[Bkjia.com exclusive article] SUSE attracts many enterprise users with its outstanding performance and good security controls, and it is now used for a large number of key applications in China. This does not mean that SUSE is safe out of the box, however; there are still many security details to pay attention to. This article walks through those details in SUSE one by one, pointing out what to watch at each step.
I. Patch, SSH, and others
1. Patch
Each patch means that a security vulnerability or some other serious functional problem has been found. However, applying a patch may itself cause system exceptions or even bring services down, so be cautious when updating. In practice there are four approaches:
1) Apply the patches immediately after the system is installed, and only then put it into service.
2) Protect the server with perimeter controls such as a firewall, IPS and other means.
3) Apply the patch on a test machine first. Note, however, that some patches cause problems that stay hidden: things may be fine today and tomorrow, and the problem appears the day after. A long observation period is therefore needed.
4) If you have many SUSE servers, you can also distribute patches through an NFS share or internal FTP and HTTP services. However, FTP and HTTP introduce other security risks.
To upgrade SUSE patches you download the new RPM packages from Novell. The RPM packages are then installed; in most cases RPM resolves the dependencies itself. Novell also publishes notes for special cases such as kernel updates and the C runtime library. Novell provides a powerful tool, YaST. Unfortunately YaST itself is not entirely secure: its online update has had a temporary-file creation vulnerability.
Reinforcement method: enter yast and select Online Update under Software.
2. SSH
OpenSSH is installed on SUSE by default. OpenSSH is a popular, free encrypted connection tool, but earlier versions have many security vulnerabilities, so it is best to download the latest version from http://www.openssh.org. After upgrading to the latest version there is still a lot of hardening work to do for SSH: for example, restrict which accounts may log in, change the default port, and specify the networks allowed to connect. But the one thing you must do is set the Protocol version to 2, because the security problems of version 1 are so serious that passwords can even be intercepted.
Reinforcement method:
vi /etc/ssh/ssh_config
Change the value of Protocol to 2.
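The following audit script is an added example, not part of the original article or of OpenSSH: it reads an sshd configuration text and reports the hardening points listed above (Protocol 2, a non-default port, restricted accounts, no direct root login). The server daemon reads /etc/ssh/sshd_config, while /etc/ssh/ssh_config configures the client; the sample configuration, the directive defaults assumed (PermitRootLogin yes, port 22) and the function names are constructed for this illustration.

```shell
# Constructed sample sshd_config carrying the weak settings the text warns about.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real server config
Port 22
Protocol 2,1
PermitRootLogin yes
#AllowUsers ops backup'

# Effective value of a directive: sshd uses the first non-comment occurrence.
# A commented-out line starts with "#Keyword", so it never matches.
sshd_get() {            # usage: printf '%s\n' "$config" | sshd_get Keyword
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Print one finding per line for the hardening points in the text above;
# return 0 when the config passes and 1 when anything needs attention.
audit_sshd_config() {   # usage: audit_sshd_config "$config_text"
    cfg=$1; rc=0
    proto=$(printf '%s\n' "$cfg" | sshd_get Protocol)
    case "$proto" in
        2)  ;;
        "") echo "Protocol: unset; older releases then also accept version 1, set 'Protocol 2'"; rc=1 ;;
        *)  echo "Protocol: '$proto' still allows version 1; set 'Protocol 2'"; rc=1 ;;
    esac
    port=$(printf '%s\n' "$cfg" | sshd_get Port)
    if [ "${port:-22}" = 22 ]; then        # assumed default: 22
        echo "Port: default 22 in use; consider a non-default port"; rc=1
    fi
    root=$(printf '%s\n' "$cfg" | sshd_get PermitRootLogin)
    if [ "${root:-yes}" = yes ]; then      # assumed default of that era: yes
        echo "PermitRootLogin: yes; set it to no and log in with a named account"; rc=1
    fi
    allow=$(printf '%s\n' "$cfg" | sshd_get AllowUsers)
    if [ -z "$allow" ]; then
        echo "AllowUsers: not set; list the accounts that may log in"; rc=1
    fi
    return $rc
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "=> sshd_config needs hardening"
```

Run it as `audit_sshd_config "$(cat /etc/ssh/sshd_config)"` on a real host; a silent run with exit status 0 means all four points pass.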
3. System Performance Audit
Operations staff often need to monitor system performance. sysstat, shipped with SUSE, is a tool for checking system state such as CPU utilization and disk I/O. By default sysstat collects system data every 10 minutes; use the sar command to view it. sysstat is first used to establish a normal performance curve; once that baseline exists, any activity beyond it stands out. For example, password guessing, or events other than the business peak, can drive CPU utilization up and away from the normal baseline. Note that the data collected by sysstat is kept on the system for one week by default and is removed automatically by a cron task after that week; the collected data lives in the /var/log/sa/ directory. However, the default server installation does not include the sysstat package unless you chose a full installation.
Reinforcement method: install sysstat and run the sar command.
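The baseline comparison described above, as an added example that is not part of the original article or of sysstat: a saved `sar -u` listing from a normal day supplies the mean and spread of CPU busy time, and intervals in today's listing that exceed mean plus three standard deviations are flagged. Both listings are constructed (hostname, kernel and values are made up) and follow the column layout of `LC_ALL=C sar -u`.

```shell
# Constructed `LC_ALL=C sar -u` output: a week-old baseline from a quiet day
# and today's listing, which contains one abnormal 10-minute interval.
BASELINE_SAR='Linux 2.6.16.60-0.21-smp (suse-web1)    01/10/09
12:10:01          CPU     %user     %nice   %system   %iowait    %steal     %idle
12:20:01          all      3.10      0.00      1.20      0.30      0.00     95.40
12:30:01          all      3.90      0.00      1.00      0.30      0.00     94.80
12:40:01          all      2.80      0.00      1.10      0.20      0.00     95.90
12:50:01          all      3.40      0.00      1.20      0.30      0.00     95.10
Average:          all      3.30      0.00      1.13      0.28      0.00     95.30'

TODAY_SAR='Linux 2.6.16.60-0.21-smp (suse-web1)    01/17/09
12:10:01          CPU     %user     %nice   %system   %iowait    %steal     %idle
12:20:01          all      3.00      0.00      1.10      0.30      0.00     95.60
12:30:01          all     41.70      0.00     22.10      0.10      0.00     36.10
12:40:01          all      3.30      0.00      1.20      0.30      0.00     95.20
Average:          all     16.00      0.00      8.13      0.23      0.00     75.63'

# Mean and standard deviation of busy% (100 - %idle) over the per-interval
# rows; the kernel banner, the header and the Average: line are skipped.
cpu_baseline() {     # usage: printf '%s\n' "$sar_text" | cpu_baseline  -> "mean sd"
    awk '$2 == "all" && $1 != "Average:" { b = 100 - $NF; n++; s += b; ss += b * b }
         END { if (n == 0) exit 1
               m = s / n; v = ss / n - m * m; if (v < 0) v = 0
               printf "%.2f %.2f\n", m, sqrt(v) }'
}

# Print "HH:MM:SS busy=X% limit=Y%" for every interval of the second listing
# whose busy% exceeds the baseline mean plus three standard deviations.
cpu_outliers() {     # usage: cpu_outliers "$baseline_text" "$today_text"
    stats=$(printf '%s\n' "$1" | cpu_baseline) || return 2
    mean=${stats% *}; sd=${stats#* }
    printf '%s\n' "$2" | awk -v mean="$mean" -v sd="$sd" '
        $2 == "all" && $1 != "Average:" {
            busy = 100 - $NF; limit = mean + 3 * sd
            if (busy > limit) printf "%s busy=%.1f%% limit=%.1f%%\n", $1, busy, limit
        }'
}

cpu_outliers "$BASELINE_SAR" "$TODAY_SAR"
```

On a live system the two arguments would come from `LC_ALL=C sar -u -f /var/log/sa/saNN` for the baseline day and plain `LC_ALL=C sar -u` for today.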
4. Firewall
SuSEfirewall2 is SUSE's packet-filtering firewall, which allows or denies traffic. The service is installed and activated by default, and no services are allowed through by default; any service you need to reach (for example the SSH mentioned above) must be enabled explicitly.
Reinforcement method:
In the YaST Control Center, go to Security and Users > Firewall to adjust the firewall policy.
For more fine-grained policy configuration, go to YaST Control Center > System > /etc/sysconfig Editor > Network/Firewall/SuSEfirewall2, or edit the /etc/sysconfig/SuSEfirewall2 file directly.
5. Regular System Security Check script seccheck
seccheck is a system security check script that periodically generates daily, weekly and monthly reports and sends them by email. It consumes resources while it runs, so schedule it for off-peak hours.
Reinforcement method: YaST Control Center > System > /etc/sysconfig Editor > System/Security/Seccheck.
6. SUSE Security Application Framework AppArmor
Compared with SuSEfirewall2, AppArmor provides application-level protection: it can manage an application's file and directory access and other fine-grained operations. It is a whitelist mechanism, meaning you specify which behaviors are allowed and everything else is denied, which better shields the internals of the system. For example, if your system has a vulnerability but the operation it requires is not authorized by the whitelist, that operation is rejected.
Reinforcement method: YaST Control Center > Novell AppArmor lets you adjust detailed policies and view reports. If you are not familiar with it, AppArmor also provides a wizard.
II. Minimize xinetd
1. Disable Standard Services
SUSE uses xinetd, which is better and more convenient than inetd. By default SUSE disables all services. After SSH is enabled you can configure the xinetd services, and the same principle applies for security: first disable all services, then enable only the necessary ones.
Reinforcement method: run chkconfig to check the activation status of all services and disable the unnecessary ones.
2. Trusted network access
Access to the server should be controlled, so use SuSEfirewall2 or other measures to restrict access to trusted networks only.
Reinforcement method:
vi /etc/sysconfig/SuSEfirewall2. You can also configure it in YaST Control Center > System > /etc/sysconfig Editor.
3. telnet
Do not use telnet unless there is a special reason. telnet uses an unencrypted network protocol, which means the data transmitted between your account and you can be eavesdropped, and session hijacking can be used to take control of your system. SSH is therefore strongly recommended, even though SSH is not perfectly secure either.
Reinforcement method:
The command to enable it is chkconfig telnet on.
The command to disable it is chkconfig telnet off.
4. FTP
Similarly, do not use FTP, especially anonymous FTP, without good reason. Like telnet, FTP is unencrypted and can be eavesdropped or hijacked. SSH provides SCP and SFTP, which can replace FTP. Note that FTP is sometimes tied to an application, such as the web upload channel I have seen many times, so anonymous FTP must be used there. If you must use FTP, you still need some controls: the FTP directory should be restricted, and preferably sit on its own partition. vsftpd is not installed on SUSE by default.
Reinforcement method:
The command to enable it is chkconfig vsftpd on.
The command to disable it is chkconfig vsftpd off.
5. rlogin/rsh/rcp
All r-series commands should be disabled. Besides being open to eavesdropping, they have problems with their authentication mechanism and other security vulnerabilities, such as buffer overflows and arbitrary command execution. We recommend using SSH instead.
Reinforcement method:
To enable them, run:
chkconfig rexec on
chkconfig rlogin on
chkconfig rsh on
To disable them:
chkconfig rexec off
chkconfig rlogin off
chkconfig rsh off
6. TFTP
TFTP is generally used by diskless workstations and X terminals, and for copying the configuration of routers and other network devices as a backup. Unless there is a special reason for it, we recommend disabling it. TFTP is not installed by default on SUSE.
Close command: chkconfig tftp off
7. IMAP
IMAP is only needed on a mail server. Some mail clients, such as Eudora, Netscape Mail and KMail, use IMAP to retrieve remote mail.
Reinforcement method: the command to disable the service is
chkconfig cyrus off or chkconfig imap off.
8. POP
This is the mail retrieval service. Does this server need to receive mail? If not, disable the service.
Reinforcement method: chkconfig qpopper off or chkconfig cyrus off.
III. Minimal startup of services
1. Set umask
The default umask should be set to at least 027. Some daemons, such as the system logger, create files accessible to anyone by default. If a daemon needs looser permissions, consider modifying that daemon's startup script to give it what it needs without affecting the rest of the server's security.
Reinforcement method:
vi /etc/profile and change the umask value to 027.
For the users under /home, the umask is defined according to their shell type; generally, add a umask 027 line to the .profile in each user's home directory.
2. SMTP
Check whether the server needs to handle email. On SUSE, Postfix is installed and activated by default. If this server is a mail server, note that allowing attachment searches from the web interface is a security risk. Also, if you have experience in mail server management, you know how important it is to plan a chroot environment for Postfix: in a chroot, even if someone breaks into the smtpd daemon, the damage is contained.
Reinforcement method:
To enable: vi /etc/sysconfig/mail and set SMTPD_LISTEN_REMOTE="yes". The port must also be opened on the firewall.
To disable: vi /etc/sysconfig/mail and set SMTPD_LISTEN_REMOTE="no".
3. Runlevel
There are two main runlevels in SUSE: level 5 boots straight into X Windows, and level 3 is the character interface. However, even if the system runs at level 3, you can still run startx from the shell to start X Windows.
Reinforcement method:
Set it to level 3: vi /etc/inittab and change the 5 in id:5:initdefault: to 3.
4. X Font Server
Servers generally do not need X Windows. If the graphical interface is not used, the X Font Server can be switched off. It provides the font set for the graphical interface, and in addition XFS has had some buffer overflow problems.
Reinforcement method:
Disable X Font Server: chkconfig xfs off
5. Standard start service
Every system daemon should be disabled unless you know it must be enabled; vulnerable applications running on a server greatly increase risk. SUSE uses chkconfig to manage all system service scripts. Note that a SUSE patch may re-enable some services, so before updating, record the services you have started. In addition, some daemons have their own accounts, which should be deleted or locked to prevent others from logging on, or have their shell set to /bin/false.
Reinforcement method:
You can add or remove a service in the directory of each runlevel. First you need to know your system's runlevel: run the runlevel command to view it. If the runlevel is 3, the scripts are in /etc/rc.d/rc3.d, and all links starting with S are run at startup. For example, mv /etc/rc3.d/S04rpcbind /etc/rc3.d/K04rpcbind disables the rpcbind service.
In addition, delete or lock the daemons' accounts. The command to delete a user is userdel. The following users can be deleted: adm lp sync shutdown halt news uucp operator gopher; games can be deleted if X Windows is not used, and ftp can be deleted if anonymous FTP is not used.
6. SMB and NMB
SUSE provides Samba to offer file and print sharing to Windows users, so that a UNIX system can act as a file server and print server on a Windows network, and even as a domain controller and authentication server for early Windows systems. Samba requires the SMB and NMB protocols: SMB is Windows file sharing and NMB is the NetBIOS message block. If you do not need these roles, disable both protocols. Close command: chkconfig smb off
7. NFS
NFS is often used for unauthorized access to files, so disable it if you do not need it. Even if you really do need NFS, apply controls, including limiting the IP address range that may access it and exporting read-only. The NFS client service should also be disabled.
Close command:
chkconfig nfsserver off
chkconfig autofs off
8. NIS
Do not use NIS unless necessary. NIS (Network Information Service) is similar to a domain controller in Windows. Although NIS is easy to maintain, it has design-level security problems and can be completely replaced by LDAP.
Close command:
chkconfig ypserv off
chkconfig yppasswdd off
9. RPC port mapping
To run NIS you must first run the portmap daemon. The RPC authentication mechanism is weak and easily bypassed, and RPC can be used to obtain a lot of important information. Unless NIS is required, disable it.
Close command: chkconfig portmap off
10. ncpfs script
ncpfs is required for file sharing in NFS and Windows networks, but it is not installed by default. If there is no network sharing, stop it. This script mounts the client's network drives. Fortunately it is not a persistent daemon, so it is not so dangerous.
Close command: chkconfig ncpfs off
11. apache
Only web servers need Apache. Even if this server is a web server, do not put the database and other supporting components on the same host.
Close command: chkconfig apache2 off
12. SNMP
Network management protocols are frequently used in large networks. Determine whether you use remote monitoring tools that depend on SNMP, such as HP OpenView, MRTG and Cricket. If SNMP is used, we recommend changing the default community string. In SUSE, SNMP is configured in /etc/snmpd.conf.
Close command: chkconfig snmpd off
13. DNS server
Determine whether your network needs a domain name resolution server. The number of DNS attacks has increased over the past two years. If you need one, we recommend using access control in /etc/named.conf; for example, an internal DNS server should not answer external queries. In a relatively large network, separate internal and external DNS servers generally serve the two kinds of queries, but some small networks cannot separate them, and there you should consider access control.
Close command: chkconfig named off
14. Squid Cache Server
Squid is proxy server software. In fact, Squid is a good security architecture, because it places a proxy between client and server, which reduces the risk of leaking system information to some extent and prevents internal vulnerabilities from being discovered. However, Squid must be configured carefully; there are many vulnerabilities related to the Squid cache. Configured without security in mind, it lets attackers probe internal hosts or use your cache to hide their real IP addresses. It should therefore be configured so that outsiders cannot use your cache without authentication.
Close command: chkconfig squid off
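The service minimization of sections II and III can be checked in one pass, as an added example that is not part of the original article or of SUSE's chkconfig: the script reads `chkconfig --list` output and prints a `chkconfig NAME off` line for each service on the article's disable list that is still enabled in runlevel 3 or 5 or switched on under xinetd. The listing below is constructed to mimic the SUSE chkconfig format, and the service list is the one assembled from the sections above.

```shell
# Services this article says to leave off unless the host's role needs them.
UNNEEDED_SERVICES="telnet vsftpd rexec rlogin rsh tftp cyrus imap qpopper xfs smb nmb nfsserver autofs ypserv yppasswdd portmap ncpfs apache2 snmpd named squid"

# Constructed `chkconfig --list` output: sysv services first, xinetd ones after.
SAMPLE_CHKCONFIG_LIST='apache2                   0:off  1:off  2:off  3:on   4:off  5:on   6:off
autofs                    0:off  1:off  2:off  3:off  4:off  5:off  6:off
portmap                   0:off  1:off  2:off  3:on   4:off  5:on   6:off
sshd                      0:off  1:off  2:off  3:on   4:off  5:on   6:off
SuSEfirewall2_setup       0:off  1:off  2:off  3:on   4:off  5:on   6:off
xfs                       0:off  1:off  2:off  3:off  4:off  5:on   6:off
xinetd based services:
        rsync:  off
        telnet: on
        vsftpd: off'

# Print "chkconfig NAME off" for every service that is both on the unneeded
# list and enabled; return 1 when at least one was found, 0 when clean.
audit_services() {    # usage: audit_services "$chkconfig_list_text"
    printf '%s\n' "$1" | awk -v list="$UNNEEDED_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^xinetd based services:/ { xinetd = 1; next }
        xinetd {                      # "    name:  on|off"
            name = $1; sub(/:$/, "", name)
            if (want[name] && $2 == "on") { print "chkconfig " name " off"; found = 1 }
            next
        }
        {                             # "name  0:off 1:off ... 6:off"
            for (i = 2; i <= NF; i++)
                if (($i == "3:on" || $i == "5:on") && want[$1]) {
                    print "chkconfig " $1 " off"; found = 1; break
                }
        }
        END { if (found) exit 1 }'
}

audit_services "$SAMPLE_CHKCONFIG_LIST" || echo "=> the services above should be disabled"
```

On a real host run `audit_services "$(chkconfig --list)"`; review each suggested line against the server's role before applying it, since a mail or web server legitimately keeps some of these on.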