Like a Windows system, your chosen Linux distribution will likely be installed with a large number of programs configured to run automatically, without human intervention. On Windows systems these programs are called services; on Linux they are called daemons. In an effort to minimize the amount of software that is running and thus reduce the number of software targets a hacker might try to exploit, you should disable any daemons that are not needed. Determining which daemons are needed will require some investigation and testing.

Add a note hereYou’ll find a list and brief description of daemons in Fedora Core 5 at www.mjmwired.net/resources/mjm-services-fc5.html.

Add a note hereTo configure the daemons, navigate to System | Administration | Services. (Fedora actually uses the Windows terminology to refer to the daemons as services.) This will open the GUI interface shown in Figure 14.1.

Image from book
Add a note hereFigure 14.1: Daemon Control Panel

Add a note hereHighlighting a service in the leftmost pane will pull up a description and some additional details in the Description and Status panes, respectively. Disabling a service is as easy as removing the check mark next to the service in question, then clicking Save in the upper-right corner of the window and rebooting.


Add a note hereDifferent services are handled differently with respect to the time at which your changes take effect. When changes are made to services managed through xinetd, xinetd is immediately restarted; thus your changes will take effect immediately. When the service is not managed by xinetd, the same is not true. In those cases you will need to either stop the service manually, go to a command prompt, type telinit and press Enter to reinitialize the run level, or simply reboot.

Add a note hereIf you are administering the bastion host without access to a GUI front end, you will need to control daemons via the startup scripts. It’s also a good idea to know how to control the daemons without the GUI because the GUI interface will vary from system to system. The methods for startup scripts can also vary from one distribution to another.The startup services in Fedora Core are managed by startup scripts located in /etc/rc.d/init.d. All you need to do is comment out the line that calls the specific script by inserting a # at the front of the line that calls it.You can also edit the individual scripts themselves for control of the way the services are initialized.The preferred way on Fedora Core is to use the chkconfig utility, which can be found in many distributions.You must be logged in as root to use this utility. Abbreviated output from chkconfig --list is shown in Figure 14.2.

Click to collapse
Add a note hereFigure 14.2: Listing Services with chkconfig

Add a note hereAs you can see, apmd (which is used for monitoring and logging the battery status) is configured to start for run levels two through five. Since our bastion host has no battery to monitor, we can disable apmd for all run levels by entering:

Add a note herechkconfig --level 123456 apmd off

Add a note hereIf you want to remove the service entirely form the startup script, type:

Add a note herechkconfig –del apmd

Add a note here Removing Optional Software

Add a note hereAs with Windows, you will also likely end up with some software you don’t need. Removing the software is most easily accomplished with Pirut, the built-in GUI tool you can access by navigating to Applications | Add/Remove Software. Once it finishes checking what is currently installed on the system, you see the Package Manager window, which allows you to search for packages, install packages, or remove them. When you use the Browse button, your interface is hierarchical and looks almost exactly like the one you used to install the operating system.The Package Manager window is shown in Figure 14.3.

Image from book
Add a note hereFigure 14.3: Package Manager

Add a note hereTo remove the aforementioned apmd package, highlight the Base System category in the left pane, and then highlight the Base group in the right pane. Click Optional packages and a new window will open showing all packages in the Base group, as shown in Figure 14.4. Simply clear the check mark next to apmd and click Close. Back at the Package Manager window, click Apply. Click Continue on the next window to verify your changes, and finally, click OK when the update is completed.

Image from book
Add a note hereFigure 14.4: Package Listing

Add a note herePackages can also be managed from the command line using the RPM Package Manager (RPM).You can view a list of all installed packages by entering:

Add a note hererpm –q -a

Add a note hereFor example, to install the apmd package, you would need to first obtain the package file itself (from www.redhat.com/download/mirror.html, for example) or use the RPMs that were included on the installation CDs.Then enter the following command to install apmd:

Add a note hererpm –i apmd-3.2.2-3.2.i386.rpm

Add a note hereIf the installation is successful, you should see output similar to the following;

Add a note herePreparing... ########################################### [100%]
1:apmd-3.2.2-3.2 ########################################### [100%]

Add a note hereYou can even install a package directly from the Internet by specifying the full FTP or HTTP path as the path to the RPM, as follows:

Add a note hererpm –i ftp://somesite.com/5/i386/RPMS/apmd-3.2.2-3.2.i386.rpm

Add a note hereTo uninstall the package, you must use the package name, which can differ from the name of the RPM file.To uninstall apmd, enter the following command, using the –e switch, for erase:

Add a note hererpm –e apmd-3.2.2-3.2


Add a note hereThere are various tools for package management. Here’s a brief summary of the tools included in Fedora Core 5:

Add a note here pup GUI tool for updating software, accessed at Applications | System Tools | Software Updater.

Add a note here pirut GUI tool for managing software packages, accessed at Applications | Add/Remove Software.

Add a note here rpm Command-line tool for managing software packages.

Add a note here yum Yellowdog updater modified; command-line tool for managing software packages.

Add a note here yum Extender A GUI interface for YUM (install with yum install yumex).

Add a note herePirut and yum will automatically ensure you have the most current version of a package. Both of these will also automatically check and install any dependencies for the software you install. Rpm does not include this functionality; you will need to check for dependencies manually when using rpm. YUM only works on RPM based systems, and not all systems will have YUM available/installed, therefore it is suggested that you understand how to manage packages with RPM even if you choose to use YUM for you day to day management.

Add a note hereThere is no universal list to tell you which packages you should leave installed and which ones you should remove.You will need to evaluate each service based on your requirements. However, at a minimum the following services are ones you probably do need to have installed/running, unless you are very sure you don’t need them:

  • Add a note here haldaemon Used for gathering and maintaining information concerning hardware devices

  • Add a note here iptables Manages IPTables firewalls

  • Add a note here messagebus Used for sending notification for certain system events

  • Add a note here network Manages the activation of network interface at boot-up

  • Add a note here NTPd Used to synchronize time via the NTP protocol

  • Add a note here sshd Runs OpenSSH server

  • Add a note here syslogd Used for system logging

  • Add a note here xinetd Manages the startup of services

Tools & Traps…Services to Be Avoided at All Costs

Add a note hereThere are some services that you would never want exposed to an untrusted network such as the Internet. In most cases this means they should not be running on a bastion host. These services include the following:

  • Add a note here portmap Used to manage RPC connections

  • Add a note here Telnet Used for unencrypted remote console access

  • Add a note here rsh, rlogin, rexec Used for unencrypted remote console access

  • Add a note here nfs, lockd, mountd, statd Used for Network File System (NFS) and related services

  • Add a note here lpd Printer service

Add a note hereAll these services are inherently insecure. A variety of alternatives is available that take advantage of encryption and superior authentication methods. If you absolutely must use any of these services, you should protect them by tunneling them in IPSec or equivalent.


Post a Comment