Datasheet

“main” (Installation and Administration) 2004/6/25 13:29 page 690 #716
The following is a list of rules you may find useful in dealing with basic
security concerns:

According to the rule of using the most restrictive set of permissions
possible for every job, avoid doing your regular jobs as root. This
reduces the risk of getting a cuckoo egg or a virus and protects you
from your own mistakes.

If possible, always try to use encrypted connections to work on a remote
machine. Using ssh (secure shell) to replace telnet, ftp, rsh,
and rlogin should be standard practice.

Avoid using authentication methods based on IP addresses alone.

Try to keep the most important network-related packages up-to-date
and subscribe to the corresponding mailing lists to receive announcements
on new versions of such programs (bind, sendmail, ssh, etc.).
The same should apply to software relevant to local security.

Change the /etc/permissions file to optimize the permissions
of files crucial to your system’s security. If you remove the setuid bit
from a program, it might well be that it cannot do its job anymore in
the intended way. On the other hand, consider that, in most cases,
the program will also have ceased to be a potential security risk. You
might take a similar approach with world-writable directories and
files.

Disable any network services you do not absolutely require for your
server to work properly. This makes your system safer. Open ports,
with the socket state LISTEN, can be found with the program netstat.
As for the options, it is recommended to use netstat -ap or
netstat -anp. The -p option allows you to see which process is
occupying a port under which name.

Compare the netstat results with those of a thorough port scan done
from outside your host. An excellent program for this job is nmap,
which not only checks out the ports of your machine, but also draws
some conclusions as to which services are waiting behind them.
However, port scanning may be interpreted as an aggressive act, so
do not do this on a host without the explicit approval of the
administrator. Finally, remember that it is important not only to scan TCP
ports, but also UDP ports (options -sS and -sU).

To monitor the integrity of the files of your system in a reliable way,
use the program tripwire, available on the SUSE LINUX distribution.
Encrypt the database created by tripwire to prevent someone
690 26.7. Security and Confidentiality
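
The comparison of netstat results with an outside port scan, described in the list above, can be automated. The following is an added example, not part of the original manual: it assumes the host output comes from netstat -anp and the scan was saved in nmap's grepable format (-oG); the sample data, addresses, and function names are constructed for illustration.

```python
import re

# Constructed sample: `netstat -anp` output taken on the host (not real data).
NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2345/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      987/portmap
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 3456/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           4567/ntpd
"""

# Constructed sample: grepable output of an approved external `nmap -sS -sU -oG -` scan.
NMAP = ("Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 111/filtered/tcp//rpcbind///, "
        "8080/open/tcp//http-proxy///, 123/open/udp//ntp///\tIgnored State: closed (1996)\n")

def local_listeners(text):
    """Return {(proto, port): (bind_address, program)}; assumes numeric (-n) output."""
    found = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue                          # headers, UNIX sockets, blank lines
        proto = f[0][:3]                      # tcp6/udp6 -> tcp/udp
        if proto == "tcp" and f[5] != "LISTEN":
            continue
        if proto == "udp" and not f[4].endswith(":*"):
            continue                          # connected UDP socket, not a server
        addr, port = f[3].rsplit(":", 1)
        program = " ".join(f[6:] if proto == "tcp" else f[5:])
        found[(proto, int(port))] = (addr, program)
    return found

def externally_open(text):
    """Return the set of (proto, port) that nmap reported in state 'open'."""
    return {(proto, int(port))
            for port, state, proto in re.findall(r"(\d+)/([^/]*)/(tcp|udp)/", text)
            if state == "open"}

def compare(netstat_text, nmap_text):
    local, outside = local_listeners(netstat_text), externally_open(nmap_text)
    return {
        # Listening but not reachable: loopback-bound or filtered; review whether it is needed.
        "local_only": sorted(k for k in local if k not in outside),
        # Reachable but absent from netstat: investigate before trusting either result.
        "external_only": sorted(outside - set(local)),
        "both": sorted(k for k in local if k in outside),
    }
```

Ports in "both" are the host's real exposure and should each map to a service you need; anything in "external_only" means the two views disagree and deserves a closer look.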