This month we continue our look at the steps required to harden a Linux system by considering how Linux services can be secured. In fact, securing system services — subsystems like printing and electronic mail, file and web serving, and remote access (telnet, ftp, rlogin, rsh, imap, and so on) — represents a large part of the hardening task.
This month we continue our look at the steps required to harden a Linux system by considering how Linux services can be secured. In fact, securing system services — subsystems like printing and electronic mail, file and web serving, and remote access (telnet, ftp, rlogin, rsh, imap, and so on) — represents a large part of the hardening task.
In general, the guiding principle of securing system services is install only those packages that the system actually needs. As we noted last month, potential intruders can’t exploit software that isn’t present on the system. When removing a package isn’t possible or practical, then unneeded services should be disabled.
The following list represents the general tasks associated with securing system services:
Disable or remove all unneeded services.
Specify logging and access control for all services, allowing only the minimum access necessary.
When appropriate, use chroot to run a service in a confined directory.
If at all possible, create a special user to run server processes. For example, run named as user named.
Use secure versions of daemons when they are available.
Restrict access to facilities services like cron to system administrators.
If a server lets you limit the number of daemon processes, specify a limit. Setting limits can help prevent some denial of service attacks.
Finally, be sure to secure all services, whether they seem security-related or not (e.g., printing).
Locating and Disabling Linux Services
Before you disable unnecessary services — or even…
Please log in to view this content.
Not Yet a Member?
Register with LinuxMagazine.com and get free access to the entire archive, including:
