diff options
Diffstat (limited to 'slackbook/html/security.html')
-rw-r--r-- | slackbook/html/security.html | 218 |
1 files changed, 218 insertions, 0 deletions
diff --git a/slackbook/html/security.html b/slackbook/html/security.html new file mode 100644 index 00000000..34249a8b --- /dev/null +++ b/slackbook/html/security.html @@ -0,0 +1,218 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<meta name="generator" content="HTML Tidy, see www.w3.org" /> +<title>Security</title> +<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" /> +<link rel="HOME" title="Slackware Linux Essentials" href="index.html" /> +<link rel="PREVIOUS" title="Talking to Other People" +href="basic-network-commands-talk.html" /> +<link rel="NEXT" title="Host Access Control" href="security-host.html" /> +<link rel="STYLESHEET" type="text/css" href="docbook.css" /> +<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> +</head> +<body class="CHAPTER" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" +alink="#0000FF"> +<div class="NAVHEADER"> +<table summary="Header navigation table" width="100%" border="0" cellpadding="0" +cellspacing="0"> +<tr> +<th colspan="3" align="center">Slackware Linux Essentials</th> +</tr> + +<tr> +<td width="10%" align="left" valign="bottom"><a href="basic-network-commands-talk.html" +accesskey="P">Prev</a></td> +<td width="80%" align="center" valign="bottom"></td> +<td width="10%" align="right" valign="bottom"><a href="security-host.html" +accesskey="N">Next</a></td> +</tr> +</table> + +<hr align="LEFT" width="100%" /> +</div> + +<div class="CHAPTER"> +<h1><a id="SECURITY" name="SECURITY"></a>Chapter 14 Security</h1> + +<div class="TOC"> +<dl> +<dt><b>Table of Contents</b></dt> + +<dt>14.1 <a href="security.html#SECURITY-DISABLE">Disabling Services</a></dt> + +<dt>14.2 <a href="security-host.html">Host Access Control</a></dt> + +<dt>14.3 <a href="security-current.html">Keeping Current</a></dt> +</dl> +</div> + +<p>Security on any system is important; it can prevent people launching attacks from your +machine, as well as protect sensitive data. This chapter is all about how to start +securing your Slackware box against script kiddies, crackers and rogue hamsters alike. +Bear in mind that this is only the start of securing a system; security is a process, not +a state.</p> + +<div class="SECT1"> +<h1 class="SECT1"><a id="SECURITY-DISABLE" name="SECURITY-DISABLE">14.1 Disabling +Services</a></h1> + +<p>The first step after installing Slackware should be to disable any services you don't +need. Any services could potentially pose a security risk, so it is important to run as +few services as possible (i.e. only those that are needed). Services are started from two +main places - <tt class="COMMAND">inetd</tt> and init scripts.</p> + +<div class="SECT2"> +<h2 class="SECT2"><a id="AEN5081" name="AEN5081">14.1.1 Services started from <tt +class="COMMAND">inetd</tt></a></h2> + +<p>A lot of the daemons that come with Slackware are run from <tt +class="COMMAND">inetd</tt>(8). <tt class="COMMAND">inetd</tt> is a daemon that listens on +all of the ports used by services configured to be started by it and spawns an instance +of the relevant daemon when a connection attempt is made. Daemons started from <tt +class="COMMAND">inetd</tt> can be disabled by commenting out the relevant lines in <tt +class="FILENAME">/etc/inetd.conf</tt>. To do this, open this file in your favorite editor +(e.g. <tt class="COMMAND">vi</tt>) and you should see lines similar to this:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="PROGRAMLISTING"> +telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd +</pre> +</td> +</tr> +</table> + +<p>You can disable this service, and any others you don't need, by commenting them out +(i.e. adding a <var class="LITERAL">#</var> (hash) symbol to the beginning of the line). +The above line would then become:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="PROGRAMLISTING"> +#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd +</pre> +</td> +</tr> +</table> + +<p>After <tt class="COMMAND">inetd</tt> has been restarted, this service will be +disabled. You can restart <tt class="COMMAND">inetd</tt> with the command:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="SCREEN"> +<samp class="PROMPT">#</samp> <kbd +class="USERINPUT">kill -HUP $(cat /var/run/inetd.pid)</kbd> +</pre> +</td> +</tr> +</table> +</div> + +<div class="SECT2"> +<h2 class="SECT2"><a id="AEN5102" name="AEN5102">14.1.2 Services started from init +scripts</a></h2> + +<p>The rest of the services started when the machine starts are started from the init +scripts in <tt class="FILENAME">/etc/rc.d/</tt>. These can be disabled in two different +ways, the first being to remove the execute permissions on the relevant init script and +the second being to comment out the relevant lines in the init scripts.</p> + +<p>For example, SSH is started by its own init script at <tt +class="FILENAME">/etc/rc.d/rc.sshd</tt>. You can disable this using:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="SCREEN"> +<samp class="PROMPT">#</samp> <kbd class="USERINPUT">chmod -x /etc/rc.d/rc.sshd</kbd> +</pre> +</td> +</tr> +</table> + +<p>For services that don't have their own init script, you will need to comment out the +relevant lines in the init scripts to disable them. For example, the portmap daemon is +started by the following lines in <tt class="FILENAME">/etc/rc.d/rc.inet2</tt>:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="PROGRAMLISTING"> +# This must be running in order to mount NFS volumes. +# Start the RPC portmapper: +if [ -x /sbin/rpc.portmap ]; then + echo "Starting RPC portmapper: /sbin/rpc.portmap" + /sbin/rpc.portmap +fi +# Done starting the RPC portmapper. +</pre> +</td> +</tr> +</table> + +<p>This can be disabled by adding <var class="LITERAL">#</var> symbols to the beginnings +of the lines that don't already start with them, like so:</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="PROGRAMLISTING"> +# This must be running in order to mount NFS volumes. +# Start the RPC portmapper: +#if [ -x /sbin/rpc.portmap ]; then +# echo "Starting RPC portmapper: /sbin/rpc.portmap" +# /sbin/rpc.portmap +#fi +# Done starting the RPC portmapper. +</pre> +</td> +</tr> +</table> + +<p>These changes will only take effect after either a reboot or changing from and back to +runlevel 3 or 4. You can do this by typing the following on the console (you will need to +log in again after changing to runlevel 1):</p> + +<table border="0" bgcolor="#E0E0E0" width="100%"> +<tr> +<td> +<pre class="SCREEN"> +<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telinit 1</kbd> +<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telinit 3</kbd> +</pre> +</td> +</tr> +</table> +</div> +</div> +</div> + +<div class="NAVFOOTER"> +<hr align="LEFT" width="100%" /> +<table summary="Footer navigation table" width="100%" border="0" cellpadding="0" +cellspacing="0"> +<tr> +<td width="33%" align="left" valign="top"><a href="basic-network-commands-talk.html" +accesskey="P">Prev</a></td> +<td width="34%" align="center" valign="top"><a href="index.html" +accesskey="H">Home</a></td> +<td width="33%" align="right" valign="top"><a href="security-host.html" +accesskey="N">Next</a></td> +</tr> + +<tr> +<td width="33%" align="left" valign="top">Talking to Other People</td> +<td width="34%" align="center" valign="top"> </td> +<td width="33%" align="right" valign="top">Host Access Control</td> +</tr> +</table> +</div> +</body> +</html> + |