FreeBSD Hardening Best Practises

Marian Hercek marian.hercek at ucm.sk
Wed May 2 13:45:43 CEST 2007


Nobody's taking this up? :-(

-----Original Message-----
From: users-l-bounces at freebsd.cz [mailto:users-l-bounces at freebsd.cz] On
Behalf Of Marian Hercek
Sent: Monday, April 30, 2007 8:22 AM
To: users-l at freebsd.cz
Subject: FreeBSD Hardening Best Practises

FreeBSD Hardening Best Practises

Several recommended procedures for securing a base FreeBSD installation,
as well as procedures for securing third-party applications, can be found
on the Internet.

The goal of this topic is to consolidate these procedures into a single
"handbook" and add our own experience.

We will consider four model FreeBSD installations:
(I1) web server: Apache, PHP, MySQL, phpMyAdmin, FTP;
(I2) mail server: MTA (Postfix, ...), webmail (PHP/Perl-based);
(I3) shell server: SSH, SCP/FTP, Apache, MySQL;
(I4) proxy server/firewall: firewall (PF, ...), Squid, DansGuardian.

For each installation we will assume at least 100 concurrent connections
at busy times.

The procedures for securing the individual FreeBSD installations should
include:
(P1) securing FreeBSD itself;
  (P1a) tuning and securing the FreeBSD kernel for the specific installation;
  (P1b) securing the system (file system, logging, ...);
  (P1c) network and firewall configuration (pf, ...);
(P2) securing third-party applications (Apache, PHP, ...).

At the beginning it would be appropriate to give a few general tips such as:
the system should contain only what is necessary; apply the principle of
least privilege wherever possible; back up, back up, back up, or log, log,
log.

To start hardening the system we can try the lockdown utility
(ports/security/lockdown), whose individual options we can go through (e.g.
the inability to rotate logs). What lockdown can actually do can be found
here: http://www.bsdguides.org/guides/freebsd/security/harden.php

Your comments are welcome.

Marian Hercek



________ Information from NOD32 ________
This message was checked by NOD32 Antivirus System for Linux Mail Servers.
http://www.eset.com
-- 
FreeBSD mailing list (users-l at freebsd.cz)
http://www.freebsd.cz/listserv/listinfo/users-l

