Re: protecting my FreeBSD system
DSA - JCR wrote: HI all again I would like to know if there is a method to know how well protected is my system (FreeBSD 6.2) in order to not permit a user to enter as root. I need it because I have intellectual propierty in that box, and I know some people is interested on it. I use inetd, and I have all ports disable except Samba because it is a repository for Windows Docs in a network. (swap is not enable). My root password is almost 20 chars with numbers, normal and capitals letters, points. there is a user that belongs to operator with a script for (un)mounting USB disk in which I trap almost all signals (about 15). thanks in advance Juan Coruña Desarrollo de Software Atlantico You do realize this is not an easy question to answer, right? Security is mostly about applying good practices, and is more of a (never ending) process and not a system. FreeBSD gives you all the tools you need to build a very secure system, but it is up to you. First things to consider: what you want to protect, from whom, what kind of access (if any) they have to the machine. A strong root password is good, but not of much use if someone can walk to the machine and reboot it to single user mode, or even worse get the disk and run. You already say about a user with operator rights. If it is only a mount / umount operation he needs to perform, a very specific sudo would be better IMHO. And if it is really local users you are concerned about, I would suggest encryption. And as an extra measure, mark the system console as insecure in /etc/ttys ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: protecting my FreeBSD system
A strong root password is good, but not of much use if someone can walk to the machine and reboot it to single user mode, or even worse get the disk and run. for this - geli is excellent :) ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: protecting my FreeBSD system
some people is interested on it. I use inetd, and I have all ports disable except Samba because it is a repository for Windows Docs in a network. make sure samba listens only on internal interface. others looks ok ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: protecting my FreeBSD system
On Wed, Jul 30, 2008 at 09:38:26AM -, DSA - JCR wrote: HI all again I would like to know if there is a method to know how well protected is my system (FreeBSD 6.2) in order to not permit a user to enter as root. I need it because I have intellectual propierty in that box, and I know some people is interested on it. Note that nothing short of disk encryption can protect the machine if the attacker has physical access to it (e.g. he can steal the machine or the harddisk). Security is a never-ending road, not a destination. - Keep the machine in a locked room/cupboard (restrict physical access). - Subscribe to the freebsd-announce mailing list to keep on top of security advisories. - Keep you system patched/up-to-date in case vulnerabilities pop up in the kernel or dæmons that you use. - Disable dæmons that you do not use. - Install a firewall that blocks by default. - Disable remote root logins. - Build a custom kernel world that do not contain things that you do no use. See src.conf(5), e.g. WITHOUT_RCMDS. I use inetd, and I have all ports disable except Samba because it is a repository for Windows Docs in a network. (swap is not enable). You can use security/nmap to check if a system has open ports. My root password is almost 20 chars with numbers, normal and capitals letters, points. That's OK, as long as it isn't on a note near the machine. :-) there is a user that belongs to operator with a script for (un)mounting USB disk in which I trap almost all signals (about 15). Better to make that user member of a new group (e.g. usb) and (assuming that you're using umass(4)) give that group read/write rights on the da devices in /etc/devfs.rules: add path 'da*' mode 0660 group usb Roland -- R.F.Smith http://www.xs4all.nl/~rsmith/ [plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated] pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725) pgpKRWsHpZwsh.pgp Description: PGP signature
