Absolute BSD - The Ultimate Guide To FreeBSD (2002).pdf

Script Kiddies

The most numerous attackers are script kiddies. Script kiddies are not sysadmins. They are not skilled. They download small attack programs that work on a point-and-click basis and go looking for people to attack. They're the equivalent of drive-by shooters looking for easy pickings. Fortunately, script kiddies are particularly easy to protect against; you simply have to keep your system and server programs' patches up to date.

Disaffected Users

The second group causes the majority of security problems: your own users. The fact is, disaffected employees cause most security breaches because they're most likely to know where your security holes are. For example, you might have all your servers patched, but if you have a modem in the back closet that lets anyone who knows the password into the network behind your firewall, you're in trouble.

The best way to stop people like these is to not be sloppy. When someone leaves the company, change all passwords, and tell all employees that the person has left and not to share information with that person. And get rid of the unsecured modem, or the undocumented telnet server, or whatever other hurried hack you put into place thinking that nobody would ever find it.

Skilled Attackers

The last group is actually dangerous: skilled attackers. These are competent systems administrators, security researchers, and penetration specialists who want specific information from your company. If one of these people wants into your systems, they can probably get there.

Still, the proper security measures that will stop the first two groups of people can change the tactics that the skilled attacker must use. Rather than breaking into your computers over the network, he'll have to show up at the door dressed as a telephone company repairman lugging a packet sniffer, or dumpster-dive searching for old sticky notes with passwords scribbled on them. This raises his exposure dramatically, and can even make a break-in more trouble than it's worth.

RANT You'll frequently hear the word "hacker" used to describe people who break into computers. This word has different meanings depending on the speaker. In the technical world, a hacker is someone who is interested in the inner workings of technological systems. Some hackers are interested in everything, some have a narrow area of interest—such as computers. In the FreeBSD community, "hacker" is a title of respect. The main FreeBSD technical list is called FreeBSD-hackers. In the popular media, a hacker is someone who breaks into computer systems, end of story. To them, all hackers are bad. I recommend avoiding the word entirely to avoid confusion. In this book, I call those who break into systems "intruders."[2] Technical wizards can be called by a variety of names, but they rarely object to "sir" or "madam."

[2]In person, I call them much less pleasant things.

FreeBSD Security Announcements

The best way to stop all attackers is to keep your system up to date. That means you need to know when to update your system, and what to update. An outdated system is a script kiddie's best friend.

The FreeBSD project has a team of developers who specialize in auditing source code and watching for security issues with both the base operating system and add-on software. These developers maintain a very low-volume mailing list, FreeBSD-security-notifications@FreeBSD.org, and it's a good idea to subscribe to it. While you can monitor other mailing lists (such as BugTraq and CERT) for general announcements, the security-notifications list is a handy single source for FreeBSD-specific information.

Subscribing

To subscribe to the security-notifications mailing list, send a message to majordomo@FreeBSD.org containing the following:

    subscribe FreeBSD-security-notifications

You'll receive a confirmation message, and buried somewhere in it there'll be a command string something like this:

    auth abax55b3 subscribe FreeBSD-security-notifications mwlucas@AbsoluteBSD.com

Reply to majordomo@FreeBSD.org with a message containing just that string, and you'll be subscribed.

To unsubscribe, send a similar message to majordomo@FreeBSD.org with the following body text:

    unsubscribe FreeBSD-security-notifications

You'll get a message back with a confirmation string to send back to the mail server. Return it, and you'll be unsubscribed.
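The subscribe/unsubscribe handshake above, as an added example in Python that is not from the book: it builds the first request, pulls the auth command out of a constructed confirmation message, checks that it matches the request you actually sent (action, list name and your own address) before echoing it back, and composes the reply. The sample confirmation text and the function names are assumptions.

```python
import re
from email.message import EmailMessage

# Added example, not from the book: the majordomo confirmation handshake
# described above. The sample message below is constructed, not a real one.
MAJORDOMO = "majordomo@FreeBSD.org"
LIST_NAME = "FreeBSD-security-notifications"

SAMPLE_CONFIRMATION = """\
Someone (possibly you) asked to add your address to a mailing list.
To confirm, reply to majordomo@FreeBSD.org with this command:

    auth abax55b3 subscribe FreeBSD-security-notifications mwlucas@AbsoluteBSD.com

If you did not request this, ignore this message.
"""

# Shape of the command string the text shows: auth <token> <action> <list> <address>
AUTH_RE = re.compile(
    r"^\s*auth\s+(?P<token>\S+)\s+(?P<action>subscribe|unsubscribe)\s+"
    r"(?P<list>\S+)\s+(?P<address>\S+@\S+)\s*$", re.MULTILINE)


def request_body(action, list_name=LIST_NAME):
    """Body of the first message: 'subscribe <list>' or 'unsubscribe <list>'."""
    if action not in ("subscribe", "unsubscribe"):
        raise ValueError(f"unknown majordomo action: {action}")
    return f"{action} {list_name}\n"


def find_auth_command(confirmation, action, list_name, address):
    """Extract the auth line, refusing one that is not for the request we made
    (wrong action, wrong list, or someone else's address)."""
    m = AUTH_RE.search(confirmation)
    if m is None:
        raise ValueError("no auth command in confirmation message")
    if m["action"] != action or m["list"].lower() != list_name.lower():
        raise ValueError(f"confirmation is for {m['action']} {m['list']}")
    if m["address"].lower() != address.lower():
        raise ValueError(f"confirmation names {m['address']}, not {address}")
    return m.group(0).strip()


def build_reply(auth_command, sender):
    """Second message: reply to majordomo containing just the auth string."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = MAJORDOMO
    msg.set_content(auth_command + "\n")
    return msg
```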

What You'll Get

Two sorts of messages come across the security-notifications mailing list: FreeBSD security advisories and FreeBSD ports-collection security advisories. The two have very different purposes.

FreeBSD security advisories apply to the base operating system. When a FreeBSD component has a security hole, the security team releases a security advisory. Read the advisory carefully to determine what you need to do.

The ports collection contains literally thousands of programs that can be easily installed on FreeBSD. While it's not the definitive guide to what can work on the system, it's certainly a big chunk of it. When the security team finds a hole in one of these software packages, they notify the vendor and issue a ports-collection security advisory. These pieces of software are beyond the FreeBSD Project's control, but since they're distributed with FreeBSD, FreeBSD frequently catches the blame when one of them is broken. The security team issues these advisories in an effort to
