Server security with FreeBSD

[c00kie]

Hi,

I'm coming from a shared host to the grown-up world of Unix servers with very little knowledge (experience) from a security standpoint. I've installed FreeBSD on a laptop at home. I run through commands (edit files) similar to this:

/etc/rc.conf

ifconfig_em0="inet my.ip.add.ress netmask 255.255.255.0"
default_router="myRouter.ip.add.ress"

# /etc/resolv.conf

nameserver nameserver.ip.add.ress
nameserver nameserver.ip.add.ress

# /etc/hosts

my.ip.add.ress localhost mymachine.example.com

# pkg_add -r apache22

# /usr/local/etc/apache22/http.conf

line 148:
 Servermame my.ip.add.ress:80
 
# /etc/rc.conf

apache22_enable="YES"
apache22_http_accept_enable="YES"

# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
Syntax OK
Starting Apache22

In browser, type "URL: my.ip.add.ress" - receive "It Works!" So it appears Apache is working fine on my laptop at home. For my own sanity my first question would be:

Is my laptop now open to all sorts of nasty things as it stands? DOS attacks etc.?

 

[kpa]

It depends on how your router is set up. If your local network is set up the usual way with private addresses (10/8 or 172.16/12 or 192.168/16 networks) and NAT you're mostly safe, at least from direct break in attempts from the internet. Denial of service attacks are still possible but the changes you get targeted with one are pretty low unless you make your web service publicly available.

 

[gkontos]

Is my laptop now open to all sorts of nasty things as it stands? DOS attacks etc...

If your laptop's webserver is accessible from the Internet then the short answer is yes.

 

[johnd]

You should set up a packet filter like ipfw(8) or pf(4). Basically you need to secure your OS as well as the applications (e.g. Apache).

Check out the Security Checklist and of course security(7) which should give you a basic outline.

 

[c00kie]

It depends on how your router is set up. If your local network is set up the usual way with private addresses (10/8 or 172.16/12 or 192.168/16 networks) and NAT you're mostly safe, at least from direct break in attempts from the internet. Denial of service attacks are still possible but the changes you get targeted with one are pretty low unless you make your web service publicly available.

Thanks. Yes some of those IP addresses that you quote look familiar: e.g private networks. What do you mean by making a web service publicly available?

Also, let's say I would like to save myself a few bob on hosting. I want to host low traffic web sites on my laptop. Is this a viable option? E.g. I'd register several domains and play around with DNS settings within FreeBSD. Does this have any further implications from a security standpoint?

 

[johnd]

By making a service publicly available, everyone is able to connect to this service. Do you want that to do with your Apache service?

Learn the difference between public and private IP addresses. The latter are not routed in the public Internet.

I want to host low traffic web sites on my laptop. Is this a viable option?

Yes.

E.g. I'd register several domains and play around with DNS settings within FreeBSD.

It´s not strictly necessary. You could also save some more money and use something like DynDNS. Your Notebook is connected to a Router which is connected to the Internet, right?

Does this have any further implications from a security standpoint?

I don´t think so. Read my post above.

 

[SirDice]

Keep in mind that most hacks happen on web applications. The server itself is normally not hacked, it's buggy and/or out-dated web applications that cause the most problems.

 

[c00kie]

That's given me a lot of information to go and digest. Many thanks.