Newbie Question; security logs

Kevin Kinsey kdk at daleco.biz
Wed Feb 16 15:11:21 PST 2005


crzdgns1 at starpower.net wrote:

>Hello,
>
>I have been checking my logs lately and find that a lot of access 
>attempts have been blocked.  That's good.  There are a ton of access 
>attempts, mostly from asia.  I am the only user on my computer, it is 
>my home computer and I just wanted to try the whole open source 
>phenomenon.  So far, I think IP firewall is blocking all unauthorized 
>attempts to login, but, well, I am a  newcomer to freebsd/unix/internet 
>security and want to be sure I am doing everything safely.  Some of 
>my log entries say "possible breakin attempt".  That made me kind of 
>uncomfortable too.  How do I evaluate whether or not my computer is 
>safe?
>
>Thanks
>
>Mark
>  
>

Hello, Mark

If you can redirect your question to questions at freebsd.org,
you will get a larger and more well-educated audience, and
perhaps some better responses.  Really, it's not supposed
to be here at all, I think.

The Handbook's "Security" chapter is required reading, I
should think.  IIRC, it's chapter 14.

You should not run any computer hooked directly to the
internet without a firewall.

Use good passwords.  Change them occasionally.  Note
any system accounts with no passwords in your daily "root"
emails.

You should keep your operating system up to date.  Quite
a bit of Handbook info on this as well.  Currently, "up to date"
is a freebsd version listed at www.freebsd.org/security, with
a kernel date later than the last security advisory (try "uname -a")
or **known** to have been patched for any vulnerabilities.

Subscribe to "freebsd-security-notifications at freebsd.org" ---
you'll get announcements from the security officer as soon
as any problems in the base OS are detected.  Sometimes
they are nice enough to advise of problems with many of
the most common software packages, but it's not an obligation
for them to do so.

Check the output of "netstat -anf inet".  If any servers are
listening on your outside interface, they shouldn't be, unless
you want them to be. If you have daemons listening to the
Internet, they are  available for anyone to connect to, unless
you deny access via a firewall or /etc/hosts.allow.  Needless to
say, you need to stay on top of any "bug notices" that come from
the suppliers of these programs.

Most of the log messages you see are from automated tools
searching for Linux installations with services protected
by lazy passwords.  Some could be more serious, but don't lose
heart!

One strategy for sshd: use /etc/hosts.allow, and deny access
to everyone (unless you need to be able to use this system
from outside).

If you are running ipfw (you mention it, but give few details),
try something like "ipfw add $n deny ip from any to me setup via $oif"
in your firewall rules, where $n is a low rule number (so this gets
placed before any accept rules) and $oif is your outward-facing
interface.

HTH,

Kevin Kinsey
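A small helper for the "netstat -anf inet" check described above, added here as an example and not part of Kevin's reply: it takes netstat output (a constructed sample is embedded, not a capture from a real host) and lists the sockets that would accept traffic on a non-loopback address, which is exactly the set to cross-check against the firewall and /etc/hosts.allow. It assumes a POSIX sh and awk.

```shell
#!/bin/sh
# Constructed sample of "netstat -anf inet" output on FreeBSD
# (illustrative only; addresses and ports are made up).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.5.22         203.0.113.7.51234      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  127.0.0.1.3306         *.*                    LISTEN
tcp4       0      0  192.168.1.5.80         *.*                    LISTEN
udp4       0      0  *.514                  *.*
udp4       0      0  127.0.0.1.123          *.*'

# reachable_listeners NETSTAT_TEXT
# Prints "proto port local-address" for every socket that can be reached
# from outside the box: TCP sockets in LISTEN, and every UDP socket (UDP
# rows have no state column), whose local address is not 127.x.x.x.
# Wildcard binds ("*") count as reachable because they cover the outside
# interface too.
reachable_listeners() {
    printf '%s\n' "$1" | awk '
        # Split "addr.port" on the last dot; report unless bound to loopback.
        function check(proto, local,    port, addr) {
            port = local; sub(/.*\./, "", port)
            addr = local; sub(/\.[^.]*$/, "", addr)
            if (addr !~ /^127\./) print proto, port, addr
        }
        /^tcp/ && $6 == "LISTEN" { check($1, $4) }
        /^udp/                   { check($1, $4) }
    '
}

# Typical use on a live system: reachable_listeners "$(netstat -anf inet)"
# On the sample this prints sshd, httpd and syslogd, but not the
# loopback-only sendmail, mysql and ntp sockets.
reachable_listeners "$SAMPLE_NETSTAT"
```

Anything this prints that you did not deliberately expose should be stopped in rc.conf, restricted in /etc/hosts.allow, or blocked by an ipfw rule placed before your accept rules.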

