Frequently Asked Questions for FreeBSD 2.X, 3.X and 4.X
Prev		Next

Chapter 13 Security

13.1. BIND (named) is listening on port 53 and some other high-numbered port. What is going on?
13.2. Sendmail is listening on port 587 as well as the standard port 25! What is going on?
13.3. What is this UID 0 toor account? Have I been compromised?
13.4. Why is suidperl not working properly?

13.1. BIND (named) is listening on port 53 and some other high-numbered port. What is going on?

FreeBSD 3.0 and later use a version of BIND that uses a random high-numbered port for outgoing queries. If you want to use port 53 for outgoing queries, either to get past a firewall or to make yourself feel better, you can try the following in /etc/namedb/named.conf:

    options {
            query-source address * port 53;
    };

You can replace the * with a single IP address if you want to tighten things further.

Congratulations, by the way. It is good practice to read your sockstat(1) output and notice odd things!

13.2. Sendmail is listening on port 587 as well as the standard port 25! What is going on?

Recent versions of Sendmail support a mail submission feature that runs over port 587. This is not yet widely supported, but is growing in popularity.

13.3. What is this UID 0 toor account? Have I been compromised?

Do not worry. toor is an ``alternative'' superuser account (toor is root spelt backwards). Previously it was created when the bash(1) shell was installed but now it is created by default. It is intended to be used with a non-standard shell so you do not have to change root's default shell. This is important as shells which are not part of the base distribution (for example a shell installed from ports or packages) are likely be to be installed in /usr/local/bin which, by default, resides on a different filesystem. If root's shell is located in /usr/local/bin and /usr (or whatever filesystem contains /usr/local/bin) is not mounted for some reason, root will not be able to log in to fix a problem (although if you reboot into single user mode you will be prompted for the path to a shell).

Some people use toor for day-to-day root tasks with a non-standard shell, leaving root, with a standard shell, for single user mode or emergencies. By default you cannot log in using toor as it does not have a password, so log in as root and set a password for toor if you want to use it.

13.4. Why is suidperl not working properly?

For security reasons, suidperl is installed without the suid bit by default. The system administrator can enable suid behavior with the following command.

    # chmod u+s /usr/bin/suidperl

If you want suidperl to be built suid during upgrades from source, edit /etc/make.conf and add ENABLE_SUIDPERL=true before you run make buildworld.

Prev	Home	Next
Networking		PPP