-
April 28th, 2003, 09:09 AM
#1
FreeBSD Kernel ??
Well, I'm re-compiling my kernel and was wanting some opinions on good and bad features to use in the kernel ;-) Would like it to be a secure server.
Also, which is better for a web/mail server?
DNS - Name Server or a Caching Name Server
-
April 28th, 2003, 09:56 AM
#2
Re: FreeBSD Kernel ??
Originally posted here by phaza7
Well, I'm re-compiling my kernel and was wanting some opinions on good and bad features to use in the kernel ;-) Would like it to be a secure server.
Also, which is better for a web/mail server?
DNS - Name Server or a Caching Name Server
Just use the GENERIC kernel. Unless you have some exotic hardware in your machine.
Also take a look at man security.
As for the DNS server: set it up as a caching DNS (forward the requests to the DNS server(s) of your ISP) unless you want to run an authoritative DNS server for your own domains.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
April 28th, 2003, 11:47 AM
#3
Senior Member
Hi,
Instead of using the GENERIC kernel, comment out things that you don't have (customize the kernel) and try adding firewall support too.
BlackMask
-
April 28th, 2003, 12:10 PM
#4
Isn't ipf enabled in GENERIC?
The downside of running a custom kernel is that support/troubleshooting is harder/takes more time, trial/error...
My personal philosophy is why mess with generic if you don't need to?
Ammo
Credit travels up, blame travels down -- The Boss
-
April 28th, 2003, 12:23 PM
#5
You could create a really small kernel (just enough to get it to boot). Most stuff will get loaded by kldload anyway. This is also where your security risk (kernel-wise) will be. For a really secure kernel disable loadable kernel modules and compile everything you need static in the kernel.
You can also add the following to /etc/rc.conf:
kern_securelevel_enable="YES"
kern_securelevel="3"
See init(8) for more info about security levels.
Edit: Just took a look at GENERIC from 4.8-STABLE. There is no ipf or ipfilter in there. You will need to enable 1 or the other. See LINT for more info.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
April 28th, 2003, 01:58 PM
#6
Hi,
- If you wanna use IPFilter options, you need to customise your kernel by adding:
"options IPFILTER"
"options IPFILTER_LOG"
IPFilter uses a default accept stance. If you prefer a default deny stance, you can add the following:
"options IPFILTER_DEFAULT_BLOCK"
My FreeBSD's using IPFilter (FreeBSD 5) and IPFW (FreeBSD 4.8)
These options are not in the GENERIC kernel.
- I secure my kernel using this command:
# chflags schg /kernel   <<< This would keep anyone from replacing your kernel: "both intruder and you"
And if you want to unset this flag you need to run securelevel = -1 and do this command:
# chflags noschg /kernel
- I set my securelevel to 3
- I turn off "pseudo-device bpf" << it's used for packet sniffers and for the DHCP client and server. If you don't need any of those, turn this off.
Cheers
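A read-only check for the settings recommended across the posts above (the IPFILTER options, no bpf device, securelevel 3), added here as an example and not written by any poster in this thread. The function names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Audits a kernel config file and an rc.conf for the settings
# named in this thread. Paths are passed in; nothing on the system is changed.

# has_option FILE NAME: true if an uncommented "options NAME" line exists.
has_option() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|#|\$)" "$1"
}

# has_bpf FILE: true if bpf is compiled in ("pseudo-device bpf" on 4.x,
# "device bpf" on 5.x and later).
has_bpf() {
    grep -Eq '^[[:space:]]*(pseudo-)?device[[:space:]]+bpf([[:space:]]|#|$)' "$1"
}

# rc_value FILE KEY: print the last uncommented value of KEY, quotes stripped.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" |
        tail -n 1
}

# audit KERNCONF RCCONF: print one finding per line; status 1 if any finding.
audit() {
    found=0
    for opt in IPFILTER IPFILTER_LOG IPFILTER_DEFAULT_BLOCK; do
        has_option "$1" "$opt" || { echo "missing: options $opt"; found=1; }
    done
    if has_bpf "$1"; then echo "present: bpf device"; found=1; fi
    [ "$(rc_value "$2" kern_securelevel_enable)" = "YES" ] ||
        { echo "not enabled: kern_securelevel_enable"; found=1; }
    level=$(rc_value "$2" kern_securelevel)
    case $level in -1|[0-3]) ;; *) level=-1 ;; esac   # unset or junk counts as -1
    [ "$level" -ge 3 ] || { echo "securelevel below 3: $level"; found=1; }
    return "$found"
}

# Constructed sample input (not taken from a real host).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'options   IPFILTER' '#options  IPFILTER_LOG' \
        'pseudo-device   bpf   # Berkeley packet filter' > "$d/MYKERNEL"
    printf '%s\n' 'kern_securelevel_enable="YES"' 'kern_securelevel="1"' > "$d/rc.conf"
    audit "$d/MYKERNEL" "$d/rc.conf"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || true
```

Commented-out lines are ignored on purpose, so an option left behind a `#` is reported as missing.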
-
April 29th, 2003, 04:38 PM
#7
thanks, not generic, I roll my own
generic doesn't sound secure
thanks for the help