Datasheet
“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 691 — #717
26 Security in the Network
from tampering with it. Furthermore, keep a backup of this database
available outside your machine, stored on an external data medium
not connected to it by a network link.

Take proper care when installing any third-party software. There
have been cases where a hacker had built a trojan horse into the tar
archive of a security software package, which was fortunately
discovered very quickly. If you install a binary package, have no
doubts about the site from which you downloaded it.

SUSE’s RPM packages are gpg-signed. The key used by SUSE for
signing is:

ID:9C800ACA 2000-10-19 SUSE Package Signing Key <build@suse.de>
Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA

The command rpm --checksig package.rpm shows whether
the checksum and the signature of an uninstalled package are
correct. Find the key on the first CD of the distribution and on most
key servers worldwide.

Check your backups of user and system files regularly. Consider that
if you do not test whether the backup works, it might actually be
worthless.

Check your log files. Whenever possible, write a small script to search
for suspicious entries. Admittedly, this is not exactly a trivial task. In
the end, only you can know which entries are unusual and which are
not.

Use tcp_wrapper to restrict access to the individual services
running on your machine, so you have explicit control over which
IP addresses can connect to a service. For further information
regarding tcp_wrapper, consult the manual pages of tcpd and
hosts_access (man 8 tcpd, man hosts_access).

Use SuSEfirewall to enhance the security provided by tcpd
(tcp_wrapper).

Design your security measures to be redundant: a message seen twice
is much better than no message at all.
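
For the advice above to script your log checks, the following is an added example (not part of the SUSE manual) that counts failed sshd password logins per source address and lists the sources that reach a threshold. The OpenSSH message layout, the THRESHOLD and KNOWN_GOOD settings, the log path in the last comment, and the sample lines are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example: list sources with repeated failed sshd password logins.
# Assumed line layout (OpenSSH via syslog):
#   ... sshd[PID]: Failed password for [invalid user] NAME from ADDR port N ssh2

THRESHOLD=${THRESHOLD:-3}            # assumption: failures before a source is listed
KNOWN_GOOD=${KNOWN_GOOD:-192.0.2.10} # assumption: space-separated hosts to ignore

# Constructed sample lines, not real log data.
sample_log() {
cat <<'EOF'
Jun 25 13:01:02 host sshd[811]: Failed password for root from 203.0.113.7 port 4011 ssh2
Jun 25 13:01:05 host sshd[811]: Failed password for root from 203.0.113.7 port 4012 ssh2
Jun 25 13:01:09 host sshd[814]: Failed password for invalid user from 198.51.100.9 from 203.0.113.7 port 4013 ssh2
Jun 25 13:02:00 host sshd[820]: Failed password for tux from 192.0.2.10 port 5000 ssh2
Jun 25 13:02:03 host sshd[820]: Failed password for tux from 192.0.2.10 port 5001 ssh2
Jun 25 13:02:07 host sshd[820]: Failed password for tux from 192.0.2.10 port 5002 ssh2
Jun 25 13:03:00 host sshd[830]: Accepted password for tux from 192.0.2.10 port 5003 ssh2
Jun 25 13:04:00 host sshd[840]: Failed password for admin from 198.51.100.20 port 6000 ssh2
EOF
}

# suspicious_sources [FILE...]   (reads stdin when no file is given)
# Prints "COUNT ADDRESS" for every source at or above THRESHOLD, highest first.
suspicious_sources() {
    awk -v min="$THRESHOLD" -v good="$KNOWN_GOOD" '
        BEGIN { n = split(good, g, " "); for (i = 1; i <= n; i++) skip[g[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is supplied by the remote side and may contain
            # spaces or the word "from", so read the address from the END of the line.
            if (NF < 5 || $(NF - 4) != "from" || $(NF - 2) != "port") next
            src = $(NF - 3)
            if (!(src in skip)) fails[src]++
        }
        END { for (s in fails) if (fails[s] >= min) print fails[s], s }
    ' "$@" | sort -k1,1nr -k2,2
}

# Stand-alone use (assumed log path): sh thisscript /var/log/messages
if [ "$#" -gt 0 ]; then suspicious_sources "$@"; fi
```

Which hosts belong in KNOWN_GOOD and what threshold counts as unusual are decisions only the administrator of the machine can make.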
691 SUSE LINUX Enterprise Server










