[2502] in SIPB_Linux_Development
Re: Linux security one-sheet
daemon@ATHENA.MIT.EDU (Emil Sit)
Thu Feb 4 22:54:54 1999
To: security-internal@MIT.EDU
Cc: linux-dev@MIT.EDU
In-Reply-To: Your message of "Thu, 04 Feb 1999 21:40:51 EST."
<199902050240.VAA12930@e51-075-17.mit.edu>
Date: Thu, 04 Feb 1999 22:54:49 EST
From: Emil Sit <sit@MIT.EDU>
-----BEGIN PGP SIGNED MESSAGE-----
> Many of the vulnerable services are run by your inetd. To turn them
> off, edit /etc/inetd.conf to comment out any lines that start with the
> following:

In addition to those listed, RedHat (and others) does ship with
other services enabled which may not be necessary. One of the RH-A
packages does disable a number of inetd services automatically when
installed. The only thing that I actually run out of inetd is
fingerd, talk and ntalk. Everything else is disabled. Users should
be encouraged only to enable those services which they need.

In RH-A 4.2 and greater, there is also an /etc/athena/inetd.conf.
It has switched services and we default to access_off. You might
want to remind people who access_on to make sure they have srvtabs
and such.

The standard /etc/athena/inetd.conf also enabled kpop as an unswitched
service. I don't really see any reason for that being enabled and
perhaps we should not enable it in the 5.2 release.

> Many linux installations also include an NFS server by default. To
> disable it, you need to move the server binaries so they won't be found.

Hm. If /etc/exports does not exist, RH 4.2 does not start the RPC daemons.
I believe Debian will not start the daemons if /etc/exports does not
contain any exports. It seems perhaps cleaner to just move
/etc/exports to /etc/exports.disabled or something similar.

> idea to clear the setuid bit. As root, do
>
> chmod 755 /bin/mount /bin/umount

It seems like the "correct" way to clear the setuid bit would be to run:

    chmod u-s /bin/mount /bin/umount

> As a general rule, you should look through your system log files
> occasionally for any suspicious activity.

Perhaps some more details on what constitutes "suspicious activity"
would be helpful, or perhaps it's not necessary.

- --
Emil Sit / Bronx Science '95, MIT '99 -- ESG, SIPB, Athena Consulting
PGP KeyID: 0xE63561E9 / Fingerprint: A68FD0693EDABA19 2671EC1F22498F58
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQBVAwUBNrpriSWuZ7zmNWHpAQGHwgH+PGYb1pzUcK4gCFniSaNdfii8pnXD/ccd
JEEBEmdYKOlyMyNOnlmEhqw+EO9P5fquEqNeDbz5bccI8Ku3U0SCcA==
=LAqO
-----END PGP SIGNATURE-----
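
An added example (not part of the original message): a shell check that lists the services still enabled in an inetd.conf-style file and reports any that are outside an allow-list. The allow-list (finger, talk, ntalk) follows the message above; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for enabled services.
# Line format: service socket-type proto wait/nowait user server [args...]
# A line starting with '#' is a disabled (commented-out) entry.

# Print the name of every enabled service, one per line, sorted and unique.
enabled_services() {
    awk '
        /^[[:space:]]*#/ { next }      # commented out: disabled
        NF < 6           { next }      # blank or malformed line
        { print $1 }
    ' "$1" | sort -u
}

# Print enabled services that are not in the allow-list (arguments 2..n).
unexpected_services() {
    conf=$1; shift
    allowed=" $* "
    enabled_services "$conf" | while read -r svc; do
        case "$allowed" in
            *" $svc "*) ;;             # explicitly wanted, stay quiet
            *) echo "$svc" ;;          # enabled but not on the list
        esac
    done
}

# Constructed sample input (not taken from any real system).
sample_conf() {
    cat <<'EOF'
# constructed inetd.conf for illustration
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
talk    dgram   udp  wait    root    /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp  wait    root    /usr/sbin/tcpd  in.ntalkd
EOF
}

# Run the audit on the sample with the allow-list from the message.
demo() {
    tmp=$(mktemp) || return 1
    sample_conf > "$tmp"
    unexpected_services "$tmp" finger talk ntalk
    rm -f "$tmp"
}
demo
```

On a real host, call `unexpected_services /etc/inetd.conf` followed by the services you intend to run; empty output means nothing else is enabled.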