Securing a Linux System



Before you put your Linux system on ANY network, the first thing to look at is what services you need to offer. Services that you do not need to offer should be disabled so that you have one less thing to worry about and attackers have one less place to look for a hole.

There are a number of ways to disable services under Linux, including: 

Review inetd service offerings

You can look at your /etc/inetd.conf file and see what services are being offered by your inetd. Disable any that you do not need by commenting them out (# at the beginning of the line), and then send your inetd process a SIGHUP so that it re-reads the file. kill takes a process ID rather than a process name, so enter as root:

kill -HUP $(pidof inetd)
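The inetd.conf step above, as an added shell example that is not from the original page: it writes a constructed sample inetd.conf to a temporary file, comments out the telnet, shell, login and exec entries, and lists what is still enabled, so nothing on the real system is touched. The function names and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit a copy of inetd.conf,
# comment out the telnet and r-service entries the text says to disable,
# and list what is still enabled. Runs only on a constructed sample file.
set -e

# Constructed sample inetd.conf (not a real system file).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE" "$SAMPLE.tmp"' EXIT
cat > "$SAMPLE" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF

# Print the service names on lines that are neither comments nor blank,
# i.e. the services inetd would actually offer from this file.
enabled_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{ print $1 }'
}

# Comment out each line whose first field matches one of the given names.
# Usage: disable_services FILE name1 name2 ...
disable_services() {
    file=$1
    shift
    for svc in "$@"; do
        sed "s/^[[:space:]]*\(${svc}[[:space:]]\)/#\1/" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    done
}

echo "Enabled before:"; enabled_services "$SAMPLE"
disable_services "$SAMPLE" telnet shell login exec
echo "Enabled after:";  enabled_services "$SAMPLE"
# On a real system the edited file is /etc/inetd.conf, and the change only
# takes effect after inetd re-reads it:  kill -HUP $(pidof inetd)
```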


Remove or comment out services

You can also remove (or comment out) services in your /etc/services file. This means that local clients will also be unable to find the service (e.g., if you remove Secure FTP and then try to ftp to a remote site from that machine, it will fail with an "unknown service" message). It is usually not worth the trouble to remove services from /etc/services, since it provides no additional security: if a local user wanted to use Secure FTP even though you had commented it out, they could write their own client that uses the well-known Secure FTP port and would still be able to connect. One service that we strongly suggest you disable is telnet.

If you know you are not going to use some particular package, you can also delete it entirely. Entering the following command: 

rpm -e packagename

under the Red Hat distribution will erase an entire package. 


Disable rsh/rlogin/rcp utilities

Additionally, you really want to disable the rsh/rlogin/rcp utilities, including login (used by rlogin), shell (used by rcp), and exec (used by rsh) from being started in /etc/inetd.conf. These protocols are extremely insecure and have been the cause of exploits in the past.

You should check your /etc/rc.d/rcN.d (where N is your system's run level) and see whether any of the servers started from that directory are not needed. The files in /etc/rc.d/rcN.d are actually symbolic links into the directory /etc/rc.d/init.d. Renaming a file in the init.d directory has the effect of disabling all the symbolic links to it in every /etc/rc.d/rcN.d. If you only wish to disable a service for a particular run level, rename the appropriate link by replacing the upper-case S with a lower-case s, like this:

root# cd /etc/rc6.d

root# mv S45dhcpd s45dhcpd


Invoke tcp_wrappers

Most Linux distributions ship with tcp_wrappers "wrapping" all your TCP services. The tcp_wrapper (tcpd) is invoked from inetd instead of the real server. tcpd then checks the host that is requesting the service and either executes the real server or denies access from that host, so it lets you restrict access to your TCP services on a per-host basis. You should create /etc/hosts.allow and list in it only those hosts that need access to your machine's services.

Keep in mind that tcp_wrappers only protects services executed from inetd, plus a select few others that link against its library. There may well be other services running on your machine. You can use the following command:

netstat -ta

to find a list of all the services your machine is offering.
