Securing a Basic Linux System.

Examples are shown using a typical Red Hat Linux install, but can easily be adapted to any flavor of Linux. Red Hat Linux was chosen for this demonstration because of the large market share it currently enjoys.

Checking for open ports

There are a number of good tools for checking for open ports. Two of my favorites are netstat and nmap: use netstat if you have local access, and nmap to scan a machine remotely. Remember to check your system for open ports regularly... occasionally newly installed software will open ports without telling you, and a port you did not open yourself can also be a sign that your system has been compromised.

$ netstat -a

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 90.0.0.100:1797         netadsrv.iworld.com:www CLOSE_WAIT  
tcp        1      0 90.0.0.100:1796         overdrive.iworld.co:www CLOSE_WAIT  
tcp        1      0 90.0.0.100:1794         overdrive.iworld.co:www CLOSE_WAIT  
tcp        1      0 90.0.0.100:1793         overdrive.iworld.co:www CLOSE_WAIT  
tcp        0      0 *:1785                  *:*                     LISTEN      
tcp        0      0 90.0.0.100:832          90.0.0.10:ssh           ESTABLISHED 
tcp        0      0 *:6000                  *:*                     LISTEN      
tcp        0      0 *:printer               *:*                     LISTEN      
tcp        1      0 90.0.0.100:1454         207.25.71.195:www       CLOSE_WAIT  
tcp        0      0 *:ssh                   *:*                     LISTEN      
tcp        0      0 *:auth                  *:*                     LISTEN      
tcp        0      0 *:time                  *:*                     LISTEN      
tcp        0      0 *:daytime               *:*                     LISTEN      
tcp        0      0 *:discard               *:*                     LISTEN      
udp        0      0 90.0.0.100:1546         fes-d019.icq.aol.c:4000 ESTABLISHED 
udp        0      0 *:discard               *:*                                 
raw        0      0 *:icmp                  *:*                     7           
raw        0      0 *:tcp                   *:*                     7           


$ nmap 127.0.0.1
Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on celeborn (127.0.0.1):
Port    State       Protocol  Service
9       open        tcp        discard         
13      open        tcp        daytime         
22      open        tcp        ssh             
37      open        tcp        time            
113     open        tcp        auth            
515     open        tcp        printer         
6000    open        tcp        X11             

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

Note: Nmap, by default, only scans ports 1-1024; in order for it to scan all ports, use the -p1- switch... this scans ports 1-65535.
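
As an added example (not part of the talk), a small shell script that applies the check above automatically: it pulls the listening sockets out of a saved netstat -a listing and reports any that are not in a baseline you maintain. The BASELINE list and the sample netstat lines are constructed here from the listing above.

```shell
#!/bin/sh
# Added example, not from the original talk: compare the listening sockets
# reported by "netstat -a" against a baseline of ports you expect and
# report anything new. A listener that appears without a matching install is
# exactly the symptom the text warns about, so run this regularly (e.g. cron).

# Expected listeners, one "proto port" per line. Constructed baseline for the
# host in the listing above: only ssh and the print spooler should answer.
BASELINE='tcp ssh
tcp printer'

# Print "proto port" for each listening socket in a saved netstat -a listing.
# TCP listeners carry State LISTEN; UDP lines have no State column, so a UDP
# socket whose Foreign Address is *:* is treated as a listener.
listening_ports() {
    awk '($1 == "tcp" && $6 == "LISTEN") || ($1 == "udp" && $5 == "*:*") {
             n = split($4, a, ":"); print $1, a[n] }' "$1" | sort -u
}

# Report listeners missing from BASELINE; return 1 if any, 0 if all expected.
new_ports() {
    listening_ports "$1" | while read -r proto port; do
        printf '%s\n' "$BASELINE" | grep -qxF "$proto $port" ||
            echo "UNEXPECTED: $proto $port"
    done | grep . && return 1
    return 0
}

# Constructed sample: the listening lines of the netstat output shown above,
# saved to a temp file. In production use: netstat -a > "$SAMPLE".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:1785                  *:*                     LISTEN
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
udp        0      0 *:discard               *:*
raw        0      0 *:icmp                  *:*                     7
EOF
new_ports "$SAMPLE" || echo "review the listeners above before trusting this host"
```

On the sample this reports four unexpected listeners (1785, 6000, auth and udp discard); use netstat -an if you prefer numeric ports in the baseline.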

Initialization Scripts

/etc/inittab (controls init scripts)

rc.d (runlevel directory) - Red Hat Runlevels.

  • rc0.d - shutdown (halt)
  • rc1.d - single user mode
  • rc2.d - multiuser mode (without NFS)
  • rc3.d - full multiuser mode
  • rc4.d - unused
  • rc5.d - X11
  • rc6.d - reboot

    ** Note: runlevels can vary widely from *nix to *nix (and from one Linux distribution to another). The files listed in the rc?.d directories are symbolic links to scripts located in the init.d directory; in the case of Red Hat these are /etc/rc.d/init.d and /etc/rc.d/rc?.d. I have not seen RedHat 7.0 yet, but I'm told that the rc?.d directories have been moved from /etc/rc.d to /etc.

    Runlevel Tools

  • chkconfig (redhat)
  • ntsysv (redhat)
  • update-rc.d (debian)
  • rm / mv

    S* scripts are started when the system enters a specific runlevel, K* scripts are stopped, and all other filenames are ignored... so instead of deleting links, many people rename them from S* to s*.

    Common RedHat rc?.d files

    S01kerneld (Automatically loads kernel modules as the system needs them)
    S05apmd (power management for laptops)
    S10xntpd (network time protocol)
    S10network (Activates/Deactivates all network interfaces configured to start at boot time)
    S11portmap (required if you have any rpc services, such as NIS or NFS)
    S15sound (saves sound card settings)
    S15netfs (Mounts and unmounts all Network File System (NFS) mount points)
    S20random (Saves and restores system entropy pool for higher quality random number generation)
    S20rstatd (Try to avoid running any r services, they provide too much information to remote users)
    S20rusersd
    S20rwhod
    S20rwalld
    S20bootparamd (Used for diskless clients, you probably don't need this vulnerable service)
    S25squid (proxy server)
    S30syslog (Used by many daemons to log messages to various system log files)
    S30nscd (Name Switch Cache Daemon - Used with NIS or NIS+ for handling passwd & group lookups)
    S34yppasswdd (Required if you are an NIS server, this is an extremely vulnerable service)
    S35ypserv (Required if you are a NIS server, this is an extremely vulnerable service)
    S35dhcpd (Starts dhcp server daemon)
    S40atd (Used for the at service, similar to cron, but not required by the system)
    S45pcmcia (PCMCIA services, only needed for laptops)
    S50inet (starts other internet services as needed... see /etc/inetd.conf file)
    S50snmpd (SNMP daemon, can give remote users detailed information about your system)
    S55named (DNS server, If you are setting up DNS, upgrade to the latest version of BIND)
    S55routed (RIP, don't run this unless you REALLY need it.)
    S55arpwatch
    S55xntpd
    S60bootparamd (Used for diskless clients, you probably don't need this vulnerable service)
    S60lpd (Printing services)
    S60mars-nwe (Netware file and print server)
    S60nfs (Used for NFS server, do not run unless you absolutely have to)
    S72amd (AutoMount daemon, used to mount remote file systems)
    S72autofs
    S75gated (Used to run other routing protocols, such as OSPF)
    S75keytable (loads the selected keyboard map)
    S80sendmail (You can still send email if you turn this script off, you just will not be able to receive or relay.) Special note: most new users use X-based POP clients... so you may not need this at all...
    S85httpd (Apache webserver, Upgrade to latest version)
    S85gpm (mouse may not be needed...)
    S85postgresql (loads postgresql database server)
    S86mcserve (Midnight Commander Server - Allows remote users to use midnight commander to manipulate files on the server)
    S87ypbind (Required if you are an NIS client)
    S90squid (Squid proxy server)
    S90xfs (X font server)
    S91smb (Samba - smbd/nmbd daemons for Windows/Lan manager networking)
    S95innd (News server)
    S99linuxconf (Used to remotely configure Linux systems via browser... a cracker's dream)
    S99local (catch all....)
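
An added example, not from the talk, that turns the runlevel notes above into an audit: it lists the services behind the S* links in a rc?.d directory, flags the ones this list says most hosts should not run, and disables a service by the S* to s* rename described earlier. The RISKY list and the sample init.d/rc3.d tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original talk: list which S* scripts are
# active in a runlevel directory, flag those the talk says most hosts should
# not run, and disable one the way the text describes (rename S* to s*, so
# init skips the link without it being deleted).

# Services the talk advises against running on a typical host.
RISKY='rstatd rusersd rwhod rwalld bootparamd snmpd routed nfs ypserv yppasswdd linuxconf mcserve'

# Print the service name behind each S* link in a rc?.d dir (S20rstatd -> rstatd).
active_services() {
    for f in "$1"/S[0-9][0-9]*; do
        [ -e "$f" ] || continue
        basename "$f" | sed 's/^S[0-9][0-9]//'
    done
}

# Print "RISKY: name" for each active service listed in RISKY; return 1 if any.
risky_active() {
    found=0
    for svc in $(active_services "$1"); do
        for r in $RISKY; do
            [ "$svc" = "$r" ] && { echo "RISKY: $svc"; found=1; }
        done
    done
    return $found
}

# Rename S??name to s??name in a rc?.d dir. On Red Hat, chkconfig --level 3
# name off achieves the same through the tool the talk lists.
disable_service() {
    for f in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$f" ] && mv "$f" "$1/s$(basename "$f" | cut -c2-)"
    done
    return 0
}

# Constructed sample tree standing in for /etc/rc.d/init.d and /etc/rc.d/rc3.d.
RC=$(mktemp -d)
mkdir "$RC/init.d" "$RC/rc3.d"
for s in network rstatd syslog snmpd sshd; do : > "$RC/init.d/$s"; done
ln -s ../init.d/network "$RC/rc3.d/S10network"
ln -s ../init.d/rstatd  "$RC/rc3.d/S20rstatd"
ln -s ../init.d/syslog  "$RC/rc3.d/S30syslog"
ln -s ../init.d/snmpd   "$RC/rc3.d/S50snmpd"
ln -s ../init.d/sshd    "$RC/rc3.d/S55sshd"
risky_active "$RC/rc3.d" || echo "disable the services listed above"
```

Point active_services at /etc/rc.d/rc3.d (or rc5.d for X11 machines) to audit a real host; disable_service only touches the one runlevel directory you give it.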

    inetd.conf

    Common services found in inetd.conf
    I personally recommend disabling everything unless you need a specific protocol... After changing the /etc/inetd.conf file, don't forget to send inetd a HUP signal with kill so it rereads the file (see the note below).

    echo - used for testing (port 7)
    chargen - used for testing (port 19)
    discard - used for testing (port 9)
    daytime (port 13)
    time
    ftp - allows ftp server (port 21)
    telnet - allows telnet access (port 23)
    gopher - allows gopher access. Gopher is a document retrieval system that predates http (port 70)
    smtp - allows inbound mail port - this normally runs as its own daemon (port 25)
    http - starts web server (port 80)
    nntp - starts usenet news server (119)
    shell (port 514)
    login (port 513)
    exec
    talk
    ntalk
    dtalk
    pop-2 - acts as a pop-2 server (email) (port 109)
    pop-3 - acts as a pop-3 server (email) (port 110)
    imap - acts as an imap server (email) (port 143)
    uucp - transfers file transfer requests queued by uucp (port 540)
    tftp - boot server (port 69)
    bootps - boot server (port 68)
    finger - gives out user information (port 79)
    cfinger - gives out user information (port 2003)
    systat - gives out system information (port 11)
    netstat - gives out system information
    time - a method of synchronizing computer clocks on a network
    auth - runs the identd daemon - identifies the server (needed on some IRC servers) (port 113)

    **Note: Don't forget to stop/start inetd after making any changes to inetd.conf

  • localhost$ kill -HUP $PID   ($PID being the process id of inetd)
  • or /etc/rc.d/rc3.d/S50inet restart
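
An added example (not from the talk) for the inetd.conf advice above: a function that comments out every service except the ones named, and the HUP step as a function. The sample inetd.conf is constructed, and the /var/run/inetd.pid path is an assumption about the inetd of the period.

```shell
#!/bin/sh
# Added example, not part of the original talk: comment out every service in
# an inetd.conf except the ones you name (the talk's "disable everything
# unless you need it"), then signal inetd to reread the file.

# Print the names of the services currently enabled (uncommented lines).
active_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# Write a hardened copy of <conf> to stdout, keeping only the named services.
# usage: harden_inetd_conf <conf> <service> [<service>...]
harden_inetd_conf() {
    conf=$1; shift
    keep=" $* "
    while IFS= read -r line; do
        case $line in
            ''|'#'*) printf '%s\n' "$line"; continue ;;   # comments and blanks
        esac
        svc=${line%%[[:space:]]*}          # first field is the service name
        case $keep in
            *" $svc "*) printf '%s\n' "$line" ;;
            *)          printf '#%s\n' "$line" ;;
        esac
    done < "$conf"
}

# The kill -HUP step from the talk. The pid file path is an assumption about
# the Red Hat inetd of the period; pidof is the fallback.
reload_inetd() {
    pid=$(cat /var/run/inetd.pid 2>/dev/null || pidof inetd 2>/dev/null || true)
    [ -n "$pid" ] || { echo "inetd is not running" >&2; return 1; }
    kill -HUP $pid
}

# Constructed sample in the Red Hat 6.x inetd.conf layout.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
echo    stream  tcp     nowait  root    internal
discard stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF
harden_inetd_conf "$CONF" auth > "$CONF.new"   # keep identd only
echo "enabled after hardening: $(active_inetd_services "$CONF.new" | tr '\n' ' ')"
```

On a real host, review the generated file, copy it over /etc/inetd.conf as root, then call reload_inetd; the commented lines stay in place so a service can be re-enabled later.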

    TCP Wrappers

    This comes installed by default in most distributions of Linux.
    Configuration files are found in /etc/hosts.allow and /etc/hosts.deny
    I always recommend starting restrictive and working up from there: in hosts.deny, enter ALL:ALL to deny all outside access to the wrapped applications (usually running out of init). All attempts to use wrapped services will be logged.

    Secure Shell

    I highly recommend replacing telnet, ftp, etc. with ssh, ssh2 or openssh.

    ipchains

    ipchains is a powerful tool for packet-level firewalling. In this example we are using it to protect sensitive ports on a server... think of it as a personal firewall.

    #!/bin/bash
    
    # Flushes previous filter rules from the input chain
    /sbin/ipchains -F input
    
    # Blocks specific ports and logs attempts (-l); only the first two rules and
    # the last are shown here, the remaining ports follow the same pattern
    /sbin/ipchains -A input -p tcp --destination-port 9 -j REJECT -l -i eth0
    /sbin/ipchains -A input -p tcp --destination-port 13 -j REJECT -l -i eth0
    # ...
    /sbin/ipchains -A input -p tcp --destination-port 6000 -j REJECT -l -i eth0
    
    # Rejects all incoming ICMP (which includes ping) - optional, and not necessarily desirable
    /sbin/ipchains -A input -p icmp -j REJECT -l -i eth0
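
As an added example rather than the talk's own script, the same rule set generated from a port list, with a dry-run mode so the rules can be reviewed before they are applied; the port list is taken from the nmap listing earlier on this page, and eth0 is assumed to be the external interface.

```shell
#!/bin/sh
# Added example (not the script from the talk): build the per-port REJECT rules
# of the ipchains script above from a port list instead of repeating a line
# per port. DRY_RUN=1 (the default here) prints the commands; run it as root
# with DRY_RUN=0 to apply them. Note ipchains' default input policy is ACCEPT,
# so only the listed ports are closed.

DRY_RUN=${DRY_RUN:-1}
IFACE=${IFACE:-eth0}
# Ports to close on the external interface: the services the nmap listing
# earlier in the talk found open (discard, daytime, time, auth, printer, X11).
BLOCK_PORTS='9 13 37 113 515 6000'

# Run a command, or just print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Flush the input chain, add one logged REJECT per port, and optionally
# reject ICMP as the talk's script does.  usage: apply_rules [block_icmp]
apply_rules() {
    run /sbin/ipchains -F input
    for port in $BLOCK_PORTS; do
        run /sbin/ipchains -A input -p tcp --destination-port "$port" -j REJECT -l -i "$IFACE"
    done
    if [ "$1" = block_icmp ]; then
        run /sbin/ipchains -A input -p icmp -j REJECT -l -i "$IFACE"
    fi
}

# Number of rules a run would add (the flush excluded): a quick sanity check
# before applying, computed from a dry run regardless of DRY_RUN.
rule_count() {
    ( DRY_RUN=1; apply_rules "$@" ) | grep -c -- '-A input'
}

apply_rules block_icmp
```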
    
    

    NWCLUG - Oct. 3, 2000 - Ken Beach
    For more information, please feel free to email me at: squirrel@squirrelsnest.org