|
|
域名空间 下载中心 社区论坛 信息公告 MY小屋 | |
 |
联系我们 设为首页 加入收藏 |
 |
|
 |
首页 | 新闻资讯 | 编程开发 | 网页设计 | 图形图象 | 网络媒体 | 网站模板 | 数 据 库 | 投稿 论坛 | 操作系统 | 系统优化 | 网络安全 | 黑客技术 | 硬件学堂 | 硬件报价 | 服 务 器 | 地图 专题 | 应用软件 | 聊天通讯 | Q Q 专栏 | 建站经验 | 在线工具 | 站长Club | 注 册 表 | 旧版 社会 | 游戏娱乐 | 设计欣赏 | 疑难解答 | 社区论坛 | 韩国素材 | 素材图库 | 广告服务 | 服务 |
 |
 |
 |
 当前位置:首页>>操作系统>>FreeBSD>>正文 |
新版上线![旧版] |  |
|||
注:打开慢时请稍等
FreeBSD 安全入门http://www.iyit.net 日期:2006-5-16 17:35:41 来源:本站整理转载 点击: |
BSD security fundamentalsSean Lewis sml@subterrain.net http://www.subterrain.net Scope and Scale Focus: FreeBSD – enterprise hardware support + most ‘mainstream' ? Security refresher + some new and interesting BSD security information. Emphasis on host-based security, one of the first layers of the security ‘onion'. The Basics If modifying an existing system, MAKE BACKUPS! Unnecessary services – prune /etc/inetd.conf and rc.conf – ‘explicit service enable'. 4.4-R = safer inetd.conf Work with the latest version of the OS – tracking STABLE or the new RELEASE branch is recommended. Encrypted communication Immediately disable telnet and use SSH – OpenSSH is included in FreeBSD installation. Use the sftp server function built into the ssh2 protocol rather than a standard ftpd. Set up public key authentication with SSH to prevent password transmission. File-system lockdown Mount non /usr or / [for /sbin] filesystems with the ‘nosuid' argument, especially /tmp. Search for and remove the suid bits off of non-used binaries [especially uucp – setgid] Use the chflags to set variables such as sappnd on log files, schg on system binaries, etc. Kernel Securelevels Kernel securelevels allow variable security level increases on the fly. Levels range from –1 -> 3, -1 and 0 being “insecure mode”. Securelevels may only be raised, not lowered once the system is in multiuser mode. Securelevels controlled via sysctl controls. Securelevel 1 – sappnd and schg flags can not be disabled – LKMs may not be loaded / unloaded. Securelevel 2 – securelevel 1 + no writing to disks except for mount(2). Time changes also clamped to 1sec. Securelevel 3 – securelevel 2 + ipfw rules cannot be modified. Schg on files in / for maximum effectiveness Sysctl/rc.conf variables net.inet.tcp.blackhole=2 and net.inet.udp.blackhole=1 – don't generate RSTs on portscan, replaces RESTRICT_RST. kern_securelevel_enable=“YES” kern_securelevel=“X” icmp_drop_redirect=“YES” fsck_y_enable=“YES” Secure your services Start potentially dangerous programs such as bind in a chroot'd environment. Log_in_vain=“YES” in rc.conf will show connections to tcp/udp ports with no service bound to them. Use packet filtering software such as ipfw or ipfilter to restrict access to services. Serving files with ftpd FreeBSD powers large ftp software sites such as ftp.cdrom.com - securely! Put individual users in the /etc/ftpchroot file to restrict them to their $HOME. Start ftpd with –l –l [twice] to enable extended logging. If running a large anonymous archive, use ftpd –A [only anonymous allowed] and –r [read-only mode for the server]. Serving web pages with apache Why apache? Reliable, widely-used, runs in a relatively secure fashion. Run httpd processes as non-root user, ‘nobody' is default, creating ‘www' user may offer more granularity. Run apache in a jailed environment to limit access. Use suEXEC to execute CGIs as a non-priveleged user. Logging Start syslogd with the ‘-s –s' flags to prevent it from opening 514/udp. Add a /var/log/ftpd entry for ftp.* in syslog.conf. Create a /var/log/security entry for security.* and auth.info syslog levels. Enable ipfw logging to syslog. Keeping people out. Use tcp wrappers [/etc/hosts.allow] to allow/deny access to certain tcp-based services. Use the AllowUsers/AllowGroups SSH configuration options to allow certain users and groups to connect via SSH. Give users who only require ftp access the /sbin/nologin shell to prevent access to a real shell. How to check your security /usr/ports/security/nmap – port scan yourself to check for strange services. /usr/ports/security/whisker – audit your web server for potential vulnerabilities. /usr/ports/security/tripwire-1.31 – ASR of tripwire, file integrity assurance. /usr/ports/security/snort – lightweight NIDS ex: http://www.subterrain.net/snort Other tips + tricks. Use ntpdate to synch your clock with a time server such as clock.isc.org. crontab it to keep it reliable. In /etc/ttys change the ‘secure' flag to ‘insecure' on each local TTY to prevent direct root login. Enable sudo for restrictive root-level access. Remember – turn off / remove what you don't use – complexity does not compliment security. Backporting sysctl stuff from –CURRENT to reduce the need for things like setgid kmem. Links to related material. This presentation: http://www.subterrain.net/ FreeBSD security advisories and info: http://www.freebsd.org/security FreeBSD security how-to: http://people.freebsd.org/~jkb/howto.html 编辑:黑鹰 [发送给好友] [打印本页] [关闭窗口] [返回顶部] 上一篇:icmp-response bandwidth limit 300/200 pps 下一篇:用 NT loader 来启动 FreeBSD 转载请注明来源:www.iyit.net 特别声明: 本站除部分特别声明禁止转载的专稿外的其他文章可以自由转载,但请务必注明出处和原始作者。文章版权归文章原始作者所有。对于被本站转载文章的个人和网站,我们表示深深的谢意。如果本站转载的文章有版权问题请联系编辑人员,我们尽快予以更正。 |
| 最新更新 | 热点排行 | 推荐新闻 | |||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
| 友情链接 | ||||||
 |
设置首 页 - 版权声明 - 广告服务 - 关于我们 - 联系我们 - 友情连接 |  |
| |||||||
易特网络技术