Assessing Your Vulnerability
It is a common mistake for people to assume that switching on a firewall makes them safe. Although there's no question that switching on a firewall is an important step to take, it is not a solution and never has been. Each system has distinct security needs, and taking the time to customize its security layout will give you maximum protection and best performance.
Following are the most common security mistakes people make:
Installing every package—SUSE Linux 10 has 3 gigabytes of software included in the distribution. If a machine is not going to be an FTP server, you probably don't need to have the server installed on it. YaST makes it easy to configure your installation so that you can remove unnecessary packages and get the ones you will use.
Enabling unused services—Do you really require the capability to access your system remotely? Do you want people to upload files to your machine? If not, don't run SSH or FTP. Always think about what you use, whether that service is
to the Internet, and whether you need it.
Disabling the local firewall on the grounds that your server already has a firewall installed—When it comes to firewalls, more is better. Your computer is your castle. Put up a wide moat with a long drawbridge, followed by a thick wall, followed by another thick wall 10 feet away from the first one. Make it hard to access, and it won't be worth the time it takes for your attacker to continue.
Letting your machine give out more information than it needs to—Earlier we talked about the unfortunate, if inevitable, demise of
as a useful tool to find out about other users on the network. Now it's just another way to hack into someone's system.
Keeping the door to the server room unlocked—Less common in IT
these days, but still a bad idea. Even if your
live in the server room (and with Linux servers, that really shouldn't be—they work best unattended), the room should be locked whenever no one is inside.
Being careless with your wireless network—Wireless networking is
and helpful, but the standards were not developed with security in mind. Someday, this is likely to improve. We're not there yet.
After you have
out these common problems, you're on to the real problem. How can the bad guys attack your machine? What can people access from the outside? This comes down to the question of what applications and services face the Internet, and what ports do they run on?
The best way to find answers to these questions is through the
networking utility. This little tool will scan the ports of any machine on your network, or all of them, and tell you which ones are open at that moment. Any service you have installed that responds to
's query is pointed out, and you may, in
, choose to lock down ports that should not be open.
SUSE Linux does not install
by default, but you can install the command-line version and a GUI front-end called
through YaST. Other GUIs are available at the Nmap website, http://www.
Although you can use the shell version, it is much easier to configure and see the results of
's work in the GUI (Figure 23.1). It is also better to run
as the SuperUser, because you will get more information that way. To launch
, log in as the SuperUser and type
ports to see what is open and vulnerable.
The best way to run
the first time, is to use the SYN Stealth scan (on by default when you launch it as SuperUser) with OS Detection and Version Probe on. By default,
scans the localhost (127.0.0.1), but you can add or change targets by typing the IP address(es) into the Target(s) edit box. The first time you run
, you should click the Scanned Ports box to change the scan range from a few default ports; select All from the drop-down menu. This scan takes a little longer, but gives you a more complete picture of your status. As you adjust your options in the GUI, you'll see the actual shell command being built at the bottom of the window. You could, if so inclined, copy this command to a text file and run it as a shell script later on.
When you have made your selections, click Scan.
tests each port to determine whether it responds. If it does,
asks the application at that port for version information and displays that to the
screen. You then get results like those displayed in Figure 23.1. Ideally, there will be no surprises on the list. If there are
, or you decide that there are some unnecessary services on the list, you can take action.
You can log your
scan by going to Save Log in the File menu and choosing a location from the menu. To view the log file later, go to Open Log from the File menu.
If you just have one or a few machines on the network, you probably need to run
only once a year, or if you suspect your system is compromised. Sysadmins of larger networks should run
regularly as part of their general maintenance regimen.
Peer-to-peer file sharing networks such as Gnutella and BitTorrent usually require you to open ports on your firewall to speed up, or even access, the network. Recognize that you may be
your security when you participate in these networks. Be wary when downloading files from these sources. although as of this writing, no significant worm has propagated itself through peer-to-peer networks, it could easily happen. Not every file with a certain
contains the content you may be expecting after you get it downloaded.