Securing a UNIX Machine for Beginners
Summary: Advice on securing your Unix machine by turning off unneeded services.
Many people like the power and flexibility associated with UNIX. However,
some of the people who set up UNIX machines are not aware that with all that
power and flexibility comes a maintenance burden - mainly because the more
network-based services you have running, the more likely it is that eventually
a security hole will be found in one of those services, requiring that you
patch your system.
This document describes a way to keep most of that power and flexibility,
but to also reduce the maintenance burden by turning off unneeded services.
Before we get started: the most important things you can do to keep your machine
secure are to use a recent version of your chosen OS, subscribe to the CERT mailing
list (or BugTraq instead, if you have the time and curiosity), and apply patches as
needed.
How to make your machine more secure
(and easier to keep up to date on patches, because there'll be fewer patches you need to apply)
- Most of what we'll be doing involves turning off unneeded services in /etc/inetd.conf.
- Go ahead and edit /etc/inetd.conf. Lines that begin with a "#" are
comments. All the lines that aren't commented out are services that
are launched by inetd. The odds that any particular one of these services
will develop a (known) security hole aren't that high, but the odds
that at least one of them will are noticeably higher. So we want to turn
off all the unneeded ones.
- Services we recommend always turning off include: echo, daytime,
chargen, time.
- Services we recommend turning off if you can include... everything
else. If this isn't a mission critical machine, we'd actually recommend
that you turn off everything, and then add back services you later
discover you needed. Of course, on a machine that must be available,
it's better to only turn off services you know you won't need.
- For specifics of how to turn off a service that's launched by inetd,
see Turning off an inetd-launched service.
- Not all network services on UNIX are launched by inetd. Some run as standalone
daemons. Sendmail and Samba are both packages that have the option of either
running off of inetd, OR running as standalone daemons.
- If you don't need to process e-mail on this machine (including local
e-mail), we recommend turning off sendmail. See turning
off sendmail for specifics.
- If you don't need to share files or printers from your UNIX machine
to machines running Microsoft operating systems, we recommend turning
off samba. See turning off samba for
specifics.
- Note that you may have other network services that are not launched
by inetd. These are only two of the most common.
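To make the inetd.conf steps above concrete, here is an added example (a small POSIX shell script, not code from the original article) that lists the services a classic inetd.conf would launch, comments out the ones you name while keeping a backup, and sends inetd the SIGHUP it needs to re-read the file. The sample configuration, the function names and the /var/run/inetd.pid path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Audits and disables inetd-launched services in an inetd.conf-style file.
# Assumptions: the classic inetd.conf layout (service name is the first
# field, "#" at the start of a line makes it a comment), and that the caller
# supplies the file path and the service names. The sample configuration
# below is constructed for this example.

# Write a small constructed inetd.conf to the path given as $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf (not from any real system)
echo    stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal
chargen stream  tcp     nowait  root    internal
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
EOF
}

# Print the name of every service inetd would launch: the first field of
# each non-blank line that is not a comment.
active_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF > 0 { print $1 }'
}

# Comment out the named services. Usage:
#   disable_services /etc/inetd.conf echo daytime chargen time
# A copy of the original is kept as <file>.bak. Lines that are already
# comments are left alone: their first field starts with "#", so it never
# equals a service name, and nothing gets commented out twice.
disable_services() {
    conf="$1"; shift
    cp "$conf" "$conf.bak" || return 1
    for svc in "$@"; do
        awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf" || return 1
    done
}

# inetd only re-reads its configuration on SIGHUP. The pid file location
# varies between systems; /var/run/inetd.pid is assumed here, so pass the
# right path for your system if it differs.
reload_inetd() {
    pidfile="${1:-/var/run/inetd.pid}"
    [ -r "$pidfile" ] || { echo "no pid file at $pidfile" >&2; return 1; }
    kill -HUP "$(cat "$pidfile")"
}

# Demonstration on the constructed sample; never touches /etc.
demo() {
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    echo "before:"; active_services "$tmp"
    disable_services "$tmp" echo daytime chargen time
    echo "after:";  active_services "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

# Run "sh inetd_audit.sh demo" to see the before/after on the sample.
[ "${1:-}" = "demo" ] && demo
```

disable_services only edits the path you hand it, so try it on the constructed sample with demo before pointing it at /etc/inetd.conf, and remember that the edit does nothing until inetd is reloaded. Standalone daemons such as sendmail and samba never appear in this file at all; to find those, look at which sockets are actually listening with netstat -a (netstat -p on Linux, or lsof -i, also shows the owning process) and trace each listening port back to the daemon that opened it.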
You're done. For now.
Further Information
If you're interested in further securing your system, we recommend installing ssh,
and possibly an SSL ftp.
These make it more feasible to turn off things like telnet, rlogin, rsh and
ftp, which send passwords over the network unencrypted or rely on IP-based
authentication. Sadly, many malicious people like to break into computers and
then sniff unencrypted passwords off the network (allowing them to break into
many other computers!) - so using encrypted equivalents can really reduce
the severity of a break-in.
Additional Resources
Finally, here are some links you can check out for more information.
- Installing Security Patches
- rootshell.com - for a huge list of security exploits - the things we're trying to protect against
- comp.security.unix for ongoing discussion of UNIX security issues
- Linux Security HOWTO
- Misc UNIX security links
- SunSolve Online - Security Information
- Red Hat Errata. Select your version of Red Hat. Be sure to check both "general" and architecture-specific errata. Search for "security" with your web browser in both.