SUSE Security Lockdown - Hardening Your Linux System


Disable TELNETD

TELNETD is not enabled by default in SUSE.

Disable FTP Servers

FTP server is not enabled by default in SUSE.

Configure SSH for SSH2-only Access

Modify the /etc/ssh/sshd_config file to change the PROTOCOL line from:

#PROTOCOL    1,2

to:

PROTOCOL     2

Limit SSH Access

Limit by users

  1. start yast
  2. go to Security & Users -> Edit and create groups
  3. add a group named "sshlogin"
  4. Add every normal user (not root) who is allowed to use ssh to access the system to this group.

In /etc/ssh/sshd_config modify:

AllowUsers root

to:

#AllowUsers root

And add:

AllowGroups sshlogin

Finally as root restart sshd:

rcsshd restart

Limit by hosts

In /etc/hosts.allow enter the following lines for the hosts you specifically allow, e.g.:

sshd : 127.0.0.1 : allow
sshd : 192.168.  : allow
sshd : 130.57.5.70 : allow
sshd : 10.         : allow

Next enter all that need to be denied:

sshd : ALL         : deny

Limit by variable hosts

Most of the time you just want to limit access from abusive hosts. If you want to see if this happens, do the following as root:

grep sshd /var/log/messages |grep "Invalid user"| \
awk '{print $NF}'|sort|uniq -c|sort -n

This gives the number of attempts per IP. Several scripts exist to block such hosts; an easy one to use is blockhosts. Under SUSE, use it as follows:

  1. Download the gzipped archive and unpack it.
  2. Change into the newly created directory and, as root, run python setup.py install.
  3. Add the following line to /etc/blockhosts.cfg, with a space in front of LOGFILES:

LOGFILES = [ "/var/log/messages", ]

  4. Add the following lines to /etc/hosts.allow (both marker lines are needed; blockhosts writes its deny entries between them):

#---- BlockHosts Additions
#---- BlockHosts Additions
sshd : ALL: spawn /usr/bin/blockhosts.py & : allow

If you want, you can still add specific hosts or ranges that are allowed or denied to /etc/hosts.allow
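The counting pipeline above, as an added example that is not part of the original page: it counts "Invalid user" attempts per source IP from constructed sample log lines and emits hosts.allow deny lines for sources at or above a threshold. It goes slightly beyond the one-liner by taking the field after "from" instead of the last field, so newer sshd lines that end in "port N" are counted by IP rather than by port.

```shell
#!/bin/sh
# Added example, not from the original page. The log lines are constructed sample data.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 host sshd[2301]: Invalid user admin from 203.0.113.9
Mar  3 10:01:15 host sshd[2302]: Invalid user oracle from 203.0.113.9
Mar  3 10:01:19 host sshd[2303]: Invalid user test from 203.0.113.9 port 40122
Mar  3 10:02:01 host sshd[2310]: Accepted publickey for alice from 192.168.1.20 port 51022 ssh2
Mar  3 10:02:44 host sshd[2315]: Invalid user guest from 198.51.100.7
Mar  3 10:03:00 host cron[2320]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Print "<count> <ip>" for every source with "Invalid user" entries, most frequent first.
# The IP is the field after "from", which also works when a trailing "port N" is present.
invalid_user_counts() {
    grep sshd "$1" | grep "Invalid user" \
        | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)}' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print only the IPs with at least $2 attempts, one per line.
abusive_hosts() {
    invalid_user_counts "$1" | awk -v min="$2" '$1 >= min {print $2}'
}

# Build hosts.allow deny lines for the abusive hosts; review them, then place
# them before any "sshd : ALL : allow" line so the deny rule is matched first.
deny_lines() {
    abusive_hosts "$1" "$2" | awk '{print "sshd : " $1 " : deny"}'
}

invalid_user_counts "$SAMPLE_LOG"
deny_lines "$SAMPLE_LOG" 3
```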

Disable inetd

If no services are running (as is the default) xinetd is not running.

Edit BIOS to Disallow Booting from CDROM/Floppy

See the documentation for your specific BIOS. Booting from removable media allows an attacker with physical access to the machine to mount the system's filesystems, accessing or deleting data, changing settings, or even changing passwords.

Be sure to:

  1. Set a BIOS password
  2. Change the boot order such that hard disk is first
  3. Physically lock the case so an attacker cannot reset the BIOS

Set GRUB password

Grub is a powerful bootloader which allows entries to be edited on the fly. This can be a security risk, however. GRUB can boot removable media or even access files on the hard disk.

To set a password, see the YaST 'Boot Loader' module. Remember to remove the 'Floppy' entry!

For 9.3:

  1. Select 'Add'.
  2. Change 'Selected Option' to 'password' and select 'OK'.
  3. Check 'Protect Boot Loader with Password' and enter password.

For 10.0:

  1. Switch to the 'Boot Loader Installation' tab.
  2. Select 'Boot Loader Options.'
  3. Check 'Protect Boot Loader with Password' and enter password.

Encrypt Data Partitions

Note: If the password for an encrypted partition is forgotten, all data will be unrecoverable!

YaST includes the option to encrypt partitions. It is a good idea to encrypt any partitions that contain sensitive data.

  1. In the YaST Partitioner create a new partition as normal:
    1. Select 'Create.'
    2. Select the disk to create the partition on.
    3. Select whether a primary or extended partition should be created (if prompted).
  2. In the create partition dialog, select a filesystem (other than swap or FAT) and a mount point (other than /, /usr, /boot, or swap).
  3. Select a size for the partition.
  4. Check "Encrypt File System" and select 'OK'.
  5. Enter a password and select 'OK'.

The encrypted filesystem is created and its entry is added to /etc/cryptotab. For example:

# cat /etc/cryptotab
/dev/loop0   /dev/sdb1   /encrypted_mount_point      reiserfs    twofish256,acl,user_xattr

When the system boots, a password is required before the filesystem is mounted:

Activating crypto devices using /etc/cryptotab ...
Please enter passphrase for /dev/sdb1:

It can be mounted and unmounted with the /etc/init.d/boot.crypto script. For example:

To mount:

/etc/init.d/boot.crypto start

To unmount:

/etc/init.d/boot.crypto stop

Alternatively, the mount commands can be used directly.

To mount an encrypted partition, a loopback device must first be established:

# losetup -e twofish256 /dev/loop0 /dev/sdb1
Password:

Then, the loopback device can be mounted:

# mount /dev/loop0 /encrypted_mount_point

To unmount, simply use the umount command then delete the loopback device:

# umount /encrypted_mount_point
# losetup -d /dev/loop0

Note that if you get an error like "mount: you must specify the filesystem type" when mounting, you may have entered the wrong password. Delete the loopback device and try again.