Well, I'm re-compiling my kernel and was wanting some opinions on good and bad features to use in the kernel;-) Would like it to be a secure server.
Also, which is better for a web/mail server.
DNS - Name Server or a Caching Name Server :D
Just use the GENERIC kernel, unless you have some exotic hardware in your machine.
Quote:
Originally posted here by phaza7
Well, I'm re-compiling my kernel and was wanting some opinions on good and bad features to use in the kernel;-) Would like it to be a secure server.
Also, which is better for a web/mail server.
DNS - Name Server or a Caching Name Server :D
Also take a look at man security.
As for the DNS server: set it up as a caching DNS (forward the requests to the DNS server(s) of your ISP) unless you want to run an authoritative DNS server for your own domains.
Hi,
Instead of using the GENERIC kernel, comment out things that you don't have (customize the kernel) and try adding firewall support too.
BlackMask
Isn't ipf enabled in GENERIC?
The downside of running a custom kernel is that support and troubleshooting are harder and take more time (trial and error)...
My personal philosophy is why mess with generic if you don't need to?
Ammo
You could create a really small kernel (just enough to get it to boot). Most stuff will get loaded by kldload anyway. This is also where your security risk (kernel-wise) will be. For a really secure kernel, disable loadable kernel modules and compile everything you need statically into the kernel.
You can also add the following to /etc/rc.conf:
kern_securelevel_enable="YES"
kern_securelevel="3"
See init(8) for more info about security levels.
Edit: Just took a look at GENERIC from 4.8-STABLE. There is no ipf or ipfilter in there. You will need to enable one or the other. See LINT for more info.
Hi,
- If you want to use IPFilter, you need to customise your kernel by adding:
"options IPFILTER"
"options IPFILTER_LOG"
IPFilter uses a default accept stance. If you prefer a default deny stance, you can add the following:
"options IPFILTER_DEFAULT_BLOCK"
My FreeBSD systems use IPFilter (FreeBSD 5) and IPFW (FreeBSD 4.8).
These options are not in the GENERIC kernel.
- I secure my kernel using this command:
# chflags schg /kernel <<< This keeps anyone from replacing your kernel, "both intruder and you".
And if you want to unset this flag you need to be running at securelevel -1 and do this command:
# chflags noschg /kernel
- I set my securelevel to 3
- I turn off "pseudo-device bpf" << it's used for packet sniffers and for the DHCP client and server. If you don't need any of those, turn this off.
Cheers
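An audit helper for the hardening points raised in the last two replies (the IPFilter options GENERIC lacks, bpf still compiled in, the securelevel requested in rc.conf). This is added example code, not from the thread or from FreeBSD; the function names kernel_config_check, rc_securelevel and demo are my own, and it takes the kernel config and rc.conf as file arguments so it can be run on the constructed samples below without a FreeBSD box.

```shell
#!/bin/sh
# Added audit helper, not code from the thread: checks a FreeBSD kernel config
# and an rc.conf against the hardening points above. Paths are arguments, so it
# runs on constructed samples as well as the real files.

# kernel_config_check CONFIG: prints one line per finding; exit status 0 only if
# all three IPFILTER options are present and bpf is absent.
kernel_config_check() {
    cfg=$1; status=0
    for opt in IPFILTER IPFILTER_LOG IPFILTER_DEFAULT_BLOCK; do
        # anchored at both ends so "options IPFILTER" does not satisfy IPFILTER_LOG
        if grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|$)" "$cfg"; then
            echo "ok: options $opt"
        else
            echo "missing: options $opt"; status=1
        fi
    done
    # commented-out lines begin with '#', so the ^ anchor skips them
    if grep -Eq "^[[:space:]]*(pseudo-)?device[[:space:]]+bpf([[:space:]]|$)" "$cfg"; then
        echo "present: bpf (only needed for packet sniffers and DHCP)"; status=1
    else
        echo "ok: bpf not compiled in"
    fi
    return $status
}

# rc_securelevel RC_CONF: echoes the securelevel rc.conf will ask init(8) for:
# kern_securelevel when kern_securelevel_enable is YES, otherwise -1 (the default).
rc_securelevel() {
    enable=$(sed -n 's/^kern_securelevel_enable="*\([A-Za-z]*\)"*.*/\1/p' "$1" | tail -n 1)
    level=$(sed -n 's/^kern_securelevel="*\(-*[0-9][0-9]*\)"*.*/\1/p' "$1" | tail -n 1)
    case $enable in
        [Yy][Ee][Ss]) echo "${level:--1}" ;;
        *)            echo "-1" ;;
    esac
}

# demo: run both checks on constructed samples (a custom config that still lacks
# IPFILTER_DEFAULT_BLOCK, and the rc.conf lines quoted in the thread).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'ident SECURE' 'options IPFILTER' 'options IPFILTER_LOG' \
        '#pseudo-device bpf' > "$tmp/SECURE"
    printf '%s\n' 'kern_securelevel_enable="YES"' 'kern_securelevel="3"' > "$tmp/rc.conf"
    kernel_config_check "$tmp/SECURE" || echo "config needs attention"
    echo "securelevel requested at boot: $(rc_securelevel "$tmp/rc.conf")"
    rm -rf "$tmp"
}
demo
```

Point kernel_config_check at your own config under /usr/src/sys/i386/conf and rc_securelevel at /etc/rc.conf to audit a real box; the chflags schg state of /kernel is not covered and is checked with ls -lo.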
:cool: thanks, not GENERIC, I roll my own
GENERIC doesn't sound secure
thanks for the help :D