DaemonForums  

FreeBSD Security Securing FreeBSD.

#1  revzalot, 16th May 2008
All in one server

I'm planning the following to make an all in one FreeBSD server which will contain the following:

Mailserver - postfix, imap, antispam
Webserver - with mysql
Fileserver - samba, nfs, cups printing
Multimedia server - planning to play movies and mp3s; server will be connected to projector.
FTP server - I'm sure this will be jailed

1. What order of install should be taken?
2. What should be chrooted or jailed?
3. What are the best apps suited for this combo?
4. Ideal partition layout?

hardware: socket 939 AMD 4000+; 3G ram; 6600GT grfx card; gobs of disk storage like 2x400GB, 1 500GB and 1 250GB


Planning to use AMD64 FreeBSD 7 s/w.


The main issue is security here and yes I'm going to give shell accounts to friends and family around the world. So start thinking in a practical paranoid kind of way and lay it all out on the table.

#2  Weaseal, 16th May 2008

I would also have to absolutely recommend jailing your Mailserver, and webserver, if indeed the main issue is security.
__________________
FreeBSD addict since 4.2-RELEASE.
My FreeBSD wiki.

#3  J65nko, 17th May 2008

Don't allow NFS, Samba and Cups through your firewall
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
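
Added example, not part of the thread or any poster's own setup: a host-side check that complements the firewall advice above by listing NFS, Samba and CUPS sockets that listen on anything other than the LAN or loopback address. The `sockstat -4 -l` output is constructed, and 192.168.1.10 (LAN) and 203.0.113.5 (public) are assumed addresses.

```shell
#!/bin/sh
# Added example: flag file/print service listeners that are not bound
# to the LAN address, i.e. sockets that only the firewall keeps private.

# Constructed sample of `sockstat -4 -l` output for the all-in-one server.
# Assumption: 192.168.1.10 is the LAN address, 203.0.113.5 the public one.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     master     812   12 tcp4   *:25                  *:*
www      httpd      901   3  tcp4   203.0.113.5:80        *:*
root     smbd       955   20 tcp4   192.168.1.10:445      *:*
root     smbd       955   21 tcp4   192.168.1.10:139      *:*
root     nmbd       950   9  udp4   *:137                 *:*
root     cupsd      970   4  tcp4   *:631                 *:*
root     rpcbind    640   8  udp4   *:111                 *:*
root     nfsd       700   3  tcp4   *:2049                *:*
root     sshd       780   3  tcp4   *:22                  *:*
EOF
}

# audit_listeners LAN_IP
# Reads sockstat output on stdin and prints "command port local-address"
# for every NFS/Samba/CUPS socket not bound to LAN_IP or loopback.
audit_listeners() {
    awk -v lan="$1" '
        NR == 1 { next }                          # skip the header line
        $2 ~ /^(smbd|nmbd|cupsd|nfsd|mountd|rpcbind)$/ {
            n = split($6, a, ":")                 # LOCAL ADDRESS is addr:port
            addr = a[1]; port = a[n]
            if (addr != lan && addr != "127.0.0.1")
                print $2, port, $6
        }'
}

# Run against the constructed sample; mail, web and ssh are ignored,
# the LAN-bound smbd sockets pass, the wildcard-bound services are listed.
sample_sockstat | audit_listeners 192.168.1.10
```

On the server, pipe real output instead (`sockstat -4 -l | audit_listeners <LAN address>`); every line printed is a socket that only the pf ruleset keeps off the outside interface.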

#4  Weaseal, 17th May 2008

See: http://www.freebsd.org/doc/en_US.ISO...plication.html
__________________
FreeBSD addict since 4.2-RELEASE.
My FreeBSD wiki.

#5  cajunman4life (Real Name: Aaron Graves), 17th May 2008

The doc that Weaseal posted can also be done easily using ezjail (in the ports tree as sysutils/ezjail). Personally, I have just about everything jailed on my system (the base system is just that pretty much). Apache is in a jail, MySQL is in a jail, PostgreSQL in a jail, vsftpd is in a jail, and even "shell services" in a jail. I make use of mount_nullfs when absolutely necessary (for example, on shell server, ~/public_html is a softlink to /www/<username> in the jail system, and that FS is mount_nullfs to the WWW jail so that userdirs still display from the webserver... I know it's not perfect, but it's a good option without giving everybody access to the web server).
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!

#6  aleunix (Real Name: Alessandro), 14th June 2008

A further improvement could be putting each service on a separate partition.

Quote:
Originally Posted by J65nko
    Don't allow NFS, Samba and Cups through your firewall

Yes. It's a golden rule.

#7  martsept, 17th September 2008
hello

Can I know more about your program... I mean VPN

#8  mdh (Real Name: Matt D. Harris), 3rd October 2008

Put the shell account users in a separate virtual machine running under qemu, perhaps? That's pretty darn safe.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick