By editing the /etc/inetd.conf file so that it resembles the following output, you can reduce the number of active processes. This reduces the load on the system and, more importantly, does not accept TCP connections on unnecessary ports.
#
# Internet server configuration database
#
# BSDI $Id: inetd.conf,v 2.1 1995/02/03 05:54:01 polk Exp $
# @(#)inetd.conf 8.2 (Berkeley) 3/18/94
#
# ftp      stream  tcp  nowait  root    /usr/libexec/tcpd   ftpd -l -A
# telnet   stream  tcp  nowait  root    /usr/libexec/tcpd   telnetd
# shell    stream  tcp  nowait  root    /usr/libexec/tcpd   rshd
# login    stream  tcp  nowait  root    /usr/libexec/tcpd   rlogind -a
# exec     stream  tcp  nowait  root    /usr/libexec/tcpd   rexecd
# uucpd    stream  tcp  nowait  root    /usr/libexec/tcpd   uucpd
# finger   stream  tcp  nowait  nobody  /usr/libexec/tcpd   fingerd
# tftp     dgram   udp  wait    nobody  /usr/libexec/tcpd   tftpd
# comsat   dgram   udp  wait    root    /usr/libexec/tcpd   comsat
# ntalk    dgram   udp  wait    root    /usr/libexec/tcpd   ntalkd
# pop      stream  tcp  nowait  root    /usr/libexec/tcpd   popper
# ident    stream  tcp  nowait  sys     /usr/libexec/identd identd -l
#
#bootp    dgram   udp  wait    root    /usr/libexec/tcpd   bootpd -t 1
# echo     stream  tcp  nowait  root    internal
# discard  stream  tcp  nowait  root    internal
# chargen  stream  tcp  nowait  root    internal
# daytime  stream  tcp  nowait  root    internal
# tcpmux   stream  tcp  nowait  root    internal
# time     stream  tcp  nowait  root    internal
# echo     dgram   udp  wait    root    internal
# discard  dgram   udp  wait    root    internal
# chargen  dgram   udp  wait    root    internal
# daytime  dgram   udp  wait    root    internal
# time     dgram   udp  wait    root    internal
# Kerberos authenticated services
#klogin    stream  tcp  nowait  root    /usr/libexec/rlogind rlogind -k
#eklogin   stream  tcp  nowait  root    /usr/libexec/rlogind rlogind -k -x
#kshell    stream  tcp  nowait  root    /usr/libexec/rshd    rshd -k
# Services run ONLY on the Kerberos server
#krbupdate stream  tcp  nowait  root    /usr/libexec/registerd registerd
#kpasswd   stream  tcp  nowait  root    /usr/libexec/kpasswdd  kpasswdd
The reason for turning off all these services is to reduce the likelihood that your system will be compromised while the firewall is being installed and configured. You should also use the console, rather than a network login, to perform the initial setup and configuration of the firewall. Once the /etc/inetd.conf file has been updated, inetd must be signaled so that it rereads the file and picks up the changes. The signal (SIGHUP, signal 1) is sent with the command:
kill -1 inetd.pid
The process identifier (PID) can be procured, and inetd restarted by using this command sequence:
pc# ps -aux | grep inetd
root   108  0.0  1.4  144  200 ??  Is    3:03AM  0:00.11 inetd
pc# kill -1 108
To ensure that the services are turned off, you can attempt to connect to a service offered by inetd:
pc# telnet pc ftp
Trying 204.191.3.150
telnet: Unable to connect to remote host: Connection refused
pc#
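Before sending inetd the HUP signal, it is worth confirming that the edited file really leaves only the intended entries active. The following audit script is an added example, not part of the original text or the Toolkit; it assumes the classic inetd.conf layout (service, socket type, protocol, wait/nowait, user, program, arguments) and runs against a constructed sample file in which only telnet and ident remain enabled, matching the state the netstat output later on this page shows.

```shell
#!/bin/sh
# Added example: report which inetd.conf entries are still active (not
# commented out). Assumes the classic 6-or-more-field inetd.conf format:
#   service socktype proto wait/nowait user program [args]

# Print "service/proto program" for every active (uncommented) entry in $1.
inetd_active_entries() {
    awk '
        /^[[:space:]]*#/ { next }   # comment line: entry is disabled, skip it
        NF < 6           { next }   # blank or malformed line: skip it
        { print $1 "/" $3 " " $6 }  # service/protocol and the program inetd runs
    ' "$1"
}

# Number of active entries; 0 means inetd will accept no connections at all.
inetd_active_count() {
    inetd_active_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample inetd.conf: everything commented out except telnet and
# ident, so a correct audit must list exactly those two entries.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
#
# Internet server configuration database (constructed sample)
#
# ftp     stream tcp nowait root   /usr/libexec/tcpd   ftpd -l -A
telnet    stream tcp nowait root   /usr/libexec/tcpd   telnetd
# shell   stream tcp nowait root   /usr/libexec/tcpd   rshd
# finger  stream tcp nowait nobody /usr/libexec/tcpd   fingerd
# tftp    dgram  udp wait   nobody /usr/libexec/tcpd   tftpd
ident     stream tcp nowait sys    /usr/libexec/identd identd -l
# echo    stream tcp nowait root   internal
# chargen dgram  udp wait   root   internal
EOF

# Usage: point the functions at the real file (/etc/inetd.conf) on the firewall.
inetd_active_entries "$SAMPLE_CONF"
echo "active entries: $(inetd_active_count "$SAMPLE_CONF")"
```

Run it against /etc/inetd.conf after editing and before the kill -1; anything it lists is a port inetd will still open once it rereads the file.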
Now that the inetd services are disabled, disable other services that are part of the system start-up files and the kernel. Some of these services are system specific, which might require some exploration. Nevertheless, try to find the following services and processes and turn them off.
gated, cgd    pcnfsd    rwhod
mountd        portmap   sendmail
named         printer   timed
nfsd          rstatd    xntpd
nfsiod
Tip: Although timed, the time server process, is turned off, you should still configure your firewall to get time updates from an NTP server. This keeps the firewall clock accurate, which may prove invaluable should you take legal action.
After turning off these daemons, the process table on the sample system now looks like this:
pc.unilabs.org$ ps -aux
USER     PID %CPU %MEM VSZ RSS TT  STAT STARTED    TIME COMMAND
chrish    89  2.3  2.1 280 304 p0  Ss    4:24AM 0:00.25 -ksh (ksh)
root       1  0.0  1.7 124 244 ??  Is    4:18AM 0:00.07 /sbin/init --
root       2  0.0  0.1   0  12 ??  DL    4:18AM 0:00.01 (pagedaemon)
root      15  0.0  3.2 816 464 ??  Is    4:19AM 0:00.08 mfs -o rw -s 1
root      36  0.0  1.5 124 220 ??  Ss    4:19AM 0:00.17 syslogd
root      71  0.0  0.5  72  72 ??  Ss    4:19AM 0:00.05 update
root      73  0.0  1.8 284 256 ??  Is    4:19AM 0:00.05 cron
root      75  0.0  1.3 140 192 ??  Ss    4:19AM 0:00.04 inetd
root      84  0.0  2.0 220 292 co  Is+   4:19AM 0:00.26 -csh (csh)
root      88  0.1  2.0 156 292 ??  S     4:24AM 0:00.13 telnetd
root       0  0.0  0.1   0   0 ??  DLs   4:18AM 0:00.00 (swapper)
chrish    95  0.0  1.6 136 232 p0  R+    4:24AM 0:00.02 ps -aux
pc.unilabs.org$
The ps output shown above represents a quiet system. For clarification, the mfs entry in the ps output is the memory-based temporary file system on the BSDI Version 2.0 operating system. However, the process table does not really show which network services the system is offering. In the sample inetd.conf file presented earlier, virtually all the available network services were disabled, and this is what the netstat command confirms:
pc# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address   Foreign Address  (state)
tcp        0      0  pc.telnet       stargazer.1037   ESTABLISHED
tcp        0      0  *.telnet        *.*              LISTEN
udp        0      0  *.syslog        *.*
Active Unix domain sockets
Address  Type  Recv-Q Send-Q Inode    Conn     Refs     Nextref  Addr
f0764400 dgram      0      0 0        f0665c94 0        f0665214
f074e480 dgram      0      0 0        f0665c94 0        0
f0665c00 dgram      0      0 f0665780 0        f06d6194 0        /dev/log
pc#
The tools directory in the Toolkit distribution includes a utility called portscan, which probes a system to determine what TCP services it is currently offering. The program tries each port in turn and prints a list of the ports that accepted a connection, as port numbers or, where known, service names. The output of the command is shown here:
pc# ./portscan pc
7
9
13
19
21
23
25
512
513
shell
1053
1054
1055
1056
1057
pc#