Re: Protecting Linux
On Sun, 19 Sep 1999, Stanislav Malyshev a.k.a Frodo wrote:
> Part of it. Better solution would be to use firewalling (ipchains) or even
> external firewalling (like, router rules), if you are sure you can handle
> this. If you employ both methods, you are just protected better.
for the casual dial-up user, my usual suggestion is this:

1. disable all services of inetd (/etc/inetd.conf), EXCEPT for the ident
   service - this one is used by various servers on the net, and lack of
   it might cause a few services to deny you their service (not very
   many, though). don't forget to restart inetd after modifying the file,
   and check that the services actually do not work any more (e.g. 'telnet
   127.0.0.1' getting a 'connection refused' shows that the telnet daemon
   service is not active, etc.)

2. disable all those hefty services launched from the various rc files of
   your favourite run-level (the level number depends on your
   distribution). this would include sendmail, portmap, mountd, httpd,
   etc. i usually do this by renaming the SXXsendmail file to
   no.SXXsendmail - just in case i'll need it sometime. the rc script
   that loads them refers only to files beginning with 'S' or 'K'.

3. when running an X server, configure it to only support Unix domain
   sockets (those odd files created in some directory under /tmp) if you
   can find out how (according to the 'Xserver(1)' man page, this is done
   by specifying '-nolisten tcp' to the X server). for example:
       startx -- -nolisten tcp
   to check that this actually worked, try to telnet to port 6000 (or
   6001, 6002, and up to 6009) of your machine, while your X server is
   running. if you get a connection refused - you've got it made.

4. there will be a few services that can't be easily disabled (e.g. lpr -
   if you've got a printer, you want it running - at least set up
   '/etc/hosts.lpd' for minimum security). sometimes you'll need to
   run other services (sendmail, portmap, etc.) when you test or write
   programs that need to use them. in that case, i guess that firewalling
   (or rather port filtering) is your best option. when you use firewalling
   rules, use the pessimistic approach (i.e. disable everything, then
   enable things you know that you'd need).

5. if you're really up to it - read some book about security on unix
   systems.
guy
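The post's checks in steps 1 and 3 are manual: edit inetd.conf, restart inetd, then telnet to each port and look for 'connection refused'. The script below, an added example that is not part of the original message, automates both halves of that verification: it parses an inetd.conf (a constructed sample is embedded, with everything commented out except the ident/auth entry) and lists the services inetd would still start, and it probes a set of ports on the local host to report which ones refuse, accept or silently drop connections. The port list (telnet on 23, X displays :0 to :9 on 6000-6009) comes from the post; the function names, the sample file and the throwaway listener used to exercise the probe offline are assumptions of this example.

```python
"""Audit helper for the inetd / X-server lockdown described in the post.
Constructed example; not code from the original message."""
import socket
from typing import Dict, List, Tuple

# Constructed sample of an edited /etc/inetd.conf: every entry commented out
# except the ident (auth) service, which the post recommends keeping.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
#finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
auth     stream  tcp  nowait  nobody /usr/sbin/in.identd in.identd -l -e -o
"""

# Ports the post tells you to test by hand after the lockdown (constructed
# labels; the numbers are the ones the post names).
EXPECTED_CLOSED: Dict[str, int] = {"telnet": 23}
EXPECTED_CLOSED.update({f"X11 display :{n}": 6000 + n for n in range(10)})


def enabled_inetd_services(conf_text: str) -> List[Tuple[str, str]]:
    """Return (service, protocol) for every line inetd would still act on.

    inetd ignores blank lines and lines starting with '#', so a service is
    'disabled' only if its whole line is commented out or removed.
    """
    enabled = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out entry: inetd skips it
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry: inetd would log an error; we skip it
        enabled.append((fields[0], fields[2]))  # service name, protocol
    return enabled


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port the way the post's telnet test does.

    'closed'   -> connection refused, i.e. nothing is listening (the result
                  the post wants to see for telnet and ports 6000-6009)
    'open'     -> something accepted the connection
    'filtered' -> no answer before the timeout (packet filter dropping it)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # includes socket.timeout / unreachable host
        return "filtered"
    finally:
        sock.close()


def audit_expected_closed(host: str, ports: Dict[str, int]) -> Dict[str, str]:
    """Probe each labelled port and return {label: state}."""
    return {label: probe_port(host, port) for label, port in ports.items()}


def open_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a throwaway listener on an ephemeral port (assumed helper, used
    only so the probe can be exercised offline without a real daemon)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    print("inetd services still enabled in the sample file:")
    for name, proto in enabled_inetd_services(SAMPLE_INETD_CONF):
        print(f"  {name}/{proto}")
    print("local port audit (want 'closed' everywhere):")
    for label, state in audit_expected_closed("127.0.0.1", EXPECTED_CLOSED).items():
        print(f"  {label:18s} {state}")
```

To audit a real machine, replace SAMPLE_INETD_CONF with the contents of /etc/inetd.conf and run the script after restarting inetd and after starting X with '-nolisten tcp'; any port reported 'open' is a service the lockdown missed, and 'filtered' means a packet filter is answering for it rather than the port being genuinely closed.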
=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il