1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Security</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="PREVIOUS" title="Talking to Other People"
href="basic-network-commands-talk.html" />
<link rel="NEXT" title="Host Access Control" href="security-host.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="CHAPTER" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>
<tr>
<td width="10%" align="left" valign="bottom"><a href="basic-network-commands-talk.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom"></td>
<td width="10%" align="right" valign="bottom"><a href="security-host.html"
accesskey="N">Next</a></td>
</tr>
</table>
<hr align="LEFT" width="100%" />
</div>
<div class="CHAPTER">
<h1><a id="SECURITY" name="SECURITY"></a>Chapter 14 Security</h1>
<div class="TOC">
<dl>
<dt><b>Table of Contents</b></dt>
<dt>14.1 <a href="security.html#SECURITY-DISABLE">Disabling Services</a></dt>
<dt>14.2 <a href="security-host.html">Host Access Control</a></dt>
<dt>14.3 <a href="security-current.html">Keeping Current</a></dt>
</dl>
</div>
<p>Security on any system is important; it can prevent people launching attacks from your
machine, as well as protect sensitive data. This chapter is all about how to start
securing your Slackware box against script kiddies, crackers and rogue hamsters alike.
Bear in mind that this is only the start of securing a system; security is a process, not
a state.</p>
<div class="SECT1">
<h1 class="SECT1"><a id="SECURITY-DISABLE" name="SECURITY-DISABLE">14.1 Disabling
Services</a></h1>
<p>The first step after installing Slackware should be to disable any services you don't
need. Any services could potentially pose a security risk, so it is important to run as
few services as possible (i.e. only those that are needed). Services are started from two
main places - <tt class="COMMAND">inetd</tt> and init scripts.</p>
<div class="SECT2">
<h2 class="SECT2"><a id="AEN5081" name="AEN5081">14.1.1 Services started from <tt
class="COMMAND">inetd</tt></a></h2>
<p>A lot of the daemons that come with Slackware are run from <tt
class="COMMAND">inetd</tt>(8). <tt class="COMMAND">inetd</tt> is a daemon that listens on
all of the ports used by services configured to be started by it and spawns an instance
of the relevant daemon when a connection attempt is made. Daemons started from <tt
class="COMMAND">inetd</tt> can be disabled by commenting out the relevant lines in <tt
class="FILENAME">/etc/inetd.conf</tt>. To do this, open this file in your favorite editor
(e.g. <tt class="COMMAND">vi</tt>) and you should see lines similar to this:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
</pre>
</td>
</tr>
</table>
<p>You can disable this service, and any others you don't need, by commenting them out
(i.e. adding a <var class="LITERAL">#</var> (hash) symbol to the beginning of the line).
The above line would then become:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
</pre>
</td>
</tr>
</table>
<p>After <tt class="COMMAND">inetd</tt> has been restarted, this service will be
disabled. You can restart <tt class="COMMAND">inetd</tt> with the command:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">kill -HUP $(cat /var/run/inetd.pid)</kbd>
</pre>
</td>
</tr>
</table>
</div>
<div class="SECT2">
<h2 class="SECT2"><a id="AEN5102" name="AEN5102">14.1.2 Services started from init
scripts</a></h2>
<p>The rest of the services started when the machine starts are started from the init
scripts in <tt class="FILENAME">/etc/rc.d/</tt>. These can be disabled in two different
ways, the first being to remove the execute permissions on the relevant init script and
the second being to comment out the relevant lines in the init scripts.</p>
<p>For example, SSH is started by its own init script at <tt
class="FILENAME">/etc/rc.d/rc.sshd</tt>. You can disable this using:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">chmod -x /etc/rc.d/rc.sshd</kbd>
</pre>
</td>
</tr>
</table>
<p>For services that don't have their own init script, you will need to comment out the
relevant lines in the init scripts to disable them. For example, the portmap daemon is
started by the following lines in <tt class="FILENAME">/etc/rc.d/rc.inet2</tt>:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# This must be running in order to mount NFS volumes.
# Start the RPC portmapper:
if [ -x /sbin/rpc.portmap ]; then
echo "Starting RPC portmapper: /sbin/rpc.portmap"
/sbin/rpc.portmap
fi
# Done starting the RPC portmapper.
</pre>
</td>
</tr>
</table>
<p>This can be disabled by adding <var class="LITERAL">#</var> symbols to the beginnings
of the lines that don't already start with them, like so:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# This must be running in order to mount NFS volumes.
# Start the RPC portmapper:
#if [ -x /sbin/rpc.portmap ]; then
# echo "Starting RPC portmapper: /sbin/rpc.portmap"
# /sbin/rpc.portmap
#fi
# Done starting the RPC portmapper.
</pre>
</td>
</tr>
</table>
<p>These changes will only take effect after either a reboot or changing from and back to
runlevel 3 or 4. You can do this by typing the following on the console (you will need to
log in again after changing to runlevel 1):</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telinit 1</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telinit 3</kbd>
</pre>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="basic-network-commands-talk.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="security-host.html"
accesskey="N">Next</a></td>
</tr>
<tr>
<td width="33%" align="left" valign="top">Talking to Other People</td>
<td width="34%" align="center" valign="top"> </td>
<td width="33%" align="right" valign="top">Host Access Control</td>
</tr>
</table>
</div>
</body>
</html>
|
