[EMAIL PROTECTED] wrote:
> I disabled most of the unused services in inetd.conf, including
> TFTP. I do have a few services which I am not familiar with, and am
> wondering if I can get away with removing the following lines from
> inetd.conf:
> discard stream tcp nowait root internal
> discard dgram udp wait root internal
When you connect to this port, anything sent to it is discarded.
> daytime stream tcp nowait root internal
> daytime dgram udp wait root internal
When you connect to this port, you get the daytime ...
Fri Sep 25 18:01:54 1998
> time stream tcp nowait root internal
> time dgram udp wait root internal
This will sync with the time daemon.
> I've never had much of a need to mess with inetd.conf. Are these
> services accessible via TCP sockets? I'm using Debian 2.0, and they
Not by default that I know of .. you could most likely wrap them on your
own though ..
> were listed as internal services. Does this mean that they are
> internal to inetd in the sense that they don't interface to a TCP
> port, or that the actual code for providing these services is internal
> to inetd, as opposed to some external utility such as in.telnetd,
Yes to the latter. I believe they are internal to inetd.
> etc. Furthermore, running nmap on my machine reveals activity on the
> following ports: 9, 13, 37, 111, and 113. Note that I've omitted ports
> such as 23, 25, 53, etc. which I know about. :) Can services on these
> ports be disabled without adversely affecting my box?
Anything that you are not using actively is probably a good thing to disable..
If you want to find out what the ports are ... just grep the numbers out
of the /etc/services file..
> I would also like to regularly be able to scan syslog entries, quickly
> locating any attempts to gain unauthorized access to my system. But,
> how would I go about sorting these from the regular syslog messages,
> such as those produced by qmail when legitimate email is
> sent/received, for example. In Debian, are such messages sent to a
> different logfile? If not, is there a standard mechanism which
> programs use for logging such attempts, and if so, how can I quickly
> spot these attempts and have them sent to /dev/console?
All this is configurable (the log paths) via the /etc/syslog.conf.
As for syslog watching ... I personally use 'abacus sentry' .. which you can
find more info on at : http://www.psionic.com/abacus/abacus_sentry.html
It's a bit involved to set up .. but I find it quite effective.
once you set it up, it will parse that file and send weirdnesses to you via
email.
> Furthermore, what else can I do to protect my system? And while I'm
> thinking about it, is there some way to avoid sending unencrypted
> passwords when retrieving mail from mail.utexas.edu? It doesn't appear
> as if SSH is running there, but is there a site between resnet and
> mail through which I can tunnel encrypted data?
This is an interesting problem ... what I've done at home is semi-non kosher
but it prevents any cleartext passwords ...
I have an account with dyn.ml.org and a MX entry in that also .. then I have
all my email forwarded to that dyn.ml.org address, and have my sendmail
wrapped, and then allowed in all the utexas mail servers and whatnot ...
this way all the mail just bounces straight through the firewall and to
me.
I could write a book myself on all the crap I've done to secure unix
boxes and the best way to go about that ... I just haven't sat down and
done it yet :)
Aaron
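An added example (not part of the original thread, and not Aaron's or the poster's code) that puts the two practical suggestions above into a runnable script: looking up the port numbers nmap reported (9, 13, 37, 111, 113) in an /etc/services-style table, and pulling unauthorized-access attempts out of syslog output without being swamped by qmail traffic. Both the services table and the syslog lines are constructed inline so it runs offline; the `port_name` and `suspicious_lines` function names, the hostname `box`, and the address 192.0.2.7 are assumptions made for the example.

```shell
#!/bin/sh
# Constructed excerpt in /etc/services format (name port/proto [aliases]).
# On a real Debian box you would read /etc/services itself instead.
SERVICES_TABLE='# Network services, Internet style
discard 9/tcp sink null
discard 9/udp sink null
daytime 13/tcp
daytime 13/udp
time 37/tcp timserver
time 37/udp timserver
sunrpc 111/tcp portmapper
sunrpc 111/udp portmapper
auth 113/tcp authentication tap ident
telnet 23/tcp
smtp 25/tcp mail'

# port_name PORT: print "name/proto" for every table entry on that port.
# Same idea as grepping the number out of /etc/services, but matched on the
# port field only, so "9" does not also hit 19, 109, 119 and so on.
port_name() {
    printf '%s\n' "$SERVICES_TABLE" | awk -v p="$1" '
        $1 !~ /^#/ { split($2, a, "/"); if (a[1] == p) print $1 "/" a[2] }'
}

# Constructed syslog lines: ordinary qmail delivery noise mixed with a
# tcp_wrappers refusal and a failed console login from the same address.
SAMPLE_LOG='Sep 25 18:01:54 box qmail: 906763314.123 new msg 4711
Sep 25 18:01:55 box qmail: 906763315.456 delivery 1: success: did_0+0+1/
Sep 25 18:02:10 box in.telnetd[421]: refused connect from 192.0.2.7
Sep 25 18:02:31 box login[422]: FAILED LOGIN 1 FROM 192.0.2.7 FOR root, Authentication failure
Sep 25 18:03:00 box qmail: 906763380.789 end msg 4711'

# suspicious_lines: read syslog text on stdin, keep only lines that look like
# refused or failed access attempts. Extend the pattern as your daemons' wording
# requires; the mail traffic falls through untouched.
suspicious_lines() {
    grep -iE 'refused connect|FAILED LOGIN|authentication failure|connection attempt'
}

# To have such messages reach the console as they happen, route the auth
# facility there in /etc/syslog.conf (then restart syslogd), e.g.:
#   auth.*    /dev/console
# Daemons that log under another facility need their own selector line.

# Demonstration when run directly:
for p in 9 13 37 111 113; do
    printf '%s -> %s\n' "$p" "$(port_name "$p" | tr '\n' ' ')"
done
printf '%s\n' "$SAMPLE_LOG" | suspicious_lines
```

Run it with `sh script.sh`; to use the real table, replace the `SERVICES_TABLE` heredoc with `cat /etc/services`, and feed `suspicious_lines` from `/var/log/auth.log` or wherever your syslog.conf sends the auth facility.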