This document describes the basic security measures that should be applied to a FreeBSD 4.x workstation. Almost all of these measures should be applied in a server environment too, along with some extra measures (CGI/PHP security for web servers, SQL security for databases, etc.).
The basics
FreeBSD is a pretty secure OS, but security-aware people shouldn't rely on default OS security: even if the installed release is secure at the moment, our security measures should protect us not only from current vulnerabilities but from ALL of them, even the undiscovered/undisclosed ones.
The first thing to do after installing FreeBSD is to disable the services we don't need. Let's say that you need FTP for file transfer and an SSH daemon (sshd) that you will only use on your local network. To disable all other services, edit /etc/rc.conf like this.
Now edit /etc/inetd.conf and uncomment ftp. The rest of the services should be left commented out unless you need something else too (but remember that more services mean more risk).
OK, now check the /usr/local/etc/rc.d/ directory. That's where httpd, rpcd, and other daemons are initialized. Just chmod -x the scripts you don't need (or move/delete them if you feel more comfortable with that).
Now reboot your system and type this.
If you see any other open service that you don't need, you probably missed something in /usr/local/etc/rc.d/.
User management
If you are the only one using the workstation, you should have at least 2 users besides root. The first one should be used for ftp access, because ftp transfers are not encrypted and can be sniffed. This user should have the lowest security level and SHOULD NOT BE PART OF THE WHEEL GROUP. This is very important; it is the reason for having 2 users. The difference between regular users and users added to the wheel group is that those in the wheel group are able to "su root", while regular users can't become root even if they have the root password.
The second user should be part of the wheel group and should be used ONLY for ssh. This user's password shouldn't be exposed to unencrypted protocols (like ftp, telnet, pop, etc.). To make sure that you never accidentally log in to ftp with it, add this user to /etc/ftpusers. If you need multiple users, you should use this scheme for all of them (depending on their needs). I guess it's useless to say that you should use different passwords for these users :).
Firewalling
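As an added example (not part of the original article), the sh function below audits the scheme from the User management section: it lists every member of the wheel group that is not denied in /etc/ftpusers. The function name and the sample data are constructed for illustration; it reads only the member list on the wheel line of the group file and assumes ftpd's "@group" entry syntax in ftpusers.

```shell
#!/bin/sh
# Added example (not from the article): report wheel members that are
# not blocked from FTP logins. File paths default to the FreeBSD ones.

wheel_ftp_exposed() {
    group_file=${1:-/etc/group}
    ftpusers_file=${2:-/etc/ftpusers}

    # Members are the comma-separated 4th field of the wheel line.
    members=$(awk -F: '$1 == "wheel" { gsub(/,/, " ", $4); print $4 }' "$group_file")

    # Drop comments and blank lines from ftpusers; a missing file denies nobody.
    denied=$(sed -e 's/#.*//' "$ftpusers_file" 2>/dev/null | awk 'NF { print $1 }')

    # Assumption: ftpd treats "@group" as "deny every member of group".
    if printf '%s\n' "$denied" | grep -qxF '@wheel'; then
        return 0
    fi

    # Print each wheel member that has no matching deny entry.
    for user in $members; do
        printf '%s\n' "$denied" | grep -qxF -- "$user" || printf '%s\n' "$user"
    done
}

# Constructed sample data: "admin" is in wheel but missing from ftpusers.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'wheel:*:0:root,admin\nstaff:*:20:ftpguy\n' > "$dir/group"
    printf '# denied FTP logins\nroot\ntoor\n' > "$dir/ftpusers"
    wheel_ftp_exposed "$dir/group" "$dir/ftpusers"   # prints: admin
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Empty output means every wheel member is denied FTP logins; any name printed is a wheel account whose password could still be typed into an unencrypted ftp session.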