-
July 30th, 2004, 01:38 PM
#11
Good one as usual, gore. I'll have to try this sometime. Well, when I finally get SuSE, that is.
-
August 13th, 2004, 08:31 AM
#12
Junior Member
Great! Thank you from Indonesia!
Thanks a lot from Indonesia!
I am just "moving" to SUSE 9.1, and your tutorial was a great help!
Please, come with more like this one soon!
-
August 13th, 2004, 10:40 AM
#13
Nice info there, gore. Just about the SuSE firewall... I would recommend NOT to use yast2 for the firewall setup. I recommend, in a shell, to go to /etc/sysconfig/SuSEfirewall2 and configure it by hand. There's a lot more detail in there than yast offers you. You can set up the SuSE firewall with GREAT detail, including your own iptables rules. The yast option just gives you a very small basic selection.
Cheers
/edit
If the suse machine is just a personal box for use at home with no server functions, then the personal firewall that comes along is excellent. If it's for a server, then the USER should know his way around the shell, vi, etc.... and set up the SuSEfirewall2 with the details needed/offered in the file itself, and not YAST. The file is commented with enough information to configure the firewall correctly. If someone does not understand the firewall config file, then he should not set up services.
Cheers
Ubuntu-: Means in African : "Im too dumb to use Slackware"
-
August 13th, 2004, 01:54 PM
#14
Instronics:
YAST2 has both basic and advanced set up for the firewall. When I start the next section for this I'll be showing that. The Basic set up is a quickie to get the system locked for normal use. After that, you stay in YAST2 and you can edit the system like you're saying from YAST2. All of the advanced options are still there, they are just in another part of YAST2.
The Firewall set up for basic usage is there for normal users, but like I said, when I add more to this tutorial, I'll be showing you where in YAST2 you can edit complete system configurations. You don't have to do it in Vi, YAST2 has the same options, and they explain what each part is in there for, and things like that. You can edit /etc from YAST2.
-
October 22nd, 2004, 12:12 AM
#15
Junior Member
Nice Post....Very informative...Will recommend it to my friends who are new to Suse...
There are 10 types of persons in IT, those who understand binary, and those who don't....
-
October 22nd, 2004, 05:55 PM
#16
It's not bad at all. It's very basic - but okay. Greenies given. :-)
-
January 14th, 2005, 06:00 PM
#17
Member
Thoughts...
I'm very surprised you consider having an FTP server on your box to be a good thing. Most people I know would use scp instead. My boxes generally have only a few ports open:
tcp: 22 (ssh/scp and tunnelled vnc, mysql etc)
tcp: 80 (web services)
udp: 514 (syslog on logging server)
Certainly removal of portmap is a good thing, but given the choice I wouldn't even let the RPC software get installed.
I think the best message you've given is "keep up to date with security patches". As true in Linux as it is Windows and any other OS out there.
If you really want to be secure you're best starting off thinking that way when you install the machine.
* Install and USE tripwire/AIDE
* Install and MONITOR seccheck
* If other people have accounts consider running password crackers occasionally
* Don't let root log in remotely
* Don't let anyone su to root, use sudo instead
SuSE out of the box isn't bad at all, but I wouldn't trust it on the internet as it stands. Thankfully it's not hard to harden it a little (those five steps, off the top of my head are a start), and if you _really_ want to tie it down it's not impossible. Think about using Bastille, a script that takes you through a set of steps that will really make life harder for anyone trying to screw with your system.
Ultimately though....
* Monitor any security systems you use, or they're worthless
* Update security patches whenever appropriate
Looking forward to gore's next installment!
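
Added example, not part of the original post: a shell check that compares listening sockets with the three-port allowlist given in the post above. The function names and the sample `netstat -tuln` output are constructed for illustration, and loopback-only listeners are skipped on the assumption that they are reached through an ssh tunnel.

```shell
#!/bin/sh
# Allowlist taken from the post: ssh, web, syslog.
ALLOWED="tcp/22 tcp/80 udp/514"

# Constructed sample in `netstat -tuln` layout (not captured from a real host).
sample_listeners() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 :::21                   :::*                    LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
EOF
}

# Read netstat-style lines on stdin and print proto/port for every
# non-loopback listener that is missing from ALLOWED.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            if ($1 ~ /^tcp/ && $NF != "LISTEN") next    # ignore established TCP
            addr = $4
            port = addr; sub(/.*:/, "", port)           # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next   # loopback only
            proto = $1; sub(/6$/, "", proto)            # fold tcp6/udp6 into tcp/udp
            key = proto "/" port
            if (!(key in ok) && !seen[key]++) print key
        }' | LC_ALL=C sort
}

# Demo run on the constructed sample; flags portmap (111) and FTP (21).
sample_listeners | unexpected_listeners
```

On a live host the same function can be fed with `netstat -tuln | unexpected_listeners`; an empty result means only the allowlisted ports are exposed.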
-
January 14th, 2005, 07:42 PM
#18
No offense, but how is having a web port open better than an FTP port?
If you really want to be secure you're best starting off thinking that way when you install the machine.
* Install and USE tripwire/AIDE
Tripwire on a home machine? Isn't that a bit pricey?
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
-
January 14th, 2005, 11:44 PM
#19
Member
No offense taken ;-)
I didn't have a problem with opening the FTP port, it was running the FTP server I was objecting to. Sorry for any confusion caused, maybe I should have been more precise.
Yes, FTP servers can be secure, but unless you're after some anonymous FTP system I don't see why you wouldn't use scp instead. Scp offers you PPK authorisation and file compression, I don't know any FTP servers that have those features. I'm not saying that none do, I'm really saying I haven't looked at running an FTP server for a looong time.
Anyway, _is_ a web port secure?
Hell, I don't know. I'm running Apache and hoping bugs get fixed before they're used.
Regarding Tripwire... there _is_ a free version available. As it happens I use AIDE instead (as that's what I could get running from the rpm once upon a time), which offers basically the same functionality.
-
January 14th, 2005, 11:46 PM
#20
Re: Thoughts...
Originally posted here by idmismatch
I'm very surprised you consider having an FTP server on your box to be a good thing. Most people I know would use scp instead. My boxes generally have only a few ports open:
tcp: 22 (ssh/scp and tunnelled vnc, mysql etc)
tcp: 80 (web services)
udp: 514 (syslog on logging server)
Certainly removal of portmap is a good thing, but given the choice I wouldn't even let the RPC software get installed.
I think the best message you've given is "keep up to date with security patches". As true in Linux as it is Windows and any other OS out there.
If you really want to be secure you're best starting off thinking that way when you install the machine.
* Install and USE tripwire/AIDE
* Install and MONITOR seccheck
* If other people have accounts consider running password crackers occasionally
* Don't let root log in remotely
* Don't let anyone su to root, use sudo instead
SuSE out of the box isn't bad at all, but I wouldn't trust it on the internet as it stands. Thankfully it's not hard to harden it a little (those five steps, off the top of my head are a start), and if you _really_ want to tie it down it's not impossible. Think about using Bastille, a script that takes you through a set of steps that will really make life harder for anyone trying to screw with your system.
Ultimately though....
* Monitor any security systems you use, or they're worthless
* Update security patches whenever appropriate
Looking forward to gore's next installment!
FTP, which if you read, I use PureFTPd, which SUSE chroots by default, and I have mine set up where you need a log in name and password that I alone have to give you. I don't think I'm exactly opening the door to hackers there.
Password crackers are run each night along with the security scripts and all logs and script activities are emailed to me and the root account. (The more mails sent the harder it is for someone to clear them out.)
Root can only log in to whatever /etc/securetty says it can. Now guess what I actually left in there..... Actually I should have added that to this tutorial.
I do trust SUSE on the internet as it stands. Before SUSE has booted up, you can update it with all patches, and configure the firewall. All of this before it's even been booted for the first time. Bastille is not needed. harden_suse comes with SUSE Linux.
I'd put SUSE as one of the most secure OSs in the World. And not to mention YAST2 is probably the best admin tool ever made.
I do have plans for another tutorial like this one but with a lot more. I just haven't had the time.