From: Eric Timme (timothy_at_voidnet.com)
Date: Mon Dec 09 2002 - 13:17:15 CST


    Hi everyone, I was wondering if someone could point me in the direction of
    some discussions of general security in a LAN environment with a FreeBSD
    machine doing NAT/firewalling? I haven't had a ton of luck browsing the
    archives and finding any discussions. I've read over the general primer, but
    would like to read about some actual deployment of security when your
    headless gateway sits in a dark closet, accumulating dust.

    Currently I have a pretty restrictive set of firewall rules in place, allowing
    only http and ssh traffic from the outside, and I require DES public/private
    keys for ssh access. There is a single user account on the gateway, and root
    logins are disallowed from all but console. The gateway is doing a single
    NFS export of my public_html directory for easy access from an internal
    FreeBSD gateway.

    As for current security, it is a little lacking, but I am planning to wipe and
    reinstall now that winter break affords me some freedom from schoolwork. I
    have the following settings in my partitioning scheme (ad0 is 1.5 gig, and
    with this partitioning scheme I just barely fit, and use ad1 for additional
    space), and use secure level 2 for daily operations.

    /dev/ad0s1a / rw,nosuid
    /dev/ad0s1e /tmp rw,noexec,nosuid
    /dev/ad0s1g /usr ro
    /dev/ad1s1e /usr/obj ro
    /dev/ad0s1d /usr/home rw,noexec,nosuid
    /dev/ad1s2e /usr/home/timothy/public_html rw,nosuid
    /dev/ad0s1h /usr/local ro,nosuid
    /dev/ad0s1f /var rw,noexec,nosuid

    I've been using snort with a remote acid installation with all right success,
    but it has never quite worked right, and I am considering junking it, simply
    because I don't see a lot of other people using it, and it has only been of
    marginal success, spending more time picking up proxy scans from IRC and
    false positives than anything else.

    I'm planning to deploy aide with a write protected diskette, but would like
    some advice as to other products to look into; I don't access the machine
    regularly, aside from the NFS mount of my public_html directory, so would
    like to find something that could email me status updates daily, or bi-daily,
    à la the daily messages, which I currently forward to myself, to help reassure
    me nobody is poking around in it.

    Thanks for any pointers you can give me.

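An added worked example, not part of the original post and not code from any FreeBSD tool: a POSIX sh script for the kind of daily status mail the poster asks for. It checks the mount-option policy listed in the message (noexec, nosuid, ro per filesystem), that kern.securelevel is 2, and that nothing beyond ssh and http is listening on a non-loopback address, then prints a report that a cron job can pipe to mail(1). The sample `mount -p` and `sockstat -4l` outputs embedded below are constructed for the example, and the `--live` collection commands (`mount -p`, `sysctl -n kern.securelevel`, `sockstat -4l`) are an assumption about the FreeBSD release in use.

```shell
#!/bin/sh
# Added example (not from the original post): daily "status report" checks for a
# headless FreeBSD gateway. Output is meant to be piped to mail(1) from cron.

# Mount policy copied from the post: device, mountpoint, expected option set.
POLICY='
/dev/ad0s1a / rw,nosuid
/dev/ad0s1e /tmp rw,noexec,nosuid
/dev/ad0s1g /usr ro
/dev/ad1s1e /usr/obj ro
/dev/ad0s1d /usr/home rw,noexec,nosuid
/dev/ad1s2e /usr/home/timothy/public_html rw,nosuid
/dev/ad0s1h /usr/local ro,nosuid
/dev/ad0s1f /var rw,noexec,nosuid
'

# Ports that are allowed to listen on a non-loopback address: ssh and http only.
ALLOWED_PORTS="22 80"

# Constructed sample in `mount -p` (fstab) format that matches POLICY exactly.
SAMPLE_MOUNTS_OK='/dev/ad0s1a / ufs rw,nosuid 1 1
/dev/ad0s1e /tmp ufs rw,noexec,nosuid 2 2
/dev/ad0s1g /usr ufs ro 2 2
/dev/ad1s1e /usr/obj ufs ro 2 2
/dev/ad0s1d /usr/home ufs rw,noexec,nosuid 2 2
/dev/ad1s2e /usr/home/timothy/public_html ufs rw,nosuid 2 2
/dev/ad0s1h /usr/local ufs ro,nosuid 2 2
/dev/ad0s1f /var ufs rw,noexec,nosuid 2 2'

# Constructed sample where /tmp has lost noexec and /var is not mounted at all.
SAMPLE_MOUNTS_BAD='/dev/ad0s1a / ufs rw,nosuid 1 1
/dev/ad0s1e /tmp ufs rw,nosuid 2 2
/dev/ad0s1g /usr ufs ro 2 2
/dev/ad1s1e /usr/obj ufs ro 2 2
/dev/ad0s1d /usr/home ufs rw,noexec,nosuid 2 2
/dev/ad1s2e /usr/home/timothy/public_html ufs rw,nosuid 2 2
/dev/ad0s1h /usr/local ufs ro,nosuid 2 2'

# Constructed sample in `sockstat -4l` format: syslogd on *:514 should be flagged,
# sendmail bound to loopback should not.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       101   4  tcp4   *:22                  *:*
www      httpd      202   16 tcp4   *:80                  *:*
root     syslogd    88    5  udp4   *:514                 *:*
root     sendmail   120   4  tcp4   127.0.0.1:25          *:*'

# Normalise "rw,nosuid" / "nosuid,rw" to one sorted, space-separated form.
norm_opts() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -v '^$' | sort | tr '\n' ' ' | sed 's/ $//'
}

# check_mounts MOUNT_OUTPUT: one line per deviation from POLICY, nothing if all match.
check_mounts() {
    mounts=$1
    printf '%s\n' "$POLICY" | while read -r dev mp want; do
        [ -z "$dev" ] && continue
        line=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print; exit }')
        if [ -z "$line" ]; then
            echo "MISSING   $mp is not mounted"
            continue
        fi
        have=$(printf '%s\n' "$line" | awk '{ print $4 }')
        if [ "$(norm_opts "$have")" != "$(norm_opts "$want")" ]; then
            echo "MISMATCH  $mp mounted with '$have', policy says '$want'"
        fi
    done
}

# check_securelevel LEVEL: the post runs at securelevel 2, so anything else is a finding.
check_securelevel() {
    case "$1" in
        2) ;;
        *) echo "SECLEVEL  kern.securelevel is '$1', expected 2" ;;
    esac
}

# check_listeners SOCKSTAT_OUTPUT: flag tcp/udp listeners outside ALLOWED_PORTS,
# ignoring sockets bound to the loopback address.
check_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $5 ~ /^(tcp|udp)/ { print $2, $6 }' |
    while read -r cmd addr; do
        case "$addr" in 127.*) continue ;; esac
        port=${addr##*:}
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "LISTENER  $cmd on $addr, not in allowed set ($ALLOWED_PORTS)" ;;
        esac
    done
}

# report MOUNT_OUTPUT SECURELEVEL SOCKSTAT_OUTPUT: the text that gets mailed.
report() {
    findings=$(check_mounts "$1"; check_securelevel "$2"; check_listeners "$3")
    echo "Gateway status report, $(date)"
    if [ -z "$findings" ]; then
        echo "ALL CLEAR: mounts, securelevel and listeners match policy"
    else
        printf '%s\n' "$findings"
    fi
}

# Live mode (assumed FreeBSD commands), e.g. from /etc/crontab:
#   0 6 * * * root /usr/local/sbin/gateway-report.sh --live | mail -s "gateway status" you@example.org
case "${1-}" in
    --live) report "$(mount -p)" "$(sysctl -n kern.securelevel)" "$(sockstat -4l)" ;;
esac
```

The mount check compares option sets rather than strings, so a remount that reorders options is not a false alarm, while a dropped noexec or nosuid is. An aide run can be appended to the same mail by adding its check output to `findings`, with the database read from the write-protected diskette the post mentions.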