One of the features the more advanced user will appreciate is the Security settings available in YaST2. The amount of detail given to security in this release is stunning…but not necessarily built for the new user. I want to highlight the openSUSE security settings so you can see for yourself just how granular you can be with openSUSE security.

Where to find security?

Figure 1

By default, of the security settings you are about to see are installed in openSUSE 11.4. In order to open up the Security Settings window click on Start > Computer > Administrator Settings (YaST). Once in YaST click on the Security and Users section (see Figure 1).

From there you will find a few security features to configure:

• Firewall: Configure your firewall on your system.
• Security Center and Hardening: Configure numerous security settings.
• Sudo: Graphic interface for managing sudo.

I want to concentrate on the Security Center in YaST. Click on that entry in the Security and Users section and a new window will open.

Security and Hardening

Figure 2

From within the Security and Hardening window (see Figure 2) you will have numerous settings available to you. In the security overview you get a good idea of what is enabled/disabled on your system. From that same section you can enable, disable, or configure those options. Some of the more handy options are:

Remote access to the display manager: Allow remote access to KDM.

Remote access to X server: Enable remote access to X windows.

Use secure file permissions: You can set your file permissions from three different levels (easy, secure, paranoid).

Another section in this window that is of great interest is pre-defined security settings. From here you can select from four different settings:

• Home Workstation
• Networked Workstation
• Network Server
• Custom

If you do not want to monkey around with too many of the security settings, I highly recommend you select one of the first three options here.

If you look at the Password section you will be surprised to find you can actually configure password checks as well as password expiration. If you have multiple users on your system, and you want to make sure your users are setting solid passwords, make sure you configure these sections. Here you can set the following:

• Minimum password length.
• Number of passwords to remember.
• Password encryption method.
• Password age (min and max).
• Days before Password Expires Warning.

Finally, you should take a look at the login section. Here you can set the amount of incorrect login attempts that can occur before a delay is forced. You can also enable/disable remote graphical login.

Final thoughts

Although openSUSE is not generally consider among the most secure Linux distributions, if administered properly it can easily stand toe to toe with any distribution available. And having the YaST security options readily available makes configuring openSUSE security a simple endeavor.

That complexity is what an introductory article is needed. I have seen plenty of users try to just jump into the heart and soul of iptables, only to see them fail miserably. To fully understand iptables one must first understand how iptables is actually used. In this article I will help you to understand the fundamentals of iptables so later on we can further that knowledge with more in-depth scripts and commands.

What IS iptables?

As I mentioned earlier, iptables is a powerful way to control packet traffic to and from your Linux box. But how does it manage this?  It does so by creating TABLES made up of CHAINS. There are three types of chains:

• INPUT: Controls packets coming in.
• OUTPUT: Controls packets going out.
• FORWARD: Controls packets that are forwarded.

These are also applied to the default policies. When you install a Linux operating system it will have three pre-defined iptables chains (one for each of the above).

Now each chain can handle the packet traffic in one of four different ways (actions):

• ACCEPT: Allow the packet in/out.
• REJECT: The target device will reject the packet.
• DROP: The packet is immediately dropped and the target device never sees said packet.
• RETURN: Go to another chain in your table as if it never saw the rejecting chain.

So now you have a TABLE made up of CHAINS that use ACTIONS to route traffic. Is this getting any easier? Now, you can also have more than one TABLE on a machine – but that is far too complex for an introductory article. Your machine will also have a default POLICY for each chain (INPUT, OUTPUT, FORWARD). By default these POLICIES are typically set to the action ACCEPT.

You must also understand that when a packet arrives on a machine it must traverse the iptables CHAIN until it either matches a CHAIN rule or it passes through all rules unscathed. Because of this you want to create your chains carefully. If you do not you can wind up with traffic you want to ACCEPT getting REJECTed because of a poorly ordered chain. For example:

Let’s say you want to ACCEPT all ssh traffic within your internal network safe passage to your machines. But what if you have a CHAIN rule that REJECTS ssh traffic in place before that internal rule? If you do this all internal ssh traffic will be REJECTed as well. In this case you would want your TABLE chain order like so:

CHAIN ACCEPTing incoming LAN ssh traffic

CHAIN REJECTing incoming WAN ssh traffic

Let’s take a look at how you use itables as a command to create or change POLICY chains.

Usage

Figure 1

If you issue the command iptables -L all of your current chains will be listed like what you see in Figure 1. NOTE: The iptables command MUST be run as either the root user or with the help of sudo.

