# Basic server security - install the "ports" or not?



## Ed_Flecko (Jul 23, 2015)

I'm setting up a web server and I'll be running Apache in a jail (likely using ezjail).

Generally speaking, is it a good idea, from a server security perspective, to install the ports when setting up a server from scratch or should one leave those out? I will be running a custom kernel, so I'll need the "source" files (correct???), but I'm wondering if I'd ever really need the ports? Any software (like Apache, etc.) can be installed from packages, right?

Comments?

Thank you,
Ed


----------



## kpa (Jul 23, 2015)

Everything you build from ports(7) is checked with SHA256 checksums so that the distfiles downloaded are valid and authentic. There's no room for tampering with the sources as long as the distfiles pass the SHA256 validity checks. You will get a build error in case one of the distfiles doesn't pass the tests.
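To show what that distfile check actually does, here is an added example (my own code, not from the thread or from the ports framework) that re-implements it in POSIX sh. It assumes the real distinfo layout (`SHA256 (name) = hash` and `SIZE (name) = bytes`, the lines `make makesum` writes and `make checksum` verifies); the function names and the sample tarball are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the ports framework: a small
# re-implementation of the distinfo check "make checksum" performs, run on a
# constructed distfile so the SHA256 + SIZE validation can be seen failing.

# Print the SHA256 of a file with whatever tool the host has
# (FreeBSD sha256(1), GNU sha256sum, or openssl as a fallback).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Emit distinfo lines for NAME in DISTDIR, in the same shape as "make makesum".
make_distinfo() {  # DISTDIR NAME
    printf 'SHA256 (%s) = %s\n' "$2" "$(sha256_of "$1/$2")"
    printf 'SIZE (%s) = %s\n' "$2" "$(wc -c < "$1/$2" | tr -d ' ')"
}

# Verify NAME in DISTDIR against DISTINFO; 0 = ok, 1 = mismatch, 2 = no entry.
# Size is compared first (cheap), the hash second, as the ports tree does.
check_distfile() {  # DISTINFO DISTDIR NAME
    want_hash=$(sed -n "s/^SHA256 ($3) = //p" "$1")
    want_size=$(sed -n "s/^SIZE ($3) = //p" "$1")
    [ -n "$want_hash" ] && [ -n "$want_size" ] || { echo "no distinfo entry for $3" >&2; return 2; }
    got_size=$(wc -c < "$2/$3" | tr -d ' ')
    [ "$got_size" = "$want_size" ] || { echo "size mismatch for $3" >&2; return 1; }
    got_hash=$(sha256_of "$2/$3")
    [ "$got_hash" = "$want_hash" ] || { echo "checksum mismatch for $3" >&2; return 1; }
    return 0
}

# Demo on a constructed distfile: record it, verify it, then tamper with it.
demo() {
    dir=$(mktemp -d)
    printf 'pretend this is a tarball\n' > "$dir/foo-1.0.tar.gz"   # constructed
    make_distinfo "$dir" foo-1.0.tar.gz > "$dir/distinfo"
    check_distfile "$dir/distinfo" "$dir" foo-1.0.tar.gz && echo "clean: ok"
    printf 'pretend this is a tarball!\n' > "$dir/foo-1.0.tar.gz"  # one byte added
    check_distfile "$dir/distinfo" "$dir" foo-1.0.tar.gz || echo "tampered: rejected"
    rm -rf "$dir"
}
demo
```

The real framework does the same comparison for every file listed in a port's distinfo before it will extract anything, which is why a tampered distfile produces a build error rather than a silently patched build.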


----------



## Ed_Flecko (Jul 23, 2015)

Thank you.

I guess what I'm asking (maybe I asked it in a confusing way) is if it puts the overall security of the server at risk by having the entire ports collection installed on the server? Does it "harden" the server (if even in a small way) by leaving the ports collection off when you install the OS?

Ed


----------



## kpa (Jul 23, 2015)

The ports collection won't be the first (probably one of the last) thing an attacker would use to attack your system, they would instead try to upload a custom made attack kit to the user account they have broken into and use that for searching more weak points in your system.


----------



## Ed_Flecko (Jul 23, 2015)

Great...thank you!

I would guess, for those people who run FreeBSD servers in a production environment, that most people may not have any accounts on the server other than root (and a highly complex password that gets changed regularly) that they SSH to in order to perform maintenance, etc.?

Ed


----------



## kpa (Jul 23, 2015)

The recommendation is to use an unprivileged user in the wheel group for logging in via SSH and then use su(1) or security/sudo for gaining superuser privileges.


----------



## junovitch@ (Jul 23, 2015)

Ed_Flecko said:


> Thank you.
> 
> I guess what I'm asking (maybe I asked it in a confusing way) is if it puts the overall security of the server at risk by having the entire ports collection installed on the server? Does it "harden" the server (if even in a small way) by leaving the ports collection off when you install the OS?
> 
> Ed



To answer just your question, the only thing having /usr/ports is going to do is waste space if you never use it.  If you don't use it, it's just a bunch of worthless files with no inherent security risk in and of itself.  If you do use it, as said before the checksums help validate against tampering and you are at no more risk than the official build servers doing the same steps to create public packages.


----------



## wblock@ (Jul 24, 2015)

Okay, I'll be that guy.  In theory, having a ports tree present could increase the "attack surface".  There are scripts in /usr/ports/Tools, there could be some type of compromise in a distfile in /usr/ports/distfiles that a user could extract into their own directory, there could be problems in the files directory of an individual port.  I've never heard of problems with these, but can imagine it.

If you are concerned about this but still want to use ports, limit the exposure by putting the ports tree on a separate filesystem and leaving it unmounted by default.

And just to make the distinction, the "Ports Collection" or, informally, the ports tree, is just a directory of files, mainly Makefiles and other small text files, but also application distfiles.  It does not include the built applications, just instructions for building them.


----------



## Ed_Flecko (Jul 24, 2015)

Good stuff! Thank you all for your comments and opinions!
Ed


----------



## junovitch@ (Jul 24, 2015)

A script in /usr/ports/Tools that can be used maliciously or a trojaned tarball in /usr/ports/distfiles still needs some way to actually use it.  If an untrusted user has access, of course there would be nothing to stop them from using these files.  However, if that was the case there may be nothing to stop them fetching the same file from the internet, compiling their own binary, or SCP'ing a file from their own machine.  If not a local user, maybe it's some Wordpress plug-in CVE of the week that allows executing something on the local machine.  In either case there are a lot of "ifs" or specific issues that must be present to support malicious use.  I think there is much more to gain, security-wise, by addressing securing applications and remote access and ensuring unauthorized users don't have access to start with rather than worrying about such very specific circumstances.


----------

