Service level security

Services running on a vanilla Linux system can give the cracker a host of information about your system that should otherwise not be available. Remember, the more information an intruder can gain about your system, the better chance they have of breaking in and doing some damage.

The first thing that needs to be addressed is the pair of files /etc/issue and /etc/issue.net. /etc/issue is printed by getty before the local login prompt and /etc/issue.net by telnetd before a network login; by default they tell anyone who connects what O/S you are running as well as the version (getty expands escape sequences such as \r and \m in /etc/issue into the kernel release and machine type, which is how the stock banners come to show them). Visitors are only welcome on your system if they are authorised to be there, so it should be clear to users that access to this system is restricted. Replace the contents of /etc/issue and /etc/issue.net with a clear message to this effect. Give nothing away.

On Debian systems (and on any other system using the standard login program) there is the .hushlogin file. If this file exists in the user's home directory, only minimal information is printed when the user logs in: the message of the day, the last-login details and the mail notice are all suppressed. Without this file, a relatively long message is printed each time the user logs in.

Secondly, ensure that unnecessary services are terminated. There are two types of service:

  1. Those services that are run as daemons on the system,

  2. those services that are run from the super-daemon xinetd (or inetd for Debian)

Daemon based services are removed and inserted using the update-rc.d script. [8]

For example, to remove the advanced power management daemon (apmd) from the startup scripts we could use:

update-rc.d apmd remove
            

This removes all the links in the /etc/rc?.d directories that point to /etc/init.d/apmd. Note that update-rc.d refuses to remove the links while the init script /etc/init.d/apmd itself still exists unless you add -f (update-rc.d -f apmd remove). To reverse the process:

update-rc.d apmd defaults
            

Debian is excellent in this respect as a default installation will not install many services that are not required. RedHat, SuSE and Mandrake, on the other hand, start many unwanted services on installation. Fortunately they have, for the most part, stopped including telnet in these services and have adopted secure shell (ssh) in its stead.

One quick means of checking what is actually listening on the host (which, on a freshly booted machine, is what was started at boot) is the netstat command:

netstat -l
            

will show all listening sockets on your host. Add -t and -u to limit the output to TCP and UDP sockets (leaving out the Unix domain sockets), -n to skip name lookups, and -p (as root) to see which process owns each socket.
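An added example (not code from the original HOWTO) covering both of the steps above: it reads the runlevel links that update-rc.d manages so you can confirm a daemon will not come back at the next boot, and extracts the listening TCP ports from netstat output. ROOT is an assumed prefix so the link check can be pointed at a copy of the tree; the netstat text produced by netstat_sample is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the original HOWTO): inspect the /etc/rc?.d
# links that update-rc.d manages for a daemon, and pull the listening
# TCP ports out of netstat output. ROOT is an assumed prefix so the
# link check can be run against a copy of the tree; it defaults to
# the live system.
ROOT="${ROOT:-}"

# rc_links SERVICE: print "<runlevel> <S|K> <order>" for every
# runlevel link to SERVICE, e.g. "2 S 20" for /etc/rc2.d/S20apmd.
rc_links() {
    svc="$1"
    for link in "$ROOT"/etc/rc[0-6S].d/[SK][0-9][0-9]"$svc"; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        dir=$(dirname "$link")
        level=${dir#"$ROOT"/etc/rc}; level=${level%.d}
        name=$(basename "$link")
        action=${name%%[0-9]*}                         # S or K
        order=${name#[SK]}; order=${order%"$svc"}
        echo "$level $action $order"
    done
}

# rc_starts SERVICE: true if some runlevel still has an S (start) link,
# i.e. the daemon will come back at the next boot.
rc_starts() {
    rc_links "$1" | grep -q ' S '
}

# rc_disable SERVICE: remove the links with update-rc.d. The init
# script stays in /etc/init.d, so -f is needed or update-rc.d refuses.
# Must be run as root on a Debian system.
rc_disable() {
    update-rc.d -f "$1" remove
}

# listening_ports: read `netstat -ltn` output on stdin and print the
# listening TCP port numbers, one per line, in numeric order.
listening_ports() {
    awk '$1 == "tcp" || $1 == "tcp6" { n = split($4, a, ":"); print a[n] }' |
        sort -n | uniq
}

# netstat_sample: constructed `netstat -ltn` output (not a real host).
netstat_sample() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
EOF
}
```

On a live system, netstat -ltn | listening_ports gives the port list and rc_links apmd shows whether apmd still has start links; a port that stays open after rc_disable tells you the daemon was started some other way (from inetd, or by hand).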

Those services that are not started from the /etc/init.d directory are started by inetd (or xinetd in the modern commercial distros). Both will be addressed here.

Inetd:

Inetd is controlled by the /etc/inetd.conf file. Services such as telnet, finger, bootp and others are started from this superdaemon. Placing a comment character (#) in front of the relevant entry in inetd.conf stops that service. Root must then send a SIGHUP to the inetd daemon so that it re-reads its configuration file and stops or starts the relevant services. Individual inetd services can also be enabled or disabled with the update-inetd command in Debian and the chkconfig command in the commercial distros.

Xinetd:

Xinetd is similarly controlled by a global configuration file (/etc/xinetd.conf). In addition, each service has its own file in the /etc/xinetd.d/ directory. Entries are a little more complex than their inetd counterparts, but a quick glance over the files in this directory will show the syntax: a service is turned off by setting disable = yes inside its block. The advantage xinetd has over its older counterpart is that services can be configured in more complex and restrictive ways (for example, only_from and access_times limit which hosts may connect and at what times). Simply put, the system administrator should disable all unnecessary services on the server prior to deployment.

Using either the chkconfig command (in SuSE, RedHat, Fedora or Mandrake) or the update-inetd command in Debian will automatically notify the superdaemon. If you edit /etc/inetd.conf or /etc/xinetd.d/<file to modify> by hand, you must send a SIGHUP (kill -1 or kill -HUP) to the superdaemon yourself so that it re-reads its configuration.
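The following is an added example, not code from the original HOWTO. It lists which services inetd and xinetd would actually start by reading their configuration files, comments a service out of an inetd.conf, and signals inetd as described above. Paths are passed as parameters so the functions can be tried on copies; the inetd.conf and xinetd.d/ files written by sample_configs are constructed samples, and the assumptions (pidof being available, one service block per xinetd.d file, no "disabled" list in the global defaults) are noted in the comments.

```sh
#!/bin/sh
# Added example (not from the original HOWTO): list the services inetd
# and xinetd will actually start, and switch one off in inetd.conf.
# Paths are parameters so the functions can be tried on copies; the
# configuration files written by sample_configs are constructed.

# inetd_enabled CONF: print the service field of every active entry in
# an inetd.conf-style file (comments and blank lines are skipped).
# An entry looks like:
#   telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# inetd_disable CONF SERVICE: comment out SERVICE's line(s). The pattern
# is anchored on the whole service field so "telnet" leaves "telnets"
# alone. Written via a temp file so it works with any sed.
inetd_disable() {
    conf="$1"; svc="$2"
    sed "s/^\\($svc[[:space:]]\\)/#\\1/" "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
}

# inetd_reload: tell a running inetd to re-read inetd.conf (as root).
# Assumes pidof is available, as it is on Debian and Red Hat.
inetd_reload() {
    kill -HUP "$(pidof inetd)"
}

# xinetd_enabled DIR: print the name of every service in an xinetd.d
# directory whose block lacks "disable = yes". Assumption: one service
# block per file and no "disabled =" list in the global defaults.
xinetd_enabled() {
    awk '
        /^[ \t]*#/                          { next }
        /^[ \t]*service[ \t]/               { name = $2; off = 0 }
        /^[ \t]*disable[ \t]*=[ \t]*yes/    { off = 1 }
        /^[ \t]*}/ { if (name != "" && !off) print name; name = "" }
    ' "$1"/*
}

# sample_configs DIR: write constructed inetd.conf and xinetd.d/ files
# into DIR for experimenting without touching /etc.
sample_configs() {
    mkdir -p "$1/xinetd.d"
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample inetd.conf
#:STANDARD: These are standard services.
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
EOF
    for svc in finger ftp telnet; do
        case $svc in finger) off=yes ;; *) off=no ;; esac
        cat > "$1/xinetd.d/$svc" <<EOF
service $svc
{
        disable     = $off
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/in.${svc}d
}
EOF
    done
}
```

On a real host: inetd_enabled /etc/inetd.conf or xinetd_enabled /etc/xinetd.d shows what is switched on; after inetd_disable /etc/inetd.conf telnet, run inetd_reload, then confirm with netstat that port 23 has closed. The awk in xinetd_enabled is deliberately simple; a "disabled = ..." line in the defaults block of /etc/xinetd.conf, or a "disable" line whose value is spelt with capitals, would not be picked up.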

An application called nmap is useful for checking what services are reachable on a system. By default it scans its list of well-known TCP ports only; add -p- to scan all 65535 ports and -sU for UDP, and run it from a second machine rather than from the server itself, since a scan of 127.0.0.1 also shows services bound only to the loopback interface. Running the command:

nmap <ip address>
                

on the IP address of the server will show what services are currently enabled. Output from an nmap run against my server shows the following:

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-22 08:28 SAST
Interesting ports on mtnkiosk (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
972/tcp  open  unknown
2049/tcp open  nfs

Nmap run completed -- 1 IP address (1 host up) scanned in 0.988 seconds
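An added example, not code from the original HOWTO or from the nmap project: it turns nmap's grepable output (the -oG option) into a list of open ports and flags anything not on an allow-list, so that a scan like the one above becomes a repeatable check rather than something read by eye. The allow-list of 22/tcp and 80/tcp is an assumed baseline, and nmap_sample is a constructed scan line that merely reproduces the ports shown in the run above; it is not real scanner output.

```sh
#!/bin/sh
# Added example (not from the original HOWTO): turn nmap's grepable
# output (-oG) into a list of open ports and flag anything not on an
# allow-list. nmap_sample is a constructed scan line matching the ports
# in the run shown in the text; the allow-list is an assumed baseline.
ALLOWED_PORTS="${ALLOWED_PORTS:-22/tcp 80/tcp}"

# open_ports: read nmap -oG output on stdin and print "port/proto
# service" for every port in state open. Grepable lines are tab
# separated; the Ports field holds comma-separated entries of the form
# port/state/proto/owner/service/rpcinfo/version/.
open_ports() {
    awk -F'\t' '/^Host:/ {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            sub(/^Ports: /, "", $i)
            n = split($i, p, ", ")
            for (j = 1; j <= n; j++) {
                split(p[j], f, "/")
                if (f[2] != "open") continue
                if (f[5] == "") f[5] = "unknown"
                print f[1] "/" f[3] " " f[5]
            }
        }
    }'
}

# unexpected_ports: drop the open ports that are on ALLOWED_PORTS and
# print the rest, which is what needs explaining or disabling.
unexpected_ports() {
    open_ports | while read -r port svc; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "$port $svc" ;;
        esac
    done
}

# nmap_sample: constructed `nmap -oG -` output (not a real scan).
nmap_sample() {
    printf '# Nmap 3.50 scan initiated (constructed sample)\n'
    printf 'Host: 127.0.0.1 (mtnkiosk)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 972/open/tcp/////, 2049/open/tcp//nfs///\tIgnored State: closed (1654)\n'
    printf '# Nmap run completed\n'
}
```

Against a live server: nmap -oG - <ip address> | unexpected_ports. With the baseline above, the run shown in the text would leave 111/tcp (rpcbind), 972/tcp and 2049/tcp (nfs) to be explained, which is exactly the kind of thing a portmapper-plus-NFS host should have on a deliberate allow-list rather than by accident.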
                

Once all unnecessary services are removed or disabled, we can begin to address who may connect to our host. Even without implementing a firewall, xinetd and tcp-wrappers give us the ability to control which hosts have access to our services (the older inetd is far more permissive and cannot restrict its services to the same degree as its younger cousin xinetd, which is why inetd entries are normally run through the tcp-wrappers daemon tcpd).



[8] In RedHat, SuSE and Mandrake, the chkconfig command is used to modify these daemons and services.

chkconfig --level 2345 apmd off
                    

would be the standard way of achieving this in the other commercial distros.