SUSE Security FAQ
From Suntel Communications knowledgebase
This is a collection of the most commonly asked questions on the SUSE Security mailing list. The official archives of the list can be found here, and you will probably also want to take a look at the SUSE Security Announcements.
Contributions to the FAQ are welcome.
Incident Reporting
One of my servers has been cracked open and overtaken by intruders. What now?
In case of a compromised system, immediately follow these steps:
- Disconnect the host from the network, but do *NOT* switch it off: powering down destroys the running processes, open network connections and other volatile state you will want to examine.
- Connect a monitor, switch it on and carefully watch the status of all consoles. Note down anything odd, or photograph the screen.
- Log in to the compromised host and create a complete system backup on clean media, then secure this backup. Keep in mind that the system's own binaries (ls, ps, netstat, tar, ...) may have been replaced by the intruder, so use statically linked tools from clean, read-only media where you can, and work as little as possible on the live system.
- Use a non-networked computer to restore all the backed-up data from the compromised host onto a single hard disk for later examination with tools like grave-robber from The Coroner's Toolkit by Dan Farmer and Wietse Venema (http://www.fish.com/forensics/).
- Additionally, secure all system logs from the compromised system onto a non-writeable medium (CD-ROM) for quick reference.
- Get in touch with your boss and/or your organisation's legal department and inform them about the breach of security immediately. Cooperate with them to find out the legal options for the case. During this time, do not wipe or modify any data on the compromised system, as it may be relevant for legal examination.
- After checking things with your lawyer/legal department/boss, low-level format all hard disks of the compromised system.
- Analyse the logs of the compromised host and the post-mortem data you backed up from it in order to find the vulnerability the attacker exploited to crack your system.
- Install a new SUSE Linux system from scratch *WITHOUT* any config files from the compromised system. Read the FAQ section "How do I secure SUSE?" for more information about securing your freshly installed system. If you have to restore certain data from the compromised system (e.g. customer web spaces, files for your FTP server, ...), double- and triple-check that the data has not been modified or trojaned. This applies especially to scripts of any kind (CGI, PHP, etc.). Where possible, use clean versions of the files instead of those from the compromised server.
- Configure a firewall, either as a dedicated host or on the server itself, and install an intrusion detection system (IDS, like snort).
- If there are other systems which do not appear to have been compromised at first glance, check their log files for further signs of intrusion.
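The two "secure the logs" steps above are only worth anything if you can later show that the copy has not changed since you made it. The script below is an added example (it is not part of the original FAQ and not a SUSE tool): it copies a log directory onto your evidence media, writes a SHA-256 manifest next to it and records when and on what machine the copy was made; verify_evidence re-checks the manifest at any later time. It assumes sha256sum is available (on a very old system use md5sum or sha1sum and note that in CONTEXT.txt) and that the destination is on clean, separately mounted media. The log lines written by make_sample_logs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original FAQ: preserve logs from a compromised
# host together with a hash manifest so the copy can be proven unmodified.
# Assumptions: sha256sum exists; DEST_DIR is on clean media; all paths are
# illustrations only.

# preserve_logs SRC_DIR DEST_DIR: copy SRC_DIR into DEST_DIR/logs (keeping
# timestamps), hash every file into MANIFEST.sha256, note the context.
preserve_logs() {
    pl_src=$1 pl_dest=$2
    mkdir -p "$pl_dest/logs"
    # cp, never mv: the originals stay on the victim's disk for the post-mortem.
    cp -Rp "$pl_src/." "$pl_dest/logs/"
    ( cd "$pl_dest" &&
      find logs -type f | LC_ALL=C sort | while read -r pl_f; do
          sha256sum "$pl_f"
      done > MANIFEST.sha256 )
    {
        echo "collected_utc=$(date -u '+%Y-%m-%d %H:%M:%S')"
        echo "collected_on=$(uname -a)"
        echo "source_dir=$pl_src"
        echo "hash=sha256"
    } > "$pl_dest/CONTEXT.txt"
}

# verify_evidence DEST_DIR: exit 0 only if every file still matches the manifest.
verify_evidence() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# make_sample_logs DIR: constructed log lines standing in for /var/log on the
# victim; they are fabricated for this example, not real log data.
make_sample_logs() {
    mkdir -p "$1"
    printf 'Mar  3 04:12:01 victim sshd[1234]: Accepted password for root from 10.1.2.3\n' > "$1/messages"
    printf 'Mar  3 04:12:07 victim kernel: martian source 10.0.0.9 from 1.2.3.4, on dev eth0\n' > "$1/warn"
}
```

On the real host this is `preserve_logs /var/log /mnt/evidence` once, and `verify_evidence /mnt/evidence` whenever someone asks whether the copy is still intact; a non-zero exit means at least one file no longer matches the manifest. Copy MANIFEST.sha256 somewhere else as well (paper is fine), since a manifest stored only next to the files it protects can be regenerated by whoever alters them.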
I have secured all data from the compromised system and checked back with our lawyers. Is there another place to report system compromises to?
The CERT Coordination Center offers facilities for incident reporting, information about good security practices and resources for your research around security. Reporting incidents to CERT results in advice from the CERT security experts and vital information to get back online quickly. If you want to report your incident to CERT, follow the steps found on the CERT Incident Reporting Form.
Secure Remote Access
Secure Shell
How do I securely access my server remotely?
If you have not done so already, you need to install the OpenSSH package. This should be in the "SEC" section on your SuSE CD or DVD, although as this is a network service I recommend that you first check whether there is a newer version on ftp.suse.com.
SSH is an encrypted replacement for telnet, rsh and rlogin: it can do everything they can, but the whole session, password included, travels over its own encrypted protocol (it does not use SSL). The only difference you really need to know about compared to telnet is that you specify the username you wish to log in with on the command line rather than at an interactive prompt. For example, to connect to freenet.nether.net as the user joe, type ssh joe@freenet.nether.net. If you leave the username out, ssh tries to log you in with the name of your current local user.
Secure File Copy
How do I securely copy files between my (SuSE) Linux machines?
Arguably the best way to securely copy files over a network is with OpenSSH's scp command, which uses the same authentication and encryption as ssh itself.
How do I securely copy files between my Windows PC and my Linux Server.
The most commonly used Windows SCP client is PSCP (part of PuTTY). For those who would rather not type, there is a really nice Windows GUI called WinSCP.
I can't connect to my server using SSH
Check that you have enabled access to sshd in /etc/hosts.allow.
SuSE's OpenSSH packages all come with libwrap support compiled in by default. That is, they honour /etc/hosts.allow and /etc/hosts.deny, and the rules are checked in that order: the first matching line in hosts.allow grants access; otherwise the first matching line in hosts.deny refuses it; if neither file matches, the connection is allowed.
If you have previously run harden_suse you will now have a line at the bottom of /etc/hosts.deny that looks like:
ALL : ALL
If this is what is causing your connection to be refused, you will see it in the /var/log/warn log file. This can be checked with the command
tail -f /var/log/warn
while you retry the connection. To enable access from your IP address, simply add the line:
sshd : x.x.x.x
to /etc/hosts.allow (where x.x.x.x is the IP address you are connecting FROM). You can also use the form x.x.x.x/y.y.y.y, where y.y.y.y is the netmask of an entire network (e.g. your LAN) that you wish to allow. If you wish to allow SSH access from anywhere, you can replace x.x.x.x with the word ALL. This is not recommended.
sshd can also refuse root logins. Look at /etc/ssh/sshd_config (on older releases /etc/sshd_config) and check whether PermitRootLogin is set to yes, or simply try connecting as another user. Finally, you could be having a problem with mismatched SSH protocol versions. OpenSSH supports both protocol 1 and protocol 2 and should work with any client; you should upgrade to a current OpenSSH anyway, since earlier versions have known security problems.
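Before you reboot or restart sshd it helps to know what answer tcp_wrappers will give for a particular client. The script below is an added example, not part of the original FAQ and not the real libwrap code: it emulates the hosts.allow / hosts.deny decision for the forms used on this page (exact IPv4 address, address/netmask and ALL) and nothing else; real tcpd also matches hostnames, domain suffixes, EXCEPT lists and the x.x.x. prefix form, so treat it as a pre-check rather than a replacement. The two sample files it creates are constructed for the example and mirror the harden_suse layout described above.

```shell
#!/bin/sh
# Added example, not from the original FAQ: emulate the tcp_wrappers decision
# for daemon/client pairs using hosts.allow and hosts.deny files.
# Only exact IPv4, IPv4/netmask and ALL client patterns are understood.

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer for netmask arithmetic.
ip_to_int() {
    iti_a=${1%%.*}; iti_r=${1#*.}
    iti_b=${iti_r%%.*}; iti_r=${iti_r#*.}
    iti_c=${iti_r%%.*}; iti_d=${iti_r#*.}
    echo $(( (iti_a << 24) | (iti_b << 16) | (iti_c << 8) | iti_d ))
}

# client_matches PATTERN IP: succeed if IP matches ALL, x.x.x.x or x.x.x.x/mask.
client_matches() {
    cm_pat=$1 cm_ip=$2
    case $cm_pat in
        ALL) return 0 ;;
        */*)
            cm_net=${cm_pat%/*}; cm_mask=${cm_pat#*/}
            [ $(( $(ip_to_int "$cm_ip") & $(ip_to_int "$cm_mask") )) -eq \
              $(( $(ip_to_int "$cm_net") & $(ip_to_int "$cm_mask") )) ] ;;
        *) [ "$cm_pat" = "$cm_ip" ] ;;
    esac
}

# file_matches FILE DAEMON IP: succeed if any "daemons : clients" line matches.
file_matches() {
    fm_file=$1 fm_daemon=$2 fm_ip=$3
    while IFS= read -r fm_line || [ -n "$fm_line" ]; do
        fm_line=${fm_line%%#*}                      # strip comments
        case $fm_line in *:*) ;; *) continue ;; esac
        fm_dlist=${fm_line%%:*}
        fm_clist=${fm_line#*:}
        fm_clist=${fm_clist%%:*}                    # drop an optional shell-command field
        for fm_d in $(printf '%s' "$fm_dlist" | tr ',' ' '); do
            [ "$fm_d" = ALL ] || [ "$fm_d" = "$fm_daemon" ] || continue
            for fm_c in $(printf '%s' "$fm_clist" | tr ',' ' '); do
                client_matches "$fm_c" "$fm_ip" && return 0
            done
        done
    done < "$fm_file"
    return 1
}

# wrap_decision DAEMON IP ALLOWFILE DENYFILE: print allow or deny, in the
# order tcpd uses: hosts.allow first, then hosts.deny, default allow.
wrap_decision() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow; fi
}

# Constructed sample files (not your real /etc/hosts.allow and hosts.deny).
WRAP_DIR=$(mktemp -d)
ALLOW_FILE=$WRAP_DIR/hosts.allow
DENY_FILE=$WRAP_DIR/hosts.deny
cat > "$ALLOW_FILE" <<'EOF'
# admin LAN plus one remote address may reach sshd
sshd : 192.168.1.0/255.255.255.0, 10.0.0.5
EOF
cat > "$DENY_FILE" <<'EOF'
# the line harden_suse appends: everything else is refused
ALL : ALL
EOF

wrap_decision sshd 192.168.1.77 "$ALLOW_FILE" "$DENY_FILE"   # -> allow
wrap_decision sshd 10.0.0.6     "$ALLOW_FILE" "$DENY_FILE"   # -> deny
```

To check your real configuration, call wrap_decision with the address you connect from and the real files, e.g. `wrap_decision sshd 203.0.113.4 /etc/hosts.allow /etc/hosts.deny`; remember that sshd only consults these files when it was built with libwrap, which the SuSE packages are.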
How do I Secure SUSE?
Have you read your SUSE Manual? Do that first! Of course you have also already read Marc Heuse's (marc@suse.de) white paper on the Installation of a Secure Web Server
30 Second Tutorial
Install "seccheck" (found in "Productivity/Security" on your SUSE installation media)
Apply any updates that are applicable from :
ftp://ftp.suse.de/pub/suse/i386/update/
Now, if you ran harden_suse and answered yes to everything, it will have pretty much locked everything down for you. You will need to set INETD to start again in /etc/rc.config, and you will need to re-enable ftp by uncommenting the line in /etc/inetd.conf that matches the ftp server you are running. (Personally I like proftpd. Read /etc/proftpd.conf for information on locking it down; it is self-explanatory.)
You will need to add the IP range that you want to connect to sshd from into /etc/hosts.allow.
And you will need to enable Apache (httpd) in /etc/rc.config.
Once you have done all this (it should take you about 15 minutes), reboot the machine just to check that everything works and is set to start up at boot, then run "nmap localhost" (or netstat -nat). Your open ports should now look like:
Port State Service
21/tcp open ftp
22/tcp open ssh
80/tcp open http
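Eyeballing the netstat output is fine for three ports, but it is easy to overlook a fourth line, and you will want to repeat the check after every update. The script below is an added example (not from the original FAQ): it takes the output of "netstat -nat", keeps only LISTEN sockets and prints every one whose port is not in the list you expect. The netstat output embedded in it is constructed for the example; on the real host pass "$(netstat -nat)" instead.

```shell
#!/bin/sh
# Added example, not from the original FAQ: report listening TCP sockets that
# are not on the expected-port list. Input is "netstat -nat" style text.

# unexpected_listeners NETSTAT_OUTPUT "PORT PORT ...": print the local
# address:port of every LISTEN socket whose port is not in the allow-list.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed=" $2 " '
        $NF == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)                   # 0.0.0.0:6000 -> 6000
            if (index(allowed, " " port " ") == 0) print $4
        }'
}

# Constructed sample output for a "web server only" host that is not quite
# done yet: X11 is still listening on 6000 and the MTA on loopback 25.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.2:22             10.0.0.9:51234          ESTABLISHED'

# Prints 127.0.0.1:25 and 0.0.0.0:6000; the ESTABLISHED line is ignored.
unexpected_listeners "$SAMPLE_NETSTAT" "21 22 80"
```

A listener bound to 127.0.0.1 (the MTA above) is reachable only from the box itself, which is usually what you want for a web server that sends mail; the X server on 0.0.0.0:6000 is the kind of thing to fix (see "I want to use X, but I don't want it to listen on the network" below). Run this from cron and mail yourself the output, and an unexpected new port shows up the same day instead of the day the attacker uses it.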
Finally, double-check against Novell's Linux Security page that you have applied all available patches for the rpms you have installed, by comparing that page with the output of
rpm -qa
There is of course a lot more that you can do to secure a system, and I'm sure you'll get a bunch of people telling you about secumod and tripwire and all the other cool security toys, all of which you should learn about and implement. But for your specification of a web server only (I am assuming you are the only person with a shell account) this will be sufficient to get your server on the web without worrying about being easily compromised.
Notice that you didn't even have to configure a firewall/packet filter?! That only holds as long as nothing but those three services is listening and all of them are kept patched; a packet filter is still the right second layer, as the incident section above recommends.
I've heard that sendmail is insecure, but it is also used very often. Do you know other mail-daemons which are more secure?
As of version 8.9.3 there were no known security holes in the current sendmail release. Sendmail is quite powerful but not that easy to configure. Postfix and qmail are smaller, faster and possibly easier to configure, but none of the three is inherently insecure as long as it is kept up to date and configured correctly.
The Pros:
- very active maintainer team (www.sendmail.org)
- millions of users worldwide
- very flexible and adaptable for your needs
- fully compatible with almost all internet mail standards
- supported by most tools/apps (antivirus, spam-blocker, etc.)
- very well documented, lots of good books are available
- highly reliable if configured correctly
The Cons:
- Can be difficult to set up
- Quite a steep learning curve
How do I configure Sendmail Securely?
Sendmail can be considered to be configured securely in a standard install of SuSE that has had harden_suse run on it.
How do I enable feature "X"?
Simply edit /etc/mail/linux.mc (or a copy of it) and select the options you want by removing the "dnl" from the front of the lines you want. In some cases you will also need to change the domain etc. It is very well commented, and you should have no trouble figuring it out.
Once you think you have the right options, run
m4 /etc/mail/linux.mc > /etc/sendmail.cf
and it will regenerate the sendmail.cf file for you with the options you have selected. (Keep a copy of the old /etc/sendmail.cf first, so you can go back if the new one does not work.)
Then a simple
/etc/init.d/sendmail restart
will put the changes into effect.
How do I configure Postfix
For a standard configuration where you only have one domain that you wish to receive mail for, simply edit /etc/rc.config.d/postfix.rc.config. It has very good comments and you should be able to follow it yourself.
Once you have changed this file to reflect your domain, save it and run the command SuSEconfig. This will go off and generate the required config files for you. The primary file you need to be interested in if you wish to do more advanced configuration of Postfix is /etc/postfix/main.cf.
Why doesn't SUSE ship Qmail?
Qmail's license is VERY restrictive and basically does not allow vendors to ship it (you cannot ship modified binaries). That and qmail's development has been somewhat stunted by the fact that contributions to it are often not included, basically only DJB is working on it, which means qmail lacks a LOT of features.
I want to use X, but I don't want it to listen on the network for connections (port 6000)
(At least with SuSE 6.4) Edit "/usr/X11R6/lib/X11/xdm/Xservers" and change
:0 local /usr/X11R6/bin/X :0 vt07
to
:0 local /usr/X11R6/bin/X :0 vt07 -nolisten tcp
How do I enable MD5 Password Encryption
The documentation to enable MD5 password encryption on SUSE 7 is in /usr/share/doc/packages/pam/md5.config
Newer versions of SUSE offer a choice of DES, MD5 or Blowfish password hashing in YaST2, in the "Security and Users" section under "Local Security". MD5 is the default on newer versions of SUSE Professional (and openSUSE); SLES9, however, still has DES as the default. Note that changing the default only affects passwords set from then on: hashes already in /etc/shadow stay in their old format until each user changes their password.
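Because switching the default does not rehash anything, you will want to know which accounts still carry a DES hash after the change. The script below is an added example, not from the original FAQ: hash_scheme classifies a crypt(3) string by its prefix (DES hashes have no prefix and are exactly 13 characters from the set ./0-9A-Za-z), and des_accounts lists the logins that still use DES. The shadow lines in it are constructed and the hash strings are fake; on a real host run it as root on /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original FAQ: find accounts whose password hash
# is still traditional DES after the system default was switched to MD5 or
# Blowfish. Sample shadow data below is constructed; the hashes are fake.

# hash_scheme HASH: print the scheme a crypt(3) string belongs to.
hash_scheme() {
    case $1 in
        '$1$'*)            echo md5 ;;
        '$2a$'*|'$2y$'*)   echo blowfish ;;
        '$5$'*)            echo sha256 ;;
        '$6$'*)            echo sha512 ;;
        ''|'*'*|'!'*)      echo locked ;;   # empty, "*" or "!...": no password login
        *)  # exactly 13 characters of ./0-9A-Za-z and nothing else is DES
            if [ ${#1} -eq 13 ] && [ -z "$(printf '%s' "$1" | tr -d './0-9A-Za-z')" ]; then
                echo des
            else
                echo unknown
            fi ;;
    esac
}

# des_accounts SHADOW_TEXT: print the login name of every DES-hashed account.
des_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r da_user da_hash da_rest; do
        if [ "$(hash_scheme "$da_hash")" = des ]; then
            echo "$da_user"
        fi
    done
}

# Constructed sample: root and www were changed after the switch, joe and
# backup were not, nobody and ftp cannot log in with a password at all.
SAMPLE_SHADOW='root:$1$Qx9f.Z1b$constructedmd5hashxxxxxxxxxxx:12345:0:99999:7:::
joe:abJnggxhB/yWI:12345:0:99999:7:::
www:$2a$05$constructedblowfishhashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:12345:0:99999:7:::
backup:ab/cdEF12345.:12345:0:99999:7:::
nobody:*:12345:0:99999:7:::
ftp:!:12345:0:99999:7:::'

des_accounts "$SAMPLE_SHADOW"   # prints: joe, backup (one per line)
```

On a live system that is `des_accounts "$(cat /etc/shadow)"` as root. Either ask the listed users to change their password, or expire it with `passwd -e` so they are forced to at next login; only then is the DES hash gone.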
Firewalls and IDS
Port Forwarding
Q: I have a little LAN with a SUSE server as gateway. Within my LAN I have an NT box with IIS, and I want to be able to access the httpd on the NT box from the internet by specifying some port on my gateway. I have firewals-2.1-5 installed and all clients in my LAN have unlimited access to the internet and to the gateway. I tried configuring the redirection, but it seems to me that this only works when the NT box has a public IP, which it does not and never will. So is it possible to do it with the firewall, or do I have to fiddle with ipchains?
A: What you need to do is "reverse" masquerading, i.e. port forwarding. This can be accomplished with the ipmasqadm tool included on your SuSE CD. You will need to run this tool by hand, although it will happily co-exist with Marc's firewals package. (You will need to enable access to the port you want to forward in the firewall config, of course.)
You can read the author's FAQ here.
NOTE: This requires that you have regular masquerading working first!
I see port scans to port number xyz - What does this mean? What is this port used for?
In order to gather information about your system, most attackers use port scanners like nmap to look for open ports and to remotely identify the operating system the target host is running. This information, together with a list of known security vulnerabilities of various services and applications, can be used to exploit these holes, start denial of service (DoS) attacks and finally gain root access to the attacked system. That's why it is important to close services which you don't need (see HOW DO I SECURE SUSE?) and to keep up to date with the latest security patches.
If you want to know what service hides behind a certain port number, you can look in /etc/services. For a (nearly) complete list of ports and services you may consult IANA's list of ports. Unfortunately, there are also a lot of trojan horses around which use certain ports for their inbound and outbound activity. Some trojan apps come with a client utility capable of scanning single hosts or entire subnets for infected machines, which can then be hijacked. For information about ports used by common trojan horses consult http://www.glocksoft.com/trojan_port.htm, http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html or the Trojans Lair Trojan Database.
What does "kernel: martian source aabbccdd for 11223344, dev eth0" mean?
These are packets whose source address Linux does not expect on the interface they arrived on (e.g. packets with internal addresses coming in on the external interface).
The cause is probably a misconfigured machine on your LAN, although the same message appears for spoofed packets, so have a look at the addresses before you silence it. You can turn off logging of those packets via
/proc/sys/net/ipv4/conf/<interface>/log_martians
which is documented in /usr/src/linux/Documentation/proc.txt.
Rejecting vs. Denying Packets
Please note that the following applies to ipchains. Things are a little different for iptables/netfilter, which ships with Linux kernel 2.4.x.
Most packet filters offer you the possibility of either denying or rejecting a packet. So where's the difference? DENYing a packet simply means not responding at all, i.e. silently dropping the packet.
REJECT drops the packet too, but (if it is not itself an ICMP packet) generates an ICMP reply to the source to tell it that the destination was unreachable.
Sometimes denying isn't the best of responses, because a port that never answers at all (where a closed port would normally send a reset) tells the attacker that a packet filter is present. Another drawback of denying is that some services will wait for a response, thus slowing things down while they wait for the reply packet you will never send. The classic case is ident (port 113): a remote mail server that queries your ident port before accepting your mail will hang until its query times out if you DENY instead of REJECT. (Please, please _remember_ that when it comes to inetd issues ;-)
Additional Information:
- IPCHAINS-HOWTO
- www.insecure.org Read the doc of nmap!!
- thousands of postings on millions of mailing-lists
FYI:
When a service isn't running on a Unix system, the host normally lets the remote host know with some sort of return packet. In TCP this is done with an RST (reset) packet. For UDP the host (usually) returns an ICMP port-unreachable packet quoting the original packet.
With ipchains you cannot influence that behaviour: REJECT always answers with an ICMP unreachable, never with a TCP RST. If you want to do that, consider using a *BSD system with ipf (for a start read the IP-Filter-HOWTO, which should be available at http://www.obfuscation.org/ipf/) or, on a 2.4 kernel, iptables, whose REJECT target can send a TCP reset (--reject-with tcp-reset).
Misc
What is chroot?
Quoting Zwicky, Cooper, Chapman: Building Internet Firewalls: "The chroot mechanism allows a program to irreversibly change its view of the filesystem by changing the program's idea of where the root of the filesystem is."
So, this is where the name comes from ;-)
Think of a chroot'ed program as a program that lives in its own restricted filesystem without access to the rest of your filesystems (say, e.g., binaries or /etc/passwd). This restricted filesystem has to include everything (_but no more_) the chroot'ed program needs to run. Thus it has to include e.g. /etc, /bin, /lib etc. (don't forget the shared libraries).
The environment that is set up like this is called the chroot environment (often called a "jail"). Please remember to avoid setting up symbolic links that point to areas outside the chroot environment, and do not put setuid binaries or device nodes into the jail that the program does not need.
The benefit of chrooting is e.g. to restrict users to a subset of tasks or to build up an additional layer of defence against an intruder who takes over one of your processes. Note that it is not really impossible to break out of a chrooted environment (a process running as root inside the jail can escape it), so don't rely on that exclusively.
Almost every program can be chrooted (yes, even Netscape ...), either by "built-in" means or by the chroot system call (man chroot, man 2 chroot).
To get a more practical approach, please read the man page of ftpd with special respect to /etc/ftpchroot. A proper anonymous ftp setup is an example for a chrooted environment.
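The hard part of a jail is getting "everything, but no more" right, and the usual mistakes are forgetting a shared library or "fixing" that with a symlink to the real /lib. The script below is an added example, not from the original FAQ: jail_add_binary copies one program plus exactly the libraries ldd reports for it into the jail under their original paths, and jail_escaping_links finds any symlink in the jail whose target resolves outside it. It assumes glibc-style ldd output and a jail directory of your choosing (/var/jail in the usage note is hypothetical); actually entering the jail with chroot(8) needs root and is not done by the script.

```shell
#!/bin/sh
# Added example, not from the original FAQ: populate a minimal chroot jail and
# check it for symlinks that escape it. Assumes glibc-style ldd output.

# jail_add_binary JAIL BINARY: copy BINARY and the shared libraries ldd lists
# for it into JAIL, keeping the same paths they have outside.
jail_add_binary() {
    ja_jail=$1 ja_bin=$2
    mkdir -p "$ja_jail$(dirname "$ja_bin")"
    cp -p "$ja_bin" "$ja_jail$ja_bin"
    # no ldd (or a static binary): the program itself is all there is to copy
    command -v ldd >/dev/null 2>&1 || return 0
    # every absolute path in ldd output is a library or the dynamic loader
    for ja_lib in $(ldd "$ja_bin" 2>/dev/null |
                    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        mkdir -p "$ja_jail$(dirname "$ja_lib")"
        [ -e "$ja_jail$ja_lib" ] || cp -p "$ja_lib" "$ja_jail$ja_lib"
    done
}

# jail_escaping_links JAIL: print every symlink under JAIL whose target
# resolves outside JAIL (the mistake the FAQ warns about); silent if clean.
jail_escaping_links() {
    je_jail=$(cd "$1" && pwd -P)
    find "$je_jail" -type l | while read -r je_link; do
        je_target=$(readlink -f "$je_link")
        case $je_target in
            "$je_jail"/*) ;;
            *) echo "$je_link -> $je_target" ;;
        esac
    done
}
```

Typical use is `jail_add_binary /var/jail /bin/sh`, then `jail_escaping_links /var/jail` (expect no output), then as root `chroot /var/jail /bin/sh` to confirm the program starts; a "No such file or directory" at that point almost always means a library that ldd did not list because the program dlopen()s it at run time, so add it the same way rather than linking the whole of /lib into the jail.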
Security Resources
Can you recommend some good reading on Linux Security?
Books
- PRACTICAL UNIX AND INTERNET SECURITY, O'Reilly
- Anonymous: "Maximum Security" SAMS Publishing (www.samspublishing.com)
- (German translation: "Hacker's Guide", Markt+Technik-Verlag München)
- Anonymous: "Maximum Linux Security" SAMS Publishing (www.samspublishing.com) ISBN 0-672-31670-6
- (German translation: "Linux Hacker's Guide", Markt+Technik-Verlag München)
Other Places to Look for Security Info
- comp.os.linux.security FAQ (http://www.linuxsecurity.com/docs/colsfaq.html) - "This newsgroup is dedicated to the discussion of issues related to establishing and maintaining the security of machines running the Linux Operating System on all processor architectures."
- Church of the Swimming Elephant (http://www.cotse.com/) - Have you gone to church today?
- Security Portal (http://www.securityportal.com) - "Recognized as an objective force in the information security industry, SecurityPortal currently serves as the voice of security with its widely distributed e-newsletter and website with thousands of pages of security information"
Yet to be done/added
- firewalls: dmz
- Obtuse SMTPD
- service tunneling using ssh
- log file checking/digestifying
- correct use of unix permissions
- saint/satan reports service xyz is insecure - what now?
- mail and file virus scanning
- buffer overflows
- password security
- IDS
- incident reporting
- mail relaying/anti spam
- ftp and firewalls
- glossary to properly describe words and phrases like tcp, udp, trojan, scans, ports, firewall, stateful packet inspection, packet filtering, vpn, ipsec, etc.
- enhance the paragraph HOW DO I SECURE SUSE so that users *know* what is going on when harden_suse or the seccheck scripts are started, and *why* it is important not to run services with UID/GID 0, not to offer services which aren't used, and to keep an eye on file permissions.
Credits
- Peter Nixon
- Kurt Seifried
- Boris Lorenz
- Johannes Geiger
- Chris Wahl
- Kevin Ivory
- lukas geider
- Matthias Patz
If you want your name on this list, submit a completed answer to one of the unfinished questions above, or to a question asked on the mailing list.
Maintained by Suntel Communications
