Also -

Learn about ipchains, the firewall software included with v2.2
kernel-based distros. It is, unfortunately, complex. It is a really cool
tool for security, though.

As far as services: Use either chkconfig, ntsysv or tksysv (if you're in
a GUI) to turn off services you don't need. Especially pay attention to
(i.e. turn off unless you KNOW you need them) sendmail, named, portmap,
httpd, identd, innd, linuxconf (yes, linuxconf - this service just allows
network access to linuxconf, and that is a Bad Thing (tm)), lpd, mars-nwe,
nfs and nfslock, r*, smb, and yp*.

The best advice I got about /etc/inetd.conf was that if I didn't know what
a service was, comment it out.

When I was newer to Linux, I made a lot of mistakes thinking I needed a
service to be running when I didn't. For instance, I thought I needed
sendmail since I was using e-mail. Sendmail only need be run if your
machine is a mail server, not a mail client.

The best thing you can do is get to know what the files in
/etc/rc.d/init.d are for. Read the man pages, determine if you REALLY
need it, and if not, disable it.

The most powerful tool you have in securing your server is the one you
carry between your ears.

Regards,
Thomas Cameron, RHCE, CNE, MCP, MCT
Three-Sixteen Technical Services, Inc.
A Subsidiary of Team Linux Corporation
Linux training in Austin, Texas -- http://training.three-sixteen.com

On Mon, 17 Apr 2000, Jack C. Miller wrote:
>
> My short laundry list of security tips:
>
> Disable services in inetd.conf that you don't need. Comment out ftp,
> telnet, the r* services, and anything else you don't absolutely have to
> have.
>
> Disable services that are started at boot time: bind, postgres, and all
> the other wacky stuff that many linux distributions install via the
> "kitchen sink approach". Find your default run-level and whack services
> out of its start up directory (/etc/init.d/rc3.d most likely).
>
> Know and love tcpwrappers; use it to limit services to known subnets or
> hosts as much as possible.
>
> Know and love secure shell; this should de facto replace telnet as your
> means of connecting to your system if it hasn't already.
>
> Subscribe to mailing lists that post security announcements. Update your
> system as soon as it is feasible if a hole is found in a service you run.
> I have found that bugtraq and ntbugtraq have good signal-to-noise ratios;
> the list moderators do a good job on both lists.
>
> Ultimately, the best approach to security is minimalism and vigilance.
> This route led me to OpenBSD, which I recommend highly to anyone who is
> interested in seeing how secure a unix can be out of the box.
>
> Jack Miller
>
> ---------------------------------------------------------------------------
> Send administrative requests to [EMAIL PROTECTED]
>
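The /etc/inetd.conf advice from both messages (comment out whatever you do not need or do not recognise), as an added example that is not part of either e-mail. The function names, the keep-list argument and the sample file are assumptions made for illustration; the sample entries are constructed.

```shell
# Audit an inetd.conf-style file against an explicit keep list (added example).

# Constructed sample in the classic inetd.conf layout:
# service  socket  proto  wait  user  server  args
sample_inetd_conf() {
cat <<'EOF'
# sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF
}

# list_enabled FILE: print the service name of every active (uncommented) entry.
list_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# harden FILE [KEEP...]: print a copy of FILE in which every active entry whose
# service name is not in KEEP is commented out. Comments and blank lines pass
# through unchanged, so the output can be diffed against the original.
harden() {
    file=$1; shift
    awk -v keep="$*" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }   # already a comment, or not an entry
        ($1 in ok)           { print; next }   # explicitly kept
                             { print "#" $0 }  # unknown or unneeded: comment out
    ' "$file"
}

# Demo on the constructed sample: keep nothing, then show what is still active.
tmp=$(mktemp) && sample_inetd_conf > "$tmp"
echo "enabled before: $(list_enabled "$tmp" | tr '\n' ' ')"
harden "$tmp" > "$tmp.new"
echo "enabled after:  $(list_enabled "$tmp.new" | tr '\n' ' ')"
rm -f "$tmp" "$tmp.new"
```

Review the output before installing it over the real file; inetd rereads its configuration when it receives SIGHUP.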