SECURITY: SERVERS & SERVICES
You may not be aware of it, but there are often servers or services running on your system that listen on ports and are unsafe.
The SANS top 20 http://www.sans.org/top20/
QUOTE (Info @ Website)
Top Vulnerabilities to UNIX Systems
U1 BIND Domain Name System
U2 Remote Procedure Calls (RPC)
U3 Apache Web Server
U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords
U5 Clear Text Services
U6 Sendmail
U7 Simple Network Management Protocol (SNMP)
U8 Secure Shell (SSH)
U9 Misconfiguration of Enterprise Services NIS/NFS
U10 Open Secure Sockets Layer (SSL)
So let us do some real work now to secure our system:
There is this command ( as root ):
CODE
# netstat -tap | grep LISTEN
That will show you the active servers on your system and the ports they listen on, but the list needs some interpretation: in general, only the services you deliberately allowed to run above should appear in there.
Example:
QUOTE (Text @ Screen)
tcp 0 0 *:ipp *:* LISTEN 1758/cupsd
( This one is okay: it is the CUPS printer daemon, and it needs to be running ! )
Another command is:
CODE
# nmap -sS 127.0.0.1
It shows you the same servers, but now with the port numbers they listen on.
So, like I said, the CUPS server is okay, but if any of the following servers are active and in LISTEN mode, it would be safer to shut them down:
finger
ftpd
kdessh
lockd
mountd
named or BIND
nfsd
rpc
rlogin
rsh
sendmail ( only needed if you run a mail server )
snmp
ssl
ssh
statd
ruser
telnetd
X ( the part that listens on tcp )
And, if you're not running a web server, you should also shut down any running httpd process.
You can shut down the processes for the current session with "kill PID" ( where PID is the number you see just before the name of the service; in our example it would be 1758 ).
To permanently prevent those services from starting at boot ( when they are not listed in the MCC "services" tool ) you will have to edit the /etc/inetd.conf file.
A radical way to do this is to back up the old /etc/inetd.conf file:
CODE
# mv /etc/inetd.conf /etc/inetd.conf.OLD
and replace it with an empty file:
CODE
# touch /etc/inetd.conf
This will eliminate most of the services listed above that cannot be found in the MCC.
Then, to stop X from listening on a tcp port:
In Mandrake and PCLos: add "-nolisten tcp" ( the bold part ) to the end of the last line in the "/etc/X11/xdm/Xservers" file:
QUOTE (Text @ Screen)
:0 local /bin/nice -n -10 /usr/X11R6/bin/X -deferglyphs 16 -nolisten tcp
In Slackware: add "-nolisten tcp" ( the bold part ) to the end of the last line in the "/etc/X11/xdm/Xservers" file:
QUOTE (Text @ Screen)
:0 local /usr/X11R6/bin/X -nolisten tcp
After this exercise the two commands I gave you above ( netstat and nmap ) should return no entries other than cupsd, plus perhaps the samba, mail or web server you absolutely want running.
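To make that final check repeatable ( only the daemons you deliberately run should show up in LISTEN ), here is an added example in POSIX shell; it is not part of the original post. It assumes the netstat -tap column layout shown above and an ALLOWED list that you fill with the daemons you keep; it runs on a constructed sample so you can try it without root.

```shell
# Added example (not from the original post): audit the lines that
# "netstat -tap | grep LISTEN" prints against an allow-list of daemons.
# Assumed Linux netstat field layout, as in the cupsd example above:
#   proto recv-q send-q local-addr foreign-addr state pid/program
ALLOWED="cupsd"   # add smbd, sendmail, httpd or sshd only if you really want them

# audit_listeners: reads netstat lines on stdin and prints one
# "UNEXPECTED <local-addr> <pid/program>" line per listener whose program is
# not in ALLOWED. Exit status is the number of unexpected listeners (0 = clean).
audit_listeners() {
    n=0
    while read -r proto rq sq laddr faddr state prog; do
        [ "$state" = "LISTEN" ] || continue      # skip headers, ESTABLISHED, etc.
        name=${prog#*/}                          # "1758/cupsd" -> "cupsd"; "-" stays "-"
        ok=0
        for a in $ALLOWED; do
            [ "$name" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf 'UNEXPECTED %s %s\n' "$laddr" "$prog"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Constructed sample (not a real capture): cupsd plus two services the post
# says to shut down, telnet (served by inetd) and the RPC portmapper.
SAMPLE='tcp 0 0 *:ipp *:* LISTEN 1758/cupsd
tcp 0 0 *:telnet *:* LISTEN 1702/inetd
tcp 0 0 *:sunrpc *:* LISTEN 1590/portmap'

# run_sample: audits the constructed sample; prints findings, returns their count.
run_sample() {
    printf '%s\n' "$SAMPLE" | audit_listeners
}

# Live use, as root:  sh audit.sh --live   (equivalent to: netstat -tap | audit_listeners)
if [ "${1-}" = "--live" ]; then
    netstat -tap | audit_listeners
fi
```

An emptied inetd.conf only takes effect once inetd is restarted or the machine rebooted, so run the audit again afterwards; a program column showing "-" means netstat was not run as root and the owner is unknown, which the script deliberately flags.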
Have FUN securing your system . . . next time we look at rootkits
A last one for our Slackware users . . to disable sshd:
CODE
# mv /etc/rc.d/rc.sshd /etc/rc.d/rc.sshd.OLD

Bruno
-- Apr 21 2004 ( Revised Dec 13 2005 ) --