
A.13 Chapter 12: Securing TCP and UDP Services

  • Routinely examine your inetd configuration file and startup files.

  • If your standard software does not offer this level of control, consider installing TCP Wrappers (the tcpd program) to better regulate and log access to your servers. Then contact your vendor and ask when equivalent functionality will be provided as a standard feature in the vendor's systems.

  • Disable any unneeded network services.

  • Disable any services that provide nonessential information to outsiders that might enable them to gather information about your systems.

  • Run a host-based, packet-filtering firewall on every system.

  • Make sure that your version of the ftpd program is up-to-date.

  • If you support anonymous FTP, don't have a copy of your real /etc/passwd as an ~ftp/etc/passwd.

  • Make sure that /etc/ftpusers contains at least the account names root, uucp, and bin. The file should also contain the name of any other account that does not belong to an actual human being.

  • Frequently scan the files in your ftp account and determine their usage.

  • Make sure that all directory permissions and ownership on your ftp account are set correctly.

  • If your software allows, configure any "incoming" directories so that files dropped off cannot then be downloaded again without operator intervention. (If your software doesn't allow this, consider changing to software that does.)

  • Make sure that your sendmail program will not deliver mail directly to a file.

  • Make sure that your sendmail program does not have a wizard's password set in the configuration file.

  • Limit the number of "trusted users" in your sendmail.cf file.

  • Make sure that your version of the sendmail program does not support the debug, wiz, or kill commands.

  • Delete the "decode" alias in your aliases file. Examine carefully any other alias that delivers to a program or file.

  • Make sure that your version of the sendmail program is up to date, with all published patches in place.

  • Make sure that the aliases file cannot be altered by unauthorized individuals.

  • Consider replacing sendmail with smap, postfix, or another more tractable network agent.

  • Have an alias for every non-user account so that mail to any valid address is delivered to a person and not to an unmonitored mailbox.

  • Consider disabling SMTP commands such as VRFY and EXPN with settings in your sendmail configuration. Enable authentication warnings.

  • Limit DNS zone transfers to authorized servers.

  • Configure your nameserver to refuse to perform recursive queries for outsiders.

  • Make sure that you are running the latest version of the nameserver software (e.g., bind) with all patches applied.

  • Make sure that all files used by the nameserver software are properly protected against tampering, and perhaps against reading by unauthorized users.

  • Run the nameserver daemon as a non-root user and in a chroot jail environment.

  • Use IP addresses instead of domain names in places where this practice makes sense.

  • Make sure that TFTP access, if enabled, is limited to a single directory containing boot files.

  • Tell your users about the information that the finger program makes available on the network.

  • Make sure that your finger program is more recent than November 5, 1988 (the Internet worm of November 1988 spread through a buffer overflow in fingerd; versions released after that date have the fix).

  • Disable or replace the finger service with something that provides less information.

  • Read a book on web server security.

  • If you are using POP or IMAP, configure your system to use APOP or Kerberos for authentication so that passwords do not cross the network in the clear. Provide POP and IMAP over SSL/TLS.

  • Disable the RPC portmapper or restrict access to it.

  • Consider running the authd/identd daemon for all machines in the local net. Use a version that returns encrypted identifiers.

  • Configure your NNTP server to restrict who can post articles or transfer Usenet news. Make sure that you have the most recent version of the software.

  • Consider establishing a secure (authenticated) NTP connection to keep your clocks in sync.

  • Uninstall or disable SNMP. If you must use it, block SNMP connections from outside your organization.

  • Disable rexec, rlogin, and rsh. Use SSH instead.

  • Routinely scan your system for suspicious .rhosts files. Make sure that all existing .rhosts files are set to mode 600.

  • Consider not allowing users to have .rhosts files on your system.

  • If you have a plus sign (+) in your /etc/hosts.equiv file, remove it.

  • Do not place usernames in your /etc/hosts.equiv file.

  • Restrict access to your printing software via the /etc/hosts.lpd file.

  • Make your list of trusted hosts as small as possible. "None" is an ideal size.

  • Block incoming RIP packets; use static routes where possible and practical.

  • Set up your logindevperm or fbtab files to restrict permissions on frame buffers and devices, if this is possible on your system.

  • If your X11 Server blocks on null connections, get an updated version.

  • Enable the best X11 authentication possible in your configuration (e.g., Kerberos, Secure RPC, "magic cookies") instead of using xhost. Alternatively, tunnel X11 connections through SSH.

  • Disable the rexd RPC service.

  • Be very cautious about installing MUDs, IRCs, or other servers.

  • Scan your network connections regularly with netstat, lsof, and nmap.

  • Scan your network with tools such as Nessus and ISS to determine if you have uncorrected vulnerabilities—before an attacker does the same.

  • Re-evaluate why you are connected to the network at all, and disconnect machines that do not really need to be connected.
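The checklist item on TCP Wrappers is easier to get right once the decision tcpd makes is spelled out. The script below is an added example, not code from the book or from the TCP Wrappers distribution: it re-implements the hosts.allow/hosts.deny evaluation for the patterns ALL, an exact daemon or client name, and a client prefix ending in "." (EXCEPT clauses, netmasks and hostname lookups are not handled), and runs it against constructed sample files. The daemon names (in.ftpd, sshd, in.telnetd) and addresses are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): a small re-implementation of the access
# decision tcpd makes from hosts.allow and hosts.deny, so the two files can be
# tested against sample daemon/client pairs offline.
# Handled patterns: ALL, an exact daemon or client string, and a client prefix
# ending in "." such as "10.0.0.". EXCEPT, netmasks and hostnames are not.

# Succeed if any rule in FILE matches DAEMON and CLIENT. A missing file
# matches nothing, which is also how tcpd treats it.
tcpd_match() {
  file=$1 daemon=$2 client=$3
  [ -f "$file" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                              # drop comments
    case $line in *:*) ;; *) continue ;; esac     # skip blank lines
    dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
    clist=${line#*:}; clist=$(printf '%s' "${clist%%:*}" | tr ',' ' ')
    for dpat in $dlist; do
      [ "$dpat" = ALL ] || [ "$dpat" = "$daemon" ] || continue
      for cpat in $clist; do
        case $cpat in
          ALL)       return 0 ;;
          *.)        case $client in "$cpat"*) return 0 ;; esac ;;
          "$client") return 0 ;;
        esac
      done
    done
  done < "$file"
  return 1
}

# tcpd's order of evaluation: a hosts.allow match grants, otherwise a
# hosts.deny match refuses, otherwise access is GRANTED. That final default
# is why hosts.deny must contain "ALL: ALL".
tcpd_decision() {
  if   tcpd_match "$1" "$3" "$4"; then echo allow
  elif tcpd_match "$2" "$3" "$4"; then echo deny
  else echo allow
  fi
}

# Constructed sample files; hosts.deny.empty shows the missing catch-all.
make_tcpd_samples() {
  dir=$(mktemp -d)
  cat > "$dir/hosts.allow" <<'EOF'
# only the local net may use ftp; ssh is open to everyone
in.ftpd: 10.0.0.
sshd:    ALL
EOF
  printf 'ALL: ALL\n' > "$dir/hosts.deny"
  : > "$dir/hosts.deny.empty"
  echo "$dir"
}

dir=$(make_tcpd_samples)
for probe in "in.ftpd 10.0.0.5" "in.ftpd 192.168.1.5" "sshd 192.168.1.5" "in.telnetd 10.0.0.5"; do
  set -- $probe
  echo "$1 from $2: $(tcpd_decision "$dir/hosts.allow" "$dir/hosts.deny" "$1" "$2")"
done
echo "in.ftpd from 192.168.1.5 with an empty hosts.deny:" \
     "$(tcpd_decision "$dir/hosts.allow" "$dir/hosts.deny.empty" in.ftpd 192.168.1.5)"
rm -rf "$dir"
```

The last probe is the one to remember: with the catch-all removed from hosts.deny, a daemon that no rule mentions is open to every client, because the tcpd default is to grant access.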
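Several of the file-oriented items above (the inetd configuration, /etc/ftpusers, the "+" and username entries in /etc/hosts.equiv, the mode of .rhosts files, aliases that deliver to programs or files, and the sendmail VRFY/EXPN settings) can be checked by one script. The one below is an added example, not code from the book: each function takes a path and prints its findings, and the sample files it audits are constructed in a temporary directory so it runs offline. The sample contents, the home-directory layout and the sendmail.cf lines are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): audit helpers for several checklist
# items, exercised against constructed sample files.

# Active (uncommented) services in inetd.conf: the first field of each line.
enabled_inetd_services() {
  awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# Accounts that /etc/ftpusers must list (ftpd refuses logins named there).
ftpusers_missing() {
  for u in root uucp bin; do
    grep -qxF "$u" "$1" || echo "$u"
  done
}

# A bare "+" line in hosts.equiv trusts every host on the network.
hosts_equiv_has_plus() {
  grep -qxF '+' "$1"
}

# hosts.equiv entries with a second field extend trust to a user, not a host.
hosts_equiv_usernames() {
  awk '!/^[ \t]*#/ && NF >= 2 { print $1 ":" $2 }' "$1"
}

# .rhosts files below DIR whose mode is not exactly 0600.
rhosts_wrong_mode() {
  find "$1" -name .rhosts ! -perm 600
}

# Aliases that deliver to a program ("|cmd") or a file ("/path"), plus the
# classic "decode" alias. (":include:" lists are not flagged.)
dangerous_aliases() {
  awk -F: '!/^[ \t]*#/ && NF >= 2 {
      name = $1; target = $2
      gsub(/^[ \t"]+/, "", target)
      first = substr(target, 1, 1)
      if (name == "decode" || first == "|" || first == "/") print name
  }' "$1"
}

# sendmail.cf: PrivacyOptions should carry novrfy and noexpn; "goaway"
# implies both (and authwarnings).
sendmail_privacy_ok() {
  opts=$(sed -n 's/^O[[:space:]]*PrivacyOptions[[:space:]]*=[[:space:]]*//p' "$1")
  case $opts in
    *goaway*|*novrfy*noexpn*|*noexpn*novrfy*) return 0 ;;
  esac
  return 1
}

# Constructed sample files, each exhibiting one of the problems above.
make_audit_samples() {
  dir=$(mktemp -d)
  cat > "$dir/inetd.conf" <<'EOF'
# constructed inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
  printf 'root\nbin\n' > "$dir/ftpusers"                        # uucp missing
  printf 'trusted.example.com\n+\nother.example.com alice\n' > "$dir/hosts.equiv"
  mkdir -p "$dir/home/alice" "$dir/home/bob"
  printf 'trusted.example.com alice\n' > "$dir/home/alice/.rhosts"
  chmod 600 "$dir/home/alice/.rhosts"
  printf '+ +\n' > "$dir/home/bob/.rhosts"                      # wildcard, 644
  chmod 644 "$dir/home/bob/.rhosts"
  cat > "$dir/aliases" <<'EOF'
postmaster: root
decode: "|/usr/bin/uudecode"
archive: /var/mail/archive
webmaster: alice
EOF
  printf 'O PrivacyOptions=authwarnings\n' > "$dir/sendmail.cf"
  printf 'O PrivacyOptions=goaway,restrictmailq,restrictqrun\n' > "$dir/sendmail.cf.fixed"
  echo "$dir"
}

audit_report() {
  dir=$1
  echo "inetd services enabled: $(enabled_inetd_services "$dir/inetd.conf" | tr '\n' ' ')"
  echo "missing from ftpusers: $(ftpusers_missing "$dir/ftpusers" | tr '\n' ' ')"
  hosts_equiv_has_plus "$dir/hosts.equiv" && echo "hosts.equiv contains a bare +"
  echo "hosts.equiv user entries: $(hosts_equiv_usernames "$dir/hosts.equiv" | tr '\n' ' ')"
  echo ".rhosts not mode 600: $(rhosts_wrong_mode "$dir/home" | tr '\n' ' ')"
  echo "aliases to programs/files: $(dangerous_aliases "$dir/aliases" | tr '\n' ' ')"
  for cf in sendmail.cf sendmail.cf.fixed; do
    if sendmail_privacy_ok "$dir/$cf"; then echo "$cf: VRFY/EXPN refused"
    else echo "$cf: VRFY/EXPN still answered"; fi
  done
}

dir=$(make_audit_samples)
audit_report "$dir"
rm -rf "$dir"
```

To run it against a real host, point the functions at /etc/inetd.conf, /etc/ftpusers, /etc/hosts.equiv, the home-directory tree, the aliases file and sendmail.cf instead of the sample directory; the sendmail check only recognises the PrivacyOptions spellings shown, so a site using other option combinations should extend the case patterns.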
