Re: securing beyond the handbook

2006-05-10 Thread David Stanford

Jim,

I'm currently reading Mastering FreeBSD and OpenBSD Security, and thus far
it is proving to be a fantastic book covering many advanced security topics
specifically related to BSD. I suggest you order a copy from
Amazon <http://www.amazon.com/gp/product/0596006268/qid=1147325988/sr=1-1/ref=sr_1_1/102-5661269-0811354?s=books&v=glance&n=283155>;
it's well worth the time...

-David

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: securing beyond the handbook

2006-05-10 Thread Jim Stapleton

Rephrase:

I have 5 static IPs
currently 1 is being used to "power" the NAT for all the machines
inside the network, the other 4 are empty.

I'm getting one of those 4 remaining, and having it point directly to
my BSD machine.


RE: securing beyond the handbook

2006-05-10 Thread fbsd
There is no difference between a dynamic and static IP
address from the point of the firewall.

If you felt secure before, then getting a static IP
address will have no effect on that.



Re: securing beyond the handbook.

2006-05-10 Thread David Robillard


Hi Jim,

I would strongly suggest running your internet accessible applications
from inside a jail. Check some man pages for jail information:
jail(8), jls(8) and jexec(8). The nice thing about jails is that once
everything is installed and running, you can strip it of any files
which are not used by your applications (such as compilers for
example). Therefore, if someone breaks in, he is limited in his
capabilities. Plus he does not gain your real root password (assuming
you are not using the same passwords in your jail of course ;)

Configure sshd(8) to allow only a certain set of trusted users via
AllowUsers configuration. Prohibit direct root login via
"PermitRootLogin no" and consider using public keys with a strong
passphrase instead of a simple password for login. If you have a
Kerberos server, use it.

Next, check your network architecture. Give your jail the public IP or
NAT it in your firewall to a DMZ section of your network. Make sure
your internet accessible applications are not inside your LAN. Be
certain to never let internet connections have direct access to
machines inside the LAN.

Also, consider running host intrusion detection, such as Osiris,
Samhain or Tripwire. You can find them all in the FreeBSD ports.
Talking of ports, make sure you install security/portaudit to keep
track of your ports' security.

Subscribe to the FreeBSD security mailing list and take action when an
advisory is sent.

Use mod_security with your Apache server. http://www.modsecurity.org/
Actually, remove all unused Apache modules from your httpd.conf(5).

Run your MySQL database on another host (or another jail) which is in
a separate Database DMZ which can only be accessed by certain well
defined hosts.

Use tcp_wrappers to secure your connections. Use sudo(8) instead of root.

Finally, check out some really good books on various security related issues:

Mastering FreeBSD and OpenBSD security from O'Reilly.
Apache Security from O'Reilly.
Essential PHP Security from O'Reilly.
Host Integrity Monitoring using Osiris and Samhain from Syngress.
FreeBSD security & hardening guide: http://www.syslog.org/Content-5-4.phtml

Oh, and don't forget to backup regularly. It's also part of your security.

Have fun!

David

--
David Robillard
UNIX systems administrator, CISSP
Montréal: +1 514 966 0122
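The sshd(8) advice above (AllowUsers, "PermitRootLogin no", keys instead of passwords) is easy to get wrong in one specific way: sshd keywords are case-insensitive and, for most of them, the first uncommented occurrence in sshd_config wins, so a hardened line appended below an earlier permissive one changes nothing. The script below is an added example, not code from the thread or from FreeBSD; it audits a config file the way sshd reads it, and checks PasswordAuthentication as well, which is an assumption drawn from the "public keys instead of a simple password" suggestion rather than something the reply names. The two sample configs it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# recommended above, modelling two sshd(8) parsing rules that trip people up:
# keywords are case-insensitive, and the FIRST uncommented occurrence wins.

# effective_value FILE KEYWORD -> prints the value sshd would use, or nothing
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == key { print $2; exit }           # first match wins, like sshd
    ' "$1"
}

# check_sshd_config FILE -> returns 0 if all checks pass, else the number of findings.
# An unset keyword is reported as <default>; the built-in default for
# PermitRootLogin differs between OpenSSH versions, so we insist on an explicit "no".
check_sshd_config() {
    f=$1; findings=0
    v=$(effective_value "$f" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${v:-<default>}', expected 'no'"
        findings=$((findings + 1))
    fi
    if [ -z "$(effective_value "$f" AllowUsers)" ]; then
        echo "FINDING: no AllowUsers line; every local account may attempt login"
        findings=$((findings + 1))
    fi
    v=$(effective_value "$f" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '${v:-<default>}'; prefer keys only (assumed policy)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_samples -> prints a directory holding two CONSTRUCTED sample configs
write_samples() {
    dir=${TMPDIR:-/tmp}/sshd-audit.$$
    mkdir -p "$dir"
    cat > "$dir/weak" <<'EOF'
# Stock-looking config: root login open, any account may log in
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# Appended later in good faith, but the earlier PermitRootLogin above wins
PermitRootLogin no
EOF
    cat > "$dir/hardened" <<'EOF'
Port 22
permitrootlogin no
AllowUsers jim david
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    echo "$dir"
}

# Stand-alone run: audit both samples and report the finding count of each.
SAMPLES=$(write_samples)
for cfg in weak hardened; do
    echo "== $cfg =="
    check_sshd_config "$SAMPLES/$cfg"
    echo "findings: $?"
done
rm -rf "$SAMPLES"
```

Run it against a live host with `check_sshd_config /etc/ssh/sshd_config`; after editing the real file, `sshd -t` validates the syntax before a restart, which is the step that turns the audit into an actual change.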


securing beyond the handbook

2006-05-10 Thread Jim Stapleton

I'm about to get a static IP and direct outside access for my BSD box
(before it was hidden behind a firewall/NAT). I was comfortable with
the level of security I've had, but with the whole "open to the
outside world" setup I'll have, what would you suggest for securing
it?

I'll be running:
Apache
PHP
MySQL
SSH/SFTP
OpenRPG (only occasionally, from a special nonpriv account)

Any suggestions? Are any of these such huge security
holes that you would absolutely demand something else be run?

Any other security suggestions?

Thanks,
-Jim