Operating Systems BSD Borrowing a bit of experience -- hardening FreeBSD -- Post 302905707 by Opr_Sys on Friday 13th of June 2014 07:08:44 AM

Quote:
Originally Posted by se2pi
I have been playing with qmail a lot in a virtual machine (Debian OS), so I feel it's time to go for a real server, but in order to have a bit of extra fun I decided to start testing in a real environment with FreeBSD. Of course this will be done on a non-production server... nevertheless I am a bit worried about security. So it would be really nice to hear about others' experiences, how to approach security issues in FreeBSD, what to have in mind and of course knowledge or maybe experiences are welcome !!!

Hope to read advice and experiences :-)

The server will be running FreeBSD 10

apache, qmail and bind nothing more (only one domain - No panel config Please - )

Thanks for reading and sharing ;-)

If you're going to go with BSD's Apache - take your time to run Audit-D and Lynis to harden your config, run Apache in the Jail under Chroot and use Mod_Security.

I'll be honest and say I don't like Apache simply because it falls over far too often and it's easy for an attacker that knows what they're doing to go peeling it apart like peeling the layers off an Onion. ie: Which version of PHP - Soon query that!

Bind is also not my first choice, but it does the Job I guess, as it's not a production server then yeah go for it have fun exploring all the different security options at your disposal and play with them, the only way you learn about that kind of stuff is to play with it over and over and then you'll slowly get the gist.

See the fact of it is that it's not really a Typesafe system, that's why it comes bundled with things like Acid-Base and Snort, when in truth it uses far too much inline PHP, Perl, Java & Pthreads (Posix) etc, etc. If you're looking for the totally 100% secure operating system, then you might want to explore 9-Base which is more Unix than Unix and uses Secure Name Spaces and then of course you configure your setup to dump its db and user tables into 9; on BSD they break in and they elevate to Root, on Plan 9 they break in and elevate to Nobody!

If it's going to be a production server then I would suggest going backwards rapidly, because it was only after Windows 3.35 that weird stuff started creeping in. If you still have any old copies of Windows 3.1 laying around you can soon upgrade them to resemble 95 with Calmira II or you could go with freeDOS and OpenGEM.

It's time to dig out and dispose of all the weird and unknowable security configs that seem to be prevalent everywhere, because in the age where they're saying users should have no privacy then it's fast becoming evident that those are the words of a politician who doesn't know the first thing about 8 Bit - 16 Bit - 32 Bit or 64 Bit.

And I'll be damned if I'll let them just tread all over my civil liberties and those of everybody else just because they want to profit from their Multi-Level Marketing Scams and the fact they want a new Car.

It doesn't have to be BSD and it doesn't have to be Debian but it can sure as hell be Unix!

Last edited by Opr_Sys; 06-13-2014 at 10:14 AM..
 

ePerl(3pm)            User Contributed Perl Documentation            ePerl(3pm)

NAME
       Apache::ePerl - Fast emulated Embedded Perl (ePerl) facility

SYNOPSIS
          #   Apache's httpd.conf file

          #   mandatory: activation of Apache::ePerl
          PerlModule Apache::ePerl
          <Directory /root/of/webmaster/area>
          <Files *.iphtml>
          Options     +ExecCGI
          SetHandler  perl-script
          PerlHandler Apache::ePerl
          </Files>
          </Directory>

          #   optional: configuration of Apache::ePerl
          <Perl>
          $Apache::ePerl::Config->{'BeginDelimiter'}  = '<?';
          $Apache::ePerl::Config->{'EndDelimiter'}    = '!>';
          $Apache::ePerl::Config->{'CaseDelimiters'}  = 0;
          $Apache::ePerl::Config->{'ConvertEntities'} = 1;
          </Perl>

          #   optional: activation of Apache::Status for Apache::ePerl
          <Location /perl-status>
          Options     +ExecCGI
          SetHandler  perl-script
          PerlHandler Apache::Status
          </Location>

DESCRIPTION
       This package provides a handler function for Apache/mod_perl which can be used to emulate the stand-alone Server-Side-Scripting-Language ePerl (see eperl(3) for more details) in a very fast way. This is not a real 100% replacement for nph-eperl because of reduced functionality under some special cases, principal runtime restrictions and speedup decisions. For instance this variant does not (and cannot) provide the SetUID feature of ePerl nor does it check for allowed filename extensions (speedup!), etc. Instead it uses further features like object caching which ePerl does not use. But the accepted bristled source file format is exactly the same as with the regular ePerl facility, because Apache::ePerl uses the Parse::ePerl package which provides the original ePerl parser and translator. So, any valid ePerl which works under nph-eperl can also be used under Apache::ePerl.

       The intent is to use this special variant of ePerl for scripts which are directly under control of the webmaster. In this situation no real security problems exist for him, because all risk is in his own hands. For the average user you should not use Apache::ePerl. Instead additionally install the regular stand-alone ePerl facility (nph-eperl) for those users.

       So, the advantage of Apache::ePerl against the regular nph-eperl is better performance and nothing else. Actually scripts executed under Apache::ePerl are at least twice as fast as under nph-eperl. The reason is not that ePerl itself is faster. The reason is the runtime in-core environment of Apache/mod_perl which does not have any forking overhead.

   Installation and Configuration
       First you have to install Apache::ePerl so that Apache/mod_perl can find it. This is usually done via configuring the ePerl distribution via the same Perl interpreter as was used when building Apache/mod_perl.

       Second, you have to add the following config snippet to Apache's httpd.conf file:

          PerlModule Apache::ePerl
          <Directory /root/of/webmaster/area>
          <Files *.iphtml>
          Options     +ExecCGI
          SetHandler  perl-script
          PerlHandler Apache::ePerl
          </Files>
          </Directory>

       This forces all files under the directory /root/of/webmaster/area/ with extension .iphtml to be processed by the Apache::ePerl::handler function which emulates the runtime behavior of the stand-alone "eperl" program (when run as a SSSL) up to 90%.

       If you're not paranoid about security (for instance driving a stand-alone webserver without user accounts) you can also just use

          PerlModule Apache::ePerl
          <Files *.iphtml>
          SetHandler  perl-script
          PerlHandler Apache::ePerl
          </Files>

       which enables .iphtml files everywhere.

       Third, when you want to change the defaults of the ePerl parser, you also can add something like this to the end of the snippet above.

          <Perl>
          $Apache::ePerl::Config->{'BeginDelimiter'}  = '<?';
          $Apache::ePerl::Config->{'EndDelimiter'}    = '!>';
          $Apache::ePerl::Config->{'CaseDelimiters'}  = 0;
          $Apache::ePerl::Config->{'ConvertEntities'} = 1;
          </Perl>

       Fourth, you can additionally enable the mod_perl runtime status which then automatically enables an Apache::ePerl status handler:

          <Location /perl-status>
          Options     +ExecCGI
          SetHandler  perl-script
          PerlHandler Apache::Status
          </Location>

       This enables the URL "/perl-status" in general and the URL "/perl-status?ePerl" in particular. Use it to see how many scripts were run and how many are still cached.

AUTHOR
       Ralf S. Engelschall
       rse@engelschall.com
       www.engelschall.com

HISTORY
       Apache::ePerl was first implemented by Mark Imbriaco <mark@itribe.net> in December 1996 as a plain Perl module after he had seen the original ePerl from Ralf S. Engelschall. It implemented the ePerl idea, but was not compatible with the original ePerl.

       In May 1997 Hanno Mueller <hmueller@kabel.de> took over the maintenance from Mark I. and enhanced Apache::ePerl by adding caching for P-Code, adding the missing "chdir" stuff, etc.

       Nearly at the same time Ralf S. Engelschall was unhappy with the old Apache::ePerl from Mark I. and had already started to write this version (the one whose POD you are currently reading). He has rewritten the complete module from scratch, but incorporated the P-Code caching idea and the Apache::Status usage from Hanno M.'s version.

       The big difference between this one and Mark I.'s or Hanno M.'s versions is that this version makes use of the new Parse::ePerl module which itself incorporates the original ePerl parser. So this version is more compliant with the original ePerl facility.

SEE ALSO
       Parse::ePerl(3)

       Web-References:

         Perl:     perl(1),     http://www.perl.com/
         ePerl:    eperl(1),    http://www.engelschall.com/sw/eperl/
         mod_perl: mod_perl(1), http://perl.apache.org/
         Apache:   httpd(7),    http://www.apache.org/

perl v5.14.2                      2012-04-07                      ePerl(3pm)
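
The man page above gives two ways to activate the handler: scoped to a `<Directory>` under the webmaster's control, or in a bare `<Files>` block that enables .iphtml files everywhere. The following is an added example, not part of the man page or the ePerl distribution: a small Python audit that reports, for each `PerlHandler Apache::ePerl` line, whether it sits inside a `<Directory>` section. The function name `audit_eperl_scope` and the two sample configs are constructed for illustration.

```python
import re

# Constructed sample configs, modelled on the two httpd.conf snippets above.
SCOPED = """\
PerlModule Apache::ePerl
<Directory /root/of/webmaster/area>
<Files *.iphtml>
Options     +ExecCGI
SetHandler  perl-script
PerlHandler Apache::ePerl
</Files>
</Directory>
"""
GLOBAL = """\
PerlModule Apache::ePerl
<Files *.iphtml>
SetHandler  perl-script
PerlHandler Apache::ePerl
</Files>
"""

OPEN_RE = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")      # e.g. <Files *.iphtml>
CLOSE_RE = re.compile(r"^</\s*(\w+)\s*>$")            # e.g. </Files>
HANDLER_RE = re.compile(r"^(?i:PerlHandler)\s+Apache::ePerl\b")
DIR_SECTIONS = {"directory", "directorymatch"}


def audit_eperl_scope(conf_text):
    """Return (line_no, enclosing_sections, directory_scoped) per ePerl handler."""
    stack, findings = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):          # skip blanks and comments
            continue
        if CLOSE_RE.match(line):
            if stack:                                 # tolerate stray closers
                stack.pop()
        elif (m := OPEN_RE.match(line)):
            stack.append((m.group(1), m.group(2)))
        elif HANDLER_RE.match(line):
            scoped = any(name.lower() in DIR_SECTIONS for name, _ in stack)
            sections = [f"{n} {a}".strip() for n, a in stack]
            findings.append((line_no, sections, scoped))
    return findings


if __name__ == "__main__":
    for label, conf in (("scoped", SCOPED), ("global", GLOBAL)):
        for line_no, sections, scoped in audit_eperl_scope(conf):
            verdict = "OK" if scoped else "WARN: enabled outside any <Directory>"
            print(f"{label}: line {line_no} in {sections}: {verdict}")
```
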