Lines Matching +full:8 +full:- +full:way
25 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
47 multi-user systems have some inherent security, the job of building and
60 As yesterday's mini-computers and mainframes
74 .Bl -enum -offset indent
89 Typically, DoS attacks are brute-force mechanisms that attempt
99 Brute-force network attacks are harder to deal with.
100 A spoofed-packet attack, for example, is
110 .Xr ftpd 8
114 The result is that if you have any moderate-sized user base,
116 (which is the most common and convenient way to log in to a system)
137 may find a bug in a root-run server and be able to break root over a network
138 connection to that server, or the attacker may know of a bug in an SUID-root
141 If an attacker has found a way to break root on a machine,
146 This gives you a convenient way to detect the attacker.
152 Security remedies should always be implemented with a multi-layered
155 .Bl -enum -offset indent
159 Securing root \(em root-run servers and SUID/SGID binaries
196 .Xr sshd 8 ,
209 One way to make root accessible is to add appropriate
256 An indirect way to secure the root account is to secure your staff accounts
259 This way an intruder may be able to steal the password
265 .Xr kerberos 8
279 .Xr ssh-keygen 1 .
281 to star-out the passwords for staff accounts also guarantees that staff
295 at all, and you should run a password-protected screen blanker.
299 consider the fact that the vast majority of break-ins occur remotely, over
311 re-passwording restrictions with Kerberos: not only can a Kerberos ticket
315 .Sh SECURING ROOT \(em ROOT-RUN SERVERS AND SUID/SGID BINARIES
317 Be aware that third party servers are often the most bug-prone.
320 .Xr imapd 8
322 .Xr popper 8 Pq Pa ports/mail/popper
330 .Xr talkd 8 ,
331 .Xr comsat 8 ,
333 .Xr fingerd 8
345 .Xr sshd 8
352 .Xr talkd 8 ,
353 .Xr comsat 8 ,
355 .Xr fingerd 8
364 .Xr sendmail 8 ,
365 .Xr popper 8 ,
366 .Xr imapd 8 ,
367 .Xr ftpd 8 ,
374 servers as root and rely on other mechanisms to detect break-ins that might
377 The other big potential root holes in a system are the SUID-root and SGID
386 the system-default SUID and SGID binaries can be considered reasonably safe.
402 If an intruder can break an SGID-kmem binary the
418 program or emulator with a keyboard-simulation feature, the intruder can
425 draconian access restrictions on your staff and *-out their passwords, you
437 The only sure fire way is to *-out as many passwords as you can and
444 attacker cannot obtain root-write access.
478 .Xr kldload 8 .
486 .Xr sysctl 8
515 read-only.
517 what you attempt to protect may prevent the all-important detection of an
521 Any super-user process can raise the level, but no process
524 .Bl -tag -width flag
525 .It Ic -1
526 Permanently insecure mode \- always run the system in insecure mode.
529 Insecure mode \- immutable and append-only flags may be turned off.
532 Secure mode \- the system immutable and system append-only flags may not
555 Highly secure mode \- same as secure mode, plus disks may not be
561 .Xr newfs 8
562 while the system is multi-user.
569 Network secure mode \- same as highly secure mode, plus
571 .Xr ipfw 8 ,
574 .Xr pfctl 8 )
607 The best way to detect an incursion is to look for modified, missing, or
611 limited-access system.
612 Writing your security scripts on the extra-secure limited-access system
615 limited-access box significant access to the other machines in the business,
616 usually either by doing a read-only NFS export of the other machines to the
617 limited-access box, or by setting up SSH keypairs to allow the limited-access
623 limited-access server is connected to the client boxes through a switch,
625 If your limited-access server
627 of routing, the NFS method may be too insecure (network-wise) and using SSH
628 may be the better choice even with the audit-trail tracks that SSH lays.
630 Once you give a limited-access box at least read access to the client systems
640 the client-box files boxes at least once a
647 information the limited-access machine knows is valid, it should scream at
667 .Xr sshd 8
687 .Xr mount 8 )
690 week, since the object of this layer is to detect a break-in whether or
691 not the break-in is effective.
695 .Xr accton 8 )
696 is a relatively low-overhead feature of
697 the operating system which I recommend using as a post-break-in evaluation
701 the break-in occurs.
708 break-in.
709 One way to keep a permanent record of the log files is to run
728 .Bl -enum -offset indent
741 .Xr inetd 8
748 .Xr inetd 8
755 Note that spoofed-IP attacks will circumvent
759 .Xr inetd 8 ,
761 Some standalone servers have self-fork-limitation parameters.
764 .Xr sendmail 8
769 .Xr sendmail 8 Ns 's
775 .Xr sendmail 8
781 .Xr sendmail 8
788 separate from the queue-runs
790 If you still want real-time delivery you can run the queue
796 .Xr sendmail 8
800 .Xr syslogd 8
809 with connect-back services such as tcpwrapper's reverse-identd, which can
811 You generally do not want to use the reverse-ident
818 services from network-based root compromise.
824 ports A, B, C, D, and M-Z
829 .Xr talkd 8 ,
830 .Xr sendmail 8 ,
831 and other internet-accessible services.
839 high-numbered port range on the firewall to allow permissive-like operation
854 internet-accessible ports, of course).
889 .Xr inetd 8
903 .Xr inetd 8 Ns -internal
944 key-forwarding in the SSH configuration, or that you make use of the
960 with backwards-compatibility shims to accept the existing names.
963 For that reason the previous names remain the canonical way to set the
968 .Bl -tag -width security.bsd.unprivileged_proc_debug
981 sub-jails.
991 Controls availability of the process debugging facilities to non-root users.
997 Tunable, amd64-only.
999 tables are sanitized to prevent so-called Meltdown information leak on
1010 cross-process ret2spec attacks.
1027 Controls force-flush of L1D cache on return from syscalls which report
1042 Controls force-flush of L1D cache on NMI;
1061 and do not serialize off-core memory accesses.
1063 Controls system-global Address Space Layout Randomization (ASLR) for
1064 normal non-PIE (Position Independent Executable) 32-bit ELF binaries.
1068 mode, also affected by the per-image control note flag.
1070 Controls system-global Address Space Layout Randomization for
1071 position-independent (PIE) 32-bit binaries.
1076 Enable randomization of the stack for 32-bit binaries.
1080 ASLR control for 64-bit ELF binaries.
1082 ASLR control for 64-bit ELF PIEs.
1084 ASLR sbrk compatibility control for 64-bit binaries.
1086 Controls stack address randomization for 64-bit binaries.
1088 Enables non-executable stack for 32-bit processes.
1091 Enables non-executable stack for 64-bit processes.
1094 32-bit processes.
1097 64-bit processes.
1108 .Xr xdm 1 Pq Pa ports/x11/xorg-clients ,
1112 .Xr accton 8 ,
1113 .Xr init 8 ,
1114 .Xr sshd 8 ,
1115 .Xr sysctl 8 ,
1116 .Xr syslogd 8 ,
1117 .Xr vipw 8