Datasheet

ManualsBrandsNovell ManualsSoftware00662644465449-OEM

701

702

703

704

705

706

707

708

709

710

“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 683 — #709

Security in the Network

In the seventies, it was argued that this method would be more secure than

others due to the relative slowness of the algorithm used, which took a

few seconds to encrypt just one password. In the meantime, however, PCs

have become powerful enough to do several hundred thousand or even

millions of encryptions per second. Because of this, encrypted passwords

should not be visible to regular users (/etc/shadow cannot be read by

normal users). It is even more important that passwords are not easy to

guess, in case the password ﬁle becomes visible due to some error. Conse-

quently, it is not really useful to “translate” a password like “tantalise” into

“t@nt@1ls3”.

Replacing some letters of a word with similar looking numbers is not safe

enough. Password cracking programs that use dictionaries to guess words

also play with substitutions like that. A better way is to make up a word

with no common meaning, something that only makes sense to you per-

sonally, like the ﬁrst letters of the words of a sentence or the title of a book,

such as “The Name of the Rose” by Umberto Eco. This would give the fol-

lowing safe password: “TNotRbUE9”. In contrast, passwords like “beer-

buddy” or “jasmine76” are easily guessed even by someone who has only

some casual knowledge about you.

The Boot Procedure

Conﬁgure your system so it cannot be booted from a ﬂoppy or from CD,

either by removing the drives entirely or by setting a BIOS password and

conﬁguring the BIOS to allow booting from a hard disk only. Normally, a

Linux system is started by a boot loader, allowing you to pass additional

options to the booted kernel. Prevent others from using such parameters

during boot by setting an additional password in /boot/grub/menu.lst

(see Chapter 8 on page 203). This is crucial to your system’s security. Not

only does the kernel itself run with root permissions, but it is also the ﬁrst

authority to grant root permissions at system start-up.

File Permissions

As a general rule, always work with the most restrictive privileges possi-

ble for a given task. For example, it is deﬁnitely not necessary to be root

to read or write e-mail. If the mail program has a bug, this bug could be ex-

ploited for an attack that acts with exactly the permissions of the program

when it was started. By following the above rule, minimize the possible

damage.

683SUSE LINUX Enterprise Server