According to the rule of using the most restrictive set of permissions
possible for every job, avoid doing your regular jobs as
root. This reduces the
risk of getting a cuckoo egg or a virus and protects you from your own
If possible, always try to use encrypted connections to work on a
remote machine. Using ssh (secure shell) to replace
rsh, and rlogin should be
Avoid using authentication methods based on IP addresses alone.
Try to keep the most important network-related packages up-to-date and
subscribe to the corresponding mailing lists to receive announcements
on new versions of such programs (bind, postfix, ssh, etc.). The same
should apply to software relevant to local security.
Change the /etc/permissions file to optimize the
permissions of files crucial to your system's security. If you remove
the setuid bit from a program, it might well be that it cannot do its
job anymore in the intended way. On the other hand, consider that, in
most cases, the program will also have ceased to be a potential
security risk. You might take a similar approach with world-writable
directories and files.
Disable any network services you do not absolutely require for your
server to work properly. This makes your system safer. Open ports, with
the socket state LISTEN, can be found with the program
netstat. As for the options, it is recommended to
use netstat -ap or
netstat -anp. The
-p option allows you to see which process is occupying
a port under which name.
Compare the netstat results with those of a thorough
port scan done from outside your host. An excellent program for this
job is nmap, which not only checks out the ports of
your machine, but also draws some conclusions as to which services are
waiting behind them. However, port scanning may be interpreted as an
aggressive act, so do not do this on a host without the explicit
approval of the administrator. Finally, remember that it is important
not only to scan TCP ports, but also UDP ports (options
-sS and -sU).
To monitor the integrity of the files of your system in a reliable way,
use the program AIDE (Advanced Intrusion Detection
Environment), available on openSUSE. Encrypt the database created
by AIDE to prevent someone from tampering with it. Furthermore, keep a
backup of this database available outside your machine, stored on an
external data medium not connected to it by a network link.
Take proper care when installing any third-party software. There have
been cases where a hacker had built a trojan horse into the tar archive
of a security software package, which was fortunately discovered very
quickly. If you install a binary package, have no doubts about the site
from which you downloaded it.
SUSE's RPM packages are gpg-signed. The key used by SUSE for
ID:9C800ACA 2000-10-19 SUSE Package Signing Key <[email protected]>
Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA
The command rpm --checksig
package.rpm shows whether the checksum and the signature of an
uninstalled package are correct. Find the key on the first CD of the
distribution and on most key servers worldwide.
Check your backups of user and system files regularly. Consider that if
you do not test whether the backup works, it might actually be
Check your log files. Whenever possible, write a small script to search
for suspicious entries. Admittedly, this is not exactly a trivial task.
In the end, only you can know which entries are unusual and which are
Use tcp_wrapper to restrict access to the individual
services running on your machine, so you have explicit control over
which IP addresses can connect to a service. For further information
regarding tcp_wrapper, consult the manual pages of
tcpd and hosts_access (man 8
Use SuSEfirewall to enhance the security provided by
Design your security measures to be redundant: a message seen twice is
much better than no message at all.
If you use suspend to disk, consider to configure the suspend image
encryption using the configure-suspend-encryption.sh
script. The program creates the key, copies it to
/etc/suspend.key, and modifies
/etc/suspend.conf to use encryption for suspend