 |
Before you put your Linux system on ANY network, the first
thing to look at is what services you need to offer. Every
service you do not need should be disabled: it is one less
thing for you to maintain and patch, and one less place for
an attacker to look for a hole.
-
There are a number of ways to disable services under Linux.
Start with /etc/inetd.conf and see what services your inetd
is offering. Disable any that you do not need by commenting
them out (# at the beginning of the line), and then make
inetd re-read its configuration by sending it a SIGHUP. As
root, type
killall -HUP inetd
-
You can also remove (or comment out) entries in your
/etc/services file. Note that this only affects the
name-to-port lookup, so local clients will also be unable
to find the service by name (i.e., if you remove ftp and
then try to ftp to a remote site from that machine, it will
fail with an "unknown service" message). It is usually not
worth the trouble, since it provides no additional security:
the server, if it is running, still listens on its port. If
a local user wanted to use ftp even though you had commented
it out, they could simply connect to port 21 by number, or
build their own client that does, and it would still work.
-
One of the services that we strongly suggest you disable is
telnet, which sends usernames, passwords and the entire
session across the network in cleartext. For a secure
alternative to telnet, please see our page on installing
and using the Secure Shell client.
-
If you know you are not going to use some particular
package, you can also delete it entirely.
rpm -e packagename
under the Red Hat distribution will erase an entire
package. Under Debian
dpkg --remove packagename
does the same thing.
-
Additionally, you really want to stop the rsh/rlogin/rcp
utilities from being started in /etc/inetd.conf. That means
the login service (port 513, used by rlogin), the shell
service (port 514, used by rsh and rcp) and the exec service
(port 512, used by rexec). These protocols are extremely
insecure: they send everything in cleartext and trust the
client's source address and its .rhosts/hosts.equiv entries
for authentication, and they have been the cause of exploits
in the past.
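The two inetd.conf steps above (find what is still offered,
comment out telnet and the r-command services, then HUP
inetd) as a small shell audit. This is an added example, not
part of the original HOWTO: it assumes the classic inetd.conf
layout (service name in the first field, # opens a comment),
and the inetd.conf it operates on is a constructed sample, so
it can be run safely on any machine.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): audit the services an inetd.conf
# still offers and comment out the ones the text says to drop. It assumes the
# classic inetd.conf layout (service name in the first field, '#' opens a
# comment); the sample file below is constructed, not taken from a real host.

# Print the service name of every active (uncommented, non-blank) line.
inetd_enabled_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Services this section recommends disabling: telnet, plus the r-commands
# (login is used by rlogin, shell by rsh and rcp, exec by rexec).
RISKY_INETD_SERVICES="telnet login shell exec"

# Print, in file order, the risky services that are still active in $1.
inetd_risky_enabled() {
    for _svc in $(inetd_enabled_services "$1"); do
        for _risky in $RISKY_INETD_SERVICES; do
            [ "$_svc" = "$_risky" ] && echo "$_svc"
        done
    done
    return 0
}

# Comment out every active line for service $2 in inetd.conf $1, in place.
# Lines already commented out, and lines for other services, are left alone.
# Writing through 'cat >' keeps the original file's owner and mode.
inetd_disable() {
    _tmp=$(mktemp)
    awk -v svc="$2" '!/^[ \t]*(#|$)/ && $1 == svc { print "#" $0; next } { print }' "$1" > "$_tmp"
    cat "$_tmp" > "$1"
    rm -f "$_tmp"
}

# Disable every risky service still active in $1 and print the names handled.
# On a real system, follow this with:  killall -HUP inetd
inetd_harden() {
    for _svc in $(inetd_risky_enabled "$1"); do
        inetd_disable "$1" "$_svc"
        echo "$_svc"
    done
}

# Write a constructed inetd.conf to a temp file and print its path.
make_demo_inetd_conf() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# constructed inetd.conf sample for the example
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#gopher stream  tcp  nowait  root    /usr/sbin/tcpd  gn
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    echo "$_f"
}
```

To use it on the real file, run `inetd_risky_enabled /etc/inetd.conf`
first to see what would change, then `inetd_harden /etc/inetd.conf`
as root and send inetd the SIGHUP. Note that finger stays enabled
in the sample: the functions only touch the four services named in
the text, so extend RISKY_INETD_SERVICES to match your own policy.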
-
You should check your /etc/rc.d/rcN.d (where N is the run
level your system boots into) and see if any of the servers
started from that directory are not needed. The files in
/etc/rc.d/rcN.d are actually symbolic links to scripts in
/etc/rc.d/init.d. Renaming a script in the init.d directory
leaves every link to it dangling, which disables that service
in all run levels at once. If you only wish to disable a
service for a particular run level, rename the appropriate
link by replacing the upper-case S with a lower-case s; the
rc script only runs links that start with S or K, so the
renamed link is ignored. For run level 3, for example:
root# cd /etc/rc3.d
root# mv S45dhcpd s45dhcpd
(Do not use rc6.d for this kind of change: run level 6 is
the reboot run level, so disabling a service there has no
effect on the running system.) If you have BSD style rc
files, you will want to check /etc/rc* for programs you
don't need.
-
Most Linux distributions ship with tcp_wrappers "wrapping"
all your TCP services. A tcp_wrapper (tcpd) is invoked from
inetd instead of the real server. tcpd then checks the host
that is requesting the service against /etc/hosts.allow and
/etc/hosts.deny, and either executes the real server or
denies access from that host. You should create an
/etc/hosts.allow listing only those hosts that need access
to your machine's services, and put
ALL: ALL
in /etc/hosts.deny. The hosts.deny line matters: tcpd grants
access when a request matches neither file, so a hosts.allow
on its own restricts nothing.
Keep in mind that tcp_wrappers only protect services executed
from inetd, and the select few stand-alone daemons that are
linked against the libwrap library. There very well may be
other services running on your machine. You can use
netstat -ta
to list the TCP sockets your machine has open; add -n to
show port numbers instead of service names, -u to include
UDP, and -p (as root) to see which process owns each socket.
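The last two points above, a default-deny tcp_wrappers policy
and the check for listeners that inetd does not control, as
shell functions. This is an added example, not part of the
original HOWTO or of tcp_wrappers itself: a scratch directory
stands in for /etc, and the netstat output, inetd service list
and /etc/services excerpt it works on are constructed sample
data, so nothing here touches the real system.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): a default-deny tcp_wrappers policy,
# and a check for listening TCP ports that inetd (and therefore tcpd) does not
# control. Every input below is constructed sample data, and a scratch
# directory stands in for /etc so nothing here touches the real system.

# Write hosts.deny and hosts.allow into directory $1. Remaining arguments are
# complete hosts.allow rules, e.g. 'sshd: 192.168.1.' (trailing dot = prefix).
# tcp_wrappers grants access when neither file matches a request, so a
# hosts.allow on its own restricts nothing; the 'ALL: ALL' in hosts.deny is
# what makes every unlisted client fall through to a denial.
write_wrapper_policy() {
    _dir=$1; shift
    printf 'ALL: ALL\n' > "$_dir/hosts.deny"
    : > "$_dir/hosts.allow"
    for _rule in "$@"; do
        printf '%s\n' "$_rule" >> "$_dir/hosts.allow"
    done
}

# Return 0 if the policy in directory $1 is default-deny (hosts.deny has an
# 'ALL: ALL' rule), 1 otherwise.
wrapper_policy_is_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$1/hosts.deny" 2>/dev/null
}

# Read saved 'netstat -tan' output on stdin; print each listening TCP port
# once, in numeric order. Column 4 is the local address, column 6 the state,
# for both IPv4 (0.0.0.0:23) and IPv6 (:::22) sockets.
listening_tcp_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# Map the service names in file $1 (one per line) to TCP ports using a file
# in /etc/services format ($2). Names with no tcp entry are skipped.
service_ports() {
    awk 'FILENAME == ARGV[1] { want[$1] = 1; next }
         !/^[ \t]*(#|$)/ && split($2, p, "/") == 2 && p[2] == "tcp" && ($1 in want) { print p[1] }' \
        "$1" "$2" | sort -n | uniq
}

# Listening ports (netstat output in $1) not explained by the inetd services
# named in $2, resolved through the services file $3. What remains are
# stand-alone daemons: tcpd never sees their connections, so hosts.allow and
# hosts.deny do not protect them unless the daemon itself uses libwrap.
unwrapped_listeners() {
    _lp=$(mktemp); _ip=$(mktemp)
    listening_tcp_ports < "$1" > "$_lp"
    service_ports "$2" "$3" > "$_ip"
    awk 'FILENAME == ARGV[1] { inetd[$1] = 1; next } !($1 in inetd)' "$_ip" "$_lp"
    rm -f "$_lp" "$_ip"
}

# Build a scratch directory with constructed sample inputs and print its path.
make_demo_dir() {
    _d=$(mktemp -d)
    cat > "$_d/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
    printf 'ftp\ntelnet\n' > "$_d/inetd_services.txt"   # what this inetd.conf still offers
    cat > "$_d/services" <<'EOF'
# constructed excerpt of /etc/services
ftp      21/tcp
ssh      22/tcp
telnet   23/tcp
sunrpc   111/tcp   portmapper
sunrpc   111/udp   portmapper
exec     512/tcp
login    513/tcp
shell    514/tcp   cmd
EOF
    echo "$_d"
}
```

On the sample data, inetd accounts for ports 21 and 23, so
`unwrapped_listeners` reports 22 and 111: sshd and the portmapper
are running stand-alone and fall outside tcpd's view, which is
exactly the gap the paragraph above warns about. On a real host,
save `netstat -tan` to a file and feed it the list of service names
still active in /etc/inetd.conf together with /etc/services.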
|