Rishi L Khan <rishi@UDel.Edu> writes:
> If you're not using sunrpc or lpd, I would turn them off. The way I do it
> is turn off the services (/etc/init.d/portmap stop; /etc/init.d/lpd stop)
> and then edit /etc/init.d/lpd and /etc/init.d/portmap and add a line near
> the top that says "exit 0" (w/o quotes) so that when you restart, they
> don't come back.
It should be sufficient to do
update-rc.d -f portmap remove
update-rc.d -f lpd remove
update-rc.d -f bind remove
although, really, `dpkg -P portmap' is more like it.
> Also, if you don't need telnet, turn that off by commenting out the line
> starting with "telnet" in the /etc/inetd.conf file. Then restart inetd or
> send a kill -HUP to it.
No firewall should *EVER* run telnetd. Period. Purge the package, learn to
use ssh for everything.
> Additionally, your firewall should filter all incoming tcp connection
> requests except the ones you want to keep (like ssh, etc). I'm not sure
> how to do that in iptables, because I use ipchains.
My script, previously plugged, does this with connection tracking.
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state INVALID -j DROP
right at the top, then
iptables -A block -p tcp --destination-port 22 -j ACCEPT
to open ssh to all incoming hosts, then
iptables -A block -j DROP
to drop everything else.
17:20:49 up 44 days, 7:19, 15 users, load average: 0.01, 0.06, 0.03
firstname.lastname@example.org |operating system not found
http://piglet.is.dreaming.org |(seen mid-windows 98 installation)
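The "block" chain sketched in the reply above, written out as a complete script. This is an added example, not the script the author says he plugged earlier and not anything else from the mail: the four `-m state` / ssh / drop rules come from the message, while the loopback accept, hooking the chain into INPUT and FORWARD, the SSH_PORT variable and the show/apply switch that prints the rules instead of loading them are assumptions added here so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the script plugged in the mail above. It builds the
# stateful "block" chain the reply describes: ESTABLISHED/RELATED accepted,
# INVALID dropped, inbound SSH accepted, everything else dropped.
# Assumptions added here (not in the mail): the loopback accept, hooking
# "block" into INPUT and FORWARD, the SSH_PORT variable, and the show/apply
# switch that prints the rules instead of loading them.
set -eu

SSH_PORT="${SSH_PORT:-22}"   # hypothetical knob; the mail hard-codes 22
DRY_RUN="${DRY_RUN:-1}"      # 1 = print rules, 0 = run iptables for real

# Wrapper so the same rule list can be reviewed without root.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_block_chain() {
    ipt -N block
    # Connection tracking first: replies and related packets (FTP data,
    # ICMP errors) for conversations already allowed get through here.
    ipt -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets the tracker cannot place in any connection (stray ACKs, bogus
    # flag combinations) are dropped before any ACCEPT rule can see them.
    ipt -A block -m state --state INVALID -j DROP
    # Only NEW packets reach this point, so this opens SSH to all hosts.
    ipt -A block -p tcp --destination-port "$SSH_PORT" -j ACCEPT
    # Everything else, including new connections to portmap, lpd or telnet
    # if they were still listening, is dropped.
    ipt -A block -j DROP
}

install_firewall() {
    ipt -A INPUT -i lo -j ACCEPT      # loopback never goes through "block"
    build_block_chain
    ipt -A INPUT -j block             # traffic for the firewall itself
    ipt -A FORWARD -j block           # traffic routed through it
}

# Number of "-A" rules the policy installs; a quick sanity check on the
# dry-run listing.
rule_count() {
    ( DRY_RUN=1; install_firewall ) | grep -c -- '^iptables -A'
}

# Last rule of the block chain, which must be the catch-all DROP.
last_block_rule() {
    ( DRY_RUN=1; build_block_chain ) | tail -n 1
}

case "${1:-show}" in
    show)  DRY_RUN=1 ;;
    apply) DRY_RUN=0 ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
install_firewall
```

Run it with no argument to see the rules it would load, and with `apply` as root to install them. The order matters: because ESTABLISHED,RELATED and INVALID are handled first, the ssh rule only ever sees NEW packets, and the final unconditional DROP is what makes the chain deny-by-default, so any service you later decide to expose gets its own ACCEPT inserted above that last line, never below it.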