Subject: Re: security for netbsd as web server
To: Amadeus Stevenson <email@example.com>
From: Felix Deichmann <firstname.lastname@example.org>
Date: 03/25/2005 23:32:14
Amadeus Stevenson wrote:
> -ipfilter block all default, allow in www with keep state
If you expect many connections and "keep state", be sure that the state
table is big enough then. See IPSTATE_SIZE and IPSTATE_MAX in ip_state.h.
> Is there anything else you could do? Password rotation? What would you
> do if you had to run, say, a security-critical (eg. a bank or paypal)
If you are really paranoid:
# sysctl -w net.inet.ip.random_id=1
But it increases CPU overhead, of course.
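
Added example, not part of the original message and not IPFilter's own code: a shell check for the state-table advice above, flagging when "keep state" entries approach the limit or the table has already refused new ones. It assumes `ipfstat -s` prints "<count> <name>" lines with counters named `active`, `maximum` and `no memory`; the function names, the 80% threshold and the sample figures are constructed, and the limit argument is whatever IPSTATE_MAX your kernel was built with.

```sh
#!/bin/sh
# check_ipf_state LIMIT [WARN_PCT]
# Reads state statistics on stdin (intended use: ipfstat -s | check_ipf_state 4013).
# Assumption: counters appear as "<count> <name>" lines named "active",
# "maximum" (times the table was full) and "no memory".
# Exit status: 0 = OK, 1 = near the limit, 2 = entries already refused.
check_ipf_state() {
    limit=$1            # IPSTATE_MAX the running kernel was built with
    warn_pct=${2:-80}   # warn when this percentage of the table is in use
    awk -v limit="$limit" -v warn="$warn_pct" '
        $2 == "active"               { active = $1 }
        $2 == "maximum"              { full = $1 }
        $2 == "no" && $3 == "memory" { nomem = $1 }
        END {
            if (limit <= 0) { print "ERROR bad limit"; exit 2 }
            pct = int(active * 100 / limit)
            if (full > 0 || nomem > 0) {
                # New states were refused: legitimate connections get dropped.
                printf "CRITICAL active=%d/%d (%d%%) full=%d nomem=%d\n",
                       active, limit, pct, full, nomem
                exit 2
            }
            if (pct >= warn) {
                printf "WARNING active=%d/%d (%d%%)\n", active, limit, pct
                exit 1
            }
            printf "OK active=%d/%d (%d%%)\n", active, limit, pct
        }'
}

# Constructed sample in the assumed layout, not captured from a real host.
sample_stats() {
    cat <<'EOF'
IP states added:
    91200 TCP
    310 UDP
    42 ICMP
    0 maximum
    0 no memory
    3400 active
    88152 expired
EOF
}

# Demo on the constructed sample; prints a WARNING line.
sample_stats | check_ipf_state 4013 80 || true
```

A non-zero `maximum` or `no memory` count is the signal to raise IPSTATE_MAX (and IPSTATE_SIZE with it) and rebuild the kernel.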