Securing your Linux Installation

• Securing your system:
  • tcp-wrappers
    • /etc/hosts.deny
    • /etc/hosts.allow
    • Format for entries: daemon_list : client_list [ : shell_command ]
  • services in /etc/inetd.conf
    • What you don't need:
      • Any of the rhost services (rsh, rlogin, rexec, etc). If you want this functionality in a secure setting, use ssh
      • finger
      • tftpd, bootps -- normally only used for net-booting other machines
      • For any service that you don't understand, it's safe to turn that service off 99% of the time (at the very least, turn it off long enough to learn what it is, and then decide whether to turn it back on or not)
    • What you might want:
      • telnetd
      • ftpd
      • identd
  • standalone services
    • These services are found in /etc/rc.d/init.d, and linked into the proper runlevels in /etc/rc.d
    • If you don't need or want a service, remove the S* link to that service in the relevant runlevel. For example, if there is a script /etc/rc.d/init.d/sendmail that starts sendmail, and that script is linked into runlevel 3 as /etc/rc.d/rc3.d/S20sendmail, then to turn off sendmail, simply remove that link.
• To firewall or not to firewall
• Links:
  • ACM's Security Workshop