jul 31
DO:
- Do use the ports and packages to install software.
- Do pay attention to the nightly, weekly, and monthly periodic output messages.
- Do become familiar with CVSup.
- Do install sudo (/usr/ports/security/sudo) and promote its use instead of running as root directly, especially if you share administrative duties with others.
- Do use ntpd and ntpdate to synchronize your system’s clock so that all the system logging and scheduled processes in FreeBSD that depend on the time being accurate can operate properly.
- Do be nice to the FreeBSD committers.
- Do decide what kind of security model you’re going to have.
- Do subscribe to the appropriate mailing lists for your version of FreeBSD.
- Do monitor the size of your log files.
- Do fly the Daemon banner proudly!
DON’T:
- Don’t use experimental features on a production server.
- Don’t forget to add yourself to the “wheel” group at installation time!
- Don’t get hung up on uptime.
- When probing your server for weaknesses, be careful to avoid triggering defense mechanisms such as PortSentry, which block remote access from an attacking IP address; you might find that you’ve locked yourself out of your own server.
- Don’t use shutdown to drop to single-user mode (for high-privilege activities such as replacing the kernel) if you’re using an older FreeBSD version that’s running with the securelevel setting at 1 or higher.
- Don’t make a habit of using filenames with spaces in them.
- Don’t write Perl or shell scripts on a local Windows machine and then upload them over FTP in binary mode; use ASCII mode instead.
- Don’t use Telnet; use SSH instead, and (if at all possible) disable Telnet entirely so that your users can’t expose themselves or you to the weaknesses of unencrypted terminal traffic.
- Don’t enable sudo without using a properly designed sudoers file that restricts administrative access to only what’s necessary.
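
To illustrate the last point, here is an added example (not part of the original list): a small /bin/sh audit that flags sudoers entries granting more than a specific task needs. The sample file, its users and its command paths are constructed for illustration, and the function name audit_sudoers is hypothetical.

```sh
#!/bin/sh
# Added example: heuristic audit of a sudoers file for over-broad grants.
# Aliases and included files are not expanded; `visudo -c` remains the
# syntax check. All names and paths below are constructed.

# audit_sudoers FILE -> prints "LINE: USER: REASON" for each risky entry
audit_sudoers() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                      # comments, blanks
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ || $1 == "root" { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        cmds = substr($0, eq + 1)                # text after "host ="
        sub(/^[ \t]*\([^)]*\)/, "", cmds)        # drop the (runas) part
        nopw = (cmds ~ /NOPASSWD:/) ? " without a password" : ""
        gsub(/[A-Z]+:/, "", cmds)                # drop tags such as NOPASSWD:
        n = split(cmds, entry, ",")
        for (i = 1; i <= n; i++) {
            c = entry[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "ALL")
                print NR ": " $1 ": every command allowed" nopw
            else if (c ~ /\/(sh|csh|tcsh|bash|su)$/)
                print NR ": " $1 ": root shell allowed" nopw
            else if (c ~ /\*/)
                print NR ": " $1 ": wildcard in command" nopw
        }
    }' "$1"
}

# Constructed sample: two over-broad rules and one task-scoped rule.
sample=$(mktemp /tmp/sudoers.XXXXXX)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
alice   ALL=(root) /usr/local/sbin/apachectl restart, /usr/bin/tail /var/log/messages
bob     ALL=(root) /bin/sh
EOF
audit_sudoers "$sample"
```

Only the %wheel and bob entries are reported; alice's rule names exact commands with fixed arguments, which is the shape a restricted sudoers file should have.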


