Unix Security - Services

Services

Unnecessary system software should not be installed or configured on a system. Software which is no longer required should be removed completely, if possible.

• Identify what services are running
  • netstat -na
  • lsof
  • nmap
  • sockstat -4 (FreeBSD)

The commands inetd and xinetd act as super-servers for a variety of network protocols such as rlogin, telnet and ftp.

Turning off unnecessary services

• using update-rc.d on Debian
• using chkconfig on Red Hat Linux
• using /etc/rc.conf and /usr/local/etc/rc.d on FreeBSD (mention /etc/rc.local)
• using rc-update on Gentoo Linux

This approach is usually called proactive security. There are some operating systems which are secure by default. Amongst others, the free BSD flavours (FreeBSD, NetBSD, and OpenBSD) are proactively secure. For example, the output of netstat on a NetBSD 3.0 workstation clearly outlines this technique:

$ netstat -a Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost.smtp *.* LISTEN tcp 0 0 *.ssh *.* LISTEN Active Internet6 connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp6 0 0 localhost.smtp *.* LISTEN tcp6 0 0 *.ssh *.* LISTEN Active UNIX domain sockets Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr c0d10d80 dgram 0 0 0 c0cd8680 0 c0cb7000 -> /var/run/log c0cb7000 dgram 0 0 0 c0cd8680 0 0 -> /var/run/log c0cd8680 dgram 0 0 cb9639e8 0 c0d10d80 0 /var/run/log

The following example from a BSD system

$ sockstat -4 USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS root sendmail 569 4 tcp localhost.smtp *.* root sshd 593 4 tcp *.ssh *.*

Shows that on this machine only the SSH service is listening to the public network interface of the computer. sendmail is listening to the loopback interface only. Access to a service may be further restricted by using a firewall.