
Thread: Basics for SUSE Linux

  1. #11
    T3h 1337 N00b kryptonic's Avatar
    Join Date
    Sep 2003
    Location
    Seattle, Washington.
    Posts
    523
    Good one as usual gore. I'll have to try this sometime. Well, when I finally get SuSE, that is.

  2. #12
    Junior Member
    Join Date
    Aug 2004
    Posts
    2

    Great! Thank you from Indonesia!

    Thanks a lot from Indonesia!
    I am just "moving" to SUSE 9.1, and your tutorial was a great help!
    Please, come with more like this one soon!

  3. #13
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Nice info there gore. Just about the SuSE firewall... I would recommend NOT to use yast2 for the firewall setup. I recommend, in a shell, to go to /etc/sysconfig/SuSEfirewall2 and configure it by hand. There's a lot more detail in there than yast offers you. You can set up the SuSE firewall with GREAT detail, including your own iptables rules. The yast option just gives you a very small basic selection.

    Cheers


    /edit

    If the suse machine is just a personal box for use at home with no server functions, then the personal firewall that comes along is excellent. If it's for a server, then the USER should know his way around the shell, vi, etc.... and set up the SuSEfirewall2 with the details needed/offered in the file itself, and not YAST. The file is commented with enough information to configure the firewall correctly. If someone does not understand the firewall config file, then he should not set up services.

    Cheers
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  4. #14
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Instronics:

    YAST2 has both basic and advanced set up for the firewall. When I start the next section for this I'll be showing that. The Basic set up is a quickie to get the system locked for normal use. After that, you stay in YAST2 and you can edit the system like you're saying from YAST2. All of the advanced options are still there, they are just in another part of YAST2.

    The Firewall set up for basic usage is there for normal users, but like I said, when I add more to this tutorial, I'll be showing you where in YAST2 you can edit complete system configurations. You don't have to do it in Vi, YAST2 has the same options, and they explain what each part is in there for, and things like that. You can edit /etc from YAST2.

  5. #15
    Junior Member
    Join Date
    Oct 2004
    Posts
    3
    Nice Post....Very informative...Will recommend it to my friends who are new to Suse...
    There are 10 types of persons in IT, those who understand binary, and those who don't....

  6. #16
    Senior Member
    Join Date
    Jul 2004
    Posts
    131
    It's not bad at all. It's very basic - but okay. Greenies given. :-)
    More cowbell! We need more cowbell!
    http://www.geocities.com/secure_lockdown/
    - - -
    "Is the firewall there to protect you from the outside world or is it there to protect the outside world from *YOU*?"

  7. #17

    Thoughts...

    I'm very surprised you consider having an FTP server on your box to be a good thing. Most people I know would use scp instead. My boxes generally have only a few ports open:
    tcp: 22 (ssh/scp and tunnelled vnc, mysql etc)
    tcp: 80 (web services)
    udp: 514 (syslog on logging server)

    Certainly removal of portmap is a good thing, but given the choice I wouldn't even let the RPC software get installed.

    I think the best message you've given is "keep up to date with security patches". As true in Linux as it is Windows and any other OS out there.

    If you really want to be secure you're best starting off thinking that way when you install the machine.
    * Install and USE tripwire/AIDE
    * Install and MONITOR seccheck
    * If other people have accounts consider running password crackers occasionally
    * Don't let root log in remotely
    * Don't let anyone su to root, use sudo instead

    SuSE out of the box isn't bad at all, but I wouldn't trust it on the internet as it stands. Thankfully it's not hard to harden it a little (those five steps, off the top of my head are a start), and if you _really_ want to tie it down it's not impossible. Think about using Bastille, a script that takes you through a set of steps that will really make life harder for anyone trying to screw with your system.

    Ultimately though....
    * Monitor any security systems you use, or they're worthless
    * Update security patches whenever appropriate

    Looking forward to gore's next installment!
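
The checks described in the post above, as an added example that is not part of the original thread: a shell audit that compares listening sockets with the post's port allowlist (tcp 22, tcp 80, udp 514) and reads the effective `PermitRootLogin` setting. The function names and the sample socket listing are constructed for illustration; the listing uses the column layout of `ss -tuln`.

```shell
#!/bin/sh
# Added example: audit exposed listeners against an allowlist.
# ALLOWED mirrors the ports named in the post; adjust per host role.
ALLOWED="tcp/22 tcp/80 udp/514"

# Constructed sample in `ss -tuln` layout (not taken from a real host).
sample_listeners() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      64     0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:514        0.0.0.0:*
tcp   LISTEN 0      32     [::]:21            [::]:*
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
EOF
}

# Reads ss-style lines on stdin; prints proto/port for every listener that
# is reachable off-host (not loopback-only) and missing from the allowlist.
unexpected_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "tcp" && $1 != "udp" { next }            # skips the header row too
    {
      port = $5; sub(/^.*:/, "", port)             # text after the last colon
      addr = $5; sub(/:[^:]*$/, "", addr)          # text before the last colon
      if (addr ~ /^127\./ || addr == "[::1]") next # loopback-only listener
      key = $1 "/" port
      if (!(key in ok)) print key
    }' | LC_ALL=C sort -u
}

# Prints the PermitRootLogin value from sshd_config text on stdin. sshd uses
# the first occurrence of a keyword; Match blocks are ignored here (assumption).
permit_root_login() {
  awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
       END { if (!found) print "unset" }'
}

echo "Unexpected listeners in the sample:"
sample_listeners | unexpected_listeners "$ALLOWED"
```

On a live host the same function can read `ss -tuln` output directly, and `permit_root_login < /etc/ssh/sshd_config` reports the configured value.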

  8. #18
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    No offense, but how is having a web port open better than an FTP port?

    If you really want to be secure you're best starting off thinking that way when you install the machine.
    * Install and USE tripwire/AIDE
    Tripwire on a home machine? Isn't that a bit pricey?
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  9. #19
    No offense taken ;-)

    I didn't have a problem with opening the FTP port, it was running the FTP server I was objecting to. Sorry for any confusion caused, maybe I should have been more precise.

    Yes, FTP servers can be secure, but unless you're after some anonymous FTP system I don't see why you wouldn't use scp instead. Scp offers you PPK authorisation and file compression, I don't know any FTP servers that have those features. I'm not saying that none do, I'm really saying I haven't looked at running an FTP server for a looong time.

    Anyway, _is_ a web port secure?
    Hell, I don't know. I'm running Apache and hoping bugs get fixed before they're used.

    Regarding Tripwire... there _is_ a free version available. As it happens I use AIDE instead (as that's what I could get running from the rpm once upon a time), which offers basically the same functionality.

  10. #20
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177

    Re: Thoughts...

    Originally posted here by idmismatch
    I'm very surprised you consider having an FTP server on your box to be a good thing. Most people I know would use scp instead. My boxes generally have only a few ports open:
    tcp: 22 (ssh/scp and tunnelled vnc, mysql etc)
    tcp: 80 (web services)
    udp: 514 (syslog on logging server)

    Certainly removal of portmap is a good thing, but given the choice I wouldn't even let the RPC software get installed.

    I think the best message you've given is "keep up to date with security patches". As true in Linux as it is Windows and any other OS out there.

    If you really want to be secure you're best starting off thinking that way when you install the machine.
    * Install and USE tripwire/AIDE
    * Install and MONITOR seccheck
    * If other people have accounts consider running password crackers occasionally
    * Don't let root log in remotely
    * Don't let anyone su to root, use sudo instead

    SuSE out of the box isn't bad at all, but I wouldn't trust it on the internet as it stands. Thankfully it's not hard to harden it a little (those five steps, off the top of my head are a start), and if you _really_ want to tie it down it's not impossible. Think about using Bastille, a script that takes you through a set of steps that will really make life harder for anyone trying to screw with your system.

    Ultimately though....
    * Monitor any security systems you use, or they're worthless
    * Update security patches whenever appropriate

    Looking forward to gore's next installment!
    FTP, which if you read, I use PureFTPd, which SUSE chroots by default, and I have mine set up where you need a log in name and password that I alone have to give you. I don't think I'm exactly opening the door to hackers there.

    Password crackers are run each night along with the security scripts and all logs and script activities are emailed to me and the root account. (The more mails sent the harder it is for someone to clear them out.).

    Root can only log in to whatever /etc/securetty says it can. Now guess what I actually left in there..... Actually I should have added that to this tutorial.

    I do trust SUSE on the internet as it stands. Before SUSE has booted up, you can update it with all patches, and configure the firewall. All of this before it's even been booted for the first time. Bastille is not needed. harden_suse comes with SUSE Linux.

    I'd put SUSE as one of the most secure OSs in the World. And not to mention YAST2 is probably the best admin tool ever made.

    I do have plans for another tutorial like this one but with a lot more. I just haven't had the time.
