The following services are useful and applicable in certain cirmcumstances. Often these processes only apply to servers, as opposed to workstations. The system administrator should take a hard look at all these processes and if they are not needed, disable them.
- anacron-This service is an enhanced cron replacement It can run jobs that were scheduled for execution while the computer was turned off.
- atd-This service runs scheduled batch jobs.
- autofs-This service auto mounts file systems on demand.
- arpwatch-This service is used to construct and monitor an ARP table, which keeps track of IP address-to-MAC address pairings.
- apmd-This is the advanced power management daemon, primarily used on laptops and other battery-backed devices. The apmd daemon senses the hardware and suspends or shuts down the workstation or laptop.
- crond-This service is used to schedule jobs for later execution. Many system administrator tasks can be run with cron. If this can't be disabled, authorization to run cron jobs should be limited to a few users.
- gpm-This service is the text-mode cut-and-paste daemon. This service has been a source of security concerns and performance problems in the past. Unless specific text-based applications are being used that require this mouse support, gpm should be disabled.
- httpd-This service is the Apache web server. Web servers are a high-visability target for attacks. It is unlikely that a user's workstation needs to be running a web server. In the vast majority of cases, this service should be disabled.
- innd-This service is the INternet News System (INN) news server. Normally this is run on a server and not a workstation.
- irda-This service is the Infrared TTY manager. Infrared is rarely used on a UNIX workstation, so this should be disabled.
- mysqld and postgresql-This service provides SQL database services. Usually, SQL databases are run on servers and not workstations.
- named-This service is the BIND name server used when running a Domain Name Service (DNS). This service will allow the host to resolve domain names into IP addresses. It is unusual for this service to be running on a workstation. DNS has important security concerns and needs to be configured and maintained carefully.
- nscd-This service provides password and group lookup services for use with network authentication such as that used in Lightweight Directory Access Protocol (LDAP).
- ntpd-Network Time Protocol (NTP) time synchronization services. If time synchronization is important, the network administrator should set up a local server to reduce the security risk.
- netfs-This service mounts NFS file systems.
- RIP-Routers use Route IP Protocol (RIP) to pass routing information. It is unlikely that the UNIX workstation is acting as a router, so this should be disabled.
- sendmail-This service is a mail transport agent that allows users to send mail from the workstation. Normally, the network administrator will set up one mail server to service many users and workstations. If the workstation must run its own mail server, consider using qmail or postfix, which are more secure.
- smb-This service runs the smbd and nmbd SAMBA daemons, which allow the sharing of files with Microsoft Windows platforms.
- snmpd-Runs the supporting daemon for the Simple Network Management Protocol. Unless absolutely needed, this service should be disabled due to past and present security issues.
Because the system administrator should disable unneeded processes, he or she must be able to detect and manage these services. Three good applications for this are ps, netstat, and nmap.
The ps command
This process gives a snapshot of the current processes running. The ps command will need to be run as root to pick up all the processes on the workstation. Following is a shortened output from ps:
# ps -aux USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.2 0.0 1376 440 ? S 19:44 0:04 init  root 2 0.0 0.0 0 0 ? SW 19:44 0:00 [keventd] root 9 0.0 0.0 0 0 ? SW 19:44 0:00 [bdflush] root 5 0.0 0.0 0 0 ? SW 19:44 0:00 [kswapd] root 217 0.0 0.0 0 0 ? SW 19:45 0:00 [kjournald] root 278 0.0 0.0 0 0 ? SW 19:45 0:00 [knodemgrd] root 498 0.0 0.0 1440 508 ? S 19:45 0:00 syslogd -m 0 root 502 0.0 0.0 1372 424 ? S 19:45 0:00 klogd -x root 558 0.0 0.0 1496 480 ? S 19:45 0:00 /sbin/cardmgr root 623 0.0 0.1 3508 1132 ? S 19:45 0:00 /usr/sbin/sshd root 790 0.0 0.0 2264 440 ? S 19:46 0:00 login - root root 791 0.0 0.0 1348 56 tty2 S 19:46 0:00 /sbin/mingetty tty2 root 796 0.0 0.0 4340 352 tty1 S 19:47 0:00 -bash root 1637 0.0 0.0 2832 888 pts/2 R 20:18 0:00 ps -aux
The netstat command
The netstat command prints all of the following:
- Network connections
- Routing tables
- Interface statistics
- Masquerade connections
- Multicast memberships
netstat can display a list of open sockets identified either by their port number or by the service assigned to that port as listed in /etc/services. If you don't specify any address families, the active sockets of all configured address families will be printed.
Knowing what ports are open on the workstation and accessible from the network is important to operating UNIX safely. The administrator should recognize every open port and understand the need for the application that is using that port. If the administrator does not recognize the port or service, he or she must track down the service and understand why that service needs to be running on that particular workstation.
Following is a sample listing of open ports and sockets used as reported by netstat. Note that the -p option provides the application that is responsible for the open port. Knowing the application is important in tracking down and closing ports.
# netstat -ap Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID /Program name tcp 0 0 *:ssh *:* LISTEN 559 /sshd tcp 0 0 localhost.localdoma:ipp *:* LISTEN 584 /cupsd udp 0 0 *:bootpc *:* 474 /dhclient udp 0 0 *:631 *:* 584 /cupsd Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 1209 /tmp/.font-unix/fs7100 unix 2 [ ACC ] STREAM LISTENING 1343 /tmp/.X11-unix/X0 unix 2 [ ACC ] STREAM LISTENING 1368 /tmp/ssh-XXobUrxB/agent.808 unix 2 [ ACC ] STREAM LISTENING 1835 /tmp/.ICE-unix/dcop877-1086703459 unix 2 [ ACC ] STREAM LISTENING 1960 /tmp/mcop-root/m_r_tmp-037e unix 7 [ ] DGRAM 956 /dev/log unix 2 [ ACC ] STREAM LISTENING 2005 /tmp/.ICE-unix/906
Note that this powerful tool will also provide the current routing table. Following is router table information provided by netstat:
# netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.123.0 * 255.255.255.0 U 0 0 0 eth0 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0 127.0.0.0 * 255.0.0.0 U 0 0 0 lo default pix 0.0.0.0 UG 0 0 0 eth0
The nmap command
nmap is a very good port scanner that ships with many UNIX distributions and is available for all. nmap is designed to allow system administrators to scan hosts to determine what services are running. nmap supports a large number of scanning techniques, such as the following:
- TCP connect()
- TCP SYN (half open)
- ftp proxy (bounce attack)
- ICMP (ping sweep)
- ACK sweep
- Xmas Tree
- SYN sweep
- IP Protocol
- Null scan
The following shows the output of two nmap scans of a Linux host. nmap can be run over the network or against the host that it resides on, as in these scans. The -sT option tells nmap to run a TCP Connect scan, therefore, nmap will attempt to connect to every port to determine the service running on that port. The first scan is against the host's external interface. The second scan of the localhost interface avoids the iptables (firewall) filtering that protects the host. Notice that port 631 is being blocked by iptables. iptables is discussed in detail in the "Hardening UNIX" section of this tutorial.
In this tutorial:
- UNIX and Linux Security
- Network and development tools
- UNIX/Linux as a poor target
- Open source issues
- Detecting hardware changes
- Disk partitioning
- Prepare for the eventual attack
- Controlling the Configuration
- Kernel configurations
- Kernel modules
- proc file system
- Operating UNIX Safely
- Uncommon services
- Processes controlling processes
- The chkconfig command
- Controlling users
- Encryption and certificates
- Hardening UNIX
- Packet filtering with iptables