Basic server security - install the "ports" or not?

I'm setting up a web server and I'll be running Apache in a jail (likely using ezjail).

Generally speaking, is it a good idea, from a server security perspective, to install the ports when setting up a server from scratch or should one leave those out? I will be running a custom kernel, so I'll need the "source" files (correct???), but I'm wondering if I'd ever really need the ports? Any software (like Apache, etc.) can be installed from packages, right?

Comments?

Thank you,
Ed
 
Everything you build from ports(7) is checked with SHA256 checksums so that the distfiles downloaded are valid and authentic. There's no room for tampering with the sources as long as the distfiles pass the SHA256 validity checks. You will get a build error in case one of the distfiles doesn't pass the tests.
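The check described in the post above, sketched as an added example (not part of the thread and not the ports framework's own code): it parses a port's distinfo file and compares each SHA256 and SIZE entry against the files in a distfiles directory. The distinfo line format is an assumption stated in the code, and the file names and contents are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed distinfo line format: "SHA256 (name) = hex" and "SIZE (name) = bytes"
ENTRY = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {distfile: {"SHA256": hex, "SIZE": int}}; other lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            key, name, value = m.groups()
            entries.setdefault(name, {})[key] = int(value) if key == "SIZE" else value.lower()
    return entries

def verify(distinfo_text, distdir):
    """Map each listed distfile to ok / missing / size mismatch / checksum mismatch."""
    results = {}
    for name, want in parse_distinfo(distinfo_text).items():
        path = Path(distdir) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        digest, size = hashlib.sha256(), 0
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
                size += len(chunk)
        if size != want.get("SIZE", size):
            results[name] = "size mismatch"
        elif digest.hexdigest() != want.get("SHA256"):
            results[name] = "checksum mismatch"  # also hit when no SHA256 line exists
        else:
            results[name] = "ok"
    return results

def demo():
    """Constructed sample: one intact file, one altered on disk, one never fetched."""
    data = b"constructed distfile contents\n"
    lines = ["TIMESTAMP = 0"]
    for name in ("demo-a-1.0.tar.gz", "demo-b-1.0.tar.gz", "demo-c-1.0.tar.gz"):
        lines.append(f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}")
        lines.append(f"SIZE ({name}) = {len(data)}")
    with tempfile.TemporaryDirectory() as distdir:
        Path(distdir, "demo-a-1.0.tar.gz").write_bytes(data)
        Path(distdir, "demo-b-1.0.tar.gz").write_bytes(data.replace(b"d", b"x"))
        return verify("\n".join(lines), distdir)
```

The result is only as trustworthy as the distinfo file it is compared against, which lives in the ports tree itself.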
 
Thank you.

I guess what I'm asking (maybe I asked it in a confusing way) is if it puts the overall security of the server at risk by having the entire ports collection installed on the server? Does it "harden" the server (if even in a small way) by leaving the ports collection off when you install the OS?

Ed
 
The ports collection won't be the first (probably one of the last) thing an attacker would use to attack your system; they would instead try to upload a custom-made attack kit to the user account they have broken into and use that to search for more weak points in your system.
 
Great...thank you!

I would guess, for those people who run FreeBSD servers in a production environment, that most people may not have any accounts on the server other than root (and a highly complex password that gets changed regularly) that they SSH to in order to perform maintenance, etc.?

Ed
 
To answer just your question, the only thing having /usr/ports is going to do is waste space if you never use it. If you don't use it, it's just a bunch of worthless files with no inherent security risk in and of itself. If you do use it, as said before, the checksums help validate against tampering and you are at no more risk than the official build servers doing the same steps to create public packages.
 
Okay, I'll be that guy. In theory, having a ports tree present could increase the "attack surface". There are scripts in /usr/ports/Tools, there could be some type of compromise in a distfile in /usr/ports/distfiles that a user could extract into their own directory, there could be problems in the files directory of an individual port. I've never heard of problems with these, but can imagine it.

If you are concerned about this but still want to use ports, limit the exposure by putting the ports tree on a separate filesystem and leaving it unmounted by default.

And just to make the distinction, the "Ports Collection" or, informally, the ports tree, is just a directory of files, mainly Makefiles and other small text files, but also application distfiles. It does not include the built applications, just instructions for building them.
 
A script in /usr/ports/Tools that can be used maliciously or a trojaned tarball in /usr/ports/distfiles still needs some way to actually use it. If an untrusted user has access, of course there would be nothing to stop them from using these files. However, if that was the case, there may be nothing to stop them fetching the same file from the internet, compiling their own binary, or SCP'ing a file from their own machine. If not a local user, maybe it's some WordPress plug-in CVE of the week that allows executing something on the local machine. In either case there are a lot of "ifs" or specific issues that must be present to support malicious use. I think there is much more to gain security-wise by addressing securing applications and remote access and ensuring unauthorized users don't have access to start with, rather than worrying about such very specific circumstances.
 