--On Wednesday, February 20, 2008 17:22:02 +0000 Matthew Seaman <[EMAIL PROTECTED]> wrote:

Zbigniew Szalbot wrote:

So far I have had FreeBSD systems only in office so I used my hardware
firewall (Dlink DFL 700) to block access to services on ports 22, etc.
Now, at the ISP I won't be able to do this so I will need to be a lot
more careful about security issues. I am planning to make a list of
steps I need to take to configure the OS to my liking and install
applications I need. However, I would really, really love to have some
advice from you re the basic steps.

The important mantra to remember when securing a machine that is exposed
to the internet is:

    What does not listen on the network cannot be used to compromise you.

In practice, this means run sockstat and look for all the processes
that are listening for connections on your external network interfaces.

If you don't need it, then don't run it.


What an outstanding answer. Matthew has covered all the correct bases. I can only add one further suggestion. Consider using /etc/hosts.allow to protect daemons that must listen on ports to restrict access even further.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
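
The sockstat audit recommended in the thread, as an added example that is not part of the original messages: it filters `sockstat -46l` output down to sockets bound to something other than loopback. The function names and the sample listing are constructed for illustration; on a FreeBSD host the live check is `sockstat -46l | external_listeners`.

```shell
#!/bin/sh
# Added example: list listening sockets that are reachable from the network.
# Input is FreeBSD `sockstat -46l` output on stdin; output is one line per
# exposed socket: COMMAND PID PROTO ADDRESS PORT.

external_listeners() {
    awk '
        $1 == "USER" { next }        # skip the column header
        NF < 6       { next }        # skip short or malformed lines
        {
            laddr = $6               # LOCAL ADDRESS column, e.g. *:22
            # The port follows the LAST colon; IPv6 addresses contain colons.
            if (match(laddr, /:[^:]*$/) == 0) next
            addr = substr(laddr, 1, RSTART - 1)
            port = substr(laddr, RSTART + 1)
            # Loopback-only sockets cannot be reached from other hosts.
            if (addr ~ /^127\./ || addr == "::1") next
            print $2, $3, $5, addr, port
        }
    '
}

# Constructed sample listing (not captured from a real host).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       912   3  tcp6   *:22                  *:*
root     sshd       912   4  tcp4   *:22                  *:*
root     sendmail   850   4  tcp4   127.0.0.1:25          *:*
root     syslogd    700   6  udp6   *:514                 *:*
mysql    mysqld     1001  10 tcp4   127.0.0.1:3306        *:*
www      httpd      1200  3  tcp4   192.0.2.10:80         *:*
root     ntpd       640   20 udp6   ::1:123               *:*
EOF
}

# Demonstration on the sample; every line printed is a service to either
# justify, rebind to loopback, restrict, or stop.
sample_sockstat | external_listeners
```

A wildcard address (`*`) means the daemon accepts connections on every interface, so it is reported as exposed.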

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions