Date: Wed, 10 May 2006 09:17:30 -0400
From: "Jim Stapleton" <[EMAIL PROTECTED]>
Subject: securing beyond the handbook
To: freebsd-questions@freebsd.org
Message-ID:
        <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I'm about to get a static IP and direct outside access for my BSD box
(before it was hidden behind a firewall/NAT). I was comfortable with
the level of security I've had, but with the whole "open to the
outside world" setup I'll have, what would you suggest for securing
it?

I'll be running:
Apache
PHP
MySQL
SSH/SFTP
OpenRPG (only occasionally, from a special nonpriv account)

Any suggestions, any of these that you know are such huge security
holes that you would absolutely demand something else be run?

Any other security suggestions?

Hi Jim,

I would strongly suggest running your internet accessible applications
from inside a jail. Check some man pages for jail information:
jail(8), jls(8) and jexec(8). The nice thing about jails is that once
everything is installed and running, you can strip it of any files
which are not used by your applications (such as compilers for
example). Therefore, if someone breaks in, he is limited in his
capabilities. Plus he does not gain your real root password (assuming
you are not using the same passwords in your jail of course ;)

Configure sshd(8) to allow only a certain set of trusted users via
AllowUsers configuration. Prohibit direct root login via
"PermitRootLogin no" and consider using public keys with a strong
passphrase instead of a simple password for login. If you have a
Kerberos server, use it.

Next, check your network architecture. Give your jail the public IP or
NAT it in your firewall to a DMZ section of your network. Make sure
your internet accessible applications are not inside your LAN. Be
certain to never let internet connections have direct access to
machines inside the LAN.

Also, consider running host intrusion detection, such as Osiris,
Samhain or Tripwire. You can find them all in the FreeBSD ports.
Talking of ports, make sure you install security/portaudit to keep
track of your ports' security.

Subscribe to the FreeBSD security mailing list and take action when an
advisory is sent.

Use mod_security with your Apache server. http://www.modsecurity.org/
Actually, remove all unused Apache modules from your httpd.conf(5).

Run your MySQL database on another host (or another jail) which is in
a separate Database DMZ which can only be accessed by certain well
defined hosts.

Use tcp_wrappers to secure your connections. Use sudo(8) instead of root.

Finally, check out some really good books on various security related issues:

Mastering FreeBSD and OpenBSD security from O'Reilly.
Apache Security from O'Reilly.
Essential PHP Security from O'Reilly.
Host Integrity Monitoring using Osiris and Samhain from Syngress.
FreeBSD security & hardening guide: http://www.syslog.org/Content-5-4.phtml

Oh, and don't forget to back up regularly. It's also part of your security.

Have fun!

David

Thanks,
-Jim

--
David Robillard
UNIX systems administrator, CISSP
Montréal: +1 514 966 0122
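Two of David's points lend themselves to a quick self-check: the sshd(8) settings (AllowUsers, PermitRootLogin no, keys instead of passwords) and the idea of stripping a service jail of anything the applications do not need (compilers, and by extension set-uid helpers). The script below is an added example, not code from the thread or from FreeBSD; it audits a constructed sshd_config and a constructed jail tree under $TMPDIR rather than a live system. Treating an absent PermitRootLogin or PasswordAuthentication keyword as "yes" reflects the OpenSSH defaults of that era and is an assumption of the example; newer OpenSSH releases default PermitRootLogin differently.

```shell
#!/bin/sh
# Added example, not code from the original post: audit helpers for two of
# the recommendations above. All paths are constructed sample trees and
# files under $TMPDIR, never a live /etc/ssh/sshd_config or jail root.

# --- sshd_config(5) checks ---------------------------------------------------

# sshd_setting FILE KEYWORD: print the effective value of KEYWORD.
# sshd honours the first occurrence of a keyword, matches it
# case-insensitively and ignores blank and comment lines; so do we.
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_audit FILE: print one line per finding; exit status = number of findings.
# Absent keywords are treated as "yes" (assumed era defaults for
# PermitRootLogin and PasswordAuthentication).
sshd_audit() {
    f=$1; n=0
    v=$(sshd_setting "$f" PermitRootLogin)
    if [ "${v:-yes}" != no ]; then
        echo "PermitRootLogin=${v:-yes (default)}: root may log in over the network"
        n=$((n + 1))
    fi
    if [ -z "$(sshd_setting "$f" AllowUsers)" ]; then
        echo "AllowUsers unset: every local account may attempt to log in"
        n=$((n + 1))
    fi
    v=$(sshd_setting "$f" PasswordAuthentication)
    if [ "${v:-yes}" != no ]; then
        echo "PasswordAuthentication=${v:-yes (default)}: passwords accepted, prefer keys"
        n=$((n + 1))
    fi
    return "$n"
}

# --- jail root checks --------------------------------------------------------

# Base-system build tools a service jail normally does not need (paths
# relative to the jail root; the list is an assumption for the example).
TOOLCHAIN="usr/bin/cc usr/bin/gcc usr/bin/c++ usr/bin/ld usr/bin/as usr/bin/make"

# jail_leftovers ROOT: list toolchain binaries and set-uid/set-gid files
# still present under ROOT; exit status = number of items found.
jail_leftovers() {
    root=$1; n=0
    for rel in $TOOLCHAIN; do
        [ -e "$root/$rel" ] || continue
        echo "toolchain: $root/$rel"; n=$((n + 1))
    done
    # POSIX find: regular files carrying the set-uid (4000) or set-gid (2000)
    # bit. Word-splitting on the result is fine here since sample paths have
    # no whitespace.
    for f in $(find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null); do
        echo "setuid/setgid: $f"; n=$((n + 1))
    done
    return "$n"
}

# --- constructed sample data ------------------------------------------------

write_samples() {                       # $1 = scratch directory
    printf '%s\n' '# stock-looking config' 'Port 22' '#PermitRootLogin yes' \
        'Subsystem sftp /usr/libexec/sftp-server' > "$1/weak"
    printf '%s\n' 'Port 22' 'PermitRootLogin no' 'AllowUsers jim dbadmin' \
        'PubkeyAuthentication yes' 'PasswordAuthentication no' \
        'Subsystem sftp /usr/libexec/sftp-server' > "$1/hardened"
    mkdir -p "$1/jail/usr/bin" "$1/jail/usr/local/sbin"
    : > "$1/jail/usr/bin/cc"; : > "$1/jail/usr/bin/make"   # leftover toolchain
    : > "$1/jail/usr/local/sbin/oldhelper"
    chmod 4755 "$1/jail/usr/local/sbin/oldhelper"            # leftover set-uid file
}

dir=$(mktemp -d "${TMPDIR:-/tmp}/audit.XXXXXX")
write_samples "$dir"
for c in weak hardened; do
    echo "== sshd_config sample: $c"
    if sshd_audit "$dir/$c"; then echo "no findings"; else echo "findings: $?"; fi
done
echo "== jail root: $dir/jail"
if jail_leftovers "$dir/jail"; then echo "no findings"; else echo "findings: $?"; fi
rm -rf "$dir"
```

Against the constructed samples the "weak" config yields three findings and the "hardened" one none, and the sample jail tree reports the two compiler binaries plus the set-uid helper. Run the same two functions against a real sshd_config and a jail's root directory after the jail is populated, and again after each upgrade, since a port build or a base update can quietly bring a toolchain back.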
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions