Secure your Box 0.1 (how's that for originality? :-))
=================================================

NOTE: This text is only intended as a starting point, it is by no means a
complete guide to all aspects of security and it does not pretend to be.

=================================================

/* start */

When you install Linux for the first time it may be the case that the
distribution of your choice does not, by default, have a secure
configuration. The aim of this text is to help those who access the Internet
via a dial-up link (e.g. PPP or perhaps SLIP) to their ISP from a new
stand-alone Linux box to close any gaping security holes.

Firstly, if you don't need any of the facilities provided by the portmap
daemon (e.g. NFS) or the inetd daemon (e.g. telnet, ftp, pop), why run them
at all? Use "ntsysv" on a RedHat system to edit the services that are
started automatically at boot. Daemons such as sendmail and httpd usually
run stand-alone rather than from inetd, so disabling inetd entries does not
touch them; switch them off (or leave them uninstalled) separately.

Secondly, there are three files in the /etc directory that you need to
concern yourself with:

/etc/hosts.allow
/etc/hosts.deny
/etc/inetd.conf

Open /etc/hosts.deny and set it to this policy, which denies access to remote
services from all hosts except those specifically allowed in
/etc/hosts.allow:

ALL: ALL

Now open /etc/hosts.allow and set this policy, which allows access from your
own machine only:

ALL: LOCALHOST

hosts.allow is consulted first, then hosts.deny, and a connection that
matches neither file is allowed; that is why the catch-all in hosts.deny
matters. Bear in mind that these two files only govern services started
through tcpd (the TCP wrapper) or linked against libwrap; a daemon that
ignores them has to be disabled or firewalled separately. See the relevant
manpages for a wealth of detail ("man 5 hosts_access").

Now it is the turn of /etc/inetd.conf, so open it. You'll see entries
similar to these:

#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

Entries whose first character is a hash ("#") are disabled, the others are
not: in the lines above ftp is off and telnet is on. Edit the file and
disable just about everything you don't know you need by inserting a hash at
the start of each appropriate line.
Once that's done you need to send the inetd daemon (assuming it is running)
the SIGHUP signal so that it re-reads the new configuration. kill takes a
process ID, not a name, so look inetd's PID up first:

kill -HUP $(pidof inetd)

(or "killall -HUP inetd" if you have psmisc installed). Make *sure* you
include the hyphen before the signal in the above command, or you will be
sorry: "kill 1 ..." sends SIGTERM to process 1. Do a "ps aux | more" and
look at the first entry to see why ;-)

These simple steps will go some considerable way to improving the
configuration of your system, but much more can be done. Judicious use of
various commands and tools can show you exactly what ports are open on your
system and which ones you ought therefore to secure. One such command is
"netstat" (see the manpage for details of syntax etc.), which when used as
below can be most useful:

netstat -paut

Send the output to a file or pipe it through more if necessary, and notice
how it shows each TCP and UDP port that is listening along with the process
that owns it (run it as root, otherwise the process column stays blank for
sockets belonging to other users).

Another incredibly useful command that does much the same thing is "lsof"
(list open files); it might not be installed on your box by default, so look
through your distro CD or website. Search the output with grep for the
string "LISTEN", as below, and observe the results:

lsof | grep LISTEN

("lsof -i -P -n" restricts the output to network sockets and skips name
lookups.) Note that only TCP sockets have a LISTEN state; bound UDP sockets
appear in the netstat output above but will not match this grep.

I came across the above on the http://www.linux.com website; there are two
particularly interesting sections there, one dealing with security and
another with tuning, which consists of general useful tips to aid and
enhance performance and functionality, most certainly worth a visit.
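The steps above (default-deny hosts_access policy, disabling inetd entries, reloading inetd, then checking what still listens) gathered into one script, as an added example that is not part of the original text. It works on copies of the files under a sandbox directory (ROOT, default ./etc-sandbox, an assumption of this example) with a constructed sample inetd.conf, so it can be tried without touching /etc; set ROOT=/etc to apply it to the real files. The keep-list argument to disable_inetd_services is this script's own convention, not an inetd feature.

```shell
#!/bin/sh
# Added example: harden a stand-alone box along the lines described above.
# Works on copies under $ROOT by default; ROOT=/etc applies it to the real files.
ROOT=${ROOT:-./etc-sandbox}

# Default-deny policy for every tcpd/libwrap-aware service, then let only
# the local machine back in.
write_hosts_access() {
    mkdir -p "$ROOT"
    printf 'ALL: ALL\n'       > "$ROOT/hosts.deny"
    printf 'ALL: LOCALHOST\n' > "$ROOT/hosts.allow"
}

# disable_inetd_services <inetd.conf> [service ...]
# Comment out every active entry whose service name (first field) is not
# given as an argument.  Blank lines and lines already starting with "#"
# are left alone, so running it twice does not produce "##" lines.
disable_inetd_services() {
    conf=$1; shift
    tmp="$conf.tmp"
    awk -v keep=" $* " '
        /^[ \t]*#/ || NF == 0        { print; next }   # already off / blank
        index(keep, " " $1 " ") > 0  { print; next }   # on the keep list
                                     { print "#" $0 }  # disable the rest
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the names of the services still enabled in an inetd.conf, one per line.
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Tell a running inetd to re-read its configuration.  Note the signal name:
# "kill 1 ..." without the hyphen would send SIGTERM to PID 1, init.
reload_inetd() {
    pid=$(pidof inetd 2>/dev/null) || return 0   # nothing to do if not running
    kill -HUP $pid                               # unquoted: pidof may list several
}

# Show what is still listening (needs root to see other users' PIDs).
show_listeners() {
    netstat -paut 2>/dev/null || lsof -i -P -n 2>/dev/null | grep LISTEN
}

write_hosts_access
# Constructed sample inetd.conf for the sandbox run; /etc/inetd.conf is used as-is.
if [ "$ROOT" != /etc ]; then
    cat > "$ROOT/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF
fi
disable_inetd_services "$ROOT/inetd.conf" pop-3    # keep only POP, as an example
echo "still enabled in inetd.conf:"; active_inetd_services "$ROOT/inetd.conf"
if [ "$ROOT" = /etc ]; then
    reload_inetd
    show_listeners
fi
```

Run it once as shown to see the sandbox result, then ROOT=/etc ./harden.sh as root to apply it; afterwards the netstat listing should contain only the ports you deliberately kept.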
The nmap scanner can perform a similar task, and you don't have to be on the
same machine to do it either (note that scanning machines you don't control
is considered by some to be a dubious activity, so don't do it). You can
download it from:

http://www.insecure.org/nmap/

Try this with it (the UDP part of the scan needs root):

nmap -sTU localhost

Bear in mind that a port served by inetd shows up as open even when tcpd
will refuse the connection a moment later, because inetd accepts it first;
the only way to make a port disappear from the scan is to disable the
service. Scanning the box from a second machine across the dial-up link,
rather than from localhost, shows what is actually reachable from outside.

There are other useful tools for auditing your box. This one, called Saint,
is quite nice and very easy to use as well; it is controlled via your web
browser:

http://www.wwdsi.com/saint/

Another thing you might want to consider as a dial-up user is using a logger
such as ippl or iplog, which you can get here:

http://www.numb.org/~odin/
http://www.via.ecp.fr/~hugo/ippl/

These daemons log TCP, UDP and ICMP traffic and are very useful for
detecting port scans and attempts to compromise your box. By default their
output is sent to /var/log/messages. So that you can watch what's happening
in real time, open an xterm if you're in X or switch to another virtual
console otherwise and try this:

tail -f /var/log/messages

Keep up to date with announcements of exploits and their appropriate fixes
so you know what to look out for; these URLs are especially good:

http://www.securityfocus.com
http://www.freshmeat.net

Oh yes, use "pmap_dump" (or "rpcinfo -p") to see which RPC daemons are
registered with portmap...

/* end */

rez
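Appended example for the logging section above: a small real-time detector that can sit behind the tail -f, added here rather than taken from the original text or from ippl/iplog. The log line shape it parses ("Mon DD HH:MM:SS host connlog: PROTO port N from IP") and the sample lines are constructed for the example and the "connlog" tag is hypothetical; the real loggers' formats differ, so the awk field positions are the part to adapt. The technique itself is generic: count distinct protocol/port pairs per source address and alert once a source reaches a threshold.

```shell
#!/bin/sh
# Added example: rudimentary port-scan detection over logger output in
# /var/log/messages.  The line format is CONSTRUCTED for this example;
# adapt the awk field positions to what ippl or iplog really write.

# scan_alerts <min_distinct_ports>     (reads log lines on stdin)
# Prints one alert per source address the first time it has been seen
# hitting <min_distinct_ports> different protocol/port pairs.  The work is
# done per line, not at end of input, so it can be fed by "tail -f".
scan_alerts() {
    awk -v min="$1" '
        # Assumed line shape: Mon DD HH:MM:SS host connlog: PROTO port N from IP
        $7 == "port" && $9 == "from" {
            ip = $10
            key = $6 "/" $8               # proto/port so TCP/53 and UDP/53 differ
            if ((ip, key) in seen) next   # repeat hits on one port are not a scan
            seen[ip, key] = 1
            if (++count[ip] == min)
                printf "ALERT: %s probed %d distinct ports (latest %s at %s)\n", ip, count[ip], key, $3
        }
    '
}

# Constructed sample log (not real ippl/iplog output) so the example runs offline.
SAMPLE_LOG=./messages.sample
cat > "$SAMPLE_LOG" <<'EOF'
Jul 11 12:34:55 box connlog: TCP port 22 from 10.0.0.7
Jul 11 12:34:56 box connlog: TCP port 21 from 10.0.0.9
Jul 11 12:34:56 box connlog: TCP port 23 from 10.0.0.9
Jul 11 12:34:57 box connlog: TCP port 23 from 10.0.0.9
Jul 11 12:34:57 box connlog: TCP port 25 from 10.0.0.9
Jul 11 12:34:58 box connlog: UDP port 53 from 10.0.0.9
Jul 11 12:34:58 box connlog: TCP port 22 from 10.0.0.7
Jul 11 12:34:59 box connlog: TCP port 110 from 10.0.0.9
Jul 11 12:35:00 box connlog: ICMP echo request from 10.0.0.9
EOF

# Batch check of an existing file: 10.0.0.9 trips the threshold, the
# repeated ssh hits from 10.0.0.7 do not.
scan_alerts 5 < "$SAMPLE_LOG"
# Live use on the box itself:  tail -f /var/log/messages | scan_alerts 5
```

The threshold is deliberately a count of distinct ports rather than raw hits, so a legitimate client reconnecting to one service never trips it; a slow scan spread over days still does, since the awk process keeps its tables for as long as the tail -f runs.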