Quote:
Originally Posted by cajunman4life
I'd like to start a lively discussion on the methods and procedures everyone uses to "harden" their FreeBSD systems.
Desktop or server? In either case, how it's being used would determine how many hardening cycles I'd go through.
Pretty straightforward for my desktop:
- make sure no daemons are listening for tcp/udp connections (except maybe dhclient);
- search for and disable useless (to me) suid/sgid programs;
- enable the blackhole(4) sysctl MIBs;
- turn off core dumps (more because I don't want to have to look for and delete them);
- occasionally run the security/rkhunter app to perform some sanity checking;
- believe it or not, scan downloaded files with clamav;
- review system logs and emails;
- keep base system and ports updated with security fixes asap.
I actually need to run an annoying proprietary Java app that listens on all local interfaces to establish a secure connection with a system at work, so keeping in line with point #1 I run a packet filtering firewall to prevent outside connections to it. (Otherwise I probably wouldn't bother with the firewall.)
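The first four checklist items from the post above (listeners, suid/sgid files, blackhole(4), core dumps) as read-only audit helpers for a FreeBSD host; this is an added example, not part of the original post. The function names, the wanted sysctl values and the sample `sockstat` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): read-only audit helpers for the checklist above.

# Constructed sample of `sockstat -46l` output, used for the offline demo.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     java       912   14 tcp4   *:8443                *:*
root     sendmail   701   3  tcp4   127.0.0.1:25          *:*
root     dhclient   455   5  udp4   *:68                  *:*'

# stdin: `sockstat -46l` output. Prints COMMAND PROTO LOCAL for every
# listener bound to something other than loopback.
nonlocal_listeners() {
    awk '$1 != "USER" && $6 !~ /^(127\.|::1:|\[::1\])/ { print $2, $5, $6 }'
}

# Prints setuid/setgid regular files under the given directories without
# crossing filesystem boundaries; unreadable paths are skipped.
setid_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# stdin: `sysctl name ...` output ("name: value"). Prints settings that differ
# from the wanted values. The wanted values are this example's assumption:
# blackhole on for TCP (2) and UDP (1), core dumps off (0).
sysctl_drift() {
    awk -F': ' '
        BEGIN { want["net.inet.tcp.blackhole"] = 2
                want["net.inet.udp.blackhole"] = 1
                want["kern.coredump"] = 0 }
        ($1 in want) && $2 != want[$1] { print $1 "=" $2 " (want " want[$1] ")" }'
}

audit_host() {
    echo "== listeners bound to non-loopback addresses =="
    sockstat -46l | nonlocal_listeners
    echo "== setuid/setgid files on / =="
    setid_files /
    echo "== sysctl drift =="
    sysctl net.inet.tcp.blackhole net.inet.udp.blackhole kern.coredump | sysctl_drift
}

case "$(uname -s)" in
    FreeBSD) audit_host ;;
    *) printf '%s\n' "$SAMPLE_SOCKSTAT" | nonlocal_listeners ;;  # offline demo
esac
```

A listener flagged by `nonlocal_listeners` may still be covered by a packet filter, as with the Java app in the post, so read that section alongside the firewall ruleset.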