-
Following the rule of least privilege (give every job the most
restrictive set of permissions it can work with), do not do your
routine work as root. This limits the damage a cuckoo egg (a planted
trojan horse) or a virus can do, because it runs only with your own
rights, and it protects you from your own mistakes.
-
Wherever possible, use encrypted connections to work on a remote
machine. Replacing telnet, ftp, rsh, and rlogin with ssh (secure
shell) should be standard practice: the legacy tools send passwords
and session data across the network in the clear.
-
Avoid authentication methods based on IP addresses alone, such as the
rhosts mechanism behind rsh and rlogin: a source address can be
spoofed or reassigned and proves nothing about who is connecting.
-
Keep the most important network-facing packages (bind, sendmail, ssh,
etc.) up-to-date and subscribe to the corresponding mailing lists to
receive announcements of new versions of such programs. The same
applies to software relevant to local security, such as setuid
programs.
-
Adjust the /etc/permissions file to tighten the permissions of files
crucial to your system's security. If you remove the setuid bit from a
program, it may no longer be able to do its job in the intended way.
On the other hand, in most cases it will also have ceased to be a
potential security risk, so check which setuid programs you actually
need. Take a similar approach with world-writable directories and
files.
-
Disable any network services you do not absolutely require for your
server to work properly; every listening service is attack surface.
Open ports, with the socket state LISTEN, can be found with the
program netstat. As for the options, it is recommended to use
netstat -ap or netstat -anp (-n suppresses name lookups). The
-p option shows which process, under which name and PID, is occupying
a port. Run netstat as root, because otherwise -p only resolves
sockets that belong to your own user.
Compare the netstat results with those of a thorough port scan done
from outside your host. An excellent program for this job is nmap,
which not only checks the ports of your machine, but also draws
conclusions as to which services are waiting behind them. However,
port scanning may be interpreted as an aggressive act, so do not do
this on a host without the explicit approval of the administrator.
Finally, remember that it is important not only to scan TCP ports,
but also UDP ports (options -sS and -sU; both need root privileges on
the scanning host). A port that the scan reports open but netstat
does not list deserves immediate attention.
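The comparison described above, as an added example that is not part of the SUSE manual: a small POSIX shell script that reads saved output of netstat -tulnp and of nmap -sS -sU -oG, reduces both to proto/port pairs, and reports the two sets that matter (listening but not reachable, and reachable but not listed). The sample netstat and nmap output, the host address 192.0.2.10 and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the SUSE manual): compare the ports a host
# itself reports as listening with what an nmap scan run from outside
# actually reached. Inputs are plain text files: saved output of
# "netstat -tulnp" and of "nmap -sS -sU -oG <file>". The sample data in
# write_samples is constructed for this demonstration.
set -u
LC_ALL=C
export LC_ALL

# Print "proto/port" for every listening socket in netstat output.
# TCP lines carry a State column (LISTEN); UDP lines have no state, so
# every UDP socket in "-l" output is a listener. Field 4 is the local
# address, e.g. 0.0.0.0:22 or :::80; the port is the text after the last colon.
listening_ports() {
    awk '
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }
        $1 ~ /^(tcp|udp)/ {
            proto = ($1 ~ /^udp/) ? "udp" : "tcp"
            n = split($4, a, ":")
            print proto "/" a[n]
        }
    ' "$1" | sort -u
}

# Print "proto/port" for every port nmap -oG reports as open. Grepable
# output puts all ports of a host on one "Host:" line, separated by ", ",
# each as port/state/proto//service///. UDP ports that never answer are
# reported as open|filtered, which is the best nmap can do for UDP.
nmap_open_ports() {
    awk '
        /^Host:.*Ports:/ {
            s = $0
            sub(/.*Ports: /, "", s)
            sub(/[ \t]+Ignored State:.*/, "", s)
            n = split(s, entries, /, */)
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] == "open" || f[2] == "open|filtered")
                    print f[3] "/" f[1]
            }
        }
    ' "$1" | sort -u
}

# Ports netstat lists that the external scan did not see: usually bound to
# loopback or blocked by a packet filter, which is what you want.
local_only() {
    tmp=$(mktemp -d)
    listening_ports "$1" > "$tmp/local"
    nmap_open_ports "$2" > "$tmp/remote"
    comm -23 "$tmp/local" "$tmp/remote"
    rm -rf "$tmp"
}

# Ports the external scan found that netstat does not list: a process that
# hides from netstat, a port forwarded from elsewhere, or a stale scan.
remote_only() {
    tmp=$(mktemp -d)
    listening_ports "$1" > "$tmp/local"
    nmap_open_ports "$2" > "$tmp/remote"
    comm -13 "$tmp/local" "$tmp/remote"
    rm -rf "$tmp"
}

# Constructed sample data standing in for real command output.
write_samples() {
    cat > "$1/netstat.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp6       0      0 :::80                   :::*                    LISTEN      1204/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           744/ntpd
EOF
    # real -oG output separates the fields with tabs; the parser accepts both
    cat > "$1/scan.gnmap" <<'EOF'
# Nmap 7.80 scan initiated as: nmap -sS -sU -p 22,25,80,123,8080 -oG scan.gnmap 192.0.2.10
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 123/open|filtered/udp//ntp///, 8080/open/tcp//http-proxy///  Ignored State: closed (995)
# Nmap done: 1 IP address (1 host up)
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
echo "listening locally, not reachable from outside:"
local_only "$demo/netstat.txt" "$demo/scan.gnmap"
echo "reachable from outside, not listed by netstat (investigate):"
remote_only "$demo/netstat.txt" "$demo/scan.gnmap"
rm -rf "$demo"
```

On the sample data the first list contains only tcp/25 (the MTA bound to 127.0.0.1, invisible from outside as intended) and the second contains tcp/8080, a port the scan reached but no netstat line accounts for. On a real host, run netstat -tulnp > netstat.txt as root on the target and nmap -sS -sU -oG scan.gnmap <target> from another machine, then feed both files to the two functions.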
-
To monitor the integrity of the files on your system in a reliable
way, use the program AIDE (Advanced Intrusion Detection Environment),
available on SUSE Linux Enterprise. Build its database from a known
clean state, ideally right after installation. Encrypt or sign the
database created by AIDE to prevent someone from tampering with it: an
attacker who can rewrite the database can hide modified files from
every later check. Furthermore, keep a backup of this database
available outside your machine, stored on an external data medium not
connected to it by a network link.
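An AIDE configuration that implements the advice above, added here as an example and not the aide.conf shipped with SUSE. The database paths, the attribute sets and the directory selection are assumptions for a typical server; adjust them to what the machine actually runs.

```conf
# /etc/aide.conf  (added example, not the file shipped with SUSE)

# Database read by "aide --check" and database written by
# "aide --init" / "aide --update". Keep them apart so that a run never
# overwrites the reference copy. Newer AIDE releases spell the first
# option database_in; the older form is still accepted there.
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
gzip_dbout=yes

# Attribute sets: p permissions, i inode, n link count, u/g owner and
# group, s size, b block count, m mtime, c ctime, sha256 content hash.
Binlib = p+i+n+u+g+s+b+m+c+sha256
ConfFiles = p+i+n+u+g+sha256
# Log files grow legitimately; watch only ownership and permissions.
Logs = p+u+g

# Selection lines: a leading "!" excludes a tree; entries are regular
# expressions matched against the start of the path.
/bin Binlib
/sbin Binlib
/usr/bin Binlib
/usr/sbin Binlib
/lib Binlib
/usr/lib Binlib
/etc ConfFiles
/var/log Logs
!/var/log/lastlog
!/var/lib/aide
!/proc
!/sys
!/tmp
```

Initialize with aide --init, move /var/lib/aide/aide.db.new to /var/lib/aide/aide.db, and make the offline copy with gpg --symmetric --cipher-algo AES256 aide.db (or gpg --detach-sign aide.db if you only need to detect tampering) before writing it to the external medium. Later runs of aide --check compare the live system against aide.db; after every legitimate update, rebuild the database and refresh the offline copy, otherwise the report fills with expected changes and the real ones get lost in the noise.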
-
Take proper care when installing any third-party software. There have
been cases where an attacker had built a trojan horse into the tar
archive of a security software package, which was fortunately
discovered very quickly. If you install a binary package, be certain
that you trust the site from which you downloaded it, and verify the
package's signature rather than relying on the download channel alone.
SUSE's RPM packages are gpg-signed. The key used by SUSE for
signing is:
ID:9C800ACA 2000-10-19 SUSE Package Signing Key <[email protected]>
Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA
The command rpm --checksig package.rpm shows whether the checksum and
the signature of an uninstalled package are correct. Find the key on
the first CD of the distribution and on most key servers worldwide.
Before importing a copy of it, compare its fingerprint with the one
printed above: a key server does not vouch for a key's owner, and the
short key ID alone is not enough to identify a key.
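The checks from the two paragraphs above as an added shell example (not code from the SUSE manual): compare a key's fingerprint with the published one before importing it, let rpm --checksig decide about a package, and, for tarballs that carry no signature, verify a checksum list obtained over a separate channel. Only the fingerprint constant comes from the manual; the file names, the sample archive and the checksum list are constructed. key_fingerprint and import_key_if_trusted need GnuPG 2.1 or later and rpm; the checksum functions need only coreutils.

```shell
#!/bin/sh
# Added example (not part of the SUSE manual): checks to run before
# installing a downloaded package. The fingerprint is the one the manual
# prints for the SUSE Package Signing Key; everything else (file names,
# the sample archive, the checksum list) is constructed for this demo.
set -u

# Fingerprint of the SUSE Package Signing Key as printed in the manual.
SUSE_KEY_FPR='79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA'

# Canonical form of a fingerprint: no spaces, upper case, so that the
# comparison does not depend on how gpg or a web page happened to print it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Exit 0 if two fingerprints denote the same key, 1 otherwise. Compare the
# whole fingerprint; the short key ID (9C800ACA) is only its last 32 bits.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Fingerprint of the first key in an exported key file, without importing
# it into any keyring (GnuPG 2.1+). Colon format: record type "fpr", field 10.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import a key file only after its fingerprint matched the expected one,
# so that rpm --checksig can use it.  $1 = key file, $2 = expected fingerprint
import_key_if_trusted() {
    actual=$(key_fingerprint "$1")
    if fingerprint_matches "$2" "$actual"; then
        rpm --import "$1"
    else
        echo "fingerprint mismatch: expected $2, got $actual" >&2
        return 1
    fi
}

# rpm --checksig verifies digests and the signature; a signature by a key
# rpm does not know is reported as NOT OK and gives a non-zero exit status.
verify_rpm() {
    rpm --checksig "$1"
}

# For tarballs and other unsigned downloads, verify against a checksum list
# obtained over a separate channel (for example a signed announcement mail).
# $1 = list in "sha256sum" output format, $2 = directory holding the files.
verify_checksums() {
    (cd "$2" && sha256sum -c --status "$1")
}

# Demonstration on constructed files: a fake archive, its checksum list,
# then a modification that must be caught.
demo=$(mktemp -d)
printf 'original archive contents\n' > "$demo/tool-1.0.tar.gz"
(cd "$demo" && sha256sum tool-1.0.tar.gz > SHA256SUMS)
verify_checksums "$demo/SHA256SUMS" "$demo" && echo "download matches published checksum"
printf 'injected trojan\n' >> "$demo/tool-1.0.tar.gz"
verify_checksums "$demo/SHA256SUMS" "$demo" || echo "checksum mismatch: do not install"
rm -rf "$demo"
```

For a real package: import_key_if_trusted suse-key.asc "$SUSE_KEY_FPR" once, then verify_rpm package.rpm before every install; a checksum list is only worth something if it reached you by a path the attacker who replaced the download could not also control.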
-
Check your backups of user and system files regularly, and practice
restoring from them. If you never test whether a backup can be
restored, it may well be worthless when you need it.
-
Check your log files. Whenever possible, write a small script to
search for suspicious entries, such as repeated failed logins from one
address, logins as root, or failed su attempts. Admittedly, this is
not exactly a trivial task. In the end, only you can know which
entries are unusual for your system and which are not.
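The kind of small script the paragraph above asks for, added here as an example and not taken from the SUSE manual: awk passes over an sshd/su log that count failed password attempts per source, flag a source whose failures were followed by a successful login, list root logins over ssh, and list failed su attempts. The log lines, host name, user names and addresses are constructed in syslog format for the demonstration, and the thresholds are starting points, not recommendations.

```shell
#!/bin/sh
# Added example (not part of the SUSE manual): a small script that picks
# suspicious entries out of an sshd/su log. The log lines written by
# write_sample_log are constructed in syslog format for this demo.
set -u

# Sources with at least $2 failed sshd password attempts in log $1.
# Prints "count address", most active first. The address follows the
# word "from" on an sshd line, for valid and invalid user names alike.
failed_logins_by_source() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Addresses from which a password brute force apparently succeeded: at
# least $2 failures from the address, later followed by an "Accepted" line.
success_after_failures() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: (Failed password|Accepted [a-z-]+) for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ($0 ~ /Failed password/) {
                fails[ip]++
            } else if (fails[ip] >= min && !(ip in reported)) {
                reported[ip] = 1
                print ip
            }
        }
    ' "$1"
}

# Every successful ssh login as root, with its source. On a host where
# root should only log in locally, any line here is an incident.
root_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted [a-z-]+ for root from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
        }
    ' "$1" | sort -u
}

# Users who failed to su to root. The user name position assumes the
# "FAILED SU (to root) user on tty" format used in the sample below.
failed_su() {
    awk '/FAILED SU \(to root\)/ { print $(NF - 2) }' "$1" | sort -u
}

# Constructed sample log: one brute force against root from 203.0.113.7
# that eventually succeeds, one typo by bob, one failed su by carol.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:12:01 host sshd[1201]: Accepted publickey for alice from 192.0.2.5 port 51234 ssh2
Mar  3 10:12:41 host sshd[1210]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar  3 10:12:43 host sshd[1211]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar  3 10:12:45 host sshd[1212]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Mar  3 10:12:47 host sshd[1213]: Failed password for invalid user oracle from 203.0.113.7 port 40004 ssh2
Mar  3 10:13:02 host sshd[1214]: Failed password for bob from 192.0.2.8 port 51300 ssh2
Mar  3 10:13:09 host sshd[1215]: Accepted password for bob from 192.0.2.8 port 51301 ssh2
Mar  3 10:15:00 host su: FAILED SU (to root) carol on /dev/pts/2
Mar  3 10:20:00 host sshd[1230]: Accepted password for root from 203.0.113.7 port 40010 ssh2
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "sources with 3 or more failed logins:";       failed_logins_by_source "$log" 3
echo "brute force followed by a successful login:"; success_after_failures "$log" 3
echo "root logins over ssh:";                        root_logins "$log"
echo "failed su to root:";                           failed_su "$log"
rm -f "$log"
```

Point the functions at /var/log/messages (or wherever syslog writes the auth facility on your system) instead of the sample file, and run the script from cron against the lines logged since the previous run; bob's single typo stays below the threshold, while 203.0.113.7 shows up in three of the four reports.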
-
Use tcp_wrapper to restrict access to the individual services running
on your machine, so you have explicit control over which IP addresses
can connect to a service. Note that only services started through
tcpd (from inetd or xinetd) or linked against libwrap honor these
rules. For further information regarding tcp_wrapper, consult the
manual pages of tcpd and hosts_access (man 8 tcpd,
man hosts_access).
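A hosts.allow/hosts.deny pair that applies the item above, added here as an example and not the files shipped with SUSE. The networks, the jump host 10.0.0.5 and the choice of sshd as the protected service are assumptions for the demonstration.

```conf
# /etc/hosts.deny  (added example, not the SUSE default; both files are
# consulted by tcpd and by daemons linked against libwrap)
#
# Last resort: refuse everything that hosts.allow did not explicitly permit.
ALL: ALL

# /etc/hosts.allow
#
# hosts.allow is consulted before hosts.deny; within a file the first
# matching rule wins.
# sshd: the administration network and one jump host only.
sshd: 192.168.1.0/255.255.255.0, 10.0.0.5
# Loopback may reach every wrapped service.
ALL: 127.0.0.1
# Catch-all for sshd that logs the refused client and then denies it.
# The "spawn" and "deny" options need tcpd built with the hosts_options(5)
# extensions; without them, drop this line and rely on hosts.deny.
sshd: ALL: spawn (/bin/echo "sshd refused from %a" | /usr/bin/logger -p auth.warning) : deny
```

Check a rule set before relying on it with tcpdmatch (for example tcpdmatch sshd 203.0.113.7), which reports which line of which file a client would hit, and remember that a daemon that neither runs under tcpd nor links libwrap ignores both files entirely.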
-
Use SuSEfirewall to enhance the security provided by tcpd
(tcp_wrapper): a packet filter blocks unwanted traffic before it
reaches any service, including those that do not use libwrap.
-
Design your security measures to be redundant: a message seen
twice is much better than no message at all.