Quiz time: What do you think are the two most important files on your system? Justify your answer. Note: There's not necessarily a right or wrong answer to this, so tell me what you think. My answer to this "quiz" is the substance of today's article.
Personally, I think the two most important files on anybody's system are /etc/inetd.conf and /etc/syslog.conf. These two files are probably the least reviewed, most poorly understood files on the average system. While I believe Caldera, Debian, Red Hat, and others do a good job, I don't trust them to set up these two files for me.
By default, any average install will include inetd and syslogd. /etc/inetd.conf controls which servers inetd starts on the system (typically Telnet, FTP, finger, and a number of others), and /etc/syslog.conf tells syslogd what to log. On every system I've set up, these two files have had to be modified. Okay, my modifications are specific to the system and its use, but they tend to look similar across the various system types, that is, servers, firewalls, workstations, and special-purpose systems. Basically, four different variations on those particular files exist.
So what's wrong with what Caldera or Debian or Red Hat or anyone puts in their particular files? Nothing. They're just not right for me, so they're not right. It's a case of trying to put together a configuration suitable for the majority of situations. Kinda like the "universal" part: it doesn't fit anything.
The first thing I always do is look at /etc/inetd.conf. Lately, all the distros I've looked at use TCP Wrappers. There really is no excuse for not doing so, and if your distro doesn't use it, I'd say it's time for a new distro. I comment out all the services I don't want running at all, and then I restart inetd.
I then check the /etc/inetd.conf file with tcpdchk. Everyone should get in this habit. The tcpdchk utility will tell you if you've managed to munge your inetd.conf file. I've looked at and modified /etc/inetd.conf hundreds of times (probably more like thousands), and I still run tcpdchk every time. There's just no excuse not to. I've fat-fingered keys before and will almost certainly do it again.
Then I set up my /etc/hosts.allow file. I choose not to use /etc/hosts.deny, but to do that you must ensure that your TCP Wrappers software has been compiled with PROCESS_OPTIONS, which enables the extended rule syntax with an explicit allow or deny option on each line. Most distributions have done this. You might also want to verify whether your distribution is compiled with the PARANOID option. Caldera and Debian don't, but Red Hat does. I can't speak for the others at this moment, but be aware that even with Caldera, Debian, and Red Hat, this could change in the very next release.
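To make the inetd.conf step concrete, here is an added shell example (mine, not the article's): it comments out unwanted services in a scratch copy of inetd.conf, lists what is still enabled, and hands the file to `tcpdchk -i` when the tool is present. The sample inetd.conf and the /var/run/inetd.pid path used by the reload helper are assumptions; nothing on the real system is touched.

```shell
#!/bin/sh
# Added example (not the article's own script): comment out unwanted services
# in a copy of inetd.conf, list what is still enabled, and validate the result
# with tcpdchk when it is installed. The sample inetd.conf below is constructed.

SAMPLE_INETD_CONF='# service socket proto wait user   server          args
ftp     stream tcp nowait root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd  in.telnetd
finger  stream tcp nowait nobody /usr/sbin/tcpd  in.fingerd
daytime stream tcp nowait root   internal
echo    stream tcp nowait root   internal'

# disable_services FILE SERVICE...: put a "#" in front of the line for each
# named service. Only field 1 is matched, so "echo" cannot touch other lines.
disable_services() {
    file=$1; shift
    for svc in "$@"; do
        sed "s/^${svc}[[:space:]]/#&/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# active_services FILE: print the service names that are still enabled.
active_services() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"
}

# check_inetd_conf FILE: run tcpdchk against FILE (tcpdchk -i inet_conf);
# returns 77 when the tool is not installed, otherwise tcpdchk's own status.
check_inetd_conf() {
    if command -v tcpdchk >/dev/null 2>&1; then
        tcpdchk -i "$1"
    else
        echo "tcpdchk not installed; syntax check skipped" >&2
        return 77
    fi
}

# reload_inetd: tell the running inetd to re-read its configuration. The pid
# file location is the usual Linux one and is an assumption; demo does not call it.
reload_inetd() {
    kill -HUP "$(cat /var/run/inetd.pid)"
}

# Demo on a scratch copy so the real /etc/inetd.conf is never modified.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_INETD_CONF" > "$tmp"
    disable_services "$tmp" telnet finger daytime echo
    echo "still enabled: $(active_services "$tmp" | tr '\n' ' ')"
    check_inetd_conf "$tmp" || true
    rm -f "$tmp"
}
demo
```

On a real system you would run `disable_services /etc/inetd.conf telnet finger ...`, then `check_inetd_conf /etc/inetd.conf`, and only if tcpdchk is quiet call `reload_inetd`; the order matters because a munged file reloaded into inetd silently drops services.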
Once I have what I think is a well-done /etc/hosts.allow file, I always check it, too. I check every single service that I allow to run from inetd.conf using tcpdmatch. I check a combination of IP/hostnames with or without users that are supposed to be permitted access, and then I do the same with one or more that should be denied access.
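The hosts.allow checking described above, as an added shell example that is not part of the original article: a hosts.allow in the PROCESS_OPTIONS syntax with no hosts.deny, a check that every daemon enabled in inetd.conf has an explicit rule (a daemon with none only ever reaches the catch-all deny, which is usually a mistake rather than a decision), a check that the last rule really is the catch-all, and a tcpdmatch run over an allow/deny matrix of the kind the article describes. The inetd.conf, hosts.allow, addresses and expected verdicts are all constructed; `tcpdmatch -d` reads hosts.allow from the current directory, so the real files are never consulted.

```shell
#!/bin/sh
# Added example (not the article's own script). All files, addresses and
# expected results below are constructed for illustration.

INETD_CONF='ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
daytime stream tcp nowait root   internal'

# daemon_list : client_list : option   (extended syntax; last rule denies all)
HOSTS_ALLOW='in.ftpd    : 192.168.1.10               : allow
in.telnetd : 192.168.1.0/255.255.255.0  : allow
ALL        : ALL                        : deny'

# daemon client expected   (what tcpdmatch should report for each pair)
CASES='in.ftpd 192.168.1.10 allow
in.ftpd 192.168.1.11 deny
in.telnetd 192.168.1.77 allow
in.telnetd 10.0.0.5 deny
in.fingerd 192.168.1.10 deny'

# enabled_daemons INETD_CONF: program names inetd would start (tcpd-wrapped
# or not), skipping comments and "internal" services.
enabled_daemons() {
    awk '!/^[[:space:]]*#/ && NF >= 6 && $6 != "internal" {
            prog = ($6 ~ /tcpd$/ && NF >= 7) ? $7 : $6
            sub(/.*\//, "", prog); print prog }' "$1"
}

# daemons_without_rule INETD_CONF HOSTS_ALLOW: enabled daemons that no
# explicit hosts.allow line names.
daemons_without_rule() {
    enabled_daemons "$1" | while read -r d; do
        d_re=$(printf '%s' "$d" | sed 's/\./\\./g')
        grep -Eq "^[[:space:]]*${d_re}[[:space:]]*:" "$2" || echo "$d"
    done
}

# last_rule_is_catchall HOSTS_ALLOW: succeed if the final rule is ALL:ALL:deny.
last_rule_is_catchall() {
    last=$(awk '!/^[[:space:]]*#/ && NF' "$1" | tail -n 1 | tr -d ' \t')
    [ "$last" = "ALL:ALL:deny" ]
}

# run_matrix DIR: run tcpdmatch for each CASES line against DIR/hosts.allow;
# returns 0 if every verdict matches, 1 on a mismatch, 77 if tcpdmatch is absent.
run_matrix() {
    command -v tcpdmatch >/dev/null 2>&1 || { echo "tcpdmatch not installed; skipping" >&2; return 77; }
    (
        cd "$1" || exit 1
        printf '%s\n' "$CASES" | while read -r daemon client expected; do
            [ -n "$daemon" ] || continue
            # tcpdmatch prints "access:   granted" or "access:   denied"
            verdict=$(tcpdmatch -d -i inetd.conf "$daemon" "$client" 2>/dev/null |
                      awk '/^access:/ { print $2 }')
            case "$verdict" in granted) got=allow ;; denied) got=deny ;; *) got=unknown ;; esac
            if [ "$got" = "$expected" ]; then
                echo "ok   $daemon from $client -> $got"
            else
                echo "FAIL $daemon from $client -> $got (expected $expected)"; exit 1
            fi
        done
    )
}

demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$INETD_CONF" > "$dir/inetd.conf"
    printf '%s\n' "$HOSTS_ALLOW" > "$dir/hosts.allow"
    echo "enabled daemons with no explicit rule: $(daemons_without_rule "$dir/inetd.conf" "$dir/hosts.allow" | tr '\n' ' ')"
    last_rule_is_catchall "$dir/hosts.allow" && echo "catch-all deny present"
    run_matrix "$dir"
    rm -rf "$dir"
}
demo
```

In the constructed files in.fingerd is enabled in inetd.conf but has no hosts.allow line, so `daemons_without_rule` reports it; that is exactly the kind of gap the article's habit of checking every inetd.conf service with tcpdmatch is meant to catch before a user does. Rules that name hostnames (`.example.com`-style patterns) need working DNS for tcpdmatch to evaluate them, so the matrix here uses addresses only.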