RE: [suse-security] request for opinions: SuSE 9 secure as a web server?
When the proper steps are taken, SuSE can be extremely secure. You simply must run SuSEfirewall or iptables (they are the same, SuSEfirewall simply adds a config wrapper) and you can configure it to allow NFS or whatever you want on the inside port. You should prevent services from listening on the outside interface and configure the firewall to refuse connection attempts to unwanted services on the outside interface.

I would advise that, out of the box, SuSE should not be placed on the Internet with no protection. However, with a bit of configuration, SuSE can be reasonably secure on the Internet.

Regards,
-GS

-----Original Message-----
From: Adalberto Castelo [mailto:castelo@comcast.net]
Sent: Saturday, December 20, 2003 9:08 AM
To: suse-security@suse.com
Subject: [suse-security] request for opinions: SuSE 9 secure as a web server?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

I'm planning to serve web pages from my personal box (family pictures and the like), running SuSE 9 stock with all patches. The machine will be handed all port 80 (or whatever port I decide to use) requests from my linksys router/ firewall, therefore being completely exposed on that port. I'll also be letting ssh through.

So my question is: how dangerous is this? How secure is a SuSE 9 box (with no tweaks or anything, just configured everything with yast). I'm asking your opinion as to whether SuSE is considered reasonably safe for what I have in mind or if I should look for other options. And perhaps if there are simple steps I can take to increase my chances of not being cracked.

Just some more info: in my internal network I'm running NFS, so can't use the suse firewall (since it blocks that service). I'm also running rsync.
Cheers, Adalberto
services from listening on the outside interface and configure the firewall to refuse connection attempts to unwanted services on the outside interface.
Actually, you should disable everything that you don't need. If this is the case, you can still limit access to open ports to addresses that you trust. If all of this is done (takes a minute), you should be fine.
I would advise that, out of the box, SuSE should not be placed on the Internet with no protection. However, with a bit of configuration, SuSE can be reasonably secure on the Internet.
open ports are 22, 111, 6000. If you manage to close these ports (easy. :-), then you wouldn't even need a firewall any more. There were occasions where some filter rules have helped to work around a problem in the Linux kernel (crash bugs, if the packets indeed reached higher layers than the netfilter code), but these cases are really rare and usually do not serve as a good reason to run firewalling rules on a SUSE system. What I'd be interested in: What are the protection measures that you would put in place if you wanted to secure a SUSE system for internet use? I'm sure we know some... :-) But maybe you have some ideas that will help us to make our job better.
Regards,
-GS
Thanks,
Roman.
-- 
Roman Drahtmüller <draht@suse.de>
SUSE Linux AG - Security, Nürnberg, Germany
Phone: +49-911-740530
// Nail here for a new monitor! --> [x]
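Added example, not part of the original thread: a shell check for the advice above that only wanted services should listen on the outside interface. It reads `netstat -tln` output and prints TCP ports that are bound beyond loopback and the inside address but are not on an allowlist; the sample listing, the inside address 192.168.1.10 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that face the outside but are not wanted.
# Assumes the `netstat -tln` column layout (Proto Recv-Q Send-Q Local Foreign State).

# Constructed sample: the default ports named in the thread (22, 111, 6000),
# a web server on 80, a loopback-only listener and one bound to the inside address.
sample_listeners() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:2049       0.0.0.0:*               LISTEN
EOF
}

# exposed_ports ALLOWED INSIDE_ADDR
#   ALLOWED      space-separated ports that may face the outside
#   INSIDE_ADDR  address of the inside interface (assumption: one address);
#                listeners bound only to it or to loopback are ignored
# Reads `netstat -tln` output on stdin, prints offending ports, one per line.
exposed_ports() {
    awk -v allowed="$1" -v inside="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # everything before the port
            if (addr ~ /^127\./ || addr == "::1" || addr == inside) next
            if (!(port in ok)) print port
        }
    ' | sort -n | uniq
}

# Run against the constructed sample; on a live host use:
#   netstat -tln | exposed_ports "22 80" 192.168.1.10
sample_listeners | exposed_ports "22 80" 192.168.1.10
```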
* Roman Drahtmueller; <draht@suse.de> on 20 Dec, 2003 wrote:
open ports are 22, 111, 6000. If you manage to close these ports (easy. :-), then you wouldn't even need a firewall any more.
You mean as a packet filtering I guess :-)
What I'd be interested in: What are the protection measures that you would put in place if you wanted to secure a SUSE system for internet use?
Chrooting all possible services (see the thread I started a few days ago,) unfortunately many people were busy discussing the merits on how to make unsubscribe easier for people who never read their mails at the first hand, so not many responses or suggestions on how to achieve effectively while still allowing SuSEconfig to work efficiently
I'm sure we know some... :-) But maybe you have some ideas that will help us to make our job better.
1) find something to replace harden_suse that at least I know it will do the job
2) Update the Secure webserver Howto ( it has not been updated for such a long time mentioning SuSE 6.4 (and 7.1) which is discontinued ages ago )

I'll place my sock next to the fireplace who knows maybe Santa Claus visits me also :-)

Ich Wünsche Alles ein schönes neu Jahr
Wish you all a happy new year

ps. : If my German sucks sorry it's only been 3 months I have been in Germany and started taking lessons like a month ago )

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
Please reply to the list; http://susefaq.sf.net
Please don't CC me.
open ports are 22, 111, 6000. If you manage to close these ports (easy. :-), then you wouldn't even need a firewall any more.
You mean as a packet filtering I guess :-)
:-) Right...
Chrooting all possible services (see the thread I started a few days ago,)
We're continuously working on this, as it will become a more and more important configuration feature in the future. Be aware that chroot() doesn't make sense for services that need root privileges to run, for one or the other reason. [...]
while still allowing SuSEconfig to work efficiently
Same applies. Will always be faster, we hope.
1) find something to replace harden_suse that at least I know it will do the job
Work in progress.
2) Update the Secure webserver Howto ( it has not been updated for such a long time mentioning SuSE 6.4 (and 7.1) which is discontinued ages ago )
Marc did so already, it will be published near the end of the year or the beginning of the next year. The white paper will refer to SLES8, not only a webserver, but all of the information applies to SUSE Linux as well.
I'll place my sock next to the fireplace who knows maybe Santa Claus visits me also :-)
I did that with my entire underwear already, didn't help, probably kept Santa away. :-)
Ich Wünsche Alles ein schönes neu Jahr Wish you all a happy new year
ps. : If my German sucks sorry it's only been 3 months I have been in Germany and started taking lessons like a month ago )
No way. Your German is better than that of many who should always have been able to speak German. No worries!

Thanks,
Roman.
-- 
Roman Drahtmüller <draht@suse.de>
SUSE Linux AG - Security, Nürnberg, Germany
Phone: +49-911-740530
// Nail here for a new monitor! --> [x]
On Saturday 20 December 2003 20:00, Roman Drahtmueller wrote:
What I'd be interested in: What are the protection measures that you would put in place if you wanted to secure a SUSE system for internet use?
I'm sure we know some... :-) But maybe you have some ideas that will help us to make our job better.
Does SuSE have any plans to introduce projects like "hardened gentoo" that uses Propolice and PaX (among other things)? /Sigfred
On Sat, 20 Dec 2003, Roman Drahtmueller wrote:
What I'd be interested in: What are the protection measures that you would put in place if you wanted to secure a SUSE system for internet use?
I'm sure we know some... :-) But maybe you have some ideas that will help us to make our job better.
I'd like to see a minimal out-of-the-box secured Apache webserver installation option, available from YaST with all the security options you have in mind enabled, and as many other services excluded/disabled as is possible. AFAIR doing a minimal installation under SuSE 8.1 pro does not include Apache, at this moment in time.

Regards - Keith Roberts

PS my machine is sitting behind a firewall on an ADSL router. Port 80 is the only port open. The box is updated regularly as security announcements are made, or I still check with YOU or fou4s once a week if not... What exploits are there that I need to be aware of that could get into my box via port 80, apart from the obvious attacks against Apache?
On Sun, 2003-12-21 at 11:06, Keith Roberts wrote:
On Sat, 20 Dec 2003, Roman Drahtmueller wrote:
What I'd be interested in: What are the protection measures that you would put in place if you wanted to secure a SUSE system for internet use?
I'm sure we know some... :-) But maybe you have some ideas that will help us to make our job better.
I'd like to see a minimal out-of-the-box secured Apache webserver installation option, available from YaST with all the security options you have in mind enabled, and as many other services excluded/disabled as is possible.
First of all I would exchange the SuSE kernel to a grsecurity one with PaX enabled.

Best regards,
Sandro Littke.
I see we have another -top- poster. My reply where it belongs.

-----Original Message-----
From: "Sturgis, Grant" <Grant.Sturgis@arraybiopharma.com>
To: <suse-security@suse.com>
Date: Sat, 20 Dec 2003 09:46:52 -0700
Subject: RE: [suse-security] request for opinions: SuSE 9 secure as a web server?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi folks,
I'm planning to serve web pages from my personal box (family pictures and the like), running SuSE 9 stock with all patches. The machine will be handed all port 80 (or whatever port I decide to use) requests from my linksys router/ firewall, therefore being completely exposed on that port. I'll also be letting ssh through.
So my question is: how dangerous is this? How secure is a SuSE 9 box (with no tweaks or anything, just configured everything with yast). I'm asking your opinion as to whether SuSE is considered reasonably safe for what I have in mind or if I should look for other options. And perhaps if there are simple steps I can take to increase my chances of not being cracked.
Just some more info: in my internal network I'm running NFS, so can't use the suse firewall (since it blocks that service). I'm also running rsync.
It never hurts to be too careful. Since you have the linksys router blocking all ports but perhaps 80 (http) and 22 (ssh) you should be fairly safe. But keep a close watch on your log files and install a program like tripwire to watch any changes to files. This should alert you to any unrequested changes.

Ken
participants (7)
- Keith Roberts
- Ken Schneider
- Roman Drahtmueller
- Sandro Littke
- Sigfred Håversen
- Sturgis, Grant
- Togan Muftuoglu