


SECURITY: SERVERS & SERVICES


You may not be aware of it, but there are often servers or services running on your system that listen on ports and are unsafe.

The SANS top 20 http://www.sans.org/top20/

QUOTE (Info @ Website)
Top Vulnerabilities to UNIX Systems

U1 BIND Domain Name System

U2 Remote Procedure Calls (RPC)

U3 Apache Web Server

U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords

U5 Clear Text Services

U6 Sendmail

U7 Simple Network Management Protocol (SNMP)

U8 Secure Shell (SSH)

U9 Misconfiguration of Enterprise Services NIS/NFS

U10 Open Secure Sockets Layer (SSL)



So let us do some real work now to secure our system:

There is this command ( as root )
 
CODE
# netstat -tap | grep LISTEN

That will show you the active servers on your system and the ports they listen on . . . . but this needs some more explanation . . . . let us say that, in general, only the services you deliberately allowed to run should show up in that list . . .

Example:

QUOTE (Text @ Screen)
tcp        0      0 *:ipp                   *:*                     LISTEN      1758/cupsd

( This one is okay: the CUPS printer daemon, which needs to be running ! )

Another command is:
 
CODE
# nmap -sS 127.0.0.1

It shows you the same servers, but now with the port numbers they listen on.

So, as I said, the CUPS server is okay, but if any of the following servers are active and in LISTEN mode, it would be safer to shut them down:

finger
ftpd
kdessh
lockd
mountd
named or BIND
nfsd
rpc
rlogin
rsh
sendmail ( Only needed if you run a mail server )
snmp
ssl
ssh
statd
ruser
telnetd
X ( the part that listens to tcp )

And, if you're not running a web server, you should also shut down any running httpd process.
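As an added example (not part of Bruno's tip), here is a small POSIX shell audit that reads the output of `netstat -tap`, keeps only the LISTEN lines, and flags every listener whose program name is not on a short allow-list (the tip keeps only cupsd). The netstat lines below are constructed sample output; on a real box you would pipe the live output in instead.

```shell
#!/bin/sh
# Added example, not part of the original tip: check "netstat -tap" output
# against a short allow-list of daemons that may listen, and flag the rest.
# The sample lines below are constructed; on a real system run (as root)
#   netstat -tap | audit_listeners

# Daemons that are allowed to keep listening (the tip keeps only cupsd).
ALLOWED="cupsd"

# Constructed sample of "netstat -tap" output, as root so the
# PID/Program column is filled in.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ipp                   *:*                     LISTEN      1758/cupsd
tcp        0      0 *:telnet                *:*                     LISTEN      412/inetd
tcp        0      0 *:ssh                   *:*                     LISTEN      633/sshd
tcp        0      0 localhost:x11           *:*                     LISTEN      901/X
tcp        0      0 localhost:x11           localhost:36142         ESTABLISHED 901/X'

# Read netstat lines on stdin and print one CHECK line per listener whose
# program is not in ALLOWED. Lines whose State column is not LISTEN are
# skipped, so the header and established connections drop out.
audit_listeners() {
    while read -r proto recvq sendq laddr faddr state pidprog; do
        [ "$state" = "LISTEN" ] || continue
        pid=${pidprog%%/*}      # "1758/cupsd" -> "1758" ("-" when not root)
        prog=${pidprog#*/}      # "1758/cupsd" -> "cupsd"
        port=${laddr##*:}       # "*:ipp" -> "ipp"
        bind=${laddr%:*}        # "*:ipp" -> "*" (all interfaces)
        case " $ALLOWED " in
            *" $prog "*) continue ;;
        esac
        echo "CHECK port=$port bind=$bind pid=$pid program=$prog"
    done
}

# Number of flagged listeners in SAMPLE (3 for the constructed sample).
count_flagged() {
    printf '%s\n' "$SAMPLE" | audit_listeners | wc -l | tr -d ' '
}

# Exit status 0 if program $1 is flagged in SAMPLE.
is_flagged() {
    printf '%s\n' "$SAMPLE" | audit_listeners | grep -q "program=$1\$"
}

printf '%s\n' "$SAMPLE" | audit_listeners
```

Two things the listing shows that the tip's two commands do not spell out: a service started by inetd (telnet here) appears under the program name inetd, so the port name is what tells you which service is behind it; and the bind column shows whether a listener is open to the world (`*`) or only to the machine itself (`localhost`), which `nmap -sS 127.0.0.1` cannot tell you because it only sees what answers on the loopback address.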


You can shut down the processes for the current session with "kill PID" ( where PID is the number you see just before the name of the service . . in our example it would be: 1662 )
To prevent those services from starting at boot permanently ( when they are not in the MCC "services" tool ) you will have to edit the /etc/inetd.conf file.
A radical way to do this is to back up the old /etc/inetd.conf file:
 
CODE
# mv  /etc/inetd.conf  /etc/inetd.conf.OLD

and replace it by an empty file:
 
CODE
# touch /etc/inetd.conf

. . This will eliminate most of the services listed above that can not be found in the MCC.

Then, to stop X from listening on its TCP port:
In Mandrake and PCLos: add "-nolisten tcp" to the end of the last line in the "/etc/X11/xdm/Xservers" file, so it reads:

QUOTE (Text @ Screen)
:0 local /bin/nice -n -10 /usr/X11R6/bin/X -deferglyphs 16 -nolisten tcp

In Slackware: add "-nolisten tcp" to the end of the last line in the "/etc/X11/xdm/Xservers" file, so it reads:

QUOTE (Text @ Screen)
:0 local /usr/X11R6/bin/X -nolisten tcp
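The steps above (edit /etc/inetd.conf, keep a .OLD copy, add -nolisten tcp to the Xservers line) can be done a little less radically than emptying the whole file. The following is an added example, not code from the original tip: it comments out only the inetd entries for the services in the list above and leaves the rest alone, and appends "-nolisten tcp" to the X line only if it is not already there. The inetd.conf and Xservers contents are constructed samples; the service-name mapping (ftpd is "ftp", telnetd is "telnet", rsh is "shell", rlogin is "login") is an assumption based on the usual /etc/services names, and everything runs on throwaway files in a temp directory, never on the real /etc.

```shell
#!/bin/sh
# Added example, not from the original tip: instead of replacing
# /etc/inetd.conf with an empty file, comment out just the entries for the
# services the tip wants gone, keep a .OLD backup as the tip does, and add
# "-nolisten tcp" to the X line of an Xservers file if it is missing.
# The sample files are constructed; the paths used at the bottom are a
# throwaway temp directory, never the real /etc.

# Services to switch off, by inetd.conf service name. The mapping from the
# tip's daemon names is an assumption based on the usual /etc/services
# names: ftpd -> ftp, telnetd -> telnet, rsh -> shell, rlogin -> login.
OFF_SERVICES="ftp telnet shell login finger"

# Constructed sample inetd.conf.
SAMPLE_INETD='# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime stream  tcp     nowait  root    internal'

# Comment out every active line whose service name is in OFF_SERVICES.
# $1 = path of the inetd.conf to edit; the original is kept as $1.OLD.
disable_inetd_services() {
    conf=$1
    cp "$conf" "$conf.OLD"
    awk -v off="$OFF_SERVICES" '
        BEGIN { n = split(off, list, " "); for (i = 1; i <= n; i++) set[list[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blanks untouched
        ($1 in set) { print "#" $0; next }         # disable this service
        { print }
    ' "$conf.OLD" > "$conf"
}

# Number of service lines still active (not commented out) in $1.
count_active_services() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Append " -nolisten tcp" to the last line of an Xservers file ($1) unless
# it is already there, so running it twice changes nothing.
add_nolisten() {
    awk 'NR > 1 { print prev }
         { prev = $0 }
         END { if (prev !~ /-nolisten tcp/) prev = prev " -nolisten tcp"; print prev }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demonstration on throwaway copies in a temp directory.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_INETD" > "$demo_dir/inetd.conf"
disable_inetd_services "$demo_dir/inetd.conf"
echo "active inetd services left: $(count_active_services "$demo_dir/inetd.conf")"
cat "$demo_dir/inetd.conf"
printf '%s\n' ':0 local /usr/X11R6/bin/X' > "$demo_dir/Xservers"
add_nolisten "$demo_dir/Xservers"
cat "$demo_dir/Xservers"
rm -rf "$demo_dir"
```

Whether you empty the file or comment entries out, inetd only re-reads /etc/inetd.conf when it is restarted or sent a HUP signal, so the old listeners stay up until you do that (or reboot); the same goes for X, which picks up the Xservers change at its next start.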


After this exercise the two commands I gave you above ( netstat and nmap ) should return no entries other than cupsd . . . and maybe the Samba, mail or web server you absolutely want running.

Have FUN securing your system . . . next time we look at rootkits

A last one for our Slackware users . . to disable sshd:

CODE
# mv /etc/rc.d/rc.sshd /etc/rc.d/rc.sshd.OLD



Bruno


-- Apr 21 2004 ( Revised Dec 13 2005 ) --

