2.2.2 Open Network Ports (#2)
Just as every account on your system is a potential path in for a cracker, every network service is a road to it. Most Linux distributions install "tons" of software and services by default; they deliberately prefer "easy" over "secure." Many of these services are neither necessary nor wanted. Take the time to remove the software and services you do not need. Better still, do not install them to begin with.
To find out what services are being run, use the netstat -atuv command or the ports program discussed in "Turn Off Unneeded Services" on page 86. Either will list all open ports on your system. (Adding -l restricts netstat to listening sockets, -n skips name lookups, and -p, when run as root, shows the process owning each socket: netstat -tulnp.) Even a home system can have dozens or hundreds of ports open; a large Web server could have many more. Pay attention to the address each port is bound to: a service bound only to 127.0.0.1 can be reached only from the machine itself, while one bound to 0.0.0.0 answers on every interface.
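The following is an added example, not code from the book: a small shell routine that summarizes netstat -tuln output as one line per listening socket and flags the ones bound to every interface, which are the ones an attacker on the network can reach. The SAMPLE text is constructed in the format netstat prints on Linux; on a live system feed it the real output as shown in the comment.

```sh
#!/bin/sh
# Added example (not from the book): list listening sockets from the
# output of "netstat -tuln" and mark those reachable from the network.
# SAMPLE is constructed data in the Linux netstat output format.

SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*'

# Print "proto port scope" for each listening socket.  TCP sockets are
# interesting only in LISTEN state; UDP lines have no state column.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $6 != "LISTEN" { next }
        $1 == "tcp" || $1 == "udp" {
            n = split($4, a, ":")      # a[1] = address, a[n] = port
            scope = (a[1] == "0.0.0.0") ? "ALL-INTERFACES" : "local-only"
            printf "%s %s %s\n", $1, a[n], scope
        }'
}

# Number of sockets bound to every interface (0.0.0.0).
exposed_count() {
    listening_ports "$1" | grep -c 'ALL-INTERFACES'
}

# On a live system:  listening_ports "$(netstat -tuln)"
listening_ports "$SAMPLE"
```

In the sample, the sendmail and named sockets are bound to 127.0.0.1 and so do not count as exposed; portmap (111, TCP and UDP), FTP (21) and sshd (22) do. Add -p to netstat and run as root if you need the owning process to decide what to turn off.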
If there are services listed that you do not want this box to provide, disable them. Many distributions, including Red Hat and Mandrake, offer a Control panel to do this easily. You might also want to remove the binaries from the disk or chmod them to 0 (which strips every permission bit, including set-UID and set-GID), especially any that are set-UID or set-GID.
NFS, finger, the r* services (rsh, rexec, and rlogin, which appear in inetd.conf as shell, exec, and login), FTP, telnet, sendmail, DNS, and linuxconf are some of the more popular services that get installed by default on many Linux distributions; at least some of these should not be enabled on most systems. Most of them are controlled by the inet daemon, inetd, and can be disabled by editing the /etc/inetd.conf file.
You do not need the FTP or telnet daemons in order to use the respective clients to connect to other systems. You do not need the sendmail daemon listening on port 25 to send mail out, to deliver mail to local users, or to download mail via POP or IMAP. (You do need to invoke sendmail periodically to de-spool delayed outgoing mail. The techniques are explained in "Hardening for Very High Security" on page 306.) You only need DNS (named, the name daemon) if other systems will be querying yours for this data. Most programs running on your own system will be perfectly happy to read /etc/resolv.conf and query your ISP's or organization's main DNS server instead of contacting a named process on your system. Not coincidentally, named's port (53) is one of the most popular ports that crackers probe to break into systems. If you do need to run named, use the recently added -t (chroot to a directory) and -u (switch to a nonroot user) options so that a compromise of named does not hand over root on the whole system.
All these services, except the normal installation of NFS[2], DNS, and sendmail, are started on demand by inetd. They may be turned off by commenting out their entries in /etc/inetd.conf and then sending inetd a HUP signal so that it re-reads the file; until it does, the old entries remain active. The Control panel or Linuxconf mentioned above will do this for you. The standalone services are turned off by altering their entries under /etc/rc.d.
On Red Hat-based systems, issue the following commands to shut down portmap (the RPC portmapper on port 111, which fronts NFS and the other RPC services) and prevent it from being restarted on reboot. Even as late as Red Hat 7.3, a standard non-server install invokes the evil portmap.
/etc/rc.d/init.d/nfs stop
/etc/rc.d/init.d/nfslock stop
/etc/rc.d/init.d/portmap stop
chkconfig --del nfs
chkconfig --del nfslock
chkconfig --del portmap
An alternative tool is the text-menu-based ntsysv program. Like chkconfig, ntsysv only manipulates the symbolic links under /etc/rc.d/rc[0-6].d, so you also will need to explicitly shut down the running service. To do both, issue the commands:
/etc/rc.d/init.d/portmap stop
ntsysv
On other distributions that use the System V style of startup scripts (/etc/rc.d/rc[0-6].d directories on Red Hat derivatives and /etc/rc[0-6].d on Debian), rename the appropriate script under rcX.d (X is the default multiuser run level: usually 3 on Red Hat, 2 on Debian) that starts with a capital S and has the service name in it. For example,
cd /etc/rc.d/rc3.d
mv S11portmap K11portmap
Only scripts starting with "S" are invoked (with the start argument) when entering the respective run level; scripts starting with "K" in the same directory are invoked first, with the stop argument, to turn off daemons that should not run in the run level being entered. For example, this mechanism turns off sshd, the SSH daemon, when switching from run level 3 (multiuser with networking) to run level 1 (single-user mode), because rc1.d holds a K script for sshd. Just as an Ssomething script can be disabled by renaming it to ssomething, a Ksomething script can be renamed to ksomething to disable it; rc ignores names that do not begin with a capital S or K.
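The two edits just described, commenting services out of /etc/inetd.conf and renaming an S link to a K link, as one shell procedure. This is an added example, not code from the book. It operates on a throw-away copy of the files built in a temporary directory with constructed contents; the service list, the S11portmap and S55sshd link names and the /etc/rc.d/rc3.d layout are assumptions following the Red Hat conventions described above. To use it on a live system, point WORK at /, run as root, and finish with the two commands in the last comment.

```sh
#!/bin/sh
# Added example (not from the book): disable inetd services and a
# standalone SysV service on a scratch copy of the configuration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/inetd.conf fragment in the traditional format.
mkdir -p "$WORK/etc/rc.d/rc3.d"
cat > "$WORK/etc/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
# Constructed run-level 3 start links (assumed names).
: > "$WORK/etc/rc.d/rc3.d/S11portmap"
: > "$WORK/etc/rc.d/rc3.d/S55sshd"

# Comment out every inetd.conf entry whose service name is listed.
# Returns non-zero if any requested service had no entry.
disable_inetd() {   # disable_inetd CONFFILE SERVICE...
    conf=$1; shift; rc=0
    for svc in "$@"; do
        if ! grep -q "^$svc[[:space:]]" "$conf"; then
            echo "no entry for $svc in $conf" >&2; rc=1; continue
        fi
        sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
    return $rc
}

# Rename the S link for SERVICE in RCDIR to a K link, so rc no longer
# starts it on entering that run level (K order number is kept).
disable_rc() {      # disable_rc RCDIR SERVICE
    for link in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$link" ] || { echo "no start link for $2 in $1" >&2; return 1; }
        mv "$link" "$(dirname "$link")/K$(basename "$link" | cut -c2-)"
    done
}

# Service names still active (uncommented) in an inetd.conf.
inetd_enabled() { awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1"; }

disable_inetd "$WORK/etc/inetd.conf" shell login finger telnet
disable_rc "$WORK/etc/rc.d/rc3.d" portmap
inetd_enabled "$WORK/etc/inetd.conf"     # only ftp remains
ls "$WORK/etc/rc.d/rc3.d"                # K11portmap S55sshd
# Live system only:  killall -HUP inetd ; /etc/rc.d/init.d/portmap stop
```

The functions refuse silently to do nothing: a misspelled service name produces an error and a non-zero exit instead of a quietly unchanged file, which is the failure mode you want when a script like this runs on many machines.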
On Slackware and similar systems, simply comment out the lines that start them in the /etc/rc.d/rc.* scripts (rc.inet2 starts most of the network daemons). The grep program may be used to find these lines by daemon name. Be sure to terminate any of these services that are currently running on your system after altering the configuration files.
If you do not want to bother with kill, a simple reboot will do this and verify that the configuration files were correctly altered. (A set of available rescue disks before this reboot would be a fine idea.)
The most careful SysAdmins will reboot their systems several times after making changes to startup scripts to ensure correct and reliable startup and operation.
To remove these services from your system entirely, use your distribution's package manager to delete them. Red Hat-based installations (Red Hat, Mandrake, Caldera, Yellow Dog, TurboLinux) use RPM. Debian-based distributions (Debian and Corel) use dpkg. SuSE uses YaST and Slackware uses pkgtool.
Linux is like the Swiss Army knife of networking: it has one or two tools of mass destruction that get used all the time, others that are used less often, and some that are never used. Unlike the Swiss Army knife, you can slim Linux down to just the services you need and discard those you do not. I will never use the awl or corkscrew on my knife, just as I will never use rsh or finger. Decide which ports you want to have open (such as www and ftp) and close the rest. Closing unnecessary ports makes your system more secure and lets it perform better.