In light of the recent threads on this list concerning cracking, I
thought I'd post some questions regarding Linux security. Until
setting my box up on resnet, security wasn't a major concern. But, now
it is. :) Basically, I'll outline what I've done for anyone who is
interested, and then state what I'd like to do but am not sure how.

I disabled most of the unused services in inetd.conf, including
TFTP. I do have a few services which I am not familiar with, and am
wondering if I can get away with removing the following lines from
inetd.conf:
discard         stream  tcp     nowait  root    internal
discard         dgram   udp     wait    root    internal
daytime         stream  tcp     nowait  root    internal
daytime         dgram   udp     wait    root    internal
time            stream  tcp     nowait  root    internal
time            dgram   udp     wait    root    internal
I've never had much of a need to mess with inetd.conf. Are these
services accessible via TCP sockets? I'm using Debian 2.0, and they
were listed as internal services. Does this mean that they are
internal to inetd in the sense that they don't interface to a TCP
port, or that the actual code for providing these services is internal
to inetd, as opposed to some external utility such as in.telnetd,
etc. Furthermore, running nmap on my machine reveals activity on the
following ports: 9, 13, 37, 111, and 113. Note that I've omitted ports
such as 23, 25, 53, etc. which I know about. :) Can services on these
ports be disabled without adversely affecting my box?

I would also like to regularly be able to scan syslog entries, quickly
locating any attempts to gain unauthorized access to my system. But,
how would I go about sorting these from the regular syslog messages,
such as those produced by qmail when legitimate email is
sent/received, for example? In Debian, are such messages sent to a
different logfile? If not, is there a standard mechanism which
programs use for logging such attempts, and if so, how can I quickly
spot these attempts and have them sent to /dev/console?

Furthermore, what else can I do to protect my system? And while I'm
thinking about it, is there some way to avoid sending unencrypted
passwords when retrieving mail from mail.utexas.edu? It doesn't appear
as if SSH is running there, but is there a site between resnet and
mail through which I can tunnel encrypted data?

I realize this message seems a bit disorganized, and
apologize. Hopefully, I'll be able to gain some useful insight, as well
as helping others to be aware of security issues which are involved in
running a secure Linux box.

                                           Nolan Darilek
                                      [EMAIL PROTECTED]
                                         ICQ UIN: 15709478

-------------------------------------------------------------------------------
"It's easier said than done."

... and if you don't believe it, try proving that it's easier done than
said, and you'll see that "it's easier said that `it's easier done than
said' than it is done", which really proves that "it's easier said than
done".
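Added example, not part of the original post or any reply to it: a small POSIX shell script covering the two practical questions above, namely commenting the inetd "internal" services (discard, daytime, time) out of an inetd.conf, and picking authentication failures out of a syslog stream so they can be forwarded to /dev/console. It assumes the classic seven-field inetd.conf format and the Debian-of-that-era convention that login, su and the in.* daemons report through the auth facility; the failure keywords and the sample log lines are constructed for the demonstration and are not a complete list of what real daemons write.

```shell
#!/bin/sh
# Added example (not the poster's code). Assumes a classic inetd.conf layout
# and plain-text syslog lines; the keyword list below is an assumption.

# 1. Comment out the named services in an inetd.conf. inetd answers
#    discard/daytime/time itself (that is what "internal" means), but it
#    still opens TCP/UDP 9, 13 and 37 for them; commenting the lines and
#    sending inetd a HUP closes those ports. Reads a file, or stdin if "-",
#    and writes the edited file to stdout so it can be reviewed first.
#    Usage: disable_inetd_services /etc/inetd.conf discard daytime time
disable_inetd_services() {
    conf="$1"; shift
    pattern=""
    for svc in "$@"; do
        pattern="${pattern}${pattern:+|}${svc}"
    done
    # Match the service name in field 1 only; leave already-commented lines alone.
    awk -v re="^(${pattern})\$" '
        /^[[:space:]]*#/ { print; next }
        $1 ~ re          { print "#" $0; next }
                         { print }
    ' "$conf"
}

# 2. Select authentication failures from a syslog file (or stdin if "-").
#    Mail daemons log through a different facility and never match the
#    program names here, so their traffic drops out of the result.
#    Usage: find_auth_failures /var/log/auth.log
#           tail -f /var/log/auth.log | find_auth_failures -
find_auth_failures() {
    grep -E -i \
        '(login|sshd|su|in\.(telnetd|ftpd|rlogind)|PAM)[^:]*: .*(fail|refused|invalid|bad|denied|illegal)' \
        "${1:--}"
}

# Forward matches to the console, as the post asks (needs write access to it).
report_to_console() {
    find_auth_failures "$1" > /dev/console
}

# Constructed sample input (not real logs or a real inetd.conf).
SAMPLE_INETD='discard stream tcp nowait root internal
discard dgram udp wait root internal
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#daytime stream tcp nowait root internal
time stream tcp nowait root internal'

SAMPLE_LOG='Oct  3 01:12:07 box login[412]: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure
Oct  3 01:12:09 box qmail: 907434729.651 new msg 6301
Oct  3 01:13:44 box in.telnetd[433]: refused connect from 10.0.0.5
Oct  3 01:14:02 box su: BAD SU alice to root on /dev/ttyp0
Oct  3 01:14:30 box sendmail[440]: delivered to bob'

# Helpers that return results for checking rather than only printing them.
demo_disable() {
    printf '%s\n' "$SAMPLE_INETD" | disable_inetd_services - discard daytime time
}

count_auth_failures() {
    printf '%s\n' "$SAMPLE_LOG" | find_auth_failures - | wc -l | tr -d ' '
}
```

Run `demo_disable` to see the three discard/time lines gain a leading `#` while the telnet line and the already-commented daytime line are untouched; `count_auth_failures` returns 3 for the sample, the qmail and sendmail lines having been filtered out. Confirm the ports are really closed afterwards with the same nmap scan the post mentions rather than trusting the edit alone.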