Ok, so I've been lazy over the past 3 years with the SCO server I maintain, as it just primarily hosts my private networked proprietary software, until now.
We have dedicated net access, which the SCO server is not set up for and is not going to be set up to connect to the internet by any direct means.
So I decided to get SuSE 8.0 Professional for a firewall, and being the 'obsessive' person that I am I have overindulged myself with security issues. Which brings me to 'inetd.conf'. I got the Security Essentials by Tom Roxon, if memory serves me correctly, and I dove in head first. So I have decided to empower some of the Linux security stuff on the main SCO server, which leads me to inetd.
I shut down almost all the services, except a few that (barring my ignorance) I feel I need to keep running. This leaves me with some questions about 'chargen', 'discard', 'tcpmux', 'time' and 'daytime'.
Can someone help me out with what these do as 'services', and any info as to what they do, exactly or somewhere in the same ballpark at least. My man pages don't say squat about chargen and discard.
Also, if I turn them off as services started by inetd, will they still be available for one-time use in other areas that may "require" them?
Sorry this was so long, but thanks in advance for any information you may contribute!
P.S. I also learned that cp'ing the .profile from "/" and then editing it was not such a good idea.
Ok, so does either one of these time daemons control the "system" time that I call for in my software, which would require it to be started by inetd.conf?
I do have the /etc/services file. I piped it over to lp for a copy to pin on the wall next to my monitor!
There is a daemon called NTPD that is a network time protocol. That goes out and gets time from certain stratum level based on a Nuclear clock that the Naval Observatory has.
That is probably not what you need, or have. Do a "ps -eaf | grep ntpd" or "type ntpd" to see if it is loaded on your box.
Turn all of those off.
chargen provides a very quick and easy denial of service attack against you. The rest are just plain not needed. A good security rule is to not allow anything to run that is not necessary.
Under most circumstances, I simply turn inetd / xinetd off altogether. I don't run any servers on my home machines.
If I want to be able to connect to my machine internally via network, but leave the outside (public network) closed up, I use xinetd, since you can bind to an interface.
Even a service as benign as ntpd (as discussed below) can wreak havoc if someone wants to mess with you. Say, for example, you set it up insecurely... Any person can spoof their way into tricking your machine into thinking it's another time, or even another day. Next thing you know your cron jobs are all messed up, they may be able to create / modify files on your machine (should they break in) that have different dates / times, etc...
If you're going to run a firewall, the ideal situation (assuming that this box can be dedicated to only that) would be to turn off everything. Allow console access only, no remote services, just IP forwarding. A Unix like OpenBSD works great for this, since it installs pretty bare by default.
There are a few good books out there on building firewalls. It might be a good idea to invest a few bucks in one.
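A small audit script for the advice above, added here as an editor's example (not code from anyone in this thread): it parses the classic 7-field inetd.conf format, reports which of the services the original poster asked about (chargen, discard, tcpmux, time, daytime) are still enabled, and emits a copy with those lines commented out. The sample inetd.conf and the one-line reasons are constructed for this example.

```python
# Services discussed in the thread, with a one-line reason to keep them off.
# These reasons are the editor's summary, not quotes from the posts.
RISKY_SERVICES = {
    "chargen": "character generator; trivially abused for bandwidth/CPU denial of service",
    "discard": "silently drops input; no legitimate use on a firewall host",
    "tcpmux": "port multiplexer; advertises which other services are reachable",
    "time": "RFC 868 clock service; unauthenticated, does not set the system clock",
    "daytime": "human-readable clock service; unauthenticated, unnecessary",
}

# Constructed sample inetd.conf in the classic layout:
# service socket-type proto wait/nowait user server-path [args]
SAMPLE_INETD_CONF = """\
# Internal services
echo    stream  tcp     nowait  root    internal
#discard stream tcp     nowait  root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
daytime stream  tcp     nowait  root    internal
time    stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
"""

def parse_inetd(text):
    """Return (service, socket_type, proto, user, server) for each active line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or already disabled
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; inetd would reject it too
        entries.append((fields[0], fields[1], fields[2], fields[4], fields[5]))
    return entries

def audit(text):
    """List still-enabled risky services as (name, proto, reason) tuples."""
    return [(svc, proto, RISKY_SERVICES[svc])
            for svc, _, proto, _, _ in parse_inetd(text) if svc in RISKY_SERVICES]

def harden(text):
    """Return the config with every risky service line commented out."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        active = fields and not raw.lstrip().startswith("#")
        out.append("#" + raw if active and fields[0] in RISKY_SERVICES else raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for name, proto, why in audit(SAMPLE_INETD_CONF):
        print(f"{name}/{proto}: {why}")
```

Running it against the sample flags chargen (tcp and udp), daytime and time; discard is already commented out, and echo and ftp are left for the administrator to judge.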
I have. I bought Linux Firewalls, Real World Linux Security, Hacking Linux Exposed, and various other Unix Admin books I've gathered up, and BUTT loads of favorites saved on firewalls and security. My favorites folder is pushing 3mg now.
We are waiting on a new Compaq server to be made and delivered, which is gonna leave me with the Proliant 3000 with dual PII 400's, 384 RAM, 3 9GB hd's, with "ONE" purpose!!! Be the Bouncer!!!
I also have the previous server. An old P1, junker. Would this be a good candidate for a mail gate/server to filter/scan all incoming E-mails????
It really depends on the volume of email bouncing through...
It may be enough if you are scanning a few emails an hour without attachments, but if you're handling a few hundred or more per hour with heavy attachments (if you're doing virus scanning, zip files can be murder - see "DoS risk from Zip of death attacks on AV software?" in The Register. It is very easy to create one of these files using /dev/zero, dd, and zip...), you may get some big performance hits...