[wellylug] Why security for home PCs could be more important than you realise

Don Jones don.jones at linuxmail.org
Tue Nov 5 17:17:19 NZDT 2002


> Well - That's a nice topic for a meeting :)
> 
> First of all - FORGET TELNET, ONLY SSH !!! (I've been screwed for using
> telnet - someone "sniffed" and rootkitted a SuSE-based server that I've
> built...
> 
> Second - if you don't need it - disable it :) That's why I always go for
> "custom" installs, and leave what I don't need.

Good advice - choose the expert or custom install option rather than the default. It also helps to think about what exactly you want the box to do, i.e. if it's a desktop system you probably don't want squid installed; you may also need to resist the temptation to install everything you can think of because you've heard people talk about it and think you may just want to have a play with it. Once you've done this, select only the packages that you really want.

Network services are obviously where you are the most vulnerable (unless you run a multi-user system), so after installation you need to check what network services your machine is offering. To do this you should use tools like "lsof -i" or "netstat -na" to look for listening daemons (sockstat -4 on FreeBSD is also very good). Also, if you have a second machine, a very good idea is to portscan the new machine using nmap (or scan localhost on the local machine). After identifying which processes are running, determine which of these services you REALLY want to be running, perhaps something like sshd. Anything else you will want to turn off; there are obviously a bunch of ways to turn off services, like:

kill -9 `cat /var/run/process.pid`
or
ps -auxww | grep servicename
and then kill the process(es) or
killall processname
or
/usr/local/apache/bin/apachectl stop (e.g. for apache - some other programs have their own start, stop and reload commands)
or
/etc/init.d/servicename stop (on Red Hat and Red Hat based systems)
or
/usr/local/etc/rc.d/servicename stop (on *BSD systems)

That turns it off for now, but next you need to ensure that the service isn't started on boot. To do this on a Red Hat based system, use the tool chkconfig, which is a sort of frontend tool to the scripts residing in /etc/rc.d which control which services get started at which runlevels.

"chkconfig --list" gives a list of services

Here is an example of how to switch off a service (xinetd in this case):

$ chkconfig --list xinetd
xinetd         	0:off	1:off	2:off	3:on	4:on	5:on	6:off
$ chkconfig --level 345 xinetd off

What it is actually doing is removing the symlink /etc/rc.d/rc5.d/S56xinetd (and the two in rc3.d and rc4.d) which points to /etc/init.d/xinetd. You could obviously do this manually, but this tool saves time; there are also GUI tools for this, but I think it helps to understand what the frontend is actually doing in the background.

Other systems have other ways of doing this (e.g. FreeBSD uses /usr/local/etc/rc.d/ and /etc/rc.conf). I'm not too sure how other distros do this - Debian, Slackware users??

My example of xinetd is important here as well - xinetd is a sort of meta-daemon which runs other daemons, often telnet and ftp. If you don't want any of these services running then turn off the xinetd daemon as above; if you wish to turn off the individual services you can actually also use the chkconfig tool or edit /etc/xinetd.conf directly. Note: some other distros or older systems may use inetd (perhaps in conjunction with tcpwrappers for access control).

The last step is, now you know which network services you run, find out what version you are running and then keep up to date with any security issues with that service, and patch/upgrade when there is an issue. Also note that some services like apache may be making use of other components like OpenSSL or PHP, so be aware of security issues with them as well.

Anyway the basic idea is to:
1/ identify the network services you are running.
2/ decide which of the services from 1 you REALLY want to run.
3/ shut down the processes you do not wish to run right now.
4/ ensure that these services do not start next time you boot the system.
5/ keep up to date with patches of the services you have chosen to run.

That's it. Um, sorry to those who know all this already, but I think this is an important thing to do on any Linux system which can greatly improve your security, and anyone who hasn't done this yet should be encouraged to do so.

Also I'm curious how other distros deal with runlevel startup - any Debian/Gentoo/SuSE users care to point out the differences?

Don Jones

------------------------------
DeCSS in 7 lines of perl:

#!/usr/bin/perl -w
# 531-byte qrpff-fast, Keith Winstein and Marc Horowitz <sipb-iap-dvd at mit.edu>
# MPEG 2 PS VOB file on stdin -> descrambled output on stdout
# arguments: title key bytes in least to most-significant order
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map{$_%16or$t^=$c^=(
$m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;$t^=(72, at z=(64,72,$a^=12*($_%16
-2?0:$m&17)),$b^=$_%64?12:0, at z)[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h
=5;$_=unxb24,join"", at b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$
d=unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d>>12^$d>>4^
$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*8^$q<<6))<<9,$_=$t[$_]^
(($h>>=8)+=$f+(~$g&$t))for at a[128..$#a]}print+x"C*", at a}';s/x/pack+/g;eval
-- 
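As an added example (not part of the original post or the list's own material), the shell script below turns steps 1, 2 and 4 of Don's checklist into a repeatable audit on a Red Hat style box: it reduces "netstat -na" output to the set of listening ports, reports the ones that are not on your wanted list, parses "chkconfig --list" for services switched on in runlevels 3, 4 or 5, and prints the exact "chkconfig --level ... off" commands from the post for each unwanted one. It only reports; it never kills or disables anything. The wanted lists and both sample outputs are constructed for the example and are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example: audit helper for the five-step checklist above (report only).
# Assumptions: the wanted lists and the two sample outputs below are constructed.

# Step 2: what you REALLY want to run. Port 22 for sshd; init-script names as
# found in a typical "chkconfig --list" (assumed).
WANTED_PORTS="22"
WANTED_SERVICES="sshd network syslog"

# Step 1: reduce "netstat -na" output (read on stdin) to "proto port" lines,
# one per listening TCP socket or bound UDP socket. IPv6 "::22" style
# addresses split on ":" just like "0.0.0.0:22" because only the last
# field is kept.
listening_ports() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print "tcp", a[n] }
        $1 ~ /^udp/                    { n = split($4, a, ":"); print "udp", a[n] }
    ' | LC_ALL=C sort -u
}

# Steps 1+2: listeners whose port is not on WANTED_PORTS (stdin: netstat -na).
unexpected_listeners() {
    listening_ports | while read -r proto port; do
        case " $WANTED_PORTS " in
            *" $port "*) ;;                  # wanted, say nothing
            *) echo "$proto $port" ;;
        esac
    done
}

# Step 4: parse "chkconfig --list" (stdin) and print "name levels" for every
# service that is "on" in runlevel 3, 4 or 5 but not on WANTED_SERVICES.
# Lines of the "xinetd based services:" section have only two fields and are
# skipped by the NF test.
enabled_unwanted_services() {
    awk '
        NF >= 8 && $2 ~ /^0:/ {
            on = ""
            for (i = 2; i <= NF; i++) {
                split($i, f, ":")
                if ((f[1] == "3" || f[1] == "4" || f[1] == "5") && f[2] == "on")
                    on = on f[1]
            }
            if (on != "") print $1, on
        }
    ' | while read -r name levels; do
        case " $WANTED_SERVICES " in
            *" $name "*) ;;
            *) echo "$name $levels" ;;
        esac
    done
}

# Step 4, as the post does it: the chkconfig command that removes the S* symlinks
# for exactly the runlevels in which the unwanted service is enabled.
suggested_chkconfig_commands() {
    enabled_unwanted_services | while read -r name levels; do
        echo "chkconfig --level $levels $name off"
    done
}

# Constructed sample output in the shape of "netstat -na" on a Linux host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.5:40112       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Constructed sample output in the shape of "chkconfig --list".
SAMPLE_CHKCONFIG='xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
        rsync:  off'

# Stand-alone run: on a real box replace the samples with
#   netstat -na | unexpected_listeners   and   chkconfig --list | suggested_chkconfig_commands
echo "== listeners not on the wanted list (step 1/2) =="
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
echo "== services to switch off at boot (step 4) =="
printf '%s\n' "$SAMPLE_CHKCONFIG" | suggested_chkconfig_commands
```

On the constructed samples the first report lists tcp 23 (telnet), tcp 3128 (squid, the desktop example from the post) and udp 123, and the second prints "chkconfig --level 345 xinetd off" and "chkconfig --level 35 httpd off"; sshd and network are on the wanted list and stay quiet. Step 3 (stopping the running process) and step 5 (tracking patches for what you keep) are left to the commands in the post, since the script is meant to be safe to run before you have decided anything.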


  .-.   Wellington
  /V\   Linux
 // \\  Users       
/(   )\ Group
 ^^-^^
        http://wlug.paradise.net.nz/
