

Linux security


18 replies to this topic

#1 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 26 March 2004 - 07:13 PM

Because I am preparing a series of Tips on security I am moving a few posts from another thread to this one . . . some changes have been made in my posts to clear things up. Please all have a look and post me your remarks so I can make changes, or try to explain better !

rolanaj, on Mar 26 2004, 10:29 PM, said:

A list of services you don't need running will be very helpful. I have checked out setting up your firewall in the MCC but pretty much left it as is, as I wasn't sure what needed to be changed if anything.

Rolana . . . . because so many systems are configured differently and everyone has other needs it is hard to set up general rules . . . but like I said I am working on it . . . . :)

A few services you should NOT de-activate and you do need if present on your system are:

Quote

apmd : Advanced Power Management Daemon
atd : daemon for the at command. Runs "one-off" scheduled operations outside the cron daemon, as set by the command line.
crond : provides a daemon to perform scheduled operations without user interaction
daytime : provides the system's notion of the time of day
echo : displays a line of text
fam : the File Alteration Monitor. This server tracks changes to the filesystem, passing the information along to the appropriate application.
keytable : provides the appropriate keyboard mapping
partmon : monitors the contents of a partition, preventing writing 0 byte files when the partition is full
random : random number generator
syslog : a system-wide logging utility
xinetd : the Extended Internet Services Daemon

Now if we concentrate on PCLos . . . . in the menu under "Configuration" you will find "Configure your Computer". This brings up the Master Control Center ( same as MCC in Drake ). There under "System" you have "DrakxServices" . . this brings up a GUI with all the services running ( or not ) and there is an info button at every item . . also there is a stop-button for every service where you can temporarily stop the service and see if it affects the smooth running of your system ( on a reboot it will start again if you leave the checkmark ) . . the trick is: Note down every change you make ! Only if you are 100% sure you take away the checkmark !

-- A few services that are running by default in PCLos and that you can safely disable are:

hpoj ( if you do NOT have a HP printer )
nfs ( to communicate with other Linux computers on a network )
nfslock ( idem )
portmap ( server stuff )
smb ( if you do not run samba to communicate with a Windows computer on the network )
swat ( also samba related, admin tool for samba )
wlan ( wireless lan config/activate etc. )

-- You DO need:

alsa
anacron
atd
crond
cups
devfsd
dm
fam
gmp
internet
iptables ( for the firewall to work )
keytable
kheader
pcscd
random
rawdevices
services
slpd
sound
tmdns
xfs
xinetd

For Mandrake you will see that the MCC has "System" too and "Services" . . the same tool . . also you will see that it is far better configured than PCLos . . . . the only thing I always turn off there is "numlock"

:) Bruno

PS: Your firewall in Mandrake is configured according to the ( dial up ) internet connection you had set up prior to setting up the firewall. You can rest assured that it is set up correctly >_<

#2 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 26 March 2004 - 07:46 PM

PART 2

Also there is this command ( as root )

netstat -tap | grep LISTEN

That will show you the active servers on your system and what port they listen to . . . . but this needs far more information . . . . let us say that in general only services you allowed running above should be seen in there . . . :-/

Example:

tcp        0      0 *:ipp                   *:*                     LISTEN      1758/cupsd

( This one is okay, the cups printer daemon, and needs to be running ! )

Another command is:

nmap -sS 127.0.0.1

It shows you the same servers, but now with the port numbers they listen to. But if any of the following servers are active and in LISTEN mode, it would be safer to shut them down:

finger
ftpd
kdessh
lockd
mountd
named or BIND
nfsd
rpc
rlogin
rsh
sendmail
snmp
ssl
ssh
statd
ruser
telnetd
X ( the part that listens to tcp )

And, if you're not running a web server, you should also shut down any running httpd process.

You can shut down the processes for the current session with "kill PID" ( where PID is the number you see just before the name of the service . . in our example it would be: 1662 )

To prevent those services from starting up at boot permanently ( and they are not in the MCC "services" tool ) you will have to edit the /etc/inetd.conf file ( in most distros that is . . . . . >_< ).

:) Bruno

#3 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 26 March 2004 - 07:58 PM

PART 3

Okay I gave a start to the process of making this Tip complete . . please give your remarks, additional info, questions etc. etc. . . So: Input please . . . . >_< :D

B) Bruno

#4 OFFLINE   nlinecomputers

nlinecomputers

    Discussion Deity

  • No Longer a Member
  • 3,932 posts

Posted 26 March 2004 - 10:28 PM

teacher, on Mar 26 2004, 04:25 PM, said:

Nathan, don't overwhelm us. Do you have a translation for all that in English? I know OTOH is "on the other hand" but what on earth is OTHOOH? Are you making up new acronyms? That kind of advice needs to be broken down into baby steps! :)

Julia, OTOOH = "On the other other hand". Sorry, the extra H was a typo. >_<

Bruno, looks good so far. If you know of any websites that have lists of Linux services that might be a good idea to put in your tip.
Nathan Williams, N-Line Computers

How to kill a programmer:  Give him a shampoo bottle.  Lather, Rinse, Repeat.

#5 OFFLINE   jodef

jodef

    Multithreader

  • Members
  • 1,429 posts

Posted 26 March 2004 - 10:59 PM

Simply Linux, Chapter 7 "Securing Linux", provides some useful info: Must Read Security Tips

P.S. It has also been updated with PCLos info; haven't come across anything new but still reading >_<

By the way Nathan, Bruno's security tips are a really good idea.

Edited by jodef, 26 March 2004 - 11:04 PM.


#6 OFFLINE   teacher

teacher

    Acute Mac

  • Honorary Moderators
  • 13,854 posts

Posted 27 March 2004 - 05:43 AM

JetBlackz's work is always great!

Julia :)
Teacher
Beach Bum Extraordinaire

#7 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 27 March 2004 - 05:58 AM

Yep, adding a link to JetBlackz is a good idea for the more advanced users ! Thanks Johann !

Nathan . . I am looking for a good site on services

B) Bruno

#8 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 28 March 2004 - 02:18 PM

Found at http://www.sans.org/top20/ : The SANS top 20

Quote

Top Vulnerabilities to UNIX Systems
U1 BIND Domain Name System
U2 Remote Procedure Calls (RPC)
U3 Apache Web Server
U4 General UNIX Authentication Accounts with No Passwords or Weak Passwords
U5 Clear Text Services
U6 Sendmail
U7 Simple Network Management Protocol (SNMP)
U8 Secure Shell (SSH)
U9 Misconfiguration of Enterprise Services NIS/NFS
U10 Open Secure Sockets Layer (SSL)

:thumbsup: Bruno

#9 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 28 March 2004 - 05:39 PM

An interesting article on "nmap" . . . ( remember the command "nmap -sS 127.0.0.1" in the previous post ? )

Port scanning and Nmap 3.5: http://software.news...l?tid=78&tid=82

:thumbsup: Bruno

#10 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 01 April 2004 - 04:13 PM

Please read PART 1, PART 2 and PART 3 again . . I made some changes to be more correct ;)

B) Bruno

#11 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 01 April 2004 - 04:23 PM

Here is what I did in Mandrake 9.2 ( Mandrake 10.0 needed no adaptation )

In the MCC under services I disabled from starting at boot:

hpoj
smb
swat
wlan
nfs
nfslock
portmap ( needed for remote printer in Drake 9.2 though )
postfix

And I added the bold part ( "-nolisten tcp" ) to the last line in the "/etc/X11/xdm/Xservers" file:

Quote

:0 local /bin/nice -n -10 /usr/X11R6/bin/X -deferglyphs 16 -nolisten tcp

( this also in Mandrake 10 and PCLos )

B) Bruno

#12 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 01 April 2004 - 04:30 PM

Here is what I did in Slackware:

# mv /etc/inetd.conf /etc/inetd.confOLD
# touch /etc/inetd.conf
# mv /etc/rc.d/rc.sendmail /etc/rc.d/rc.sendmail.OLD
# mv /etc/rc.d/rc.sshd /etc/rc.d/rc.sshd.OLD

And I added the bold part ( "-nolisten tcp" ) to the last line in the "/etc/X11/xdm/Xservers" file:

Quote

:0 local /usr/X11R6/bin/X -nolisten tcp

B) Bruno

Edited by Bruno, 04 April 2004 - 01:43 PM.


#13 OFFLINE   SonicDragon

SonicDragon

    Discussion Deity

  • Forum MVP
  • 4,188 posts

Posted 01 April 2004 - 06:35 PM

Let me see if I can put together some stuff on running nessus against yourself to see what you have running. The great thing about nessus is that in addition to showing you what's running, it also shows you how to fix the security problem!

Quick slack security tip:

Open up /etc/inetd.conf and comment out finger, ftp, talk, ntalk etc. ( Bruno . . . is it safe to disable auth? I can't remember if I commented that out in /etc/inetd.conf or if it was already commented out )

#14 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 01 April 2004 - 06:40 PM

Sonic . . I commented everything out in /etc/inetd.conf first . . and all was in working order . . then I just replaced the old file with an empty one ( there has to be a file, but it can be empty :) )

Both "nmap -sS 127.0.0.1" and "netstat -tap | grep LISTEN" report ZERO ;)

Let us know all about nessus ;)

:w00t: Bruno

Edited by Bruno, 01 April 2004 - 06:46 PM.
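The changes in posts #11 to #14 above are made by hand: services commented out of (or removed from) /etc/inetd.conf, and "-nolisten tcp" added to the X server line in /etc/X11/xdm/Xservers. As an added example that is not part of the thread, the script below does both in a repeatable way and then checks the result. It works on constructed copies of the two files under a scratch directory (the inetd.conf contents are a typical Slackware layout written for the example, not taken from any real box), so it runs offline; setting ROOT=/ would point it at the real files. Which services to comment out is the example's own choice: the ones post #13 lists, plus telnet and the auth entry it asks about, with the time service left alone as in post #15.

```shell
#!/bin/sh
# Added example, not code from the original thread: script the two manual
# changes from the posts above (commenting services out of /etc/inetd.conf,
# and adding "-nolisten tcp" to the X server line in Xservers), then check.
# Works on constructed copies under a scratch directory so it runs offline;
# ROOT=/ would apply it to a real Slackware-style box (back up first).
ROOT="${ROOT:-$(mktemp -d)}"
INETD_CONF="$ROOT/etc/inetd.conf"
XSERVERS="$ROOT/etc/X11/xdm/Xservers"
mkdir -p "$ROOT/etc/X11/xdm"

# Constructed sample inetd.conf in the usual Slackware layout (comsat is
# already commented out, as it normally ships).
cat > "$INETD_CONF" <<'EOF'
# See "man 8 inetd" for more information.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
time    stream  tcp     nowait  root    internal
#comsat dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -w -t120
EOF

# Constructed sample Xservers line, still without -nolisten tcp.
printf ':0 local /usr/X11R6/bin/X\n' > "$XSERVERS"

# active_inetd_services FILE: service name of every line inetd would act on
# (everything that is not blank or a comment).
active_inetd_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# disable_inetd_services FILE SERVICE...: comment out the named services,
# keeping a copy of the original as FILE.OLD the way the posts above do.
# Only lines starting with exactly that service name are touched, so
# "talk" does not also hit "ntalk". Service names are assumed to be plain
# words (no regex metacharacters).
disable_inetd_services() {
    f="$1"; shift
    cp -p "$f" "$f.OLD"
    for svc in "$@"; do
        sed "s/^\($svc[[:space:]]\)/#\1/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# ensure_x_nolisten_tcp FILE: append "-nolisten tcp" to every ":N local ..."
# server line that lacks it. Running it twice changes nothing.
ensure_x_nolisten_tcp() {
    f="$1"
    awk '/^:[0-9]+[[:space:]]+local/ && !/-nolisten[[:space:]]+tcp/ { $0 = $0 " -nolisten tcp" }
         { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# x_listens_on_tcp FILE: succeeds if any X server line would still open
# the X tcp port (6000 for display :0).
x_listens_on_tcp() {
    awk '/^:[0-9]+[[:space:]]+local/ && !/-nolisten[[:space:]]+tcp/ { found = 1 }
         END { exit !found }' "$1"
}

# Apply: the services post #13 lists, plus telnet and the auth entry it asks
# about; the time service is left in place as in post #15.
disable_inetd_services "$INETD_CONF" finger ftp telnet talk ntalk auth
ensure_x_nolisten_tcp "$XSERVERS"

echo "inetd entries still active: $(active_inetd_services "$INETD_CONF" | tr '\n' ' ')"
if x_listens_on_tcp "$XSERVERS"; then
    echo "X would still listen on tcp"
else
    echo "X: -nolisten tcp set"
fi
```

After editing the real files, inetd has to be restarted (or sent SIGHUP) and X restarted before "netstat -tap | grep LISTEN" reflects the change; active_inetd_services only tells you what the file says, not what is running.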


#15 OFFLINE   SonicDragon

SonicDragon

    Discussion Deity

  • Forum MVP
  • 4,188 posts

Posted 01 April 2004 - 06:46 PM

Quote

Sonic . . I commented everything out in /etc/inetd.conf first . . and all was in working order . . then I just replacec the old file with an empty one ( there has to be a file, but it can be empty
Woops! Silly me, I didn't see that in your post. I think the only thing that is left in mine is the time server. Is that something that keeps my clock accurate, or is that something else that I should disable?

#16 OFFLINE   Bruno

Bruno

    Le Professeur Pingouin

  • Admin Emeritus
  • 37,904 posts

Posted 01 April 2004 - 06:49 PM

I guess that one can not hurt . . . . but, you could set up a cron job doing:

rdate -s clock-1.cs.cmu.edu && hwclock --systohc

Or put this command in KDE autorun, to run at boot . . . . :) Bruno

#17 OFFLINE   SonicDragon

SonicDragon

    Discussion Deity

  • Forum MVP
  • 4,188 posts

Posted 01 April 2004 - 09:24 PM

Thanks for all the tips!

Those commands now show that nothing is running besides cups!

I'll go look for that nessus info.

#18 OFFLINE   SonicDragon

SonicDragon

    Discussion Deity

  • Forum MVP
  • 4,188 posts

Posted 01 April 2004 - 09:30 PM

This page from the nessus website does a really good job explaining everything. At the bottom it links to the next page which is the next set of instructions, and that page links to yet another :whistling:

Some important things to note:

You probably want to turn off the denial of service attack test unless you want to risk running a DoS attack against yourself. This is also mentioned in the directions.

Turn off CUPS BEFORE you start the scan. I don't know if this happens to other people, but nessus finds the CUPS scripts and runs them and tells my printer to print like 20 test pages!

Open up your process manager and kill "nessus" after you are done with the scan. This will turn off the server so others can't use nessus to scan you.

If you are on a network ( say at work ) you might not want to run this before getting in touch with your network admins.

#19 OFFLINE   linuxdude32

linuxdude32

    Board Bigwig

  • Members
  • 2,702 posts

Posted 02 April 2004 - 02:42 AM

Looks pretty good, Bruno. :devil: I don't think that fam is necessary ( unless the distro has other programs that depend on it ), though it's not a bad idea to have, and xinetd is only needed if other services are dependent on it ( like an ftp server, or server, though they can be configured to start as daemons instead of by xinetd ). In fact, like any service, if not needed to start anything else, xinetd should be disabled ( same goes for inetd on certain distros, which does the same thing as xinetd but not as easily ).
Jason Wallwork



