Re: Security tutorials considered inadequate
From: David (david_at_nospam.spam)
Date: Fri, 07 Jan 2005 20:54:41 GMT
On 2005-01-05, Charles Packer <firstname.lastname@example.org> wrote:
> Okay...Ah, I see that "service sendmail stop"
> stops SMTP also.
Sendmail is a program that provides SMTP (Simple Mail
Transfer Protocol) service.
> How about the other things that are "listening":
> 6000, printer, linuxconf, login, shell, ftp, auth,
> 953, 1024, sunrpc. Actually, I know how to
> prevent ftp from starting up: edit inetd.conf...just
> haven't gotten around to it yet. For the rest of them,
> can I just put a "chkconfig" statement for each in
> my .tcshrc file? I recall doing this for sendmail once,
> and it didn't work. Looks like it would be easier to stop
> them after startup than learn all the stuff in prg's
> generous and lengthy followup...and I'm a professional
> programmer, too, whose Redhat 6 box has been perfectly
> adequate for home use these several years.
1. The easiest way to prevent services from loading at startup is to
start X (kde or gnome) and from the menu go to "run-level editor"
"services" or similar (in RH9+KDE system setting>server setting>services),
then uncheck any service that you don't want to be loaded at startup. This
way, you will see the description of each service.
2. If you prefer to work from the command line:
root# chkconfig --list |grep -i 3:on ##if your system boots to text login
root# chkconfig --list |grep -i 5:on ##if your system boots to graphical login
this will list the services that are configured to load at your
default run level.
For each service listed there that you don't want to be loaded
at startup issue:
root# chkconfig --del [service name]
This will remove the service from run levels 2,3,4,5. Remember that not
all the services listed there are "listening" and make sure not to remove
iptables or ipchains (your firewall). You can always add the service back
to startup by issuing "chkconfig --add [service name]".
3. If your system is to be used as a desktop and you don't need
SMTP to send and receive mail the only listening services you need
are X and CUPS (if you have a printer) and "netstat -tap |grep -i listen"
should look similar to:
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 localhost.localdoma:ipp *:* LISTEN
For extra security:
root# xhost -
prevents unauthorized connections to your X server
add to your /etc/hosts.deny the line
ALL:ALL EXCEPT localhost #tcp wrappers will allow connections
to supported services, only from your machine.
in the menus of KDE and GNOME you can edit the security level
of the firewall.
This way you, will have multiple layers of protection:
1. firewall 2. tcp wrappers and xhost access control
I recommend reading "Running Linux, Fourth Edition"
You may find this HOWTO useful