Securing SUSE Linux

From openSUSE

Disable TELNETD

TELNETD is not enabled by default in SUSE.

Disable FTP Servers

FTP server is not enabled by default in SUSE.

Disable inetd

If no services are running (as is the default) xinetd is not running.

Lockdown SuSEfirewall2

A proper hardened firewall drops all unnecesary traffic. The SUSE firewall SuSEfirewall2 by default is not completely hardened. It is configured to reject ident/auth traffic on port 113 by default to prevent long timeouts when sending mail or connecting to an IRC server that send back auth queries. Please note, this behavior currently will not show up in the Yast configuration interface.

To change this manually open the file /etc/sysconfig/SuSEfirewall2

and change

FW_SERVICES_REJECT_EXT="0/0,tcp,113"

to

FW_SERVICES_REJECT_EXT=""

SSH Security

Configure SSH for SSH2-only Access

NOTE: For openSUSE 10.3 and later, SSH version 1 is disabled by default. These steps are typically unnecessary on versions 10.3 and later, unless SSH version 1 has been enabled after installation.

Modify the /etc/ssh/sshd_config file to change the PROTOCOL line from:

#PROTOCOL    1,2

to:

PROTOCOL     2

Limit SSH Access

change ssh port

In file /etc/ssh/sshd_config uncomment and change Port 22 to Port 65323 (for example), then restart ssh daemon. Use the following command to view the ports your computer has open (note that it may not be a complete list):

 netstat -na

You may find the following link helpful in choosing a port number: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

rcsshd restart

Now that you have changed the port, you must configure the firewall accordingly. If you are using the 11.1 default firewall, enter YaST, Security and Users, Firewall, Allowed Services, External Zone or Internal Zone as the case may be, Advanced..., and enter the new port in TCP Ports.

Now to ssh to the machine, you will use the -p option. Ex.

 ssh ###.##.###.### -l user -p 65323

limit by users

1. start yast
2. go to Security & Users -> Edit and create groups
3. add a group named "sshlogin"
4. make all normal users (not root), whom you allow to use ssh to access the system member of this group.

In /etc/ssh/sshd_config modify:

AllowUsers root
 or
#PermitRootLogin yes

to:

#AllowUsers root
 or
PermitRootLogin no

And add:

AllowGroups sshlogin

Finally as root restart sshd:

rcsshd restart

Limit by hosts

In /etc/hosts.allow you enter the following lines for the hosts you specificaly allow, e.g.:

sshd : 127.0.0.1 : allow
sshd : 192.168.  : allow
sshd : 130.57.5.70 : allow
sshd : 10.         : allow

Next enter all that need to be denied:

sshd : ALL         :deny

Limit by variable hosts

Most of the time you just want to limit access from abusive hosts. If you want to see if this happens, do the following as root:

grep sshd /var/log/messages |grep "Invalid user"| \
awk '{print $NF}'|sort|uniq -c|sort -n

This will give the the number of attempts per IP. To block this, there are several scripts. An easy script to use is blockhosts. The way to use it under SUSE is as follows.

A) Download the GZIPed Archiveand unpack it.

B) Go into the just created directory and run as root python setup.py install

C) Add the following line to /etc/blockhosts.cfg with a space in front of LOGFILES

LOGFILES = [ "/var/log/messages", ]

D) Add the follwoing lines to /etc/hosts.allow

#---- BlockHosts Additions
#---- BlockHosts Additions <update: Blockhosts installs into /usr/bin/local>
sshd : ALL: spawn /usr/local/bin/blockhosts.py & : allow

If you want, you can still add specific hosts or ranges that are allowed or denied to /etc/hosts.allow

SSH systematic or brute-force attack protection

To protect SSH against brute-force attacks, refer to this article.

Edit BIOS to Disallow Booting from CDROM/Floppy

See the documentation for your specific BIOS. Booting from removable media allows an attacker with physical access to the machine to mount the systems' filesystems--accessing or deleting data, changing settings, or even changing passwords.

Be sure to:

1. Set a BIOS password
2. Change the boot order such that hard disk is first
3. Physically lock the case so attacker cannot reset the BIOS

Set GRUB password

Grub is a powerful bootloader which allows entries to be edited on the fly. This can be a security risk, however. GRUB can boot removable media or even access files on the hard disk.

To set a password, see the YaST 'Boot Loader' module. Remember to remove the 'Floppy' entry!

For 9.3:

1. Select 'Add'.
2. Change 'Selected Option' to 'password' and select 'OK'.
3. Check 'Protect Boot Loader with Password' and enter password.

For 10.0:

1. Switch to the 'Boot Loader Installation' tab.
2. Select 'Boot Loader Options.'
3. Check 'Protect Boot Loader with Password' and enter password.

Lock MySQL root account

MySQL by default has no password set for the root account. Users can login as user root with full database administrator privileges, simply by providing the account name. To test if this is still the case:

# mysqladmin -u root status

or

# mysql -u root

To set the password for the MySQL root account:

# mysql -u root
mysql> UPDATE mysql.user SET password=PASSWORD('new password') WHERE user='root';
mysql> FLUSH PRIVILEGES;

Then re-test access with one of the tests mentioned above.

Alternatively, open a Terminal window and run the following command:

# mysql_secure_installation

This will guide you through the process of setting a root password, disabling anonymous access and removing the default (test) databases.

Encrypt Data Partitions

Note: If the password for an encrypted partition is forgotten, all data will be unrecoverable!

YaST includes the option to encrypt partitions. It is a good idea to encrypt any partitions that contain sensitive data.

1. In the YaST Partitioner create a new partition as normal:
   1. Select 'Create.'
   2. Select the disk to create the partition on.
   3. Select whether a primary or extended partition should be created (if prompted).
2. In the create partition dialog, select a filesystem (other than swap or FAT) and a mount point (other than /, /usr, /boot, or swap).
3. Select a size for the partition.
4. Check "Encrypt File System" and select 'OK'.
5. Enter a password and select 'OK'.

The encrypted filesystem is created and its entry is added /etc/cryptotab. For example:

# cat /etc/cryptotab
/dev/loop0   /dev/sdb1   /encrypted_mount_point      reiserfs    twofish256 acl,user_xattr

When the system boots, a password is required before the filesystem is mounted:

Activating crypto devices using /etc/cryptotab ...
Please enter passphrase for /dev/sdb1:

It can be mounted and unmounted with the /etc/init.t/boot.crypto script. For example:

To mount:

/etc/init.d/boot.crypto start

To unmount:

/etc/init.d/boot.crypto stop

Alternatively, the mount commands can be used directly.

To mount an encrypted partition, a loopback device must first be established:

# losetup -e twofish256 /dev/loop0 /dev/sdb1
Password:

Then, the loopback device can be mounted:

# mount /dev/loop0 /encrypted_mount_point

To unmount, simply use the umount command then delete the loopback device:

# umount /encrypted_mount_point
# losetup -d /dev/loop0

Note that if you get an error like "mount: you must specify the filesystem type" when mounting, you may have entered the wrong password. Delete the loopback device and try again.

• See also: Encrypted Root File System