SECURITY: SERVERS & SERVICES
You may not be aware of it, but there are often servers or services
running on your system that listen on ports and are not safe.
The SANS top 20
http://www.sans.org/top20/
QUOTE (Info @ Website)
Top Vulnerabilities to UNIX Systems
U1 BIND Domain Name System
U2 Remote Procedure Calls (RPC)
U3 Apache Web Server
U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords
U5 Clear Text Services
U6 Sendmail
U7 Simple Network Management Protocol (SNMP)
U8 Secure Shell (SSH)
U9 Misconfiguration of Enterprise Services NIS/NFS
U10 Open Secure Sockets Layer (SSL)
So let us do some real work now to secure our system:
There is this command ( as root ):
CODE
# netstat -tap | grep LISTEN
That will show you the active servers on your system and the port each
one listens on . . . . but this needs a bit more explanation . . . . let us
say that in general only the services you deliberately allowed to run
should show up in that list . . .
Example:
QUOTE (Text @ Screen)
tcp        0      0 *:ipp                   *:*                     LISTEN      1758/cupsd
( This one is okay, the cups printer daemon, and needs to be running ! )
Another command is:
CODE
# nmap -sS 127.0.0.1
It shows you the same servers, but now with the port numbers they
listen on.
So, like I said, the cups server is okay, but if any of the following
servers are active and in LISTEN mode, it would be safer to shut them
down:
finger
ftpd
kdessh
lockd
mountd
named or BIND
nfsd
rpc
rlogin
rsh
sendmail ( Only needed if you run a mailserver )
snmp
ssl
ssh
statd
ruser
telnetd
X ( the part that listens to tcp )
And, if you're not running a web server, you should also shut down any
running httpd process.
You can shut down the processes for the current session with "kill PID"
( where PID is the number you see just before the name of the service . .
in our example it would be: 1662 )
To permanently prevent those services from starting up at boot ( when
they are not listed in the MCC "services" tool ) you will have to edit
the /etc/inetd.conf file.
A radical way to do this is to back up the old /etc/inetd.conf file:
CODE
# mv /etc/inetd.conf /etc/inetd.conf.OLD
and replace it by an empty file:
CODE
# touch /etc/inetd.conf
. . This will eliminate most of the ones listed above that can not be
found in the MCC.
Then to stop X from listening on a tcp port:
In Mandrake and PCLos: add "-nolisten tcp" ( the part shown in bold
here ) to the end of the last line in the "/etc/X11/xdm/Xservers" file:
QUOTE (Text @ Screen)
:0 local /bin/nice -n -10 /usr/X11R6/bin/X -deferglyphs 16 -nolisten tcp
In Slackware: add "-nolisten tcp" ( the part shown in bold here ) to the
end of the last line in the "/etc/X11/xdm/Xservers" file:
QUOTE (Text @ Screen)
:0 local /usr/X11R6/bin/X -nolisten tcp
After this exercise the two commands I gave you above ( netstat and nmap )
should return no entries other than cupsd . . and maybe the samba, mail or
web server you absolutely want running.
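As an added check ( not part of Bruno's post ): a small shell script that reads the output of "netstat -tap" and lists every listener whose program is not on the list of services you decided to allow . . here just cupsd, as in the post. The sample netstat lines are constructed for the example, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post: flag listening sockets that are not
# on your allowed list, working on the layout of `netstat -tap` output.

# Programs you really want listening: cupsd as in the post, plus e.g. smbd/sshd/httpd.
ALLOWED="cupsd"

# Constructed sample in the `netstat -tap` layout (Proto Recv-Q Send-Q Local Foreign State PID/Program).
SAMPLE='tcp        0      0 *:ipp                   *:*                     LISTEN      1758/cupsd
tcp        0      0 *:telnet                *:*                     LISTEN      1662/inetd
tcp        0      0 *:x11                   *:*                     LISTEN      1900/X
tcp        0      0 localhost:smtp          *:*                     LISTEN      1700/sendmail
tcp        0      0 *:ssh                   *:*                     LISTEN      1611/sshd'

# flag_listeners ALLOWED < netstat-output
# Prints "PID program local-address" for every LISTEN socket whose program is not allowed.
flag_listeners() {
  allow="$1"
  while read -r proto rq sq laddr faddr state prog; do
    [ "$state" = "LISTEN" ] || continue      # skip headers and non-listening sockets
    pid=${prog%%/*}                          # "1758/cupsd" -> 1758  (the number for kill PID)
    name=${prog#*/}                          # "1758/cupsd" -> cupsd
    case " $allow " in
      *" $name "*) continue ;;               # explicitly allowed: say nothing
    esac
    printf '%s %s %s\n' "$pid" "$name" "$laddr"
  done
}

# count_flagged ALLOWED < netstat-output : number of unexpected listeners (0 means clean)
count_flagged() {
  flag_listeners "$1" | wc -l | tr -d ' '
}

# On the live system, as root:   netstat -tap | flag_listeners "$ALLOWED"
# On the constructed sample:
printf '%s\n' "$SAMPLE" | flag_listeners "$ALLOWED"
```

Every line it prints is a candidate for "kill PID" now and for removal from /etc/inetd.conf, the MCC services tool or the Xservers file, so that the next run prints nothing.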
Have FUN securing your system . . . next time we look at rootkits
A last one for our Slackware users . . to disable sshd:
CODE
# mv /etc/rc.d/rc.sshd /etc/rc.d/rc.sshd.OLD

Bruno
-- Apr 21 2004 ( Revised Dec 13 2005 ) --