Security suggestions ..

  • Rainer Wess
    Rainer Wess

    Hello freebsdfan,

    i have played a litte with my box (thewall.pc.pppoe.0.2) and have found a few improvements that may be interessing for you:

    Sorry, i'm a litte bit paranoid ;-)

    1. I have deleted all users except root and there wasn't any error message, everything worked in the same way as before, so i think the other users are useless  - so i suggest to make a note in the documentation or delete them in the downloadpackage.

    2. The file-permissions of most files could be more restrictiv:
       for example: they are  555 for all executable files in /stand - im not very familar with this, but is 500 enough?
                    666 for most files in /dev - is 600 enough?
                    and so on...

    3. Every boot creates a file "passwd" in /etc - there are no passwords in it, but the rights are 644 so an intruder knows already the account-names, with a password-generator it is only a question of time until he gets root-permissions in..

    4. It would be a nice hint in the documentation to change the name of the user root in the master.passwd to something else to improve security..

    5. the last rule in rc.firewall is:
       ${fwcmd} add deny ip any to any  - im not very familar with it and just because im not knowing which protocols are else supported by the kernel i have changed it to:
       ${fwcmd} add deny all any to any

       Or dosn't this make any difference?


    PS: I started translation of your documentation to german yesterday (README and EXAMPLE.PPPoE),
    when i'am ready (~ in 14 days) i will email it to you.