http://www.freebsdwiki.net/index.php?title=Securing_servers&feed=atom&action=history
Securing servers - Revision history
2024-03-28T19:04:37Z
Revision history for this page on the wiki
MediaWiki 1.18.0

http://www.freebsdwiki.net/index.php?title=Securing_servers&diff=13108&oldid=prev
173.88.199.104 at 16:38, 13 August 2012
2012-08-13T16:38:24Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:38, 13 August 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 57:</td>
<td colspan="2" class="diff-lineno">Line 57:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>One school of thought says that once production systems that are exposed to the internet should not have any compilers or tools that are potentially abusable by intruders -- either remove them from the server after they've served their function (compiling programs etc), or never have them on the server itself, instead building your packages on another staging server and then copying the binaries over to the new server. The other school of thought on the matter says not to bother -- once an intruder is on your system, it's trivial for them to install the things they want/need themselves. One way to avoid this is to create firewall rules to explicitly deny connections FROM your machine (as well as TO) that are not strictly necessary. It's hard to download a rootkit from a server you can't contact. Be careful when doing this that you do not break your server's function, of course.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>One school of thought says that once production systems that are exposed to the internet should not have any compilers or tools that are potentially abusable by intruders -- either remove them from the server after they've served their function (compiling programs etc), or never have them on the server itself, instead building your packages on another staging server and then copying the binaries over to the new server. The other school of thought on the matter says not to bother -- once an intruder is on your system, it's trivial for them to install the things they want/need themselves. One way to avoid this is to create firewall rules to explicitly deny connections FROM your machine (as well as TO) that are not strictly necessary. It's hard to download a rootkit from a server you can't contact. 
Be careful when doing this that you do not break your server's function, of course.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">----</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">----</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">----</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">----</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">Of course, each of these sections can themselves spawn entire new subsections / subarticles of their own.  There's a ''reason'' entire books have been published on computer security! =)</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">Try to remember, when writing these articles, that "short and sweet" is best, when it comes to a single article.  If at all possible, try to limit the scope of any given article to a page or two of text; if you need to refer to something that is going to run a few pages all by itself, consider writing a separate article for that topic and hyperlinking it for people who need it.  For example, obviously [[firewall]]s need discussion in any internet-context security article, but instead of trying to go over setting one up in the midst of the internet security article itself, it's better to write one article about firewalls and another about the big picture, and just link them.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Common Tasks]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Common Tasks]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Configuring FreeBSD]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Configuring FreeBSD]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Securing FreeBSD]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Securing FreeBSD]]</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">[[Category:FreeBSD for Servers]]</del></div></td><td colspan="2"> </td></tr>
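Review bot: the last removed row drops [[Category:FreeBSD for Servers]] along with the contributor notes, and this revision carries no edit summary to explain it. Removing the stray ---- rules and the notes addressed to article writers is fine for a reader-facing page, but the category line is unrelated to them; keep it unless the page is meant to leave that category.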
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:13107:newid:13108 -->
</table>
173.88.199.104

http://www.freebsdwiki.net/index.php?title=Securing_servers&diff=13107&oldid=prev
173.88.199.104 at 16:34, 13 August 2012
2012-08-13T16:34:24Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 16:34, 13 August 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Eventually we'll need sections or subarticles on various different security contexts. In the meantime, this is a start. See <del class="diffchange diffchange-inline">http://www.taosecurity.com/keeping_freebsd_up-to-date.html or </del>[http://www.freebsd.org/cgi/man.cgi?query=security&apropos=0&sektion=0&manpath=FreeBSD+5.4-stable&format=html the security man page] for ways to keep your system secure.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Eventually we'll need sections or subarticles on various different security contexts. In the meantime, this is a start. See [http://www.freebsd.org/cgi/man.cgi?query=security&apropos=0&sektion=0&manpath=FreeBSD+5.4-stable&format=html the security man page] for ways to keep your system secure.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==First Impressions Are Everything==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==First Impressions Are Everything==</div></td></tr>
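Review bot: with http://www.taosecurity.com/keeping_freebsd_up-to-date.html removed, the only reference left in this sentence is the man page link pinned to manpath=FreeBSD+5.4-stable, in a revision dated 2012. Since the sentence is being edited anyway, point the link at the manual for the release the article targets, and say in the edit summary why the external link was removed.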
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:13019:newid:13107 -->
</table>
173.88.199.104

http://www.freebsdwiki.net/index.php?title=Securing_servers&diff=13019&oldid=prev
173.88.199.104: /* First Impressions Are Everything */
2012-08-08T12:30:16Z
<p><span class="autocomment">First Impressions Are Everything</span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 12:30, 8 August 2012</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 4:</td>
<td colspan="2" class="diff-lineno">Line 4:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Login banners are useful sometimes, but since you'll likely already know what system you're logging into and what you're going to be using it for, will probably be unnecessary, and any extraneous information that they give when you login will usually be worthless to you but potentially useful to an attacker. If you want to change it (or remove it,) you'll need to:</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Login banners are useful sometimes, but since you'll likely already know what system you're logging into and what you're going to be using it for, will probably be unnecessary, and any extraneous information that they give when you login will usually be worthless to you but potentially useful to an attacker. If you want to change it (or remove it,) you'll need to:</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>  1. edit /etc/motd (make it blank or put in a warning like <del class="diffchange diffchange-inline">"</del>you're being logged<del class="diffchange diffchange-inline">" </del>or <del class="diffchange diffchange-inline">"</del>authorized  </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>  1. edit /etc/motd (make it blank or put in a warning like you're<ins class="diffchange diffchange-inline"><br> </ins>being logged or authorized access ONLY or something)</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">    </del>access ONLY<del class="diffchange diffchange-inline">" </del>or something)</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  2. [[touch]] /etc/COPYRIGHT and</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  2. [[touch]] /etc/COPYRIGHT and</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  3. add ''update_motd="NO"'' to /etc/rc.conf.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>  3. add ''update_motd="NO"'' to /etc/rc.conf.</div></td></tr>
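Review bot: in step 1 the quotation marks around the sample warnings are removed, so the new text reads "put in a warning like you're being logged or authorized access ONLY or something" and the reader can no longer tell where the suggested banner wording starts and ends. Keep the quotes around each sample ("you're being logged", "authorized access ONLY"), and drop the inline br tag in favour of the plain line wrap the old text used, since the second added row is left empty.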
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:11508:newid:13019 -->
</table>
173.88.199.104

http://www.freebsdwiki.net/index.php?title=Securing_servers&diff=11508&oldid=prev
Jimbo: Reverted edits by 80.200.109.201 (Talk); changed back to last version by Jimbo
2009-10-23T02:54:33Z
<p>Reverted edits by <a href="/index.php/Special:Contributions/80.200.109.201" title="Special:Contributions/80.200.109.201">80.200.109.201</a> (<a href="/index.php?title=User_talk:80.200.109.201&action=edit&redlink=1" class="new" title="User talk:80.200.109.201 (page does not exist)">Talk</a>); changed back to last version by <a href="/index.php/User:Jimbo" title="User:Jimbo">Jimbo</a></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 02:54, 23 October 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Eventually we'll need sections or subarticles on various different security contexts. In the meantime, this is a start. See http://www.taosecurity.com/keeping_freebsd_up-to-date.html or [http://www.freebsd.org/cgi/man.cgi?query=security&apropos=0&sektion=0&manpath=FreeBSD+5.4-stable&format=html the security man page] for ways to keep your system secure.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Eventually we'll need sections or subarticles on various different security contexts. In the meantime, this is a start. See http://www.taosecurity.com/keeping_freebsd_up-to-date.html or [http://www.freebsd.org/cgi/man.cgi?query=security&apropos=0&sektion=0&manpath=FreeBSD+5.4-stable&format=html the security man page] for ways to keep your system secure.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">That</del>'<del class="diffchange diffchange-inline">s </del>what <del class="diffchange diffchange-inline">I</del>'<del class="diffchange diffchange-inline">ve gleaned from interviews thus far</del>. ,</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">==First Impressions Are Everything==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Login banners are useful sometimes, but since you</ins>'<ins class="diffchange diffchange-inline">ll likely already know </ins>what <ins class="diffchange diffchange-inline">system you</ins>'<ins class="diffchange diffchange-inline">re logging into and what you're going to be using it for, will probably be unnecessary, and any extraneous information that they give when you login will usually be worthless to you but potentially useful to an attacker</ins>. <ins class="diffchange diffchange-inline">If you want to change it (or remove it</ins>,<ins class="diffchange diffchange-inline">) you'll need to:</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> 1. edit /etc/motd (make it blank or put in a warning like "you're being logged" or "authorized </ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">    access ONLY" or something)</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> 2. [[touch]] /etc/COPYRIGHT and</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> 3. add ''update_motd="NO"'' to /etc/rc.conf.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline"> 4. reboot to verify that the changes are made and effective.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Security in a local user context==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Security in a local user context==</div></td></tr>
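Review bot: the restored opening sentence has no subject for "will probably be unnecessary", so it is unclear that the clause refers to the login banners; "they will probably be unnecessary" fixes it. Steps 2 and 3 also state what to do without saying why, and a short clause on each (what the empty /etc/COPYRIGHT and update_motd="NO" change at login and at boot) would let the reader check the result in step 4.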
</table>
Jimbo

http://www.freebsdwiki.net/index.php?title=Securing_servers&diff=11503&oldid=prev
80.200.109.201: /* First Impressions Are Everything */
2009-10-22T23:16:52Z
<p><span class="autocomment">First Impressions Are Everything</span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 23:16, 22 October 2009</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Eventually we'll need sections or subarticles on various different security contexts. In the meantime, this is a start. See http://www.taosecurity.com/keeping_freebsd_up-to-date.html or [http://www.freebsd.org/cgi/man.cgi?query=security&apropos=0&sektion=0&manpath=FreeBSD+5.4-stable&format=html the security man page] for ways to keep your system secure.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Eventually we'll need sections or subarticles on various different security contexts. In the meantime, this is a start. See http://www.taosecurity.com/keeping_freebsd_up-to-date.html or [http://www.freebsd.org/cgi/man.cgi?query=security&apropos=0&sektion=0&manpath=FreeBSD+5.4-stable&format=html the security man page] for ways to keep your system secure.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">==First Impressions Are Everything==</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">That</ins>'<ins class="diffchange diffchange-inline">s </ins>what <ins class="diffchange diffchange-inline">I</ins>'<ins class="diffchange diffchange-inline">ve gleaned from interviews thus far</ins>. ,</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Login banners are useful sometimes, but since you</del>'<del class="diffchange diffchange-inline">ll likely already know </del>what <del class="diffchange diffchange-inline">system you</del>'<del class="diffchange diffchange-inline">re logging into and what you're going to be using it for, will probably be unnecessary, and any extraneous information that they give when you login will usually be worthless to you but potentially useful to an attacker</del>. <del class="diffchange diffchange-inline">If you want to change it (or remove it</del>,<del class="diffchange diffchange-inline">) you'll need to:</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> 1. edit /etc/motd (make it blank or put in a warning like "you're being logged" or "authorized </del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">    access ONLY" or something)</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> 2. [[touch]] /etc/COPYRIGHT and</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> 3. add ''update_motd="NO"'' to /etc/rc.conf.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline"> 4. reboot to verify that the changes are made and effective.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Security in a local user context==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Security in a local user context==</div></td></tr>
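Review bot: the added row "That's what I've gleaned from interviews thus far. ," replaces the ==First Impressions Are Everything== heading, the login banner paragraph and all four steps with a fragment unrelated to the article, leaving seven empty rows on the new side. Nothing from the removed section is carried over, so this revision should be reverted rather than edited.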
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:10855:newid:11503 -->
</table>
80.200.109.201

http://www.freebsdwiki.net/index.php?title=Securing_servers&diff=10855&oldid=prev
Jimbo: Reverted edits by 217.167.7.6 (Talk); changed back to last version by Dave
2008-12-17T14:38:01Z
<p>Reverted edits by <a href="/index.php/Special:Contributions/217.167.7.6" title="Special:Contributions/217.167.7.6">217.167.7.6</a> (<a href="/index.php?title=User_talk:217.167.7.6&action=edit&redlink=1" class="new" title="User talk:217.167.7.6 (page does not exist)">Talk</a>); changed back to last version by <a href="/index.php/User:Dave" title="User:Dave">Dave</a></p>
<table class='diff diff-contentalign-left'>
<tr valign='top'>
<td colspan='1' style="background-color: white; color:black;">← Older revision</td>
<td colspan='1' style="background-color: white; color:black;">Revision as of 14:38, 17 December 2008</td>
</tr></table>
Jimbo

http://www.freebsdwiki.net/index.php?title=Securing_servers&diff=6108&oldid=prev
Dave: /* Making life difficult for intruders */
2006-04-12T20:18:17Z
<p><span class="autocomment">Making life difficult for intruders</span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 20:18, 12 April 2006</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 56:</td>
<td colspan="2" class="diff-lineno">Line 56:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Making life difficult for intruders==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Making life difficult for intruders==</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>One school of thought says that once production systems that are exposed to the internet should not have any compilers or tools that are potentially abusable by intruders -- either remove them from the server after they've served their function (compiling programs etc), or never have them on the server itself, instead building your packages on another staging server and then copying the binaries over to the new server. The other school of thought on the matter says not to bother -- once an intruder is on your system, it's trivial for them to install the things they want/need themselves.  </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>One school of thought says that once production systems that are exposed to the internet should not have any compilers or tools that are potentially abusable by intruders -- either remove them from the server after they've served their function (compiling programs etc), or never have them on the server itself, instead building your packages on another staging server and then copying the binaries over to the new server. The other school of thought on the matter says not to bother -- once an intruder is on your system, it's trivial for them to install the things they want/need themselves<ins class="diffchange diffchange-inline">. One way to avoid this is to create firewall rules to explicitly deny connections FROM your machine (as well as TO) that are not strictly necessary. It's hard to download a rootkit from a server you can't contact. Be careful when doing this that you do not break your server's function, of course</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
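Review bot: in the added sentences, "One way to avoid this" follows directly on the second school's argument, so "this" has no clear referent; name it, for example "One way to make that harder is to create firewall rules ...". The advice to deny connections FROM the machine also stops at the caution about breaking the server's function; list the outbound traffic the server still needs, such as name resolution and [[NTP]], or link to [[firewall]] for the rule syntax, so the reader has a starting point.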
<!-- diff cache key bsdwiki:diff:version:1.11a:oldid:6107:newid:6108 -->
</table>
Dave

http://www.freebsdwiki.net/index.php?title=Securing_servers&diff=6107&oldid=prev
Dave at 03:21, 12 April 2006
2006-04-12T03:21:42Z
<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 03:21, 12 April 2006</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 52:</td>
<td colspan="2" class="diff-lineno">Line 52:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Security through better logging==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==Security through better logging==</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">(keeping time </del>up to <del class="diffchange diffchange-inline">date with </del>[[<del class="diffchange diffchange-inline">ntpd</del>]] <del class="diffchange diffchange-inline">or regularly scheduled </del>[[<del class="diffchange diffchange-inline">ntpdate</del>]] <del class="diffchange diffchange-inline">- and it</del>'<del class="diffchange diffchange-inline">s worth noting that I've NEVER personally been able to get ntpd to actually update </del>the <del class="diffchange diffchange-inline">damn system time</del>, <del class="diffchange diffchange-inline">all it seems to do is maintain a drift file for me </del>- <del class="diffchange diffchange-inline">but anyway, importance of keeping system time precise down to milliseconds for coordination of system logs with logs at ISPs </del>and <del class="diffchange diffchange-inline">other servers involved in network attacks, use of </del>[[tripwire]] or <del class="diffchange diffchange-inline">built-in daily root emails to monitor for changes in important system files, and </del>also <del class="diffchange diffchange-inline">the benefits </del>of either <del class="diffchange diffchange-inline">maintaining a separate log </del>server or <del class="diffchange diffchange-inline">REGULARLY moving logs off-system </del>to <del class="diffchange diffchange-inline">a machine that doesn't trust </del>the server it's <del class="diffchange diffchange-inline">getting </del>the <del class="diffchange diffchange-inline">logs from one damn bit.  
this topic may actually </del>need <del class="diffchange diffchange-inline">to be moved to its own separate subarticle</del>.<del class="diffchange diffchange-inline">)</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Setting </ins>up <ins class="diffchange diffchange-inline">your system </ins>to <ins class="diffchange diffchange-inline">log actions, changes and logins is a good idea. Of course, it usually only occurs to an administrator after problems have started. Don't be that admin, go learn about </ins>[[<ins class="diffchange diffchange-inline">Setting up logging</ins>]] <ins class="diffchange diffchange-inline">and </ins>[[<ins class="diffchange diffchange-inline">NTP</ins>]] <ins class="diffchange diffchange-inline">(because if you can</ins>'<ins class="diffchange diffchange-inline">t trust </ins>the <ins class="diffchange diffchange-inline">timestamps your logs have</ins>, <ins class="diffchange diffchange-inline">they're useless </ins>-<ins class="diffchange diffchange-inline">- both from a security </ins>and <ins class="diffchange diffchange-inline">forensic perspective and from a legal perspective) before problems start. Consider setting up </ins>[[tripwire]] <ins class="diffchange diffchange-inline">(</ins>or <ins class="diffchange diffchange-inline">another [[IDS]] such as [[ACID]] or [[SNORT]] so you can </ins>also <ins class="diffchange diffchange-inline">keep track </ins>of <ins class="diffchange diffchange-inline">file changes.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">==Making life difficult for intruders==</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">One school of thought says that once production systems that are exposed to the internet should not have any compilers or tools that are potentially abusable by intruders -- </ins>either <ins class="diffchange diffchange-inline">remove them from the </ins>server <ins class="diffchange diffchange-inline">after they've served their function (compiling programs etc), </ins>or <ins class="diffchange diffchange-inline">never have them on the server itself, instead building your packages on another staging server and then copying the binaries over </ins>to the <ins class="diffchange diffchange-inline">new </ins>server<ins class="diffchange diffchange-inline">. The other school of thought on the matter says not to bother -- once an intruder is on your system, </ins>it's <ins class="diffchange diffchange-inline">trivial for them to install </ins>the <ins class="diffchange diffchange-inline">things they want/</ins>need <ins class="diffchange diffchange-inline">themselves</ins>.  </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
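Review bot: In the added logging paragraph, the parenthesis opened at "(or another [[IDS]] such as [[ACID]] or [[SNORT]]" is never closed, and the sentence presents ACID and Snort as alternatives to [[tripwire]] for keeping "track of file changes". Snort inspects network traffic and ACID is a console for reviewing its alerts, so neither tracks file changes. Suggest closing the parenthesis and either dropping those two names or describing them as network-level detection that complements file-integrity checking. The rewrite also drops the removed text's advice about a separate log server or regularly moving logs off-system to a machine that does not trust the sender. One sentence on that is worth keeping unless [[Setting up logging]] covers it, because logs held only on the compromised host can be altered. In the new "Making life difficult for intruders" paragraph, "says that once production systems that are exposed" has a stray "once".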
</table>Davehttp://www.freebsdwiki.net/index.php?title=Securing_servers&diff=4708&oldid=prevSether: man security2005-08-17T05:20:44Z<p>man security</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 05:20, 17 August 2005</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Eventually we'll need sections or subarticles on various different security contexts. In the meantime, this is a start. See http://www.taosecurity.com/keeping_freebsd_up-to-date.html for <del class="diffchange diffchange-inline">one way </del>to keep your system secure.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Eventually we'll need sections or subarticles on various different security contexts. In the meantime, this is a start. See http://www.taosecurity.com/keeping_freebsd_up-to-date.html <ins class="diffchange diffchange-inline">or [http://www.freebsd.org/cgi/man.cgi?query=security&apropos=0&sektion=0&manpath=FreeBSD+5.4-stable&format=html the security man page] </ins>for <ins class="diffchange diffchange-inline">ways </ins>to keep your system secure.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==First Impressions Are Everything==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>==First Impressions Are Everything==</div></td></tr>
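Review bot: The added man page link hardcodes "manpath=FreeBSD+5.4-stable" in its query string, so readers will keep landing on the 5.4 text long after that release is out of date. Suggest naming the page in the link text as security(7) so it can also be read locally with "man security" (the edit summary already says "man security"), and dropping the manpath parameter if the CGI then falls back to a current release. Also note that the sentence now reads "See X or Y for ways to keep your system secure" with one bare URL and one bracketed link; giving both the same link style would read more cleanly.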
</table>Setherhttp://www.freebsdwiki.net/index.php?title=Securing_servers&diff=3101&oldid=prevDave at 05:54, 24 July 20052005-07-24T05:54:31Z<p></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr valign='top'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 05:54, 24 July 2005</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 67:</td>
<td colspan="2" class="diff-lineno">Line 67:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Configuring FreeBSD]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Configuring FreeBSD]]</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Securing FreeBSD]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[Category:Securing FreeBSD]]</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[[Category:FreeBSD for Servers]]</ins></div></td></tr>
</table>Dave