Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
BSD Operating Systems

Securing FreeBSD 4.x STABLE 30

oscarcvt writes "While browsing through daily daemon news I found a story posted on Jan 4th that made reference to an article about securing FreeBSD 4.x. The article is titled 'A basic guide to securing FreeBSD 4.x-STABLE' . Everything from mounting ro to secure levels and lots of other stuff. Happy secureading!"
This discussion has been archived. No new comments can be posted.

Securing FreeBSD 4.x STABLE

Comments Filter:
  • by watchmaker1 ( 540289 ) on Thursday January 10, 2002 @05:21PM (#2819865)
    He recommends setting each user's dir to 0700. If this machine runs apache and you have UserDir turned on to allow http://some.box/~user/ style access which maps ~user to something like /home/user/web-public, apache will not be able to serve up that user's web-public.

    Can you tell I've hit this before?

    • The tips offered in that article weren't meant to be taken as rigid inflexible law. Obviously your users need their home directories to be world readable, then make them world readable. But if they don't need it, then setting the directories to 0700 is a wise precaution.
      • by Dahan ( 130247 )
        You don't need a world-readable home directory for Apache to be able to get to ~/public_html/ though... Use mode 0711 and people/processes can traverse through the directory, but not read its contents.
    • No problem (Score:2, Informative)

      by braque ( 16684 )
      you can set the userdir to something else, e.g. /home/homepages

      Then www.server.com/~user/bla.html == /home/homepages/user/bla.html

      works like a charm here, all users have mod 700 homedirs and 755 homepagedirs.
    • That is the reason I don't put userdir in the user's home directory. I created /home/web/ for web directories. I have to create it for them, but it's a minor issue and avoids users, especially those unfamiliar with unix permissions, from having to worry about it.
  • SC_DISABLE_REBOOT (Score:2, Insightful)

    by david8210 ( 523608 )
    It's FreeBSD nasty, why does not FreeBSD provide a sysctl to simply let root turn ctl+alt+del off? According to the article's "Secure the console", user can access console, they should let root to do the simple settings, at least it can prevent user from pressing ctl+alt+del to suddenly reboot machine! the user might not on purpose.
    • 1. The odds of pressing CTRL-ALT-DEL by accident are infinitessimally small--those keys are relatively far apart on most keyboards.

      2. If someone has physical access to your machine, you're fscked anyway...
  • One guy's opinion (Score:4, Insightful)

    by duffbeer703 ( 177751 ) on Friday January 11, 2002 @02:04PM (#2824780)
    This is just my opinion. Nothing more.

    After trying to use Linux (redhat 6x/7x, mandrake 7x/8x, debian, slackware) I found that none were upgradeable as easy as FreeBSD. Try upgrading from Redhat 7.1 -> 7.2. I've had it fail on 3 different machines (at work). Nightmares doing that. Plus everything is changing on a .x release. Debian sounds the best, but it didn't even install on the computer I tried. Mandrake just died one day (no clue)...the os wouldn't boot and i just gave up. Slackware is good, but it doesn't seem to have the documentation of FreeBSD. I used to love Linux, until I used it. The biggest problems I have had are with dependencies and non-kernel related problems. I think a centrally managed OS like the BSD's are much more efficient. With kernel releases every few months for Linux, how can you expect it to be stable? I'm a business person. I value time and money. /stand/sysinstall is the greatest utility FreeBSD has. From that 1 utility I can change anything I need to. Simple as that. Redhat had utilities that don't even work right!

    (Linux has always been very stable for me as a server. It runs into serious problems only when you start trying to make it into a desktop system and extensively use the X environment. In fact, X itself works just fine with a trimmed down window manager like fvwm. It's just not very "cool" or flashy, and not at all user-friendly when you need to add new items to menus.)

    As a business user, I'd assume you're trying to use BSD (or Linux) in a server situation? If so, I'm not sure why you had so many issues with Linux. On the other hand, BSD installs all the basic stuff you need to run a very stable web, ftp, mail, news, etc. type of server - so I'm not faulting you at all for making that choice.

    For myself, I find freebsd the os of choice for my servers, but as far as a desktop is concerned it pisses me off enormously that despite running on only one architecture and having only one distro, freebsd (4.4 stable) can't even set AA fonts up properly, key bindings in vim are fucked up etc.

    BSD is just rock solid. It's easy to install, upgrade and use. It has been proven. I can't wait to use 4.5 and try it out. Linux is trying to emulate Windows, and it never will. Linux should find it's niche over time. I know BSD has and it's thriving. Doing everything for everyone is bad, and I know BSD isn't.
  • by teambpsi ( 307527 ) on Tuesday January 15, 2002 @08:53PM (#2846279) Homepage
    one of the things I really like about working with FreeBSD is the ability to very easily skinny-down the kernel.

    usually if you've installed the kern-development or full set, go to

    /usr/src/sys/i386/conf

    copy GENERIC over to a new file and run through commenting out stuff you'll never use ... you can always reactivate it later if you need/want it

    don't need nfs? comment out

    #options NFS #Network Filesystem
    #options NFS_ROOT #NFS usable as root device, NFS required

    consider making a CDROM based boot image instead of HD -- not as fast boot (well, relatively) but ultimately secure and the machine will always come up in case of HD crash/corruption

    otherwise, if you don't have SCSI, dump them all! also, chop out any additional ethernet drivers, etc.

    not only will you get a smaller kernel with "less moving parts" that boots faster, you'll have less of a finger print to hit

    ipfilter is a must as well, and definitely shutdown all extra services in /etc/inetd.conf

    and finally, regarding SSH -- set it up to accept root connections from specific hosts, and then add in tcpwrappers and/or ipfilters to help enforce that -- it helps to cut down on any future buffer-overrun attacks that may surface

The sooner all the animals are extinct, the sooner we'll find their money. - Ed Bluestone

Working...