I know most of the general advice: "turn off unnecessary services", "no really, turn off unnecessary services", "least privilege", etc. I've also seen a few guides and/or tools, e.g., Bastille, for hardening Linux boxes, but nothing that seems tailored to NetBSD.
Assume for the sake of this list that I've already made sure root doesn't have SSH access, but that I haven't installed any server software.
What are your first steps for securing a new NetBSD box?
UPDATE: To be clear, I'm looking for specific steps. I'm entirely self-taught when it comes to server admin, but I feel I have a decent grasp of the general principles. I'm looking for details for two reasons:
- To see if there is anything NetBSD-specific that I've overlooked.
- To see if other people have better methods for putting the general principles into practice.
Thanks.
Please see security(8) in NetBSD manual. You can:
rc.confto harden a production systemsecurity.curtain = 1in sysctl.conf to limit users from seeing each other.security.pax.mprotect.global=1,security.pax.aslr.global=1)Please also see Elad Efrat's paper Recent Security Enhancements in NetBSD.
Please note that features that prevent changing binaries also prevent you from upgrading the system so prepare to make upgrades in single user mode.
PaX extensions may prevent some software such as gnu make from working at all. You can leave the .global flags disabled and set PaX flags on binary basis with paxctl.
It's the same with every system:
As SvenW said, the basic concepts pretty well apply across the board.
For a detailed read, the Center for Internet Security has a Benchmark available for FreeBSD. I imagine that it should be fairly easy to translate to your environment.