>     What does not listen on the network cannot be used to compromise you.
> In practice, this means run sockstat and look for all the processes
> that are listening for connections on your external network interfaces.
> If you don't need it, then don't run it.

What an outstanding answer.  Matthew has covered all the correct bases.  I can 
only add one further suggestion.  Consider using /etc/hosts.allow to protect 
daemons that must listen on ports to restrict access even further.

Paul Schmehl (pauls at
Senior Information Security Analyst
The University of Texas at Dallas
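As an added illustration (not part of the thread and not anyone's posted code), a small POSIX shell script that applies both pieces of advice: it filters constructed `sockstat -l` output down to sockets bound to non-loopback addresses, then checks a constructed /etc/hosts.allow sample for daemons that have no rule of their own. The sockstat lines, the hosts.allow rules and the two helper functions are all assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4 -6 -l` output (not captured from a real host).
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   *:22                  *:*
root     sendmail   1100  3  tcp4   127.0.0.1:25          *:*
ntpd     ntpd       900   20 udp4   *:123                 *:*
root     syslogd    700   6  udp4   *:514                 *:*
www      httpd      2000  4  tcp6   *:80                  *:*'

# Constructed /etc/hosts.allow sample: hypothetical rules, not a recommended policy.
HOSTS_ALLOW_SAMPLE='sshd : 192.0.2.0/24 : allow
sshd : ALL : deny
ALL : ALL : allow'

# Print "COMMAND LOCAL_ADDRESS" for every listener not bound to 127.x or ::1.
# Column 6 is the local address; the header line (NR == 1) is skipped.
external_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 !~ /^127\./ && $6 !~ /^::1:/ { print $2, $6 }'
}

# Names of externally listening daemons that hosts.allow never mentions by name,
# so only a catch-all rule (if any) applies to them. Assumes the daemon honours
# the TCP wrappers library at all; one that does not needs another control.
unwrapped_daemons() {
    sockstat_out=$1
    hosts_allow=$2
    external_listeners "$sockstat_out" | awk '{ print $1 }' | sort -u |
    while read -r daemon; do
        if ! printf '%s\n' "$hosts_allow" | grep -q "^[[:space:]]*$daemon[[:space:]]*:"; then
            echo "$daemon"
        fi
    done
}

# Count of external listeners, as a plain number (avoids wc's padding).
external_listener_count() {
    external_listeners "$1" | awk 'END { print NR }'
}
```

Run it with `unwrapped_daemons "$SOCKSTAT_SAMPLE" "$HOSTS_ALLOW_SAMPLE"` to list the daemons that still need either a hosts.allow rule or to be switched off.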

More information about the freebsd-questions mailing list