os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
doc/en/security/secure.sgml
Wolfram Schneider 80d71116c1 The new FreeBSD Security homepage. 
Submitted by: guido
1998-06-19 09:46:53 +00:00

60 lines
2.7 KiB
Text
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN" [
<!ENTITY base CDATA "..">
<!ENTITY date "$Date: 1998-06-19 09:46:52 $">
<!ENTITY title "How to secure a FreeBSD system">
<!ENTITY % includes SYSTEM "../includes.sgml"> %includes;
]>
<!-- $Id: secure.sgml,v 1.1 1998-06-19 09:46:52 wosch Exp $ -->
<html>
&header;
There are several steps involved in securing a FreeBSD system, or in
fact any UNIX system:
<UL>
<LI>disabling potentially dangerous software<BR>
A lot of software has to be run as a special privileged user to make use
of specific resources, bij making
the executable set-uid. An example is UUCP software or PPP
software that makes use of a serial port, or sendmail which has to write
in the mail spool and bind to a network port. When you are not using
UUCP, it is of little use to have the software on your system and it may
be wise to disable it. Of course, this requires good knowlegde of what
can be thrown away and what not, as well as a good indication whether or
not you will want the functionality in the future.<BR>
Also some utilities you may find not interesting enough to have them
around and pose a possible security risk, like swapinfo. If you remove
the set-uid bit for the executable (via chmod ug-s filename) you
can always keep on using swapinfo when you're root. It is however
not a good idea stripping so many sbits you have to be root all
the time.<BR>
Not only remove programs that you don't use, also remove services you
don't want or need to provide. This can be done by editting the
<TT>/etc/inetd.conf</TT> file and uncommenting out all services you
don't use.
<LI>fixing software with security bugs<BR>
Subscribe yourself to mailinglist to get updates on security bugs in
software and to get the fixes. Apply them immediately.
<LI>checking your system on a regular basis<BR>
With programs like COPS and SATAN you can find gaping holes and
misconfigurations on your system. It is a good idea to run them
occasionaly to see if you have made any mistakes.<BR>
Also check the daily security reporting that FreeBSD send to root. Check
the logfiles once in a while. Clean up unused accounts.
<LI>being able to repair your system when security has been breached<BR>
Always have backups and a clean version of the operating system (e.g. on
CD-ROM).
<LI>installing software that watches the system<BR>
Programs like the tcp wrapper (a package with FreeBSD) and tripwire help you
monitor activity on your system. This makes it easier to detect
breakins.
<LI>educating the people working on the system<BR>
Users should know what they are doing, and e.g. use hard to guess
password. Let them understand that the security of the system is partly
in their hands.
</UL>
&footer
</body>
</html>
Reference in a new issue View git blame Copy permalink