You may not be aware of it, but there are often servers or services
running on your system that listen on ports and are unsafe.
The SANS Top 20 ( http://www.sans.org/top20/ ) lists these
vulnerabilities to UNIX systems:
U1 BIND Domain Name System
U2 Remote Procedure Calls (RPC)
U3 Apache Web Server
U4 General UNIX Authentication: Accounts with No Passwords or Weak Passwords
U5 Clear Text Services
U7 Simple Network Management Protocol (SNMP)
U8 Secure Shell (SSH)
U9 Misconfiguration of Enterprise Services NIS/NFS
U10 Open Secure Sockets Layer (SSL)
So let us do some real work now to secure our system:
There is this command ( as root ):
netstat -tap | grep LISTEN
That will show you the active servers on your system and the port they
listen on . . . . but this needs far more explanation . . . . let us
say that, in general, only the services you deliberately allowed to run
above should be seen in there . . .
0 0 *:ipp
( This one is okay: it is the CUPS printer daemon, and it needs to be running ! )
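To make the "only the services you allowed" rule something you can check mechanically, here is an added example ( my own script, not part of the original article ) that reads "netstat -tap" style output, keeps only the LISTEN lines, and prints every program that is not on an allowlist. The netstat output below is constructed for the demo, not captured from a real host; the program names and PIDs in it are made up to match the article's story.

```shell
#!/bin/sh
# Constructed sample of "netstat -tap" output ( not from a real host ).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ipp                   *:*                     LISTEN      1662/cupsd
tcp        0      0 *:domain                *:*                     LISTEN      1540/named
tcp        0      0 localhost:smtp          *:*                     LISTEN      1601/sendmail
tcp        0      0 *:x11                   *:*                     LISTEN      1710/X
tcp        0      0 *:http                  *:*                     LISTEN      1720/httpd
tcp        0      0 192.168.1.5:ssh         192.168.1.9:40112       ESTABLISHED 1805/sshd'

# Programs that are allowed to listen ( assumption: only cupsd, as in the article ).
ALLOWED="cupsd"

# listeners: read netstat output on stdin, print "program port" for every LISTEN socket.
# Column 6 is the state, column 7 is PID/program, column 4 is the local address.
listeners() {
    awk '$6 == "LISTEN" {
            n = split($7, pp, "/"); prog = pp[n];     # "1662/cupsd" -> "cupsd"
            m = split($4, la, ":"); port = la[m];     # "*:ipp" -> "ipp" ( last field also works for IPv6 )
            print prog, port
        }'
}

# unexpected_listeners ALLOWLIST: read netstat output on stdin, print the
# listening programs that are not in the space separated ALLOWLIST.
unexpected_listeners() {
    allowed=" $1 "
    listeners | while read -r prog port; do
        case "$allowed" in
            *" $prog "*) ;;                 # expected, say nothing
            *) echo "$prog $port" ;;        # this one should not be listening
        esac
    done
}

# Demo on the constructed sample: everything except cupsd is reported.
echo "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED"
```

On a live system you would run "netstat -tap | unexpected_listeners cupsd" as root ( without root netstat shows "-" instead of the program name ). Newer distributions ship "ss -tlnp" instead of netstat; its columns differ, so the awk field numbers would need adjusting.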
Another command is nmap, run against your own machine. It shows you the
same servers, but now with the port numbers they use.
Like I said, the CUPS server is okay, but if any of the following
servers are active and in LISTEN mode, it would be safer to shut them down:
named or BIND
sendmail ( Only needed if you run a mailserver )
X ( the part that listens to tcp )
And, if you're not running a web server, you should also shut down any
running httpd process.
You can shut down the processes for the current session with "kill PID"
( where PID is the number you see just before the name of the service . .
in our example it would be 1662 ).
To permanently prevent those services from starting up at boot ( when
they are not in the MCC "services" tool ) you will have to edit the
/etc/inetd.conf file.
A radical way to do this is to back up the old /etc/inetd.conf file:
mv /etc/inetd.conf /etc/inetd.conf.OLD
and replace it with an empty file, so inetd has nothing left to start
. . This will eliminate most of the ones listed above that can not be
found in the MCC.
Then to stop X from listening on its tcp port:
In Mandrake and PCLos: add "-nolisten tcp" to the end of the last line in
the "/etc/X11/xdm/Xservers" file, so it reads:
local /bin/nice -n -10 /usr/X11R6/bin/X -deferglyphs 16 -nolisten tcp
In Slackware: add "-nolisten tcp" to the end of the last line in the
corresponding file, so it reads:
local /usr/X11R6/bin/X -nolisten tcp
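Because this edit is easy to forget after an upgrade rewrites the file, here is an added example ( my own script, not from the article ) with a check that reports every "local" server line lacking "-nolisten tcp", and an edit that appends it and is safe to run more than once. The Xservers line below is constructed for the demo ( it is the Mandrake line from above with the ":0" display field that Xservers files carry ); the demo works on a temporary file, not on /etc/X11/xdm/Xservers.

```shell
#!/bin/sh
# Constructed Xservers content ( not copied from a real host ).
SAMPLE_XSERVERS=':0 local /bin/nice -n -10 /usr/X11R6/bin/X -deferglyphs 16'

# x_nolisten_missing FILE: print each non-comment "local" server line that
# does not carry -nolisten tcp ( prints nothing when all is well ).
x_nolisten_missing() {
    awk '/^[[:space:]]*#/ { next }
         /(^|[[:space:]])local[[:space:]]/ && !/-nolisten tcp/ { print }' "$1"
}

# ensure_x_nolisten FILE: append " -nolisten tcp" to every local server line
# that lacks it. Running it again changes nothing.
ensure_x_nolisten() {
    file=$1
    work=$(mktemp)
    awk '/^[[:space:]]*#/ { print; next }
         /(^|[[:space:]])local[[:space:]]/ && !/-nolisten tcp/ { $0 = $0 " -nolisten tcp" }
         { print }' "$file" > "$work" \
        && cat "$work" > "$file" \
        && rm -f "$work"
}

# Demo on a temporary file: the flag is added once, not twice.
demo_xservers() {
    f=$(mktemp)
    echo "$SAMPLE_XSERVERS" > "$f"
    ensure_x_nolisten "$f"
    ensure_x_nolisten "$f"          # second run must not add it again
    cat "$f"
    rm -f "$f"
}

demo_xservers
```

Run "x_nolisten_missing /etc/X11/xdm/Xservers" after every X or display manager upgrade; an empty answer means the tcp listener stays off. The change only applies the next time X is started.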
After this exercise the two commands I gave you above ( netstat and nmap )
should return no entries other than cupsd, and maybe the Samba, mail or
web server you absolutely want running.
Have FUN securing your system . . . next time we look at rootkits
A last one for our Slackware users . . to disable sshd:
mv /etc/rc.d/rc.sshd /etc/rc.d/rc.sshd.OLD
-- Apr 21 2004 ( Revised Dec 13 2005 ) --