As you can see, in my output, my TABLE consists of the three default policy CHAINS and each is currently set to the action ACCEPT.  What if I want to change my INPUT policy to DROP? After all, do you want incoming traffic to have total access to your machine? You can set the input POLICY to DROP with the following command:

sudo iptables -P INPUT DROP

What you have effectively done above is set your default INPUT POLICY to REJECT. So without creating any new CHAINS all incoming traffic to that machine will be REJECTED. Here’s the problem with that…say, for instance, you want to allow ssh traffic into that machine? If you leave it as is this will not happen. Because you have the INPUT POLICY set to REJECT and you have no other CHAINS in place, no incoming traffic will work. Remember, though, what I said about creating CHAINS in the right order to ensure needed traffic can find safe passage.

Final thoughts

Thus begins our journey with iptables. It’s not the most simple system to employ, but it certainly is powerful.  Is it worth the time and effort when there are so many GUI tools to choose from? That depends upon your needs. If you are working on nothing more than a desktop – then the GUI front-end will more than likely be enough. If, however, you have a server with mission-critical or sensitive data you might need the extra power and flexibility that iptables brings to the table.

But what is AppArmor? AppArmor is a security module implementation of name-based access controls. In other words, AppArmor protects your system against the exploitation of program flaws and compromises. This protection is done via profiles that will set a program to either “complain” or “enforce” against wrong doing.

In this article I will show you how to install AppArmor and how to use it to set an application in either “complain” or “enforce” mode.

Installation

The installation of AppArmor is simple:

1. Open up Synaptic (or your favorite package manager).
2. Search for “apparmor” (no quotes).
3. Select apparmor for installation (make sure apparmor-utils and apparmor-profiles are installed as well).
4. Click Apply to install.

That’s it. You are now ready to begin working with AppArmor.

Usage

AppArmor is a command-line only tool. It uses two particular commands for setting an application to either “complain” (aa-complain) or “enforce” (aa-enforce). There is also one other tool that is useful – apparmor_status. Let’s take a look at that command first.

You want to know the current status of AppArmor and what applications are currently in what mode. To find this out issue the command sudo apparmor_status. You should see listings similar to:

32 profiles are loaded.
12 profiles are in enforce mode.
/sbin/dhclient3
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-thumbnailer
/usr/lib/NetworkManager/nm-dhcp-client.action
...
20 profiles are in complain mode.
/bin/ping
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dovecot-auth
...

NOTE: I truncated the output to save space.

As you can see there are already certain applications in complain mode and certain applications in enforce mode. But what are these “modes”? Simple “complain” mode will log violations against the applications profile, whereas “enforce” will strictly enforce the applications profile. But what are (and where are) the profiles? You will find profiles for applications in /etc/apparmor.d. Each profile has its own settings, but all of them will have some unique characteristics. For example, with AppArmor you can define that an application have access to it’s configuration files using the “r” switch as in the /etc/apparmor.d/usr.sbin.dovecot profile line:

/etc/dovecot/** r

Creating a profile is a bit beyond the scope of this article (we’ll revisit this topic later).

Now, let’s change an application from complain to enforce. Look back at our apparmor_status output. Let’s switch the dovecot application from complain to enforce. To do this we use the aa-enforce command like so:

sudo aa-enforce /usr/sbin/dovecot

When you issue this command you will see the results appear immediately:

Setting /usr/sbin/dovecot to enforce mode.

To switch a command from enforce to complain you use the aa-complain command like so:

sudo aa-complain /usr/sbin/dovecot

Which will return the results:

Setting /usr/sbin/dovecot to complain mode.

You can run apparmor_status after you make changes to your applications to make sure the changes remain.

Final thoughts

AppArmor is a crucial piece of the Linux security puzzle. Without this application it would be much easier to exploit the weaknesses in numerous applications. As a Linux administrator, you owe it to yourself to further your knowledge of this tool. Later we will revisit AppArmor and create/edit profiles for applications.

In this article you will learn some very simple steps you can take to help make your Linux desktop a bit more secure than “out of the box”. These steps can be done by any level of user, so don’t think you will be doing any recompiling or creating iptables chains.

No auto login

When you first install many distros, you will be asked if you want your user to auto login. This is a bad idea if you are in an environment you can’t fully trust. If there are other users around, you do not want them using your account. To help avoid this disable auto login. On the GNOME desktop go to System >Administration > Login Screen. When the Login Screen Settings window opens follow these steps:

• Click the Unlock button.
• Enter your password when prompted.
• Check the Show the screen for choosing who will log in.
• Click Close.

Now when you are done using your desktop log out. The only way to get back in will be to log in.

Encrypt your ~/ directory

During installation many distributions give you the option of encrypting your ~/ directory. This will give you an added means of security – especially if your machine is stolen. With the ~/ directory being encrypted, even when the thief can not log into your user account, they will not be able to read your encrypted directory without the decryption key. That makes for some fairly safe data.

