Mailinglist Archive: opensuse (3337 mails)

Re: [SLE] Tightening default SUSE Linux security
  • From: "Gaël Lams" <lamsgael@xxxxxxxxx>
  • Date: Tue, 25 Apr 2006 12:14:50 +0200
  • Message-id: <b93ea24d0604250314p6ae0a9ebi96a1f5dee7430da@xxxxxxxxxxxxxx>
Hi
>
> I would like to discuss possibilities to improve default SUSE Linux security.
>
> What can be done to effectively improve it ?
>

It really depends on how paranoid you are.
You can start with a BIOS password, then a bootloader, configuring a
firewall on your machine, set nosuid, noexec, and nodev mount options
in /etc/fstab on ext3 partitions such as /tmp, ...

Talking about servers, sitting in a server farm with controlled physical
access, some common/easy steps could be:
- minimum software installation (no desktop if not required)
- deactivation of all unnecessary network daemons, having the machine
only listening on port 22/ssh, and at the end of the installation,
performing the security updates.
- running a security scanner to verify that you have no hole at the
end of your installation
- add a non root user and disable ssh login as root. Actually also
disabling password authentication, use only certificates, disable
version 1 of ssh
- watch your important files with tripwire
- review all set-user-id and set-group-id programs, actually you could
run bastille
- ...

Then you would have the hardening of the services you run on top of
your servers (for instance for mysql it would mean disabling remote
access if you can, disabling LOAD DATA LOCAL INFILE, change the admin
password, change the admin name, disabling anonymous access and
removal of the sample databases)

I hope it helps, just take into account that some hardening measures
can be standardized, other measures depend on the services the server
will offer

Regards,

Gaël
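
Added example, not part of the original message: a read-only shell check for two of the measures listed above, the nosuid/noexec/nodev mount options in /etc/fstab and the sshd settings for root login, password authentication and protocol version. The function names are hypothetical, the file paths are passed as arguments so the checks can run on copies, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: read-only checks for two measures from the message above.

# Print which of nosuid/noexec/nodev are missing from a mount point's fstab
# entry, or "absent" when the mount point has no entry of its own.
fstab_missing_opts() {
    opts=$(awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$1")
    [ -n "$opts" ] || { echo "absent"; return 0; }
    missing=""
    for want in nosuid noexec nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# Value of a keyword in the global part of an sshd_config file. sshd keeps the
# first value it reads, keywords are case-insensitive, and parsing stops at
# the first Match block. Include files and "key=value" syntax are not handled.
sshd_value() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# One line per setting that differs from what the message recommends. Unset
# keywords are listed as well, since the built-in default depends on the
# OpenSSH release (Protocol matters only where SSH protocol 1 is supported).
sshd_findings() {
    for pair in PermitRootLogin:no PasswordAuthentication:no Protocol:2; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_value "$1" "$key")
        [ "$got" = "$want" ] || echo "$key=${got:-unset} (want $want)"
    done
}

# Constructed sample files, not taken from any real host.
demo=$(mktemp -d)
printf '%s\n' '/dev/sda2 /    ext3 defaults      1 1' \
              '/dev/sda3 /tmp ext3 defaults,nodev 1 2' > "$demo/fstab"
printf '%s\n' '#PermitRootLogin no' 'Protocol 2,1' \
              'passwordauthentication no' 'Match User backup' \
              '  PermitRootLogin no' > "$demo/sshd_config"
echo "/tmp is missing: $(fstab_missing_opts "$demo/fstab" /tmp)"
sshd_findings "$demo/sshd_config"
```

In the sample, the commented-out PermitRootLogin line and the one inside the Match block do not count as a global setting, so root login is reported as unset.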