
Re: Protecting Linux




On Sun, 19 Sep 1999, Stanislav Malyshev a.k.a Frodo wrote:

> Part of it. Better solution would be to use firewalling (ipchains) or even
> external firewalling (like, router rules), if you are sure you can handle
> this. If you employ both methods, you are just protected better. 

for the casual dial-up user, my usual suggestion is this:

1. disable all services of inetd (/etc/inetd.conf), EXCEPT for the ident
   service - this one is used by various servers on the net, and lack of
   it might cause a few services to deny you of their service (not very
   many, though). don't forget to restart inetd after modifying the file,
   and check that the services actually do not work any more (e.g. telnet
   127.0.0.1 and get a 'connection refused' shows that the telnet daemon
   service is not active, etc.)

2. disable all those hefty services launched from the various rc files of
   your favourite run-level (the level number depends on your
   distribution). This would include sendmail, portmap, mountd, httpd, 
   etc. i usually do this by renaming the SXXsendmail file to 
   no.SXXsendmail - just in case i'll need it sometime. the rc script
   refers only to files beginning with 'S' or 'K'.

3. when running an X server, configure it to only support Unix domain
   sockets (those odd files created in some directory under /tmp) if you
   can find out how (according to the 'Xserver(1)' man page, this is done
   by specifying '-nolisten tcp' to the X server). for example:

   startx -- -nolisten tcp

   to check that this actually worked, try to telnet to port 6000 (or
   6001, 6002, and up to 6009) of your machine, while your X server is
   running. if you get a connection refused - you've got it made.

4. there will be a few services that can't be easily disabled (e.g. lpr -
   if you got a printer, you want it running - at least set up
   '/etc/hosts.lpd' for minimum security). sometimes you'll need to
   run other services (sendmail, portmap, etc) when you test or write
   programs that need to use them. in that case, i guess that firewalling
   (or rather port filtering) is your best option. when you use firewalling
   rules, use the pessimistic approach (i.e. disable everything, then
   enable things you know that you'd need).

5. if you're really up to it - read some book about security on unix
   systems.

guy
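
One way to audit steps 1 and 2 of the list above, as an added example that is not part of the original message. The function names, the sample inetd.conf entries and the rc3.d file names are constructed for illustration, and the script assumes the ident service is listed as `auth` or `ident` in inetd.conf.

```shell
#!/bin/sh
# Added example (not from the original message): audit steps 1 and 2.

# Print the name of every service still enabled in an inetd.conf-style file,
# except ident. Lines starting with '#' are disabled entries.
# Assumption: the ident service appears as "auth" or "ident" in field 1.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 && $1 != "auth" && $1 != "ident" { print $1 }' "$1"
}

# Print the start scripts in a run-level directory that rc would still run:
# names matching S<two digits><service>. A file renamed to no.SXXsendmail
# no longer begins with 'S', so it is skipped, as the message describes.
rc_enabled() {
    dir=$1; shift
    for svc in "$@"; do
        for f in "$dir"/S[0-9][0-9]"$svc"; do
            [ -e "$f" ] && basename "$f"
        done
    done
    return 0
}

# Constructed sample data so the script runs offline.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/inetd.conf" <<'EOF'
#ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet   stream tcp nowait root   /usr/sbin/tcpd in.telnetd
auth     stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
#finger  stream tcp nowait root   /usr/sbin/tcpd in.fingerd
EOF
    mkdir "$tmp/rc3.d"
    touch "$tmp/rc3.d/S80sendmail" "$tmp/rc3.d/no.S11portmap" "$tmp/rc3.d/S85httpd"
    echo "inetd services still enabled (besides ident):"
    inetd_enabled "$tmp/inetd.conf"
    echo "rc start scripts still enabled:"
    rc_enabled "$tmp/rc3.d" sendmail portmap mountd httpd
    rm -rf "$tmp"
}

demo
```

On a real machine, point `inetd_enabled` at /etc/inetd.conf and `rc_enabled` at the run-level directory your distribution uses; empty output from both means nothing from those two lists is left running.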