Don’t run unnecessary services

There are certain services you may not need on your machine. Some services can lead to a less-than-secure environment. Instead of allowing these services to continue running, stop them at boot time. Each distribution handles this differently. You can see how different distributions handle this in my article “Starting services at boot in Linux“. Shut down those unwanted services and gain a bit more security.

Run a simple firewall

Don’t bother getting too complicated with your desktop firewall. But if you are really paranoid, employ a simple tool like ufw (Uncomplicated Fire Wall). In Ubuntu ufw is installed by default. You can start it like so (from the command line):

sudo ufw enable

You can disable it like so:

sudo ufw disable

Install rkhunter

Root kits are a danger to any operating system. You will want to install a tool to check for root kits the minute your operating system is up and running. The best (and easiest) root kit tool is rkhunter. For information on installing and using rkhunter, read my article “Check for root kits with rkhunter“.

Shut down that P2P

I use P2P tools. But when I am done searching (and/or downloading) I shut that tool down. Why? Unwanted access. There is no real reason to leave your machine open to unknown users. So instead of leaving that P2P tool open for business, shut it down.

Careful with 666 and 777

When you chmod a file (or directory) use caution when given them either 666 or 777 file permissions (rw-rw-rw- and rwxrwxrwx respectively). This is especially true on a file (or directory) containing sensitive data. For those files either only allow read access to group and other or encrypt the file so only those with the encryption key have access. Using either 666 and/or 777 without careful thought is reckless on a Linux machine and can lead to security issues.

Final thoughts

There are so many more tips you can go through – some of which might seem common sense to many – that can lead to a more secure environment. But the most important tip I can give to you is to think before you execute. Don’t just randomly do something without knowing the end results first. In the case of security the old Benjamin Franklin quote “An ounce of prevention is worth a pound of cure.” holds very true.

Fwbuilder is a powerful firewall creation tool that works by adding objects to build a customized firewall. An object can be just about anything from a firewall, a library, a host, interface, address, DNS name, etc. The idea is you piece objects together to form a cohesive whole that works together to form a complete firewall. The only problem most run into is, when you fire up fwbuilder, where do you start? It may seem a bit confusing at first, but you know where the first step is, the rest of the journey is pretty clear.

Installing fwbuilder

I will touch briefly on installing fwbuilder, because it will not be found on your default system. And although you will find fwbuilder in your respository, it will be an outdated version. So to install the latest version first open up your /etc/apt/sources.list file and add the following (Note: I am installing this on Ubuntu 9.04.):

deb http://www.fwbuilder.org/deb/stable/ jaunty contrib

Before you update apt you will need to add the GPG key. Download that key and then issue the command:

sudo apt-key add PACKAGE-GPG-KEY-fwbuilder.asc

Now issue the command:

sudo apt-get update

Finally you can install with the command:

sudo apt-get install fwbuilder

Once installed you will find fwbuilder in the Administration sub-menu of the System menu (The entry will be labeled Firewall Builder).

Building a firewall

Figure 1

When you start up fwbuilder the main window (see Figure 1) will not seem very intuitive. The first thing you need to do is create a new firewall. To create a new firewall click the Object drop-down which is the icon to the immediate left of the User drop-down. Or you click the Object menu and select New Object (which will open the Object drop-down menu). From this drop-down select New Firewall.

When you add a new firewall object a wizard will appear. Before you can move beyond the first screen you have to do the following:

• Name your firewall.
• Select the firewall software the machine is running.
• Select the OS the firewall is running on.

In the first screen of this wizard is a very important option (if you want to make life easy for yourself). You can base your firewall on pre-configured templates. For new users this is always a good place to start. And even though you choose a pre-configured template, you can still customize this firewall.

But we’re building a customized firewall, so no templates here.

Figure 2

The next screen asks you how you want to define your interfaces. There are two methods: Manually and using SNMP to automatically discover the interfaces. Manually is the most reliable method of course so select that option and click Next.

In the device setup window (see Figure 2) you will enter the information for your networking device. Once you have entered this click Add. If you can’t figure out the MAC address you can always use the Networking Tool application under the Administration sub-menu of the System menu.

Once you have added the device click the Finish button. If you have a machine with two networking devices add your second device and then click Finish. You will now be in the window where you will add rules to your firewall. In the upper left pane click on the name of the firewall to open up the Desktop/Policy window (see Figure 3).

