Simple Things to Improve Your System's Security
by Jacek Artymiak10/31/2002
Welcome back!
First, I'd like to thank all of the readers who sent me their suggestions
on what they'd like to read about in the future installments of
this series. Your input is very valuable to me, because I do not
want to write about things you are not interested in. The list of
topics is very long and I will have to sort it into thematic units
that can be covered in one or more articles, but among your suggestions
are also topics that can be bundled together with others in a form
of a list of tips. And this time, we'll take a break from pf
and discuss small and simple things that you can do to improve the security of your OpenBSD system.
Do Not Allow root Logins Over SSH
This is something you should turn off as soon as you install
OpenBSD. Logging in as root over networks, whether they are public
or private, is bad practice from the point of view of security.
You should never trust your network, and assume that the traffic
might be sniffed. And it doesn't matter that you are using SSH;
always assume the worst. The good practice is to log in as an ordinary
user and then use su to become superuser, or, even
better, use sudo to execute commands you need to run
as root. (As it happens, ONLamp.com has two articles about
sudo by Michael Lucas, "Eliminating Root with Sudo"
and "Sudo Aliases and Exclusions.")
To turn root logins off, edit /etc/ssh/sshd_config
and change
#PermitRootLogin yesto
PermitRootLogin noSave changes to make them permanent, and you won't have to worry about it anymore.
Learn to Use Groups and File Permissions
Juggling file permissions takes some practice, but those who master it will end up with a more secure system and less headaches. To help you with that, ONLamp.com published an interesting article, "Using Groups to Eliminate Root," by Michael Lucas. Read it and apply that knowledge in practice.
|
Related Reading 
Practical UNIX and Internet Security |
Learn to Use File Flags
Properly used, file permissions, ownership, and groups can greatly
enhanced the overall security of your system, as shown in the default
OpenBSD configuration. However, OpenBSD (and other BSD systems)
provide an additional file protection mechanism known as file flags.
Every file can have a number of flags (listed in man
chflags and man 2 chflags), out of which the
following are particularly interesting, from the point of view of
system security:
sappnd: system append-only, only superuser can write to this file and even then, any writes are in append mode (information is added to the end of the file, without overwriting earlier information).schg: system immutable, only superuser can change, move or delete this file.uappnd: user append-only, only owner and superuser can write to this file and even then, any writes are in append mode (information added to the end of the file, without overwriting earlier information).uchg: user immutable, only owner and superuser can change, move or delete this file.
To set flags, use chflags, e.g.:
$ chflags uchg ./signatureTo unset flags, add no prefix, e.g.:
$ chflags nouchg ./signatureOnce sappnd and schg flags are set,
they can only be unset while the system is at security level 0 or
-1. Not even root can change these flags in any other mode.
You can check file flags with ls -lo (compare its
output with that of ls -l).
How do file flags help? Well, if you set schg flags on binaries,
the attacker cannot modify them and insert rogue code. Similarly,
if you set that flag on files in the /etc directory,
nobody will be able to make changes to them.
Pages: 1, 2 |
