
<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Security Administration with Debian GNU/Linux LG #89</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
<!--endcut ============================================================-->
<TABLE BORDER><TR><TD WIDTH="200">
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/2002/lglogo_200x41.png"
WIDTH="200" HEIGHT="41" border="0"></A>
<BR CLEAR="all">
<SMALL>...<I>making Linux just a little more fun!</I></SMALL>
</TD><TD WIDTH="380">
<CENTER>
<BIG><BIG><STRONG><FONT COLOR="maroon">Security Administration with Debian GNU/Linux</FONT></STRONG></BIG></BIG>
<BR>
<STRONG>By <A HREF="../authors/gonzales.html">Jose Salvador Gonzalez Rivera</A></STRONG>
</CENTER>
</TD></TR>
</TABLE>
<P>
<!-- END header -->
<OL>
<LI> <a
href="#1">Introduction</a>
<LI> <a
href="#2">Installing Debian</a>
<LI> <a
href="#3">Vulnerability
Analysis</a>
<LI> <a
href="#4">Security
Administration</a>
<OL>
<LI> <a
href="#5">Permissions
and Attributes</a>
<LI> <a
href="#6">Sticky
Bit</a>
<LI> <a
href="#7">Umask</a>
<LI> <a
href="#8">Quotas
and Limits</a>
<LI> <a
href="#9">User
Activities</a>
<LI> <a
href="#10">Logs
and Services</a>
</OL> </OL>
<A NAME="1"></A>
<h2>Introduction</h2>
<p>Debian has a package manager (DPKG) that resolves dependency problems
automatically. It helps us keep programs up to date automatically by looking
for new versions on the Internet and by resolving and completing the file and
library dependencies that a package requires, which makes system administration
easy and keeps us up to date with new security changes. It also has
some important and substantial security features: it has no commercial
goals and does not obey mercantile urgencies, it tracks errors well,
problems are fixed in less than 48 hours, and its priority is to develop a
complete and reliable operating system. </p>
<p><b>Before Installing</b> </p>
<p>From a security and reliability standpoint, it's better to have separate
hard disk partitions for directories that are large, and especially to separate
those which are frequently-changing (/tmp and /var) from those that can be
mounted read-only except when installing software (/usr). Some people also make
separate partitions for /home and /usr/local. Separate partitions
mean that if one gets corrupted, the others won't be affected. It also means
you can mount some partitions (especially /usr and /boot) read-only except when
doing system administration: this decreases the likelihood of corruption or
mistakes dramatically. Don't do the distribution default, which is
usually to put everything in one partition. Of course, you can go overboard if
you use too many partitions, and if you don't anticipate your sizes correctly
you may end up with wasted space in some partitions and not enough space in
others. In that case you'll either have to back up the files and repartition,
or use symbolic links to steal space from another partition. Both strategies
are undesirable, so think beforehand about how many partitions are appropriate
for this machine, which directories contain irreplaceable data, and leave some
extra space for unexpected additions later.
<h2><a name=2></a>Installing Debian</h2>
<p>The Debian installation, text mode, consists of two phases. The first one
consists of installing the base system and the second one allows us to
configure several details and the installation of additional packages. It is
also necessary to identify those services that the system will offer. It
doesn't make sense to install packages that could open ports and offer
unnecessary services, so we will begin installing just the base system and
after that the services our system will offer. </p>
<h2><a name=3></a>Vulnerability Analysis</h2>
<p>There are software tools that perform vulnerability verification or
security auditing on our servers; these tools are intended to detect well-known
security problems and also to offer detailed information on how to solve almost
any problem they find. This kind of analysis is also called &quot;ethical
hacking&quot; because we can check the way our servers could be penetrated, as an
intruder would do it. Nessus is a security auditing tool. Its main advantage is that it
is kept fully up to date with the latest attacks, which can be added
in the form of plug-ins. It is available for any UNIX flavor from its Web site:
<A HREF="http://www.nessus.org/">www.nessus.org</A>. It is composed of two programs: </p>
<p><b>Nessusd</b> </p>
<p>The server performs the exploration. It should be started with root
privileges and uses ports 1241 and 3001 to listen for requests from the nessus
client. To install it, type the following command: </p>
<pre># apt-get install nessusd</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>It
only runs in UNIX and the client should be authenticated by means of a login
and a password that has to be activated in the system with the different
options offered by the <code><span style='font-size:10.0pt;font-family:"Courier New"'>nessus-adduser</span></code>
command. </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><b>Nessus
Client</b> </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>It
is the client who communicates with <code><span style='font-size:10.0pt;
font-family:"Courier New"'>nessusd</span></code>. This program has its own
graphical front end for administrative purposes. It's not just for UNIX but for
Windows too. Also one of its tasks is report generation at the end of the
exploration, showing the vulnerabilities found and their possible solutions. To
install it we have to type: </p>
<pre># apt-get install nessus</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><i>Nessus</i>
uses a couple of keys stored in the <code><span style='font-size:10.0pt;
font-family:"Courier New"'>.nessus.keys</span></code> directory located in
the user's HOME. They are used to communicate with <code><span style='font-size:
10.0pt;font-family:"Courier New"'>nessusd</span></code>. </p>
<h2 style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><a
name=4></a>Security Administration</h2>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>I
do not want to repeat the information in the HOWTOs and manuals, so I will focus on
specific points and situations not frequently considered: the use of limits and
file attributes. </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><a
name=5></a><b>Permissions and Attributes</b> </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>The
Linux permissions and attributes system allows us to restrict file access by
unauthorized users. The basic permissions are read (r), write (w) and execute
(x). </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>To
visualize a directory permission structure we type <code><span
style='font-size:10.0pt;font-family:"Courier New"'>ls -l</span></code> </p>
<pre>total 44
drwxr-xr-x    2 root     root         4096 May 27  2000 backups
drwxr-xr-x    4 root     root         4096 Jul 17 14:36 cache
drwxr-xr-x    7 root     root         4096 Jul 17 09:30 lib
drwxrwsr-x    2 root     staff        4096 May 27  2000 local
drwxrwxrwt    2 root     root         4096 May 27  2000 lock
drwxr-xr-x    5 root     root         4096 Jul 17 14:35 log
drwxrwsr-x    2 root     mail         4096 Jun 13  2001 mail
drwxr-xr-x    3 root     root         4096 Jul 17 14:36 run
drwxr-xr-x    3 root     root         4096 Jul 17 14:34 spool
drwxr-xr-x    5 root     root         4096 Jul 17 14:35 state
drwxrwxrwt    2 root     root         4096 May 27  2000 tmp</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>The
permission column has 10 characters divided into 4 groups: </p>
<pre>- rw- rw- r--</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>The
first part indicates the file type: </p>
<pre>-        common file.
d        directory.
l        symbolic link.
s        socket.</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>The
other characters indicate if the owner, the owner group and all others have
permission to read, write or execute the file. The <code><span
style='font-size:10.0pt;font-family:"Courier New"'>chmod</span></code> command
is used to change permissions, with the - + = operators to remove, add or assign
permissions. For example: </p>
<pre>$ chmod +x foo</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>This
gives foo execute permission. To remove execute permission from the group
members we type: </p>
<pre>$ chmod g-x foo</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>Another
way to change the permission schema is by the octal system where each number
represents a place-dependent permission for owner, group or all others. </p>
<pre>0        no permission
1        execution
2        writing
3        writing and execution
4        reading
5        reading and execution
6        reading and writing
7        reading, writing and execution</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>For
example, if we type: </p>
<pre>$ chmod 751 foo</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>We
assign read, write and execute permission to the file owner (7), the group can
read and execute it (5), and everybody else can only execute it (1). </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>We
can also modify file attributes with chattr and list them with <code><span
style='font-size:10.0pt;font-family:"Courier New"'>lsattr</span></code>; this
allows us to increase file and directory security. Attributes can be assigned
in this way: </p>
<pre>A        Do not update the file's atime attribute, which limits input and output to disk.
a        Open the file only in update mode.
c        File is compressed automatically.
d        Marks the file so the dump program will not touch it.
i        File cannot be erased, renamed, modified or linked.
s        Fills the erased file's blocks with zeroes.
S        Changes to the file are recorded immediately.
u        File content will be saved when erasing the file.</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>An
example to assign &quot;immutability&quot;, so the file can not be modified,
erased, linked or renamed would be: </p>
<pre>lsattr foo.txt
-------- foo.txt

chattr +i foo.txt

lsattr foo.txt
----i--- foo.txt</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><a
name=6></a><b>Sticky bit</b> </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>If
any user has writing permission on a certain directory, he will be able to
erase any file contained in that directory although he is neither the owner nor
has privileges. To assign permissions to a directory so that no user can erase
another user's files we assign the sticky bit with chmod: </p>
<pre>ls -ld temp

chmod +t temp

ls -ld temp</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><a
name=7></a><b>Umask</b> </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>When
we create files or directories they have predetermined permissions, commonly 664
for files and 775 for directories. This is done by the umask value, which is masked
out of the base modes of 666 for files and 777 for directories. To assign more
restrictive permissions, it is advisable
to establish the umask value at 077 inside each user's profile in <code><span
style='font-size:10.0pt;font-family:"Courier New"'>~/.bash_profile</span></code>
</p>
<pre># /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

PATH=&quot;/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games&quot;

if [ &quot;$BASH&quot; ]; then
  PS1='\u@\h:\w\$ '
else
  if [ &quot;`id -u`&quot; -eq 0 ]; then
    PS1='# '
  else
    PS1='$ '
  fi
fi

export PATH PS1
umask 022</pre>
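<p>The effect of a umask value can be checked directly by creating a file and a directory under it and reading back their modes. The script below is an added example, not part of the original article; it assumes GNU <code>stat</code> and <code>mktemp</code> as shipped with Debian, and the function names are hypothetical.</p>

```shell
#!/bin/sh
# Added example (not from the original article). Assumes GNU stat and mktemp.
# Function names are hypothetical, chosen for this illustration.

# modes_for_umask UMASK -> prints "<file mode> <directory mode>" in octal.
# New files start from 666 and new directories from 777; every bit set in
# the umask is cleared from those base modes.
modes_for_umask() {
    (
        workdir=$(mktemp -d) || exit 1
        umask "$1"                      # only affects this subshell
        : > "$workdir/file"             # the shell creates files with mode 666
        mkdir "$workdir/dir"            # mkdir creates directories with mode 777
        result="$(stat -c %a "$workdir/file") $(stat -c %a "$workdir/dir")"
        rm -rf "$workdir"
        printf '%s\n' "$result"
    )
}

# is_private_umask UMASK -> exit status 0 when new files and directories get
# no group or other permission bits at all, 1 otherwise.
is_private_umask() {
    set -- $(modes_for_umask "$1")
    [ $(( 0$1 & 077 )) -eq 0 ] && [ $(( 0$2 & 077 )) -eq 0 ]
}

# Compare the umask values that give the article's numbers.
for mask in 002 022 027 077; do
    printf 'umask %s -> file/dir modes %s' "$mask" "$(modes_for_umask "$mask")"
    if is_private_umask "$mask"; then
        echo '  (owner only)'
    else
        echo '  (group or others keep some access)'
    fi
done
```

<p>The 664 and 775 defaults quoted above correspond to a umask of 002, and the 022 in the stock <code>/etc/profile</code> still leaves new files readable by everyone.</p>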
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><a
name=8></a><b>Quotas and Limits</b> </p>
<p class=MsoNormal style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>Since
Linux is a multi-user operating system, it is possible that several users could
be filling the hard disk or wasting the disk's resources, so a disk quota can
be a good choice. To do this, it is enough to modify the <code><span
style='font-size:10.0pt;font-family:"Courier New"'>/etc/fstab</span></code>
file adding usrquota, then create two files for the partition: <code><span
style='font-size:10.0pt;font-family:"Courier New"'>quota.user</span></code> and
<code><span style='font-size:10.0pt;font-family:"Courier New"'>quota.group</span></code>:
</p>
<pre>touch /home/quota.user
touch /home/quota.group
chmod 660 /home/quota.user
chmod 660 /home/quota.group</pre>
<p class=MsoNormal style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>Then
restart the system and the assigned quota can be modified with edquota. It is
also possible to limit users, i.e. to limit CPU's time usage, the number of
open files, data segment size, etc. For this we use the <code><span
style='font-size:10.0pt;font-family:"Courier New"'>ulimit</span></code> command;
the commands must be placed in <code><span style='font-size:10.0pt;font-family:
"Courier New"'>/etc/profile</span></code> and every time a user obtains a shell
those commands are executed. The options are: </p>
<pre>-a        Show current limits
-c        Maximum core file size
-d        Maximum process data segment size
-f        Maximum size of files created by the shell
-m        Maximum locked memory size
-s        Maximum stack size
-t        Maximum CPU time in seconds
-p        Pipe size
-n        Maximum number of open files
-u        Maximum number of processes
-v        Maximum virtual memory size

core file size (blocks)             0
data seg size (kbytes)              unlimited
file size (blocks)                  unlimited
max locked memory (kbytes)          unlimited
max memory size (kbytes)            unlimited
open files                          1024
pipe size (512 bytes)               8
stack size (kbytes)                 8192
cpu time (seconds)                  unlimited
max user processes                  256
virtual memory (kbytes)             unlimited</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><a
name=9></a><b>User Activities</b> </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>The
user's command record is stored in the <code><span style='font-size:10.0pt;
font-family:"Courier New"'>~/.bash_history</span></code> file. The user could
consult it with the <code><span style='font-size:10.0pt;font-family:"Courier New"'>history</span></code>
command, using the direction keys (up and down). However there are several ways
to avoid this, for example <code><span style='font-size:10.0pt;font-family:
"Courier New"'>history -c</span></code> command erases the current record. Replacing
the contents of the environment variable <code><span style='font-size:10.0pt;
font-family:"Courier New"'>HISTFILE</span></code> to null is another way. Yet
another way is to kill the session with <code><span style='font-size:10.0pt;
font-family:"Courier New"'>kill -9 or kill -9 0</span></code>. </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>In
order to record user behavior there is a tool called <i>snoopy</i> which logs
this activity. However, it could be considered a privacy issue, so if you
implement it, it would be wise to create policies and let users know that all their
activities are registered. It can be installed with <code><span
style='font-size:10.0pt;font-family:"Courier New"'>apt-get install snoopy</span></code>.
At this moment the latest version is <code><span style='font-size:10.0pt;
font-family:"Courier New"'>1.3-3</span></code>. </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>A
way to identify the processes using user's files is by the <code><span
style='font-size:10.0pt;font-family:"Courier New"'>fuser</span></code> command;
this is very useful for finding out which users have open files that prevent
unmounting a certain file system. Another useful command to know the open files
and sockets list is <code><span style='font-size:10.0pt;font-family:"Courier New"'>lsof</span></code>.
To identify what process is using a certain socket we can type for example: </p>
<pre>lsof -i -n -P | grep 80 | grep LISTEN</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><a
name=10></a><b>Logs and Services</b> </p>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>The
<code><span style='font-size:10.0pt;font-family:"Courier New"'>faillog</span></code>
and <code><span style='font-size:10.0pt;font-family:"Courier New"'>lastlog</span></code>
files are inside <code><span style='font-size:10.0pt;font-family:"Courier New"'>/var/log</span></code>
which register the last successful and failed connections. They will be
analyzed in the intruder detection section, but they are accessible to
everybody, so it is convenient to limit their access with: </p>
<pre>chmod 660 /var/log/faillog</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>And
</p>
<pre>chmod 660 /var/log/lastlog</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>The
<code><span style='font-size:10.0pt;font-family:"Courier New"'>lilo.conf</span></code>
file is also accessible to all. It contains the Linux loader configuration, which
is why it is advisable to limit its access with: </p>
<pre>chmod 600 /etc/lilo.conf</pre>
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>The
<code><span style='font-size:10.0pt;font-family:"Courier New"'>setuid</span></code>
is when a program makes a system call to assign itself a <code><span
style='font-size:10.0pt;font-family:"Courier New"'>UID</span></code> to
identify a process. Programs marked with setuid can be executed by the owner
or by a process that reaches the appropriate privileges, being able to adopt
the program's owner UID. To determine what files are setuid and setgid we can
carry out a search with: </p>
<pre>$ find / -type f \( -perm -4000 -o -perm -2000 \) -print</pre>
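<p>The checks from the sticky bit, log permission and setuid paragraphs can be combined into one audit of a directory tree. The script below is an added example, not part of the original article; the function names and the sample tree it builds under a temporary directory are constructed for the illustration.</p>

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the sample
# tree are hypothetical; point the list_* functions at a real tree to audit it.

# list_setid DIR -> regular files carrying the setuid (4000) or setgid (2000) bit.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# list_unsticky_writable DIR -> world-writable directories without the sticky
# bit, where any user can erase files that belong to somebody else.
list_unsticky_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# list_world_readable FILE... -> those of the named files that "others" can
# read, for example faillog and lastlog before the chmod 660 shown earlier.
list_world_readable() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        find "$f" -prune -perm -0004 -print
    done
}

# build_sample_tree -> creates a constructed tree and prints its path.
build_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/shared" "$root/tmp" "$root/bin" "$root/log"
    chmod 0777 "$root/shared"                                 # flagged: no sticky bit
    chmod 1777 "$root/tmp"                                    # sticky bit set
    : > "$root/bin/helper";  chmod 4755 "$root/bin/helper"    # setuid
    : > "$root/bin/spooler"; chmod 2755 "$root/bin/spooler"   # setgid
    : > "$root/bin/plain";   chmod 0755 "$root/bin/plain"     # ordinary program
    : > "$root/log/faillog"; chmod 0644 "$root/log/faillog"   # readable by all
    : > "$root/log/lastlog"; chmod 0660 "$root/log/lastlog"   # restricted
    printf '%s\n' "$root"
}

# Run the three checks against the constructed tree.
tree=$(build_sample_tree)
echo "setuid/setgid files:"
list_setid "$tree"
echo "world-writable directories without sticky bit:"
list_unsticky_writable "$tree"
echo "log files readable by everybody:"
list_world_readable "$tree/log/faillog" "$tree/log/lastlog"
rm -rf "$tree"
```

<p>Saving the output of <code>list_setid</code> after installation and comparing it with later runs shows when a new setuid or setgid file has appeared.</p>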
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>When
installed, every UNIX opens many services but many of them are not necessary,
depending on the kind of server built. For example in my Linux box I have the
following services: </p>
<pre>$ netstat -pn -l -A inet

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      200/sshd
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      193/lpd
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      180/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      116/portmap
udp        0      0 0.0.0.0:9               0.0.0.0:*                           189/inetd
udp        0      0 0.0.0.0:1024            0.0.0.0:*                           180/rpc.statd
udp        0      0 0.0.0.0:780             0.0.0.0:*                           180/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           116/portmap
udp        0      0 0.0.0.0:68              0.0.0.0:*                           112/dhclient-2.2.x
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           -
raw        0      0 0.0.0.0:6               0.0.0.0:*               7           -</pre>
<p>This shows information such as the protocol type, address and port, as well
as the state each socket is in. With <code>lsof</code> we can obtain more
precise and summarized information: </p>
<pre>$ lsof -i | grep LISTEN

portmap   116 root    4u  IPv4     73       TCP *:sunrpc (LISTEN)
rpc.statd 180 root    5u  IPv4    118       TCP *:1024 (LISTEN)
inetd     189 root    4u  IPv4    126       TCP *:discard (LISTEN)
inetd     189 root    6u  IPv4    128       TCP *:daytime (LISTEN)
inetd     189 root    7u  IPv4    129       TCP *:time (LISTEN)
inetd     189 root    8u  IPv4    130       TCP *:smtp (LISTEN)
inetd     189 root    9u  IPv4    131       TCP *:auth (LISTEN)
lpd       193 root    6u  IPv4    140       TCP *:printer (LISTEN)
sshd      200 root    3u  IPv4    142       TCP *:ssh (LISTEN)</pre>
<p>This shows us the service, port, owner and protocol used. To list the
daemons that <code>inetd</code> runs, we can review its configuration file,
<code>/etc/inetd.conf</code>: </p>
<pre>$ grep -v &quot;^#&quot; /etc/inetd.conf | sort -u

daytime         stream  tcp     nowait  root    internal
discard         dgram   udp     wait    root    internal
discard         stream  tcp     nowait  root    internal
ident           stream  tcp     wait    identd  /usr/sbin/identd        identd
smtp            stream  tcp     nowait  mail    /usr/sbin/exim exim -bs
time            stream  tcp     nowait  root    internal</pre>
<p>To stop and disable a service (in this case we will disable
<code>time</code>), we have the command: </p>
<pre>$ update-inetd --disable time</pre>
<p>and the file <code>inetd.conf</code> is modified like this: </p>
<pre>daytime         stream  tcp     nowait  root    internal
discard         dgram   udp     wait    root    internal
discard         stream  tcp     nowait  root    internal
ident           stream  tcp     wait    identd  /usr/sbin/identd        identd
smtp            stream  tcp     nowait  mail    /usr/sbin/exim exim -bs</pre>
<p>To restart the daemon <code>inetd</code> we can use the command: </p>
<pre>$ /etc/init.d/inetd restart</pre>
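<p>After services have been disabled and <code>inetd</code> restarted, the
<code>netstat</code> listing can be checked mechanically instead of by eye. The
script below is an added example, not part of the original article: it reports
every TCP or UDP listener that is not on an allowlist. The allowlist
<code>tcp/22</code> and the function names are assumptions made for the
illustration; the sample rows are a subset of the listing shown earlier, taken
before any service was disabled.</p>

```shell
#!/bin/sh
# Added example: flag listeners that are not on an allowlist.
# On a live host:  netstat -pn -l -A inet | unexpected_listeners "tcp/22"

# Assumed policy for this example: only sshd should be reachable.
ALLOWED_LISTENERS="tcp/22"

# Sample input: a subset of the netstat listing from the article.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      200/sshd
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      193/lpd
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      116/portmap
udp        0      0 0.0.0.0:111             0.0.0.0:*                           116/portmap
udp        0      0 0.0.0.0:68              0.0.0.0:*                           112/dhclient-2.2.x
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           -
EOF
}

# unexpected_listeners ALLOWLIST
# Reads netstat output on stdin. ALLOWLIST is a space-separated list of
# proto/port pairs. Prints "proto/port program" for every tcp or udp socket
# that is not on the list.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }   # skip headers and raw sockets
        {
            # The port is whatever follows the last ":" of the local address.
            port = $4; sub(/^.*:/, "", port)
            key = $1 "/" port
            # UDP rows have an empty State column, so the PID/Program field
            # moves left; search for it instead of using a fixed position.
            prog = "-"
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) { prog = $i; sub(/^[0-9]+\//, "", prog); break }
            if (!(key in ok)) print key, prog
        }' | sort -u
}

# Run against the sample listing.
sample_netstat | unexpected_listeners "$ALLOWED_LISTENERS"
```

<p>An empty result means every listener is accounted for; anything printed is
either a service still to be disabled or an entry to add to the allowlist on
purpose.</p>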
<p>To disable unnecessary services, I made the following shell script; remember
that you can adapt it for your purposes. </p>
<pre>#!/bin/bash
# ----------------------------------------------------------------------
# Securing configuration files and deactivating unnecessary services
# Jose Salvador Gonzalez Rivera jsgr@linuxpuebla.org
# ----------------------------------------------------------------------
clear
raiz=0          # UID of root
if [ &quot;$UID&quot; -eq &quot;$raiz&quot; ]
 then
  echo -e &quot;Ok, starting shell script...\n&quot;
 else
  echo -e &quot;You need to be ROOT to run this script...\a\n&quot;
  exit 1
fi

echo &quot;Securing Logs...&quot;
chmod 700 /bin/dmesg            # Restricts the kernel messages to root
chmod 600 /var/log/messages     # General system messages
chmod 600 /var/log/lastlog      # Last login records
chmod 600 /var/log/faillog      # Failed login records
chmod 600 /var/log/wtmp         # Login and logout history (last)
chmod 600 /var/run/utmp         # Logged-in user data
                                # (commands who, w, users, finger)
echo &quot;Securing configurations...&quot;
chmod 600 /etc/lilo.conf        # Configuration and password for LILO
chmod 600 /etc/syslog.conf      # Syslog configuration
chmod -R 700 /etc/init.d        # Init files directory

echo &quot;Removing the SUID and SGID bits...&quot;
# Caution: this clears the bits on every file, including su and passwd,
# which then stop working for ordinary users.
find / -perm -4000 -exec chmod a-s {} \;
find / -perm -2000 -exec chmod a-s {} \;

echo &quot;Removing the unnecessary services...&quot;
/etc/init.d/lpd stop
update-rc.d -f lpd remove
/etc/init.d/nfs-common stop
update-rc.d -f nfs-common remove
/etc/init.d/portmap stop
update-rc.d -f portmap remove
update-inetd --disable time
update-inetd --disable daytime
update-inetd --disable discard
update-inetd --disable echo
update-inetd --disable chargen
update-inetd --disable ident

echo -e &quot;Restarting super daemon...\n&quot;
/etc/init.d/inetd restart
cd &amp;&amp; echo -e &quot;Ok, Finishing the Shell Script...\n&quot;</pre>
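<p>The two <code>find</code> commands in the script clear the setuid and setgid
bits on every file, including programs such as <code>su</code> and
<code>passwd</code> that rely on them. The following added example, which is not
part of the author's script, lists the affected files first and only changes
those that are not on a keep list. The function names, the keep-list file and
the sample tree are assumptions made for the illustration.</p>

```shell
#!/bin/sh
# Added example: review setuid/setgid files before stripping the bits.

# list_setid DIR
# Prints every regular file under DIR (same filesystem only) that has the
# setuid or setgid bit set, one path per line, sorted.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# strip_setid DIR KEEPFILE [apply]
# KEEPFILE holds one path per line; those files keep their bits.
# Without "apply" this is a dry run that only prints what would change.
# Paths containing newlines are not supported.
strip_setid() {
    dir=$1 keep=$2 mode=${3:-dry-run}
    list_setid "$dir" | while IFS= read -r f; do
        if grep -qxF -- "$f" "$keep"; then
            continue                      # explicitly allowed, leave untouched
        fi
        echo "$f"
        if [ "$mode" = apply ]; then
            chmod a-s -- "$f"
        fi
    done
}

# Constructed sample tree: two setuid files, one of them on the keep list.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    : > "$t/su-like"; : > "$t/game"; : > "$t/plain"
    chmod 4755 "$t/su-like" "$t/game"
    chmod 0755 "$t/plain"
    printf '%s\n' "$t/su-like" > "$t/keep.list"
    printf '%s\n' "$t"
}

# Dry run on the sample tree: only "game" is reported.
tree=$(make_sample_tree)
echo "Would lose setuid/setgid:"
strip_setid "$tree" "$tree/keep.list"
rm -rf "$tree"
```

<p>On a real system the keep list would be built by reviewing the output of
<code>list_setid /</code> once, and the dry run repeated after each package
upgrade.</p>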
<p>Well, for all this I use the <code>man</code> pages of the programs. I hope
this can help people get a little more interested in Linux security, and
specifically in Debian. </p>
<!-- *** BEGIN author bio *** -->
<P>&nbsp;
<P>
<!-- *** BEGIN bio *** -->
<P>
<img ALIGN="LEFT" ALT="[BIO]" SRC="../gx/2002/note.png">
<em>
Currently I'm an active member of the Puebla Linux User Group (GULP) in
M&eacute;xico. I frequently participate in events to promote the use of Free
Software and Linux mainly. I accept any questions, comments or suggestions by
email.
</em>
<br CLEAR="all">
<!-- *** END bio *** -->
<!-- *** END author bio *** -->
<!-- *** BEGIN copyright *** -->
<hr>
<CENTER><SMALL><STRONG>
Copyright &copy; 2003, Jose Salvador Gonzalez Rivera.
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 89 of <i>Linux Gazette</i>, April 2003
</STRONG></SMALL></CENTER>
<!-- *** END copyright *** -->
<HR>
<!--startcut ==========================================================-->
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->