Figure 3

What you want to do is right click within the upper right pane and select “Insert Rule”. When the rule is inserted it will be fairly worthless. You will notice much of the policies are listed as “Any” or “All”. In order to change this you have to add new objects. Let’s say, for example, we want to create an address range that will cover our entire LAN to be used as a destination. To do this click on the Object drop-down and select New Address Range. The lower right pane will change where you can enter the values for your range. I will enter the following:

• Name: Internal LAN
• Range Start: 192.168.1.1
• Range End: 192.168.1.200

You can add a comment if you like.

Figure 4

Now click Apply and that object has been created. This is where the fun begins. As you can see (in Figure 4) my new object is listed in the lower left pane. What I do is click and drag that object into the section of the new rule I want to apply that object to. So I want the Internal Lan object to apply to the Destination section of the rule so I will drag it to that section to apply it.

Now create as many objects as you need for your firewall and click and drag them to apply them. But don’t think you have to limit yourself to one rule. You can add as many rules to this firewall as you need.

Once you have completed building your firewall right click the firewall name (in my example it would be Desktop from the upper left pane) and click “Compile”.  This will open up a compilation wizard that is simple to walk through. The compilation will create a file with the same name as the firewall and an extension of .fw.  After the compilation is complete right click the firewall name and select Install. The installation wizard is also a simple walkthrough of steps. You will have to give a user for the firewall to run under as well as the password for that user. Also you will have to select if you are going to run in test mode or not. If you are install the firewall in test mode it will not be permanent. If you install in regular mode fwbuilder will ask you how soon you want to reboot your machine (so the firewall can take effect.) I suggest running in test most first. If this works then go back through the Install process and allow for full installation (including reboot).

Final thoughts

Fwbuilder is a powerful tool that allows you to create very customized firewalls. I highly recommend this tool for anyone serious about Linux security.

Now with the Linux operating system you have a lot of choices for protection. But one of the easiest to use is Firestarter. Firestarter is one of the easiest-to-use firewalls I have used. And with this simplicity does not come a sacrifice to security. Just because it’s easy does not mean it lacks protection. Firestarter is powerful and has a ton of features. In this article you will learn how to install Firestarter and set up a basic desktop firewall.

Feature highlights

Firestarter includes such features as:

• Setup wizard.
• Real time event viewer.
• Easy port forwarding.
• ICMP parameter tuning.
• Advanced kernel tuning.
• Suitable for desktops, servers, and gateways.

and much, much more.

Installation

The installation of Firestarter is simple. Because it will most likely be found in your distributions’ repositories you will only need to follow these steps for installation:

1. Open up your Add/Remove Software tool.
2. Search for “firestarter” (no quotes).
3. Select Firestarter for installation.
4. Click Apply.
5. Enter your user password.
6. Wait for the installation to complete.
7. Close your Add/Remove Software utility.

Running Firestarter

Figure 1

You will find the Firestarter executable located in the Administration sub-menu of the System menu (in GNOME). When you first run Firestarter the wizard will open up. The first screen is the usual Welcome screen so you can just click the Forward button. The first screen you will have to do any configuration with is the Network Device Setup (see Figure 1). In this screen you need to set which interface Firestarter is to listen to. I am using a laptop so I will select my wireless device.

Figure 2

The next screen (see Figure 2) asks if you need to use internet connection sharing to set your machine up as a gateway. If you do you will need to first click the check box to enable it and then select an interface for the other machines to connect to. If you need to use your machine as a DHCP server you will have to have that installed outside of Firestarter.

Once you have taken care of connection sharing (if it is needed) click the Forward button and you’re done. The last screen wants to know if you want to start the firewall immediately and has you save your configuration.

Figure 3

While Firestarter is running you will see a small icon in your notification area that looks like a blue circle with a right-pointing triangle. If you click on that it will open up the Firestarter main window (see Figure 3). From this window you can Stop the firewall, lock the firewall, view the events log, edit both your inbound and outbound policies, and monitor active connections.

In order to monitor active connections expand the Active Connections listing which will list every connection made to and from your machine. In both the Active connections section and the Events tab you can right click an entry and take action. For instance, in the Active Connections section you can right click an entry and look up the hostname of that entry. In the Events tab you can do more. If you right click an entry in the Events tab you can do the following:

• Allow connections from source.
• Allow inbound service for everyone.
• Allow inbound service for source.
• Disable events from source.
• Disable events on port.
• Lookup hostnames.

Finally, in the Policy tab, you can right click any blank area and add a rule that will apply to a connection from a host or to a port/service. When you go to add a rule you will only need enter the IP address (or domain) and then add a comment.

Final thoughts

Firestarter makes the often daunting task of creating a firewall for a Linux machine simple. If you have ever dealt with iptables you will understand when I say this is a huge relief for desktop users who do not want to take the time to learn to use the underlying technology.