mirror of
git://slackware.nl/current.git
synced 2024-12-26 09:58:59 +01:00
5a12e7c134
Wed Aug 26 10:00:38 CDT 2009 Slackware 13.0 x86_64 is released as stable! Thanks to everyone who helped make this release possible -- see the RELEASE_NOTES for the credits. The ISOs are off to the replicator. This time it will be a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. We're taking pre-orders now at store.slackware.com. Please consider picking up a copy to help support the project. Once again, thanks to the entire Slackware community for all the help testing and fixing things and offering suggestions during this development cycle. As always, have fun and enjoy! -P.
218 lines
7.2 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Security</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="PREVIOUS" title="Talking to Other People"
href="basic-network-commands-talk.html" />
<link rel="NEXT" title="Host Access Control" href="security-host.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="CHAPTER" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="basic-network-commands-talk.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom"></td>
<td width="10%" align="right" valign="bottom"><a href="security-host.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="CHAPTER">
<h1><a id="SECURITY" name="SECURITY"></a>Chapter 14 Security</h1>

<div class="TOC">
<dl>
<dt><b>Table of Contents</b></dt>

<dt>14.1 <a href="security.html#SECURITY-DISABLE">Disabling Services</a></dt>

<dt>14.2 <a href="security-host.html">Host Access Control</a></dt>

<dt>14.3 <a href="security-current.html">Keeping Current</a></dt>
</dl>
</div>

<p>Security on any system is important; it can prevent people launching attacks from your
machine, as well as protect sensitive data. This chapter is all about how to start
securing your Slackware box against script kiddies, crackers and rogue hamsters alike.
Bear in mind that this is only the start of securing a system; security is a process, not
a state.</p>

<div class="SECT1">
<h1 class="SECT1"><a id="SECURITY-DISABLE" name="SECURITY-DISABLE">14.1 Disabling
Services</a></h1>

<p>The first step after installing Slackware should be to disable any services you don't
need. Any service could potentially pose a security risk, so it is important to run as
few services as possible (i.e. only those that are needed). Services are started from two
main places - <tt class="COMMAND">inetd</tt> and init scripts.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN5081" name="AEN5081">14.1.1 Services started from <tt
class="COMMAND">inetd</tt></a></h2>

<p>A lot of the daemons that come with Slackware are run from <tt
class="COMMAND">inetd</tt>(8). <tt class="COMMAND">inetd</tt> is a daemon that listens on
all of the ports used by services configured to be started by it and spawns an instance
of the relevant daemon when a connection attempt is made. Daemons started from <tt
class="COMMAND">inetd</tt> can be disabled by commenting out the relevant lines in <tt
class="FILENAME">/etc/inetd.conf</tt>. To do this, open this file in your favorite editor
(e.g. <tt class="COMMAND">vi</tt>) and you should see lines similar to this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
</pre>
</td>
</tr>
</table>

<p>You can disable this service, and any others you don't need, by commenting them out
(i.e. adding a <var class="LITERAL">#</var> (hash) symbol to the beginning of the line).
The above line would then become:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
</pre>
</td>
</tr>
</table>

<p>After <tt class="COMMAND">inetd</tt> has been restarted, this service will be
disabled. You can restart <tt class="COMMAND">inetd</tt> with the command:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">kill -HUP $(cat /var/run/inetd.pid)</kbd>
</pre>
</td>
</tr>
</table>
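<p>The following is an added example and is not part of Slackware Linux Essentials: a small POSIX shell script that audits an inetd.conf-style file for services that are still enabled and comments out a named service exactly as the chapter does by hand. It works on a constructed sample copy of the file, never on the real /etc/inetd.conf; the sample entries, the temporary path and the function names are assumptions made for the demonstration.</p>

```shell
#!/bin/sh
# Added example, not from Slackware Linux Essentials. Audits an inetd.conf-style
# file for enabled services and comments out a named service the way the chapter
# does by hand. Works on a constructed sample copy, never on /etc/inetd.conf itself.

SAMPLE_INETD_CONF="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# Constructed sample in inetd.conf format (service socket proto wait user program args).
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#pop3   stream  tcp     nowait  root    /usr/sbin/tcpd  popa3d
time    stream  tcp     nowait  root    internal
EOF

# list_enabled FILE: service names (field 1) of lines that are neither blank nor
# commented out; these are the services inetd will actually listen for.
list_enabled() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# count_enabled FILE SERVICE: how many active lines start with exactly SERVICE.
count_enabled() {
    awk -v s="$2" '!/^[[:space:]]*(#|$)/ && $1 == s { n++ } END { print n + 0 }' "$1"
}

# disable_service FILE SERVICE: prefix '#' on every active line whose first field
# is exactly SERVICE. Matching the whole field means disabling "ftp" does not also
# touch "tftp". Idempotent; returns 0 if a line was changed, 1 if nothing was.
disable_service() {
    file=$1; svc=$2; tmp="$1.tmp.$$"
    before=$(count_enabled "$file" "$svc")
    awk -v s="$svc" '!/^[[:space:]]*(#|$)/ && $1 == s { $0 = "#" $0 } { print }' \
        "$file" > "$tmp" && mv "$tmp" "$file"
    after=$(count_enabled "$file" "$svc")
    [ "$before" -ne "$after" ]
}

echo "Enabled before: $(list_enabled "$SAMPLE_INETD_CONF" | tr '\n' ' ')"
disable_service "$SAMPLE_INETD_CONF" telnet && echo "telnet commented out"
echo "Enabled after:  $(list_enabled "$SAMPLE_INETD_CONF" | tr '\n' ' ')"
```

<p>After making the same edit to the real /etc/inetd.conf, send inetd the HUP shown above so that it re-reads the file.</p>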
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN5102" name="AEN5102">14.1.2 Services started from init
scripts</a></h2>

<p>The remaining services are started at boot from the init scripts in <tt
class="FILENAME">/etc/rc.d/</tt>. These can be disabled in two different ways, the first
being to remove the execute permissions on the relevant init script and the second being
to comment out the relevant lines in the init scripts.</p>

<p>For example, SSH is started by its own init script at <tt
class="FILENAME">/etc/rc.d/rc.sshd</tt>. You can disable this using:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">chmod -x /etc/rc.d/rc.sshd</kbd>
</pre>
</td>
</tr>
</table>

<p>For services that don't have their own init script, you will need to comment out the
relevant lines in the init scripts to disable them. For example, the portmap daemon is
started by the following lines in <tt class="FILENAME">/etc/rc.d/rc.inet2</tt>:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# This must be running in order to mount NFS volumes.
# Start the RPC portmapper:
if [ -x /sbin/rpc.portmap ]; then
  echo "Starting RPC portmapper: /sbin/rpc.portmap"
  /sbin/rpc.portmap
fi
# Done starting the RPC portmapper.
</pre>
</td>
</tr>
</table>

<p>This can be disabled by adding <var class="LITERAL">#</var> symbols to the beginnings
of the lines that don't already start with them, like so:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
# This must be running in order to mount NFS volumes.
# Start the RPC portmapper:
#if [ -x /sbin/rpc.portmap ]; then
#  echo "Starting RPC portmapper: /sbin/rpc.portmap"
#  /sbin/rpc.portmap
#fi
# Done starting the RPC portmapper.
</pre>
</td>
</tr>
</table>

<p>These changes will only take effect after either a reboot or changing from and back to
runlevel 3 or 4. You can do this by typing the following on the console (you will need to
log in again after changing to runlevel 1):</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telinit 1</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telinit 3</kbd>
</pre>
</td>
</tr>
</table>
</div>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="basic-network-commands-talk.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="security-host.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Talking to Other People</td>
<td width="34%" align="center" valign="top"> </td>
<td width="33%" align="right" valign="top">Host Access Control</td>
</tr>
</table>
</div>
</body>
</html>