[Malvern] Superfluous ports.

Andy Lowton andy at dragonfly.demon.co.uk
Fri Jan 14 15:45:06 GMT 2005


On Fri, 2005-01-14 at 14:18 +0000, Geoff Bagley wrote:
> How does one identify and close down superfluous TCP/IP ports,
> if possible,  flagging up warnings if access be attempted ?


Here is the relevant section out of one of my reports. It's in LaTeX but
you should still be able to work out what it says. To detect access
attempts, use snort or a firewall or TCP-Wrappers.

cheers

andy

---------------------------------------------------------------

As can be seen from Table \ref{adl-tab-1}, there were a great many
services available on this system, each one providing an opportunity for
an attacker to establish a connection.  
During the course of the tests, all the UNIX systems were discovered to
have a similar number of services available.

Whilst it is relatively rare for a remote exploit to be discovered in a
particular service, a great deal of information can be gained which will
aid an attacker in compromising the system. Using the knowledge gained
from these services, an attacker may then establish an interactive
session using \textit{telnet}, \textit{ftp}, \textit{rlogin} or
\textit{rsh}.
  

Recommendation - Turn off extraneous Internet services

This can be achieved for the majority of services by commenting out the
lines in \textit{/etc/inetd.conf} and restarting the \textit{inetd}
daemon\footnote{Determine the PID of \textit{inetd} using the
\textit{ps} command and restart using: \textit{kill -HUP <PID>}}. The
remaining services are removed by editing the system startup scripts and
rebooting the system\footnote{The exact method of achieving this varies
with the particular UNIX variant.}.

The remaining services that are required for the system to perform its
designated function should be protected by ensuring that all security
related patches are applied, and where possible, access restricted to
legitimate client systems
\footnote{TCP-Wrappers may be used to achieve this, and are discussed in
a later section.}.
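
The inetd.conf step described above, as an added example that is not part of the original post or report: it comments out every active entry whose service name is not on an allowlist, working on a copy of the file. The function names, the `#DISABLED#` marker and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf and comment out services not on an allowlist.
# It only ever reads the file it is given; the sample content below is constructed.

# Print the service names of active (uncommented) entries in file $1.
active_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Write file $1 to stdout with every active entry commented out unless its
# service name appears in the space-separated allowlist $2.
disable_unlisted() {
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }   # comments and blank lines
        ($1 in ok) { print; next }             # allowlisted service stays active
        { print "#DISABLED# " $0 }             # everything else is commented out
    ' "$1"
}

# Constructed sample input in the classic inetd.conf field layout.
make_sample() {
    cat > "$1" <<'EOF'
# service socket proto wait user server args
ftp     stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
telnet  stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
shell   stream tcp nowait root /usr/sbin/in.rshd    in.rshd
#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
EOF
}

# Keep only ftp, then list what is still active in the rewritten copy.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/inetd.conf"
    disable_unlisted "$tmp/inetd.conf" "ftp" > "$tmp/inetd.conf.new"
    active_services "$tmp/inetd.conf.new"
    rm -rf "$tmp"
}
demo
```

After reviewing the rewritten copy, it would replace `/etc/inetd.conf` and `inetd` would be sent the HUP signal as the report's footnote describes.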
