$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address           State
tcp        0      0 90.0.0.100:1797         netadsrv.iworld.com:www   CLOSE_WAIT
tcp        1      0 90.0.0.100:1796         overdrive.iworld.co:www   CLOSE_WAIT
tcp        1      0 90.0.0.100:1794         overdrive.iworld.co:www   CLOSE_WAIT
tcp        1      0 90.0.0.100:1793         overdrive.iworld.co:www   CLOSE_WAIT
tcp        0      0 *:1785                  *:*                       LISTEN
tcp        0      0 90.0.0.100:832          90.0.0.10:ssh             ESTABLISHED
tcp        0      0 *:6000                  *:*                       LISTEN
tcp        0      0 *:printer               *:*                       LISTEN
tcp        1      0 90.0.0.100:1454         207.25.71.195:www         CLOSE_WAIT
tcp        0      0 *:ssh                   *:*                       LISTEN
tcp        0      0 *:auth                  *:*                       LISTEN
tcp        0      0 *:time                  *:*                       LISTEN
tcp        0      0 *:daytime               *:*                       LISTEN
tcp        0      0 *:discard               *:*                       LISTEN
udp        0      0 90.0.0.100:1546         fes-d019.icq.aol.c:4000   ESTABLISHED
udp        0      0 *:discard               *:*
raw        0      0 *:icmp                  *:*                       7
raw        0      0 *:tcp                   *:*                       7

$ nmap 127.0.0.1
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on celeborn (127.0.0.1):
Port    State    Protocol  Service
9       open     tcp       discard
13      open     tcp       daytime
22      open     tcp       ssh
37      open     tcp       time
113     open     tcp       auth
515     open     tcp       printer
6000    open     tcp       X11
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
Note: Nmap by default only scans ports 1-1024. To scan all ports, use the -p1- switch... this scans ports 1-65535. Compare the two outputs above: netstat shows a listener on *:1785 that the default nmap run never reported, because 1785 is above 1024. Always check netstat (run locally as root) as well as a port scan; the scan only sees what it was told to look for.
/etc/inittab (controls init scripts)
rc.d (runlevel directory) - Red Hat Runlevels.
** Note: runlevels vary widely from one *nix to another (and from one Linux distribution to another). The files listed in the rc?.d directories are symbolic links to the real scripts in the init.d directory; on Red Hat these are located in /etc/rc.d/init.d and /etc/rc.d/rc?.d. I have not seen RedHat 7.0 yet, but I'm told that the rc?.d directories have been moved from /etc/rc.d to /etc.
S* links are run with the argument "start" when the system enters that runlevel, K* links are run with "stop", and anything else in the directory is ignored; the two-digit number fixes the order. Because only S* and K* names are looked at, instead of deleting links many people rename S* to s* to switch a service off (and back to S* to turn it on again).
S01kerneld (Automatically loads kernel modules as the system needs them)
S05apmd (power management for laptops)
S10xntpd (network time protocol)
S10network (Activates/Deactivates all network interfaces configured to start at boot time)
S11portmap (required if you have any rpc services, such as NIS or NFS)
S15sound (restores sound card mixer settings at boot and saves them at shutdown)
S15netfs (Mounts and unmounts all Network File System (NFS) mount points)
S20random (Saves and restores system entropy pool for higher quality random number generation)
S20rstatd (Try to avoid running any of the r services; they give remote users far too much information about the system and its users)
S20rusersd
S20rwhod
S20rwalld
S20bootparamd (Used for diskless clients, you probably don't need this vulnerable service)
S25squid (proxy server)
S30syslog (Used by many daemons to log messages to various system log files)
S30nscd (Name Switch Cache Daemon - Used with NIS or NIS+ for handling passwd & group lookups)
S34yppasswdd (Required if you are an NIS server, this is an extremely vulnerable service)
S35ypserv (Required if you are a NIS server, this is an extremely vulnerable service)
S35dhcpd (Starts dhcp server daemon)
S40atd (Used for the at service, similar to cron, but not required by the system)
S45pcmcia (PCMCIA services, only needed for laptops)
S50inet (starts other internet services as needed... see /etc/inetd.conf file)
S50snmpd (SNMP daemon, can give remote users detailed information about your system)
S55named (DNS server, If you are setting up DNS, upgrade to the latest version of BIND)
S55routed (RIP, don't run this unless you REALLY need it; a host that listens to RIP will accept routes from anyone on the segment)
S55arpwatch
S55xntpd
S60bootparamd (Used for diskless clients, you probably don't need this vulnerable service)
S60lpd (Printing services)
S60mars-nwe (Netware file and print server)
S60nfs (Used for NFS server, do not run unless you absolutely have to)
S72amd (AutoMount daemon, used to mount remote file systems)
S72autofs
S75gated (Used to run other routing protocols, such as OSPF)
S75keytable (loads selected keyboard map.)
S80sendmail (You can still send email if you turn this script off; you just will not be able to receive or relay.) Special note: most new users use X based POP clients, so you may not need a listening sendmail at all.
S85httpd (Apache webserver, Upgrade to latest version)
S85gpm (mouse may not be needed...)
S85postgresql (loads postgresql database server)
S86mcserve (Midnight Commander Server - Allows remote users to use midnight commander to manipulate files on the server)
S87ypbind (Required if you are an NIS client)
S90squid (Squid proxy server)
S90xfs (X font server)
S91smb (Samba - smbd/nmbd daemons for Windows/Lan manager networking)
S95innd (News server)
S99linuxconf (Used to remotely configure Linux systems via a browser... a cracker's dream)
S99local (catch all....)
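To make the S*/K*/s* rules concrete, here is an added example (not from the slides) that rebuilds a tiny rc3.d in a throwaway directory and walks it the way /etc/rc.d/rc does. The four init.d scripts are constructed stubs that only echo what they were asked to do; the service names are taken from the list above, and disable_service performs the S-to-s rename trick.

```sh
#!/bin/sh
# Added example: simulate init entering a runlevel, using a fake rc layout under mktemp.
# The init.d "scripts" are stubs (constructed for this demo) that print "<name> start|stop".

make_fake_rc() {
  base=$(mktemp -d)
  mkdir -p "$base/init.d" "$base/rc3.d"
  for svc in syslog sendmail snmpd lpd; do
    printf '#!/bin/sh\necho "%s $1"\n' "$svc" > "$base/init.d/$svc"
  done
  ln -s ../init.d/syslog   "$base/rc3.d/S30syslog"    # started when entering runlevel 3
  ln -s ../init.d/sendmail "$base/rc3.d/S80sendmail"  # started when entering runlevel 3
  ln -s ../init.d/snmpd    "$base/rc3.d/s50snmpd"     # lowercase s: rc never looks at it
  ln -s ../init.d/lpd      "$base/rc3.d/K60lpd"       # stopped when entering runlevel 3
  echo "$base"
}

# enter_runlevel DIR: K* links get "stop", then S* links get "start", in name order.
# Anything else in the directory is skipped, which is why s* works as an off switch.
enter_runlevel() {
  dir=$1
  for link in "$dir"/K*; do
    if [ -f "$link" ]; then sh "$link" stop; fi
  done
  for link in "$dir"/S*; do
    if [ -f "$link" ]; then sh "$link" start; fi
  done
}

# disable_service DIR NAME: rename S<nn>NAME to s<nn>NAME instead of deleting the link
disable_service() {
  dir=$1 name=$2
  for link in "$dir"/S??"$name"; do
    if [ -e "$link" ]; then
      base=${link##*/}
      mv "$link" "$dir/s${base#S}"
    fi
  done
}

rc=$(make_fake_rc)
echo "== runlevel 3, as shipped =="
enter_runlevel "$rc/rc3.d"
disable_service "$rc/rc3.d" sendmail
echo "== runlevel 3, sendmail disabled =="
enter_runlevel "$rc/rc3.d"
rm -rf "$rc"
```

The first pass prints lpd stop, syslog start, sendmail start; snmpd never appears because its link starts with a lowercase s. After the rename, sendmail drops out as well. The real rc script also checks /var/lock/subsys before stopping a service; that detail is left out here.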
Common services found in inetd.conf
I personally recommend disabling everything, unless you need a specific protocol...
After changing the /etc/inetd.conf file, don't forget to send inetd a HUP signal (kill -HUP) so it re-reads the file; edits do nothing until then.
echo - used for testing (port 7)
chargen - used for testing (port 19)
discard - used for testing (port 9)
daytime (port 13)
time - a method of synchronizing computer clocks on a network (port 37)
ftp - allows ftp server (port 21)
telnet - allows telnet access (port 23)
gopher - allows gopher access. Gopher is a document retrieval system that predates http (port 70)
smtp - allows inbound mail; this normally runs as its own daemon rather than from inetd (port 25)
http - starts web server (port 80)
nntp - starts usenet news server (port 119)
shell - rsh server (port 514)
login - rlogin server (port 513)
exec - rexec server (port 512)
talk (port 517, udp)
ntalk (port 518, udp)
dtalk
pop-2 - acts as a pop-2 server (email) (port 109)
pop-3 - acts as a pop-3 server (email) (port 110)
imap - acts as an imap server (email) (port 143)
uucp - transfers file transfer requests queued by uucp (port 540)
tftp - boot server; tftp has no authentication at all (port 69)
bootps - boot server (port 67)
finger - gives out user information (port 79)
cfinger - gives out user information (port 2003)
systat - gives out system information (port 11)
netstat - gives out system information (port 15)
auth - runs the identd daemon, which tells a remote host which local user owns a TCP connection (needed by some IRC servers) (port 113)
**Note: Don't forget to stop/start inetd after making any changes to inetd.conf
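The "disable everything you don't need, then HUP inetd" procedure, as an added example that is not part of the original slides. The sample inetd.conf is constructed for the demo in Red Hat's format with a few of the services from the list above; disable_all_but comments out every active entry except the ones you name, and reload_inetd shows the signal step (it is defined but not run here, since there is no inetd to signal). Try it on a copy of the real file and diff the result before installing it.

```sh
#!/bin/sh
# Added example: prune inetd.conf to a keep list, then make inetd re-read it.
# The sample config is constructed for this demo, not copied from a live host.

write_sample_inetd_conf() {
  cat > "$1" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
echo    stream  tcp     nowait  root    internal
discard stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF
}

# active_services FILE: first field of every line that is neither blank nor a comment
active_services() {
  awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/ { print $1 }' "$1"
}

# disable_all_but FILE SERVICE...: prefix '#' to every active line whose service name is
# not in the keep list. Comments and blank lines pass through untouched, so the file
# stays readable and the change is reversible.
disable_all_but() {
  file=$1; shift
  keep=" $* "
  awk -v keep="$keep" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
    index(keep, " " $1 " ")               { print; next }
    { print "#" $0 }
  ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# reload_inetd: inetd re-reads inetd.conf on SIGHUP; Red Hat keeps its pid in this file.
reload_inetd() {
  kill -HUP "$(cat /var/run/inetd.pid)"
}

conf=$(mktemp)
write_sample_inetd_conf "$conf"
echo "before: $(active_services "$conf" | tr '\n' ' ')"
disable_all_but "$conf" ftp auth
echo "after:  $(active_services "$conf" | tr '\n' ' ')"
rm -f "$conf"
```

Keeping only ftp and auth leaves two active lines; echo, discard, telnet and finger are commented out rather than deleted. Note that ftp and telnet here run through /usr/sbin/tcpd, so the hosts.allow / hosts.deny rules in the next section apply to them as well.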
TCP wrappers (tcpd) come installed by default in most distributions of Linux.
The configuration files are /etc/hosts.allow and /etc/hosts.deny. hosts.allow is consulted first, then hosts.deny; a connection that matches a rule in neither file is allowed, so an empty hosts.deny means the wrappers block nothing.
I always recommend starting restrictive and working up from there: in hosts.deny, enter ALL: ALL to deny all outside access to the wrapped applications (usually running out of inetd), then add only what you need to hosts.allow.
All attempts to use wrapped services are logged through syslog, including the refused ones.
I highly recommend replacing telnet, ftp, etc with ssh, ssh2 or openssh.
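The deny-all-then-allow setup above, as an added example that is not part of the original slides: a pair of sample wrapper files plus a miniature re-implementation of the tcp_wrappers decision rule (first match in hosts.allow grants, else first match in hosts.deny refuses, else grant), so the files can be tested offline before being installed. The real library, documented in hosts_access(5), supports more pattern forms; this one handles ALL, exact names or addresses, "90.0.0." network prefixes and ".example.org" domain suffixes. The addresses and the irc.example.org domain are made up for the demo.

```sh
#!/bin/sh
# Added example: a small model of hosts_access() for checking hosts.allow/hosts.deny.
# Supports ALL, exact match, trailing-dot network prefix and leading-dot domain suffix.
# Sample files are constructed for this demo (example.org is not a real host).

write_sample_wrappers() {
  cat > "$1/hosts.deny" <<'EOF'
# deny everything hosts.allow does not explicitly permit
ALL: ALL
EOF
  cat > "$1/hosts.allow" <<'EOF'
# only the local 90.0.0.0/24 network may reach ssh and the print spooler
sshd, in.lpd: 90.0.0.
# identd is harmless enough to expose to the IRC servers that want it
in.identd: .irc.example.org
EOF
}

# pattern_matches PATTERN VALUE: 0 if the wrapper pattern covers the value
pattern_matches() {
  pat=$1 val=$2
  case "$pat" in
    ALL) return 0 ;;
    .*)  case "$val" in *"$pat") return 0 ;; esac ;;   # domain suffix, e.g. .irc.example.org
    *.)  case "$val" in "$pat"*) return 0 ;; esac ;;   # network prefix, e.g. 90.0.0.
    *)   [ "$pat" = "$val" ] && return 0 ;;            # exact host name or address
  esac
  return 1
}

# file_matches FILE DAEMON CLIENT: 0 if any "daemon_list : client_list" line matches
file_matches() {
  file=$1 daemon=$2 client=$3
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac           # skip blanks and comments
    dlist=${line%%:*}
    clist=${line#*:}
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
      pattern_matches "$d" "$daemon" || continue
      for c in $(printf '%s' "$clist" | tr ',' ' '); do
        if pattern_matches "$c" "$client"; then return 0; fi
      done
    done
  done < "$file"
  return 1
}

# wrap_check DIR DAEMON CLIENT: prints ALLOW or DENY using the hosts_access order
wrap_check() {
  dir=$1 daemon=$2 client=$3
  if file_matches "$dir/hosts.allow" "$daemon" "$client"; then echo ALLOW
  elif file_matches "$dir/hosts.deny" "$daemon" "$client"; then echo DENY
  else echo ALLOW          # matched nothing: the wrappers default to allowing
  fi
}

d=$(mktemp -d)
write_sample_wrappers "$d"
for probe in "sshd 90.0.0.10" "sshd 207.25.71.195" "in.telnetd 90.0.0.10" \
             "in.identd hub.irc.example.org" "in.lpd 90.0.0.200"; do
  set -- $probe
  echo "$1 from $2: $(wrap_check "$d" "$1" "$2")"
done
rm -rf "$d"
```

With ALL: ALL in hosts.deny, anything not listed in hosts.allow (here in.telnetd, or sshd from outside 90.0.0.0/24) is refused, which is the behaviour the deny-first recommendation is after. Delete the hosts.deny line and every one of those probes flips to ALLOW, because the wrappers allow what matches nothing.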
ipchains is the packet-level firewalling tool of the Linux 2.2 kernels. In this example we are using it to protect sensitive ports on a server... think of it as a personal firewall. The rules are applied to eth0 only, so local connections over the loopback interface to the same ports keep working.
#!/bin/bash
# Flushes previous filter
/sbin/ipchains -F input
# Blocks specific ports and logs attempts (-l) - every port the nmap scan above turned up
/sbin/ipchains -A input -p tcp --destination-port 9 -j REJECT -l -i eth0
/sbin/ipchains -A input -p tcp --destination-port 13 -j REJECT -l -i eth0
. . .
/sbin/ipchains -A input -p tcp --destination-port 6000 -j REJECT -l -i eth0
# Blocks all inbound ICMP on eth0, not just ping (this also drops unreachable/fragmentation-needed
# messages) - optional, and not necessarily desirable
/sbin/ipchains -A input -p icmp -j REJECT -l -i eth0
NWCLUG - Oct. 3, 2000 - Ken Beach
For more information, please feel free to email me at: squirrel@squirrelsnest.org