OK, I have read this thread, and the others are right, there is plenty of info on this stuff all over the net, as well as in your SuSE Manual... Did you look in there?

In any case, I'm going to give you a 30 second tutorial to securing SuSE. (Mainly cause I'm feeling nice, met my girlfriend for lunch, and managed to finish a 200 page security audit report half a day early... oh, and it's 3pm Friday and if I waste some more time emailing I can go home without having done anything useful this arvo :-)

Install and run harden_suse (found at ftp://ftp.suse.com/pub/suse/i386/current/suse/sec1/hardsuse.rpm)

Install Sec Check (found at ftp://ftp.suse.com/pub/suse/i386/current/suse/sec1/seccheck.rpm)

Apply any updates that are applicable from: ftp://ftp.suse.de/pub/suse/i386/update/

Now, if you ran harden_suse and answered yes, it will have pretty much locked everything down for you.

You will need to set INETD to start again in /etc/rc.config and you will need to re-enable ftp by uncommenting the line in /etc/inetd.conf that matches the ftp server you are running. (Personally I recommend proftpd. Read /etc/proftpd.conf for info on locking it down, it's self explanatory.)

You will need to add the ip range that you want to connect to sshd from into /etc/hosts.allow

Also, you will need to enable apache (httpd) in /etc/rc.config

This will give you everything you said you require with the exception of MySQL. I am not an sql guru, but I'm 99% sure that you don't need to have it listening on the network if you are going to be accessing it from localhost. If it does need to be listening on a network port, you should be able to tell it to listen on 127.0.0.1 only. Of course you will need to follow the MySQL docs on how to configure it securely with password etc.
Once you have done all this (it should take you about 15 min except for MySQL which may take you a few minutes more) reboot the machine just to check that everything works and is set to startup etc, then do a nmap (or a netstat -nat). Your ports should now look like:

Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http

Once you have double checked http://www.suse.de/en/support/security/index.html just to see that you have applied all the available patches for the rpms you have installed, compare that webpage to the output of rpm -qa

There is of course a lot more that you can do to secure a system, and I'm sure that you'll get a bunch of people telling you about securmod and tripwire and all the other cool security toys, all of which you should learn about and implement, but for your specification of a web server only (I am assuming you are the only person with a shell account) this will be sufficient to get your server on the web without worrying about being easily compromised.

Notice you didn't even have to configure a firewall/packetfilter?!

Of course you have already read Marc's white paper on "Installation of a Secure Web Server" at http://www.suse.de/en/linux/webserver/index.html so you will probably know all of this already and be way ahead :-)

Regards
Nix

/me heads back to the fsk%%#%ing OpenBSD box he was about to install SMTPD on...

At 02:03 PM 6/12/2000 +0100, you wrote:
Hello,
I have the following services running:
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
510/tcp    open        fcp
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
973/tcp    open        unknown
1024/tcp   open        kdm
3306/tcp   open        mysql
I do need ftp, ssh, http and mysql in any case. But I don't know about the other services. I remotely administer this server which is housed at my ISP's place. Does anyone know the other services and if I can disable them? Additionally I need to know how to secure the "needed" services.
Any help is appreciated and many thanks in advance!
btw. I already use tcpd to wrap most of the services.
Rgds Dustin
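
As an added example (not part of either message in this thread): a small shell check for the verification step in the reply. It reads `netstat -nat` output and reports any TCP listener that is not ftp, ssh or http and is not bound to loopback only. The function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check `netstat -nat` output against the expected listeners.
ALLOWED="21 22 80"   # ftp, ssh, http: the ports the reply expects to stay open

# Constructed sample in Linux `netstat -nat` format (not from a real host).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address     State
tcp        0      0 0.0.0.0:21       0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:22       0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:80       0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:111      0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:513      0.0.0.0:*           LISTEN
tcp        0      0 127.0.0.1:3306   0.0.0.0:*           LISTEN
tcp        0      0 192.0.2.10:22    198.51.100.7:40112  ESTABLISHED
EOF
}

# Reads netstat output on stdin; prints "port address" for each TCP listener
# that is neither in ALLOWED nor bound to loopback only.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next   # local-only service
            if (!(port in ok)) print port, host
        }' | sort -n | uniq
}

# Returns 0 only when nothing unexpected is listening; otherwise lists it.
audit_listeners() {
    bad=$(unexpected_listeners)
    if [ -z "$bad" ]; then
        echo "listeners match the expected set: $ALLOWED"
        return 0
    fi
    printf '%s\n' "$bad" | sed 's/^/unexpected listener: /'
    return 1
}

# Demo on the constructed sample; on a live host: netstat -nat | audit_listeners
sample_netstat | audit_listeners || echo "audit failed"
```

In the sample, MySQL on 127.0.0.1:3306 passes because it is reachable from localhost only, while sunrpc (111) and login (513) are reported.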