Chapter 21. Security

Table of Contents
21.1. Introduction
21.2. Closing services

21.1. Introduction

With the increasing usage of the Internet and wireless networks, security is becoming more important every day. It is impossible to cover this subject in a single chapter of an introduction to GNU/Linux. This chapter covers some basic security techniques that provide a good starting point for desktop and server security.

Before we go on to specific subjects, a few remarks about passwords are in order. Computer authorization largely relies on passwords, so be sure to use good passwords in all situations. Avoid words, names, birth dates and short passwords: these are easily cracked with dictionary or brute force attacks, either against the host directly or against stolen password hashes. Use long passwords, with eight characters as a minimum rather than a target, consisting of random letters (including capitals), numbers and punctuation.

21.2. Closing services

21.2.1. Introduction

Many GNU/Linux systems run services that are open to a local network or the Internet. Other hosts connect to these services through specific ports; port 80, for example, is used for WWW traffic. The /etc/services file contains a table of commonly used services and the port numbers assigned to them.

A secure system should only run the services that are necessary. If a host acts as a web server, for example, it should not also have the FTP or SMTP ports open (and thus be servicing those protocols). Every additional open port increases the risk, because each one is another piece of software that may contain a vulnerability or be badly configured. The following sections help you track down which ports are open and close the ones you do not need.

21.2.2. Finding open ports

Open ports can be found using a port scanner. Probably the best-known port scanner for GNU/Linux is nmap, which is available through the "n" disk set.

The basic nmap syntax is: nmap host. The host parameter can be either a hostname or an IP address. Suppose we want to scan the host that nmap is installed on. In this case we can specify the localhost IP address, 127.0.0.1:


$ nmap 127.0.0.1

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp                     
22/tcp     open        ssh                     
23/tcp     open        telnet                  
80/tcp     open        http                    
6000/tcp   open        X11                     

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

In this example you can see that the host has five open TCP ports that are being serviced: ftp, ssh, telnet, http and X11. Two caveats apply. First, by default nmap scans TCP only and only a list of well-known ports (the 1601 ports mentioned in the output), so use -sU to also check UDP and -p 1-65535 to cover every port. Second, scanning 127.0.0.1 also shows services that are bound only to the loopback interface and are not reachable from the network; to see what other hosts see, scan the host's real network address, ideally from another machine.
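A scan is only useful if you compare it against what the host is supposed to offer. The following added example (not code from the book) is a small shell audit: it parses nmap's port table and flags every open port that is not on an allow-list. The nmap output is a constructed sample in the format of the scan above, and the address 192.0.2.10 in the final comment is hypothetical.

```sh
#!/bin/sh
# Added example: audit a port scan against an allow-list of expected ports.
# Constructed sample of nmap output, in the format of the scan shown above.
SAMPLE_NMAP_OUTPUT='Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1596 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
80/tcp     open        http
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds'

# open_ports: read nmap output on stdin and print "port/proto service"
# for every port reported as open (header and summary lines are skipped).
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }'
}

# unexpected_ports ALLOWED: filter the open ports on stdin, printing only
# those whose port/proto is not in the space-separated allow-list ALLOWED.
unexpected_ports() {
    allowed="$1"
    open_ports | while read -r port service; do
        case " $allowed " in
            *" $port "*) ;;                         # expected on this host
            *) printf '%s %s\n' "$port" "$service" ;;
        esac
    done
}

# audit_web_server: a web server that is administered over ssh should
# expose nothing but 22/tcp and 80/tcp; everything else is flagged.
audit_web_server() {
    printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | unexpected_ports "22/tcp 80/tcp"
}

# Against a live host, feed nmap's output straight in (hypothetical address):
#   nmap -p 1-65535 192.0.2.10 | unexpected_ports "22/tcp 80/tcp"
```

Run against the sample, audit_web_server reports 21/tcp, 23/tcp and 6000/tcp: the FTP, telnet and X11 services that a web server has no business exposing, and which the following sections show how to close.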

21.2.3. inetd

There are two ways to offer TCP/IP services: by running the server application stand-alone as a daemon, or through the internet super server, inetd(8). inetd is a daemon that listens on a range of ports. When a client connects to one of them, inetd accepts the connection and hands it to the server program that handles that kind of connection. The advantage of this approach is that it adds an extra layer of security (each service can be wrapped with tcpd, described below) and makes it easier to log incoming connections. The disadvantage is that starting a new server process for every connection is slower than a stand-alone daemon. It is thus a good idea to run a stand-alone daemon on, for example, a heavily loaded FTP server.

You can check whether inetd is running on a host or not with ps, for example:


$ ps ax | grep inetd
 2845 ?        S      0:00 /usr/sbin/inetd

In this example inetd is running with PID (process ID) 2845. inetd is configured through the /etc/inetd.conf file. Let's have a look at an example line from inetd.conf:


# File Transfer Protocol (FTP) server:
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd

This line specifies that inetd should accept FTP connections and pass them to tcpd. This may seem a bit odd, because proftpd is the program that actually handles FTP connections. You can also specify proftpd directly in inetd.conf, but it is a good idea to hand the connection to tcpd first. tcpd logs the connection and checks the client against the host-based access control rules in /etc/hosts.allow and /etc/hosts.deny, and only then passes the connection on to proftpd, as specified.

Services can be disabled by adding the comment character (#) at the beginning of the line. It is a good idea to disable all services first and then enable the ones you need one at a time. After changing /etc/inetd.conf, inetd needs to be told to re-read the file to activate the changes. This is done by sending the HUP signal to the inetd process:


# ps ax | grep 'inetd'
   2845 ?        S      0:00 /usr/sbin/inetd
# kill -HUP 2845

If you do not need inetd at all, it is a good idea to remove it. If you want to keep it installed but do not want Slackware Linux to start it at boot, execute the following command as root:


# chmod a-x /etc/rc.d/rc.inetd
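The steps above (see which inetd.conf lines are active, comment out the ones you do not want, send inetd a HUP) are easy to get wrong by hand: a typo in the service name silently disables nothing, and an editor can change the file's permissions. The following added example, which is not code from the book, wraps them in shell functions that check their input and preserve the file. The inetd.conf content is a constructed sample in the format of the ftp line shown above; the lines other than ftp are illustrative and not taken from any real host.

```sh
#!/bin/sh
# Added example: inspect and edit an inetd.conf safely. Constructed sample
# configuration, in the format of the ftp line shown above; the service
# lines other than ftp are illustrative, not taken from any real host.
SAMPLE_INETD_CONF='# File Transfer Protocol (FTP) server:
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
# sshd is run as a stand-alone daemon, so its inetd line stays commented out:
#ssh     stream  tcp     nowait  root    /usr/sbin/tcpd  sshd -i
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  popa3d
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# inetd_enabled FILE: print the names of the services inetd will actually
# serve, i.e. the first field of every line that is neither blank nor a comment.
inetd_enabled() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# inetd_disable SERVICE FILE: comment out every active line for SERVICE in FILE,
# keeping a backup and the file's original permissions. Returns 1 when SERVICE
# has no active line (already disabled or unknown), so a typo is noticed.
inetd_disable() {
    svc="$1" file="$2"
    grep -q "^${svc}[[:space:]]" "$file" || return 1
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    sed "s/^\(${svc}[[:space:]]\)/#\1/" "$file" > "$file.tmp" &&
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# inetd_reload: make a running inetd re-read its configuration (run as root);
# same effect as the kill -HUP shown above, without copying the PID by hand.
inetd_reload() {
    pid="$(ps ax | awk '$5 == "/usr/sbin/inetd" { print $1; exit }')"
    [ -n "$pid" ] || { echo "inetd is not running" >&2; return 1; }
    kill -HUP "$pid"
}

# demo_disable_telnet: run the edit on a temporary copy of the sample, so
# nothing on this host is touched, and print the services left enabled.
demo_disable_telnet() {
    tmp="$(mktemp)"
    printf '%s\n' "$SAMPLE_INETD_CONF" > "$tmp"
    inetd_disable telnet "$tmp"
    inetd_enabled "$tmp"
    rm -f "$tmp" "$tmp".bak.*
}

# On a real host, as root: inetd_disable telnet /etc/inetd.conf && inetd_reload
# To stop inetd from starting at boot at all:  chmod a-x /etc/rc.d/rc.inetd
```

The file is rewritten through cat rather than replaced with a new file so that its ownership and mode survive the edit, and the backup lets you diff the change before reloading. inetd_reload finds the PID the same way the ps example above does, by matching the command column, so it does not depend on a pidfile.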