On Wed, 20 Feb 2008 17:02:22 +0100 "Zbigniew Szalbot" <[EMAIL PROTECTED]> wrote:

> In a matter of weeks we will be moving our office "server", replacing
> it with a dedicated server machine functioning at an ISP's location. I
> have spoken to them and they use Fedora, so they won't be able to help
> me much (besides, we're not really prepared to pay them for
> administrative work). Obviously, I want to keep using FreeBSD, so they
> promised to set up a basic installation so that I can remotely connect
> to the server, configure it, install userland, etc.
>
> So far I have had FreeBSD systems only in the office, so I used my hardware
> firewall (D-Link DFL 700) to block access to services on ports 22, etc.
> Now, at the ISP I won't be able to do this, so I will need to be a lot
> more careful about security issues. I am planning to make a list of
> steps I need to take to configure the OS to my liking and install the
> applications I need. However, I would really, really love to have some
> advice from you re the basic steps.
>
> For example, I guess I will need to make friends with the pf firewall (I
> did use it, but not extensively, due to the hardware router in place). I
> will need to disallow direct (3306) access to the MySQL database (again, a pf
> thing?) and the like.
Build a "deny by default" firewall. There are lots of advantages to it. See my
explanation of my personal server:

http://www.potentialtech.com/cms/node/16

Don't apply that technique blindly; the policy I use there is not appropriate
for everyone. Rather, read through it to understand more about how to create a
deny-by-default ruleset and adjust the details to meet your needs.

Another thing that's extremely powerful is integrity monitoring using something
like Tripwire or Samhain.

If you're building a firewall remotely, create a cron job that disables the
firewall every 30 minutes (i.e. pfctl -d). Then, if you tweak your firewall
rules in such a way that you lock yourself out, you just need to wait 30
minutes before you can get back in. Once you're sure your rules are working as
you want, disable the cron job.

Always leave yourself a back door (see the whitelist rule I have in the link
above) so you don't accidentally get locked out.

If your hosting provider can give you a serial console into the machine, that's
the best option, but it's getting less commonly available these days.

And don't be afraid to ask specific questions if you get stuck on details while
you're setting it up.

> In any case, many thanks for your hints, tips, and links to get started (I
> actually plan to use an old box in the office to test-install everything
> and only then do the same remotely). I have been using FreeBSD for 1.5
> years, but I know how little I know, so I'm ready to learn.

_______________________________________________
firstname.lastname@example.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
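The reply above describes three things in prose: a deny-by-default pf ruleset, a whitelist rule that always lets the admin in, and a cron job that runs pfctl -d every 30 minutes as a lock-out guard while the rules are still being edited. The script below is an added example written for this page, not the poster's own configuration or the ruleset behind the link. The interface name (em0), the admin address (203.0.113.10), the public ports (80 and 443) and the use of /etc/crontab are assumptions to be replaced with your own values.

```shell
#!/bin/sh
# Added example (not from the original mail): a deny-by-default pf ruleset with
# an admin whitelist "back door", plus the lock-out guard cron entry. The
# interface, admin address and public ports below are assumed placeholders.

# Print a deny-by-default /etc/pf.conf for one external interface.
#   $1 = admin host or network that must always be able to reach SSH
#   $2 = external interface name
pf_ruleset() {
    admin="$1"
    ext_if="$2"
    # pf macros keep their own $names; shell only expands $admin and $ext_if.
    cat <<EOF
ext_if = "$ext_if"
admin_hosts = "{ $admin }"
tcp_services = "{ 80, 443 }"

set skip on lo0
set block-policy drop
scrub in all

# Deny by default: nothing passes unless a rule below says so.
block in log all
block out all

# Back door: the admin host always reaches SSH. "quick" ends evaluation here,
# so no later rule can accidentally override it.
pass in quick on \$ext_if proto tcp from \$admin_hosts to (\$ext_if) port 22 flags S/SA keep state

# Public services.
pass in on \$ext_if proto tcp from any to (\$ext_if) port \$tcp_services flags S/SA keep state

# MySQL (3306) gets no pass rule on \$ext_if, so the default block covers it;
# local clients still reach it over lo0 because of "set skip on lo0".

# Let the box itself talk out (DNS, ports tree, ntp, ...).
pass out on \$ext_if proto { tcp, udp, icmp } from (\$ext_if) to any keep state
EOF
}

# Print the /etc/crontab line that disables pf every 30 minutes. While you are
# still editing rules remotely, a bad ruleset locks you out for at most 30
# minutes. Remove the line once the rules are known good.
lockout_guard_cron() {
    echo '*/30 * * * * root /sbin/pfctl -d'
}

# Syntax-check, install and load the ruleset; refuse anything pfctl rejects.
# Only runs when invoked explicitly with --install (as root, on the server).
install_ruleset() {
    admin="$1"
    ext_if="$2"
    pf_ruleset "$admin" "$ext_if" > /etc/pf.conf.new
    if pfctl -nf /etc/pf.conf.new; then             # -n: parse only, load nothing
        mv /etc/pf.conf.new /etc/pf.conf
        grep -q 'pfctl -d' /etc/crontab || lockout_guard_cron >> /etc/crontab
        pfctl -f /etc/pf.conf && pfctl -e           # load rules, then enable pf
    else
        echo "ruleset rejected by pfctl, nothing changed" >&2
        return 1
    fi
}

case "${1:-}" in
    --install) install_ruleset "${2:?admin host}" "${3:?external interface}" ;;
    *)         pf_ruleset 203.0.113.10 em0 ;;       # dry run: just print the rules
esac
```

Run it with no arguments to review the generated rules, and with `--install <admin-ip> <interface>` on the server to check and load them. Once the cron guard has fired, pf is disabled but the rules stay loaded, so after fixing the mistake you re-enable filtering with `pfctl -e` rather than reloading everything.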