SUSE Security Lockdown - Hardening Your Linux System
İçindekiler
Disable TELNETD
TELNETD is not enabled by default in SUSE.
Disable FTP Servers
FTP server is not enabled by default in SUSE.
Configure SSH for SSH2-only Access
Modify the /etc/ssh/sshd_config file to change the PROTOCOL line from:
#PROTOCOL 1,2
to:
PROTOCOL 2
Limit SSH Access
limit by users
- start yast
- go to Security & Users -> Edit and create groups
- add a group named "sshlogin"
- make all normal users (not root), whom you allow to use ssh to access the system member of this group.
In /etc/ssh/sshd_config modify:
AllowUsers root
to:
#AllowUsers root
And add:
AllowGroups sshlogin
Finally as root restart sshd:
rcsshd restart
Limit by hosts
In /etc/hosts.allow you enter the following lines for the hosts you specificaly allow, e.g.:
sshd : 127.0.0.1 : allow sshd : 192.168. : allow sshd : 130.57.5.70 : allow sshd : 10. : allow
Next enter all that need to be denied:
sshd : ALL :deny
Limit by variable hosts
Most of the time you just want to limit access from abusive hosts. If you want to see if this happens, do the following as root:
grep sshd /var/log/messages |grep "Invalid user"| \ awk '{print $NF}'|sort|uniq -c|sort -n
This will give the the number of attempts per IP. To block this, there are several scripts. An easy script to use is blockhosts. The way to use it under SUSE is as follows. A) Download the GZIPed Archive and unpack it. B) Go into the just created directory and run as root python setup.py install C) Add the following line to /etc/blockhosts.cfg with a space in front of LOGFILES
LOGFILES = [ "/var/log/messages", ]
D) Add the follwoing lines to /etc/hosts.allow
#---- BlockHosts Additions #---- BlockHosts Additions sshd : ALL: spawn /usr/bin/blockhosts.py & : allow
If you want, you can still add specific hosts or ranges that are allowed or denied to /etc/hosts.allow
Disable inetd
If no services are running (as is the default) xinetd is not running.
Edit BIOS to Disallow Booting from CDROM/Floppy
See the documentation for your specific BIOS. Booting from removable media allows an attacker with physical access to the machine to mount the systems' filesystems--accessing or deleting data, changing settings, or even changing passwords.
Be sure to:
- Set a BIOS password
- Change the boot order such that hard disk is first
- Physically lock the case so attacker cannot reset the BIOS
Set GRUB password
Grub is a powerful bootloader which allows entries to be edited on the fly. This can be a security risk, however. GRUB can boot removable media or even access files on the hard disk.
To set a password, see the YaST 'Boot Loader' module. Remember to remove the 'Floppy' entry!
For 9.3:
- Select 'Add'.
- Change 'Selected Option' to 'password' and select 'OK'.
- Check 'Protect Boot Loader with Password' and enter password.
For 10.0:
- Switch to the 'Boot Loader Installation' tab.
- Select 'Boot Loader Options.'
- Check 'Protect Boot Loader with Password' and enter password.
Encrypt Data Partitions
Note: If the password for an encrypted partition is forgotten, all data will be unrecoverable!
YaST includes the option to encrypt partitions. It is a good idea to encrypt any partitions that contain sensitive data.
- In the YaST Partitioner create a new partition as normal:
- Select 'Create.'
- Select the disk to create the partition on.
- Select whether a primary or extended partition should be created (if prompted).
- In the create partition dialog, select a filesystem (other than swap or FAT) and a mount point (other than /, /usr, /boot, or swap).
- Select a size for the partition.
- Check "Encrypt File System" and select 'OK'.
- Enter a password and select 'OK'.
The encrypted filesystem is created and its entry is added /etc/cryptotab. For example:
# cat /etc/cryptotab /dev/loop0 /dev/sdb1 /encrypted_mount_point reiserfs twofish256,acl,user_xattr
When the system boots, a password is required before the filesystem is mounted:
Activating crypto devices using /etc/cryptotab ... Please enter passphrase for /dev/sdb1:
It can be mounted and unmounted with the /etc/init.t/boot.crypto script. For example:
To mount:
/etc/init.d/boot.crypto start
To unmount:
/etc/init.d/boot.crypto stop
Alternatively, the mount commands can be used directly.
To mount an encrypted partition, a loopback device must first be established:
# losetup -e twofish256 /dev/loop0 /dev/sdb1 Password:
Then, the loopback device can be mounted:
# mount /dev/loop0 /encrypted_mount_point
To unmount, simply use the umount command then delete the loopback device:
# umount /encrypted_mount_point # losetup -d /dev/loop0
Note that if you get an error like "mount: you must specify the filesystem type" when mounting, you may have entered the wrong password. Delete the loopback device and try again.