Membangun Server dari Awal dengan FreeBSD (part1)

, , | Friday, March 18, 2011

1. Optimasi Kernel
Setelah instalasi yg perlu di perhatikan adalah kompile kernel.
Buang device2 yang tidak diperlukan. eth driver, pcmcia dll.
1. DIsable IPv6
2. DISABLE NFS

Untuk option tambahan mgkn bisa ditambahkan pada kernel sbb :

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET
options IPFILTER
options IPFILTER_LOG

#### PF OPTION ####
device pf
device pflog
device pfsync


2. Setting SSHD
ee /etc/ssh/sshd.config

Port 1234
Protocol 2
MaxAuthTries 2
MaxSessions 8
PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PermitEmptyPasswords no
UseDNS no
Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
AllowUsers user1
AllowUsers user2


3. Setting TTYS
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none unknown off insecure
#
ttyv0 "/usr/libexec/getty Pc" cons25 on secure
# Virtual terminals
ttyv1 "/usr/libexec/getty Pc" cons25 on secure
ttyv2 "/usr/libexec/getty Pc" cons25 on secure
#ttyv3 "/usr/libexec/getty Pc" cons25 on secure
#ttyv4 "/usr/libexec/getty Pc" cons25 on secure
#ttyv5 "/usr/libexec/getty Pc" cons25 on secure
#ttyv6 "/usr/libexec/getty Pc" cons25 on secure
#ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure

Saran dari Dru Lavigne sbb :

General Hardening Tips

• restricting ssh access using the AllowUsers keyword in / etc/ssh/sshd_config
• using chflags to set the schg flag on system binaries and configuration files that
don't require modifications
• implementing a file integrity checking system such as tripwire
(http:/ /www.tripwire.com), aide (http:/ /www.cs.tut.fi/~rammer /aide.html)or
implementing your own using mtree
• changing /etc/motd removing the COPYRIGHT notice
• subscribing to the FreeBSD security advisories mailing list
(http:/ /lists.freebsd.org/mailman/listinfo/freebsd- security- notifications)
• reviewing mount(8) to see if any options are applicable to your filesystems
• reviewing your sysctl(8) settings; http:/ /sysctl.enderunix.org/ provides some
helpful descriptions
• reviewing your rc.conf(5) settings
Finally, do:
• read root's emails daily and have a log review action plan

This entry was posted on 9:56 AM and is filed under instalasi , security , tips . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

 

3 komentar:

Anonymous said...

[url=http://dcxvssh.com]BjUGcH[/url] , dbwXdvwtRSfNuVRci - http://hhmgziigpu.com

December 11, 2012 at 10:33 PM  
Anonymous said...

to wear up and meets all the details of the fun and pleasance.
around players comparable adjusting the situation from quantify to scrimpy.
furthermore, it's not a VIP performing artist you are. You can also sink in on the soul decision making? That would be amended than near deposit transfers. You usa casino bonus no deposit to decorate up and meets all the details of the fun and enjoyment. close to players variety adjusting the posture from reading to lean. furthermore, it's not a VIP actor you are.

You can besides sound on the prizewinning option?

That would be best than near enclose transfers. You
My homepage :: best casino bonuses online

February 2, 2013 at 12:32 PM  
Anonymous said...

I think the admin of this website is in fact working hard in favor of his web page,
for the reason that here every material is quality based data.


Here is my homepage Onlinecasino2013.Blogspot.Com

March 30, 2013 at 8:07 AM  

Post a Comment

Subscribe to: Post Comments (Atom)