Basics for SUSE Linux


gore
July 30th, 2004, 12:50 AM
This is a very basic guide to help configure and secure a SUSE Linux system. I may be doing more, and make this a multi part tutorial, but for now, how about some feed back?

Planned add ons:

Make a complete SUSE guide for configuring SUSE Linux how you want it

Advanced security configuration

Setting up SUSE as a server


------------=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--==--==-=-=--==-=-=-=-=-=--==-=-=-=--------------------



Configuring basic security in SUSE Linux




This should work for 8.1 Professional, 8.2 Professional and most of 9.1 Professional.



Some of the modules in YAST2 were moved in SUSE Linux 9.1 Professional, but they still work the same so you should have no problems with it, just finding where they were moved to.







Chapter one: Security updates





The first thing you should do when you have finished installing SUSE Linux, is to check for updates. Usually you can do this while you're installing, but just in case you haven't you should do it after you boot up.

By default, you should see a little icon in the lower right hand corner, which will turn Red when you have a security update. Just right click on it and select "Check for updates".

This will search online for updates to any software you may have installed. After that it may turn Red, which means updates are out.

If = Red

Then do update

Else = Check which color it turns.

If = Yellow

Then select a new server to check, as this means that it had a problem connecting.

If = Green

Then everything is OK and there are no new updates.


If you found security updates, then right click on the Red icon, and select "Launch YOU" which will launch Yast Online Update. It will display the information like which server it is using.

If your icon was Yellow, you should open this up anyway, and select a new server to use for updates. Just click on the drop down menu where the servers are listed and click on a new one and try again.

If you're updating though then click on "Next" and it will check for updates and display the ones you need. Not everything here listed is needed, but if you have the software on your computer, then it will automatically select it, so you don't really need to do anything.

Also, there is software listed that SUSE could not legally include on the CD, like drivers for Video and Wireless cards, and Microsoft True Type Fonts.

You can select these for install by clicking on the check box next to them.

After you have downloaded them, you'll notice a check box saying "Remove sources". This is so you can remove the sources that it is downloading, which is a good idea because it frees up space, and unless you look over everything, you really won't need them much.


After the packages are downloaded and installed, you can go to the next screen and watch the configuration files get written, and then, you're done.



Note that you need Root to do this. If you're not logged in as Root, whatever you want to do that needs to be done as Root will have a little box pop up asking for the Root password. Just type it in, and for the time being, that particular application is now being run as Root. It's not like Red Hat where you do something similar and then have Root for a set amount of time, it's only for the application you were launching. You have to type it again for every other application you want to run that Needs Root.






Chapter 2 : YAST2




Now, SUSE defaults with KDE, so for the time being, use KDE. This will work in any Window Manager, and will also work in Run Level three. You'll just use an arrow key instead of the mouse.


Open up the YAST control Center by clicking on the lightning bolt Green orb, and selecting "Administration" and then clicking on "YAST2".

A window pops up asking for the Root password again, and then launches. YAST2 is the main configuration utility in SUSE Linux, so learn to use it.

Click on the module titled "Security and Users".

Click on the "Firewall" Icon to launch the Firewall configuration.

The module pops up, and then you can configure the Firewall.

Now, this part I can't walk you through, as I doubt all of you reading have the exact same set up as I do, but I can help:

Read what's on the screen. You should see "External Interface". If you have a Cable connection, or if you're using a Network connection, or a LAN, then you will be selecting "eth0" for this.

For the "Internal Interface" that one is up to you.

The screen has directions on the left, so if you're using DSL or Dial up, read it.

After you have this section done, click on "Next" in the lower right of that window, to go to the next page. Clicking "Next" brings you to a page with a few more options than the last.

If you're NOT running a server in which people need access to your machine, then do NOT click on anything here. This is for punching holes in the firewall to allow access to services on your box.


If you're going to be using SUSE for a server, then go ahead and click on what you need to allow access with.

I'm going to use this box for Apache, FTP, and SSH, so I click on the following:

HTTP

Secure Shell

And then I click on "Expert" and type in "21" for the FTP port.

You may open as many ports as you want here, and I don't think I have to walk you through anymore. I told you how to open up the FTP port, and if you're setting up a server, then you should already know which ports do what.


After you have what you want typed in, click on "Ok" to go back to the other window.

After you have all the services you need opened up, click on "Next".

The next window doesn't have a whole lot to it, and is fairly easy. By default, the pre-checked boxes are fine. If you don't know if you want to check the last box or not, leave it alone.

Click on "Next".

The next configuration window shows a few options for logging. Leave these alone unless you're sure.

Click "Next".

After you click on "Next" a window pops up saying it will save the configuration. Click on "Continue" and it saves your settings and restarts the SuSEfirewall2.



And now you're back at the main window. Next, click on "Security settings".


When you open the Security settings window, you'll have a few options for setting up some security on your system.

By default it has a custom level, which you will now be setting.

Click "Next".

The next window has password options. At the top where it says "Checks" click the box that says "Checking new passwords" which will keep users from setting bad passwords.


Next, in the Password Length section, you should probably raise the "Maximum" length up a few notches, as 8 is nothing. I raised mine to 25. You can also set some password change warnings here, which may come in handy if a lot of users are going to use the system.

Click on "Next".


The next section should be changed from default:

Where it says "Boot permissions" click on the drop down box where it says "Reboot" and select "Ignore" so no one can just reboot your system. This is especially important if you're running a server.

Under that, where it says "Automatic" you should select "Only Root". That way no one can just shut the system down.

Click "Next".

This window allows you to set how long of a delay there is if someone logs in and mistypes a password, or if someone is trying to guess passwords. The default is 3 seconds.

This can be left alone unless you have a nosey little brother or sister, or people like to try and guess your password, in which case you can set it to whatever you want.

After you have chosen your options, click on "Next".

The next section is the "Adding users" section. Unless you're sure, leave this alone. Click on the "Next" button.

The next window has a few more options, and some important ones.

The setting of file permissions will really have to depend on you. Easy is selected by default, but if you're trying to be secure, just click on the box and select the option entitled "Secure".


The next setting is for updatedb. This is run every night, and you can select which user runs the command. You won't be typing it if you select your own user name, it in fact just runs with permissions of whichever of the user names you tell it to run as.

I'd suggest leaving it at "Nobody". Most of the other options here should be left alone unless you know what you're doing.


After you have selected what you would like here, click on the "Next" button, and all the settings will be saved.








Chapter 3 : System





In this Chapter, you will be staying in YAST2, and clicking on "System" on the left hand side of YAST2, to open up more settings to play with.

Word of warning:

Do NOT play with these settings unless I tell you to, or you know what you're doing. You can REALLY mess up your system from here.

OK, start by clicking on "Run Level Editor".

When you open that window, you see a few basic options, but that's not why I asked you to open it. You're going to now edit and possibly shut down services running on SUSE Linux. Again, DO NOT SHUT DOWN SERVICES UNLESS I GIVE YOU THE OK. One wrong click and your keyboard stops working.

Now, in the window that popped up, click on "Runlevel properties" and wait for the window to load.

After the window has loaded, you should see a vast amount of information. These are the services/Daemons running on your system.

I'm going to help you exorcise the Daemons you don't want/need.

This screen may look odd and hard to understand, but it's really not.

The left shows what service it is, and as you go to the right it gives information about that service, and the numbers indicate what run levels it starts up in automatically.

Start by scrolling down a little until you see "Joystick". Click on that, and then, towards the bottom where you see "Start/Stop/Refresh" click on "stop".

You don't need this if you don't have a joy stick.

Next, scroll down a little more, and think to yourself "Do I run this machine as a server?".

If you answered yes, then you'll need a few of these more than others, but if you answered "No", then you can safely click on "Portmap" and stop it too.

The next one you should see after scrolling down a little is called "sshd".

If you don't need to log into this box from a remote computer, then you don't need this service running.

You can safely stop SSH.

In here, you also may start up Daemons if you need them, but don't do it if you don't need to, or don't know what that means.

After you have everything shut down that you don't need (Only what I told you to click on, and things you were sure of) you can click on the Finish button in the lower part of your screen.

It saves the configuration you just made, and then tells you about it with a pop up window.

Click "Ok" on the pop up, and then the window closes, and you're done.

You've just made your SUSE Linux system a little more secure. Now, don't be fooled, this is nowhere near fool proof. You should read up on SUSE Linux. And maybe if people like this tutorial, I'll write another one to show you how to edit the more advanced parts of SUSE Linux.

+++++++++++++++++++++++++++++++++++++

Was this easy?

Did it help?

What could be added that I haven't planned on?


Did the tutorial flow well?

pooh sun tzu
July 30th, 2004, 01:17 AM
Nice rundown of the basic security principles regarding SUSE and very well dictated :) Learned a few things while reading it too.

gore
July 30th, 2004, 01:31 AM
Thanks man :) It was odd doing a tutorial that had nothing to do with installation of an OS, and I have only done that maybe 2-3 times, so I had to think of how to make it flow. Hopefully the next part in the series will have an even better flow, and much more information.

I'm putting them into smaller chunks, because well, it would be a monster like my OS paper which is being made still. That will really need to be split up. :)

Relyt
July 30th, 2004, 01:31 AM
^5 Gore,

Bookmarked this one. I use 8.2 Pro and looks like I'll be making some changes per your recommendations. Thanks for writing this one up!

cheers

Spyder32
July 30th, 2004, 01:53 AM
I'm no professional tutorial writer (as we all know) but hey, it was a good read. Pretty basic yet good and thorough information for instance:

Again, DO NOT SHUT DOWN SERVICES UNLESS I GIVE YOU THE OK. One wrong click and your keyboard stops working.

100% true. Also for the above, I find it great to always cover security updates. Good job man :)

thread_killer
July 30th, 2004, 02:30 AM
Have you considered cross posting this on a site like Just Linux (http://www.justlinux.com) or Linux Questions (http://www.linuxquestions.org)?

You're liable to hit a much wider audience of SuSE users.

By the way...This post brought to you by a highly tweaked SuSE 9.0 pro machine. :)

hypronix
July 30th, 2004, 02:46 AM
So when Novell ships my Linux kit I'll have a good starting point in this tutorial. Hopefully everything will run as smooth as this tutorial [;)] when I'm doing the set up... and yeah, I won't be doing only what you told us to do :P

Und3ertak3r
July 30th, 2004, 12:08 PM
Thanks Gore..

the information is helpful for a converting Whinduz user.. oops brain mash again..

almost just in time..

cheers

Wyatt
July 30th, 2004, 01:13 PM
I will say that within the last three months I have moved into the NIX environment. I am very pleased so far as to what I have learned. I started on SUSE and found your *TOOT* very interesting and informative. I would look forward to another segment of this. Thanks for your knowledge and time. Very much appreciated. Although I have now jumped full steam into OpenBSD 3.5 as a router for my home system. That is a bit cumbersome for a newly NIX user but I have set it up for basic routing right now and learning more on Packet Filter. thanks again!!!

gore
July 30th, 2004, 01:36 PM
Wow, thanks guys. This got a better response than I could have even hoped for. Thanks. I'll get to the next one when I have a little more time. I'm currently getting ready for a shower and work. Heh, went to bed at a little after 2 in the morning, and got up at 7:30 AM. Heh, thanks guys.

kryptonic
July 30th, 2004, 01:38 PM
Good one as usual gore. I'll have to try this sometimes. Well when I finally get SuSE that is.

berkah
August 13th, 2004, 08:31 AM
Thanks a lot from Indonesia!
I am just "moving" to SUSE 9.1, and your tutorial was a great help!
Please, come with more like this one soon! :)

instronics
August 13th, 2004, 10:40 AM
Nice info there gore. Just about the SuSE firewall... I would recommend NOT to use yast2 for the firewall setup. I recommend in a shell, to go to /etc/sysconfig/SuSEfirewall2 and configure it by hand. There's a lot more detail in there than yast offers you. You can setup the SuSE firewall with GREAT details, including your own iptables rules. The yast option just gives you a very small basic selection.

Cheers :)


/edit

If the suse machine is just a personal box for use at home with no server functions, then the personal firewall that comes along is excellent. If it's for a server, then the USER should know his way around the shell, vi, etc.... and setup the SuSEfirewall2 with the details needed/offered in the file itself, and not YAST. The file is commented with enough information to configure the firewall correctly. If someone does not understand the firewall config file, then he should not setup services.

Cheers :D
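
An added example, not part of the original thread: a read-only audit of the hand-edited file discussed above, listing TCP services opened on the external interface that are not on an intended list. `FW_DEV_EXT` and `FW_SERVICES_EXT_TCP` are variables from the SuSEfirewall2 sysconfig file; the function names, the sample file and the allowlist are assumptions made for this example.

```shell
#!/bin/sh
# Audit a SuSEfirewall2 sysconfig file without sourcing it.

# Print the value of shell-style variable $1 in file $2.
# The firewall script sources the file, so the last assignment wins.
# Commented-out assignments are ignored.
fw_get() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*\$/\1/p" "$2" |
        tail -n 1
}

# Map a few service names to port numbers. This small table is an
# assumption for the example; a real audit would consult /etc/services.
fw_port() {
    case "$1" in
        ftp) echo 21 ;;
        ssh) echo 22 ;;
        smtp) echo 25 ;;
        http) echo 80 ;;
        https) echo 443 ;;
        *) echo "$1" ;;
    esac
}

# Print, one per line, every externally opened TCP port in file $1 that
# is not in the space-separated allowlist $2. Port ranges such as
# 6000:6010 never match a single allowed port, so they are always reported.
fw_unexpected_tcp() {
    file=$1
    allowed=" $2 "
    for svc in $(fw_get FW_SERVICES_EXT_TCP "$file"); do
        port=$(fw_port "$svc")
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Write a constructed sample file to path $1. It mirrors the tutorial's
# choices (HTTP, Secure Shell, and port 21 typed in under "Expert").
fw_sample() {
    cat > "$1" <<'EOF'
# Constructed sample for this example, not a real system's file.
FW_DEV_EXT="eth0"
FW_DEV_INT=""
#FW_SERVICES_EXT_TCP="telnet"
FW_SERVICES_EXT_TCP="http ssh 21"
FW_SERVICES_EXT_UDP=""
EOF
}

cfg=$(mktemp)
fw_sample "$cfg"
echo "external interface: $(fw_get FW_DEV_EXT "$cfg")"
echo "open but not on allowlist '22 80': $(fw_unexpected_tcp "$cfg" "22 80")"
rm -f "$cfg"
```

On a real system the file to pass is /etc/sysconfig/SuSEfirewall2, and the allowlist is whatever the machine is meant to serve.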

gore
August 13th, 2004, 01:54 PM
Instronics:

YAST2 has both basic and advanced set up for the firewall. When I start the next section for this I'll be showing that. The Basic set up is a quickie to get the system locked for normal use. After that, you stay in YAST2 and you can edit the system like you're saying from YAST2. All of the advanced options are still there, they are just in another part to YAST2.

The Firewall set up for basic usage is there for normal users, but like I said, when I add more to this tutorial, I'll be showing you where in YAST2 you can edit complete system configurations. You don't have to do it in Vi, YAST2 has the same options, and they explain what each part is in there for, and things like that. You can edit /etc from YAST2 :)

tech_guru
October 22nd, 2004, 12:12 AM
Nice Post....Very informative...Will recommend it to my friends who are new to Suse...

secure_lockdown
October 22nd, 2004, 05:55 PM
it's not bad at all. it's very basic - but okay. greenies given. :-)

idmismatch
January 14th, 2005, 05:00 PM
I'm very surprised you consider having an FTP server on your box to be a good thing. Most people I know would use scp instead. My boxes generally have only a few ports open:
tcp: 22 (ssh/scp and tunnelled vnc, mysql etc)
tcp: 80 (web services)
udp: 514 (syslog on logging server)

Certainly removal of portmap is a good thing, but given the choice I wouldn't even let the RPC software get installed.

I think the best message you've given is "keep up to date with security patches". As true in Linux as it is Windows and any other OS out there.

If you really want to be secure you're best starting off thinking that way when you install the machine.
* Install and USE tripwire/AIDE
* Install and MONITOR seccheck
* If other people have accounts consider running password crackers occasionally
* Don't let root log in remotely
* Don't let anyone su to root, use sudo instead

SuSE out of the box isn't bad at all, but I wouldn't trust it on the internet as it stands. Thankfully it's not hard to harden it a little (those five steps, off the top of my head are a start), and if you _really_ want to tie it down it's not impossible. Think about using Bastille, a script that takes you through a set of steps that will really make life harder for anyone trying to screw with your system.

Ultimately though....
* Monitor any security systems you use, or they're worthless
* Update security patches whenever appropriate

Looking forward to gore's next installment!

CXGJarrod
January 14th, 2005, 06:42 PM
No offense, but how is having a web port open better than an FTP port?

If you really want to be secure you're best starting off thinking that way when you install the machine.
* Install and USE tripwire/AIDE


Tripwire on a home machine? Isn't that a bit pricey?

idmismatch
January 14th, 2005, 10:44 PM
No offense taken ;-)

I didn't have a problem with opening the FTP port, it was running the FTP server I was objecting to. Sorry for any confusion caused, maybe I should have been more precise.

Yes, FTP servers can be secure, but unless you're after some anonymous FTP system I don't see why you wouldn't use scp instead. Scp offers you PPK authorisation and file compression, I don't know any FTP servers that have those features. I'm not saying that none do, I'm really saying I haven't looked at running an FTP server for a looong time.

Anyway, _is_ a web port secure?
Hell, I don't know. I'm running Apache and hoping bugs get fixed before they're used.

Regarding Tripwire... there _is_ a free version available. As it happens I use AIDE instead (as that's what I could get running from the rpm once upon a time), which offers basically the same functionality.

gore
January 14th, 2005, 10:46 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=260361#post817248) by idmismatch
I'm very surprised you consider having an FTP server on your box to be a good thing. Most people I know would use scp instead. My boxes generally have only a few ports open:
tcp: 22 (ssh/scp and tunnelled vnc, mysql etc)
tcp: 80 (web services)
udp: 514 (syslog on logging server)

Certainly removal of portmap is a good thing, but given the choice I wouldn't even let the RPC software get installed.

I think the best message you've given is "keep up to date with security patches". As true in Linux as it is Windows and any other OS out there.

If you really want to be secure you're best starting off thinking that way when you install the machine.
* Install and USE tripwire/AIDE
* Install and MONITOR seccheck
* If other people have accounts consider running password crackers occasionally
* Don't let root log in remotely
* Don't let anyone su to root, use sudo instead

SuSE out of the box isn't bad at all, but I wouldn't trust it on the internet as it stands. Thankfully it's not hard to harden it a little (those five steps, off the top of my head are a start), and if you _really_ want to tie it down it's not impossible. Think about using Bastille, a script that takes you through a set of steps that will really make life harder for anyone trying to screw with your system.

Ultimately though....
* Monitor any security systems you use, or they're worthless
* Update security patches whenever appropriate

Looking forward to gore's next installment!

FTP, which if you read, I use PureFTPd, which SUSE chroots by default, and I have mine set up where you need a log in name and password that I alone have to give you. I don't think I'm exactly opening the door to hackers there.

Password crackers are run each night along with the security scripts and all logs and script activities are emailed to me and the root account. (The more mails sent the harder it is for someone to clear them out.).

Root can only log in to whatever /etc/securetty says it can. Now guess what I actually left in there..... Actually I should have added that to this tutorial.

I do trust SUSE on the internet as it stands. Before SUSE has booted up, you can update it with all patches, and configure the firewall. All of this before it's even been booted for the first time. Bastille is not needed. harden_suse comes with SUSE Linux.

I'd put SUSE as one of the most secure OSs in the World. And not to mention YAST2 is probably the best admin tool ever made.

I do have plans for another tutorial like this one but with a lot more. I just haven't had the time.

idmismatch
January 14th, 2005, 11:02 PM
"FTP, which if you read, I use PureFTPd, which SUSE chroots by default, and I have mine set up where you need a log in name and password that I alone have to give you. I don't think I'm exactly opening the door to hackers there."

Okay, but the password's sent cleartext. The chroot jail _is_ a good thing, but you'll still be left with files possibly being dumped on your machine that don't belong there. Not critical, perhaps, but I sure wouldn't want it!

The biggest problem you can have with all the logs being sent to you is do you have time to read them? I sure as hell don't for my own PC, but for work... well, it's my job, and I make time. This is the point I made about "USE" and "MONITOR". All the detection systems in the world won't help you if you don't read the warning they produce ;-)

Regarding root logging in.... here's a wee tip which I'm sure you (gore) know, but maybe others don't. In /etc/ssh/sshd_config make sure you have a line reading:
PermitRootLogin no

I have a feeling that this might be the default in SuSE Pro 9.2, but it wasn't in SLES 8!
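
An added example, not part of the original thread: a check for the `PermitRootLogin` setting mentioned above that reports the value sshd would actually use from a given file. sshd takes the first active occurrence of a keyword, matches keywords case-insensitively and ignores `#` lines; the function names and sample file are assumptions made for this example.

```shell
#!/bin/sh
# Report the global PermitRootLogin value in an sshd_config file.

# Print the first active PermitRootLogin value in file $1, or "unset"
# when the global section has none (the compiled-in default then applies,
# which differs between OpenSSH releases).
sshd_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)        # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit         # conditional blocks start here
            if (key == "permitrootlogin") { print f[2]; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when root login over SSH is explicitly set to "no".
sshd_root_login_disabled() {
    [ "$(sshd_root_login "$1")" = "no" ]
}

# Write a constructed sample config to path $1: the commented line has no
# effect, and the later lowercase line loses to the first active one.
sshd_sample() {
    cat > "$1" <<'EOF'
# Constructed sample for this example, not a real sshd_config.
Port 22
#PermitRootLogin no
PermitRootLogin yes
permitrootlogin no
EOF
}

cfg=$(mktemp)
sshd_sample "$cfg"
echo "PermitRootLogin in effect: $(sshd_root_login "$cfg")"
if sshd_root_login_disabled "$cfg"; then
    echo "root login over SSH is disabled"
else
    echo "root login over SSH is NOT explicitly disabled"
fi
rm -f "$cfg"
```

On a real system the file to pass is /etc/ssh/sshd_config, and a changed setting only takes effect once sshd has been reloaded.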

gore
January 15th, 2005, 12:51 AM
If there is a dude who can get past two routers with hardware firewall, SUSEFirewall2, and the 4 other firewalled and updated boxes on this LAN, they deserve the account for FTP. It's not accessible unless you are in my house, on my LAN.

jm459
January 15th, 2005, 01:09 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=260361#post817354) by gore
If there is a dude who can get past two routers with hardware firewall, SUSEFirewall2, and the 4 other firewalled and updated boxes on this LAN, they deserve the account for FTP. It's not accessible unless you are in my house, on my LAN.

Boo, I'm behind you :D gore stop feeding me all this shit, I'm an old man, these drugs will kill me. Well maybe not :D

idmismatch
January 15th, 2005, 01:25 AM
Why the hell are you using FTP on your own lan?

ZomBieMann77
January 15th, 2005, 03:31 AM
does it matter? maybe he likes the way it feels between his toes.

gore
January 15th, 2005, 01:45 PM
Because backing up 70 gigs of porn and.... 100 gigs of "Completely legal movies and MP3s" not to mention system files, takes a REALLY long time, and a lot of CD-Rs which I don't always have. So I upload everything to my FTP server, which can handle 12 gigs in a couple of minutes, and then when I get CD-Rs, I burn them to media.

idmismatch
January 16th, 2005, 01:34 PM
Fair enough, you like FTP.

If you ever decide to work as a sysadmin you'll find that scp will be the preferred option for most file transfers on your machines, and rsync is a really good way of keeping directory structures up to date/mirrored. Future reading:
* man scp (note the PPK authorisation and the file compression)
* man rsync (note you'll now stop uploading files that haven't changed)

One way of ensuring a number of servers have identical configs, and a way of being able to roll back should you screw up is to use CVS or Subversion. I wish I'd found that out earlier!

I've been told that unison (http://www.cis.upenn.edu/~bcpierce/unison/) is a good file synchronisation tool if anyone here finds that rsync's not enough, or if they have windows hosts. I've never used it, so you'll have to see for yourself.

Enjoy!