Network management Toolkit

Improve Linux security

Tags:
Daemon,
Open Source,
FTP,
Network

Mary Ann Richardson Tech Republic

Published: 08 Oct 2002 10:39 BST

One of the attractions of Linux is its native support for a wide range of TCP/IP services, many of which are configured to run by default. Those default services, however, can expose your Linux networked workstation to external intruders.

If your workstation is connected to a TCP/IP network with active network services, you're exposing your system to all other clients on the network. If the telnet server application is active, a telnet client running on another workstation on the network can easily establish a login session on your system; it needs only the address of your system and the port or socket number of a network service running on your system. And like other commonly used TCP/IP applications, telnet has a standard defined port number, 23, which is also the address of the running telnet server application. So any telnet client running on any remote workstation on the network can establish a login session to your workstation over port 23.

To reduce your workstation's vulnerability to such an attack, users should first find out what networked services are running, determine which ones can be retained with minimum security risk, and stop the rest of those services. There are three places to look for active network services on your workstation: the /etc/inetd.conf file, the /etc/xinetd.conf file, and the /etc/rc.d directories.

Services run by the inetd daemon
The Linux inetd daemon is a network service utility that provides a central point of control for all Internet services running on a system. The inetd daemon listens for network ports listed in the /etc/inetd.conf file. Each line of the inetd.conf file lists one service that inetd is to listen for. When an incoming request matches a network port number specified in the file, inetd assigns the appropriate application to the incoming socket. For example, if an incoming request asks for port 21 and ftp is listed in the /etc/inetd.conf file, inetd will then connect the client to the ftp service, after which it resumes listening in on the other ports listed in its configuration file.

To find out if the inetd daemon is running on a workstation, open a terminal window and enter the following command:ps aux | grep inetd

Figure A

The results of this command, shown in Figure A, indicate if the service is running and when it was started. Once you know the inetd daemon is running, you should enter the following command to see which network services inetd is listening for:grep -v "^#" /etc/inetd.conf

The results of this command are also shown in Figure A. There, you can clearly see that inetd is listening for ftp, finger, and ntalk, among others.

Figure A shows the /etc/inetd.conf file as configured by the installation script that came with the Red Hat 6.1 CD. However, the file needs considerable modification to secure the system. This can be done by editing the file through a text editor, such as vi, and removing unnecessary services. For example, lines specifying older utilities, such as talk and ntalk, which allow interactive communications between you and another user on the network, should be deleted. Another older utility, finger, which runs by default over port 79 and allows a remote client to find out user information, should also be deleted. These services do not have security features required for today's networks.

Shell and login are RPC-based daemons that should be replaced with their more secure versions (i.e., SSH and slogin, respectively). The ftp and telnet services should also be replaced by their more secure counterparts, scp or http for ftp, and sshd for telnet. (Note that large installations should not be running http on every desktop. Instead, workstations in these installations should be accessing the Web via a separate Web server.)

Another problem is that root is entered in the user field of many services. It is recommended that services never be run as root unless absolutely necessary, and then only if they are strictly monitored. If they are not, the user field of each line should be replaced with nobody, which is preferred.

Services run by the xinetd daemon
If you find that inetd is not present on your workstation, it doesn't mean that you have no active network services. Later versions of Linux, such as Red Hat 7.0 and above, have replaced the inetd daemon with the extended Internet services daemon, xinetd. Like inetd, xinetd listens for connection requests from client applications. When it receives a connection request to a port, xinetd starts up the TCP/IP service for that port, handing over the port to the network service so the client can work with the service.

To see if xinetd is running on your system, open a terminal window and enter the same ps command listed above, replacing inetd with xinetd:ps aux | grep xinetd

Figure B

The results of this command, shown in Figure B, indicate if the xinetd service is running and when it was started. Just like inetd, xinetd also works with a configuration file, /etc/xinetd.conf. This file can be found by entering the following command:

grep -v "^#" /etc/xinetd.conf

Go to section: