novell course 3058 suse linux security workbook
7/31/2019 Novell Course 3058 SUSE Linux Security WorkBook
1/110
Novell Training Services
SELF-STUDY WORKBOOK
www.novell.com
SUSE LINUX Security
COURSE 3058
Version 1
Proprietary Statement
Copyright 2005 Novell, Inc. All rights reserved.
No part of this publication may be reproduced, photocopied, stored on a retrieval
system, or transmitted without the express prior consent of the publisher. This
manual, and any portion thereof, may not be copied without the express written
permission of Novell, Inc.
Novell, Inc., 1800 South Novell Place
Provo, UT 84606-2399
Disclaimer
Novell, Inc. makes no representations or warranties with respect to the contents
or use of this manual, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to revise this publication and to make
changes in its content at any time, without obligation to notify any person or
entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any
NetWare software, and specifically disclaims any express or implied warranties
of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to make changes to any and all parts of NetWare software at any time, without obligation to notify any person or entity
of such changes.
This Novell Training Manual is published solely to instruct students in the use of
Novell networking software. Although third-party application software packages
are used in Novell training courses, this is for demonstration purposes only and
shall not constitute an endorsement of any of these software applications.
Further, Novell, Inc. does not represent itself as having any particular expertise
in these application software packages and any use by students of the same shall
be done at the students own risk.
Software Piracy
Throughout the world, unauthorized duplication of software is subject to both
criminal and civil penalties.
If you know of illegal copying of software, contact your local Software Antipiracy Hotline.
For the Hotline number for your area, access Novell's World Wide Web page at
http://www.novell.com and look for the piracy page under Programs.
Or, contact Novell's anti-piracy headquarters in the U.S. at 800-PIRATES (747-2837) or 801-861-7101.
Trademarks
Novell, Inc. has attempted to supply trademark information about company
names, products, and services mentioned in this manual. The following list of
trademarks was derived from various sources.
Novell, Inc. Trademarks
NetWare, the N-Design, and Novell are registered trademarks of Novell, Inc. in
the United States and other countries. CNA, CDE, CNI, NAEC, and Novell Authorized Education Center are service marks and CNE is a registered service
mark of Novell, Inc. in the United States and other countries. ConsoleOne,
DirXML, and eDirectory are trademarks of Novell, Inc. GroupWise is a
registered trademark of Novell, Inc. Hot Fix, and IPX is a trademark of Novell,
Inc. NDS, Novell Directory Services, and NDPS are registered trademarks of
Novell, Inc. NetWire is a registered service mark of Novell, Inc. in the United
States and other countries. NLM and Novell Certificate Server are trademarks of
Novell, Inc. Novell Client, Novell Cluster Services, and Novell Distributed Print
Services are trademarks of Novell, Inc. ZENworks is a registered trademark of
Novell, Inc.
Other Trademarks
Adaptec is a registered trademark of Adaptec, Inc. AMD is a trademark of
Advanced Micro Devices. AppleShare and AppleTalk are registered trademarks
of Apple Computer, Inc. ARCserv is a registered trademark of Cheyenne
Software, Inc. Btrieve is a registered trademark of Pervasive Software, Inc.
EtherTalk is a registered trademark of Apple Computer, Inc. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other
countries. Linux is a registered trademark of Linus Torvalds. LocalTalk is a
registered trademark of Apple Computer, Inc. Lotus Notes is a registered
trademark of Lotus Development Corporation. Macintosh is a registered
trademark of Apple Computer, Inc. Netscape Communicator is a trademark of
Netscape Communications Corporation. Netscape Navigator is a registered
trademark of Netscape Communications Corporation. Pentium is a registered
trademark of Intel Corporation. Solaris is a registered trademark of Sun
Microsystems, Inc. The Norton AntiVirus is a trademark of Symantec
Corporation. TokenTalk is a registered trademark of Apple Computer, Inc. Tru64
is a trademark of Digital Equipment Corp. UNIX is a registered trademark of the
Open Group. WebSphere is a trademark of International Business Machines
Corporation. Windows and Windows NT are registered trademarks of Microsoft
Corporation.
Contents
Copying all or part of this manual, or distributing such copies, is strictly prohibited.
To report suspected copying, please call 1-800-PIRATES.
SUSE LINUX Security Self-Study Workbook
Introduction . . . . Intro-1
SUSE LINUX Enterprise Server 9 Setup Instructions . . . . Intro-2
Access the SUSE LINUX Enterprise Server 9 as a VMware Server . . . . Intro-2
Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST . . . . Intro-8
Scenario . . . . Intro-11
SECTION 2 Host Security
Exercise 2-1 Install SLES 9 with a Customized Partition Scheme . . . . 2-2
Exercise 2-2 Change PAM Configuration to Disable Graphical Root Login . . . . 2-6
Exercise 2-3 Subscribe to the SUSE Security Announcements . . . . 2-8
Exercise 2-4 Use nmap to Scan for Open Ports . . . . 2-9
Exercise 2-5 Run a nessus Scan . . . . 2-10
SECTION 3 Cryptography: Basics and Practical Application
Exercise 3-1 Create a CA and Certificates on the Command Line . . . . 3-2
Exercise 3-2 (optional) Create a Root CA and Certificates Using YaST . . . . 3-5
Exercise 3-3 (optional) Work with GPG . . . . 3-6
SECTION 4 Network Security
Exercise 4-1 Configure the TCP Wrapper . . . . 4-2
Exercise 4-2 Use stunnel to Secure POP3 with SSL . . . . 4-5
SECTION 6 Packet Filters
Exercise 6-1 Get Familiar with Basic iptables Syntax . . . . 6-2
Exercise 6-2 Modify the Script to Set and Delete iptables Rules . . . . 6-15
Exercise Answers . . . . 6-19
SECTION 7 Application-level Gateway
Exercise 7-1 Install and Configure Squid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Exercise 7-2 Configure SSL in Squid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
Exercise 7-3 Configure Proxy Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-10
Exercise 7-4 Configure Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-14
Exercise 7-5 Analyze Squid Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-17
Exercise 7-6 Use Dante. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-19
Exercise 7-7 Configure rinetd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-25
SECTION 8 Virtual Private Networks
Exercise 8-1 Establish a VPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Exercise 8-2 (optional) Create a VPN Configuration Using YaST . . . . . . . . . . . . . . . . . . . . 8-6
Exercise 8-3 (optional) Filter IPSec Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-8
SECTION 9 Intrusion Detection and Incident Response
Exercise 9-1 Log to a Remote Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Exercise 9-2 Use Argus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
SECTION 10 LiveFire Exercise
Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-2
Section 1 Set Up the Application-Level Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-4
Section 2 Set Up the Screening Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-5
Section 3 Set Up a Web Server in the DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-6
Section 4 Set Up the Mail Server in the LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-7
Section 5 Set Up the VPN Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-8
SUSE LINUX Security Self-Study Workbook
This workbook is designed to help you practice the skills associated
with Course 3058 (SUSE LINUX Security) objectives outside of a
classroom.
Introduction
The skills introduced in this workbook are critical for performing
administrative tasks with regard to security with SUSE LINUX
Enterprise Server 9, and are necessary for passing the Novell CLE9
(Certified Linux Engineer) practicum.
The exercises in this workbook are the same as those included in
your Course 3058 SUSE LINUX Security manual, but with
modifications and notes to help you perform the exercises on a
single computer without relying on an instructor or partner SUSE
LINUX Enterprise Server 9 server.
If you experience any problems using the SUSE LINUX Enterprise Server 9 VMware Server DVD or the Self-Study Workbook, please email your questions or comments to [email protected].
SUSE LINUX Enterprise Server 9 Setup Instructions
Before starting the exercises in this workbook, you need to set up a
SUSE LINUX Enterprise Server 9 server with the same
configuration as that provided in the classroom.
There are two solutions provided for you:
Access the SUSE LINUX Enterprise Server 9 as a VMware Server on Intro-2
Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST on Intro-8
Access the SUSE LINUX Enterprise Server 9 as a VMware Server
If you want to avoid dedicating a computer to a SUSE LINUX
Enterprise Server 9 installation, you can use the SUSE LINUX
Enterprise Server 9 VMware virtual server provided on the SUSE
LINUX Enterprise Server 9 VMware Server DVD.
The following guides you through installing and using the SUSE
LINUX Enterprise Server 9 VMware server:
Check Setup Prerequisites
Install the SUSE LINUX Enterprise Server 9 VMware Server
Configure the SUSE LINUX Enterprise Server 9 VMware
Server
Start the SUSE LINUX Enterprise Server 9 VMware Server
VMware Workstation Tips
Check Setup Prerequisites
The following items are required to run the SUSE LINUX Enterprise Server 9 VMware server on your computer:
Table Intro-1 (Item: Requirement)
Memory: 256 MB RAM (minimum)
Hard Drive Space: 3.4 GB
DVD-ROM Drive: for reading the SUSE LINUX Enterprise Server 9 Self-Study Server DVD and other CDs required for the exercises
Software: VMware Workstation 5 or later (Windows or Linux)
SUSE LINUX Enterprise Server 9 Self-Study Server DVD: contains the SUSE LINUX Enterprise Server 9 VMware Server files
Although you can run the SUSE LINUX Enterprise Server 9 VMware server with 256 MB of RAM, processing time for performing some Linux administration tasks (such as using YaST) can be significantly reduced by increasing memory for the VMware server.
If you do not own a copy of VMware Workstation (or have a version earlier than 5), you can download and install a VMware Workstation 5 30-day evaluation copy from www.vmware.com.
Install the SUSE LINUX Enterprise Server 9 VMware Server
Once you have VMware Workstation 5 installed on your host
computer, do the following to install the SUSE LINUX Enterprise
Server 9 VMware server:
1. Insert the SUSE LINUX Enterprise Server 9 Self-Study Server
DVD in your DVD-ROM drive.
2. Copy the VMware server files on the DVD to a directory on your
hard drive.
We recommend creating a specific directory (such as
/tmp/vmware/SLES9_3058) to store the files.
3. Start VMware Workstation 5.
4. Select File > Open ...
5. Browse to and open the sles.vmx file.
The SLES9_3058 VMware server opens in VMware Workstation and is ready to start.
6. Some exercises require a second computer. Create a second
VMware machine by creating another directory (like
/tmp/vmware/SLES9_3058-2) on the VMware host and repeat
Steps 2 - 5.
To avoid mixing up the machines, you could give the second
machine another hostname.
Configure the SUSE LINUX Enterprise Server 9 VMware Server
Before starting SUSE LINUX Enterprise Server 9, do the following:
1. Select VM > Settings. A Virtual Machine Settings dialog appears.
From this dialog you can adjust the settings for several devices
such as memory, floppy drive, and network adaptor before
starting the virtual server.
2. Check the following device settings:
Memory. This memory setting indicates the amount of memory used by the SUSE LINUX Enterprise Server 9 virtual server on the host computer.
Although you can run the SUSE LINUX Enterprise Server
9 virtual server with 256 MB of memory, we recommend
increasing the amount (when possible) to increase the
speed of certain administrative tasks (such as starting X
Window or using the GUI version of YaST).
DVD/CD-ROM. This is the DVD drive on your host computer, and should be set as a physical drive.
We recommend leaving the default setting at auto detect
for Windows.
If you are running VMware Workstation on Linux, enter the
device name of the DVD drive (such as /dev/hdc). You can
normally select the device name from the drop-down list
for the Device field.
Floppy Drive. This is the floppy drive on your host computer.
The default is set to A: for a Windows computer. If you
are running VMware Workstation on Linux, change the
setting to the device for the floppy drive (such as /dev/fd0).
Network Adaptor. The NAT network connection default setting provides a VMware Workstation DHCP server for the SUSE LINUX Enterprise Server 9 server (which is configured to use DHCP).
While you can select another setting (such as Bridged), these have not been tested and can cause problems completing the exercises.
We recommend keeping the default NAT setting.
The rest of the settings should work properly to provide you
with the access you need to devices for USB, sound, and mouse
control.
If not, return to this dialog to make the necessary adjustments to
the settings.
3. When you finish reviewing the virtual server configuration, save
any changes and close the dialog by selecting OK.
During the exercises, you use Ctrl + Alt to access features such as terminal consoles. VMware Workstation also uses this hot key combination to switch you out of the virtual server to the host machine.
4. To change the VMware hot key configuration, select Edit > Preferences.
A Preferences dialog appears.
5. Select the Hot keys tab; then select the Ctrl-Shift-Alt option.
Once you start the SUSE LINUX Enterprise Server 9 VMware server, you can press Ctrl + Shift + Alt to access the host machine, including the VMware Workstation menu options.
6. Save the change by selecting OK.
Start the SUSE LINUX Enterprise Server 9 VMware Server
Do the following:
1. Start the SUSE LINUX Enterprise Server 9 VMware server by selecting the Power On button (or select Start this virtual machine).
2. The SUSE LINUX Enterprise Server 9 server starts booting.
3. (conditional) If you cannot see the entire SUSE LINUX
Enterprise Server 9 window on your monitor, select the VMware
Workstation full screen mode.
After starting the SUSE LINUX Enterprise Server 9 services, a
blank screen is displayed while the X Window GUI interface is
loaded.
Depending on the amount of memory allocated to the virtual
server, loading the GUI interface can take almost a minute.
4. The VMware Tools package enhances the graphics resolution
and color depth capabilities of your virtual server.
This package is already installed in the SUSE LINUX
Enterprise Server 9 VMware image on the Student CD. No
action is needed on your part to install it.
5. Click in the virtual server window to switch keyboard and mouse
functionality from the host computer to the virtual server.
You are ready to start Exercise 2-2 Change PAM Configuration
to Disable Graphical Root Login. (Exercise 2-1 Install SLES 9
with a Customized Partition Scheme is not needed if you use
the VMware image as above.)
VMware Workstation Tips
Although we rely on your experience with VMware Workstation to
complete the exercises in a virtual server environment, the following
are some tips that can help you when using the SUSE LINUX
Enterprise Server 9 virtual server:
If you cannot use the keyboard to enter text, try selecting the virtual server window with the mouse or try pressing Shift + Tab.
If you need to switch keyboard and mouse focus from the virtual server to the host computer, press Ctrl + Shift + Alt; then select the virtual window again to switch focus back.
If you want to save a copy of the SUSE LINUX Enterprise Server 9 virtual server before continuing on with an exercise or the next exercise, use the Snapshot feature (VM > Snapshot > Take Snapshot).
Before powering off the SUSE LINUX Enterprise Server 9
virtual server, make sure you shut down the server to avoid any
problems caused by not shutting down the server cleanly.
Install the SUSE LINUX Enterprise Server 9 Student Server with AutoYaST
If you want to install the SUSE LINUX Enterprise Server 9 student server on an available computer, the 3058_Course_CD includes an AutoYaST file (/setup/student.xml) that automatically configures SUSE LINUX Enterprise Server 9 for you during installation. All you need to do is swap CDs during the installation.
By installing SUSE LINUX Enterprise Server 9 with AutoYaST, you remove the existing operating system and all files on your hard drive. Before starting the installation, make sure you back up any important files you want to keep.
To install and configure SUSE LINUX Enterprise Server 9 on your
computer with AutoYaST, do the following:
1. Check to make sure your computer meets the following hardware
requirements:
A Pentium III or AMD 750 MHz or faster computer
512 MB RAM (256 MB minimum)
20 GB hard disk
CD-ROM drive
Internet access is optional for completing the exercises.
2. Copy the file student.xml (on your 3058 Setup CD) to the root of a floppy diskette.
3. Boot the server from SUSE LINUX Enterprise Server 9 CD 1.
4. When the GRUB installation screen appears, highlight the Installation option. You have 20 seconds to highlight the option before GRUB boots from the hard drive.
5. Set the display resolution by pressing F2; then select a display resolution of at least 1024x768.
If a resolution of 1024x768 is not available, select the highest
resolution available (such as 640x480).
6. Insert the floppy diskette with the file student.xml into the server diskette drive.
7. In the Boot Options field (bottom of the screen), type the
following:
autoyast=floppy:///student.xml
Make sure you enter 3 forward slashes (///) or the installation program will not be able to find the file student.xml.
8. When you are ready to begin installation, press Enter.
The kernel loads and the SUSE LINUX Enterprise Server 9
installation program detects the available hardware.
A Novell Software License Agreement dialog appears. YaST
takes care of accepting this agreement and interfacing with all
other dialogs during installation.
9. At certain points, YaST requests a particular SUSE LINUX Enterprise Server 9 installation CD.
Insert the requested SUSE LINUX Enterprise Server 9 CD; then continue by selecting OK. Continue swapping CDs as indicated by the YaST installation program.
The installation screen keeps you updated on the installation
progress (time remaining and percentage completed).
After copying files from the CDs, YaST performs tasks such as
updating the configuration, copying files to the installed system,
installing the boot manager, and preparing for an initial system
boot.
When these tasks are completed, YaST reboots the system.
10. Remove the student.xml diskette and the last SUSE LINUX
Enterprise Server 9 CD from the computer drives, and then wait
for the system to boot.
After the system automatically reboots and finishes configuring,
a GUI login screen appears.
11. Log in as geeko with a password of N0v3ll (a zero, not an uppercase O).
Scenario
The Digital Airlines management has made the decision to secure
access from the local networks to the Internet with firewalls
consisting of packet filters and application level gateways. The
Digital Airlines offices will be connected using a VPN based on
IPSec.
To implement various components of this network topology, you
need additional experience in the following areas:
System administration with a strong focus on security
Using cryptography to secure network services
Setting up packet filters
Setting up application-level gateways
Connecting networks using VPN technology
You decide to set up test servers in the lab to enhance your skills in
these areas.
SECTION 2 Host Security
In this section of the workbook, you learn how to do the following:
Install SLES 9 with a Customized Partition Scheme on 2-2
Change PAM Configuration to Disable Graphical Root Login
on 2-6
Subscribe to the SUSE Security Announcements on 2-8
Use nmap to Scan for Open Ports on 2-9
Run a nessus Scan on 2-10
Exercise 2-1 Install SLES 9 with a Customized Partition Scheme
Before you start to work on this exercise, think about which partitioning scheme makes sense to use for which server purpose.
The purpose of this exercise is to show how security can be improved by selecting an appropriate partitioning scheme for the hard disk: directories on their own filesystems can be mounted with restrictive options, and a service or user filling /var, /tmp or /home cannot exhaust the root filesystem.
During the exercises of this section, you will install the SLES9
server you will be using during the rest of the course.
As this exercise assumes you are familiar with installation of SLES
9 in general, not every single step is described.
To partition the hard disk, do the following:
1. Turn on your machine and insert SLES 9 CD 1 in the CD ROM
drive. Select Installation in the installation menu.
2. Follow the installation workflow until the Installation Settings screen appears.
3. Remove any partitions from the hard drive by doing the
following:
a. Select Partitioning.
b. Select Create custom partition setup; then select Next.
c. Select Custom Partitioning -- for experts; then select Next.
d. Remove any existing partitions by selecting the device
/dev/hda; then select Delete.
A dialog appears asking if you really want to delete all the
partitions on /dev/hda.
e. Confirm the deletion by selecting Yes.
All partitions are removed from the list.
4. Create new partitions according to the partitioning scheme which has been outlined by the instructor. If you are a self-study student, you can use the following scheme:
swap (1 GB)
/ (3 GB)
/usr (3 GB)
/opt (3 GB)
/var (2 GB)
/tmp (2 GB)
/home (1 GB)
/srv (rest of the hard disk)
The sizes will vary depending on the disk space available and the purpose of the server.
The following is the basic procedure to create partitions in the expert partitioner:
1. Select Create.
2. Choose Primary Partition or Extended Partition. (You can create the first three partitions as Primary Partitions. Then you need to create one Extended Partition. In this Extended Partition you can then create further Logical Partitions.)
3. Select the Format checkbox and choose a filesystem. Select Swap for the swap partition and Reiser for all other partitions.
4. Adjust the End Cylinder value. Type, for example, +3GB for a 3 GB partition.
5. Select a mount point for the partition according to your partitioning scheme. You don't have to select a Mount Point for the swap partition.
6. Select OK, and start again with step 1 for the next partition.
5. When you have created all partitions, close the Expert Partitioner
and return to the Installation Settings overview.
6. In the Installation Settings overview window select Software.
a. Select Minimum graphical system (without KDE) and then
Detailed selection
b. If you prefer to use a desktop environment, select KDE or GNOME.
c. Select Analyzing Tools, as you will be using several of these during the course.
d. Select Accept.
7. If an Automatic Changes dialog pops up, select Continue.
Software installation takes some time.
Note: You will install further packages during this course to
perform the exercises.
8. Once all settings have been made in the Installation Settings dialog, select Accept and then Yes, install.
9. Proceed with the installation:
There is no need to create a CA at this point, as this will be done later in the course. Therefore, select Skip configuration at this point.
Do not activate LDAP, use local authentication.
When prompted for the root password, select Expert Options and choose the encryption type Blowfish.
Use novell as root password for the purpose of this course.
Create a user geeko with the password N0v3ll.
Unless the instructor tells you otherwise, use DHCP in the networking setup; the domain name is digitalairlines.com; use 10.0.0.254 as default gateway.
When done with the installation, log in to the graphical user
interface as geeko.
(End of Exercise)
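Why the separate partitions of Exercise 2-1 matter, with a check you can run against a finished installation. This is an added example and not part of the course materials. A directory that sits on its own filesystem can be mounted with options such as nodev, nosuid and noexec, which is impossible while /tmp, /var or /home are simply subdirectories of /, and a process filling /var/log or /tmp can no longer fill the root filesystem. The script below reads an fstab (a constructed SLES 9 style sample is built in; it is not a real system's file), reports which of the exercise's mount points lack their own entry, and flags those missing the options its policy expects. That option policy (nodev,nosuid,noexec on /tmp; nodev,nosuid on /var, /home and /srv; nodev on /usr and /opt) is this example's assumption, not something the course prescribes, so adjust it to the server's role.

```shell
#!/bin/sh
# Added example (not course material): check an fstab against the Exercise 2-1
# partitioning scheme. Every expected directory must be its own filesystem, and
# the directories users and services write to should carry restrictive mount
# options. The option policy below is this example's assumption, not the course's.

# Mount points the exercise scheme puts on separate partitions.
EXPECTED="/ /usr /opt /var /tmp /home /srv"

# wanted_opts MOUNTPOINT -> prints the options this policy expects for MOUNTPOINT.
# noexec on /tmp can break installers that unpack and run helpers there; relax
# it temporarily for such runs rather than dropping it from the policy.
wanted_opts() {
    case $1 in
        /tmp)            echo "nodev nosuid noexec" ;;
        /var|/home|/srv) echo "nodev nosuid" ;;
        /usr|/opt)       echo "nodev" ;;
        *)               echo "" ;;
    esac
}

# fstab_has_mount FSTAB MOUNTPOINT -> exit 0 if MOUNTPOINT has its own entry.
fstab_has_mount() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { found = 1 } END { exit !found }' "$1"
}

# fstab_missing_opts FSTAB MOUNTPOINT OPT... -> prints the OPTs absent from the
# entry's mount-option field (column 4), space separated; empty if none missing.
fstab_missing_opts() {
    fstab=$1; mp=$2; shift 2
    opts=$(awk -v mp="$mp" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4 }' "$fstab")
    missing=""
    for o in "$@"; do
        case ",$opts," in
            *",$o,"*) ;;
            *)        missing="$missing $o" ;;
        esac
    done
    echo "${missing# }"
}

# check_scheme FSTAB -> one line per expected mount point:
#   "OK /x", "MISSING /x" (still part of the parent filesystem) or
#   "WEAK /x missing: opt ..."; exit status 1 if anything is not OK.
check_scheme() {
    rc=0
    for mp in $EXPECTED; do
        if ! fstab_has_mount "$1" "$mp"; then
            echo "MISSING $mp"; rc=1; continue
        fi
        miss=$(fstab_missing_opts "$1" "$mp" $(wanted_opts "$mp"))
        if [ -n "$miss" ]; then
            echo "WEAK $mp missing: $miss"; rc=1
        else
            echo "OK $mp"
        fi
    done
    return $rc
}

# write_sample_fstab FILE -> writes a constructed SLES 9 style fstab that follows
# the exercise scheme but leaves /usr and /opt with the installer's default options.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system's fstab
/dev/hda1  swap   swap      pri=42                      0 0
/dev/hda2  /      reiserfs  acl,user_xattr              1 1
/dev/hda3  /usr   reiserfs  acl,user_xattr              1 2
/dev/hda5  /opt   reiserfs  acl,user_xattr              1 2
/dev/hda6  /var   reiserfs  acl,nodev,nosuid            1 2
/dev/hda7  /tmp   reiserfs  nodev,nosuid,noexec         1 2
/dev/hda8  /home  reiserfs  acl,user_xattr,nodev,nosuid 1 2
/dev/hda9  /srv   reiserfs  nodev,nosuid                1 2
proc       /proc  proc      defaults                    0 0
EOF
}

# Demo: report on the constructed sample (expect WEAK lines for /usr and /opt).
sample=$(mktemp)
write_sample_fstab "$sample"
check_scheme "$sample" || echo "scheme needs attention"
rm -f "$sample"
```

Run it as sh check-scheme.sh to see the report for the built-in sample, or call check_scheme /etc/fstab on the freshly installed server. SLES 9 writes acl,user_xattr as the default options, so expect WEAK lines until you add the options through the partitioner's fstab options dialog or by editing /etc/fstab and remounting (for example mount -o remount /tmp).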
Exercise 2-2 Change PAM Configuration to Disable Graphical Root Login
In this exercise, you change the PAM configuration by doing the
following:
1. Log out of the KDE desktop environment.
2. When the KDM login screen appears, log in with the following:
Username: root
Password: novell
Notice that you can log in as root without a root entry in the
login screen.
3. Log out again from the KDE desktop environment.
4. Log in as geeko with a password ofN0v3ll.
5. Open a terminal window and su to root.
6. Open the file /etc/pam.d/xdm in a text editor.
7. Add the following as the second line of the file:
auth required pam_securetty.so
8. Save and close the file.
9. Log out and try to log in as root user at the KDM login screenagain.
The root login is denied.
10. Log in as geeko again.
xIf you cannot log in as geeko, restart the X server by pressingCtrl + Alt + Backspaceand try again. You might also need to rebootyour server.
11. Open a terminal window and su to root.
12. Open the file /etc/pam.d/xdm in a text editor and remove or comment out the following line (the line you added):
auth required pam_securetty.so
13. Save and close the file.
14. Log out and try to log in as root at the KDM login screen again.
You can now log in as root.
Note: If you cannot log in as root, restart the X server using Ctrl + Alt + Backspace and try again.
15. Log out of the KDE desktop environment and log back in as
geeko.
(End of Exercise)
Exercise 2-3 Subscribe to the SUSE Security Announcements
In this exercise, you subscribe to the SUSE security mailing list.
This means that Novell/SUSE will inform you by email about
current security issues of SUSE Linux products.
If you don't want to receive these messages, skip this exercise.
Do the following:
1. From the KDE start menu, select Internet > Web Browser.
2. In the address bar of the browser, enter the following:
http://www.suse.com/en/business/mailinglists.html
3. Scroll down to the entry suse-security-announce; then select the check box for that entry.
4. Scroll down to the bottom of that page. In the E-mail Address field, enter your email address.
5. Subscribe to the list by selecting OK.
6. Close the web browser window.
(End of Exercise)
Exercise 2-4 Use nmap to Scan for Open Ports
The purpose of this exercise is to familiarize you with nmap and
port scans. You will work with another student in this exercise.
Do the following:
1. Open a terminal window and sux - to root with a password of novell.
2. Perform a TCP connect scan on the computer of your partner by entering the following command:
nmap -sT .
Compare the result with the output of netstat -patune on his or her computer.
3. Start Ethereal by typing ethereal.
4. Select Capture > Start.
5. Select OK.
6. Let your partner scan your computer with nmap.
7. Select Stop in the ethereal capture dialog.
8. Have a look at the packet list in ethereal. Can you identify the
packets nmap used for the port scan?
(End of Exercise)
Exercise 2-5 Run a nessus Scan
The purpose of this exercise is to show you how to set up nessusd
and nessus client to scan hosts in the network. You will work with a
partner.
Do the following:
1. Open a terminal window and sux - to root with a password of novell.
2. Create a certificate for the nessusd and add a user who might
access nessusd by entering:
nessus-mkcert
nessus-adduser
Answer any questions appropriately. Use geeko as the user to add. When prompted to enter rules within the adduser-script
press CTRL-D without entering any rules.
3. Start nessusd by entering:
rcnessussd start
4. Start the user interface by entering
nessus
5. Log in as geeko with the password you provided within the
script.
6. Enter the IP address of your partner's computer as the target host and scan it.
7. View the report by selecting the entries shown in the report window.
(End of Exercise)
S E C T I O N 3 Cryptography: Basics and Practical Application
In this section of the workbook, you learn how to do the following:
Create a CA and Certificates on the Command Line on 3-2
(optional) Create a Root CA and Certificates Using YaST on
3-5
(optional) Work with GPG on 3-6
Exercise 3-1 Create a CA and Certificates on the Command Line
Note: The certificates created in this exercise are used later in the Network Security section of this course. Complete the exercise successfully and do not delete the certificates after the exercise.
The purpose of this exercise is to familiarize you with the openssl
command. The certificates created in this exercise can be used in an
exercise in the next section.
Do the following:
1. Open a terminal window and su - to root with a password of novell.
2. Create the necessary directory structure in root's home directory (using your hostname instead of daxx) and change the permissions for the private directory:
mkdir -p DAxx-ca/{certs,newcerts,private,crl}
cd DAxx-ca
chmod 700 private
3. Edit the file /etc/ssl/openssl.conf with a text editor and change variables and company entries appropriately, like /root/DAxx-CA for dir and Digitalairlines as company.
The following is the example for the system da10. Please adjust your settings to your environment.
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = /root/DA10-CA
...
dir = /root/DA10-CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = yes # Set to 'no' to allow creation of
 # several certificates with same
 # subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/da10-cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
#crlnumber = $dir/crlnumber # the current crl number
 # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/da10-cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
...
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = de
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Bavaria
localityName = Locality Name (eg, city)
localityName_default = Munich
...
4. To create the self-signed root certificate of your CA, enter
openssl req -newkey rsa:2048 -x509 -days 3650 \
-keyout private/daxx-cakey.pem -out daxx-cacert.pem
Answer the questions.
5. To view the certificate, enter:
openssl x509 -in daxx-cacert.pem -text
6. To create the files index.txt and serial, enter
touch index.txt ; echo 01 > serial
7. To create a certificate signing request for your machine, enter
openssl req -new -keyout private/daxx_prv_key.pem \
-out certs/daxx_req.pem -days 365
Answer the questions.
Note: The sequence of -out and -infiles is important. If -infiles is first, you get a not too helpful error message.
8. To sign the certificate signing request and create the certificate, enter
openssl ca -policy policy_anything -notext \
-out certs/daxxcert.pem -infiles certs/daxx_req.pem
9. View the files index.txt and serial with cat.
10. Repeat steps 7 to 9 to create another certificate for server.digitalairlines.com.
11. To revoke the certificate just created and create a certificate revocation list, enter
openssl ca -revoke certs/servercert.pem
openssl ca -gencrl -out crl/daxx-crl.pem
12. View the files index.txt and serial with cat.
(End of Exercise)
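As an added example that is not part of the workbook, the same exercise scripted so that it runs without prompts and checks its own result. It assumes openssl 1.1 or newer, writes its own config into the CA directory instead of editing /etc/ssl/openssl.cnf, keeps the exercise's file names, and uses constructed subject names:

```shell
#!/bin/sh
# Added example, not from the workbook: Exercise 3-1 run end to end
# without interactive prompts. Assumes openssl 1.1 or newer. File
# names follow the exercise; the subject names are constructed.

# Step 3 as a self-contained config instead of edits to openssl.cnf.
write_ca_config() {   # $1 = CA directory, $2 = config file to write
    cat > "$2" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $1
certs            = \$dir/certs
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/daxx-cacert.pem
private_key      = \$dir/private/daxx-cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256
unique_subject   = yes
policy           = policy_anything
x509_extensions  = usr_cert
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Steps 2, 4 and 6: directory layout, self-signed root certificate,
# and the index.txt/serial/crlnumber files that openssl ca expects.
init_ca() {           # $1 = CA directory (created if needed)
    mkdir -p "$1/certs" "$1/newcerts" "$1/private" "$1/crl"
    chmod 700 "$1/private"
    write_ca_config "$1" "$1/openssl.cnf"
    openssl req -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -x509 \
        -days 3650 -subj "/O=Digitalairlines/CN=DAxx Root CA" \
        -keyout "$1/private/daxx-cakey.pem" -out "$1/daxx-cacert.pem" \
        2>/dev/null || return 1
    touch "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    # an initial, empty CRL so revocation checks work from the start
    openssl ca -config "$1/openssl.cnf" -gencrl \
        -out "$1/crl/daxx-crl.pem" 2>/dev/null
}

# Steps 7 and 8: request, then signed certificate; -infiles goes last.
issue_cert() {        # $1 = CA directory, $2 = short name, $3 = FQDN
    openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/O=Digitalairlines/CN=$3" \
        -keyout "$1/private/${2}_prv_key.pem" -out "$1/certs/${2}_req.pem" \
        2>/dev/null || return 1
    openssl ca -config "$1/openssl.cnf" -batch -policy policy_anything \
        -notext -out "$1/certs/${2}cert.pem" \
        -infiles "$1/certs/${2}_req.pem" 2>/dev/null
}

# Step 11: mark a certificate revoked and publish a fresh CRL.
revoke_cert() {       # $1 = CA directory, $2 = certificate file
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null || return 1
    openssl ca -config "$1/openssl.cnf" -gencrl \
        -out "$1/crl/daxx-crl.pem" 2>/dev/null
}

# 0 when the certificate chains to the CA and is not on the CRL.
cert_is_valid() {     # $1 = CA directory, $2 = certificate file
    openssl verify -crl_check -CAfile "$1/daxx-cacert.pem" \
        -CRLfile "$1/crl/daxx-crl.pem" "$2" >/dev/null 2>&1
}

# Whole exercise in a scratch directory; index.txt (step 12) then
# shows V for valid entries and R for revoked ones.
demo_ca() {
    cadir=$(mktemp -d)/DAxx-ca
    init_ca "$cadir" || return 1
    issue_cert "$cadir" daxx da10.digitalairlines.com || return 1
    issue_cert "$cadir" server server.digitalairlines.com || return 1
    revoke_cert "$cadir" "$cadir/certs/servercert.pem" || return 1
    cert_is_valid "$cadir" "$cadir/certs/daxxcert.pem" && echo "daxxcert.pem: valid"
    cert_is_valid "$cadir" "$cadir/certs/servercert.pem" || echo "servercert.pem: revoked"
    cat "$cadir/index.txt"
}
if [ "${1:-}" = demo ]; then demo_ca; fi
```

Run it as sh ca-demo.sh demo; the index.txt it prints shows the server entry flagged R after the revocation.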
Exercise 3-2 (optional) Create a Root CA and Certificates Using YaST
The purpose of this exercise is to teach you how to manage a CA
using YaST.
Just a rough outline of steps is given here. Do the following:
1. Start a terminal window and sux - to root with a password of novell.
2. Start the YaST CA Management module by entering
yast2 ca_mgm
3. Select Create Root CA and follow the steps of the wizard to create a root CA.
Use values of your choice to fill in the dialogs.
4. Enter the root CA you just created.
5. Export the CA certificate to a file.
6. Create a server certificate.
7. Export the server certificate.
(End of Exercise)
Exercise 3-3 (optional) Work with GPG
The purpose of this exercise is to familiarize you with some of the
features of GPG and how keys are managed to exchange encrypted
mail.
Work with a partner to exchange keys and exchange encrypted mails
or files.
Do the following:
1. Open a terminal window and create a public/private GPG-key
pair by entering
gpg --gen-key
You have to answer several questions; the defaults will do for
this exercise. When creating your personal key pair you might
want to choose 2048 bits for the key length. Make sure that you
remember the Real name you enter during the key creation process.
2. To export your public key to a file, enter
gpg -a --export "Real name" > name.asc
Choose a reasonable name for the key file. Transfer this file to your partner using scp.
3. To import the public key of your partner, enter
gpg --import partners_name.asc
4. No mail service is set up in the course room, so you will encrypt and transfer a file instead of mailing it. Write a message to a file, such as
echo Hello, how are you > textfile
5. To encrypt that file, enter
gpg -ea textfile
You are prompted to enter a user ID. The name that is part of
the key will do, or use the hexadecimal ID of the key if there
are several keys with the same name.
6. View the file textfile.asc using cat.
7. Transfer the file to your partner, and get his encrypted file to your computer, using a descriptive filename to avoid overwriting each other's files.
8. To decrypt the file, enter
gpg filename.asc ; cat filename
To view the decrypted file directly on the screen, you can use
gpg -o - filename
9. Sign the file with
gpg --clearsign textfile
10. Verify the signature with
gpg textfile.asc
11. Load the file textfile.asc in vi and alter one letter of the message. Save the changes and close vi. Verify the signature again.
(End of Exercise)
S E C T I O N 4 Network Security
In this section of the workbook, you learn how to do the following:
Configure the TCP Wrapper on 4-2
Use stunnel to Secure POP3 with SSL on 4-5
Exercise 4-1 Configure the TCP Wrapper
In this exercise you work with a partner to practice configuring the
TCP wrapper. The exercise consists of the following parts:
Part I: Secure the FTP Service
Part II: Configure a Twist
Part III: Configure Logging
Part I: Secure the FTP Service
In this part of the exercise, you secure the FTP service so that
everyone in the classroom except your partner can access the FTP
server on your system.
Do the following:
1. Use YaST to install the package vsftpd.
2. Open a terminal window and su to the root user.
3. Open the file /etc/xinetd.d/vsftpd with a text editor.
4. Make sure the line disable = yes starts with a # character.
5. Save and close the file.
6. Restart xinetd with the command rcxinetd restart.
7. Open the file /etc/hosts.deny in a text editor.
8. Add the following to the end of the file:
vsftpd : IP_of_partner
9. Save the file.
10. Have your partner attempt to ftp to your system; then have another student in the classroom attempt to ftp to your host.
11. The connection for your partner is closed. However, others can ftp to your server.
12. Place a comment character (#) in front of the line you just added to the file /etc/hosts.deny; then add the following line:
ALL:ALL
13. Save the file and close the editor.
14. Set the same security restriction by editing the file /etc/hosts.allow:
Open the file /etc/hosts.allow in a text editor.
15. Add the following to the end of the file:
vsftpd : ALL EXCEPT IP-of-partner
16. Save and close the file.
17. Have your partner try to ftp to the system; then have another student in the classroom attempt to ftp to your host.
The results should be the same as with the file hosts.deny.
Part II: Configure a Twist
In this part of the exercise you configure TCP wrapper to execute
another program than the respective daemon.
Do the following:
1. Open a terminal window and su to the root user.
2. Edit the ALL:ALL line in /etc/hosts.deny to reflect the following:
ALL: ALL: twist (echo "This service is not accessible from %a!")
3. Save and close the file.
4. Have your partner try to ftp to the system to verify that the
message is sent.
Part III: Configure Logging
In this part of the exercise you configure logging, using the spawn
feature of TCP wrapper.
Do the following:
1. Open a terminal window and su to the root user.
2. At the bottom of the file /etc/hosts.allow, change the vsftpd line to reflect the following:
vsftpd : ALL EXCEPT IP-of-partner : spawn (echo "%a accessed %s" >> /tmp/service-access.log)
3. Save and close the file.
4. Have someone in the class besides your partner attempt to ftp to
the system to verify that the entry is logged.
5. Verify that all of the activity to the services under xinetd has been logged in /var/log/xinetd.log by entering
cat /var/log/xinetd.log
(End of Exercise)
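As an added example, not from the workbook, a small shell evaluator for hosts.allow and hosts.deny lines of the kind used in Parts I to III, so a rule set can be checked for a given daemon and client address before anyone connects. It covers only the forms the exercise uses (ALL, single addresses, ALL EXCEPT, the twist and spawn options with %a and %s); the addresses in the sample files are constructed:

```shell
#!/bin/sh
# Added example, not from the workbook: an evaluator for hosts.allow and
# hosts.deny lines ("daemon_list : client_list [: option]") limited to
# the forms Exercise 4-1 uses: ALL, single addresses, "ALL EXCEPT ...",
# and the twist/spawn option with %a (client address) and %s (server
# information, rendered here as daemon@server_address). The decision
# order is tcpd's: first match in hosts.allow grants access, then the
# first match in hosts.deny denies, and no match at all grants.

trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# 0 when $1 (an address or daemon name) matches the list in $2.
list_matches() {
    item=$1
    set -f                                   # no globbing of list words
    set -- $(printf '%s' "$2" | tr ',' ' ')  # commas and spaces both separate
    set +f
    list=$*
    case " $list " in
        *" EXCEPT "*)                        # "A EXCEPT B": in A but not in B
            keep=${list%% EXCEPT *}
            drop=${list#* EXCEPT }
            if list_matches "$item" "$keep" && ! list_matches "$item" "$drop"; then
                return 0
            fi
            return 1 ;;
    esac
    for tok in $list; do
        if [ "$tok" = ALL ] || [ "$tok" = "$item" ]; then return 0; fi
    done
    return 1
}

# Evaluates one file; prints the option of the first matching line and
# returns 0, or returns 1 when no line matches.
file_match() {       # $1 = file, $2 = daemon, $3 = client address
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                         # drop comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=$(trim "${line%%:*}")
        rest=${line#*:}
        case "$rest" in
            *:*) clients=$(trim "${rest%%:*}"); option=$(trim "${rest#*:}") ;;
            *)   clients=$(trim "$rest"); option= ;;
        esac
        if list_matches "$2" "$daemons" && list_matches "$3" "$clients"; then
            printf '%s' "$option"
            return 0
        fi
    done < "$1"
    return 1
}

# Prints ALLOW/DENY plus the expanded option; returns 0 (allow) or 1 (deny).
hosts_access() {     # $1 = hosts.allow, $2 = hosts.deny, $3 = daemon,
                     # $4 = client address, $5 = server address
    if opt=$(file_match "$1" "$3" "$4"); then verdict=ALLOW; rc=0
    elif opt=$(file_match "$2" "$3" "$4"); then verdict=DENY; rc=1
    else verdict=ALLOW; opt=; rc=0
    fi
    opt=$(printf '%s' "$opt" | sed "s/%a/$4/g; s/%s/$3@$5/g")
    printf '%s\n' "$verdict${opt:+ $opt}"
    return $rc
}

# Constructed files mirroring the end of Parts II and III: 10.0.0.7 is
# the partner, everyone else may use vsftpd and gets logged.
write_sample_files() {   # $1 = directory
    cat > "$1/hosts.allow" <<'EOF'
# constructed sample
vsftpd : ALL EXCEPT 10.0.0.7 : spawn (echo "%a accessed %s" >> /tmp/service-access.log)
EOF
    cat > "$1/hosts.deny" <<'EOF'
ALL : ALL : twist (echo "This service is not accessible from %a!")
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_files "$dir"
    for client in 10.0.0.9 10.0.0.7; do
        printf 'vsftpd from %s: ' "$client"
        hosts_access "$dir/hosts.allow" "$dir/hosts.deny" vsftpd "$client" 10.0.0.10 || :
    done
    rm -r "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```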
Exercise 4-2 Use stunnel to Secure POP3 with SSL
The purpose of this exercise is to practice securing a service with
stunnel.
Do the following:
1. Open a terminal window and sux - to root using a password of novell.
2. Install the packages stunnel and qpopper by entering
yast -i stunnel qpopper
and inserting the appropriate CD when requested.
3. Use a certificate and its corresponding private key created in the
exercise Create a CA and Certificates on the Command Line
on 3-2 or in the exercise (optional) Create a Root CA and
Certificates Using YaST on 3-5.
You can either
Use the certificate and private key created for your
computer with openssl on the command line.
In this case you need to create a copy of the private key that
is not secured with a passphrase:
openssl rsa < private/daxx_prv_key.pem \
> private/daxx_prv_key-unenc.pem
Copy the certificate and the private key into one file:
cat certs/daxx_cert.pem \
private/daxx_prv_key-unenc.pem \
>> /etc/stunnel/stunnel.pem
Also copy the RootCA certificate to the directory /tmp.
or
Use the certificate and private key created for your
computer in the YaST CA Management module.
Export it to /etc/stunnel/stunnel.pem, selecting Certificate and Key Unencrypted in PEM Format in the Export dialog.
Also export the RootCA certificate and save it in the directory /tmp.
4. Limit access to the file /etc/stunnel/stunnel.pem by entering
chmod 600 /etc/stunnel/stunnel.pem
5. Using vi, modify the configuration of stunnel in the file /etc/stunnel/stunnel.conf to reflect the following entries (some lines need a comment symbol #, some need the comment symbol deleted, and other lines need to be added by you; you have to look through the file to find the lines):
#chroot = /var/lib/stunnel/
#setuid = stunnel
#setgid = nogroup
...
[pop3s]
accept = 995
# connect = 110
exec = /usr/sbin/popper
execargs = popper -s
6. Start stunnel by entering rcstunnel start.
If there are any error messages, correct your configuration
accordingly.
7. Test your POP server by configuring a mail program of your
choice to pick up mail of a local account (such as geeko) from
localhost port 995.
Make sure that you use the full hostname (daxx.digitalairlines.com) in the pop server field, not just
localhost.
When finished with the configuration, actually try to pick up
mail. You should see an error message that the server certificate
failed the authenticity test.
Do not accept the certificate at this point but select cancel (or whatever your mail program offers at this point).
8. Import the CA certificate into your application. How this is done depends on your mail program.
If you use KMail, you do that by starting konqueror and selecting
Settings > Configure Konqueror > Crypto > SSL signers Tab > Import
Change directory to /tmp and choose the CA certificate suitable
for the stunnel certificate, either the OpenSSL or the YaST one.
9. Connect again to your mailbox with your mail program.
You should not get the same error message again, since the
certificate can now be validated by the mail program.
You might get a message that the certificate does not belong to
the server if the common name in the certificate differs from the
domain name you contacted. In this case you might want to
create a new certificate with the correct name.
(End of Exercise)
S E C T I O N 6 Packet Filters
In this section of the workbook, you learn how to do the following:
Get Familiar with Basic iptables Syntax on 6-2
Modify the Script to Set and Delete iptables Rules on 6-15
Exercise 6-1 Get Familiar with Basic iptables Syntax
Note: In this exercise the computer that is used for testing should not have any iptables rules set. Otherwise the results also depend on the settings of this testing computer.
The purpose of this exercise is to familiarize you with the iptables syntax and to show the effect of some iptables rules.
In the first part, you use iptables on the command line only. Any rules set with iptables are lost with the next reboot.
As rules defined on the command line are lost with the next reboot,
the rules that make up the packet filter should be included in a shell
script that is executed during system startup.
Part II and the subsequent parts of this exercise deal with writing
such a script to set and delete rules.
There is no single right way to write such a script. Keep it as simple
as possible so you don't inadvertently open security holes. Use
comments within the script liberally so you can still understand it
when you have to modify it later.
The exercise will not cover every single step but will outline what
needs to be done to create a working script.
Work with a partner in this exercise. You will have to coordinate
with each other regarding setting and testing of rules. If you both set
rules at the same time and then test them, the test might not produce
the expected result, as the rules on the testing computer might
interfere with the test.
This exercise consists of:
Part I: Set iptables Rules on the Command Line
Part II: Prepare a Structure for a Script
Part III: Define General Variables
Part IV: Create a Section to Delete Any Existing Rules
Part V: Create a Section to Display the Current Rule Set
Part VI: Add Static Rules
Part I: Set iptables Rules on the Command Line
The purpose of the first part of this exercise is to show you how
iptables is used and the effect the commands have.
Do the following:
1. Open a terminal window and su - to root with a password of novell.
2. Check if there are any rules set already by entering
iptables -v -L -n
3. If there are any rules in the INPUT, OUTPUT, or FORWARD
chain, delete them by entering
iptables -F
4. Set a rule blocking all ICMP packets to your computer coming from other computers by entering
iptables -A INPUT -i eth0 -p icmp -j DROP
(This is only an example. Blocking all ICMP messages is
generally not advisable.)
5. Have your partner test this rule by sending an echo request (ping)
to your computer.
6. Try to send an echo request to your partner's computer.
7. Delete the rule you set in Step 4 by entering
iptables -D INPUT -i eth0 -p icmp -j DROP
8. Set a rule blocking all ICMP packets from your computer to othercomputers by entering
iptables -A OUTPUT -o eth0 -p icmp -j DROP
9. Have your partner test this rule by sending an echo request (ping)
to your computer.
10. Try to send an echo request to your partner's computer. (You will
notice a slightly different output of the ping command compared
to Step 6 above.)
11. Delete the rule you set in Step 8 by entering
iptables -D OUTPUT -o eth0 -p icmp -j DROP
12. Set a rule blocking all ICMP packets in the FORWARD chain by
entering
iptables -A FORWARD -p icmp -j DROP
If there is only one NIC in your computer you cannot test this
rule.
However you can test if this rule affects traffic to and from your computer (which it shouldn't) by asking your partner to ping your computer and by sending an echo request to your partner's computer.
13. Flush your rules by entering
iptables -F
14. Find out what happens when you use ssh to connect to your partner's ssh port by entering
ssh geeko@partner_IP
When prompted, enter the password N0v3ll. After you have successfully logged in, log out again by pressing Ctrl-D.
15. Create an iptables rule that drops TCP packets addressed to port 22 (SSH) by entering
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
16. After your partner sets the rule on his or her computer, try again to login to your partner's computer and notice the difference from the results in Step 14.
17. Change the rule from Step 15 to use REJECT as its target instead
of DROP.
You can either delete the rule and create a new one, or replace
the rule by entering
iptables -R INPUT 1 -i eth0 -p tcp --dport 22 -j REJECT
18. View the current ruleset by entering
iptables -v -L -n
19. After your partner sets the rule on his or her computer, try again to ssh to your partner's computer and find out if there is any difference to before. If yes, why is that?
20. Change the rule from Step 17 once more to reject with a TCP reset instead of the ICMP message port unreachable by entering (on one line)
iptables -R INPUT 1 -i eth0 -p tcp --dport 22 -j REJECT --reject-with tcp-reset
21. View the current ruleset by entering
iptables -v -L -n
22. After your partner sets the rule on his or her computer, again connect to your partner's computer using ssh and find out if there is any difference to before.
23. Flush your ruleset by entering
iptables -F
Part II: Prepare a Structure for a Script
Note: This exercise will take quite some time. If you do not have some experience with shell scripts, you will have difficulty doing this exercise.
Because any packet filter rules set with iptables are lost with the next reboot, it is common practice to write a script to set them.
In addition to setting the rules (start), such a script should allow you to delete the rules (stop) and to show the currently active rules (status).
It should also allow integration into the runlevel concept.
The file /etc/init.d/skeleton gives an outline of how such a script could be structured.
The purpose of this and the following parts of this exercise is to
show you the basic elements of such a script to set up and delete
iptables rules.
Do the following:
1. Open a terminal window and su - to root with a password of novell.
2. Change directory to /etc/init.d/.
3. Copy the file skeleton to fw-script.
4. Change the permissions so that the script can be executed by
entering
chmod 744 /etc/init.d/fw-script
5. Open the file fw-script in a text editor.
6. Keep the sections on init info and the case sections start, stop,
status, and *. Delete the comments and sections you do not need.
Your result could look similar to the following:
#! /bin/sh
#
# /etc/init.d/fw-script and its symbolic link
# /(usr/)sbin/rcfw-script
#
### BEGIN INIT INFO
# Provides: packetfilter
# Required-Start: $syslog $network
# Required-Stop: $syslog $network
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: Sets packet filter rules
# Description: Sets packet filter rules
### END INIT INFO
#
. /etc/rc.status
# Reset status of this service
rc_reset
case "$1" in
    start|restart|reload)
        echo -n "Starting Firewall "
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down Firewall "
        # Remember status and be verbose
        rc_status -v
        ;;
    status)
        echo "Current Firewall-rules "
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|reload}"
        exit 1
        ;;
esac
rc_exit
(A template similar to the above can be found on the student
CD in the directory for this section.)
Part III: Define General Variables
The use of variables makes it easier to maintain the script.
Do the following:
1. Within the start section, define the following variables:
EXT_IF=eth0
EXT_IP=
INT_IF=
INT_IP=
Note: Because the computers in the class room might have only one NIC, this exercise is limited to defining rules for the INPUT and OUTPUT chains. The variables INT_IF and INT_IP can be used for a second NIC and rules for the FORWARD chain.
You can also define variables for the IP address of the nameserver and other computers.
Using variables facilitates later changes, as you only have to change the variable at one point, not the IP within various rules.
2. Also in the start section, set kernel parameters like
# echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Protect from ICMP redirect packets:
for f in /proc/sys/net/ipv4/conf/*/accept_redirects
do
    echo 0 > $f
done
# Block source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route
do
    echo 0 > $f
done
...
(If you don't want to type this, have a look at the files on the student CD.)
Note: To see a brief explanation of these and other parameters, start the YaST Powertweak module and select the Networking options. The above values can also be set within the Powertweak module instead of this script.
3. Add comments to your definition of variables and kernel
parameter settings.
Part IV: Create a Section to Delete Any Existing Rules
This makes sure that you can delete any rules you set.
Go to the stop section within the case statement and add iptables
commands to delete any existing rules:
1. Add an informative message to be displayed when the script is
called with the stop parameter.
2. Flush the chains by typing
iptables -F
iptables -t nat -F
3. Delete any user-defined chains by typing
iptables -X
4. Set the policy of the built-in chains to ACCEPT by typing
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
5. You can also reset the kernel parameters to previous settings in
the stop section as needed.
Part V: Create a Section to Display the Current Rule Set
Viewing the current rule set helps in debugging.
Do the following:
1. Go to the status section within the case statement to add iptables
commands to display the currently active rules.
2. Add the following lines to the status section
iptables -v -n -L
iptables -v -n -t nat -L POSTROUTING
iptables -v -n -t nat -L PREROUTING
Part VI: Add Static Rules
Now the main part: The rules themselves.
To add static rules, do the following:
1. Go to the start section within the case statement to add your rules
with iptables commands.
2. Set the default policy to DROP by typing
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
3. Flush existing rules and delete existing user-defined chains by
typing
iptables -F
iptables -t nat -F
iptables -X
If you do not flush the rules in the beginning, each call of the
script with the parameter start adds the rules again to the chain.
4. Allow all traffic from and to the loopback interface by typing
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
5. Define rules to allow others to access the ssh server on your
computer by typing
iptables -A INPUT -p TCP -i $EXT_IF --dport 22 \
-j ACCEPT
iptables -A OUTPUT -p TCP -o $EXT_IF --sport 22 \
-j ACCEPT
6. (Optional) Limit the above INPUT rule to a destination IP
address as well as certain source IP addresses and source ports.
7. Add a rule that logs packets that are dropped in the INPUT chain
by typing
iptables -A INPUT -j LOG --log-prefix INPUT-DROP
8. Add a rule that rejects packets instead of having them dropped by
the default policy of the chain by typing
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
9. Start your script by entering in a terminal window (as root)
/etc/init.d/fw-script start
If there are any error messages, correct any mistakes in the
syntax within your script.
10. Have your partner try to access your ssh daemon.
If he cannot do so, it could be because there is something wrong
with your rules or because rules on his or her computer do not
allow him or her to contact another server (or both).
Find out what the problem is by looking at /var/log/messages
with less or tail -f on both computers.
It is actually a good idea to have a separate terminal window
with tail -f /var/log/messages constantly open while testing the rules.
If it turns out his rules forbid him to contact your computer,
have him call his script with the parameter stop and try again.
Correct any errors in your own script.
11. Test if your script actually blocks traffic to other services.
Start the Apache web server with rcapache2 start and have your partner try to access your computer with a browser.
You should see log entries for dropped packets in
/var/log/messages.
Note: ! --syn prevents other computers from establishing a TCP
connection from port 22. The first packet of a TCP handshake
originating at port 22 is discarded by this rule.
12. If your partner asked you if you could reach his or her ssh
daemon and you tried with the current rules active, you would
notice that your current rules do not allow you to do that.
Define rules that allow you to contact the ssh daemon on other
computers by entering
iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 22 \
-j ACCEPT
iptables -A OUTPUT -p TCP -o $EXT_IF --dport 22 \
-j ACCEPT
Why should you add ! --syn?
13. Add another ruleset like the one in Step 12 allowing you to
contact web servers (port 80) on other computers.
14. Add a rule that logs packets that are dropped in the OUTPUT
chain by entering
iptables -A OUTPUT -j LOG --log-prefix \
OUTPUT-DROP
15. Activate your rules by entering /etc/init.d/fw-script start (your
current rules will be replaced by the new ones).
16. Try to contact the sshd on your partner's computer.
17. Try to contact a web server.
18. Try to ping your partner's computer and watch the log file.
19. Have him turn off his rules and then have him ping you.
Watch your log file.
20. Add rules allowing incoming and outgoing ICMP messages.
21. Restart your script.
Ping your partner's computer and have him ping yours.
22. Add comments to describe what your rules are supposed to do.
(End of Exercise)
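The complete script that Parts III to VI build up, as an added example; it is not the template on the student CD. It assumes two variables the workbook does not use: IPTABLES, so that setting IPTABLES=echo prints the rule set instead of loading it, and PROC_SYS, the root under which the kernel parameters are written, so that the script can be exercised against a scratch directory without root privileges. For step 20 it assumes that ICMP is allowed in both directions without restricting the type, and it explicitly turns forwarding off where the workbook simply comments out the ip_forward line.

```shell
#!/bin/sh
# /etc/init.d/fw-script: static packet filter for a single-NIC host,
# assembled from Parts III to VI of Exercise 6-1. Added example, not the
# template on the student CD. IPTABLES and PROC_SYS are assumed overrides:
# IPTABLES=echo prints the rules instead of loading them, and PROC_SYS
# points the kernel parameter writes at a scratch directory for testing.
IPTABLES=${IPTABLES:-iptables}
PROC_SYS=${PROC_SYS:-/proc/sys}

# Part III: general variables; INT_* are reserved for a second NIC and
# FORWARD rules, which this host does not use
EXT_IF=${EXT_IF:-eth0}
EXT_IP=${EXT_IP:-}
INT_IF=${INT_IF:-}
INT_IP=${INT_IP:-}

# Part III step 2: kernel parameters
set_kernel_params() {
    echo 0 > "$PROC_SYS/net/ipv4/ip_forward"        # no routing on this host
    echo 1 > "$PROC_SYS/net/ipv4/tcp_syncookies"
    echo 1 > "$PROC_SYS/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 1 > "$PROC_SYS/net/ipv4/icmp_ignore_bogus_error_responses"
    # ignore ICMP redirects and source-routed packets on every interface
    for d in "$PROC_SYS"/net/ipv4/conf/*; do
        echo 0 > "$d/accept_redirects"
        echo 0 > "$d/accept_source_route"
    done
}

# Part VI: the static rules. Order matters: the LOG and REJECT rules match
# everything that reaches them, so they stay at the end of each chain.
start_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    # flush first, or every "start" appends the whole rule set once more
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    # ssh into this host
    $IPTABLES -A INPUT  -p tcp -i "$EXT_IF" --dport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -o "$EXT_IF" --sport 22 -j ACCEPT
    # ssh and http out of this host; "! --syn" on the reply side keeps a
    # remote host from opening a connection to us from its port 22 or 80
    $IPTABLES -A INPUT  -p tcp -i "$EXT_IF" ! --syn --sport 22 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -o "$EXT_IF" --dport 22 -j ACCEPT
    $IPTABLES -A INPUT  -p tcp -i "$EXT_IF" ! --syn --sport 80 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -o "$EXT_IF" --dport 80 -j ACCEPT
    # step 20: ICMP in both directions (all types, an assumption of this example)
    $IPTABLES -A INPUT  -p icmp -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp -j ACCEPT
    # log what is left, reset TCP explicitly, let the policy DROP the rest
    $IPTABLES -A INPUT  -j LOG --log-prefix "INPUT-DROP "
    $IPTABLES -A INPUT  -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A OUTPUT -j LOG --log-prefix "OUTPUT-DROP "
}

# Part IV: remove everything and open the built-in chains again
stop_rules() {
    echo "Removing all packet filter rules, policies set to ACCEPT"
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
}

# Part V: show the active rules with counters
status_rules() {
    $IPTABLES -v -n -L
    $IPTABLES -v -n -t nat -L POSTROUTING
    $IPTABLES -v -n -t nat -L PREROUTING
}

fw_main() {
    case "$1" in
        start)  set_kernel_params; start_rules ;;
        stop)   stop_rules ;;
        status) status_rules ;;
        *)      echo "Usage: $0 {start|stop|status}" >&2; return 1 ;;
    esac
}

# Only act when called with a parameter, so the file can be sourced for tests
if [ -n "${1:-}" ]; then
    fw_main "$1"
fi
```

Running `IPTABLES=echo /etc/init.d/fw-script start` prints the rule set in the order it would be loaded; that order is what a review should check, because the LOG and REJECT rules match everything and must remain the last entries of their chains. The log prefixes end with a space so that the kernel's log line reads "INPUT-DROP IN=eth0 ..." rather than running the prefix into the IN= field.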
Exercise 6-2 Modify the Script to Set and Delete iptables Rules
The script developed in the last exercise uses static filtering rules
only.
In this exercise you will modify the script to include dynamic filtering rules and you will create and use a user-defined chain.
Part I: Use Stateful Packet Filtering
Part II: User-Defined Chains
Part III: (optional) View the SuSEFirewall2 Configuration and
Script
Part I: Use Stateful Packet Filtering
The state module helps to simplify the script and thus make it less
error prone, and it adds stateful inspection to the computer's packet filter.
To replace the rules defined so far for TCP connections, do the
following:
1. Put a comment sign in front of those six rules (two each for ssh
in and out, and www).
2. Define rules for the second and all subsequent packets of a
connection using the connection tracking module:
# INPUT-Chain
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT-Chain
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
3. Define a rule allowing the first packet of a connection to the ssh
daemon on your computer by entering
iptables -A INPUT -i $EXT_IF -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
4. Set the new rules by entering
/etc/init.d/fw-script start
Have your partner access the ssh daemon on your computer.
Watch the log file.
5. View the entry tracking the connections in the /proc file system
by entering
cat /proc/net/ip_conntrack
6. Add rules that allow you to access the sshd and web servers on
other computers.
Test this and the access to the web server running on your
computer to see if it is still blocked as intended.
7. Add useful comments to your script.
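Steps 10 and 11 of Exercise 6-1 and step 4 above have you watch /var/log/messages for the LOG entries. The following added example (not part of the workbook) summarizes such entries by prefix, protocol, addresses and destination port, so that you can see at a glance which traffic is being dropped and therefore which rule is still missing. The sample log lines are constructed: the host name, addresses, MAC addresses and packet ids in them are made up. The log prefixes are assumed to have been written with a trailing space (as in --log-prefix "INPUT-DROP "); a prefix without that space runs straight into the IN= field of the kernel message, and the awk script copes with that case as well.

```shell
#!/bin/sh
# Summarize kernel LOG entries from /var/log/messages by prefix, protocol,
# addresses and destination port. Added example, not part of the workbook.
# SAMPLE_LOG is constructed: host name, addresses and MAC address are made up.
SAMPLE_LOG='Mar  3 10:15:02 da51 kernel: INPUT-DROP IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=10.0.0.52 DST=10.0.0.51 LEN=60 TTL=64 ID=4711 DF PROTO=TCP SPT=33001 DPT=80 WINDOW=5840 SYN URGP=0
Mar  3 10:15:05 da51 kernel: INPUT-DROP IN=eth0 OUT= SRC=10.0.0.52 DST=10.0.0.51 LEN=60 TTL=64 ID=4712 DF PROTO=TCP SPT=33002 DPT=80 WINDOW=5840 SYN URGP=0
Mar  3 10:15:11 da51 kernel: INPUT-DROP IN=eth0 OUT= SRC=10.0.0.52 DST=10.0.0.51 LEN=60 TTL=64 ID=4713 DF PROTO=TCP SPT=33003 DPT=80 WINDOW=5840 SYN URGP=0
Mar  3 10:15:20 da51 kernel: INPUT-DROP IN=eth0 OUT= SRC=10.0.0.52 DST=10.0.0.51 LEN=84 TTL=64 ID=4714 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  3 10:16:00 da51 kernel: REJECT-udp IN= OUT=eth0 SRC=10.0.0.51 DST=10.0.0.1 LEN=76 TTL=64 ID=4715 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar  3 10:17:04 da51 kernel: REJECT-udpIN= OUT=eth0 SRC=10.0.0.51 DST=10.0.0.1 LEN=76 TTL=64 ID=4716 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar  3 10:17:30 da51 sshd[1234]: Accepted publickey for tux from 10.0.0.52 port 33010 ssh2'

# Read syslog lines on stdin, keep the kernel lines carrying one of our
# LOG prefixes and count them per (prefix, protocol, source, destination,
# destination port). Output: count prefix proto src dst dpt, busiest first.
summarize_drops() {
    awk '
        /kernel: (INPUT-DROP|OUTPUT-DROP|REJECT-udp)/ {
            prefix = ""; proto = ""; src = ""; dst = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i == "kernel:") {
                    prefix = $(i + 1)
                    # a prefix logged without a trailing space runs into IN=
                    sub(/IN=.*/, "", prefix)
                } else if ($i ~ /^SRC=/)   src = substr($i, 5)
                else if ($i ~ /^DST=/)     dst = substr($i, 5)
                else if ($i ~ /^PROTO=/)   proto = substr($i, 7)
                else if ($i ~ /^DPT=/)     dpt = substr($i, 5)
            }
            count[prefix " " proto " " src " " dst " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Run the summary over the constructed sample; on a live system you would
# feed it the log instead: tail -n 500 /var/log/messages | summarize_drops
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
}
```

For the sample above the summary shows three blocked connection attempts to port 80 from the partner's computer, one blocked echo request, and two rejected outgoing NTP packets (UDP port 123), the last of which is the kind of entry step 7 of Part II asks you to look for when deciding which traffic still needs a rule.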
Part II: User-Defined Chains
User-defined chains can help reduce the number of rules packets
have to run through before a hit or make the script easier to
understand (or both).
The user-defined chain has to exist before any rule uses the chain as
a target. Therefore, these rules should appear in the script above the
rules for the built-in chains.
In this part, you will set up a user-defined chain for UDP packets.
You may have noticed that the script so far does not allow any name
resolution.
Do the following:
1. Locate an appropriate point in the script to insert the lines and
create the chain udp-rules by typing
iptables -N udp-rules
2. Create a rule for a packet querying a nameserver by entering (on
one line)
iptables -A udp-rules -o $EXT_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
(There is no need for a rule for the answer packets because they
are covered by the rule from Part I covering second and
subsequent packets.)
Note: Under certain circumstances there is a fallback to TCP for name resolution. Therefore, a similar rule is needed for TCP port 53.
3. Packets that do not match any of the rules in the user-defined
chain continue down the built-in chain they came from.
This is not what is intended here; therefore, insert a rule to log
packets and another to reject them by entering
iptables -A udp-rules -j LOG --log-prefix REJECT-udp
iptables -A udp-rules -j REJECT
Because this last rule matches all packets, none return to the
previous chain.
4. The rule to send all UDP packets from the OUTPUT chain to the
user-defined chain has to be inserted after the general rules for
second and subsequent packets, as otherwise the answers to the
UDP packets your computer sends out will be discarded.
Add this rule by typing at the appropriate point in the script
iptables -A OUTPUT -p udp -j udp-rules
Note: If you want to allow incoming UDP traffic, a similar rule is needed for the INPUT chain. Within the user-defined chain you can distinguish incoming and outgoing traffic by the -i and -o options.
5. Set the rules by entering
/etc/init.d/fw-script start
Find out if name resolution is now functional.
6. (optional) Create another user-defined chain that takes care of
the logging.
Instead of logging packets in built-in or other user-defined
chains, send those packets to a separate user-defined chain to be
logged and then dropped or rejected.
7. (optional) Watch the log file for a while.
You will see all kinds of entries for packets being rejected.
Write rules allowing IP traffic that is needed for proper
computer operation.
8. (optional) Have your partner test your filter rules with nmap
from his computer.
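The start section that Part I and Part II together arrive at, as an added example rather than the workbook's script. It assumes the IPTABLES variable (IPTABLES=echo prints the rule set instead of loading it) and EXT_IF from Part III of Exercise 6-1, the chain name udp-rules from step 1, a second chain named log-reject for the optional step 6, and a TCP rule for port 53 as the side note after step 2 recommends. The helpers emit_rules and check_order are likewise assumptions of this example: they inspect the dry-run output for the ordering requirements of the text, namely that a chain is created before any rule jumps to it and that the jump to udp-rules follows the ESTABLISHED,RELATED rule (step 4).

```shell
#!/bin/sh
# Stateful start section with user-defined chains (Exercise 6-2, Parts I
# and II). Added example, not the workbook's script. IPTABLES is an assumed
# override for dry-runs (IPTABLES=echo prints the rules instead of loading
# them); EXT_IF is the variable from Part III of Exercise 6-1.
IPTABLES=${IPTABLES:-iptables}
EXT_IF=${EXT_IF:-eth0}

stateful_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X

    # A chain must exist before any rule jumps to it, so the user-defined
    # chains are created and filled before the built-in chains are touched.
    # log-reject (assumed name, Part II step 6): one place that logs and rejects.
    $IPTABLES -N log-reject
    $IPTABLES -A log-reject -j LOG --log-prefix "REJECT "
    $IPTABLES -A log-reject -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A log-reject -j REJECT
    # udp-rules (Part II step 1): new outgoing DNS queries only. The final
    # REJECT matches everything else, so no packet returns to the caller.
    $IPTABLES -N udp-rules
    $IPTABLES -A udp-rules -o "$EXT_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A udp-rules -j LOG --log-prefix "REJECT-udp "
    $IPTABLES -A udp-rules -j REJECT

    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Part I step 2: second and all subsequent packets of tracked connections
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # First packets only (--syn plus state NEW): ssh into this host; ssh,
    # http and the TCP fallback for DNS out of it
    $IPTABLES -A INPUT  -i "$EXT_IF" -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXT_IF" -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXT_IF" -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXT_IF" -p tcp --syn --dport 53 -m state --state NEW -j ACCEPT

    # Part II step 4: the jump to udp-rules must come after the ESTABLISHED
    # rule above; later packets of a tracked UDP flow are not NEW and would
    # otherwise end in the chain's final REJECT.
    $IPTABLES -A OUTPUT -p udp -j udp-rules

    # Ping in both directions; the echo replies are ESTABLISHED traffic
    $IPTABLES -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
    $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Everything else is logged and rejected through the shared chain
    $IPTABLES -A INPUT  -j log-reject
    $IPTABLES -A OUTPUT -j log-reject
}

# Print the rule set instead of loading it (IPTABLES=echo in a subshell)
emit_rules() {
    ( IPTABLES=echo; stateful_rules )
}

# Check the ordering requirements on the dry-run output: udp-rules is
# created (-N) before it is used as a target, and the udp-rules jump in
# OUTPUT follows the ESTABLISHED,RELATED rule. Exit status 0 means OK.
check_order() {
    emit_rules | awk '
        /^-N udp-rules/                            { created = NR }
        /^-A OUTPUT -m state --state ESTABLISHED/  { est = NR }
        /^-A OUTPUT -p udp -j udp-rules/           { jump = NR }
        END { exit !(created && est && jump && created < jump && est < jump) }
    '
}

if [ "${1:-}" = start ]; then
    stateful_rules
fi
```

Compared with the static version, the six per-service rules of Exercise 6-1 have become two state rules plus one NEW rule per allowed service, and the logging now happens in exactly one place per decision, which keeps the prefixes consistent and makes the log easier to read. check_order is cheap enough to run before every start; moving the udp-rules jump above the ESTABLISHED rule makes it fail.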
Part III: (optional) View the SuSEFirewall2 Configuration and
Script
The purpose of this exercise is to show you a sophisticated setup
and its complexity.
Do the following:
1. View /etc/sysconfig/SuSEfirewall2 by using less.
2. View the script /sbin/SuSEfirewall2 by using less.
3. View the scripts /etc/init.d/SuSEfirewall2_* by using less.
(End of Exercise)
Exercise Answers
Exercise 6-1 Get Familiar with Basic iptables Syntax,Part VI: Add
Static Rules on 6-11:
12. Why should you add ! --syn?
The rule
iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 22 \
-j ACCEPT
allows all TCP packets from port 22 except the first packet of a TCP
connection, which has only the SYN bit set. ! --syn prevents TCP
connections starting from port 22 of another computer.
In this way it is possible for you to contact other SSH servers and to
receive their answers, but it is not possible to initiate a connection
from port 22 of another computer to your computer, as the first
packet of the TCP handshake is discarded.
(End of Exercise)
S E C T I O N 7 Application-level Gateway
In this section of the workbook, you learn how to do the following:
Install and Configure Squid on 7-2
Configure SSL in Squid on 7-7
Configure Proxy Authentication on 7-10
Configure Content Filtering on 7-14
Analyze Squid Log File on 7-17
Use Dante on 7-19
Configure rinetd on 7-25
Exercise 7-1 Install and Configure Squid
Note: Use Mozilla in all Squid exercises. Konqueror does not handle proxy
authentication very well, which might lead to confusing error messages.
In this exercise you install and configure Squid and configure a web
browser to test your Squid setup. For some parts of the exercise you
will work with a partner.
The exercise consists of the following parts:
Part I: Install Squid and Mozilla
Part II: Configure Squid
Part III: Configure Mozilla to Use the Proxy
Part IV: Monitor Access to Squid
Part V: Test Your Partner's Proxy
Part I: Install Squid and Mozilla
To install Squid, do the following:
1. Start YaST by selecting Start > System > YaST.
2. When prompted for the root password, enter novell; then select OK.
3. Start Package Manager by selecting
Install and Remove Software
on the right side of the YaST dialog.
4. In Package Manager, make sure that the Filter menu in the upper
left corner is set to Search.
5. Enter squid in the Search field; then select Search.
6. On the right side, select the check box before the squid entry in
the Results list.
7. In the Search field, enter mozilla; then select Search.
8. On the right side, select the check box before the mozilla entry in
the Results list.
9. In the lower right corner of Package Manager, select Accept.
10. When YaST displays a dialog about package dependencies,
select OK.
11. After all packages have been installed, close YaST by selecting
Close.
Part II: Configure Squid
To configure Squid, do the following:
1. Open a terminal and su to the root user.
2. Open the file /etc/squid/squid.conf in a text editor.
3. Find the configuration tag http