If you don't pop mail from this machine, turn off inetd completely (you
don't need it).  If you do, put a # sign in front of all _except_ pop3,
then stop and start inetd.

Then also run:

netstat -tupan

and look at all your open ports.  If you don't need the service, turn it
off.  If you only need the service locally, block it with iptables from
external use.  You should protect your system with iptables:

iptables -t filter -A FORWARD -i <ext_dev> -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i <ext_dev> -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i <ext_dev> -m state --state NEW,INVALID -j DROP
iptables -t filter -A INPUT -i <ext_dev> -m state --state NEW,INVALID -j DROP

Replace <ext_dev> with your external device, e.g., ppp0 (or ppp+), eth0,
etc.

On Wed, 13 Feb 2002 23:35:17 -0600
begin  daddy <[EMAIL PROTECTED]> spewed forth:

> With my recent hacker scare I decided to look into my security.  Here
> is a portion of my inetd.conf file.  I only use my internet
> connection to receive email (pop3) and surf the internet at this point.
> What can I turn off?
> 
> #echo dgram   udp     wait    root    internal
> discard       stream  tcp     nowait  root    internal
> discard dgram udp     wait    root    internal
> daytime       stream  tcp     nowait  root    internal
> daytime dgram udp     wait    root    internal
> #chargen stream       tcp     nowait  root    internal
> #chargen dgram        udp     wait    root    internal
> time  stream  tcp     nowait  root    internal
> time  dgram   udp     wait    root    internal
> #
> # These are standard services.
> #
> ftp     stream  tcp     nowait  root    /usr/sbin/tcpd in.ftpd -l -a
> telnet  stream  tcp     nowait  root    /usr/sbin/tcpd in.telnetd
> 
> #
> # Mail and news
> #
> # Do not uncomment either unless you *really* know what you are doing.
> # Both are started as standalone daemons from the /etc/rc.d scripts.
> #smtp stream  tcp     nowait  root    /usr/bin/smtpd  smtpd
> #nntp stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
> 
> #
> # Shell, login, exec and talk are BSD protocols.
> #
> shell   stream  tcp     nowait  root    /usr/sbin/tcpd in.rshd
> login   stream  tcp     nowait  root    /usr/sbin/tcpd in.rlogind
> exec    stream  tcp     nowait  root    /usr/sbin/tcpd in.rexecd
> talk    dgram   udp     wait    nobody.tty /usr/sbin/tcpd in.talkd
> ntalk   dgram   udp     wait    nobody.tty /usr/sbin/tcpd in.ntalkd
> #dtalk        stream  tcp     wait    nobody.tty      /usr/sbin/tcpd  in.dtalkd
> 
> #
> # Pop and imap mail services et al
> #
> pop2    stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
> pop3    stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
> imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
> #
> # The Internet UUCP service.
> #
> uucp  stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/sbin/uucico -l
> #
> # Tftp service is provided primarily for booting.  Most sites
> # run this only on machines acting as "boot servers." Do not uncomment
> # this unless you *need* it.
> #
> #tftp dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
> #bootps       dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
> #
> #  This is for the finger service
> # 
> finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd in.fingerd -u
> /var/run/.ppp_socket stream  unix    nowait  root    /usr/sbin/ppp-envoy ppp-envoy -da
> #
> # Finger, systat and netstat give out user information which may be
> # valuable to potential "system crackers."  Many sites choose to disable
> # some or all of these services to improve security.
> #
> #systat       stream  tcp     nowait  nobody  /usr/sbin/tcpd  /bin/ps -auwwx
> #netstat stream       tcp     nowait  nobody  /usr/sbin/tcpd  /bin/netstat --inet
> #
> # Authentication
> #
> auth    stream  tcp     nowait  root    /usr/sbin/in.identd in.identd
> swat    stream  tcp     nowait.400 root    /usr/sbin/tcpd swat
> #
> # End of inetd.conf
> 
> Sometime in the near future I would like to use this box as a gateway 
> to a home network.  Would I need to reactivate anything at that 
> point?  Thanks for the input.  
> 
> Mark
> _______________________________________________
> Linux-users mailing list - http://linux.nf/mailman/listinfo/linux-users
> Subscribe/Unsubscribe info, Archives,and Digests are located at the
> above URL.

Ciao,

David A. Bandel
-- 
Focus on the dream, not the competition.
                -- Nemesis Racing Team motto
Internet (H323) phone: 206.28.187.30
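As an added example (not part of David's reply or Mark's file), a small POSIX shell helper that applies the "put a # in front of everything except pop3" step mechanically: it reads an inetd.conf, leaves only allowlisted service names active, and reports what is still enabled afterwards. The inetd.conf sample embedded in it is constructed, modelled on the quoted file.

```shell
#!/bin/sh
# Constructed sample inetd.conf (not the poster's real file), used as input below.
SAMPLE_INETD='#echo dgram   udp     wait    root    internal
discard       stream  tcp     nowait  root    internal
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd in.telnetd
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
# Authentication
auth    stream  tcp     nowait  root    /usr/sbin/in.identd in.identd'

# harden_inetd "svc1 svc2 ..."  -- reads an inetd.conf on stdin, writes the
# hardened copy to stdout. Every active entry whose service name (first
# field) is not in the space-separated allowlist gets a leading '#'.
# Comment lines and blank lines pass through untouched.
harden_inetd() {
    allow=" $1 "
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        svc=${line%%[[:space:]]*}          # service name = first field
        case "$allow" in
            *" $svc "*) printf '%s\n' "$line" ;;   # allowlisted: keep active
            *)          printf '#%s\n' "$line" ;;  # anything else: disable
        esac
    done
}

# list_active -- prints the service names still enabled in an inetd.conf
# read on stdin; after hardening this should be exactly the allowlist.
list_active() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s\n' "${line%%[[:space:]]*}"
    done
}

# Example run: keep only pop3, then show what remains enabled.
hardened=$(printf '%s\n' "$SAMPLE_INETD" | harden_inetd pop3)
printf '%s\n' "$hardened"
printf 'still active: %s\n' "$(printf '%s\n' "$hardened" | list_active)"
```

To apply it to a real system you would run the hardened output into a new file, diff it against /etc/inetd.conf, then install it and restart inetd as the reply describes.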