FreeBSD 主機自保指南

2. 

4. 





6. 






7. 
 # freebsd-update

 # pkg upgrade

 # portsnap fetch update
 # portmaster -a



8. 
 # pkg audit -F


9. 




10. /etc/rc.conf
pf_enable="YES" # PF ( )
pf_rules="/etc/pf.conf" # PF
pf_flags="" # pfctl
pflog_enable="YES" # pflogd(8)
pflog_logfile="/var/log/pflog" # pflogd
pflog_flags="" # pflogd

11. /etc/pf.conf
ext_if="em0"
table <ncu_addr> {140.115.0.0/16}
block in on $ext_if proto tcp from any to any port 1 >< 1023
block in quick on $ext_if proto tcp from any to any port = 139
block in quick on $ext_if proto tcp from any to any port = 445
block in quick on $ext_if proto udp from any to any port 137 >< 138
block in all
pass in on $ext_if proto tcp from <ncu_addr> to $ext_if port 22 keep
state
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass in on $ext_if proto tcp from any to any port = 80
pass in on $ext_if proto tcp from any to any port = 443

12. 
 /usr/share/examples/pf/pf.conf


 # pfctl -vnf /etc/pf.conf
References:
http://www.openbsd.org/faq/pf/filter.html
http://daemonforums.org/showthread.php?t=8145
http://undeadly.org/cgi?action=article&sid=20060927091645

13. 







14. 
 # touch /etc/hosts.deniedssh
 /etc/hosts.allow
 sshd : /etc/hosts.deniedssh : deny
ALL : ALL : allow

 /usr/local/etc/fail2ban/jail.conf
 /etc/pf.conf
 table <fail2ban> persist block quick proto tcp from
<fail2ban> to $ext_if port ssh

15. 

 phpMyAdmin


16. 

17. 

18. 

19. 
 http://dns.gov.ph/process/connection.php~
 http://dns.gov.ph/ajaxResponse/modReqs.php~

 http://<my_personal_blog>/wordpress.tar.gz
 http://example.com/.git/
Reference:
http://kawsing.blogspot.tw/2013/05/dnsweb-httpblog.html
http://denny0223.github.io/MOPCON-2014-LT-Slide/#1

20.  /var/log
 messages
 auth.log
 mail.log
 httpd-error.log
 httpd-access.log
 /etc/syslog.conf


21.  Logwatch /w crontab


22. 
 # ps -aux
 # top
 # netstat -a
 # sockstat
 # fstat /path/to/some/file (lsof)


23. 
 crontab


24. 

