Bot? / pf question
Adam Vande More
amvandemore at gmail.com
Wed Jan 5 20:05:20 UTC 2011
On Wed, Jan 5, 2011 at 1:48 PM, Mark Moellering <mark at msen.com> wrote:
> That's an excellent point. A span port from the upstream switch/router
>
> Since I am going to be setting up a mail server sometime next week and have
> to keep things like this in mind;
> would it make sense to run pf and block all outbound traffic that isn't on
> port 25 (port 995, etc.) and force any web administration programs onto a
> port other than 80 to help with this sort of thing? Any other thoughts on
> how to make sure future installations can be kept secure?
>
> As always, thanks in advance to everyone,
>
That's a great example of when jails should be used. I put each service into
its own jail, e.g. MTA, FTP, www. Actually I use something like pound, then
put each different website in its own jail. Make sure each database-backed
service has separate login/passwords. Then if something like phplist or an
MTA is compromised, the host OS and utilities can still be trusted, in theory
at least.
Also a managed port can help you deal with issues by tracking stat
metrics/port mirroring/etc.
You can use something like ezjail to make administration tasks easier, and if you
isolate the jail FSs (UFS/ZFS), make use of the snapshotting utilities.
There are a couple of utilities in ports to help automate snapshots too.
--
Adam Vande More
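A pf.conf along the lines of what Mark asks about (default deny, outbound limited to what mail delivery needs, web administration moved off port 80), as an added example and not a ruleset from the thread; the interface name em0, the admin network, the DNS server address and the 8443 admin port are assumptions:

```pf
# /etc/pf.conf for a single-purpose mail server (assumed names: em0,
# admin_net, dns_servers, admin port 8443; all addresses are constructed)
ext_if      = "em0"
admin_net   = "{ 192.0.2.0/24 }"   # constructed: where admins connect from
dns_servers = "{ 192.0.2.53 }"     # constructed: resolver used for MX lookups
mail_in     = "{ 25, 995 }"        # SMTP in, POP3S in (the ports named above)
admin_port  = "8443"               # web administration relocated from port 80

set skip on lo0
set block-policy drop

# Default deny in both directions. Logging the drops means a compromised
# service trying to reach out on an arbitrary port shows up on pflog0.
block log all

# Inbound: only the mail services, plus the admin interface from admin_net.
pass in on $ext_if proto tcp to ($ext_if) port $mail_in flags S/SA keep state
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port $admin_port \
    flags S/SA keep state

# Outbound: SMTP delivery and the lookups it cannot work without.
pass out on $ext_if proto tcp to any port 25 flags S/SA keep state
pass out on $ext_if proto { tcp, udp } to $dns_servers port 53 keep state
pass out on $ext_if proto udp to any port 123 keep state   # NTP, optional

# Anything else outbound (80/443 fetches, IRC, random high ports) falls
# through to the "block log all" rule and is dropped and logged.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch drops with `tcpdump -n -e -ttt -i pflog0`; since classic jails share the host's network stack, these host rules also bound what a compromised jailed service can reach.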