Hi all !
I would like to discuss possibilities to improve default SUSE Linux security.
What can be done to effectively improve it ?
1. For one thing - disable root access via SSH in default config.
as described below, it protects from enemy guesswork: http://geekpit.blogspot.com/2006/04/five-minutes-to-more-secure-ssh.html
any other ideas ?
On Mon, 2006-04-24 at 14:50 -0200, Alexey Eremenko wrote:
> Hi all !
> I would like to discuss possibilities to improve default SUSE Linux security.
> What can be done to effectively improve it ?
> 1. For one thing - disable root access via SSH in default config.
> as described below, it protects from enemy guesswork: http://geekpit.blogspot.com/2006/04/five-minutes-to-more-secure-ssh.html
Mandrake/Mandriva went down this route, it caused a great deal of
problems.
It may seem a good idea at first, but when you're trying to update a lot
of machines it's a real PITA.
--
Dave Cotton
On Monday April 24 2006 13:38, Dave Cotton wrote:
> On Mon, 2006-04-24 at 14:50 -0200, Alexey Eremenko wrote:
>> Hi all !
>> I would like to discuss possibilities to improve default SUSE Linux security.
>> What can be done to effectively improve it ?
>> 1. For one thing - disable root access via SSH in default config.
>> as described below, it protects from enemy guesswork: http://geekpit.blogspot.com/2006/04/five-minutes-to-more-secure-ssh.html
> Mandrake/Mandriva went down this route, it caused a great deal of problems.
> It may seem a good idea at first, but when you're trying to update a lot of machines it's a real PITA.
I always turn it off on all my servers. And I know a lot of admins who do as a course of good security practice. Personally, I'd rather see it turned off by default, then let those that need it go in and turn it on. Personally, I've found there's little I actually need to ssh as root for. I can do everything through su once I'm logged in as my normal user.
--
~R~
----------------------------------------------------------
Every journalist has a novel in him, which is an excellent place for it.
Hi
> I would like to discuss possibilities to improve default SUSE Linux security.
> What can be done to effectively improve it ?
It really depends on how paranoid you are. You can start with a BIOS password, then a bootloader, configuring a firewall on your machine, set nosuid, noexec, and nodev mount option in /etc/fstab on ext3 partition such as /tmp, ...
Talking about servers, sitting in server farm with controlled physical access, some common/easy steps could be:
- minimum software installation (no desktop if not required)
- deactivation of all unnecessary network daemons, having the machine only listening on port 22/ssh, and at the end of the installation, performing the security updates.
- running a security scanner to verify that you have no hole at the end of your installation
- add a non root user and disable ssh login as root. Actually also disabling password authentication, use only certificates, disable version 1 of ssh
- watch your important files with tripwire
- review all set-user-id and set-group-id programs, actually you could run bastille
- ...
Then you would have the hardening of the services you run on top of your servers (for instance for mysql it would mean disabling remote access if you can, disabling LOAD DATA LOCAL INFILE, change the admin password, change the admin name, disabling anonymous access and removal of the sample databases)
I hope it helps, just take into account that some hardening measures can be standardized, other measures depend on the services the server will offer
Regards,
Gaël
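The SSH and /tmp mount items from the list above, written as an audit script; this is an added example, not part of the original thread. The file contents are constructed samples, the function names are illustrative, and the Protocol check only applies to sshd versions that still accept that keyword.

```shell
#!/bin/sh
# Added example: audit copies of sshd_config and fstab for the settings in the list above.

# Print the global value of an sshd keyword (lower-cased). Keywords are
# case-insensitive, the first occurrence wins, and parsing stops at a Match block.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }          # "Keyword=value" form
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# An absent directive counts as a failure: its effective value then depends
# on the built-in default of the installed sshd version.
check_sshd() {  # usage: check_sshd FILE ; status 0 only if every check passes
    rc=0
    for want in PermitRootLogin=no PasswordAuthentication=no Protocol=2; do
        key=${want%%=*}; exp=${want#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" = "$exp" ]; then echo "ok   $key $got"
        else echo "FAIL $key is '${got:-unset}', want '$exp'"; rc=1; fi
    done
    return "$rc"
}

# Status 0 only if the fstab entry for MOUNTPOINT has nosuid, noexec and nodev.
check_mount() {  # usage: check_mount FSTAB MOUNTPOINT
    opts=$(awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1")
    for o in nosuid noexec nodev; do
        case ",$opts," in *",$o,"*) ;; *) echo "FAIL $2 lacks $o"; return 1 ;; esac
    done
    echo "ok   $2 $opts"
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# constructed sample' 'Protocol 2,1' 'permitrootlogin yes' \
    'PermitRootLogin no' > "$tmp/sshd_weak"
printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'PasswordAuthentication=no' \
    'Match User backup' '  PasswordAuthentication yes' > "$tmp/sshd_hard"
printf '%s\n' '/dev/sda2 /    ext3 defaults 1 1' \
    '/dev/sda3 /tmp ext3 nosuid,noexec,nodev 1 2' \
    '/dev/sda4 /var ext3 nodev,nosuid 1 2' > "$tmp/fstab"

check_sshd "$tmp/sshd_weak" || echo "=> sshd_weak needs changes"
check_sshd "$tmp/sshd_hard" && check_mount "$tmp/fstab" /tmp
check_mount "$tmp/fstab" /var || echo "=> /var is missing an option"
```

To audit a real host, pass copies of /etc/ssh/sshd_config and /etc/fstab to `check_sshd` and `check_mount` in place of the sample files.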
On Mon, Apr 24, 2006 at 02:50:35PM -0200, Alexey Eremenko wrote:
> Hi all !
> I would like to discuss possibilities to improve default SUSE Linux security.
> What can be done to effectively improve it ?
> 1. For one thing - disable root access via SSH in default config.
> as described below, it protects from enemy guesswork: http://geekpit.blogspot.com/2006/04/five-minutes-to-more-secure-ssh.html
edit /etc/securetty
Only allow /dev/tty1 in there
And read an article I wrote: http://www.antionline.com/showthread.php?s=&threadid=260361
> any other ideas ?
-Allen
participants (5)
- Alexey Eremenko
- Allen
- Dave Cotton
- Gaël Lams
- Roger Haxton