On Tuesday 07 March 2006 23:42, Peter wrote:
> Hi. I've set up several firewalls with OpenBSD but I have yet to go to
> any extremes regarding "hardening". So far I have updated the source
> (stable), recompiled the system & kernel, removed the source code,
> turned off inetd, and set up a tight pf.conf. I have been reading up
> on an interesting strategy of removing tons of executables, storing
> them on a cd, and setting up symlinks to the cd mount point so they can
> be accessed when needed.
>
Of course now when you have a problem and need your diagnostic tools. Or for that matter if you need to apply a security patch you are going to have lots of fun updating the system.

Restrict connections to the localhost to only absolutely necessary services, restrict sshd access (and use ssh-keygen to create keypairs), and of course only give access to the console to trusted persons. Doing this, as well as keeping up to date on the security patches, will keep your system's risk to a minimum. Don't forget that if someone is good enough to gain access to your system, odds are they are smart enough to copy the code and compiler that they need to completely root the system.

Tim Donahue