GreasyDaemon.com - Your Guide to BSD Unix
Securing a BSD System

The Unix security model has been developed over the last 30 years. It is rigid and well understood, and a freshly installed BSD Unix system is already reasonably secure, although you will usually want to take further steps to lock it down. There are many techniques you can use to secure your BSD system.

The most important step is to define a security policy. How do you intend to allow people to use the new system? Will you allow plain telnet or any shell accounts? Will you use tcp wrappers, a firewall, or both? Will you have a Terms of Service agreement between yourself and your users that defines the proper use of the system? Once you have a clear plan for how the system will be run, you can lay out your plan of implementation. Once your security policy is in place, make it available so that everyone who uses the system is aware of it.

Security is a vague concept. What does it mean to be secure? The fine O'Reilly book Essential System Administration defines security as having the system remain in the state that you expect. Did you install that program or delete that file? If your system is doing things you do not expect, you should assume it is not secure even if you have not been hacked. If you have a user on the system who has root access but does not follow the security policy closely, or does not keep you up to date on the changes she is making, you will have problems. You want to ensure that you have control over the system. Your policy must be enforced, and as the system administrator you must know what is happening on your system.

How to Get to Secure

If you want to be secure immediately upon installing the system, seriously consider OpenBSD. Its secure-by-default goal gives you the assurance that you will be secure from day one; you then turn on only the features you need. If you choose another OS, like FreeBSD or NetBSD, you may have a little extra work to do before your new system complies with your security policy.

A common first step for non-OpenBSD systems is to install SSH directly after the install. Recently SSH has become integrated into the BSD systems, so you may not have to take the extra step of installing it. What you will have to do is configure it to start at boot time. You will also want to turn off plain telnet, since it does not maintain a secure connection the way SSH does. For those not familiar with SSH, it is to shell access what SSL is to a web browser: it keeps the connection encrypted from login until the connection is closed. Not allowing plain telnet access goes a long way toward making your box more secure.

Next you will want to tweak several other key subsystems. The inet daemon is one place to keep a watchful eye on. Do you need the telnet, finger, nntp or popd servers running on this new box? If it is simply a web server, you can turn them off. If it is a mail server, then be sure to have pop3 access enabled. Typically, very secure systems turn off everything that is not absolutely necessary. That means finger is never enabled.

Secure inetd itself with a few extra command-line flags. Several flags that are off by default add extra protection. In FreeBSD I altered the inetd flags to be the following:

inetd_flags="-wW -c 30 -C 30"

Read the man page on inetd (man inetd) for a full explanation of these flags. Basically these flags tell inetd to use tcp wrappers for both internal and external services, to cap how many instances of each service may run at once, and to limit how many connections a single IP address may make to a service within a given period. I have it set to 30 connections in 30 seconds and to only allow 30 instances of a service to run at a time. My system typically has only 5 to 10 ftp or other services running at a time, so 30 is a good limit for me. If anyone has problems connecting, I will know that some automated system may be attempting to break into my server.
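The inetd.conf and rc.conf review described above can be scripted so that the result is inspected before anything on the live system changes. The following is an added example written for this page, not code from the original article or from any BSD project. It assumes the standard seven-field inetd.conf layout (service, socket type, protocol, wait/nowait, user, program, arguments), uses a constructed sample file rather than a real /etc/inetd.conf, and the popper path and the ALLOWED list are assumptions to adjust to your own security policy. It also checks an rc.conf-style text for the two settings the article recommends, sshd started at boot and inetd run with the wrapper flags.

```shell
#!/bin/sh
# Added example (not from the original article): produce a hardened copy of
# an inetd.conf so every service not on an allowlist is commented out, and
# check rc.conf for sshd_enable and wrapper flags on inetd.
set -u

# Services that stay enabled; adjust to your security policy. The default
# reflects the article's mail-server case: pop3 stays, telnet and finger go.
ALLOWED="${ALLOWED:-pop3 ftp}"

# Constructed sample in /etc/inetd.conf format (not a real system file;
# the popper path is an assumption).
SAMPLE_INETD_CONF='# constructed sample, not a real /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper  popper
#ntalk  dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd'

# Return 0 if service $1 appears in the whitespace-separated ALLOWED list.
is_allowed() {
    for svc in $ALLOWED; do
        [ "$svc" = "$1" ] && return 0
    done
    return 1
}

# Read inetd.conf text on stdin, write a hardened copy to stdout: active
# lines whose first field (the service name) is not allowed get a leading
# '#', everything else is passed through unchanged.
harden_inetd_conf() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '#'*)
                printf '%s\n' "$line"          # already disabled
                ;;
            *)
                svc=$(printf '%s\n' "$line" | awk '{print $1}')
                if [ -z "$svc" ] || is_allowed "$svc"; then
                    printf '%s\n' "$line"      # blank line or allowed service
                else
                    printf '#%s\n' "$line"     # disable unneeded service
                fi
                ;;
        esac
    done
}

# Count the services still enabled in inetd.conf text read from stdin.
count_enabled() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' || true
}

# Read rc.conf-style text on stdin and report whether sshd is enabled at
# boot and inetd carries the -w or -W wrapper flag. Prints "ok" and
# returns 0 when both are set, otherwise lists what is missing.
check_rc_conf() {
    conf=$(cat)
    missing=""
    printf '%s\n' "$conf" | grep -q '^sshd_enable="YES"' || missing="$missing sshd_enable"
    printf '%s\n' "$conf" | grep -q '^inetd_flags=".*-[wW]' || missing="$missing inetd_flags"
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# Demo: print the hardened sample when run as "sh harden.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INETD_CONF" | harden_inetd_conf
    printf '%s\n' "$SAMPLE_INETD_CONF" | harden_inetd_conf | count_enabled
fi
```

To use it against a real system, run harden_inetd_conf on a copy of /etc/inetd.conf, diff the copy against the original, and only then install it and signal inetd to reread its configuration; the script never writes to /etc itself.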

After you have taken these first few steps you can move on to other core services like Sendmail, Bind and Apache. Any add-on service that is not integrated into your system may have security holes of its own, and those holes may provide a way for someone to crack into your system. To keep up to date on newly discovered security holes, which appear all the time, you can use CERT. It is a very useful resource. You can also join mailing lists that will send you updates on various components of your system from time to time. But the best way to ensure all add-on systems are secure is to know their status when you install them and to keep them close to the most recent version. You may not want to install the most recent version on your most vital system; instead, try it out on a secondary system for a while to see how it behaves. Typically security holes are found and patched within the first few months of a new major release. Small incremental releases of a program typically offer security patches and performance enhancements.

Finally, your best bet in securing a system is experience. The better you know your system, with all its quirks and features, the better you will be able to control and monitor it. Take the time to read up on key parts of your new system. Join a couple of mailing lists and read a few threads from time to time. You will learn a lot. Before too long you will be a security guru, and you will be helping people on those same mailing lists.
