Tutorials - Setting up and maintaining a secure server - Securing your installation
This article written by
  OldSite

Member since
  October 11, 2006

Crackers:

Often people install Linux and leave every standard service running. Each of those services is code listening on the network, and there is a good chance that at least one of them is exploitable or misconfigured. The first thing a cracker will do to get into a box is port scan it, to find out which TCP services are listening.

Admins:

Sometimes, when you install Linux, there are some unwanted services running. The easiest way to find them is to port scan yourself, just like a cracker would. Port scanning checks the (common) TCP ports to see which ones are open, and reports the ones that are. The most popular port scanner is Nmap; the Nmap download page has installation instructions. Once you have installed Nmap, run it against your own system: "nmap localhost".

Note: A service may be bound to the loopback interface only (visible from localhost but not from the outside) or to an external interface only, so wherever possible run nmap against the server's public address from another machine as well as from localhost, and compare the two lists rather than treating them as the same thing.

[admin@server admin]$ nmap localhost

Starting nmap V. **** ( www.insecure.org/nmap/ )
Warning:  You are not root -- using TCP pingscan rather than ICMP
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1550 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
3306/tcp   open        mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
[admin@server admin]$ 

As you can see, this server has only four TCP ports open, at least as seen from localhost. They are:
Port 21 (FTP) – File Transfer Protocol
Port 22 (SSH) – Secure Shell
Port 80 (HTTP) – Web server
Port 3306 (MySQL) – the MySQL database server

This is a server I run; I would consider it fairly secure.

Note that MySQL is open in this example! This was a localhost port scan, so on its own it cannot tell you whether MySQL is bound to 127.0.0.1 only or to every interface. It is fine to have MySQL listening on localhost for the web application on the same box, but leaving it reachable from outside without a firewall blocking it is a bit silly. If only local clients use it, bind it to 127.0.0.1 (bind-address in my.cnf) or turn TCP off altogether (skip-networking), and confirm with "netstat -tln" which address each listener is actually bound to.
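The note above about services that are local-only or external-only, and the MySQL case just described, both come down to which address each listening socket is bound to. The following script is an added example and is not from the original tutorial: it reads a "netstat -tln" (or "ss -tln") listing, separates loopback-bound listeners from externally reachable ones, and flags any exposed port that is not on an allow-list you pass in. The netstat listing embedded in it is constructed for the demo, not captured from the author's server; on a live box you pipe real netstat output into it.

```shell
#!/bin/sh
# Added example: which listeners would an outside nmap actually see?
# Feed it the output of "netstat -tln" (or "ss -tln"); it separates sockets
# bound to the loopback address (only "nmap localhost" sees those) from sockets
# bound to 0.0.0.0, :: or a real interface address (an outside scan sees those).

# Print "<port> <scope>" for every listening TCP socket read on stdin.
classify_listeners() {
    awk '
        /LISTEN/ {
            # The local address is the first field that ends in ":<port>";
            # the foreign/peer column ends in ":*" so it never matches.
            laddr = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { laddr = $i; break }
            if (laddr == "") next
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            scope = (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") ? "local" : "external"
            print port, scope
        }'
}

# Ports an outside scanner can reach (deduplicated across IPv4/IPv6).
external_ports() {
    classify_listeners | awk '$2 == "external" { print $1 }' | sort -nu
}

# Ports that only a scan run on the box itself will show.
local_only_ports() {
    classify_listeners | awk '$2 == "local" { print $1 }' | sort -nu
}

# Compare the externally reachable ports against the ports you intend to
# expose (space separated) and print every one that is not on that list.
# Usage on a live box:  netstat -tln | unexpected_ports "22 80"
unexpected_ports() {
    allowed=" $1 "
    external_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;          # intended to be public
            *) echo "$port" ;;       # exposed but not on the allow-list
        esac
    done
}

# Constructed netstat listing (not captured from the page's server) that
# mirrors its localhost scan: 21, 22 and 80 on every interface, MySQL 3306
# bound to 127.0.0.1 only, plus the IPv6 copy of sshd.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN'

# Demo: only 21 (FTP) is exposed without being on the allow-list; 3306 is
# loopback-only, so it never appears here even though "nmap localhost" lists it.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_ports "22 80"
```

The point of the allow-list is that "what is listening" and "what I meant to expose" are two different lists; anything that turns up in the first but not the second is either a service to shut down or a socket to rebind to 127.0.0.1.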

As a quick example of why running Windows as a server is a bad idea, look at this scan of a standard Windows XP installation:

Starting nmap V. **** ( www.insecure.org/nmap/ )
Interesting ports on ******* (***.***.***.***):
(The 1596 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        NFS-or-IIS
5000/tcp   open        UPnP

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

As you can see from this example, a lot of unwanted services are open :) Ports 135, 139 and 445 are the Microsoft RPC endpoint mapper and NetBIOS/SMB file sharing, and 5000 is UPnP; none of these has any business being reachable from the internet. Note also that the "Service" column is only a lookup of the port number in Nmap's own port table, which is why 1025 is shown as "NFS-or-IIS": it is a guess, not a detection.

Linux isn't completely free of guilt here either, as most large distributions like RedHat enable services that are just as bad on their default installs. However, it is definitely easier to turn them off on Linux.

So we see a port open on our box; now how do we close it? Nmap is helpful here too, as you may have noticed it prints a standard service name next to every open port. Treat that name as a hint rather than a fact: it comes from Nmap's port-number table, not from talking to the service, so if something unexpected is listening, confirm which program owns the port locally with "netstat -tlnp" (run as root; the -p column shows the PID and program name). On RedHat Linux there are two places you will generally find the control scripts for these services (to turn them off, etc.).

Note: This tutorial has been partially updated from an older tutorial, so it still references RedHat here. Hopefully I’ll get time to update this for Debian later. For now, Google is your friend!

As an example, let's say telnet was open on the box.

The first place to look for services is in the init scripts. Type "ls /etc/rc.d/init.d/". You will see a list of possible services (not all of them listen on ports; apm, for example, does not). Let's see if telnet can be turned off this way: type "ls /etc/rc.d/init.d/telnet" and "ls /etc/rc.d/init.d/telnetd" (it is very common to add a d to the end of a daemon's name; for example, "ssh" is actually "sshd"). Seeing as telnet is not in this directory, it is probably being run from xinetd (xinetd is a server program which runs other services from inside itself; you use its config files to change what it runs). Before moving on to xinetd, though, here is how to turn off a service that does have an init script. First:

/etc/rc.d/init.d/<service> stop

This will turn off the service.

chkconfig --level 0123456 <service> off

This will stop that service from starting at boot in any runlevel. You can check the result with "chkconfig --list <service>".

Now, taking the example of telnet, which was not in the init scripts, where do we look next? xinetd.

Type "ls /etc/xinetd.d/". You should see another list of services. And yes, among them is telnet!

Type "cat /etc/xinetd.d/telnet". You will see a line "disable = " followed by either yes or no (if the line is missing altogether, xinetd treats the service as enabled). Seeing as we want to turn off this service, edit the file so that it reads "disable = yes" (to say, yes, disable it). On RedHat, "chkconfig telnet off" makes the same edit for you.

Now, type "/etc/rc.d/init.d/xinetd restart". This will restart xinetd, which rereads its config and stops listening on behalf of any service you disabled.

Assuming you are doing this from the console of the server (so you cannot lock yourself out by stopping sshd), I would suggest disabling every listening service on the system until nmap shows no ports open. Once you have a clean system, you can add back the services you actually need, one at a time, rescanning after each. Anything you never need is better removed with the package manager than merely disabled, so that a later update or a careless chkconfig cannot bring it back.
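Putting the steps above together, here is an added example script (not part of the original tutorial) that disables a service by the name nmap reports, the way the text describes: init script plus chkconfig if one exists, otherwise the xinetd "disable = yes" edit followed by an xinetd restart. The ROOT prefix is an assumption added so the helpers can be tried against a scratch copy of /etc; it is empty on a real system. It also handles an xinetd file that has no disable line at all, which xinetd treats as enabled.

```shell
#!/bin/sh
# Added example: turn off a service found by nmap, whichever way it is started.
# It follows the procedure above: init script first (stop it, then chkconfig it
# off in every runlevel), otherwise xinetd (set "disable = yes", restart xinetd).
# ROOT is an assumed prefix for the /etc tree so the helpers can be exercised
# against a scratch directory; leave it empty on a real box.
ROOT="${ROOT:-}"

# Locate the init script for a name as nmap reports it, trying the bare name
# and the usual "d" suffix (ssh -> sshd). Prints the path, or fails.
find_init_script() {
    for name in "$1" "${1}d"; do
        if [ -x "$ROOT/etc/rc.d/init.d/$name" ]; then
            echo "$ROOT/etc/rc.d/init.d/$name"
            return 0
        fi
    done
    return 1
}

# Rewrite /etc/xinetd.d/<service> so it carries "disable = yes". A missing
# disable line means enabled to xinetd, so one is inserted before the closing
# brace in that case. Fails if there is no such file.
xinetd_disable() {
    conf="$ROOT/etc/xinetd.d/$1"
    [ -f "$conf" ] || return 1
    tmp="$conf.tmp.$$"
    awk '
        /^[[:space:]]*disable[[:space:]]*=/ { sub(/=.*/, "= yes"); seen = 1 }
        /^[[:space:]]*}/ && !seen        { print "\tdisable\t\t= yes"; seen = 1 }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Is the service now marked disabled in its xinetd file?
xinetd_is_disabled() {
    grep -q '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$ROOT/etc/xinetd.d/$1"
}

# Top level: stop the service now and keep it from coming back at boot.
disable_service() {
    svc="$1"
    if script=$(find_init_script "$svc"); then
        "$script" stop
        chkconfig --level 0123456 "$(basename "$script")" off
        echo "stopped and disabled standalone daemon $(basename "$script")"
    elif xinetd_disable "$svc"; then
        "$ROOT/etc/rc.d/init.d/xinetd" restart
        echo "disabled xinetd service $svc"
    else
        echo "$svc: no init script and no xinetd entry; find the owning process with 'netstat -tlnp'" >&2
        return 1
    fi
}

# Usage on a real box (as root, from the console):  sh disable_service.sh telnet
if [ $# -gt 0 ]; then
    disable_service "$1"
fi
```

Run it for each port nmap shows, then rescan; the final "else" branch is the case where the listener belongs to something started another way (a cron job, a program launched from rc.local, or a daemon that does not use the service name nmap guessed), which is exactly when you want "netstat -tlnp" rather than the port-name lookup.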


Continue to HTTP Servers »
In this tutorial:
  1. Introduction
  2. Linux Distributions & Installation
  3. Securing your installation
  4. HTTP Servers
  5. FTP Servers
  6. SSH Servers
  7. Keeping your server secure
  8. Summary