
3.4. Exceptions
Above we used the criterion of turning off all unnecessary services. Sometimes what counts as unnecessary is not
so obvious, and what one person's configuration requires may not be what another's does. Let's look at a
few common services that fall in this category.
Again, our rule of thumb is if we don't need it, we won't run it. It's that simple. If we do need any of these,
they are prime candidates for some kind of restrictive policies via firewall rules or other mechanisms (see
below).
• identd - This is a protocol that has been around for ages, and is often installed and running by
default. It is used to provide a minimal amount of information about who is connecting to a server.
But it is not necessary in many cases. Where might you need it? Most IRC servers require it. Many
mail servers use it, but don't really require it. Try your mail setup without it. If identd is going to be a
problem, it will be because there is a timeout before the server starts sending or receiving
mail. So mail should work fine without it, but may be slower. A few ftp servers may require it. Most
don't though. Older versions of Red Hat started identd via inetd. Recent versions start this via init
scripts.
If identd is required, there are some configuration options that can greatly reduce the information that
is revealed:

    /usr/sbin/in.identd in.identd -l -e -o -n -N

The -o flag tells identd to not reveal the operating system type it is run on and to instead always
return "OTHER". The -e flag tells identd to always return "UNKNOWN-ERROR" instead of the
"NO-USER" or "INVALID-PORT" errors. The -n flag tells identd to always return user numbers
instead of user names, if you wish to keep the user names a secret. The -N flag makes identd check
for the file .noident in the home directory of the user for whom the daemon is about to return a user
name. If that file exists then the daemon will give the error "HIDDEN-USER" instead of the normal
"USERID" response.
• Mail server (MTAs like sendmail, qmail, etc) - Often a fully functional mail server like sendmail is
installed by default. The only time that this is actually required is if you are hosting a domain and
receiving incoming mail directly, or possibly for exchanging mail on a LAN, in which case it does
not need Internet exposure and can be safely firewalled. For your ISP's POP mail access, you don't
need it even though this is a common configuration. One alternative here is to use fetchmail for POP
mail retrieval with the -m option to specify a local delivery agent: fetchmail -m procmail, for
instance, works with no sendmail daemon running at all. Sendmail can be handy to have running, but
the point is, it is not required in many situations, and can be disabled or firewalled safely.
• BIND (named) - This is often installed by default, but is only really needed if you are an
authoritative name server for a domain. If you are not sure what this means, then you definitely don't
need it. BIND is probably the number one crack target on the Internet. BIND is often used, though, in
a "caching" only mode. This can be quite useful, but does not require full exposure to the Internet. In
other words, it should be restricted or firewalled. See special handling of individual
applications below.
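A small shell script, added here as an example and not part of the HOWTO, that applies this section's rule to an inetd.conf from an older Red Hat system: it lists which services inetd would start, comments out one we don't need (finger, chosen only as an illustration), and rewrites the auth entry so in.identd runs with the -l -e -o -n -N flags explained above. The inetd.conf contents are constructed for the example; the script reads the file text from stdin.

```shell
#!/bin/sh
# Added example (not from the HOWTO): apply this section's rule to inetd.conf
# text on stdin: list what inetd would start, comment out a service we do not
# need, and start in.identd with the restrictive flags described above.

# Constructed sample standing in for /etc/inetd.conf on an older Red Hat box.
SAMPLE_INETD_CONF='ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# Print the service names inetd would actually start (uncommented entries
# with all required fields), one per line. Reads inetd.conf text from stdin.
enabled_services() {
    grep -v '^[[:space:]]*#' | awk 'NF >= 6 { print $1 }'
}

# Comment out every enabled entry for the service named in $1 (first column,
# e.g. finger): "if we don't need it, we won't run it". stdin -> stdout.
disable_service() {
    sed "s/^$1[[:space:]]/#&/"
}

# Rewrite an enabled auth entry so in.identd is started with -l -e -o -n -N,
# the flags explained in the text. Any other line passes through unchanged.
harden_identd() {
    sed -E 's#^(auth[[:space:]].*/in\.identd)[[:space:]].*$#\1 in.identd -l -e -o -n -N#'
}

# Both changes together, for piping a whole inetd.conf through.
harden_inetd_conf() {
    disable_service finger | harden_identd
}

# Stand-alone run: show the result for the constructed file.
printf '%s\n' "$SAMPLE_INETD_CONF" | harden_inetd_conf
```

After editing the real file, inetd must be told to reread it (a SIGHUP to inetd on those systems) before the change takes effect.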
Security Quick-Start HOWTO for Red Hat Linux