Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE Installation Guide

Browse online or download the Installation Guide for the Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE security device components. Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE Installation guide User Manual

Security Quick-Start HOWTO for Red Hat Linux
Hal Burgiss
v. 1.2, 2002-07-21
Revision History
Revision v. 1.2 2002-07-21 Revised by: hb
A few small additions, and fix the usual broken links.
Revision v. 1.1 2002-02-06 Revised by: hb
A few fixes, some additions and many touch-ups from the original.
Revision v. 1.0 2001-11-07 Revised by: hb
Initial Release.
This document is an overview of the basic steps required to secure a Linux installation from intrusion. It is
intended to be an introduction. This is a Red Hat specific version of this document.

Contents

Page 1 - Hal Burgiss

Security Quick-Start HOWTO for Red Hat Linux Hal Burgiss [email protected] v. 1.2, 2002-07-21 Revision History Revision v. 1.2 2002-07-21 Revised by: h

Page 2 - Table of Contents

3. Step 1: Which services do we really need? In this section we will see which services are running on our freshly installed system, decide which we r

Page 3

*:telnet *:* LISTEN 988/inetd *:finger *:* LISTEN 988/inetd *:sunrpc *:*

Page 4 - 1. Introduction

There may be individual situations where it is desirable to make exceptions to the conclusions reached above. See below. 3.2. The Danger Zone (or r00t

Page 5 - 1.3. Copyright

below). Also, where xinetd is used, it can control those services as well. chkconfig can tell us what services the system is configured to run, but

Page 6 - 1.5. Disclaimer

To view only the ones that are "on": # chkconfig --list | grep "\bon\b" | less The first column is the service name, and the remain

Page 7 - 1.7. Feedback

# the running INETD process, edit this file, then send the # INETD process a SIGHUP signal. # # Version: @(#)/etc/inetd.conf 3.10 05/27/93 # # Aut

Page 8 - 2. Foreword

Check your logs for errors, and run netstat again to verify all went well. A quicker way of getting the same information, using grep: $ grep -v '

Page 9 - 2.2. Before We Start

/etc/xinetd.d/rlogin: disable = no /etc/xinetd.d/rsh: disable = no /etc/xinetd.d/telnet: disable = no /etc/xinetd.d/wu-ftpd: disable = no At

Page 10 - 3.1. System Audit

3.4. Exceptions Above we used the criteria of turning off all unnecessary services. Sometimes that is not so obvious. And sometimes what may be requir

Page 11

3.5. Summary and Conclusions for Step 1 In this section we learned how to identify which services are running on our system, and were given some tips o

Page 12 - 3.3. Stopping Services

Table of Contents 1. Introduction...

Page 13 - 3.3.1. Stopping Init Services

4. Step 2: Updating OK, this section should be comparatively short, simple and straightforward compared to the above, but no less important. The very fi

Page 14 - 3.3.2. Inetd

are updated according to what Red Hat has made available since the initial release. At least as long as Red Hat is still supporting the release a

Page 15 - 3.3.2. Inetd 12

5. Step 3: Firewalls and Setting Access Policies So what is a "firewall"? It's a vague term that can mean anything that acts as a prote

Page 16 - 3.3.3. Xinetd

generating a very basic set of firewall rules (see below). This may be adequate, but it is still recommended to know the proper syntax and how the

Page 17 - 3.3.4. When All Else Fails

# ipchains.sh # # An example of a simple ipchains configuration. # # This script allows ALL outbound traffic, and denies # ALL inbound connection attempt

Page 18 - 3.4. Exceptions

# request is blocked, ie we won't respond to someone else's pings, # but can still ping out. $IPCHAINS -A input -p icmp --icmp-type echo-re

Page 19

-d <IP address> [port]: This rule only applies to the destination address as specified. Also, it may include port or port range. -l : Any packe

Page 20 - 4. Step 2: Updating

#!/bin/sh # # iptables.sh # # An example of a simple iptables configuration. # # This script allows ALL outbound traffic, and denies # ALL inbound connecti

Page 21 - 4. Step 2: Updating 18

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT $IPTABLES -A INPUT -

Page 22 - 5.1. Strategy

/etc/sysconfig/ipchains. As mentioned, this is a fairly minimalist set of rules, and possibly a sufficient starting point. An example /etc/sysconfig/ip

Page 23 - 5.2.1. ipchains

Table of Contents 7. General Tips...

