So the real answer is that your log file will be growing indefinitely (until you take the steps to temporarily get to a lower securelevel and manually rotate it). If you haven't already, check out the manpages for security(7) and chflags(1). There is a good book I reviewed here that discusses this topic in great detail.
__________________
Kill your t.v.

Yes, using sappend will prevent your logs from being rotated. As for a work-around... I don't know. One must mull the good vs the bad... Having your logs grow to an incredible size (for a medium to heavy load server) but being better poised to "stumble upon" someone evil, or having nice small compressed logs (but potentially not catching the evil person).
As far as secure levels, it's only something I'm beginning to look into. I hope someone else comes along and sheds some more light on this subject...
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

Heh, same here... dokuwiki is extremely simple. Extremely nice way to stay organized.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

I just thought of something... do any of you do anything to prohibit things like forkbombs and other simple DoS attacks?
Do not try this command unless you fully know what it does:
Code:
:(){ :|:& };:
Point being, this sort of attack is easily thwarted by setting values in /etc/login.conf for each user class (as appropriate). All users on my box are in the default class (except admins, which have a class called sysadmin and belong to group sysadmin), so I set max processes for the default class to 20 (can be adjusted based on how many users, if any, notice the change), and set max memory usage. The default on FreeBSD was unlimited... bad idea for most users. Also, something else... something so simple that I never really would have thought of until I stumbled across this today: http://www.arbornet.org/~cdalten/grep.html
Code:
cat < /dev/zero > /dev/null &
So, how many of you are rushing off to check your /etc/login.conf now?
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

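To show what "check your /etc/login.conf" means in practice, here is an added Python audit (my example, not the poster's script) that parses a constructed login.conf fragment, follows tc= inheritance the way the cap database does, and reports every class whose maxproc or memoryuse is missing or still unlimited. The class names and values are made up for the example.

```python
# Constructed login.conf(5) fragment (not the poster's file): 'default' keeps the
# unlimited values the post warns about, 'users' caps them, 'sysadmin' re-opens maxproc.
SAMPLE_LOGIN_CONF = r"""
# comment lines are ignored; records continue on lines ending in a backslash
default:\
    :maxproc=unlimited:\
    :memoryuse=unlimited:
users:\
    :maxproc=20:\
    :memoryuse=256M:\
    :tc=default:
sysadmin:\
    :maxproc=unlimited:\
    :tc=users:
"""
LIMITS = ("maxproc", "memoryuse")   # the two knobs the post sets
def parse_login_conf(text):
    """Return {class: {capability: value}}; valueless capabilities map to True."""
    classes, record = {}, ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):          # continuation line, keep collecting
            record += stripped[:-1]
            continue
        record += stripped
        if record:                           # end of one class record
            name, _, caps = record.partition(":")
            entry = {}
            for field in filter(None, caps.split(":")):
                key, _, value = field.partition("=")
                entry[key] = value or True
            classes[name] = entry
        record = ""
    return classes
def effective(classes, name, seen=frozenset()):
    """Resolve tc= inheritance: a class's own entries override its parent's."""
    if name not in classes or name in seen:   # unknown parent or tc= loop
        return {}
    own = dict(classes[name])
    parent = own.pop("tc", None)
    merged = effective(classes, parent, seen | {name}) if parent else {}
    merged.update(own)
    return merged
def audit(classes):
    """Per class, list limits that are missing or still unlimited."""
    bad = ("unlimited", "infinity", True)
    return {n: [c for c in LIMITS if effective(classes, n).get(c, "unlimited") in bad] for n in classes}
```

On FreeBSD the file is only consulted through its database, so after editing /etc/login.conf run `cap_mkdb /etc/login.conf`; the new limits apply to subsequent logins.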
It is a good practice to keep a record of the running processes and the network connections (with the ps, sockstat and netstat commands) when your system runs under normal conditions.
When something unusual is happening, you can compare your findings with those to get an idea.

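As an added example of the baseline comparison just described (my code, not the poster's), the script below parses two constructed `sockstat -4 -l` snapshots and reports listeners that appeared or vanished since the baseline; PID and FD are ignored so that ordinary daemon restarts do not show up as changes.

```python
# Constructed `sockstat -4 -l` snapshots (not captured from anyone's machine):
# a baseline taken under normal conditions and a later one with one extra listener.
BASELINE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     syslogd    654   7  udp4   *:514                 *:*
"""
LATER = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       9012  4  tcp4   *:22                  *:*
root     syslogd    654   7  udp4   *:514                 *:*
www      python     4411  3  tcp4   *:8081                *:*
"""

def parse_sockstat(text):
    """Return a set of (user, command, proto, local address) tuples.
    PID and FD are dropped on purpose: they change after every restart
    and would turn every comparison into noise."""
    listeners = set()
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 7:
            continue
        user, command, _pid, _fd, proto, local, _foreign = parts[:7]
        listeners.add((user, command, proto, local))
    return listeners

def compare_listeners(baseline_text, current_text):
    """Report listeners that appeared or disappeared since the baseline."""
    base, cur = parse_sockstat(baseline_text), parse_sockstat(current_text)
    return {"new": sorted(cur - base), "gone": sorted(base - cur)}

if __name__ == "__main__":
    for kind, items in compare_listeners(BASELINE, LATER).items():
        for user, command, proto, local in items:
            print(f"{kind}: {user} {command} {proto} {local}")
```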
Actually, a friend of mine tried to prove FreeBSD's inability to stand against fork-bombs. I allowed him to run the fork-bomb written by cajunman4life as root... result - he was disappointed. Even run as root, I cleaned up the offending processes later without the machine being slowed down much.
So, the nice variables available in login.conf are very good to start tightening malicious user activities.
Last edited by coppermine; 17th May 2008 at 06:55 PM.

I enable it by adding this line to /etc/pam.d/sshd (it's the 3rd line, the others are already there)
And in /etc/adduser.conf I set
Last edited by hopla; 19th June 2008 at 09:49 AM.

Great, my first post here in the new forum and I already got a 'Thanks'. Glad I could help!

I have enabled the same functionality in the base system, without adding extra configs to sshd.
I've also installed and configured Tripwire. Just another layer in the security onion.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

How have you done that then? By using login.conf settings perhaps? Because I tried those, but never got them to work... The pam_passwdqc also seems more powerful (not just checking if your password is long enough, but also that it contains X number of different character sets etc.)

Code:
password requisite pam_passwdqc.so min=disabled,8,8,8,8 retry=3 enforce=everyone
password required pam_unix.so no_warn try_first_pass nullok
PS - I was never able to get the settings in login.conf for password strength to work either. I read somewhere that they are silently ignored in favor of pam's configuration, and only exist for backwards compatibility.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

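To make the "X number of different character sets" point from the earlier post concrete, here is an added Python model (my code, not pam_passwdqc's) of how the posted `min=disabled,8,8,8,8` line judges a password, following the rules documented in pam_passwdqc(8): four character classes, an upper-case first character and a digit last character not counted, and a length threshold chosen by class count. It assumes the documented semantics and leaves out the passphrase word count (the N2 slot) and the distinct-character check.

```python
import string

def parse_min(spec):
    """Parse a pam_passwdqc 'min=' value such as 'disabled,8,8,8,8' into
    five entries: an int, or None where the keyword 'disabled' is used."""
    parts = spec.split(",")
    if len(parts) != 5:
        raise ValueError("min= needs exactly five comma separated values")
    return [None if p == "disabled" else int(p) for p in parts]

def count_classes(password):
    """Count character classes (digit, lower, upper, other) as pam_passwdqc(8)
    documents it: an upper-case first character and a digit last character
    are not counted, so 'Password1' still counts as a one-class password."""
    body = password
    if body and body[0] in string.ascii_uppercase:
        body = body[1:]
    if body and body[-1] in string.digits:
        body = body[:-1]
    classes = set()
    for ch in body:
        if ch in string.digits:
            classes.add("digit")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        else:
            classes.add("other")   # punctuation, space, non-ASCII
    return len(classes)

# Slot in the min= list for a given class count. Slot 2 is the passphrase
# threshold, which this simplified model does not use.
_MIN_SLOT = {0: 0, 1: 0, 2: 1, 3: 3, 4: 4}

def check_password(password, min_spec="disabled,8,8,8,8"):
    """Return (accepted, reason) for one password under a min= policy."""
    mins = parse_min(min_spec)
    classes = count_classes(password)
    required = mins[_MIN_SLOT[classes]]
    if required is None:
        return False, f"{classes}-class passwords are disabled by policy"
    if len(password) < required:
        return False, f"{classes} class(es) need {required} chars, got {len(password)}"
    return True, "ok"
```

Run against the posted policy, "password" and "Password1" are both refused as one-class passwords, while "pass9word" passes; under the module's default of `disabled,24,11,8,7` the same two-class password would need 24 characters.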
So you're saying I can leave out the line in /etc/pam.d/sshd and everything will be exactly the same for me? Got to try that out next Monday.
I agree with anomie on the forum guide, even if it was only to divert this discussion away from this thread. After my testing on Monday, I might just post a guide!

As to the guide - it'll be a welcome addition
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

@hopla & @cajunman4life,
This <profane adjective> rocks! I've been researching / testing this for the last hour or so. I love discovering something new in FreeBSD (or Linux) land. I can hardly wait to unleash this upon my users once I'm comfortable with it. Looking forward to the guide...
__________________
Kill your t.v.

You know, in thinking about this, when I put it in /etc/pam.d/passwd, it changes the way the "passwd" command runs. So any time anyone tries to change their password, this policy is invoked.
What if you use "adduser" to create users on your system? Most of the time I use vipw to create a user account (using * as password, then run "passwd <username>" to set the password). So it'll be interesting to see... adduser is a shell script so I'll take a look at it when I've got a bit of time (at work presently).
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!