Securing-Optimizing-RH-Linux-1_2_46
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
O PrivacyOptions=authwarnings
To read:
O PrivacyOptions=authwarnings,noexpn,novrfy
Because unethical individuals too often abuse these commands, the change prevents spammers
from using the EXPN and VRFY commands available in Sendmail. See the Sendmail
configuration and installation section in this book for more information on this topic.
Edit the sendmail.cf file (vi /etc/sendmail.cf) and change the line:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
To read:
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b NO UCE C=xx L=xx
This change doesn't actually affect anything, but was recommended by folks in the
news.admin.net-abuse.email newsgroup as a legal precaution. It modifies the banner which
Sendmail displays upon receiving a connection. You should replace the xx in the "C=xx L=xx"
entries with your country and location codes. For example, in my case, I would use "C=CA L=QC"
for Canada, Quebec.
14. Prevent your system from responding to ping requests
Preventing your system from responding to ping requests can be a big improvement in your network
security since no one can ping your server and receive an answer. The TCP/IP protocol suite
has a number of weaknesses that allow an attacker to leverage techniques in the form of covert
channels to surreptitiously pass data in otherwise benign packets. Preventing your server from
responding to ping requests can help to minimize this problem.
The command:
[root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
should do the job, and your system won't respond to ping on any interface. You can add this
line to your /etc/rc.d/rc.local file so the setting is applied automatically each time your system reboots.
Not responding to pings would at least keep most "crackers" out because they would never even
know it's there.
To turn it back on, simply run:
[root@deep /]# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
15. Don't let the system issue file be displayed
If you don't want your system's issue file to be displayed when people log in remotely, you can
change the telnet option in your /etc/inetd.conf file to look like:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding the -h flag at the end will cause the daemon to not display any system information and
just present the user with a login: prompt. This hack is only necessary if you're using the Telnet
daemon on your server (I recommend using SSH instead).
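An added example, not from the book: a small shell audit that checks the three changes made on this page (the noexpn and novrfy privacy flags, icmp_echo_ignore_all, and the -h flag on the telnet entry). The function names and the constructed sample files are assumptions for illustration; the files to check are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the book): audit the three settings changed above.
# Function names are illustrative; file paths are passed in as arguments.

# 0 if a PrivacyOptions line in sendmail.cf ($1) lists flag $2.
privacy_flag_set() {
    grep -E '^O[[:space:]]+PrivacyOptions=' "$1" | sed 's/^[^=]*=//' |
        tr ',' '\n' | tr -d ' \t\r' | grep -qiFx -- "$2"
}

# 0 if the kernel flag file ($1) holds 1, i.e. echo requests are ignored.
ping_ignored() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = 1 ]
}

# 0 if every active telnet entry in inetd.conf ($1) passes -h to the daemon
# (fields 7 and up are the server's argv); also 0 when telnet is disabled.
telnet_banner_hidden() {
    awk '$1 == "telnet" { n++; f = 0
             for (i = 7; i <= NF; i++) if ($i == "-h") f = 1
             h += f }
         END { exit (n + 0 == h + 0 ? 0 : 1) }' "$1"
}

# audit SENDMAIL_CF ICMP_FLAG_FILE INETD_CONF; returns the number of failures.
audit() {
    fails=0
    for flag in noexpn novrfy; do
        privacy_flag_set "$1" "$flag" ||
            { echo "FAIL: PrivacyOptions lacks $flag"; fails=$((fails + 1)); }
    done
    ping_ignored "$2" ||
        { echo "FAIL: icmp_echo_ignore_all is not 1"; fails=$((fails + 1)); }
    telnet_banner_hidden "$3" ||
        { echo "FAIL: telnet entry lacks -h"; fails=$((fails + 1)); }
    echo "$fails check(s) failed"
    return "$fails"
}

# Constructed sample files showing the state before this page's changes.
demo=$(mktemp -d)
printf 'O PrivacyOptions=authwarnings\n' > "$demo/sendmail.cf"
printf '0\n' > "$demo/icmp_echo_ignore_all"
printf 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' > "$demo/inetd.conf"
audit "$demo/sendmail.cf" "$demo/icmp_echo_ignore_all" "$demo/inetd.conf" || true
rm -rf "$demo"
```

To audit a live system, call audit with /etc/sendmail.cf, /proc/sys/net/ipv4/icmp_echo_ignore_all and /etc/inetd.conf as its three arguments.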
16. The /etc/host.conf file