There may be individual situations where it is desirable to make exceptions to the conclusions reached above.
See below.
3.2. The Danger Zone (or r00t m3 pl34s3)
The following is a list of services that should not be run over the Internet. Either disable these (see below),
uninstall, or if you really do need these services running locally, make sure they are the current, patched
versions and that they are effectively firewalled. And if you don't have a firewall in place now, turn them off
until it is up and verified to be working properly. These are potentially insecure by their very nature, and as
such are prime cracker targets.
NFS (Network File System) and related services, including nfsd, lockd, mountd, statd, portmapper,
etc. NFS is the standard Unix service for sharing file systems across a network. It is a great system for
LAN usage, but dangerous over the Internet, and it is completely unnecessary on a stand-alone
system.
rpc.* services (Remote Procedure Call), typically NFS- and NIS-related (see above).
Printer services (lpd).
The so-called r* (for "remote", i.e. Remote SHell) services: rsh, rlogin, rexec, rcp etc. Unnecessary,
insecure and potentially dangerous, and better utilities are available if these capabilities are needed.
ssh will do everything these commands do, and in a much more sane way. See the man pages for each
if curious. These will probably show in netstat output without the "r": rlogin will be just "login", etc.
telnet server. There is no reason for this anymore. Use sshd instead.
ftp server. There are better, safer ways for most systems to exchange files, such as scp or HTTP (see
below). ftp is a proper protocol only for someone who is running a dedicated ftp server, and who has
the time and skill to keep it buttoned down. For everyone else, it is potentially big trouble.
BIND (named), DNS server package. With some work, this can be done without great risk, but is not
necessary in many situations, and requires special handling no matter how you do it. See the sections
on Exceptions and special handling for individual applications.
Mail Transport Agent, aka "MTA" (sendmail, exim, postfix, qmail). Most installations on single
computers will not really need this. If you are not going to be directly receiving mail from Internet
hosts (as a designated MX box), but will rather use the POP server of your ISP, then it is not needed.
You may however need this if you are receiving mail directly from other hosts on your LAN, but
initially it's safer to disable this. Later, you can enable it over the local interface once your firewall
and access policies have been implemented.
This is not necessarily a definitive list, just some common services that are sometimes started on default Red
Hat installations. Conversely, this does not imply that other services are inherently safe.
3.3. Stopping Services
The next step is to find where each server on our kill list is being started. If it is not obvious from the
netstat output, use ps, find, grep or locate to find more information from the "Program name" or "PID" info
in the last column. There are examples of this in the Process Owner section of the netstat Tutorial in the
Appendix. If the service name or port number does not look familiar to you, you might get a very brief
explanation in your /etc/services file.
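As an added example (not part of the HOWTO), the following shell function triages netstat-style listener output against the Danger Zone list above and reports which programs to stop and whether each is reachable from the network or bound to loopback only. The netstat output embedded here is constructed for illustration; on a real host you would pipe `netstat -tulpn` (or `ss -tulpn`) into the function.

```shell
#!/bin/sh
# Programs from the Danger Zone list as they appear in netstat's last
# ("PID/Program name") column.  rlogin shows up as plain "login".
DANGER_PROGS="nfsd lockd mountd statd portmap login rsh rexec lpd in.telnetd telnetd vsftpd proftpd named sendmail exim postfix qmail"

# Constructed sample in the format of `netstat -tulpn` on Linux (not real output).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      412/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      530/sshd
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      601/login
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      655/sendmail
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      700/lpd
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           420/nfsd'

# triage_listeners: reads netstat output on stdin and prints one line per
# flagged listener: "<program> <pid> <local address> <scope>".
# scope is "loopback-only" when bound to 127.x or ::1 (the "local interface"
# case the MTA paragraph mentions), otherwise "network-exposed".
triage_listeners() {
    awk -v danger="$DANGER_PROGS" '
        BEGIN { n = split(danger, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            split($NF, pp, "/"); pid = pp[1]; prog = pp[2]
            base = prog; sub(/^rpc\./, "", base)        # rpc.statd -> statd
            # any rpc.* helper is flagged, per the rpc.* item in the list
            if ((prog in bad) || (base in bad) || prog ~ /^rpc\./) {
                scope = ($4 ~ /^127\./ || $4 ~ /^::1:/) ? "loopback-only" : "network-exposed"
                printf "%s %s %s %s\n", prog, pid, $4, scope
            }
        }'
}

# Usage on the constructed sample; sshd is not flagged, sendmail is loopback-only.
printf '%s\n' "$SAMPLE" | triage_listeners
```

The PID column gives you the argument for ps (and the init script to look for with chkconfig) when deciding how to stop each flagged service.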
chkconfig is a very useful command for controlling services that are started via init scripts (see example
Security Quick-Start HOWTO for Red Hat Linux