
Securing-Optimizing-RH-Linux-1_2_46
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 46

        O PrivacyOptions=authwarnings

To read:

        O PrivacyOptions=authwarnings,noexpn,novrfy

Because unethical individuals too often abuse these commands, this change prevents spammers from using the “EXPN” and “VRFY” commands available in Sendmail. See the Sendmail configuration and installation section in this book for more information on this topic.

Edit the sendmail.cf file (vi /etc/sendmail.cf) and change the line:

        O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

To read:

        O SmtpGreetingMessage=$j Sendmail $v/$Z; $b NO UCE C=xx L=xx

This change doesn't actually affect anything, but was recommended by folks in the news.admin.net-abuse.email newsgroup as a legal precaution. It modifies the banner which Sendmail displays upon receiving a connection. You should replace the “xx” in the “C=xx L=xx” entries with your country and location codes. For example, in my case, I would use “C=CA L=QC” for Canada, Quebec.

14. Prevent your system from responding to ping requests

Preventing your system from responding to ping requests can be a big improvement in your network security, since no one can ping your server and receive an answer. The TCP/IP protocol suite has a number of weaknesses that allow an attacker to leverage techniques in the form of covert channels to surreptitiously pass data in otherwise benign packets. Preventing your server from responding to ping requests can help to minimize this problem. An:

        [root@deep /]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

...should do the job too, and your system won't respond to ping on any interface. You can add this line to your “/etc/rc.d/rc.local” file so the command will be automatically set if your system reboots. Not responding to pings would at least keep most "crackers" out because they would never even know it's there.
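The sendmail.cf changes and the icmp_echo_ignore_all setting above, as an added audit script that is not part of the book: it reads a sendmail.cf for the PrivacyOptions flags and the “NO UCE” banner notice, applies both changes idempotently, interprets the ICMP knob, and adds the rc.local persistence line only once. The function names, the SAMPLE_CF fragment and the rc.local text are constructed for this example; only the option names, flag values and the /proc path come from the text.

```python
"""Audit and harden the sendmail.cf and ICMP settings described above.
Added example, not the book's code. Assumes sendmail.cf option lines look
like 'O Name=value' and that the ICMP knob file holds a single '0' or '1'.
"""
import re
from pathlib import Path

# Flags the text asks for on the PrivacyOptions line.
REQUIRED_PRIVACY = ("authwarnings", "noexpn", "novrfy")
ICMP_KNOB = "/proc/sys/net/ipv4/icmp_echo_ignore_all"
RC_LOCAL_LINE = f"echo 1 > {ICMP_KNOB}"

# Constructed sendmail.cf fragment showing the "before" state.
SAMPLE_CF = """# constructed sendmail.cf fragment (not a real file)
O PrivacyOptions=authwarnings
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
"""

def privacy_options(cf_text):
    """Flags currently set on the 'O PrivacyOptions=' line ([] if the line is absent)."""
    m = re.search(r"^O PrivacyOptions=(\S*)", cf_text, re.M)
    return [f for f in m.group(1).split(",") if f] if m else []

def missing_privacy_flags(cf_text):
    """Required flags not yet set; EXPN/VRFY stay usable while this is non-empty."""
    have = set(privacy_options(cf_text))
    return [f for f in REQUIRED_PRIVACY if f not in have]

def harden_privacy_options(cf_text):
    """Return cf_text with the missing flags appended; running it twice changes nothing."""
    flags = privacy_options(cf_text)
    flags += [f for f in REQUIRED_PRIVACY if f not in flags]
    new_line = "O PrivacyOptions=" + ",".join(flags)
    if re.search(r"^O PrivacyOptions=", cf_text, re.M):
        return re.sub(r"^O PrivacyOptions=.*$", new_line, cf_text, count=1, flags=re.M)
    return cf_text.rstrip("\n") + "\n" + new_line + "\n"

def greeting_has_no_uce(cf_text):
    """True when the SMTP banner already carries the 'NO UCE' notice."""
    m = re.search(r"^O SmtpGreetingMessage=(.*)$", cf_text, re.M)
    return bool(m and "NO UCE" in m.group(1))

def set_greeting_notice(cf_text, country, location):
    """Append ' NO UCE C=<country> L=<location>' to the banner line unless present."""
    def add(m):
        line = m.group(0)
        return line if "NO UCE" in line else f"{line} NO UCE C={country} L={location}"
    # A function replacement stops re.sub from interpreting '$' or '\' in the banner.
    return re.sub(r"^O SmtpGreetingMessage=.*$", add, cf_text, count=1, flags=re.M)

def icmp_echo_ignored(knob_text):
    """Interpret the contents of icmp_echo_ignore_all: '1' means echo requests are dropped."""
    return knob_text.strip() == "1"

def read_icmp_knob(path=ICMP_KNOB):
    """Read the live kernel setting; None when the file is missing (non-Linux or no access)."""
    try:
        return icmp_echo_ignored(Path(path).read_text())
    except OSError:
        return None

def ensure_rc_local_line(rc_text):
    """Make the setting survive a reboot by adding the echo line to rc.local exactly once."""
    if RC_LOCAL_LINE in rc_text.splitlines():
        return rc_text
    return rc_text.rstrip("\n") + "\n" + RC_LOCAL_LINE + "\n"

def audit(cf_text, knob_text, rc_text):
    """Summarise the checks as finding -> bool, where True means the issue is still open."""
    return {
        "expn_vrfy_enabled": bool(missing_privacy_flags(cf_text)),
        "banner_missing_no_uce": not greeting_has_no_uce(cf_text),
        "ping_answered": not icmp_echo_ignored(knob_text),
        "icmp_setting_not_persisted": RC_LOCAL_LINE not in rc_text.splitlines(),
    }

if __name__ == "__main__":
    rc = "#!/bin/sh\n# constructed rc.local\n"
    print(audit(SAMPLE_CF, "0\n", rc))
    fixed_cf = set_greeting_notice(harden_privacy_options(SAMPLE_CF), "CA", "QC")
    print(audit(fixed_cf, "1\n", ensure_rc_local_line(rc)))
```

To run it against a real host, pass the contents of /etc/sendmail.cf, the ICMP knob and /etc/rc.d/rc.local to audit(); the functions only return strings, so writing the hardened text back to the files is left to the administrator.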
To turn it back on, simply:

        [root@deep /]# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

15. Don’t let the system issue file be displayed

If you don't want your system's issue file to be displayed when people log in remotely, you can change the telnet option in your “/etc/inetd.conf” file to look like:

        telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd -h

Adding the “-h” flag on the end will cause the daemon not to display any system information and just present the user with a login: prompt. This hack is only necessary if you’re using the Telnet daemon on your server (instead, I recommend using SSH).

16. The “/etc/host.conf” file