Jonathan's Contribution

Linux Configuration

Henry's Basic Security


Some Basic Security

Disabling [CTRL][ALT][DEL]

Do this as root.
 
Comment out the line

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

in /etc/inittab (shown here already commented out), then run 'telinit q' so that init re-reads the file.

TCP Wrappers

One can never be safe enough. TCP Wrappers provide an additional level of host-based access control on every inetd service that is started through tcpd.
 
This is my tcp configuration. Look at the man pages for tcpd, hosts.deny and hosts.allow, as well as TrinityOS.
 
Firstly, comment out those services in /etc/inetd.conf that you do not want to support. This is what Henry's looks like:
 
>>>>>>>>>>>>>>>>>>>>>>>>/etc/inetd.conf
#
# inetd.conf    This file describes the services that will be available
#               through the INETD TCP/IP super server.  To re-configure
#               the running INETD process, edit this file, then send the
#               INETD process a SIGHUP signal.
#
# Version:      @(#)/etc/inetd.conf     3.10    05/27/93
#
# Authors:      Original taken from BSD UNIX 4.3/TAHOE.
#               Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
# Modified for Debian Linux by Ian A. Murdock <imurdock@shell.portal.com>
#
# Modified for RHS Linux by Marc Ewing <marc@redhat.com>
#
# <service_name> <sock_type> <proto> <flags>  <user> <server_path> <args>
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo   stream  tcp     nowait  root    internal
#echo   dgram   udp     wait    root    internal
#discard        stream  tcp     nowait  root    internal
#discard        dgram   udp     wait    root    internal
#daytime stream  tcp     nowait  root    internal
#daytime dgram   udp     wait    root    internal
#chargen        stream  tcp     nowait  root    internal
#chargen        dgram   udp     wait    root    internal
#time    stream  tcp     nowait  root    internal
#time    dgram   udp     wait    root    internal
#
# These are standard services.
#
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#comsat dgram   udp     wait    root    /usr/sbin/tcpd  in.comsat
#talk    dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.talkd
#ntalk   dgram   udp     wait    nobody.tty      /usr/sbin/tcpd  in.ntalkd
#dtalk  stream  tcp     wait    nobody.tty      /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp   stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico    -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp   dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#bootps dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
#finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#cfinger stream tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat        stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat    -f inet
#
# Authentication
#
auth    stream  tcp     wait    root    /usr/sbin/in.identd in.identd -e -o
#
# End of inetd.conf

#linuxconf stream tcp wait root /bin/linuxconf linuxconf --http
#swat      stream  tcp     nowait.400      root /usr/sbin/swat swat

# CVS Password server
cvspserver stream tcp   nowait  root    /usr/bin/cvs cvs --allow-root=/usr/local/cvsroot pserver
<<<<<<<<<<<<<<<<<<<<<<<<<<<<</etc/inetd.conf
 
Here, note that the only services still enabled are telnet, ftp, rexec (for MS Windows X server clients), pop3, imap, ident and cvs. We now go on to lock down access to those services that are launched through tcpd, using /etc/hosts.deny and /etc/hosts.allow. We opt for a mostly closed policy, as it is more secure. Note that auth (in.identd) and cvspserver are started directly rather than via /usr/sbin/tcpd, so the hosts.allow and hosts.deny rules below do not apply to them.
 
>>>>>>>>>>>>>>>>>>>>>>>/etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.

# Opt for a mostly closed policy. - More secure
ALL:    ALL
<<<<<<<<<<<<<<<<<<<<<<<<<</etc/hosts.deny
 
>>>>>>>>>>>>>>>>>>>>>>>/etc/hosts.allow
#
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Give complete access for all to the local host
ALL:            127.0.0.1, 192.168.0.3

# Full access to trusted hosts on local network
ALL:            192.168.0.1, 192.168.0.4, 192.168.0.6, 192.168.0.254

# Open up ftp to all, this is a public ftp server, (http does not use inetd)
in.ftpd:        ALL
# The local network has access to pop3.
ipop3d:         192.168.0.
<<<<<<<<<<<<<<<<<<<<<<</etc/hosts.allow
 
Note: Even though we have a trusted private network, it is wise to only permit access on an as-required basis.
 
To get the new settings activated, do a 'killall -HUP inetd' as root.
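As an added illustration (not part of Henry's configuration), the following Python snippet reproduces tcpd's decision order over the two rule files above: hosts.allow is consulted first, then hosts.deny, and a connection that matches neither is allowed. It assumes only the pattern forms this page uses (ALL, an exact address, a trailing-dot network prefix) and ignores EXCEPT clauses and shell commands.

```python
# Constructed copies of the two rule files shown above (comments trimmed);
# real tcpd reads /etc/hosts.allow and /etc/hosts.deny on every connection.
HOSTS_ALLOW = """\
ALL:            127.0.0.1, 192.168.0.3
ALL:            192.168.0.1, 192.168.0.4, 192.168.0.6, 192.168.0.254
in.ftpd:        ALL
ipop3d:         192.168.0.
"""
HOSTS_DENY = "ALL:    ALL\n"

def parse_rules(text):
    """Return (daemon_patterns, client_patterns) pairs from one rule file.
    Format is 'daemon_list : client_list [: shell_command]'; the shell
    command is ignored and EXCEPT clauses are not handled (the page uses none)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                          # malformed; tcpd would log it
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, addr):
    """ALL, an exact address, or a trailing-dot prefix like '192.168.0.'."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern

def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr) for c in clients))

def access_allowed(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd's order: a match in hosts.allow grants, else a match in
    hosts.deny refuses, else access is granted by default (which is why
    the 'ALL: ALL' in hosts.deny above is what makes the policy closed)."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny)):
        return False
    return True
```

With the page's files, telnet from an outside address is refused while ftp from anywhere and pop3 from any 192.168.0.x host are accepted; the real tcp_wrappers package ships tcpdmatch to run the same check against the live files.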
 


Last modified: Tue Feb 8 22:00:00 PST 2000
Copyright © Jonathan Marks, 1999, 2000. All rights reserved.
http://jon.novatek.co.nz/linux/config/henry-security.html.