Configuring network services
After I upgraded my Linux
system, I felt the need to pay attention to the network services which
are installed and run by default.
I started out looking at the start-up scripts in
/etc/rc.d, wondering how best to control the startup of the various
network daemons.
I also looked at the control files for the Internet
super-server inetd.
Eventually I found that running linuxconf, then
selecting Control Panel->Control Service Activity, gives a
menu-driven way to disable a number of network services I was sure I
did not need. This is likely to be an area where configuration differs
from one version of Linux to another.
The list of processes I quickly disabled was as follows:
- amd
- atd
- crond
- dhcpd
- httpd
- inet
- innd
- isdn4linux
- ldap
- netfs
- network
- nfs
- nfslock
- portmap
- postfix
- usb
I may well want to start running some of these for
projects in the future (such as httpd), but disabling things which are
not in use gives me time to check them for any security fixes, and so
on.
Sometime later, I discovered the command line
utilities chkconfig and ntsysv and spent a while
figuring out how they manipulate the files in /etc/rc.d/init.d. They
make symlinks to these files in the various rc
directories whose names determine which services to start/stop when
moving between different run-levels. Perhaps the most useful discovery
was that chkconfig can be used to reset the symlinks to the
supplied defaults specified in the comment line near the start of each
of the rc scripts. This information was useful when I wrote an rc
script which uses ipchains(8) (see separate notes on IP packet filtering). And in
case you're wondering, linuxconf correctly understands the script
changes made by the command line programs.
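To show how the header comment drives the symlinks, here is an added example (not from the article, and not chkconfig's own code): two hypothetical helpers, chkconfig_links and chkconfig_audit, read the "# chkconfig:" line of an init.d script, print the S/K links it prescribes for run levels 0-6, and compare them with a constructed throwaway rc tree, a read-only version of what chkconfig --reset corrects.

```shell
# Hypothetical helpers (not chkconfig itself) showing how the
# "# chkconfig: <levels> <start> <stop>" header maps to rcN.d symlinks.

# Print the link chkconfig would make for each run level 0-6:
# "rcN.d/S<start><name>" if N is listed in <levels>, else
# "rcN.d/K<stop><name>". A levels field of "-" yields only K links.
chkconfig_links() {
    script="$1"; name=$(basename "$script")
    set -- $(sed -n 's/^# *chkconfig: *//p' "$script" | head -n 1)
    levels="$1"; start="$2"; stop="$3"
    [ -n "$levels" ] && [ -n "$start" ] && [ -n "$stop" ] || return 1
    for level in 0 1 2 3 4 5 6; do
        case "$levels" in
            *"$level"*) echo "rc$level.d/S$start$name" ;;
            *)          echo "rc$level.d/K$stop$name" ;;
        esac
    done
}

# Compare the prescribed links with those present under an rc root such
# as /etc/rc.d; print "missing <link>" or "stale <link>" per difference.
chkconfig_audit() {
    root="$1"; script="$2"; name=$(basename "$script")
    chkconfig_links "$script" | while read -r want; do
        [ -L "$root/$want" ] || echo "missing $want"
    done
    for link in "$root"/rc[0-6].d/[SK][0-9][0-9]"$name"; do
        [ -L "$link" ] || continue
        rel="${link#"$root/"}"
        chkconfig_links "$script" | grep -qx "$rel" || echo "stale $rel"
    done
}

# Constructed sample: a temporary rc tree with an ipchains-style script
# asking for start 08 / stop 92 in levels 2-5, plus one link at the
# wrong priority and one that is already correct.
root=$(mktemp -d)
for d in init.d rc0.d rc1.d rc2.d rc3.d rc4.d rc5.d rc6.d; do mkdir "$root/$d"; done
sample="$root/init.d/ipchains"
cat > "$sample" <<'EOF'
# chkconfig: 2345 08 92
# description: Load ipchains packet filter rules at boot.
EOF
ln -s ../init.d/ipchains "$root/rc3.d/S99ipchains"   # stale priority
ln -s ../init.d/ipchains "$root/rc5.d/S08ipchains"   # already correct

chkconfig_links "$sample"
chkconfig_audit "$root" "$sample"
```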
Firewalls
To further protect those services still enabled from prying external
sources, I used IP packet filtering techniques to create a firewall
from scratch. For details refer to my article on Linux firewalls.
Viruses and Trojans
Finally, if all else fails and something nasty gets installed on my
system, I want to be able to find out before too long.
There are commercially available virus scanners for
UNIX and Linux systems - Sophos
have articles explaining their approach.
In the spirit of these articles, however, I have been
concentrating on open source alternatives.
I periodically run a suite of programs known as chkrootkit.
This checks for and reports the existence of a number of well-known
malicious changes to common system utilities and files. Sets of these
Trojan files on Linux are known as "rootkits" by the way.
I installed the programs from the September 2002 issue
of Linux Format. For more
details, consult the chkrootkit
web site.
To install, make and run the tool, I used the commands
from the README file which worked first time. Obviously you should
update chkrootkit regularly from the web site, as new trojans are
invented.
Much more regularly than that, I run the Clam Antivirus software. This works
pretty much like the familiar virus scanners on Windows systems. There
is a virus database, and a tool to download up-to-date virus definitions.
This may be done from the command line or automatically. An Internet
connection is of course needed. The download tool is configured to
connect to the Clam Antivirus site (see below).
I installed the programs from the October 2002 issue of
Linux Format.
For more details, consult the Clam
Antivirus web site.
To install, make and run the tool, I attempted to
follow the commands from the INSTALL file. The configuration stage
failed and pointed me to the User Guide. I figured this was
clamdoc.pdf, opened this using xpdf, and discovered I had failed to set
up users/groups needed. This done, the installation went fine (as
root). Three utilities are created in /usr/local/bin:
- clamscan: the scanner
- freshclam: virus definition download tool
- sigtool: signing tool
There are good manual pages for all these installed in /usr/local/man.
I was impressed by the ease of installation and use.
Just update the virus definitions, run
clamscan -r /
and you're away.
When scanning all filesystems using the above command,
the following points emerged:
- A virus was reported in /proc/kcore. A search of
Google Groups led me to others who saw the same problem and it seems
the virus scanner is clever enough to detect virus signatures in
memory, put there by the virus scanner itself.
- A virus was reported in win386.swp in a DOS
partition. The virus reported is one previously detected by Norton
Antivirus whilst scanning incoming mail. I assume this has also left a
virus signature in memory, dumped into the Windows swap file.
- A test virus from the supplied distribution was
reported.
- A virus was reported in the virus definitions file
viruses.db.
I was pretty happy with those results - better to do a thorough job and
take no chances with those viruses!