[plug] Securing Red Hat Linux

John Summerfield summer at os2.ami.com.au
Mon Aug 10 15:37:39 WST 1998


On Mon, 10 Aug 1998, Paul Wilson wrote:

> A while ago there was a talk at Digital that I missed - it concentrated on
> the practicalities of securing Red Hat Linux so that it was safe to use on
> the Internet (i.e. as a web server or somesuch).
> 
> Does anyone have notes/views/comments/experience that they'd be willing to
> pass on?

now let me see:
Don't run imap - the protocol's fine, the code's holey.
Don't run any service you don't need. Not mentioned is that every BIND on
several platforms gave the knowledgeable root access. Fixed in (I think)
8.1; certainly 8.1.2 is available and fixed.

Don't run echo: it sends IP packets back to the source. If the source is
forged as yourself and someone sends you lots...

Don't run tftpd.
Don't run talkd (doesn't understand network byte order so can't talk to
big-endian computers. ntalk's fine).

Don't run finger. Apart from anything else, it's a wonderful source of
email addresses. Also tells hackers which accounts they might try: anyone
who never logs in will probably not notice that someone's been in for a
free ride.
Run
    find / -perm +6000
to see what's setuid/setgid.

Some things that were said not to have to be setuid root in fact do: some
of the print (lpxx) stuff comes to mind, as I turned off the naughty bits
and they wouldn't work.

Some other points that have come up recently.
Some sites have discovered three documents and no others were requested
from their web servers:
test-cgi
handler
phf

All are known security holes: see http://www.rootshell.com/

Additionally I seem to have been subject to a port scan by a few of these
intruders: I've seen access to my mail (pop3) service from remote sites.

Keep up to date with patches. Red Hat is quite good with releasing updates.
I recently updated my 4.2 system with pretty well all the same patches
that apply to 5.0 (but, of course, compiled & linked with libc). The
exceptions are apache (I got the source from apache.org) and sendmail:
again, I got source and built from that.

btw You need sendmail 8.9 to avoid spammers hiding their source domain by
saying
"helo Imacomputeriwithanextraordinarilylongdomainname(over1kbytesofthis)"
and causing the "Received:" header to be truncated.

Now, I think, the "truncation"'s done in the middle.



> 
> Are there any radical differences from the process of securing other
> Unixen?

The RH system was taken to demonstrate the technique, using a virgin
system. Very little (except a few comments) was RH-specific.


A point emphasised repeatedly:
If you don't need a service, don't run it. If you only need it part-time,
run it then, then stop it.



> 
> Paul
> 

like my sig!!
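The two audit steps the post recommends (comment out unneeded inetd services; list what is setuid/setgid), as an added example that is not code from the original post or from Red Hat. It assumes the classic one-service-per-line inetd.conf layout and only POSIX sh, sed, awk and find; the inetd.conf it writes is a constructed sample, not copied from any host. The find syntax quoted in the post (`-perm +6000`) is the old GNU spelling, which current GNU find rejects in favour of `-perm /6000`; the portable `-perm -4000 -o -perm -2000` form below works with either.

```shell
#!/bin/sh
# Added example, not code from the original post: audit and shrink what a
# Red Hat box exposes, in the spirit of "if you don't need a service, don't
# run it".  Assumes the classic inetd.conf layout (one service per line):
#   service  socket  proto  wait  user  server  args
# and POSIX sh/sed/awk/find, so it also runs on today's systems.

# write_sample_inetd FILE: write a constructed inetd.conf (not from any real host)
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
talk    dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.ntalkd
EOF
}

# active_services FILE: names of services inetd would still start (uncommented lines)
active_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# count_active FILE: number of active service lines (awk, so no stray spaces from wc)
count_active() {
    active_services "$1" | awk 'END { print NR }'
}

# disable_services FILE SERVICE...: comment out every line whose FIRST field is
# SERVICE.  Anchoring on the field means "talk" does not also hit "ntalk", and
# "echo" does not hit a "/bin/echo" in some other line's arguments.  Both the
# tcp and udp "echo" entries are caught.  Goes through a temp file because
# "sed -i" is not POSIX.
disable_services() {
    file=$1; shift
    tmp="$file.$$"
    cp "$file" "$tmp"
    for svc in "$@"; do
        sed "s/^\($svc\)\([[:space:]]\)/#\1\2/" "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    done
    mv "$tmp" "$file"
}

# list_setuid DIR: regular files under DIR with the setuid or setgid bit.
# The post's "find / -perm +6000" is the old GNU spelling; current GNU find
# rejects "+" and spells it "-perm /6000".  "-perm -4000 -o -perm -2000" is
# POSIX and works with every find.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Demonstration: harden the sample and show what is left listening.
demo_dir=$(mktemp -d)
write_sample_inetd "$demo_dir/inetd.conf"
echo "before: $(active_services "$demo_dir/inetd.conf" | tr '\n' ' ')"
disable_services "$demo_dir/inetd.conf" echo tftp finger talk imap
echo "after:  $(active_services "$demo_dir/inetd.conf" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

Run `list_setuid /` as root on the real box and compare the output against the package manifests; anything you cannot account for is worth investigating. Before stripping a setuid bit, check that the program still works without it, for exactly the reason the post gives about the lp tools.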


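The log check behind the post's remark that some sites saw requests for only test-cgi, handler and phf, as an added example that is not code from the original post or from any web server project. It assumes an Apache/NCSA common-log-format access log (request path in field 7, status in field 9); the log it writes is constructed for the example, using documentation and private address ranges rather than real hosts.

```shell
#!/bin/sh
# Added example, not code from the original post: pull the phf, test-cgi and
# handler probes out of a common-log-format access log and show who sent them.
# Assumes CLF lines of the form
#   host ident user [date tz] "METHOD /path HTTP/x.y" status bytes
# so the request path is field 7 and the status is field 9.

# write_sample_log FILE: a constructed access log (192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, 10.0.0.0/8 is private)
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [10/Aug/1998:01:12:44 +0800] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [10/Aug/1998:01:12:45 +0800] "GET /images/logo.gif HTTP/1.0" 200 2211
192.0.2.77 - - [10/Aug/1998:02:30:01 +0800] "GET /cgi-bin/test-cgi HTTP/1.0" 404 -
192.0.2.77 - - [10/Aug/1998:02:30:01 +0800] "GET /cgi-bin/handler HTTP/1.0" 404 -
192.0.2.77 - - [10/Aug/1998:02:30:02 +0800] "GET /cgi-bin/phf?name=x HTTP/1.0" 404 -
198.51.100.9 - - [10/Aug/1998:03:05:19 +0800] "GET /cgi-bin/phf HTTP/1.0" 200 312
10.0.0.8 - - [10/Aug/1998:03:40:00 +0800] "GET /docs/handler.html HTTP/1.0" 200 980
EOF
}

# cgi_probes LOG: print "host path status" for each request whose script
# name (last path component, query string stripped) is exactly one of the
# three.  Exact match keeps /docs/handler.html from counting as a hit, which
# a plain "grep handler" would not.
cgi_probes() {
    awk '
    BEGIN { bad["phf"] = 1; bad["test-cgi"] = 1; bad["handler"] = 1 }
    NF >= 9 {
        split($7, p, "[?]")          # drop the query string
        n = split(p[1], seg, "/")    # last component is the script name
        if (seg[n] in bad) print $1, p[1], $9
    }' "$1"
}

# served_probes LOG: the subset that got a 2xx, i.e. the script was there and
# ran.  A 404 is a scanner knocking; a 200 means the hole was open.
served_probes() {
    cgi_probes "$1" | awk '$3 ~ /^2/'
}

# probe_sources LOG: "count host", busiest first, ready for a block list.
probe_sources() {
    cgi_probes "$1" | awk '{ c[$1]++ } END { for (h in c) print c[h], h }' | sort -rn
}

# count_lines: line count without wc's leading spaces
count_lines() { awk 'END { print NR }'; }

# Demonstration on the constructed log
log=$(mktemp)
write_sample_log "$log"
echo "probes:";  cgi_probes "$log"
echo "served:";  served_probes "$log"
echo "sources:"; probe_sources "$log"
rm -f "$log"
```

The served list is the one to act on first: a 2xx for one of these scripts means the server still had it installed, so check the script's own output and the rest of that host's requests, not just the probe line.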

