Securing SLES9

From CoolSolutionsWiki

Q
Does anyone have solid lock down procedures for [SLES9] that make it still useable?
-Bob, Novell Forums


  1. Disable root login over SSH. SSH brute force password attacks are arguably the biggest threat to Linux systems. There are tons of SSH brute force attacks running these days and all of your public facing servers should have the SSH port firewalled. If they absolutely must be accessible to the outside, consider setting up the firewall to restrict that outside access to the certain addresses you need, or provide access over a VPN.

    If you absolutely must have *direct* root access via SSH, consider setting up a public key and then disabling root login except via public keys with the following line in /etc/ssh/sshd_config:

    Code: PermitRootLogin without-password

    Note that if you want to completely prevent root login, you need to use the DenyUsers directive in /etc/ssh/sshd_config, like so:

    Code: DenyUsers root

  2. Disable VNC administration. run VNC over an SSH tunnel, or use NX instead. VNC is unencrypted, so any passwords you type are sent over the wire in clear text.

  3. Use sudo to control access to root. As a general rule, you should never log in directly as root, mostly to save you from your own mistakes. sudo (Switch User and DO) is a command that lets you execute specific root commands as a regular user, and you can get extremely granular with the permissions (as an extreme example, only allowing jsmith when he is at a workstation with the IP address 10.10.2.1 to restart apache but can do nothing else). Sudo also will log every single command, when they were entered and what time they were entered, so you have an audit trail of all root actions on the server (usually more useful for troubleshooting than security, but still good nontheless) Sudo works with LUM-enabled (eDirectory) users just fine.

    There is also the su command (short for Switch User) which allows you to "become" root, but I discourage use of this except for situations where sudo is too cumbersome, because you don't get the audit trail of specific commands and you can't restrict access to commands.

  4. Use pam_access to control access to everything else. The PAM Access module allows you to limit access to an application by user, group or host, and can be used to restrict access on any PAM-enabled service to only those users that need access to it.
  5. The usual stuff. Strong Passwords, apply patches regularly, teach your employees not to give out their password for a bar of chocolate, yadda yadda yadda.
  6. You may want to check out the bastille package that comes with SLES 9. Run it on a test system to see what it does - It basically asks some questions about some things it can secure, and runs scripts accordingly.
  7. AppArmor is included with Support Pack 3. It's basically like a firewall for applications, similar to SELinux, but easier.

On another note, SLES9 is certified EAL4.

[edit]

Primary Author

--Justin Grote - Network Architect - JWG Networks 20:41, 1 May 2006 (MDT)

Retrieved from "http://wiki.novell.com/index.php/Securing_SLES9"