How to Secure Your PC

Securing Red Hat Linux

     
 
     
Disabling All Unnecessary Network Services
   
     
What is a service?
  Before you can disable a service on your machine, it helps to understand what a service is. When we say service we mean a program running on your machine that allows people who are not on your machine to access it and perform some function. For example, if you were running a web server on your machine so other people could connect to your machine and view web pages, that would be a service.

When you are running a service on your computer that allows others access via the network, that service is listening on a port. Each service has a well known port number that is assigned by an Internet agency. For example, telnet listens on TCP port 23 and a mail server will listen on TCP port 25.

Notice that the above says "TCP port 25". Where did the TCP come from? TCP (short for Transmission Control Protocol) is one of the two main protocols that your computer uses to accept connections. The other is UDP (User Datagram Protocol). Each protocol has 65,535 possible ports for a service to listen on. In other words, since we have both TCP and UDP, there are 65,535 x 2 or 131,070 possible ports for a service to be active on.

 
     
Why should these services be disabled?
  So why do we care about what ports are being used (open) on the computer? Each port that is open has a program listening on that port and accepting connections from remote computers. If there are bugs in the programs listening on those open ports, or if the programs are not configured properly, they can often be exploited by a remote user and tricked into doing things they were never intended to do, such as giving someone more power and control over your computer than they should have.

You may think that if you keep your patches up to date, that you will be okay. For the most part, this is true. Unfortunately, oftentimes hackers are quicker to exploit newfound bugs than operating system vendors are to patch them. Also, you cannot be sitting at your computer 24 hours a day watching the vendor web sites for patches. Thus, it is in your best interest to minimize the number of services running.

 
     
How can these services be disabled?
  Services can be started a number of ways on Linux. The two main starting points are through the init scripts and through inetd (xinetd on Red Hat 7.1 and higher). Services can also be started using cron or the "at" command.

NOTE: One thing to keep in mind when enabling/disabling services in the following sections is that any service started via inetd.conf is definitely a network service, whereas the other methods could be starting programs that do not access the network at all.

Disabling services that are started in inetd.conf

The first place to check for services that are started is in inetd.conf. This file is almost always located in /etc, so the full path to the file would be /etc/inetd.conf.

Any line that starts with a '#' character is a comment line and can be ignored. One good way to see which services have not yet been disabled is to issue the command:

grep -v ^# /etc/inetd.conf
This command lists all of the lines in /etc/inetd.conf that do not begin with a comment character.

To disable a service, you need to edit the inetd.conf file (with your favorite editor) and insert a '#' at the beginning of each line for the services that you wish to disable. It's always a good idea to make a backup copy of the file before you make any changes, just in case something goes wrong while you're editing.
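As an added example (not the ACCC page's own code), the listing and commenting-out described above as a small POSIX shell script. It takes the configuration file path as a parameter so it can be tried on a constructed copy in the inetd.conf format rather than on the real /etc/inetd.conf; the sample file contents, the service names it disables and the .bak backup suffix are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the ACCC page's own code): list the services an
# inetd.conf-style file still starts, and comment out named ones after taking
# a backup, as the page describes. The file path is a parameter so the script
# can be tried on a constructed copy instead of the real /etc/inetd.conf.

# Print the service name (first field) of every line that is neither blank
# nor a comment; these are the services inetd would still start.
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF > 0 { print $1 }'
}

# Disable each service named after the file by prefixing its line with '#'.
# A backup <file>.bak is written first (the page's advice); the edit goes
# through a temporary file so it works with any POSIX awk and needs no sed -i.
disable_inetd_services() {
    conf=$1; shift
    cp -p "$conf" "$conf.bak" || return 1
    for svc in "$@"; do
        awk -v svc="$svc" '
            $1 == svc && $0 !~ /^[ \t]*#/ { print "#" $0; next }
            { print }
        ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf" || return 1
    done
}

# Constructed sample in inetd.conf format (assumed content, not a real file).
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# <service> <socket> <proto> <wait/nowait> <user> <server> <args>
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Walk-through on a temporary copy; on a real box the file is /etc/inetd.conf.
demo_inetd() {
    f=$(mktemp) || return 1
    make_sample_inetd_conf "$f"
    echo "Enabled before:"; enabled_inetd_services "$f"
    disable_inetd_services "$f" telnet shell login finger
    echo "Enabled after:";  enabled_inetd_services "$f"   # nothing left enabled
    rm -f "$f" "$f.bak"
}

demo_inetd
```

The awk rule matches only lines whose first field is exactly the service name, so "#ftp" (already disabled) is left alone and a service such as "login" does not accidentally match "rlogin". After running it against the real file, restart inetd so the change takes effect, and keep the .bak copy until you have confirmed nothing you need stopped working.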

NOTE: If you are running Red Hat 7.2 or higher, a new version of inetd is running (called xinetd) and services are enabled/disabled using chkconfig as described in the following section.

Disabling services that are started via the rc scripts

When Linux is started, there are scripts (programs) in certain directories that cause certain programs to be executed. Most of these scripts cause services to be started. Red Hat Linux has a nice utility to control the enabling or disabling of these scripts that start services. This utility, called chkconfig, can be used to easily see what services are starting and then allow you to disable them. To see which scripts chkconfig has under its control, type:
chkconfig --list
You should see output with lines similar to the following (only more of them):
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
rwhod           0:off   1:off   2:off   3:off   4:off   5:off   6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
kdcrotate       0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:off   5:off   6:off

In looking at the above, you see that the output includes the numbers 0-6 followed by a colon and either "on" or "off". Exactly what the numbers mean is beyond the scope of this article. For our purposes, it is enough to know that a service is disabled only when every number on its line is followed by "off".

To make things easier to read, try the following command:

chkconfig --list | grep ":on"

This command will only show us the scripts that are executed sometime during startup. In order to disable a startup script, you also use the chkconfig command. For example, in the output above, we see that portmap is started and we do not want it to be, so we need to disable it. This can be done by:

chkconfig --level 0123456 portmap off

This says to disable the "portmap" service for levels 0 through 6 (all levels).

 
     
Which services should I leave enabled?
  It is very difficult to give an answer to this question that will fit everyone. The sample inetd.conf linked from the original page is a useful reference: one thing that you should notice in that sample is that every single line begins with a # character. This means that every service that inetd would control on a machine using this config file would be disabled. This is a great inetd.conf file!

Some of the services that you should leave enabled are: keytable, syslog, gpm, kudzu, network, random, apmd, crond, anacron, sshd and xinetd. Some others that you may want running depending on what your Linux machine is to be used for are: rawdevices and pppoe.
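As an added example (not from the ACCC page), the chkconfig review from the previous section turned into a small POSIX shell script: it reads output in the format of chkconfig --list, reports the services switched on at any runlevel, and prints the chkconfig command shown above for each one that is not on the page's leave-enabled list. The sample listing is constructed from the output shown earlier on this page so the script runs without chkconfig, and the keep list is the page's own set of services to leave enabled; nothing is executed, the printed commands are for you to review first.

```shell
#!/bin/sh
# Added example (not the ACCC page's own code): parse "chkconfig --list"
# style output, report what is switched on, and print the chkconfig command
# that would turn off each service not on a keep list.

# Constructed stand-in for `chkconfig --list`, copied from the listing shown
# on the page, so the example runs on any machine.
sample_chkconfig_list() {
    cat <<'EOF'
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
rwhod           0:off   1:off   2:off   3:off   4:off   5:off   6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
kdcrotate       0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:off   5:off   6:off
EOF
}

# Services that are "on" in at least one runlevel, one name per line.
# Reads chkconfig-style lines on stdin; ":on" never matches ":off".
services_on() {
    awk '/:on/ { print $1 }'
}

# For each service on stdin that is switched on and not in the keep list
# ($1, space-separated), print the command that disables it at every level.
# Nothing is executed: review the output, then run the lines you agree with.
disable_commands() {
    keep=" $1 "
    services_on | while read -r svc; do
        case "$keep" in
            *" $svc "*) ;;    # on the keep list: leave it alone
            *) echo "chkconfig --level 0123456 $svc off" ;;
        esac
    done
}

# The page's list of services to leave enabled (network, random, apmd, crond,
# anacron, sshd and xinetd do not appear in the sample listing but belong here).
KEEP="keytable syslog gpm kudzu network random apmd crond anacron sshd xinetd"

sample_chkconfig_list | disable_commands "$KEEP"
# On a real Red Hat system:  chkconfig --list | disable_commands "$KEEP"
```

For the sample listing this prints disable commands for atd and portmap only; add a name such as atd to KEEP if your machine needs it, and treat the output as a checklist rather than piping it straight into sh.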

What about ftp?

Do not run this unless absolutely necessary. There have been security flaws discovered in the ftp server in the past that have allowed machines to be compromised. Use scp or sftp in place of ftp.

What about telnet?

You should not use telnet to login to your machine. All access to your machine should be done either directly at the console (i.e. keyboard connection directly to the machine) or via a secure shell (ssh) session. SSH sessions look just like telnet sessions, but the data stream is encrypted so that your data (and passwords) cannot be sniffed by an attacker on the network.

What about rshell, rlogin and rexec?

NO! The protocols are insecure. Use ssh in their place. These services should never be enabled.

What about tftp?

The tftpd server should not be enabled. It uses an insecure protocol.

What about fingerd?

It is commonly considered bad practice to run the fingerd service, as it makes it too easy for an attacker to determine the usage patterns of a machine and when the best time to attack it is so that they are least likely to be detected.
 
     
Apply Patches -- autorpm
 

The application of patches to your system on a timely basis is crucial to the security of your system. It is important to install all security patches for ALL programs that you have installed, regardless of whether or not they are network accessible. This helps prevent a non-privileged user (both legitimate and illegitimate) from exploiting a bug in a non-networking program on the machine locally to escalate their system privileges.

Red Hat Linux patches are distributed in rpm format, which makes them very easy to apply. You can see what patches have been issued and download them at Red Hat's errata web page.

ACCC autorpm Server

ACCC maintains an autorpm server that mirrors Red Hat's update server. In addition, ACCC has prepared RPMs for the different versions of Red Hat Linux that you can download and install so that your machine is automatically updated with the latest patches.

To setup your Linux machine so that it automatically updates via the ACCC autorpm server, follow these steps:

  1. FTP to autorpm.cc.uic.edu
  2. cd pub/autorpm
  3. download 2 files:
    • perl-libnet-1.0605-2.noarch.rpm
    • download the appropriate autorpm-redhat file for your system. The files are named by Red Hat version. For example, for Red Hat 7.1, you would download autorpm-redhat7.1-1.0-1.i386.rpm
  4. Install the files using the rpm command. For example,
    rpm -Uvh autorpm-redhat7.1-1.0-1.i386.rpm
    rpm -Uvh perl-libnet-1.0605-2.noarch.rpm
  5. Set up a crontab entry so that the autorpm command is issued on a regular basis. For example, run crontab -e as root and enter a crontab entry similar to the following to have the command run daily at 1 AM.
    0 1 * * * /usr/local/bin/autorpm.pl
 
     
For More Info
 

The ACCC front-line consultants don't have the training to answer Linux questions. But there are lots of other resources.

You can subscribe to linux@uic.edu. (Send an email message with the single line "subscribe linux your-name " to listserv@uic.edu. Of course, don't include the quotes.) Many Linux users from the UIC community read this list and will answer questions.

There are all sorts of books on all levels, including the manuals that come with CD sets.

And, of course, there's the Web. Google found some 56,400,000 hits on "linux"; don't read all this before bedtime. But consider:

http://www.tldp.org/
The Linux Documentation Project, a central source for howtos, guides, FAQs, magazine articles, and more.
http://freshmeat.net/
Huge catalog of Linux software, much of it free.
http://www.codeweavers.com
From the makers of Crossover, which allows Word, Excel, IE, and so on to run on Linux. This is great if you don't like their native Linux work-alikes.
 
Desktop Management:
KDE and Gnome usually come with a distro, so you don't have to do a manual install. But these sites have screenshots and lists of included programs and features:
http://www.kde.org/
http://www.gnome.org/
 

 


2004-12-3  security@uic.edu