Gentoo Forums
Networking & Security
what do i need for security?
gsfgf
Veteran
Joined: 08 May 2002
Posts: 1266

Posted: Sat Dec 07, 2002 4:19 pm    Post subject: what do i need for security?

I have a FreeBSD box that's in the DMZ on my network. I use it as a web, ftp, telnet, and ssh server. What do I need to do to secure it? I need telnet in case I need to get into it from a win box that doesn't have PuTTY, but I don't use it unless I can't help it.
_________________
Aim:gsfgf0

splooge
l33t
Joined: 30 Aug 2002
Posts: 636

Posted: Sat Dec 07, 2002 4:56 pm

Telnet security?

Never heard of it =)

You'd probably be better off asking this type of question on a bsd forum, as from what I can tell bsd doesn't use iptables, which is step #1 in securing the box.

Step #2 is removing telnet.

simulacrum
Tux's lil' helper
Joined: 30 Nov 2002
Posts: 128
Location: St Paul, MN

Posted: Sat Dec 07, 2002 8:16 pm

I would concur that you do not want telnet enabled. On my server the only ports I have open are ssh, http, and smtp. Putty doesn't require an installation so you can run it from any machine without having to do anything but download the client. Also, as far as file transfers go, you can use sftp (secure ftp) or scp through ssh. There are putty clients available (psftp).

frogger
n00b
Joined: 05 Dec 2002
Posts: 35

Posted: Sat Dec 07, 2002 8:33 pm

First off, as everyone else has said, disable telnet. By telnetting into your box you're basically just giving away all your data in plain text. Security is out the window.

Another question, since FTP is also all plain text, do you REALLY need it? If you're running an anonymous public ftp server, perhaps. If you are using it for just a few user accounts, why not use sftp? Much more secure. I'm not a big fan of giving away passwords in plain text :)

And yes, I do rant on about plain text passwords, but it is soooo easy for people to sniff unencrypted traffic. If you'd like to see just give dsniff a try. You'll be amazed what you (or anybody in the middle) can see.

Simply enough, just follow the FreeBSD stable branch and keep up with any security advisories announced. Firewall off any unnecessary ports. Don't run telnet/ftp :)

474
l33t
Joined: 19 Apr 2002
Posts: 714

Posted: Sat Dec 07, 2002 8:40 pm    Post subject: Various

Don't ever use telnet to access your internal hosts from outside, via the Internet. However, I think it's acceptable to use telnet internally provided your users have low awareness/danger factor (i.e. they're not the kind to run packet sniffers or you have a switching non-promiscuous network hub).

If you are concerned about not always having an SSH client when you need to get at it from outside the office, then you might want to consider doing this (a) get a Java based SSH client applet and (b) host it on an internal web server. You can then visit that web page from the outside and as long as you have a java-enabled browser use the SSH client provided. There is one available, but I can't remember its name - you could try googling for it. Webmin also has a similar feature, and you can use Webmin over SSL (https) so that would be a better solution too (you can even configure a Webmin user so that SSH is the only option you get when you login to it).

Quote:
What do i need to do to secure it?

Lots of things :-), such as disconnect it from the network! It's a bit of a generic question and I don't know your network topology. You say it's in a DMZ so I presume you have a border firewall already so that's a good place to start. Also a proper DMZ should entail the host residing in it not really being able to get at other hosts in other zones (your main LAN subnet). That way if someone does compromise your FreeBSD box, their options for hacking other internal hosts are limited. Basically the only thing it should allow is stateful honouring of incoming communications only bound for the box itself, only coming from hosts outside of the Internet (and maybe from some of your internal hosts too if needed). Anything else you allow it to do, IP traffic-wise, progressively weakens its security.

If you're not running a packet filter on your FreeBSD box then I suggest you rectify that. IPFW is quite popular in BSD circles, but I strongly recommend IPFilter (which is available as a FreeBSD port I think). It's of outstanding quality and design and the syntax is really easy to learn. And I have plenty of experience with it so I'm more than happy to help you with the rulesets.

Of course, you're running publicly available services on it so you'd better make sure of a few other things like:
  • The software you're using for each service is up-to-date and free of known security flaws
  • You have a good understanding of the daemons involved and have used whatever options they have to ensure the highest possible security (e.g. SSH should only allow logins from a wheel user who can su to root, should timeout logins, should only allow SSH2 etc etc).


But do make sure you've locked down your main firewall before worrying about the BSD box.
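Two of the replies above boil down to concrete checks on the box itself: frogger's "don't run telnet/ftp" and 474's list of sshd options (SSH2 only, logins only for a wheel user who can su, login timeouts). The script below is an added example, not code posted in the thread and not part of FreeBSD or OpenSSH; it audits an inetd.conf and an sshd_config for exactly those points and prints a report for a weak configuration and its corrected counterpart. The two config files are constructed sample input, the keyword names (Protocol, PermitRootLogin, AllowGroups, AllowUsers, LoginGraceTime) are real sshd_config directives, the 120 second timeout threshold is this example's own choice, and the `Keyword=value` spelling sshd also accepts is not handled.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf and an OpenSSH
# sshd_config for cleartext login services, SSH1, root login over SSH,
# a missing wheel-only restriction and a long login timeout.

# Constructed inetd.conf fragment: ftp and telnet enabled, rshd commented out.
SAMPLE_INETD='# constructed sample, not a real inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
'

# Constructed sshd_config carrying the weak settings the thread warns about.
WEAK_SSHD='Port 22
Protocol 2,1
PermitRootLogin yes
#AllowGroups wheel
LoginGraceTime 600
'

# The same file corrected: SSH2 only, no root login, wheel members only,
# unauthenticated connections dropped after 60 seconds.
HARDENED_SSHD='Port 22
Protocol 2
PermitRootLogin no
AllowGroups wheel
LoginGraceTime 60
'

# plaintext_services CONTENT: print each enabled (uncommented) inetd service
# whose protocol carries the password in the clear.
plaintext_services() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "telnet" || $1 == "ftp" || $1 == "shell" || $1 == "login" { print $1 }'
}

# sshd_value CONTENT KEYWORD: print the effective value of KEYWORD. sshd takes
# the first uncommented occurrence and matches keywords case-insensitively.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the value
            print
            exit
        }'
}

# sshd_findings CONTENT: one line per weak or missing setting, nothing if clean.
sshd_findings() {
    cfg=$1
    proto=$(sshd_value "$cfg" Protocol)
    [ "$proto" = "2" ] || echo "Protocol: allow SSH2 only (have: ${proto:-unset})"
    root=$(sshd_value "$cfg" PermitRootLogin)
    [ "$root" = "no" ] || echo "PermitRootLogin: set to no, log in as a wheel user and su (have: ${root:-unset})"
    allow="$(sshd_value "$cfg" AllowGroups)$(sshd_value "$cfg" AllowUsers)"
    [ -n "$allow" ] || echo "AllowGroups/AllowUsers: unset, every account may log in (e.g. AllowGroups wheel)"
    grace=$(sshd_value "$cfg" LoginGraceTime)
    case $grace in
        '')        echo "LoginGraceTime: unset, daemon default applies (set 120 or less)" ;;
        *[!0-9]*)  echo "LoginGraceTime: non-numeric value '$grace'" ;;
        *)         [ "$grace" -le 120 ] || echo "LoginGraceTime: ${grace}s, lower it to 120 or less" ;;
    esac
}

# report NAME INETD SSHD: human-readable summary for one host.
report() {
    echo "== $1 =="
    svcs=$(plaintext_services "$2")
    if [ -n "$svcs" ]; then
        echo "cleartext login services enabled in inetd.conf:"
        printf '  %s\n' $svcs
    else
        echo "no cleartext login services enabled in inetd.conf"
    fi
    findings=$(sshd_findings "$3")
    if [ -n "$findings" ]; then
        echo "sshd_config findings:"
        printf '%s\n' "$findings" | sed 's/^/  /'
    else
        echo "sshd_config: no findings"
    fi
}

report "before" "$SAMPLE_INETD" "$WEAK_SSHD"
report "after"  "# telnet and ftp removed (constructed)" "$HARDENED_SSHD"
```

Run it against the real files with `plaintext_services "$(cat /etc/inetd.conf)"` and `sshd_findings "$(cat /etc/ssh/sshd_config)"`; a clean result for the sshd part means the three options 474 names are in place, and an empty inetd result means the telnet/ftp daemons frogger and splooge object to are no longer started by inetd (a standalone ftpd enabled elsewhere would not be caught by this check).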

gsfgf
Veteran
Joined: 08 May 2002
Posts: 1266

Posted: Sat Dec 07, 2002 11:04 pm

I guess the java putty client would work. I had telnet so if I wanted to I rarely use ftp and telnet. IIRC I have only once logged in w/ telnet, I just have it in case I'm at school where I can't dl a putty client and need to get something off it and apache's croaked. Access to docs = good. Also I need the box to access the rest of the network. I use it as a ssh server (via ssh over the net) for remote access of the rest of my network. This in mind, I had been just using default settings to secure it and not using telnet when I don't have to. I'm not really worried about ftp insecurity since the ftp user is limited.
_________________
Aim:gsfgf0

#!
n00b
Joined: 20 Nov 2002
Posts: 11

Posted: Sun Dec 08, 2002 7:39 pm

Why bother with ftp at all? Using sftp just needs the ssh daemon to be running, so in truth you don't have as many daemons running which can't be a bad thing right? You might as well just have sftp. Then if you're really needing it you can use it, and if you don't have access to an sftp client, you could ssh to your box and start the ftpd. I just don't see the point in leaving yourself vulnerable.
_________________
"...you might as well skip the Xmas celebration completely, and instead sit in front of your linux computer playing with the all-new-and-improved linux kernel version."
(By Linus Torvalds)

All times are GMT