>>>>> "Marc" == Marc Shapiro <mshapiro@inetone.net> writes: Marc> I am trying to set up a linux server on the college campus that I Marc> attend. This will be, so far as I am aware, the only non Windows Marc> machine on campus. The campus sysadmin has security issues before Marc> she will allow access to the server through the firewall. I used Marc> tasksel when I set the machine up to install the "Standard UNIX Marc> Server." This got me such things as ftp, ftpd, telnet and Marc> telnetd. These are all for the good. Not good. ftp and telnet are (usually) security risks, as passwords are sent in the clear, and so people can sniff them. (ftp is OK if you just use it for anonymous ftp.) Use ssh instead. Marc> It also set up finger and fingerd, not so good; and talk, ytalk Marc> and talkd. I have uninstalled and purged the congiurations for Marc> the finger and talk series of services. This is probably enough Marc> to eventually make the sysadmin happy, but there are a number of Marc> ports which are active that we are not sure what is listening to Marc> them. Below is a list of ports (from before I did my deletes) and Marc> what the sysadmin's resources say they are: Helpful programs to figure out what's going on: netstat and lsof. They can help you figure out what programs are listening on your ports. The fact that your sysadmin doesn't know some of these, though, scares me. Marc> Port Service Comments Marc> ---- ---------------- -------------------------------- Marc> 9 discard What is this? It ignores all input. It isn't of much use other than network testing. It isn't much of a security risk, but if you're not going to use it, there's no reason to keep it open. It's usually handled natively by identd. Marc> 13 daytime What is this? Gives you the system time. Again, handled by identd. Again, turn it off if you don't need it. Marc> 21 ftp OK Not OK. See above. Marc> 22 unassigned Is this talkd? ssh. Use it instead of ftp and telnet. Marc> 23 telnet OK Not OK. See above. Marc> 25 smtp I dont have smtpd running and do Marc> not plan to set up a mail server. Marc> Is this exim listening here? Yes, this would be exim. If you don't need a mail server, get rid of it. I'm not sure if local programs would ever need to talk to it via port 25, so I just set it up to listen only on the loopback interface, using xinetd. Marc> 37 time This should stay? This is like daytime, but uses a different format. Turn it off if you don't need it. Marc> 79 finger This is gone, already. Marc> 111 sun RPC portmapper? Do I need this? Turn it off, unless you really know what you're doing. This is used for NIS and NFS, and is historically a big security hole. Marc> 113 authentication What is this? identd. You shouldn't need this. Marc> 515 printer No printer currently attatched, Marc> but not a problem. If you don't need it, get rid of it. There might not be any known exploits right now, but there might be in the future. The fewer services you have open, the less you have to worry about. Look through the harden* and bastille packages. Installing them would be a good idea. Subscribe to the -security and -security-announce lists, and keep your system patched. Look through http://www.debian.org/security/ and the "Securing Debian" manual. Set up an iptables firewall. Be paranoid. -- Hubert Chan <hubert@uhoreg.ca> - http://www.uhoreg.ca/ PGP/GnuPG key: 1024D/124B61FA Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Attachment:
pgpUNdUgLQBVm.pgp
Description: PGP signature