Protect yourself from intruders who attempt to break into your UNIX or Linux system. Here are some things to do to make intrusion more difficult.
Some daemons are started when the system boots, and remain active as long as the system remains up. For these persistent daemons, you need to look at the initialization scripts or programs used to start services when the system boots. Other services are not started at boot time, but instead are managed by either inetd or xinetd.
If your system is configured with inetd, look at /etc/inetd.conf, and remove, or simply prefix with a "#" character to make it a comment, any entry providing a service you don't need. For example, if you aren't delivering mail on your Linux workstation, you don't need to have pop and imap daemons accepting connections -- disable them with the "#" prefix:
#pop stream tcp nowait root /etc/uva/tcp_wrapper/tcpd /usr/local/etc/popper popper
#imap stream tcp nowait root /etc/uva/tcp_wrapper/tcpd /usr/local/etc/imapd4 imapd
If you are using xinetd, its configuration will be in the directory /etc/xinetd.d. Each file in the directory defines a service, and you should add "disable = yes" to any that you want to disable. For example, to turn off the finger service, the configuration would look like this:
service finger
{
    socket_type = stream
    wait        = no
    user        = nobody
    server      = /usr/sbin/in.fingerd
    disable     = yes
}
After editing either inetd.conf or the files in /etc/xinetd.d, be sure to send a HUP signal to the inetd or xinetd process.
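As an added example (not from the original page), the shell functions below apply the inetd.conf and xinetd.d steps above to a given file and then signal the super-server; the file path is an argument so each can be tried on a copy before the real file is touched.

```shell
#!/bin/sh
# Added example (not from the original page): disable a super-server
# service in either inetd.conf (comment the line out) or an xinetd.d
# file (set "disable = yes"), then HUP the running daemon. Each function
# takes the config path as an argument, so it can be tried on a copy first.

# Comment out every active inetd.conf entry whose first field is SERVICE.
inetd_disable() {   # usage: inetd_disable /etc/inetd.conf pop
    conf=$1; svc=$2
    tmp=$(mktemp) || return 1
    awk -v s="$svc" '$1 == s { print "#" $0; next } { print }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"      # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# Set "disable = yes" in an xinetd service file. An existing disable line
# is replaced; otherwise the line is added just before the closing brace.
xinetd_disable() {  # usage: xinetd_disable /etc/xinetd.d/finger
    f=$1
    tmp=$(mktemp) || return 1
    awk 'BEGIN { done = 0 }
         /^[ \t]*disable[ \t]*=/ {
             if (!done) { print "\tdisable\t\t= yes"; done = 1 }
             next
         }
         /^}/ && !done { print "\tdisable\t\t= yes"; done = 1 }
         { print }' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Number of active (non-blank, non-comment) entries in an inetd.conf.
inetd_active() { awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"; }

# Make the running super-server reread its configuration, as the text says.
superserver_reload() {
    pid=$(pgrep -x xinetd || pgrep -x inetd) && kill -HUP "$pid"
}
```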
Also look at the persistent daemons which are running outside of inetd's control, and ask yourself whether your server really needs to run these. For instance, if you have an nfsd process running, ask if you need to share your filesystems with other hosts. If not, remove the /etc/exports (or /etc/dfs/dfstab on Solaris) file and disable the start of the NFS daemons.
UNIX servers use one of two methods to start persistent daemons at boot time. If your system uses /etc/inittab to control what scripts are being run, you'll have to modify those scripts to take out any daemons you don't want started. If your system uses the scripts in /etc/init.d, with links to them in directories named for the run level, such as /etc/rc3.d, you disable a service by removing the link(s) in the /etc/rc[0-6].d directories, or by renaming them so that they begin with a lower case letter instead of S (e.g., mv S76snmpdx s76snmpdx); only links beginning with an upper case S are run at boot, so the renamed link is ignored but easy to restore.
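The rc-link renaming step, as an added example (not from the original page): one function renames every S link for a service under the rc[0-6].d directories, and another lists what is still enabled in a run level. RC_ROOT is an assumed variable so the functions can be exercised on a copy of /etc.

```shell
#!/bin/sh
# Added example (not from the original page): disable a service started from
# /etc/init.d by renaming its S<nn>name links to s<nn>name in every
# /etc/rc[0-6].d directory, as in the "mv S76snmpdx s76snmpdx" step above.
# RC_ROOT is an assumed variable so the functions can be run on a copy.
RC_ROOT=${RC_ROOT:-/etc}

# Rename every S link for NAME under $RC_ROOT/rc[0-6].d and print the count.
rc_disable() {   # usage: rc_disable snmpdx
    name=$1; n=0
    for dir in "$RC_ROOT"/rc[0-6].d; do
        [ -d "$dir" ] || continue
        for link in "$dir"/S[0-9][0-9]"$name"; do
            [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
            base=$(basename "$link")
            mv "$link" "$dir/s${base#S}" && n=$((n + 1))
        done
    done
    echo "$n"
}

# Print the names of services still enabled (active S links) in run level LVL.
rc_enabled() {   # usage: rc_enabled 3
    for link in "$RC_ROOT/rc$1.d"/S[0-9][0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        base=$(basename "$link")
        echo "${base#S[0-9][0-9]}"
    done
}
```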
Linux - Configure IPtables or IPchains. IPtables is available with the Linux 2.4 kernel to manage the IP firewall rules. IPchains is used with the Linux 2.2 kernel, and is also available with the 2.4 kernel. You can use one of these to define which IP addresses you will accept or reject. The rules can be different for incoming and outgoing packets. We have model configuration scripts that can be installed on a Linux system to define the rules such that only packets originating inside the virginia.edu domain are accepted.
AIX 4.3.x includes the ability to filter packets as part of IBM's IP Security implementation. Setting up the rules can be a little tricky, and it's best to get advice from someone who's done it before. ITC can help. View an example.
IRIX - Configure filter rules. IRIX 6.5.x supports IP filtering.
Solaris - IP filtering is not part of the Sun operating system through version 8, but it is part of a separately licensed product, SunScreen, available from Sun. A free "light" version of SunScreen 3.1 is also available, for Solaris 8 only. Solaris 9 includes SunScreen 3.2. An ipf package to implement IP filtering on Solaris (and other operating systems) is available from Australian National University.
The tcp wrapper daemon, tcpd, comes as a part of recent Linux installations, but you still have to add it for AIX, Irix, or Solaris installations.
Configure hosts.allow and hosts.deny files for tcpd and sshd.
Both ssh and the tcp wrapper tcpd use a pair of configuration files to define what hosts are allowed to make connections to specific TCP services on your machine. Use these to limit access to those services and prevent unwanted intrusion attempts.
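As an added illustration (not tcpd's code and not from the original page), the functions below evaluate a daemon/client pair against a hosts.allow and hosts.deny pair in the order the wrapper uses, so you can see which of your rules a given connection would hit; HA_ALLOW and HA_DENY are assumed variables pointing at the two files, and the client is given as a single hostname or address string.

```shell
#!/bin/sh
# Added example (not tcpd's code): evaluate a daemon/client pair against
# hosts.allow and hosts.deny the way tcpd and a wrappers-enabled sshd do.
# hosts.allow is searched first and a match grants access; hosts.deny is
# searched next and a match refuses it; no match in either file grants
# access. Only the common pattern forms ALL, exact name, ".domain" suffix
# and "net." prefix are handled; HA_ALLOW/HA_DENY are assumed variables.
HA_ALLOW=${HA_ALLOW:-/etc/hosts.allow}
HA_DENY=${HA_DENY:-/etc/hosts.deny}

# Does PATTERN match NAME? Returns 0 on a match, 1 otherwise.
_ha_match() {   # usage: _ha_match PATTERN NAME
    case $1 in
        ALL) return 0 ;;
        .*)  case $2 in *"$1") return 0 ;; esac ;;   # domain suffix
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # network prefix
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Does any "daemons : clients" rule in FILE match DAEMON and CLIENT?
_ha_file_match() {   # usage: _ha_file_match FILE DAEMON CLIENT
    [ -f "$1" ] || return 1
    hit=$(sed 's/#.*//' "$1" | while IFS=: read -r daemons clients rest; do
        for d in $(echo "$daemons" | tr ',' ' '); do
            _ha_match "$d" "$2" || continue
            for c in $(echo "$clients" | tr ',' ' '); do
                _ha_match "$c" "$3" && { echo hit; exit 0; }
            done
        done
    done; true)
    [ "$hit" = hit ]
}

# Returns 0 if DAEMON would accept CLIENT, 1 if the connection is refused.
hosts_access() {   # usage: hosts_access sshd lab1.cs.virginia.edu
    _ha_file_match "$HA_ALLOW" "$1" "$2" && return 0
    _ha_file_match "$HA_DENY"  "$1" "$2" && return 1
    return 0   # no rule matched in either file: tcpd grants access
}
```

Note that with an empty hosts.deny every unmatched connection is accepted, which is why a deny-everything rule belongs in hosts.deny when hosts.allow lists the permitted hosts.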
Configure inetd to use the tcp wrapper.
The tcpd installation for AIX, Irix and Solaris doesn't modify your inetd.conf or syslog.conf files; you have to do that yourself.
Linux systems: ITC has update RPMs for RedHat 6.2, 7.x, and 8.0 on linuxload.itc.virginia.edu. Be sure to periodically check the advisories for your version of Linux to see if you need to apply any recent updates. (If you're running something other than RedHat, check the appropriate site for your Linux distribution.)
ITC can give you advice on updating AIX 4.3. Contact us.
ITC patch server for Solaris 2.x
If you are supporting an NFS service, pay close attention to how you set up /etc/exports (or /etc/dfs/dfstab on Solaris). The syntax of the entry can lead to some confusion, and if you get it wrong, you might end up giving away access to systems that you really didn't intend to allow access to your files. You also need to pay attention to the user ids assigned to accounts on both the client and server systems. If you don't understand these, read an explanation of /etc/exports syntax and UID assignment.
Silicon Graphics, Inc. IRIX security web site.
Linux Security documentation from linuxsecurity.com.
Solaris Operating Environment Security, Sun Microsystems paper.