Dear friends,
I would like to write a paper about setting up a hardened FreeBSD administration station.
This is for use in companies or in administration to provide "wide-defense" (in French "défense en profondeur"), allowing some time to react.
This setup is not intended to stop any government attack (I don't think this is possible), only casual hacks:
- The admin station is a small laptop (e.g. a 200€ laptop) with networking disabled and wireless/Bluetooth removed. The admin station communicates with the gateway using a serial console. It boots encrypted.
- The admin "gateway" is a small BeagleBone Black station connected using serial. One serial "in" and one serial "out". I have such a cape for the BeagleBone. The gateway boots from a read-only CD to minimize the risk of infection.
I was thinking of:
* installing FreeBSD 11.1 minimal.
* dropping any incoming connection (pf), filtering outgoing connections (pf), shutting down/uninstalling any service.
* setting up a user account with access to cu and the ssh client only. This account should be locked down.
* jailing this account.
* using a smartcard to store SSH keys and various certs (will be using OpenSC) to avoid keyloggers and other goodies.
* connecting to the network only when needed for admin purposes, then shutting down.
I don't need to copy infected material onto my laptop (which would make things way more complicated).
Any ideas or papers appreciated.
Kind regards,
French Fries
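As an added example (not the poster's configuration), here is a pf.conf that implements the "drop everything inbound, filter outbound" policy described in the post: no service is reachable, and the station may only open SSH to the hosts it administers plus DNS to one resolver. The interface name em0, the administered hosts 192.0.2.10 and 192.0.2.20, and the resolver 192.0.2.53 are assumed placeholders.

```pf
# /etc/pf.conf for the admin station (added example, not the poster's own file).
# Assumptions: the only NIC is em0; 192.0.2.10 and 192.0.2.20 are the hosts
# being administered; 192.0.2.53 is the recursive resolver. Replace as needed.
ext_if      = "em0"
admin_hosts = "{ 192.0.2.10, 192.0.2.20 }"
dns_server  = "192.0.2.53"

set block-policy drop      # drop silently: no RST/ICMP answers to a scanner
set skip on lo0            # loopback is never filtered

scrub in all               # normalise fragments and odd packets before rules run

# Default for both directions: block and log, so anything unexpected
# (including a new outbound connection from unwanted software) shows up
# on pflog0 and can be reviewed with: tcpdump -n -e -ttt -i pflog0
block log all

# No inbound pass rules at all: the station runs no services, so nothing
# can be reached even if a daemon is accidentally started.

# Outbound: SSH only to the administered hosts, DNS only to our resolver.
# "flags S/SA" means only a SYN may create state; "keep state" lets the
# replies back in without any inbound rule.
pass out quick on $ext_if proto tcp from ($ext_if) to $admin_hosts port 22 flags S/SA keep state
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to $dns_server port 53 keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then enable with `pf_enable="YES"` and `pflog_enable="YES"` in /etc/rc.conf so the blocked traffic is actually recorded.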