<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Security Administration with Debian GNU/Linux LG #89</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->

<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->

<!--endcut ============================================================-->

<TABLE BORDER><TR><TD WIDTH="200">
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/2002/lglogo_200x41.png"
WIDTH="200" HEIGHT="41" border="0"></A>
<BR CLEAR="all">
<SMALL>...<I>making Linux just a little more fun!</I></SMALL>
</TD><TD WIDTH="380">

<CENTER>
<BIG><BIG><STRONG><FONT COLOR="maroon">Security Administration with Debian GNU/Linux</FONT></STRONG></BIG></BIG>
<BR>
<STRONG>By <A HREF="../authors/gonzales.html">Jose Salvador Gonzalez Rivera</A></STRONG>
</CENTER>

</TD></TR>
</TABLE>
<P>

<!-- END header -->

<OL>
<LI> <a href="#1">Introduction</a>
<LI> <a href="#2">Installing Debian</a>
<LI> <a href="#3">Vulnerability Analysis</a>
<LI> <a href="#4">Security Administration</a>
<OL>
<LI> <a href="#5">Permissions and Attributes</a>
<LI> <a href="#6">Sticky Bit</a>
<LI> <a href="#7">Umask</a>
<LI> <a href="#8">Quotas and Limits</a>
<LI> <a href="#9">User Activities</a>
<LI> <a href="#10">Logs and Services</a>
</OL> </OL>

<A NAME="1"></A>
<h2>Introduction</h2>

<p>Debian has a package manager (DPKG) that resolves dependency problems
automatically. It helps us keep programs up to date by looking for new
versions on the Internet and resolving the file and library dependencies
that a package requires, which makes system administration easier and keeps
us current with security fixes. Debian also has some important security
characteristics: it has no commercial goals and does not answer to commercial
deadlines, it tracks bugs well, problems are fixed in less than 48 hours, and
its priority is to develop a complete and reliable operating system.</p>

<p><b>Before Installing</b></p>

<p>From a security and reliability standpoint, it's better to have separate
hard disk partitions for directories that are large, and especially to separate
those which change frequently (/tmp and /var) from those that can be
mounted read-only except when installing software (/usr). Some people also make
separate partitions for /home and /usr/local. Separate partitions
mean that if one gets corrupted, the others won't be affected. It also means
you can mount some partitions (especially /usr and /boot) read-only except when
doing system administration: this decreases the likelihood of corruption or
mistakes dramatically. Don't accept the distribution default, which is
usually to put everything in one partition. Of course, you can go overboard if
you use too many partitions, and if you don't anticipate your sizes correctly
you may end up with wasted space in some partitions and not enough space in
others. In that case you'll either have to back up the files and repartition,
or use symbolic links to steal space from another partition. Both strategies
are undesirable, so think beforehand about how many partitions are appropriate
for this machine, which directories contain irreplaceable data, and leave some
extra space for unexpected additions later.</p>

<h2><a name=2></a>Installing Debian</h2>

<p>The Debian text-mode installation consists of two phases. The first
installs the base system; the second lets us configure several details and
install additional packages. It is also necessary to decide which services
the system will offer. It doesn't make sense to install packages that open
ports and offer unnecessary services, so we begin by installing just the base
system and only afterwards the services our system will offer.</p>

<h2><a name=3></a>Vulnerability Analysis</h2>

<p>There are software tools to perform vulnerability verification or
security auditing on our servers; these tools are intended to detect
well-known security problems and also to offer detailed information on how
to solve almost any problem they find. This kind of analysis is also called
"ethical hacking" because we check the way our servers could be penetrated,
as an intruder would. Nessus is a security auditing tool. Its main advantage
is that it is kept up to date with the latest attacks, which can be added in
the form of plug-ins. It is available for any UNIX flavor from its Web site:
<A HREF="http://www.nessus.org/">www.nessus.org</A>. It is composed of two
programs:</p>

<p><b>Nessusd</b></p>

<p>The server performs the scan. It should be started with root privileges
and uses ports 1241 and 3001 to listen for nessus client requests. To
install it, type the following command:</p>

<pre># apt-get install nessusd</pre>

<p>It only runs on UNIX, and the client must authenticate with a login and a
password that have to be created on the system with the options offered by
the <code>nessus-adduser</code> command.</p>

<p><b>Nessus Client</b></p>

<p>The client is the program that communicates with <code>nessusd</code>. It
has its own graphical front end for administrative purposes, and it is
available not only for UNIX but for Windows too. One of its tasks is report
generation at the end of the scan, showing the vulnerabilities found and
their possible solutions. To install it we have to type:</p>

<pre># apt-get install nessus</pre>

<p><i>Nessus</i> uses a pair of keys stored in the <code>.nessus.keys</code>
directory located in the user's HOME. They are used to communicate with
<code>nessusd</code>.</p>

<h2><a name=4></a>Security Administration</h2>

<p>I do not want to repeat the information in the HOWTOs and manuals, so I
will focus on specific points and situations that are not frequently
considered: the use of limits and file attributes.</p>

<p><a name=5></a><b>Permissions and Attributes</b></p>

<p>The Linux permissions and attributes system allows us to restrict file
access to unauthorized users. The basic permissions are read (r), write (w)
and execute (x).</p>

<p>To visualize a directory's permission structure we type <code>ls -l</code>:</p>

<pre>total 44
drwxr-xr-x    2 root     root         4096 May 27  2000 backups
drwxr-xr-x    4 root     root         4096 Jul 17 14:36 cache
drwxr-xr-x    7 root     root         4096 Jul 17 09:30 lib
drwxrwsr-x    2 root     staff        4096 May 27  2000 local
drwxrwxrwt    2 root     root         4096 May 27  2000 lock
drwxr-xr-x    5 root     root         4096 Jul 17 14:35 log
drwxrwsr-x    2 root     mail         4096 Jun 13  2001 mail
drwxr-xr-x    3 root     root         4096 Jul 17 14:36 run
drwxr-xr-x    3 root     root         4096 Jul 17 14:34 spool
drwxr-xr-x    5 root     root         4096 Jul 17 14:35 state
drwxrwxrwt    2 root     root         4096 May 27  2000 tmp</pre>

<p>The permission column has 10 characters divided into 4 groups:</p>

<pre>- rw- rw- r--</pre>

<p>The first part indicates the file type:</p>

<pre>-       regular file
d       directory
l       symbolic link
s       socket</pre>

<p>The other characters indicate whether the owner, the owner's group and
everybody else have permission to read, write or execute the file. The
<code>chmod</code> command is used to change permissions, with the
<code>-</code>, <code>+</code> and <code>=</code> operators to remove, add or
assign permissions. For example:</p>

<pre>$ chmod +x foo</pre>

<p>assigns execute permission to foo. To remove execute permission from the
group members we type:</p>

<pre>$ chmod g-x foo</pre>

<p>Another way to change the permission scheme is the octal system, where
each digit represents the permissions for the owner, the group or everybody
else, depending on its position.</p>

<pre>0       no permission
1       execute
2       write
3       write and execute
4       read
5       read and execute
6       read and write
7       read, write and execute</pre>

<p>For example, if we type:</p>

<pre>$ chmod 751 foo</pre>

<p>we assign read, write and execute permission to the file owner (7), the
group can read and execute it (5), and everybody else can only execute it
(1).</p>

<p>We can also modify file attributes with <code>chattr</code> and list them
with <code>lsattr</code>; this allows us to increase file and directory
security. Attributes can be assigned in this way:</p>

<pre>A       Do not update the file's atime, which reduces disk I/O.
a       The file can only be opened in append mode for writing.
c       The file is compressed automatically.
d       Marks the file so the dump program will not back it up.
i       The file cannot be erased, renamed, modified or linked (immutable).
s       When the file is deleted, its blocks are filled with zeroes.
S       Changes to the file are written to disk immediately (synchronous updates).
u       When the file is deleted, its contents are kept so it can be undeleted.</pre>

<p>An example of assigning "immutability", so the file cannot be modified,
erased, linked or renamed, would be:</p>

<pre>lsattr foo.txt
-------- foo.txt

chattr +i foo.txt

lsattr foo.txt
----i--- foo.txt</pre>

<p><a name=6></a><b>Sticky bit</b></p>

<p>If a user has write permission on a directory, he will be able to erase
any file contained in that directory even though he is neither its owner nor
has any special privileges. To set permissions on a directory so that no user
can erase another user's files, we assign the sticky bit with
<code>chmod</code>:</p>

<pre>ls -ld temp

chmod +t temp

ls -ld temp</pre>

<p><a name=7></a><b>Umask</b></p>

<p>When we create files or directories they receive default permissions,
commonly 664 for files and 775 for directories. This is controlled by the
umask value, whose bits are removed from the maximum of 666 for files and
777 for directories. To assign more restrictive permissions, it is
advisable to set the umask value to 077 in each user's profile
(<code>~/.bash_profile</code>) or system-wide in <code>/etc/profile</code>,
which on Debian sets it to 022 by default:</p>

<pre># /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"

if [ "$BASH" ]; then
  PS1='\u@\h:\w\$ '
else
  if [ "`id -u`" -eq 0 ]; then
    PS1='# '
  else
    PS1='$ '
  fi
fi

export PATH PS1
umask 022</pre>

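<p>The octal permission table and the umask arithmetic above are easier to trust once you can compute them. The following POSIX shell script is an added example, not part of the article: it converts an <code>ls -l</code> permission string (including the s and t bits seen in the /var listing) to octal, derives the mode a new file or directory gets under a given umask, and checks that arithmetic against a probe file created in a temporary directory. All function names are the example's own.</p>

```sh
#!/bin/sh
# Added example (not from the article): symbolic permissions -> octal, and
# the mode a new object receives under a umask, verified against the kernel.

# symbolic_to_octal 'drwxrwxrwt' -> 1777 ; 'drwxrwsr-x' -> 2775 ; '-rw-r--r--' -> 0644
# The leading digit carries setuid (4), setgid (2) and sticky (1), which ls
# shows as s/S in the owner or group execute slot and t/T in the others slot.
symbolic_to_octal() {
    rest=${1#?}                        # drop the file-type character (-, d, l, s)
    special=0
    mode=""
    for who in u g o; do
        triple=${rest%"${rest#???}"}   # next three characters: r w x
        rest=${rest#???}
        r=${triple%??}
        w=${triple#?}; w=${w%?}
        x=${triple#??}
        n=0
        case $r in r) n=$((n + 4)) ;; esac
        case $w in w) n=$((n + 2)) ;; esac
        case $x in x|s|t) n=$((n + 1)) ;; esac      # lower case: execute bit is also set
        case $who in u) sbit=4 ;; g) sbit=2 ;; *) sbit=1 ;; esac
        case $x in s|S|t|T) special=$((special + sbit)) ;; esac
        mode="$mode$n"
    done
    printf '%s%s\n' "$special" "$mode"
}

# mode_after_umask BASE UMASK -> the mode the kernel assigns to a new object:
# every bit set in the umask is cleared from BASE (666 for files, 777 for
# directories).  mode_after_umask 666 022 -> 0644 ; mode_after_umask 777 077 -> 0700
mode_after_umask() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# observed_mode UMASK file|dir -> the mode a probe object really received,
# read back through ls -l and symbolic_to_octal.  Uses a throw-away temp dir.
observed_mode() {
    dir=$(mktemp -d) || return 1
    ( umask "$1"
      if [ "$2" = dir ]; then mkdir "$dir/probe"; else : > "$dir/probe"; fi )
    perms=$(ls -ld "$dir/probe" | cut -c1-10)
    rm -rf "$dir"
    symbolic_to_octal "$perms"
}

# Stand-alone demonstration on strings from the article's listing.
for p in 'drwxr-xr-x' 'drwxrwsr-x' 'drwxrwxrwt' '-rwsr-xr-x'; do
    printf '%s -> %s\n' "$p" "$(symbolic_to_octal "$p")"
done
for m in 022 077; do
    printf 'umask %s: file %s, directory %s (observed on disk: %s)\n' "$m" \
        "$(mode_after_umask 666 "$m")" "$(mode_after_umask 777 "$m")" \
        "$(observed_mode "$m" file)"
done
```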
<p><a name=8></a><b>Quotas and Limits</b></p>

<p>Since Linux is a multi-user operating system, several users could fill
the hard disk or waste its resources, so disk quotas can be a good choice.
To enable them, it is enough to modify the <code>/etc/fstab</code> file,
adding usrquota to the partition's options, and then create two files on
the partition: <code>quota.user</code> and <code>quota.group</code>:</p>

<pre>touch /home/quota.user
touch /home/quota.group
chmod 660 /home/quota.user
chmod 660 /home/quota.group</pre>

<p>Then restart the system; the assigned quota can be modified with
<code>edquota</code>. It is also possible to limit users in other ways, i.e.
to limit CPU time usage, the number of open files, the data segment size,
etc. For this we use the <code>ulimit</code> command; the commands must be
placed in <code>/etc/profile</code>, and every time a user obtains a shell
those commands are executed. The options are:</p>

<pre>-a       Show current limits
-c       Maximum core file size
-d       Maximum process data segment size
-f       Maximum size of files created by the shell
-m       Maximum memory size
-s       Maximum stack size
-t       Maximum CPU time in seconds
-p       Pipe size
-n       Maximum number of open files
-u       Maximum number of processes
-v       Maximum virtual memory size</pre>

<p>For example, <code>ulimit -a</code> shows the current limits:</p>

<pre>core file size (blocks)            0
data seg size (kbytes)             unlimited
file size (blocks)                 unlimited
max locked memory (kbytes)         unlimited
max memory size (kbytes)           unlimited
open files                         1024
pipe size (512 bytes)              8
stack size (kbytes)                8192
cpu time (seconds)                 unlimited
max user processes                 256
virtual memory (kbytes)            unlimited</pre>

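<p>As an added example (not from the article), here is how such a limits block for <code>/etc/profile</code> can be written as a shell function and tried in a subshell before it is deployed; the function names, the root exemption and the limit values are this example's own choices.</p>

```sh
#!/bin/sh
# Added example (not from the article): login limits for /etc/profile,
# written as a function so they can be exercised in a subshell first.
# Only soft limits (-S) are lowered, so a user may raise them again up to
# the hard limit; drop -S to make them hard limits that cannot be raised.
# The numeric values are illustrative.

# apply_login_limits UID : root (uid 0) is exempt so that administration
# tools are not throttled; every other login gets the restricted soft limits.
# Returns 1 when nothing was applied.
apply_login_limits() {
    if [ "$1" -eq 0 ]; then
        return 1
    fi
    ulimit -S -c 0          # no core dumps: a core of a privileged process can leak secrets
    ulimit -S -n 256        # open files per process
    ulimit -S -t 600        # CPU seconds per process
    return 0
}

# limits_for_uid UID -> "core nofile cpu" as a fresh shell for that uid would
# see them, or "exempt" for root.  Runs in a subshell so the caller's own
# limits are untouched.
limits_for_uid() {
    (
        if apply_login_limits "$1"; then
            printf '%s %s %s\n' "$(ulimit -S -c)" "$(ulimit -S -n)" "$(ulimit -S -t)"
        else
            echo exempt
        fi
    )
}

# Stand-alone demonstration: what root and an ordinary user would get.
limits_for_uid 0       # exempt
limits_for_uid 1000    # 0 256 600
```

In a real deployment the body of <code>apply_login_limits</code> goes into <code>/etc/profile</code> guarded by the same <code>id -u</code> test the file already uses for the prompt.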
<p><a name=9></a><b>User Activities</b></p>

<p>The record of the user's commands is stored in the
<code>~/.bash_history</code> file. The user can consult it with the
<code>history</code> command or with the arrow keys (up and down). However,
there are several ways to avoid this: for example, the <code>history -c</code>
command erases the current record. Setting the environment variable
<code>HISTFILE</code> to null is another way. Yet another way is to kill the
session with <code>kill -9</code> or <code>kill -9 0</code>.</p>

<p>In order to record user behavior there is a tool called <i>snoopy</i>
which logs this activity; however, it could be considered a privacy issue, so
if you implement it, it would be wise to create policies and let users know
that all their activities are logged. It can be installed with <code>apt-get
install snoopy</code>. At this moment the latest version is
<code>1.3-3</code>.</p>

<p>A way to identify the processes using a user's files is the
<code>fuser</code> command; this is very useful to find out which users have
open files that prevent unmounting a certain file system. Another useful
command for listing open files and sockets is <code>lsof</code>. To identify
which process is using a certain socket we can type, for example:</p>

<pre>lsof -i -n -P | grep ':80 ' | grep LISTEN</pre>

<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'><a
|
||
name=10></a><b>Logs and Services</b> </p>
|
||
|
||
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>The
|
||
<code><span style='font-size:10.0pt;font-family:"Courier New"'>faillog</span></code>
|
||
and <code><span style='font-size:10.0pt;font-family:"Courier New"'>lastlog</span></code>
|
||
files are inside <code><span style='font-size:10.0pt;font-family:"Courier New"'>/var/log</span></code>
|
||
which register the last successful and failed connections, they will be
|
||
analyzed in the intruders' detection section, but they are accessible to
|
||
everybody and it is convenient to limit their access with: </p>
|
||
|
||
<pre>chmod 660 /var/log/faillog</pre>
|
||
|
||
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>And
|
||
</p>
|
||
|
||
<pre>chmod 660 /var/log/lastlog</pre>
|
||
|
||
<p style='tab-stops:45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt'>The
|
||
<code><span style='font-size:10.0pt;font-family:"Courier New"'>lilo.conf</span></code>
|
||
file is also accessible to all. It has the Linux loader configuration and by
|
||
this is why it is advisable to limit its access with: </p>
|
||
|
||
<pre>chmod 600 /etc/lilo.conf</pre>
<p>The <code>setuid</code> bit makes a program run with the <code>UID</code> of the file's owner rather than that of the user who starts it: a setuid program can be run by its owner or by any process with the appropriate privileges, and the resulting process adopts the owner's UID. To determine which files are setuid (and, with <code>-perm -2000</code>, which are setgid) we can search with: </p>

<pre>$ find / -perm -4000 -print</pre>
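As an added example that is not part of the article, a small shell audit that extends the search above to setgid files and compares the result with a saved baseline, so that newly privileged binaries are reported rather than every bit being stripped; the function names and baseline path are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: audit setuid/setgid files against a
# saved baseline. It extends "find / -perm -4000" to setgid files (-2000) and
# reports changes instead of stripping the bits, because a blanket "chmod a-s"
# also hits passwd, su and sudo. Paths containing spaces are not handled
# (the ls -ln output is split on whitespace).
set -u

# List every setuid or setgid regular file under $1 as "mode uid path",
# sorted so the lists can be compared with comm(1).
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ln {} + 2>/dev/null \
        | awk '{ print $1, $3, $NF }' | sort
}

# Save the current list for directory $1 into baseline file $2.
suid_baseline() {
    list_suid "$1" > "$2"
}

# Compare directory $1 with baseline $2. Prints what changed and returns 1
# when anything was added or removed, 0 when the tree matches the baseline.
suid_check() {
    cur=$(mktemp)
    list_suid "$1" > "$cur"
    added=$(comm -13 "$2" "$cur")      # only in current: new privileged files
    removed=$(comm -23 "$2" "$cur")    # only in baseline: removed or changed
    rm -f "$cur"
    rc=0
    if [ -n "$added" ]; then
        printf 'NEW setuid/setgid files, investigate:\n%s\n' "$added"
        rc=1
    fi
    if [ -n "$removed" ]; then
        printf 'Missing from baseline:\n%s\n' "$removed"
        rc=1
    fi
    return "$rc"
}

# Typical use (hypothetical paths): once after installation, then from cron.
#   suid_baseline / /var/lib/suid-baseline.txt
#   suid_check    / /var/lib/suid-baseline.txt
```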
<p>Every UNIX opens many services when installed, and many of them are not necessary, depending on the kind of server being built. For example, on my Linux box I have the following services: </p>

<pre>$ netstat -pn -l -A inet

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      200/sshd
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      193/lpd
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:9               0.0.0.0:*               LISTEN      189/inetd
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      180/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      116/portmap
udp        0      0 0.0.0.0:9               0.0.0.0:*                           189/inetd
udp        0      0 0.0.0.0:1024            0.0.0.0:*                           180/rpc.statd
udp        0      0 0.0.0.0:780             0.0.0.0:*                           180/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           116/portmap
udp        0      0 0.0.0.0:68              0.0.0.0:*                           112/dhclient-2.2.x
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           -
raw        0      0 0.0.0.0:6               0.0.0.0:*               7           -</pre>
<p>This shows information such as the protocol type, address and port, as well as the state each socket is in. With <code>lsof</code> we can obtain more precise and more compact information: </p>

<pre>$ lsof -i | grep LISTEN

portmap    116 root    4u  IPv4     73      TCP *:sunrpc (LISTEN)
rpc.statd  180 root    5u  IPv4    118      TCP *:1024 (LISTEN)
inetd      189 root    4u  IPv4    126      TCP *:discard (LISTEN)
inetd      189 root    6u  IPv4    128      TCP *:daytime (LISTEN)
inetd      189 root    7u  IPv4    129      TCP *:time (LISTEN)
inetd      189 root    8u  IPv4    130      TCP *:smtp (LISTEN)
inetd      189 root    9u  IPv4    131      TCP *:auth (LISTEN)
lpd        193 root    6u  IPv4    140      TCP *:printer (LISTEN)
sshd       200 root    3u  IPv4    142      TCP *:ssh (LISTEN)</pre>
<p>This shows us the service, port, owner and protocol used. To list the daemons that <code>inetd</code> manages we can review its configuration file, <code>/etc/inetd.conf</code>: </p>

<pre>$ grep -v "^#" /etc/inetd.conf | sort -u

daytime         stream  tcp     nowait  root    internal
discard         dgram   udp     wait    root    internal
discard         stream  tcp     nowait  root    internal
ident           stream  tcp     wait    identd  /usr/sbin/identd       identd
smtp            stream  tcp     nowait  mail    /usr/sbin/exim exim -bs
time            stream  tcp     nowait  root    internal</pre>
<p>To stop and disable a service, in this case <code>time</code>, we have the command: </p>

<pre>$ update-inetd --disable time</pre>
<p>and the file <code>inetd.conf</code> is modified like this: </p>

<pre>daytime         stream  tcp     nowait  root    internal
discard         dgram   udp     wait    root    internal
discard         stream  tcp     nowait  root    internal
ident           stream  tcp     wait    identd  /usr/sbin/identd       identd
smtp            stream  tcp     nowait  mail    /usr/sbin/exim exim -bs</pre>
<p>To restart the <code>inetd</code> daemon we can use the command: </p>

<pre>$ /etc/init.d/inetd restart</pre>
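The steps above (list what inetd has enabled, disable what is not needed, restart) as an added shell example that is not from the article: it reads an inetd.conf, compares the enabled services with an allow-list and prints the update-inetd commands it would run, so the list can be reviewed first; the sample configuration and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: work out which inetd services are still
# enabled and which of them fall outside an allow-list, then print the matching
# "update-inetd --disable" commands so they can be reviewed before being run.
# update-inetd comments a disabled entry out with a "#<off># " prefix, which
# the non-comment filter below skips like any other comment.
set -u

# Constructed sample modelled on the article's /etc/inetd.conf listing, with
# the time service already disabled by update-inetd.
sample_inetd_conf() {
    cat <<'EOF'
# /etc/inetd.conf: see inetd(8) for further information
daytime         stream  tcp     nowait  root    internal
discard         dgram   udp     wait    root    internal
discard         stream  tcp     nowait  root    internal
ident           stream  tcp     wait    identd  /usr/sbin/identd       identd
smtp            stream  tcp     nowait  mail    /usr/sbin/exim exim -bs
#<off># time    stream  tcp     nowait  root    internal
EOF
}

# Print the enabled service names in file $1 (first field of every
# non-comment line that has the six mandatory fields), sorted and unique.
inetd_enabled() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 { print $1 }' | sort -u
}

# Print the enabled services in $1 that are not in the space-separated
# allow-list $2 (for a mail server, something like "smtp ident").
inetd_unexpected() {
    allow=" $2 "
    inetd_enabled "$1" | while read -r svc; do
        case $allow in
            *" $svc "*) ;;                 # allowed: say nothing
            *) printf '%s\n' "$svc" ;;     # not on the list: report it
        esac
    done
}

# Print, without executing, the commands that would disable the unexpected
# services; after running them inetd still has to be restarted.
inetd_disable_plan() {
    inetd_unexpected "$1" "$2" | sed 's/^/update-inetd --disable /'
}
```

Pipe the plan into `sh` only after reading it; the functions never modify the configuration themselves.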
<p>To disable unnecessary services I made the following shell script; remember that you can adapt it for your purposes. </p>

<pre>#!/bin/bash
# ----------------------------------------------------------------------
# Securing configuration files and deactivating unnecessary services
# Jose Salvador Gonzalez Rivera jsgr@linuxpuebla.org
# ----------------------------------------------------------------------
clear
raiz=0                                  # UID of root
if [ "$UID" -eq "$raiz" ]
 then
  echo -e "Ok, Inits Shell Script...\n"
 else
  echo -e "You need to be ROOT to run this script...\a\n"
  exit 1
fi

echo "Securing Logs..."
chmod 700 /bin/dmesg            # Limits the kernel messages
chmod 600 /var/log/messages     # Messages to the console
chmod 600 /var/log/lastlog      # Register connections
chmod 600 /var/log/faillog      # Register failed connections
chmod 600 /var/log/wtmp         # Data Input and Output (last)
chmod 600 /var/run/utmp         # Logged user data
                                # (commands who, w, users, finger)
echo "Securing configurations..."
chmod 600 /etc/lilo.conf        # Configuration and password for LiLo
chmod 600 /etc/syslog.conf      # Syslog configuration
chmod -R 700 /etc/init.d        # Init files directory

echo "Removing the setuid/setgid bits..."
# Note: this strips the bits from EVERY file on the system, including
# passwd, su and ping, which need them; adapt the search before using it.
find / -perm -4000 -exec chmod a-s {} \;
find / -perm -2000 -exec chmod a-s {} \;

echo "Removing the unnecessary services..."
/etc/init.d/lpd stop
update-rc.d -f lpd remove
/etc/init.d/nfs-common stop
update-rc.d -f nfs-common remove
/etc/init.d/portmap stop
update-rc.d -f portmap remove
update-inetd --disable time
update-inetd --disable daytime
update-inetd --disable discard
update-inetd --disable echo
update-inetd --disable chargen
update-inetd --disable ident
echo -e "Restarting super daemon...\n"
/etc/init.d/inetd restart
cd && echo -e "Ok, Finishing the Shell Script...\n"</pre>
<p>Well, for all this I use the <code>man</code> pages of the programs. I hope this can help people get a little more interested in Linux security, and specifically in Debian.</p>
<!-- *** BEGIN author bio *** -->
<P>
<P>
<!-- *** BEGIN bio *** -->
<P>
<img ALIGN="LEFT" ALT="[BIO]" SRC="../gx/2002/note.png">
<em>
Currently I'm an active member of the Puebla Linux User Group (GULP) in
México. I frequently participate in events to promote the use of Free
Software and Linux mainly. I accept any questions, comments or suggestions by
email.
</em>
<br CLEAR="all">
<!-- *** END bio *** -->

<!-- *** END author bio *** -->

<!-- *** BEGIN copyright *** -->
<hr>
<CENTER><SMALL><STRONG>
Copyright © 2003, Jose Salvador Gonzalez Rivera.
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 89 of <i>Linux Gazette</i>, April 2003
</STRONG></SMALL></CENTER>
<!-- *** END copyright *** -->
<HR>

<!--startcut ==========================================================-->
<CENTER>
<!-- *** BEGIN navbar *** -->
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->