Disabling Services Not Needed
I'm curious what services/daemons I can turn off for extra security. I am new to BSD and use it only for pf and routing. Everything else that's not required for this to function, I would like to turn off if it has any added benefit.
On the default install I did not enable ssh since I will always be at the console and never telnet.
I just responded in your other topic: if you're always at the console, then those BSD flags are quite redundant; they do not protect against physical compromise. Paranoid file encryption and expensive locks on doors are the only way to do that.
There is no reason to disable services that are running by default; the ones that are running are critical to the functionality of the system. If you're concerned about the reliability, make sure your firewall rules are sane.
Quote:
    block drop log quick from { <bruteforce>, <noroute> }
    pass in log quick on { $EXT, $INT } inet proto tcp from IP.ADDR.ALLOWED.ACCESS to { $EXT } port 32009 flags S/SA modulate state (max-src-conn 10, max-src-conn-rate 3/3, overload <bruteforce> flush global)
__________________
The more you learn, the more you realize how little you know .... |
I only mention this because I think the rest was sane. But for those truly serious threats that are actually looking to infiltrate via some means of surveillance or probing, putting services on non-standard ports does nothing. If you have SSH running on something other than 22, they're going to find it.
I would therefore recommend you leave it on 22.
__________________
Network Firefighter
I know your reply already, it's not protecting the front door but putting the front door on the side of the house. Enforcing proper passwords, or better, use RSA keys exclusively is the real solution. But in the real world things do not always work this way ...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
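As an added example (not code from this thread), here is a small POSIX sh check for the point made in the reply above: whether an sshd_config actually turns password logins off, rather than just moving the port. It assumes OpenSSH's sshd_config grammar (keyword followed by value, '#' starts a comment, the first occurrence of a keyword wins), the defaults written in the comments, and two constructed sample configs; the names sshd_effective and sshd_keys_only are the example's own, not OpenSSH's.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only login.
# Assumptions (OpenSSH behaviour, stated here rather than verified on the page):
#   - the FIRST occurrence of a keyword in the file is the effective one
#   - '#' begins a comment, keywords are case-insensitive
#   - defaults when a keyword is absent: PasswordAuthentication yes,
#     ChallengeResponseAuthentication yes, PubkeyAuthentication yes,
#     PermitRootLogin yes (older releases; newer ones default to prohibit-password)

# sshd_effective KEYWORD DEFAULT  (config text on stdin)
# Prints the effective value of KEYWORD, or DEFAULT if it never appears.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        { sub(/#.*/, "") }                        # drop comments, including "#PasswordAuthentication yes"
        NF == 0 { next }                          # skip blank lines
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# sshd_keys_only CONFIG_TEXT
# Returns 0 when only public-key logins are possible, 1 otherwise (and prints why).
sshd_keys_only() {
    cfg="$1"
    pa=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
    ca=$(printf '%s\n' "$cfg" | sshd_effective ChallengeResponseAuthentication yes)
    pk=$(printf '%s\n' "$cfg" | sshd_effective PubkeyAuthentication yes)
    pr=$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin yes)
    ok=0
    [ "$pa" = "no" ]  || { echo "PasswordAuthentication is '$pa' (want no)"; ok=1; }
    [ "$ca" = "no" ]  || { echo "ChallengeResponseAuthentication is '$ca' (want no)"; ok=1; }
    [ "$pk" = "yes" ] || { echo "PubkeyAuthentication is '$pk' (want yes)"; ok=1; }
    case "$pr" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is '$pr' (want no or prohibit-password)"; ok=1 ;;
    esac
    return $ok
}

# Constructed sample 1: the "hide it on a high port" setup. The commented-out
# line changes nothing, so the default (password logins allowed) still applies.
WEAK_CONFIG='# constructed sample sshd_config
Port 32009
#PasswordAuthentication yes
PermitRootLogin yes
'

# Constructed sample 2: stock port, keys only.
HARDENED_CONFIG='# constructed sample sshd_config
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
'

# Usage on a real box: sshd_keys_only "$(cat /etc/ssh/sshd_config)"
sshd_keys_only "$HARDENED_CONFIG" && echo "hardened sample: keys only"
sshd_keys_only "$WEAK_CONFIG"     || echo "weak sample: password logins still possible"
```

The check deliberately reads the config the way sshd does (first match wins, comments ignored), because a commented-out "#PasswordAuthentication yes" is the usual way a box ends up looking hardened while still accepting passwords on whatever port it listens on.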
You guys are right:
Sometimes I read about people's thoughts on security, and it chalks up to: if I do such-and-such, I can wipe my hands and walk away and not worry about this security problem ever again. I was not intending this for anyone in this discussion, mind you, but I think what separates "us" from "the rest of them" is the ability to not take these kinds of things for granted. So forgive me if I picked things apart there, heheh.
__________________
Network Firefighter
Whether some script kiddie finds what port your only service may be on is only one layer of "security", for lack of a better word. Even NOT using passwords may still be "hacked" because of the daemon itself possessing vulnerabilities, thus I prefer a fully layered, as-much-as-I-can approach to keeping mofos out of my stuff. P.S. The REALLY skilled persons WILL find a way; I would rather at least try and deter them with more than one thing to have to get through.
__________________
The more you learn, the more you realize how little you know ....