Hardening Linux


Linux is an enterprise-grade operating system and is capable of the utmost security. However, many installations fall short because the out-of-the-box setup routines have to cater for the lowest common denominator.

There’s no way a generic installer can assume what it is to be used for. And, as Linux is generally a cornucopia of software - and as more and more "non-techie" people adopt Linux - this has to add up to bucket loads of web servers, mail servers, ftp servers and more which are running, but aren’t needed. This is particularly true if your system has been running for some time. Modern distros, like Ubuntu, are far more defensive by default - but this doesn't help large and/or busy systems that can't afford to be rebuilt from scratch each time a new release is available.

There are tools to tighten up and harden your server – and we’ll introduce you to Bastille – but it’s important to understand how to do it manually too.
 

Disable unused services


The very first step is to seal any ports you aren’t deliberately using. Although Linux is secure by design, vulnerabilities are regularly discovered and it is only sensible to mitigate risk. It's a good idea to use nmap to check the services your computer is exposing. Check this over the Internet using your public IP address too.

The bulk of services provided by a Linux server are controlled by /etc/xinetd.conf. The xinetd process listens for many network requests and palms them off to the appropriate application. There are memory and performance reasons for doing this: instead of having many different listening servers all running from system boot, it is more efficient to run xinetd alone and have it launch instances of the ssh or telnet or ftp or rlogin or other servers on demand.

/etc/xinetd.conf directs requests to configuration files found under /etc/xinetd.d. It’s a doddle to disable (or re-enable, if needed later) services: just comment out the appropriate entry in the configuration files. To disable ftp, for instance, edit /etc/xinetd.d/wu-ftpd. Add a “#” to the beginning of the “service ftp” line to comment it out. Save the file. Then restart xinetd with the command /etc/rc.d/init.d/xinetd restart. If you now try using ftp to connect to your server (from another machine, or ftp localhost on the server itself) you will find the connection fails.

Check out the services xinetd is running on your computer; other candidates you might like to consider removing are rlogin – which bypasses password authentication – and finger – which can give malicious people insight into when your computer is unattended.
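An added example, not part of the original article, that audits the /etc/xinetd.d directory described above and lists the services still active. It treats a commented-out "service" line as disabled, and also honours xinetd's own "disable = yes" attribute, which the article does not mention; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list xinetd services still active in a config directory.
# A service counts as disabled if its "service" line is commented out (the
# article's method) or its block sets xinetd's "disable = yes" attribute.
xinetd_enabled() {
    dir="${1:-/etc/xinetd.d}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            $1 ~ /^#/       { next }                     # skip commented-out lines
            $1 == "service" { name = $2; off = 0; next }
            $1 ~ /^disable(=|$)/ {                       # disable = yes|no
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                if (v == "yes") off = 1
                next
            }
            $1 == "}" {                                  # end of a service block
                if (name != "" && !off) print name, file
                name = ""
            }
        ' "$f"
    done
}

# Narrow the list to the services the article singles out. rlogin is
# registered under the service name "login" (513/tcp in /etc/services).
xinetd_risky() {
    xinetd_enabled "$1" | awk '$1 == "ftp" || $1 == "login" || $1 == "finger"'
}

# Constructed sample files (not taken from a real host) for an offline run.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'service ftp\n{\n\tserver = /usr/sbin/in.ftpd\n\tdisable = no\n}\n' > "$d/wu-ftpd"
    printf '#service finger\n{\n\tserver = /usr/sbin/in.fingerd\n}\n' > "$d/finger"
    printf 'service login\n{\n\tserver = /usr/sbin/in.rlogind\n\tdisable = yes\n}\n' > "$d/rlogin"
    printf 'service telnet\n{\n\tserver = /usr/sbin/in.telnetd\n}\n' > "$d/telnet"
    echo "$d"
}

sample=$(make_sample)
echo "enabled (service, file):"; xinetd_enabled "$sample"
echo "flagged for review:";      xinetd_risky "$sample"
rm -rf "$sample"
```

Run xinetd_enabled with no argument to audit /etc/xinetd.d on the server itself; each output line is a service name followed by the file that defines it.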

If you have an older Linux system and can't find /etc/xinetd.conf then you’ll find the same is achieved by editing the single config file /etc/inetd.conf and commenting out entries as appropriate. Then restart inetd by finding out its process ID, or PID, with ps aux | grep inetd. The second column listed is the PID. Use kill -HUP xxx where xxx is inetd’s PID. However, if you have a Linux system of this age (RedHat Linux prior to version 7.0 for example) then you have an additional safety risk beyond open ports; you should also upgrade your software to be certain you are countering all known vulnerabilities. More on this later, but first it’s time to deal with services that don’t work through xinetd.


