To handle security competently, it is important to observe some recommendations. You may find the following list of rules useful in dealing with basic security concerns:
Get and install the updated packages recommended by security announcements as quickly as possible.
Stay informed about the latest security issues:
opensuse-security-announce@opensuse.org is the SUSE mailing list for security announcements. It is a first-hand source of information regarding updated packages and includes members of SUSE's security team among its active contributors. You can subscribe to this list at http://en.opensuse.org/Communicate/Mailinglists.
Find SUSE security advisories as a news feed at http://www.novell.com/linux/security/suse_security.xml.
bugtraq@securityfocus.com is one of the best-known security mailing lists worldwide. Reading this list, which receives between 15 and 20 postings per day, is recommended. More information can be found at http://www.securityfocus.com.
Discuss any security issues of interest on our mailing list opensuse-security@opensuse.org.
According to the rule of using the most restrictive set of permissions possible for every job, avoid doing your regular jobs as root. This reduces the risk of getting a cuckoo egg or a virus and protects you from your own mistakes.
If possible, always try to use encrypted connections to work on a remote machine. Using ssh (secure shell) to replace telnet, ftp, rsh, and rlogin should be standard practice.
Avoid using authentication methods based solely on IP addresses.
Try to keep the most important network-related packages up-to-date and subscribe to the corresponding mailing lists to receive announcements on new versions of such programs (bind, postfix, ssh, etc.). The same should apply to software relevant to local security.
Change the /etc/permissions file to optimize the permissions of files crucial to your system's security. If you remove the setuid bit from a program, it might well be that it cannot do its job anymore in the intended way. On the other hand, consider that, in most cases, the program will also have ceased to be a potential security risk. You might take a similar approach with world-writable directories and files.
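An added example (not part of the original document) of taking stock of the two kinds of permission the paragraph above mentions: the function below lists setuid and setgid files and world-writable directories without the sticky bit below a given directory, so the output can be compared against what /etc/permissions is expected to enforce.

```shell
#!/bin/sh
# audit_permissions DIR
# Prints the files under DIR whose setuid or setgid bit is set, and the
# directories that are world-writable but lack the sticky bit, one per line as
# "<kind> <path>". Returns 1 if anything was reported and 0 otherwise, so it
# can drive a cron job that mails its output only when something turns up.
audit_permissions() {
    dir=$1
    out=$( {
        # setuid/setgid files run with the owner's or group's privileges; each
        # one should be justified or have the bit removed via /etc/permissions.
        find "$dir" -xdev -type f -perm -4000 -print | sed 's|^|setuid |'
        find "$dir" -xdev -type f -perm -2000 -print | sed 's|^|setgid |'
        # World-writable directories without the sticky bit let any user delete
        # or replace other users' files; /tmp-style sticky directories are fine.
        find "$dir" -xdev -type d -perm -0002 ! -perm -1000 -print |
            sed 's|^|world-writable-dir |'
    } 2>/dev/null | sort )
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: pass the directory to audit, e.g. "/" (reading everything needs root).
if [ -n "${1:-}" ]; then
    audit_permissions "$1" || echo "review the entries above"
fi
```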
Disable any network services you do not absolutely require for your server to work properly. This makes your system safer. Open ports, with the socket state LISTEN, can be found with the program netstat. As for the options, it is recommended to use netstat -ap or netstat -anp. The -p option shows which process, under which name, is occupying a port.
Compare the netstat results with those of a thorough port scan done from outside your host. An excellent program for this job is nmap, which not only checks out the ports of your machine, but also draws some conclusions as to which services are waiting behind them. However, port scanning may be interpreted as an aggressive act, so do not do this on a host without the explicit approval of the administrator. Finally, remember that it is important not only to scan TCP ports, but also UDP ports (options -sS and -sU).
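An added example, not from the original document, of checking the netstat output described above against the services a host is supposed to offer: the function reads netstat -anp output on standard input and reports every listening socket that is not on an allowlist. The embedded sample output is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Constructed sample of "netstat -anp" output (not from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1300/master
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      2222/X
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 1500/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           999/portmap'

# unexpected_listeners EXPECTED
# Reads netstat -anp output on stdin. EXPECTED is a space-separated list of
# "proto/port" entries that are allowed to listen. Every other listening socket
# is printed as "proto local-address pid/program"; returns 1 if any were found.
unexpected_listeners() {
    awk -v expected="$1" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            # TCP rows carry a State column and only LISTEN ones are open ports.
            # UDP rows have no state, so every bound UDP socket is reported.
            if (proto == "tcp" && $6 != "LISTEN") next
            port = $4; sub(/.*:/, "", port)
            if (!((proto "/" port) in ok)) { print proto, $4, $NF; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Usage on the constructed sample, allowing only sshd and the local MTA.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "tcp/22 tcp/25" \
    || echo "review the listeners above and disable what is not needed"
```

On a live system replace the sample with `netstat -anp | unexpected_listeners "..."` run as root, since -p only shows program names for processes you own.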
To monitor the integrity of the files of your system in a reliable way, use the program AIDE (Advanced Intrusion Detection Environment), available on openSUSE. Encrypt the database created by AIDE to prevent someone from tampering with it. Furthermore, keep a backup of this database available outside your machine, stored on an external data medium not connected to it by a network link.
Take proper care when installing any third-party software. There have been cases where a hacker had built a trojan horse into the tar archive of a security software package, which was fortunately discovered very quickly. If you install a binary package, be certain that the site from which you downloaded it is trustworthy.
SUSE's RPM packages are gpg-signed. The key used by SUSE for signing is:
ID:9C800ACA 2000-10-19 SUSE Package Signing Key <build@suse.de> Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA
The command rpm --checksig package.rpm shows whether the checksum and the signature of an uninstalled package are correct. Find the key on the first CD of the distribution and on most key servers worldwide.
Check backups of user and system files regularly. Consider that if you do not test whether the backup works, it might actually be worthless.
Check your log files. Whenever possible, write a small script to search for suspicious entries. Admittedly, this is not exactly a trivial task. In the end, only you can know which entries are unusual and which are not.
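An added example of the kind of small log-scanning script the paragraph above suggests; it is not part of the original document. Two functions read syslog-style sshd lines on standard input: one counts failed password attempts per source address and reports those over a threshold, the other lists accepted root logins. The sample lines are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Constructed sample log lines in syslog/sshd format (not from a real host).
SAMPLE_LOG='Mar  3 10:01:12 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Mar  3 10:01:15 host sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 4412 ssh2
Mar  3 10:01:19 host sshd[2205]: Failed password for root from 203.0.113.7 port 4415 ssh2
Mar  3 10:02:40 host sshd[2210]: Accepted publickey for alice from 198.51.100.4 port 50122 ssh2
Mar  3 10:03:02 host sshd[2212]: Failed password for alice from 198.51.100.4 port 50130 ssh2
Mar  3 10:03:09 host sshd[2214]: Accepted password for alice from 198.51.100.4 port 50131 ssh2
Mar  3 10:05:33 host sshd[2220]: Accepted password for root from 203.0.113.7 port 4420 ssh2'

# failed_login_sources THRESHOLD
# Reads log lines on stdin and prints "ip count" for every source address with
# at least THRESHOLD failed sshd password attempts, highest count first.
failed_login_sources() {
    awk -v min="$1" '
        /sshd\[[0-9]+]: Failed password for/ {
            # The source address is the field following the word "from".
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }' |
    sort -k2,2nr
}

# root_logins
# Prints every accepted sshd login as root as "ip method". A direct root login
# over the network deserves a second look even when it succeeded.
root_logins() {
    awk '/sshd\[[0-9]+]: Accepted (password|publickey) for root from/ {
            for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1), $7
        }'
}

# Usage on the constructed sample; on a real host feed in /var/log/messages
# or the output of journalctl instead.
printf '%s\n' "$SAMPLE_LOG" | failed_login_sources 3
printf '%s\n' "$SAMPLE_LOG" | root_logins
```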
Use tcp_wrapper to restrict access to the individual services running on your machine, so you have explicit control over which IP addresses can connect to a service. For further information regarding tcp_wrapper, consult the manual pages of tcpd and hosts_access (man 8 tcpd, man hosts_access).
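An added example, not from the original document, of the two access control files that hosts_access describes, in the deny-by-default layout a practitioner would normally choose; the network addresses are placeholders.

```text
# /etc/hosts.deny
# Consulted only when nothing in hosts.allow matched: refuse everything else.
ALL: ALL

# /etc/hosts.allow
# daemon_list : client_list (first matching line wins)
sshd:   192.168.1.0/255.255.255.0, 10.0.0.5
vsftpd: LOCAL
```

Only daemons started through tcpd or linked against libwrap consult these files, which is why the text recommends SuSEfirewall on top of them.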
Use SuSEfirewall to enhance the security provided by tcpd (tcp_wrapper).
Design your security measures to be redundant: a message seen twice is much better than no message at all.
If you use suspend to disk, consider configuring the suspend image encryption using the configure-suspend-encryption.sh script. The program creates the key, copies it to /etc/suspend.key, and modifies /etc/suspend.conf to use encryption for suspend images.