Page 24 - 5.2.1. ipchains 21

/etc/hosts.allow, where specific services are listed, along with the specific host addresses allowed to access these services. While hostnames can be

Page 25

to only our sshd daemon from any host associated with .myworkplace.com. Note the leading "." in this example. And then also, the single ho

Page 26 - 5.2.2. iptables

connections from 192.168.1.0, our LAN. For xinetd's purposes, this denotes any IP address beginning with "192.168.1". Note that the sy

Page 27 - 5.2.2. iptables 24

using a web proxy like "squid" (http://www.squid-cache.org/), every time we browse to a web site, we would actually be connecting to our lo

Page 28

editor. If using xdm (or variants such as gdm, kdm, etc), this option would be specified in /etc/X11/xdm/Xservers (or comparable) as :0 local /usr/

Page 29 - 5.3. Tcpwrappers (libwrap)

As always, anytime you make system changes, backup the configuration file first, restart the appropriate daemon afterward, and then check the appropr

Page 30

5.8. Logging Linux does a lot of logging. Usually to more than one file. It is not always obvious what to make of all these entries -- good, bad or ind

Page 31 - 5.3.1. xinetd

http://freshmeat.net/projects/fwlogwatch/ by Boris Wesslowski, is a similar idea, but supports more log formats. • 5.9. Where to Start Let's take

Page 32 - 5.5. Proxies

implemented any of the above steps yet, now is a good time to take a break, go back to the top, and have at it. The most important steps are the ones

Page 33 - 5.6. Individual Applications

6. Intrusion Detection This section will deal with how to get early warning, how to be alerted after the fact, and how to clean up from intrusion attem

Page 34

1. Introduction 1.1. Why me? Who should be reading this document and why should the average Linux user care about security? Those new to Linux, or unfam

Page 35 - 5.7. Verifying

The first thing an intruder typically does is install a "rootkit". There are many prepackaged rootkits available on the Internet. The rootk

Page 36 - 5.8. Logging

end. Remember though such changes may not be "visible" to any system tools. Sometimes the intruder is not so smart and forgets about root&a

Page 37 - 5.9. Where to Start

The steps to take, in this order: Pull the plug and disconnect the machine. You may be unwittingly participating in criminal activity, and doing to oth

Page 38

7. General Tips This section will quickly address some general concepts for maintaining a more secure and reliable system or network. Let's emphas

Page 39 - 6. Intrusion Detection

/etc/security/*, including /etc/security/limits.conf, where again various sane limits can be imposed. An in depth look at PAM is beyond the scope of t

Page 40 - # chattr -i /bin/ps

Even if it is just one LAN box to another. If you find you need to run a particular service, and it is for just you, or maybe a relatively small numbe

Page 41

8. Appendix 8.1. Servers, Ports, and Packets Let's take a quick, non-technical look at some networking concepts, and how they can potentially impa

Page 42

computer will open a connection to a "port" on another computer, and thus be able to exchange data via the connection that has been establi

Page 43 - 7. General Tips

One more point on ports: ports are only accessible if there is something listening on that port. No one can force a port open if there is no service

Page 44 - root: hal@bigcat

69 - tftp, or Trivial File Transfer Protocol. Extremely insecure. LAN only, if really, really needed. 79 - Finger, used to provide information about

Page 45

not the case, further reading is strongly recommended. The principles that will guide us in our quest are: There is no magic bullet. There is no one

Page 46 - 8. Appendix

513 - login, actually rlogin, aka Remote Login. No relation to the standard /bin/login that we use every time we log in. Sounds dangerous, and is. Hi

Page 47

6000 - X11 TCP port for remote connections. Low to moderate risk, but again, this should be LAN only. Actually, this can include ports 6000-6009 sinc

Page 48 - 8.2. Common Ports

$ netstat -tua Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp

Page 49

tcp 0 1 169.254.179.139:1175 64.152.100.93:119 SYN_SENT tcp 0 1 169.254.179.139:1173 64.152.100.93:119 SYN_SENT

Page 50

Looking at /etc/services, we can tell that port 37 is a "time" service, which is a time server. 6000 is X11, and 80 is the standard port fo

Page 51 - 8.3. Netstat Tutorial

tcp 6648 0 127.0.0.1:1162 127.0.0.1:8000 CLOSE_WAIT tcp 553 0 127.0.0.1:1164 127.0.0.1:8000 CLOSE_W

Page 52

# netstat -tap Active Internet connections (servers and established) Local Address Foreign Address State PID/Program name *:prin

Page 53

958 ? S 0:46 \_ named -u named 959 ? S 0:47 \_ named -u named 960 ? S 0:00 \_ named -u named 9

Page 54

USER PID ACCESS COMMAND 631/tcp root 1315 f... cupsd See the man pages for fuser and lsof command

