On Wed, Jan 5, 2011 at 1:48 PM, Mark Moellering <[email protected]> wrote:
> That's an excellent point. A span port from the upstream switch/router
>
> Since I am going to be setting up a mail server sometime next week and have
> to keep things like this in mind;
> would it make sense to run pf and block all outbound traffic that isn't on
> port 25 (port 995, etc.) and force any web administration programs onto a
> port other than 80 to help with this sort of thing? Any other thoughts on
> how to make sure future installations can be kept secure?
>
> As always, thanks in advance to everyone,
>

That's a great example of when jails should be used. I put each service into its own jail, e.g. MTA, FTP, www. Actually I use something like pound, then put each different website in its own jail. Make sure each database-backed service has separate logins/passwords. Then if something like phplist or an MTA is compromised, the host OS and utilities can still be trusted, in theory at least. Also a managed port can help you deal with issues by tracking stat metrics/port mirroring/etc.

You can use something like ezjail to make administration tasks easier, and if you isolate the jail FSs (UFS/ZFS), make use of the snapshotting utilities. There are a couple of utilities in ports to help automate snapshots too.

--
Adam Vande More
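The outbound allowlist and admin-port move that Mark asks about, written out as a pf.conf fragment. This is an added example, not from either poster; the interface name, the management network and the alternate admin port are assumptions, and the allowed destination ports are just the ones named in the thread (25 and 995), plus DNS, which an MTA needs to deliver mail at all.

```pf
# /etc/pf.conf fragment for a FreeBSD mail host (added example, not from the thread)
ext_if    = "em0"            # assumption: external interface
admin_net = "192.0.2.0/24"   # constructed: management network allowed to reach the admin UI
admin_port = "8443"          # assumption: web administration moved off port 80

set skip on lo0

# Default deny in both directions; logged so a compromised jail trying to
# reach out (spam relay, reverse shell, package fetch) shows up in pflog.
block log all

# Outbound: only what the MTA needs.  Anything else from a jail is dropped.
pass out on $ext_if proto tcp to any port { 25, 995 } keep state
pass out on $ext_if proto udp to any port 53 keep state

# Inbound: SMTP from anywhere, the admin UI only from the management network
# and only on the non-80 port.  Nothing answers on 80 at all.
pass in on $ext_if proto tcp to ($ext_if) port 25 keep state
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port $admin_port keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; watch `tcpdump -n -e -ttt -i pflog0` for a while after enabling, since the blocked-outbound log is where a compromised service first becomes visible.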
