1. Turn off ports that are not needed.

When installing a Unix system, one of the first steps that should be taken is to disable all TCP/UDP ports and only enable the ones that are really necessary. To do this (on most Unix systems), perform the following steps from a root shell:

1. Comment out ALL lines in /etc/inetd.conf with a text editor such as vi. An easy way to do this in vi is the command ":1,$s/^/#/" (without the quotes).
2. Comment back in only the lines for the services that you will need (such as telnetd and/or ftpd).
3. Save the file and exit.
4. Find out the PID (process ID) of inetd (e.g. "ps -ef | grep inetd") and execute "kill -HUP #" (where "#" is the PID of inetd). This signals the inetd daemon to re-read the modified inetd.conf file.

The reason for shutting off as many ports as possible is simply to minimize risk. Programs that listen on ports can be attacked by anyone on the Internet unless your system is behind a firewall. Devious hackers on the net can write programs that exploit known bugs or other vulnerabilities. By shutting off the port or running tcp-wrappers, you can stop most attacks right at the entry point to your system. This is the most effective thing you can do to defend against network attacks. On your most secure servers, we recommend that you turn all ports off and install only Secure Shell (SSH) in place of telnet and ftp.
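Steps 1 through 4 above, automated in POSIX shell against a constructed sample inetd.conf, as an added example that is not part of the original guide: every service line whose name is not in the allow-list given on the command line is commented out, the result is written to a .new file for review before it is moved over /etc/inetd.conf, and reload_inetd sends the same SIGHUP as step 4. Using pgrep instead of "ps -ef | grep inetd" and the .new file are this example's own choices.

```sh
#!/bin/sh
# Added example: disable every inetd service except an allow-list, then HUP inetd.
# Assumes the classic inetd.conf layout: service name is the first field,
# lines beginning with '#' are comments. pgrep is assumed to be available.

# harden_inetd_conf FILE SERVICE...
# Writes FILE.new: active lines whose first field is not one of SERVICE...
# are commented out; comments, blank lines and allowed services pass through.
harden_inetd_conf() {
    conf="$1"; shift
    keep=" $* "
    out="$conf.new"
    : > "$out"
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') printf '%s\n' "$line" >> "$out"; continue ;;
        esac
        svc=$(printf '%s' "$line" | awk '{ print $1 }')   # service name field
        case "$keep" in
            *" $svc "*) printf '%s\n' "$line" >> "$out" ;;   # still needed
            *)          printf '#%s\n' "$line" >> "$out" ;;  # turned off
        esac
    done < "$conf"
}

# count_enabled FILE: how many service lines are still active (not commented).
count_enabled() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# reload_inetd: step 4 of the guide, signal inetd to re-read its config (root).
reload_inetd() {
    pid=$(pgrep -x inetd | head -n 1)
    [ -n "$pid" ] || { echo "inetd is not running" >&2; return 1; }
    kill -HUP "$pid"
}

# make_sample_conf: constructed sample inetd.conf (not a real system file).
make_sample_conf() {
    f=$(mktemp)
    printf '%s\n' \
        '# constructed sample inetd.conf' \
        'ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a' \
        'telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd' \
        'finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd' \
        'echo    stream  tcp  nowait  root    internal' \
        'echo    dgram   udp  wait    root    internal' > "$f"
    printf '%s\n' "$f"
}

# Stand-alone run: keep only ftp and show what would replace /etc/inetd.conf.
sample=$(make_sample_conf)
harden_inetd_conf "$sample" ftp
cat "$sample.new"
```

After reviewing the .new file, move it over /etc/inetd.conf and run reload_inetd as root; the two "echo" entries show that an allow-list entry keeps every line with that service name, tcp and udp alike.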