Page 55

If all else fails, and you can't find a process owner for an open port, suspect that it may be an RPC (Remote Procedure Call) service of some kin

Page 56

This document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FIT

Page 57

even kernel version, and thus get even more information. "Worms", on the other hand, are automated and scan blindly, generally just looking

Page 58

really try very hard. Just scan, look, try, move on if unsuccessful. There are always more IPs to be scanned. If your firewall is effectively bouncing

Page 59 - 8.4. Attacks and Threats

network. In this case, the attacker will look the system over for weaknesses. And possibly make many different kinds of attempts, until he finds a cra

Page 60 - 8.4.3. Worms and Zombies

8.4.9. Viruses And now something not to worry about. Viruses seem to be primarily a Microsoft problem. For various reasons, viruses are not a signific

Page 61 - 8.4.6. Targeted Attacks

Securing Red Hat: http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html Tools for creating custom ipchains and iptables firew

Page 62 - 8.4.8. Brute Force

Linux Security.com: http://www.linuxsecurity.com/docs/ Linux Newbie: http://www.linuxnewbie.org/nhf/intel/security/index.html The comp.os.linux.security

Page 63 - 8.5. Links

There are a great many types of files, but I'm going to stretch it here, and class them into two really broad families: Text files are just that.

Page 64

o Enter insertion mode opening a new line BELOW current line. O Enter insertion mode opening a new line ABOVE current line. h move cursor left

Page 65 - 8.6. Editing Text Files

pico -w file_2_edit Pico is so user friendly, no further instructions are needed. It _should_ be obvious (look at the bottom of the screen for commands)

Page 66

22/tcp open ssh 25/tcp open smtp 37/tcp open time 53/tc

Page 67

small additions and clarifications. Version 1.1: Various corrections, amplifications and numerous mostly small additions. Too many to list. Oh yea, lea

Page 68 - 8.7. nmap

This is more than just "interesting" ports -- it is everything. We picked up a couple of new ones in the process too. We've seen these

Page 69

A brief note on UDP: nmap can not accurately determine the status of these ports if they are "filtered". You probably will get a false-posi

Page 70

[ -e /proc/sys/net/ipv4/conf/all/log_martians ] && \ echo 1 > /proc/sys/net/ipv4/conf/all/log_martians [ -e /proc/sys/net/ipv4/icmp_echo_igno

Page 71 - 8.8. Sysctl Options

net.ipv4.ip_dynaddr = 1 # end of example 8.9. Secure Alternatives This section will give a brief run down on secure alternatives to potentially insecure

Page 72 - 8.8. Sysctl Options 69

# # Set the location of ipchains (default). IPCHAINS=/sbin/ipchains # Local Interfaces # # This is the WAN interface, that is our link to the outside world

Page 73 - 8.9. Secure Alternatives

# # Let's start clean and flush all chains to an empty state. $IPCHAINS -F # Set the default policies of the built-in chains. If no match for any

Page 74 - 8.9. Secure Alternatives 71

# # Trusted hosts/nets # # This is our trusted host list. These have access to everything. for i in $TRUSTED; do $IPCHAINS -A input -s $i -j ACCEPT done # P

Page 75 - 8.9. Secure Alternatives 72

# # ICMP (ping) # # ICMP rules, allow the bare essential types of ICMP only. Ping # request is blocked, ie we won't respond to someone else's pi

Page 76 - 8.9. Secure Alternatives 73

# Set a list of public server port numbers here...not too many! # These will be open to the world, so use caution. The example is # sshd, and HTTP (www)

Page 77 - 8.10.2. iptables II

# already set, so all is not lost here. [ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1 WA

Page 78 - 8.10.2. iptables II 75

2. Foreword Before getting into specifics, let's try to briefly answer some questions about why we need to be concerned about security in the firs

Page 79 - 8.10.2. iptables II 76

--dport $i -j ACCEPT $IPTABLES -t nat -A PREROUTING -p tcp -d $WAN_IP --dport $i \ -j DNAT --to $FORWARD_HOST:$i done # # Open, but Restricte

Page 80 - 8.10.2. iptables II 77

$IPTABLES -A DEFAULT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT # Enable logging for anything that gets this far. $IPTABLES -A DEFAULT -j LOG -m lim

Page 81 - 8.10.3. Summary

8.10.4. iptables mini-me Just to demonstrate how succinctly iptables can be configured in a minimalist situation, the below is from the Netfilter team&

Page 82 - 8.10.4. iptables mini-me

2.1. The Optimum Configuration Ideally, we would want one computer as a dedicated firewall and router. This would be a bare bones installation, with no
