Will --
You've already gotten some pretty good responses to your concerns, but they
are not quite complete. They told you the easiest ways to disable the
services but, depending on your situation, possibly not the best.
If you have a single Linux workstation, connected to the Internet via a PPP
modem connection to an ISP, then do what other have already suggested.
Specifically:
a. go into the file /etc/inetd.conf and comment out ( = add a leading # to
the line) the lines with the services you want to block. This way you can
take care of telnet, ftp, finger, pop3, imapd -- in typical Linux
installations, everything *except* sendmail, httpd, NFS, and Samba, all of
which normally don't run through inetd. DON'T, BTW, edit /etc/services; that
is just a "dictionary" of standard services and should be left alone -- make
the changes in inetd.conf only.
b. restart inetd so the changes take effect. The easiest way is to look up
inetd's pid ( ps ax |grep inetd), kill the program (kill -9 pid, replacing
pid with the number you found), then restart inetd (inetd), always working
as root. I think "kill -SIGHUP pid" also works instead of killing and
restarting.
As to sendmail, either it runs or it doesn't. If you get INCOMING mail by
SMTP, you need it (or an equivalent that answers on port 25) running. If
instead you receive mail by POP3 or imap (for example, if you run
fetchmail), you don't need to run the sendmail daemon (though you will need
to make provision for clearing the outgoing mail queue periodically). Killit
and remove (or comment out) the lines that start it from the appropriate rc
script.
Same for httpd -- either it runs or it doesn't. (Well, actually it CAn run
through inetd, but this method is uncommon.) If you aren't hosting a Web
site, kill it and remove the lines that start it from the appropriate rc script.
NFS runs through the rpc system. If you don't use it, kill rpc.portdaemon,
rpc.nfsd, and rpc.mountd. I don't run Samba, so I can;t tell you how to
handle that one.
All of the above is what to do if you can simply turn the services off. If
you can't -- perhaps because your Linux host also acts as a server on a LAN
-- you need to restrict access to the services. You can (probably) do this
with the files /etc/hosts.allow and /etc/hosts.deny . Your inetd.conf file
probably already has entries on almost every line to run requests through
tcpd (also knows as tcp wrappers), and tcpd checks these files. So does the
portmapper used by NFS. So you can use them to restrict access to IP
addresses on your LAN. If, for example, your LAN is 192.168.42.0, you would
set up the files about like this:
in hosts.deny:
ALL: ALL
in hosts.allow
ALL: 192.168.42.0/255.255.255.0
For the details, see "man 5 hosts_access".
Handling sendmail and https in the LAN case requires some expertise in the
individual applications and is beyond what I can write up off the top of my
head.
At 01:24 AM 1/14/99 -0500, [EMAIL PROTECTED] wrote:
>Oh my god!!! I'm scared
[deleted]
>
>HOW CAN I STOP THESE SERVICES FROM RUNNING?
>
>Can I deny anyone from the out side (not sitting at the computer) from getting
>into my machine?
>
>I don't want just anyone poking around in my machine.
[deleted]
------------------------------------"Never tell me the odds!"---
Ray Olszewski -- Han Solo
762 Garland Drive
Palo Alto, CA 94303-3603
650.321.3561 voice 650.322.1209 fax [EMAIL PROTECTED]
----------------------------------------------------------------
