Re: Security tutorials considered inadequate

From: David (david_at_nospam.spam)
Date: 01/07/05

    Date: Fri, 07 Jan 2005 20:54:41 GMT
    
    

    On 2005-01-05, Charles Packer <mailbox@cpacker.org> wrote:
    >
    > Okay...Ah, I see that "service sendmail stop"
    > stops SMTP also.
    Sendmail is a program that provides SMTP (Simple Mail
    Transfer Protocol) service.
    > How about the other things that are "listening":
    > 6000, printer, linuxconf, login, shell, ftp, auth,
    > 953, 1024, sunrpc. Actually, I know how to
    > prevent ftp from starting up: edit inetd.conf...just
    > haven't gotten around to it yet. For the rest of them,
    > can I just put a "chkconfig" statement for each in
    > my .tcshrc file? I recall doing this for sendmail once,
    > and it didn't work. Looks like it would be easier to stop
    > them after startup than learn all the stuff in prg's
    > generous and lengthy followup...and I'm a professional
    > programmer, too, whose Redhat 6 box has been perfectly
    > adequate for home use these several years.

    Charles,

    1. The easiest way to prevent services from loading at startup is to
    start X (kde or gnome) and from the menu go to "run-level editor"
    "services" or similar (in RH9+KDE system setting>server setting>services),
    then uncheck any service that you don't want to be loaded at startup. This
    way, you will see the description of each service.

    2. If you prefer to work from the command line:

    root# chkconfig --list |grep -i 3:on ##if your system boots to text login

    or

    root# chkconfig --list |grep -i 5:on ##if your system boots to graphical login

    this will list the services that are configured to load at your
    default run level.

    For each service listed there that you don't want to be loaded
    at startup issue:

    root# chkconfig --del [service name]

    This will remove the service from run levels 2,3,4,5. Remember that not
    all the services listed there are "listening" and make sure not to remove
    iptables or ipchains (your firewall). You can always add the service back
    to startup by issuing "chkconfig --add [service name]".

    3. If your system is to be used as a desktop and you don't need
    SMTP to send and receive mail, the only listening services you need
    are X and CUPS (if you have a printer) and "netstat -tap |grep -i listen"
    should look similar to:

    tcp 0 0 *:x11 *:* LISTEN 1763/
    tcp 0 0 localhost.localdoma:ipp *:* LISTEN 2725/cupsd

    For extra security:

    root# xhost -
    prevents unauthorized connections to your X server

    add to your /etc/hosts.deny the line
    ALL:ALL EXCEPT localhost #tcp wrappers will allow connections
    to supported services, only from your machine.

    in the menus of KDE and GNOME you can edit the security level
    of the firewall.

    This way, you will have multiple layers of protection:
    1. firewall 2. tcp wrappers and xhost access control

    I recommend reading "Running Linux, Fourth Edition"
    http://www.amazon.com/exec/obidos/tg/detail/-/0596002726/qid=1105124346/sr=1-10/ref=sr_1_10/103-4498176-6587056?v=glance&s=books

    You may find this HOWTO useful
    http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/index.html

    David
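
Added example, not part of David's post: step 2 has you pick run level 3 or 5 by hand and then read the `chkconfig --list` output yourself. The sketch below reads the default run level from inittab-style input and lists the services switched on at that level, leaving out the firewall services the post says to keep. It assumes the SysV `id:N:initdefault:` line in /etc/inittab; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; sample input below is constructed, not from a real host.

# default_runlevel: read inittab text on stdin, print N from "id:N:initdefault:".
default_runlevel() {
    awk -F: '$1 !~ /^#/ && $3 == "initdefault" { print $2; exit }'
}

# boot_services LEVEL [KEEP...]: read `chkconfig --list` output on stdin and
# print each service that is "on" at LEVEL, except the names listed in KEEP.
boot_services() {
    level=$1; shift
    awk -v lvl="$level" -v keep=" $* " '
        NF == 8 {                       # SysV rows only: name + columns 0: to 6:
            if ($(lvl + 2) == (lvl ":on") && index(keep, " " $1 " ") == 0)
                print $1
        }'
}

sample_inittab() { cat <<'EOF'
# Default runlevel (constructed sample)
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
EOF
}

sample_chkconfig() { cat <<'EOF'
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
lpd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:off   3:off   4:off   5:on    6:off
gpm             0:off   1:off   2:off   3:off   4:off   5:off   6:off
EOF
}

# On a real system, feed the live data instead of the samples:
#   lvl=$(default_runlevel < /etc/inittab)
#   chkconfig --list | boot_services "$lvl" iptables ipchains
lvl=$(sample_inittab | default_runlevel)
echo "default run level: $lvl"
echo "started at boot (firewall excluded):"
sample_chkconfig | boot_services "$lvl" iptables ipchains
```

Each name printed is a candidate for review, not automatically something to disable; as the post notes, not every service in the list is listening on the network.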

