Before you put your Linux system on ANY network, the first thing to look at is what services you need to offer. Services that you do not need to offer should be disabled, so that you have one less thing to worry about and attackers have one less place to look for a hole.
There are a number of ways to disable services under Linux. You can look at your /etc/inetd.conf file and see what services are being offered by your inetd. Disable any that you do not need by commenting them out (# at the beginning of the line), and then sending your inetd process a SIGHUP so that it re-reads the file.
You can also remove (or comment out) services in your /etc/services file. This will mean that local clients will also be unable to find the service (i.e., if you remove ftp and try to ftp to a remote site from that machine, it will fail with an "unknown service" message). It's usually not worth the trouble to remove services from /etc/services, since it provides no additional security. If a local person wanted to use ftp even though you had commented it out, they would make their own client that used the common FTP port, and it would still work fine.
Some of the services you might want to leave enabled are:
  ftp
  telnet (or ssh)
  pop-3 or imap
  identd
Keep in mind that ftp, telnet, pop-3 and imap all send the user's password across the network in cleartext, so anyone who can sniff the path between client and server can read it. Prefer ssh to telnet wherever you can, and only run the cleartext services where you have no choice.
If you know you are not going to use some particular package, you can also delete it entirely. rpm -e packagename under the Red Hat distribution will erase an entire package. Under Debian, dpkg --remove packagename does the same thing.
Additionally, you really want to disable the rsh/rlogin/rcp utilities, including login (port 513, used by rlogin), shell (port 514, used by rsh, and by rcp, which runs on top of rsh), and exec (port 512, used by rexec), from being started in /etc/inetd.conf. These protocols are extremely insecure and have been the cause of exploits in the past: they trust the client's IP address and the contents of .rhosts and hosts.equiv in place of a password, and they send everything, passwords included, in cleartext.
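The inetd.conf edit described above, turned into a small script that can be tried on a copy of the file. This is an added example, not part of the HOWTO: the inetd.conf shown is constructed for the demonstration, the r-services it disables (shell, login, exec) are the ones named in the text, and the reload step assumes the pid file /var/run/inetd.pid or the pkill utility from procps, which are assumptions about your system.

```shell
#!/bin/sh
# Audit and trim an inetd.conf (added example; works on a copy, never on /etc directly).
# inetd.conf line layout: service socket_type protocol wait/nowait user server_program args
# The service name is the first field; a leading '#' disables the line.

# Print the service name of every line that is still active (not blank, not commented).
enabled_inetd_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# Comment out every active line whose service field equals $2.
# A backup of the previous contents is kept as FILE.bak.
disable_inetd_service() {
    conf=$1; svc=$2
    cp "$conf" "$conf.bak"
    awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' "$conf.bak" > "$conf"
}

# Make the running inetd re-read its configuration (not invoked in the demo below).
# Assumes either a pid file in /var/run or the pkill utility; adjust for your system.
reload_inetd() {
    if [ -r /var/run/inetd.pid ]; then
        kill -HUP "$(cat /var/run/inetd.pid)"
    else
        pkill -HUP -x inetd
    fi
}

# --- demo on a constructed inetd.conf (not copied from any real system) ---
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/inetd.conf"
cat > "$demo_conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF

echo "before: $(enabled_inetd_services "$demo_conf" | tr '\n' ' ')"
# The r-services from the text: shell (rsh/rcp), login (rlogin), exec (rexec)
for svc in shell login exec; do
    disable_inetd_service "$demo_conf" "$svc"
done
echo "after:  $(enabled_inetd_services "$demo_conf" | tr '\n' ' ')"
# On a real system, point demo_conf at /etc/inetd.conf and then run: reload_inetd
```

Run the audit function against the real /etc/inetd.conf first and compare its output with the short list of services you actually mean to offer; anything else gets the disable function. Commenting out rather than deleting keeps the line available if you later need the service back.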
You should check /etc/rc.d/rc[0-9].d (on Red Hat; /etc/rc[0-9].d on Debian), and see if any of the servers started in those directories are not needed. The files in those directories are actually symbolic links to files in the directory /etc/rc.d/init.d (on Red Hat; /etc/init.d on Debian). Renaming the files in the init.d directory disables all the symbolic links that point to that file, although it leaves the dangling links behind; chkconfig --del name on Red Hat, or update-rc.d -f name remove on Debian, removes the links for you instead. If you only wish to disable a service for a particular run level, rename the appropriate symbolic link by replacing the upper-case S with a lower-case s, like this:
root# cd /etc/rc6.d
root# mv S45dhcpd s45dhcpd
Note that run level 6 is the reboot run level, so this particular rename only affects what is started on the way into a reboot. To keep a service from coming up in normal operation, do the same in the directory for the run level your machine boots into (rc3.d for multi-user, rc5.d when booting into X).
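The run-level procedure above, as an added example that is not from the HOWTO: it builds a throw-away mock of the init.d/rcN.d layout under a temporary directory (constructed, so nothing under /etc is touched), lists what a run-level directory would start, and disables one service in one run level with the S-to-s rename. It assumes readlink from GNU coreutils.

```shell
#!/bin/sh
# Inspect and disable SysV-style start links (added example, run against a mock tree).

# Print "Snnname -> target" for every start link in one run-level directory.
# Only S* links are started by the rc script; K* links are stop links and s* links are ignored.
started_in_runlevel() {
    for link in "$1"/S[0-9][0-9]*; do
        [ -L "$link" ] || continue          # also skips the literal pattern if nothing matched
        printf '%s -> %s\n' "${link##*/}" "$(readlink "$link")"
    done
}

# Disable service $2 in run-level directory $1 only, by renaming its S link to s.
# Returns 1 if the service has no start link in that directory.
disable_in_runlevel() {
    dir=$1; svc=$2; status=1
    for link in "$dir"/S[0-9][0-9]"$svc"; do
        [ -L "$link" ] || continue
        name=${link##*/}                    # e.g. S45dhcpd
        mv "$link" "$dir/s${name#S}"        # -> s45dhcpd, which the rc script no longer runs
        status=0
    done
    return $status
}

# --- constructed mock of /etc/rc.d (not a real system's layout) ---
mock=$(mktemp -d)
mkdir -p "$mock/init.d" "$mock/rc3.d" "$mock/rc5.d"
for svc in dhcpd sshd httpd; do
    printf '#!/bin/sh\necho "%s $1"\n' "$svc" > "$mock/init.d/$svc"
    chmod +x "$mock/init.d/$svc"
done
ln -s ../init.d/dhcpd "$mock/rc3.d/S45dhcpd"
ln -s ../init.d/sshd  "$mock/rc3.d/S55sshd"
ln -s ../init.d/httpd "$mock/rc3.d/S85httpd"
ln -s ../init.d/dhcpd "$mock/rc5.d/S45dhcpd"
ln -s ../init.d/sshd  "$mock/rc5.d/S55sshd"
ln -s ../init.d/httpd "$mock/rc5.d/K15httpd"   # stop link: httpd is not started in run level 5

echo "rc3.d before:"; started_in_runlevel "$mock/rc3.d"
disable_in_runlevel "$mock/rc3.d" dhcpd
echo "rc3.d after:";  started_in_runlevel "$mock/rc3.d"
echo "rc5.d (untouched):"; started_in_runlevel "$mock/rc5.d"
```

On a real system, replace "$mock/rc3.d" with /etc/rc.d/rc3.d (Red Hat) or /etc/rc3.d (Debian); the listing function is the quick way to see exactly which init.d scripts a run level will run before you decide what to disable.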
If you have BSD-style rc files, you will want to check /etc/rc* for programs you don't need.
Most Linux distributions ship with tcp_wrappers "wrapping" all your TCP services. A tcp_wrapper (tcpd) is invoked from inetd instead of the real server. tcpd then checks the host that is requesting the service, and either executes the real server, or denies access from that host. tcpd allows you to restrict access to your TCP services. You should make a /etc/hosts.allow and add in only those hosts that need to have access to your machine's services.
If you are a home dial-up user, we suggest you deny ALL. tcpd also logs failed attempts to access services, so this can alert you if you are under attack. If you add new services, you should be sure to configure them to use tcp_wrappers if they are TCP-based. For example, a normal dial-up user can prevent outsiders from connecting to his machine, yet still have the ability to retrieve mail and make network connections to the Internet. To do this, you might add the following to your /etc/hosts.allow:
ALL: 127.
And of course /etc/hosts.deny would contain:
ALL: ALL
which will prevent external connections to your machine, yet still allow you from the inside to connect to servers on the Internet. tcpd consults hosts.allow first and hosts.deny second, and a connection that matches neither file is allowed, so the ALL: ALL line in hosts.deny is what makes the policy default-deny. Before relying on the files, check them with the tools that ship with tcp_wrappers: tcpdchk reports syntax and consistency errors in both files, and tcpdmatch daemon client (for example, tcpdmatch in.ftpd 192.0.2.1) tells you what decision tcpd would make for that pair.
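To make the lookup order concrete, here is an added example (not part of the HOWTO or of tcp_wrappers itself) that re-implements the hosts_access decision for the simple "daemon_list : client_list" form of the two files and runs it against constructed copies of the dial-up configuration above. The sshd: .example.com line in the constructed hosts.allow is added to show the leading-dot (domain suffix) pattern alongside the trailing-dot (address prefix) pattern; the daemon names and addresses in the demo are illustrative. Use tcpdmatch for the real thing; this script exists so you can see why each pair is allowed or refused.

```shell
#!/bin/sh
# Simulate the tcpd (hosts_access) decision for a daemon/client pair (added example).
# Handles the "daemon_list : client_list" rule form only.  Lookup order is the real one:
# a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise grant.

# Does pattern $1 match value $2?  ALL matches anything; "127." matches any address that
# starts with 127.; ".example.com" matches any host name that ends in .example.com;
# anything else must match exactly.
match_token() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        .*)  case "$2" in *"$1") return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Does any comma- or space-separated pattern in list $1 match value $2?
match_list() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        match_token "$pat" "$2" && return 0
    done
    return 1
}

# Does any rule in file $1 match daemon $2 coming from client $3?
# A missing file simply matches nothing, as with tcpd.
file_matches() {
    [ -f "$1" ] || return 1
    sed 's/#.*//' "$1" | (
        while IFS=: read -r daemons clients rest; do
            [ -n "$daemons" ] || continue
            if match_list "$daemons" "$2" && match_list "$clients" "$3"; then
                exit 0          # leaves only the subshell; a rule matched
            fi
        done
        exit 1
    )
}

# Print "allow" or "deny" for daemon $1 from client $2, using allow file $3 and deny
# file $4 (default: the real /etc paths).  Exit status 0 = allowed, 1 = refused.
hosts_access() {
    allow=${3:-/etc/hosts.allow}; deny=${4:-/etc/hosts.deny}
    if file_matches "$allow" "$1" "$2"; then
        echo allow
    elif file_matches "$deny" "$1" "$2"; then
        echo deny; return 1
    else
        echo allow
    fi
}

# --- demo on constructed files mirroring the dial-up setup in the text ---
tmp=$(mktemp -d)
printf 'ALL: 127.\nsshd: .example.com\n' > "$tmp/hosts.allow"   # second line added to show a suffix pattern
printf 'ALL: ALL\n' > "$tmp/hosts.deny"
for pair in "in.ftpd 127.0.0.1" "in.ftpd 203.0.113.9" "sshd host.example.com" "sshd 203.0.113.9"; do
    set -- $pair
    printf '%-8s from %-18s -> %s\n' "$1" "$2" \
        "$(hosts_access "$1" "$2" "$tmp/hosts.allow" "$tmp/hosts.deny")"
done
```

The ordering is the point: the loopback connection is granted by hosts.allow before hosts.deny is ever read, while an outside address falls through to the ALL: ALL line. Remove the hosts.deny file from the call and every unmatched pair comes back allowed, which is why a hosts.allow on its own does not close anything.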
Keep in mind that tcp_wrappers only protects services executed from inetd, and a select few others (daemons built against libwrap, such as portmap and some sshd builds). There very well may be other services running on your machine. You can use netstat -ta to find a list of all the services your machine is offering. To narrow that down, netstat -tln shows only the listening TCP sockets with numeric addresses (no DNS lookups), -u adds UDP, and as root -p names the process behind each socket, which tells you which init script or inetd line to turn off.