
Re: Create a canned "Firewall Build"?



On Thu, Feb 21, 2002 at 03:23:07AM -0500, Patrick Giagnocavo wrote:
> Set quotas by default to a sane value so that users can't fill up your
> partition.

  Not only for users but for daemons. Quotas for daemons are _very_ useful
to keep people from creating millions of MySQL tables or to avoid your disk
being filled up by mail bombs. It also prevents bad things when some scripts
go boo boo and start creating tons of files. Also, log files (for
instance Apache ones) that you forget to rotate can fill your partitions.
Quotas for everything avoid that.

> w uptime ps vmstat iostat pstat dmesg etc. should not be able to be
> run by normal users (say, those not in wheel or operator groups).

  Stephanie (actually the privacy patch) helps a bit.

> Replace the "real" ps with a shell script that calls "ps -uwx" only,
> so that users can see their own processes (since otherwise they can't
> kill their own processes).  Wrap other programs similarly.

  See above. Wrappers are risky, especially when they involve setuid programs.

> I like the way that the master user database is regenerated to form
> /etc/passwd etc.  

  Btw, you can have /etc/passwd only readable by root. Create a 'pwd' group,
chown root:pwd /etc/passwd && chmod 640 /etc/passwd . Then, users can't see
what other logins exist on the system. For some non-root daemons that
really need to read /etc/passwd, just make the user they run as a member of
'pwd'. I've done that on every system so far (including Linux, SCO and
Solaris) with no trouble ever. But this is redundant if you already chroot
everything and everybody.

> All the ideas I have seen so far are very good.  
> What else is there?

  If we really want to start such a project, maybe a separate mailing-list
needs to be created, especially to discuss various ideas.

-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@42-Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
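
An added example, not part of the original post: before applying the root:pwd, mode 640 change to /etc/passwd described above, this script lists which accounts would still be able to read the file and which daemon accounts still need to be added to 'pwd'. The sample passwd and group contents, the gid 900 and the function names are constructed for illustration.

```shell
#!/bin/sh
# passwd_readers PASSWD GROUP GRPNAME: logins that can still read PASSWD once
# it is root:GRPNAME mode 0640 (uid 0, primary gid match, or listed member).
passwd_readers() {
    awk -F: -v grp="$3" '
        FILENAME == ARGV[1] {            # first file: the group database
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        /^#/ || NF < 4 { next }          # skip comments and malformed lines
        $3 == 0 || (gid != "" && $4 == gid) || ($1 in member) { print $1 }
    ' "$2" "$1" | sort -u
}

# uncovered PASSWD GROUP GRPNAME login...: the listed logins that lose access.
uncovered() {
    readers=$(passwd_readers "$1" "$2" "$3")
    shift 3
    for u in "$@"; do
        printf '%s\n' "$readers" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

# Constructed sample databases (not from the post); group "pwd" has gid 900.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:*:0:0:Charlie Root:/root:/bin/ksh
toor:*:0:0:Backup root:/root:/bin/sh
www:*:67:67:HTTP daemon:/var/www:/sbin/nologin
ftpd:*:901:900:FTP daemon:/var/empty:/sbin/nologin
mysql:*:502:502:MySQL:/var/mysql:/sbin/nologin
alice:*:1000:1000:Alice:/home/alice:/bin/ksh
EOF
cat > "$demo_dir/group" <<'EOF'
wheel:*:0:root
pwd:*:900:www
users:*:1000:alice
EOF

passwd_readers "$demo_dir/passwd" "$demo_dir/group" pwd     # who keeps access
uncovered "$demo_dir/passwd" "$demo_dir/group" pwd www mysql ftpd
```

Point the two functions at copies of the real passwd and group files and pass the daemon accounts that must keep read access as the trailing arguments.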