Hello and good day,

I have setup a Server which is directly connected to the Internet, without NAT-Router or other Firewall Appliance. I am using FreeBSD 6.2. I have pf enabled to only allow traffic on specified Ports. I am using Apache-13 + Postfix + Dovecot & mysql for my Mail-system. There is only one /home/User, which authenticates via a Key with Pass-phrase to sshd. The Mail-users all authenticate to a mysql database.

I know that I could make use of chroot or better jail to secure the machine from possible exploits in postfix & co, but I am not yet comfortable with jail. Other than keeping my Ports (and system) up to date, can you give me some tips on how to secure my Box a little bit?

Thanks a lot,
David

You might want to use /etc/hosts.allow to restrict some protocols further.

-Derek

At 10:17 AM 2/23/2007, David Schulz wrote:
> Hello and good day,
>
> I have setup a Server which is directly connected to the Internet,
> without NAT-Router or other Firewall Appliance. I am using FreeBSD
> 6.2. I have pf enabled to only allow traffic on specified Ports. I am
> using Apache-13 + Postfix + Dovecot & mysql for my Mail-system. There
> is only one /home/User, which authenticates via a Key with Pass-phrase to
> sshd. The Mail-users all authenticate to a mysql database.
> I know that I could make use of chroot or better jail to secure the
> machine from possible exploits in postfix & co, but I am not yet
> comfortable with jail. Other than keeping my Ports (and system) up to
> date, can you give me some tips on how to secure my Box a little bit?
>
> Thanks a lot,
> David

Another program to consider is DenyHosts

http://denyhosts.sourceforge.net/

It works exceptionally well.

Bob

Derek Ragona wrote:
> You might want to use /etc/hosts.allow to restrict some protocols
> further.
>
> -Derek
>
>
> At 10:17 AM 2/23/2007, David Schulz wrote:
>> Hello and good day,
>>
>> I have setup a Server which is directly connected to the Internet,
>> without NAT-Router or other Firewall Appliance. I am using FreeBSD
>> 6.2. I have pf enabled to only allow traffic on specified Ports. I am
>> using Apache-13 + Postfix + Dovecot & mysql for my Mail-system. There
>> is only one /home/User, which authenticates via a Key with Pass-phrase
>> to sshd. The Mail-users all authenticate to a mysql database.
>> I know that I could make use of chroot or better jail to secure the
>> machine from possible exploits in postfix & co, but I am not yet
>> comfortable with jail. Other than keeping my Ports (and system) up to
>> date, can you give me some tips on how to secure my Box a little bit?
>>
>> Thanks a lot,
>> David

The FreeBSD Handbook also has some good tips:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html

Regards,

-- Johan Berg

On Fri, February 23, 2007 17:17, David Schulz wrote:
> Hello and good day,
>
> I have setup a Server which is directly connected to the Internet,
> without NAT-Router or other Firewall Appliance. I am using FreeBSD
> 6.2. I have pf enabled to only allow traffic on specified Ports. I am
> using Apache-13 + Postfix + Dovecot & mysql for my Mail-system. There
> is only one /home/User, which authenticates via a Key with Pass-phrase
> to sshd. The Mail-users all authenticate to a mysql database.
> I know that I could make use of chroot or better jail to secure the
> machine from possible exploits in postfix & co, but I am not yet
> comfortable with jail. Other than keeping my Ports (and system) up to
> date, can you give me some tips on how to secure my Box a little bit?
>
> Thanks a lot,
> David

-- 
Johan Berg

On Sat, Feb 24, 2007 at 12:17:00AM +0800, David Schulz wrote:
> Hello and good day,
>
> I have setup a Server which is directly connected to the Internet,
> without NAT-Router or other Firewall Appliance. I am using FreeBSD
> 6.2. I have pf enabled to only allow traffic on specified Ports. I am
> using Apache-13 + Postfix + Dovecot & mysql for my Mail-system. There
> is only one /home/User, which authenticates via a Key with Pass-phrase
> to sshd. The Mail-users all authenticate to a mysql database.
> I know that I could make use of chroot or better jail to secure the
> machine from possible exploits in postfix & co, but I am not yet
> comfortable with jail. Other than keeping my Ports (and system) up to
> date, can you give me some tips on how to secure my Box a little bit?
>
> Thanks a lot,
> David

Hi David,

Perhaps the following URI would be of interest:

http://www.modsecurity.org/

I've been considering this tool myself. I am not using it as of yet.

Best Regards,
Duane

freebsd-security@auscert.org.au
2007-Mar-01 14:01 UTC
Advice for Internet facing Mailserver
On Sun, 25 Feb 2007 12:14:24 +0100 (CET), "Johan Berg" wrote:
> The FreeBSD Handbook also has some good tips:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html
>
>
> Regards,
>
> -- Johan Berg

Also, man SECURITY(7)

cheers,
joel