SuSE Security FAQ
This is a collection of the most commonly asked questions on
the SuSE-Security mailing list.
Contributions to the FAQ are welcome. Please send them to email@example.com.
Q: One of my servers has been cracked open and overtaken by intruders. What now?
Q: I have secured all data from the compromised system and checked back with our lawyers. Is there another place to report system compromises to?
A: If you have not done so already, you need to install the OpenSSH package. This should be in the SEC section on your SuSE CD or DVD, although as this is a network service I recommend that you first check to see if there is a newer version on ftp.suse.com.
SSH is basically a version of telnet that uses Secure Sockets Layer (or SSL) encryption. It can do everything that telnet, rsh and rlogin can, except in an encrypted manner. The only difference you really need to know about compared to telnet is that you need to specify the username you wish to log in with on the command line before you connect, rather than at an interactive prompt. (e.g. to connect to freenet.nether.net as the user joe, I would type ssh firstname.lastname@example.org) If you do not do this, ssh will try to automatically log you in as the current user.
Q: How do I securely copy files between my (SuSE) Linux machines?
Q: How do I securely copy files between my Windows PC and my (SuSE) Linux server?
SuSE's versions of OpenSSH all come with libwrap support compiled in by default. That is, they honour the /etc/hosts.allow and /etc/hosts.deny files.
If you have previously run harden_suse you will now have a line at the bottom of /etc/hosts.deny that looks like:
    ALL : ALL
If this is what is causing your connection to be refused, you will see it in the /var/log/warn logfile. This can be checked with the command
    tail -f /var/log/warn
To enable access from your IP address, simply add the line
    sshd : x.x.x.x
to /etc/hosts.allow (where x.x.x.x is the IP address that you are connecting FROM). You can also use the format x.x.x.x/y.y.y.y, where y.y.y.y is the subnet mask of an entire network (e.g. your LAN) that you wish to allow. If you wish to allow SSH access from anywhere, you can replace x.x.x.x with the word ALL. This is not recommended.
SSHD also has the possibility of denying root access. Look at /etc/sshd_config and see whether PermitRootLogin is set to yes (or try connecting as another user). Finally, you could be having a problem with different ssh versions. OpenSSH 2.3 supports both SSH1 and SSH2 and should work, and you should upgrade to it anyway, since earlier versions have some security problems.
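The tcpd decision described above (hosts.allow is consulted first, then hosts.deny, and the "ALL : ALL" line that harden_suse leaves in hosts.deny refuses anything not explicitly allowed) can be worked through offline before you touch the real files. The evaluator below is an added example written for this FAQ; it is not part of the original page or of the tcp_wrappers package. It reads constructed sample file bodies and supports only the client forms the FAQ mentions (ALL, an exact address, and net/mask), not the full hosts_access(5) syntax.

```python
import ipaddress

# Constructed sample file bodies (not taken from any real system). The deny
# file ends in the "ALL : ALL" line that harden_suse appends; the allow file
# permits sshd from one host and from one LAN written as net/mask.
HOSTS_ALLOW = """\
# constructed /etc/hosts.allow
sshd : 10.1.2.3
sshd : 192.168.5.0/255.255.255.0
"""

HOSTS_DENY = """\
# constructed /etc/hosts.deny (as left by harden_suse)
ALL : ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list) pairs from a hosts.allow/hosts.deny body.

    Comments and blank lines are skipped; a third field (the optional shell
    command in hosts_access(5)) plays no part in the access decision.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed: no client list, so it can match nothing
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern: ALL, an exact address, or net/mask."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        # ipaddress accepts both "192.168.5.0/24" and "192.168.5.0/255.255.255.0"
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rules_match(rules, daemon, ip):
    """True if some rule names this daemon (or ALL) and one of its client patterns matches."""
    for daemons, clients in rules:
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(c, ip) for c in clients):
                return True
    return False


def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the tcpd order: a hosts.allow match grants access, then a
    hosts.deny match refuses it, and a client matching neither file is allowed."""
    if rules_match(parse_rules(allow_text), daemon, ip):
        return True
    if rules_match(parse_rules(deny_text), daemon, ip):
        return False
    return True


if __name__ == "__main__":
    for daemon, ip in [("sshd", "10.1.2.3"), ("sshd", "192.168.5.77"),
                       ("sshd", "203.0.113.9"), ("in.ftpd", "10.1.2.3")]:
        verdict = "allowed" if access_allowed(daemon, ip) else "refused"
        print(f"{daemon:8} from {ip:15} -> {verdict}")
```

With the sample files, sshd is reachable from 10.1.2.3 and from the 192.168.5.0/24 LAN only, and every other daemon is refused from everywhere because nothing in hosts.allow names it. Passing an empty deny body shows why the "ALL : ALL" line matters: without it, a client that matches neither file falls through to the default and is allowed.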
How do I Secure SuSE?
Have you read your SuSE Manual? Do that first!
Of course you have also already read Marc Heuse's (email@example.com) white paper on the Installation of a Secure Web Server :-)
30 Second Tutorial
Install and run harden_suse (found at ftp://ftp.suse.com/pub/suse/i386/current/suse/sec1/hardsuse.rpm)
Install Sec Check (found at ftp://ftp.suse.com/pub/suse/i386/current/suse/sec1/seccheck.rpm)
Apply any updates that are applicable from : ftp://ftp.suse.de/pub/suse/i386/update/
Now, if you ran harden_suse and answered yes, it will have pretty much locked everything down for you. You will need to set INETD to start again in /etc/rc.config, and you will need to re-enable ftp by uncommenting the line in /etc/inetd.conf that matches the ftp server you are running. (Personally I like proftpd. Read /etc/proftpd.conf for info on locking it down; it's self explanatory.)
You will need to add the ip range that you want to connect to sshd from into
Once you have done all this (it should take you about 15 min) reboot the machine, just to check that everything works and is set to start up, then run "nmap localhost" (or "netstat -nat"). Your ports should now look like:
Port    State   Service
21/tcp  open    ftp
22/tcp  open    ssh
80/tcp  open    http
Once you have double checked http://www.suse.de/en/support/security/index.html (just to see that you have applied all the available patches for the rpms you have installed), compare that web page to the output of
    rpm -qa
There is of course a lot more that you can do to secure a system, and I'm sure that you'll get a bunch of people telling you about secumod and tripwire and all the other cool security toys, all of which you should learn about and implement, but for your specification of a web server only (I am assuming you are the only person with a shell account) this will be sufficient to get your server on the web without worrying about being easily compromised.
Notice you didn't even have to configure a firewall/packetfilter?!
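The check in the tutorial above is "run nmap or netstat and look at the port list". The script below is an added example (not from the original FAQ or from the nmap or net-tools projects) that turns that look into a repeatable baseline comparison: it parses either the "Port State Service" style nmap output shown above or "netstat -nat" output, and reports any listening TCP port outside the expected set of 21, 22 and 80. The two sample outputs it runs on are constructed, not captured from a real host, and deliberately contain extra ports.

```python
import re

# Expected listening TCP ports for the web-server-only setup this FAQ
# describes: ftp, ssh and http.
EXPECTED_PORTS = {21, 22, 80}

# Constructed sample outputs (not captured from a real host). The first is in
# the "Port State Service" style of nmap shown in the FAQ, the second in
# "netstat -nat" style. Both list ports beyond the expected three.
NMAP_SAMPLE = """\
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
6000/tcp   open        X11
"""

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
"""

NMAP_LINE = re.compile(r"^\s*(\d+)/tcp\s+open\b")
NETSTAT_LINE = re.compile(r"^\s*tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\b")


def open_tcp_ports(text):
    """Return the set of (port, bind_address) pairs listening for TCP, parsed
    from nmap or netstat -nat style output. nmap output carries no bind
    address, so it is recorded as "*". ESTABLISHED lines are ignored."""
    ports = set()
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            ports.add((int(m.group(1)), "*"))
            continue
        m = NETSTAT_LINE.match(line)
        if m:
            ports.add((int(m.group(2)), m.group(1)))
    return ports


def unexpected_ports(text, expected=EXPECTED_PORTS):
    """Ports open on the host that are not in the expected baseline.

    Returns (network_facing, local_only). A service bound to 127.0.0.1 only
    (as a local MTA often is) is not reachable from the network, so it is
    listed separately rather than counted as exposure."""
    network_facing, local_only = set(), set()
    for port, addr in open_tcp_ports(text):
        if port in expected:
            continue
        if addr.startswith("127."):
            local_only.add(port)
        else:
            network_facing.add(port)
    return sorted(network_facing), sorted(local_only)


if __name__ == "__main__":
    for label, sample in [("nmap", NMAP_SAMPLE), ("netstat", NETSTAT_SAMPLE)]:
        exposed, local = unexpected_ports(sample)
        print(f"{label}: unexpected network-facing ports {exposed}, local-only {local}")
```

On the nmap sample the extra sunrpc and X11 ports are reported as network-facing; on the netstat sample port 111 is reported and the 127.0.0.1-bound SMTP listener is set aside as local-only. Feeding the script the real output of "netstat -nat" after the reboot step gives the same answer the FAQ asks you to read off by eye.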
I've heard that sendmail is insecure, but it is also used very often. Do you know other mail daemons which are more secure?
There have been no known security weaknesses in sendmail as of version 8.9.3. Sendmail is quite powerful but not that easy to configure. Postfix and QMail are smaller, faster and possibly easier to configure, but from the security point of view there is no difference.
- very active maintainer team (www.sendmail.org)
- a couple of millions users worldwide
- very flexible and adaptable for your needs
- fully compatible to almost all internet mail standards
- supported by most tools/apps (antivirus, spam-blocker, etc.)
- very well documented, lots of good books are available
- highly reliable if configured correctly
- _Can_ be difficult to set up
- most admins need quite some time to get used to it
How do I configure Sendmail Securely?
Sendmail can be considered to be configured securely in a standard install of SuSE that has had harden_suse run on it.
How do I enable feature "X"?
What you do is simply edit /etc/mail/linux.mc (or a copy of it) and select the options you want by removing the "dnl" from the front of the lines you want.
In some cases you will also need to change the domain, etc. It is very well commented, and you should have no trouble figuring it out. Once you think you have the right options you then execute the command
"m4 /etc/mail/linux.mc > /etc/sendmail.cf"
and it will regenerate the sendmail.cf file for you, with the options you have selected.
Then a simple
will put the changes into effect for you.
How do I configure Postfix?
For a standard config where you have one domain only that you wish to receive mail for, simply edit /etc/rc.config.d/postfix.rc.config
It has very good commenting and you should be able to follow it yourself.
Once you have changed this file to reflect your domain, save it and run the command SuSEconfig
This will merrily go off and generate the required config files for you. The primary file you need to look at if you wish to do more advanced configuration of Postfix is /etc/postfix/main.cf
Why doesn't SuSE ship Qmail?
Qmail's license is VERY restrictive and basically does not allow vendors to ship it (you cannot ship modified binaries). That and qmail's development has been somewhat stunted by the fact that contributions to it are often not included, basically only DJB is working on it, which means qmail lacks a LOT of features.
:0 local /usr/X11R6/bin/X :0 vt07
:0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp
How do I enable MD5 Password Encryption?
The documentation to enable MD5 password encryption is in /usr/share/doc/packages/pam/md5.config on your SuSE 7 machine.
Firewalls and IDS
A: What you need to do is "reverse" Masquerading. This can be accomplished with the IPMASQADM tool included on your SuSE CD. You will need to use this tool by hand, although it will happily coexist with Marc's IPFIREWALS package. (You will need to enable access to the port you want to forward in the firewall config, of course.) You can read the Author's FAQ here.
NOTE: This requires that you have regular Masquerading working first!
I see port scans to port number xyz - What does this mean? What is this port used for?
In order to gather information about your system most attackers use port scanners like nmap (www.insecure.org/nmap/) to look for open ports and to remotely identify the operating system the target host is running.
This information, together with a list of known security vulnerabilities of various services and applications, can be used to exploit these holes, start denial of service (DoS) attacks and finally gain root access to the attacked system. That's why it is important to close services which you don't need (see HOW DO I SECURE SUSE?) and to keep up-to-date with the latest security patches.
If you want to know what service hides behind a certain port number you can look into /etc/services. For a (nearly) complete list of ports and services you may consult IANA's list of ports. Unfortunately, there are also a lot of trojan horses around which use certain ports for their inbound and outbound activity. Some trojan apps come with a client utility capable of scanning single hosts or entire subnets for infected machines which can then be hijacked. For information about ports used by common trojan horses consult www.glocksoft.com/trojan_port.htm, www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html or the Trojans Lair Trojan Database.
What does "kernel: martian source aabbccdd for 11223344, dev eth0" mean?
These are packets that Linux does not expect from the direction they came from (i.e. packets from internal hosts coming in on the external interface). The cause is probably a misconfigured machine on your LAN. You can turn off logging those packets via
which is documented in /usr/src/linux/Documentation/proc.txt
Rejecting vs. Denying Packets
Please note that the following applies to ipchains. Things are a little different for iptables/netfilter, which ships with Linux kernel 2.4.x.
Most packet filters offer you the possibility of either denying or rejecting a packet. So where's the difference?
DENYing a packet simply means not responding at all i.e. silently drop the packet.
REJECT drops the packet, but (if it's not an ICMP packet) generates an ICMP reply to the source to tell it that the destination was unreachable.
Sometimes denying isn't the best of responses because in doing so, we actually tell the attacker that a packet filter is present. Another drawback of denying is that some services will wait for a response, thus slowing down other services while waiting for the reply packet you'll never send. (please, please _remember_ that when it comes to inetd issues ;-)
- www.insecure.org Read the doc of nmap!!
- thousands of postings on millions of mailing-lists
When a service isn't running on a unix system it normally lets the remote host know with some sort of return packet. In TCP this is done with an RST (reset) packet. UDP returns (usually) an ICMP port-unreachable packet carrying the original destination address of the packet.
But anyway, you cannot influence that behaviour using ipchains. If you would like to do that, consider using a *BSD system with ipf. For a start read the IP-Filter-HOWTO, which should be available on http://www.obfuscation.org/ipf/
What is chroot?
Quoting Zwicky, Cooper, Chapman: Building Internet Firewalls: "The chroot mechanism allows a program to irreversibly change its view of the filesystem by changing the program's idea of where the root of the filesystem is."
So, this is where the name comes from ;-)
Think of a chroot'ed program as a program that lives in its own, restricted filesystem without access to the rest of your filesystems (say e.g. binaries or /etc/passwd). This restricted filesystem has to include everything (_but no more_) the chroot'ed program needs to run. Thus it has to include e.g. /etc, /bin, /lib etc. (don't forget the shared libraries).
The environment that needs to be set up like this is called the chroot environment (often called a "jail"). Please remember to avoid setting up symbolic links that point to areas outside the chroot environment.
The benefit of chrooting is e.g. to restrict users to a subset of tasks or to build up an additional layer of defense against an intruder who takes over one of your processes. Note that it's not really impossible to break out of a chrooted environment, so don't rely on that exclusively.
Almost every program can be chrooted (Yes, even netscape ...) either by "built-in" means or by the chroot system call (man chroot, man 2 chroot).
To get a more practical approach, please read the man page of ftpd with special respect to /etc/ftpchroot. A proper anonymous ftp setup is an example of a chrooted environment.
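Two of the chores in the chroot answer above are easy to get wrong by hand: working out which shared libraries the jailed program needs, and spotting symbolic links that point outside the jail. The script below is an added example written for this FAQ (not part of the original page, and not taken from any distribution tool). It parses ldd output in the style of the glibc of that era into the list of library files to copy, and walks a jail directory reporting symlinks that are either dangling as the chrooted program sees them or that, resolved on the host, lead outside the jail. The ldd output and the throwaway demo jail are constructed for the example.

```python
import os
import tempfile

# Constructed ldd output in the style of the glibc 2.x ldd of the SuSE 7 era
# (not captured from a real binary). It lists what a chrooted copy of the
# program would need under <jail>/lib.
LDD_SAMPLE = """\
\tlinux-gate.so.1 =>  (0xffffe000)
\tlibcrypt.so.1 => /lib/libcrypt.so.1 (0x40020000)
\tlibc.so.6 => /lib/libc.so.6 (0x40050000)
\t/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
"""


def parse_ldd(output):
    """Extract the shared-object paths from ldd output, skipping the kernel
    vDSO entry (which has no file behind it) and any 'not found' library."""
    paths = set()
    for line in output.splitlines():
        line = line.strip()
        if "=>" in line:
            rhs = line.split("=>", 1)[1].strip()
            if rhs.startswith("/"):
                paths.add(rhs.split()[0])
        elif line.startswith("/"):
            paths.add(line.split()[0])
    return sorted(paths)


def check_jail_symlinks(jail):
    """Walk a chroot tree and report symlinks that will misbehave.

    Inside the chroot the kernel resolves an absolute link target relative to
    the jail root ("/lib/x" means "<jail>/lib/x") and ".." cannot climb above
    it. Two kinds of link are reported, as (path relative to jail, reason):
      dangling-in-jail  the target does not exist as the chrooted program sees it
      host-outside      the link works in the jail but, resolved on the host,
                        leaves the jail, so tools run from outside follow it
                        to the real system (the case the FAQ warns about)
    """
    jail = os.path.realpath(jail)
    findings = []
    for dirpath, dirnames, filenames in os.walk(jail):
        rel_dir = os.path.relpath(dirpath, jail)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            # Path as the chrooted program would resolve it, then mapped to the host
            if os.path.isabs(target):
                in_jail = os.path.normpath(target)
            else:
                in_jail = os.path.normpath(os.path.join("/", rel_dir, target))
            jail_view = os.path.normpath(jail + in_jail)
            host_view = os.path.realpath(path)
            rel = os.path.relpath(path, jail)
            if not os.path.exists(jail_view):
                findings.append((rel, "dangling-in-jail"))
            elif not host_view.startswith(jail + os.sep):
                findings.append((rel, "host-outside"))
    return sorted(findings)


def build_demo_jail():
    """Create a constructed throwaway jail with one good link and two bad
    ones, and return its path."""
    jail = tempfile.mkdtemp(prefix="jail-demo-")
    os.makedirs(os.path.join(jail, "etc"))
    os.makedirs(os.path.join(jail, "lib"))
    open(os.path.join(jail, "etc", "passwd"), "w").close()
    open(os.path.join(jail, "lib", "libc-2.2.so"), "w").close()
    # relative link inside the jail: fine
    os.symlink("passwd", os.path.join(jail, "etc", "pw"))
    # absolute link that works inside the jail but escapes it on the host
    os.symlink("/lib/libc-2.2.so", os.path.join(jail, "lib", "libc.so.6"))
    # absolute link whose target was never copied into the jail
    os.symlink("/usr/lib/libm-2.2.so", os.path.join(jail, "lib", "libm.so.6"))
    return jail


if __name__ == "__main__":
    print("libraries to copy:", parse_ldd(LDD_SAMPLE))
    for rel, reason in check_jail_symlinks(build_demo_jail()):
        print(f"{reason:17} {rel}")
```

Running it lists the three library files to copy and flags lib/libm.so.6 as dangling inside the jail and lib/libc.so.6 as resolving outside it on the host, while the relative etc/pw link passes. Pointing check_jail_symlinks at a real anonymous ftp tree after populating it is the practical use.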
Can you recommend some good reading on Linux Security?
Online and free:
Linux Administrator's Security Guide to be replaced by:
Linux Security Knowledge Base
PRACTICAL UNIX AND INTERNET SECURITY, O'Reilly
Anonymous: "Maximum Security" SAMS Publishing (www.samspublishing.com)
(German translation: "Hacker's Guide", Markt+Technik-Verlag München)
Anonymous: "Maximum Linux Security" SAMS Publishing (www.samspublishing.com)
(German translation: "Linux Hacker's Guide", Markt+Technik-Verlag München)
Other Places to Look for Security Info
comp.os.linux.security FAQ -
"This newsgroup is dedicated to the discussion of issues related to establishing and maintaining the security of machines running the Linux Operating System on all processor architectures."
Church of the Swimming Elephant - Have you gone to church today?
Security Portal -
Yet to be done/added:
- firewalls: dmz
- Obtuse SMTPD
- service tunneling using ssh
- log file checking/digestifying
- correct use of unix permissions
- saint/satan reports service xyz is insecure - what now?
- mail and file virus scanning
- buffer overflows
- password security
- IDS
- incident reporting
- mail relaying/anti spam
- ftp and firewalls
- glossary to properly describe words and phrases like tcp, udp, trojan, scans, ports, firewall, stateful packet inspection, packet filtering, vpn, ipsec, etc. pp.
- enhance the paragraph HOW DO I SECURE SUSE in a way that the users *know* what's going on if harden_suse or the seccheck-scripts are started, and *why* it is important not to run services with UID/GID 0, offer services which aren't used or have an eye on file permissions.
Credits
Peter Nixon - firstname.lastname@example.org
Kurt Seifried - email@example.com
Boris Lorenz - firstname.lastname@example.org
Johannes Geiger - email@example.com
Chris Wahl - firstname.lastname@example.org
Kevin Ivory - Ivory@SerNet.de
lukas geider - email@example.com
Matthias Patz - Matthias.Patz@patz-net.de
If you want your name on this list, send me a completed answer to one of the unfinished questions above.
This FAQ created and maintained by firstname.lastname@example.org