1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2025-01-14 08:01:11 +01:00
slackware-current/slackbook/html/security.html

219 lines
7.2 KiB
HTML
Raw Normal View History

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Security</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="PREVIOUS" title="Talking to Other People"
href="basic-network-commands-talk.html" />
<link rel="NEXT" title="Host Access Control" href="security-host.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="CHAPTER" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>
<tr>
<td width="10%" align="left" valign="bottom"><a href="basic-network-commands-talk.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom"></td>
<td width="10%" align="right" valign="bottom"><a href="security-host.html"
accesskey="N">Next</a></td>
</tr>
</table>
<hr align="LEFT" width="100%" />
</div>
<div class="CHAPTER">
<h1><a id="SECURITY" name="SECURITY"></a>Chapter 14 Security</h1>
<div class="TOC">
<dl>
<dt><b>Table of Contents</b></dt>
<dt>14.1 <a href="security.html#SECURITY-DISABLE">Disabling Services</a></dt>
<dt>14.2 <a href="security-host.html">Host Access Control</a></dt>
<dt>14.3 <a href="security-current.html">Keeping Current</a></dt>
</dl>
</div>
<p>Security on any system is important; it can prevent people launching attacks from your
machine, as well as protect sensitive data. This chapter is all about how to start
securing your Slackware box against script kiddies, crackers and rogue hamsters alike.
Bear in mind that this is only the start of securing a system; security is a process, not
a state.</p>
<div class="SECT1">
<h1 class="SECT1"><a id="SECURITY-DISABLE" name="SECURITY-DISABLE">14.1 Disabling
Services</a></h1>
<p>The first step after installing Slackware should be to disable any services you don't
need. Any services could potentially pose a security risk, so it is important to run as
few services as possible (i.e. only those that are needed). Services are started from two
main places - <tt class="COMMAND">inetd</tt> and init scripts.</p>
<div class="SECT2">
<h2 class="SECT2"><a id="AEN5081" name="AEN5081">14.1.1 Services started from <tt
class="COMMAND">inetd</tt></a></h2>
<p>A lot of the daemons that come with Slackware are run from <tt
class="COMMAND">inetd</tt>(8). <tt class="COMMAND">inetd</tt> is a daemon that listens on
all of the ports used by services configured to be started by it and spawns an instance
of the relevant daemon when a connection attempt is made. Daemons started from <tt
class="COMMAND">inetd</tt> can be disabled by commenting out the relevant lines in <tt
class="FILENAME">/etc/inetd.conf</tt>. To do this, open this file in your favorite editor
(e.g. <tt class="COMMAND">vi</tt>) and you should see lines similar to this:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
</pre>
</td>
</tr>
</table>
<p>You can disable this service, and any others you don't need, by commenting them out
(i.e. adding a <var class="LITERAL">#</var> (hash) symbol to the beginning of the line).
The above line would then become:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
</pre>
</td>
</tr>
</table>
<p>After <tt class="COMMAND">inetd</tt> has been restarted, this service will be
disabled. You can restart <tt class="COMMAND">inetd</tt> with the command:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">kill -HUP $(cat /var/run/inetd.pid)</kbd>
</pre>
</td>
</tr>
</table>
</div>
<div class="SECT2">
<h2 class="SECT2"><a id="AEN5102" name="AEN5102">14.1.2 Services started from init
scripts</a></h2>
<p>The rest of the services started when the machine starts are started from the init
scripts in <tt class="FILENAME">/etc/rc.d/</tt>. These can be disabled in two different
ways, the first being to remove the execute permissions on the relevant init script and
the second being to comment out the relevant lines in the init scripts.</p>
<p>For example, SSH is started by its own init script at <tt
class="FILENAME">/etc/rc.d/rc.sshd</tt>. You can disable this using:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">chmod -x /etc/rc.d/rc.sshd</kbd>
</pre>
</td>
</tr>
</table>
<p>For services that don't have their own init script, you will need to comment out the
relevant lines in the init scripts to disable them. For example, the portmap daemon is
started by the following lines in <tt class="FILENAME">/etc/rc.d/rc.inet2</tt>:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# This must be running in order to mount NFS volumes.
# Start the RPC portmapper:
if [ -x /sbin/rpc.portmap ]; then
echo "Starting RPC portmapper: /sbin/rpc.portmap"
/sbin/rpc.portmap
fi
# Done starting the RPC portmapper.
</pre>
</td>
</tr>
</table>
<p>This can be disabled by adding <var class="LITERAL">#</var> symbols to the beginnings
of the lines that don't already start with them, like so:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# This must be running in order to mount NFS volumes.
# Start the RPC portmapper:
#if [ -x /sbin/rpc.portmap ]; then
# echo "Starting RPC portmapper: /sbin/rpc.portmap"
# /sbin/rpc.portmap
#fi
# Done starting the RPC portmapper.
</pre>
</td>
</tr>
</table>
<p>These changes will only take effect after either a reboot or changing from and back to
runlevel 3 or 4. You can do this by typing the following on the console (you will need to
log in again after changing to runlevel 1):</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telinit 1</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telinit 3</kbd>
</pre>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="basic-network-commands-talk.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="security-host.html"
accesskey="N">Next</a></td>
</tr>
<tr>
<td width="33%" align="left" valign="top">Talking to Other People</td>
<td width="34%" align="center" valign="top">&nbsp;</td>
<td width="33%" align="right" valign="top">Host Access Control</td>
</tr>
</table>
</div>
</body>
</html>