Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] a little service question
  • From: Nix <suse@xxxxxxxxxxxxxxx>
  • Date: Sat, 09 Dec 2000 15:20:17 +1100
  • Message-id: <5.0.1.4.0.20001209144250.00aa7e28@xxxxxxxxxxxxxxxxxxxx>
OK, I have read this thread, and the others are right, there is plenty of info
on this stuff all over the net, as well as in your SuSE Manual... Did you look in
there?

In any case, I'm going to give you a 30 second tutorial to securing SuSE.
(Mainly 'cause I'm feeling nice, met my girlfriend for lunch, and managed to finish
a 200 page security audit report half a day early... oh, and it's 3pm Friday and if
I waste some more time emailing I can go home without having done anything useful
this arvo :-)

Install and run harden_suse
(found at ftp://ftp.suse.com/pub/suse/i386/current/suse/sec1/hardsuse.rpm)
Install Sec Check
(found at ftp://ftp.suse.com/pub/suse/i386/current/suse/sec1/seccheck.rpm)

Apply any updates that are applicable from:
ftp://ftp.suse.de/pub/suse/i386/update/

Now, if you ran harden_suse and answered yes, it will have pretty much locked
everything down for you. You will need to set INETD to start again in
/etc/rc.config and you will need to re-enable ftp by uncommenting the line
in /etc/inetd.conf that matches the ftp server you are running.
(Personally I recommend proftpd. Read /etc/proftpd.conf for info on locking it
down, it's self explanatory)

You will need to add the ip range that you want to connect to sshd from into
/etc/hosts.allow

Also, you will need to enable apache (httpd) in /etc/rc.config

This will give you everything you said you require with the exception of MySQL.
I am not an sql guru, but I'm 99% sure that you don't need to have it listening on
the network if you are going to be accessing it from localhost.
If it does need to be listening on a network port, you should be able to tell it to
listen on 127.0.0.1 only.
Of course you will need to follow the MySQL docs on how to configure it securely
with password etc.

Once you have done all this (it should take you about 15 min except for MySQL
which may take you a few minutes more) reboot the machine just to check that
everything works and is set to start up etc, then do an nmap (or a netstat -nat).
Your ports should now look like:

Port State Service
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Once you have double checked http://www.suse.de/en/support/security/index.html
just to see that you have applied all the available patches for the rpms you have installed,
compare that webpage to the output of
rpm -qa

There is of course a lot more that you can do to secure a system, and I'm sure that you'll
get a bunch of people telling you about securmod and tripwire and all the other cool security
toys, all of which you should learn about and implement, but for your specification of a web
server only (I am assuming you are the only person with a shell account) this will be sufficient
to get your server on the web without worrying about being easily compromised.

Notice you didn't even have to configure a firewall/packetfilter?!

Of course you have already read Marc's white paper on "Installation of a Secure Web Server"
at http://www.suse.de/en/linux/webserver/index.html so you will probably know all of this
already and be way ahead :-)

Regards

Nix

/me heads back to the fsk%%#%ing OpenBSD box he was about to install SMTPD on...


At 02:03 PM 6/12/2000 +0100, you wrote:
Hello,

I have the following services running:

Port State Service
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
510/tcp open fcp
513/tcp open login
514/tcp open shell
515/tcp open printer
973/tcp open unknown
1024/tcp open kdm
3306/tcp open mysql

I do need ftp, ssh, http and mysql in any case. But I don't know about the
other services. I remotely administer this server which is housed at my ISPs
place. Does anyone know the other services and if I can disable them?
Additionally I need to know how to secure the "needed" services.

Any help is appreciated and many thanks in advance!

btw. I already use tcpd to wrap the most of the services.

Rgds Dustin
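
Added example, not part of the original post: a small shell check that reads `netstat -nat` output and compares the listening TCP ports with the three services the reply expects to remain open (21, 22, 80), reporting loopback-only listeners such as a MySQL bound to 127.0.0.1 separately. The function names and the sample netstat text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `netstat -nat` output against the expected exposure.
# Listeners bound to loopback are listed as LOCAL, since they are not
# reachable from the network.

ALLOWED_PORTS="21 22 80"   # ftp, ssh, http: the ports the post expects open

# audit_listeners: reads netstat -nat text on stdin and prints one line per
# listening socket: "OK <port>", "LOCAL <port>" or "UNEXPECTED <addr>:<port>".
audit_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            la = $4                                  # local address column
            port = la; sub(/.*:/, "", port)          # text after the last colon
            addr = la; sub(/:[^:]*$/, "", addr)      # text before the last colon
            if (addr == "127.0.0.1" || addr == "::1") print "LOCAL " port
            else if (port in ok)                      print "OK " port
            else                                      print "UNEXPECTED " addr ":" port
        }'
}

# Constructed sample output (not captured from a real host): sunrpc is still
# exposed, MySQL listens on loopback only, one ssh session is established.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED
EOF
}

# Demo on the sample; on a live host use: netstat -nat | audit_listeners
sample_netstat | audit_listeners
```

Any `UNEXPECTED` line is a listener outside the intended ftp/ssh/http set that should be disabled or bound to loopback.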

