Strengthening Your System by Removing Unneeded Services from inetd.conf
Many administrators out there on the internet run services that
they don't really need, don't know about, or just don't care about. I
find it almost funny to see people out there with IMAP, Pop-2, and Pop-3
services running on a server that will probably never see a piece of mail.
The bottom line is just this:
If you don't use it, why do you have it running?
As obvious as this might seem, many would-be Systems
Administrators out there don't think about it: if it's not a mail server,
why run mail delivery services for the benefit of clients that will never
connect?
To make matters worse, the developers of many operating systems
don't seem to understand this either, and their distributions enable more
services than is safe. A good example would be Linux. The bottom line is that
if you install a distribution of Linux straight from the box and just let
it sit for three months, there is a good chance that anyone who has enough
brains to figure out gcc can break into your system.
An out-of-the-box installation of an operating system usually
isn't meant to just be a pre-configured web server, or any other server
for that matter. Any server connected to any network doesn't need to run
all of the default services installed with any given operating system
(except maybe OpenBSD -- shameless plug here, I apologize).
Now, after a pretty lengthy explanation of what this article is about
I'll cut to the chase -- how to disable those pesky unwanted services. Most
of the things that you are concerned about rest in /etc/inetd.conf. Here is
an example entry from that file.
finger stream tcp nowait nobody /usr/libexec/fingerd fingerd
Rather than rehashing the documentation on inetd, I think it will
be easier to just tell you what to keep or take out. The name of the
service, in the first column, is what you will be concerned with. The
name is usually fairly descriptive -- the one that says telnet runs,
obviously enough, the telnet service. To disable a service, simply
comment the entry out with a '#' sign as the first character of the line.
Here is a list of fairly common services and what they do, along
with my recommendation for keeping or disabling each one. As a general
rule of thumb, if you don't know what it is, then you probably don't use
it.
ftp: FTP is the File Transfer Protocol. If you don't know what that is, then you have no business running a server. If you use FTP, keep it. Switching it to a different port helps a bit if you're a die-hard security person (to be covered in a further article).
telnet: Do you or anyone else ever telnet to the machine over the network? If so, keep it.
shell: This is the server end of rsh. Again, if you use rsh, keep it. Otherwise kill it.
login: Server end of rlogin. If you use it, keep it.
exec: Do you use rexec? If so, keep it.
uucpd: Most places don't use this, and it's not enabled in inetd.conf by default in any recent version of *BSD. It's usually a good idea to keep it commented out unless you use it.
finger: You can argue either way as to whether to keep it or not. On systems not concerned with a high level of security, it's okay to keep it. Personally, on every system that I administer, it's disabled.
ident: Do you IRC? If so, keep this. This is the daemon that reports which local user owns the connection going out on the specified port.
tftp: Do you netboot workstations? Keep it if you do; otherwise trash it.
ntalk: Do you ever use talk between machines? This opens up some problems with shell users and talk bombs. I choose to disable it, but it can be useful at times.
echo: A service used for testing. Whatever you send to its port gets echoed right back. Disable it.
discard: Basically like writing to /dev/null. Whatever you send is lost forever. Disable it.
chargen: Why? It generates characters. If you're ever really bored, telnet to the chargen port of a fast machine on a T-3. Disable it.
time: Echoes the time. Some places use it. I don't.
daytime: Essentially the same as time.
Services such as klogin, eklogin, kshell, ekshell, and kauth are
Kerberos-authenticated versions of the services mentioned above. If you don't
use Kerberos, why keep them enabled?
Also, once you disable these services, remember to kill -HUP the
inetd process to force a re-read of inetd.conf. It's such a simple thing
to do but many system administrators set themselves up for a lot of
frustration by forgetting. Might as well start with the basics, right?
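Putting the procedure together, here is an added shell example (my own, not code from the article or the ezine) that comments out the entries for a set of services in a constructed sample inetd.conf, lists what is still enabled, and sends inetd the HUP the text mentions. The pid file path is an assumption and varies between systems.

```shell
#!/bin/sh
# Write a constructed sample inetd.conf (not taken from any real host) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/libexec/ftpd    ftpd -l
telnet  stream  tcp  nowait  root    /usr/libexec/telnetd telnetd
finger  stream  tcp  nowait  nobody  /usr/libexec/fingerd fingerd
echo    stream  tcp  nowait  root    internal
echo    dgram   udp  wait    root    internal
chargen stream  tcp  nowait  root    internal
#uucpd  stream  tcp  nowait  root    /usr/libexec/uucpd   uucpd
EOF
}

# Print the service name (first column) of every entry that is still active:
# neither blank nor commented out with '#'.
list_enabled() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Comment out every entry (tcp and udp lines alike) whose first column is the
# given service name. A copy of the untouched file is kept as FILE.orig.
disable_service() {
    file=$1; svc=$2
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}

# inetd only re-reads inetd.conf on SIGHUP. The pid file location is an
# assumption; check where your system keeps it.
reload_inetd() {
    pidfile=${1:-/var/run/inetd.pid}
    if [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"
    else
        echo "no pid file at $pidfile; inetd not reloaded" >&2
        return 1
    fi
}

# Walk-through on the sample: drop the services the article says to disable.
conf=${TMPDIR:-/tmp}/inetd.conf.demo
write_sample_conf "$conf"
for s in echo chargen finger; do disable_service "$conf" "$s"; done
list_enabled "$conf"    # prints: ftp and telnet, one per line
```

Run it against a copy of the real file first and diff it against the .orig backup before reloading inetd.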
I'd like to wrap up by apologizing for doing such a simplistic
article for the first issue of this ezine. Although many of us are *BSD
gurus looking for clever security tips, we really should begin with the
basics for our newer readers out there.
Next time we will discuss TCP Wrappers. What it is, why to use it,
and much much more. Be sure to stay tuned.
Gentry Bieker