Not able to disable finger & telnet command in Solaris 8

Hi
I need to disable finger & telnet command in solaris 8

I have put the # in front of the finger and telnet lines in the /etc/inetd.conf file. Further, I have run the below command

kill -1 <process id of inetd >

But when I am running the finger command it is still giving information for the remote machine.

--- Post updated at 10:56 AM ---

Just to add that it is showing details of the user through which I am logged in to this server, along with details of the server through which I log in to this server.

For example:

If I currently log in to host1 (Solaris 10) and then log in to host2 (Solaris 8, where I am facing the issue) through host1, then in the finger command on host2 I am getting only the local user detail through which I log in to host2, along with host details.

--- Post updated at 11:15 AM ---

As per my understanding we don't even need to run the above kill command, as the finger command will only run when it is invoked through the command line; when the command gets invoked, inetd will reread the /etc/inetd.conf file and run the finger daemon, and if I put the # in front of the finger line in /etc/inetd.conf then it should not be invoked. But it is getting invoked. Further, the same thing is happening in Solaris 9 as well.

Please correct me if I am wrong

I need to disable the finger command for security reasons.

Just disable the daemon processes so they do not start when the system is booted.

Or, better yet, just remove or move the daemon executables so they cannot be executed from any scripts (because the name has been changed).

For example, if telnetd is located in /usr/bin, just rename it to disabled_telnetd, kill the existing running process and you are done.

Of course, the most secure is to just remove those executables from the server altogether... End of story. Remove them, kill any running processes... system more secure :)

If you think you might need them again someday, move them to a backup server, or external disk or media and be happy.

1 Like

You need to restart or reload the inetd/xinetd process so that it reads the new inetd.conf or inetd.d files. You can also give a kill -HUP to the inetd/xinetd process.

1 Like

You certainly can use built in utilities like configuration files to disable executables.

But if you REALLY want to be secure (ensure telnetd cannot run in the future, for example), just remove them from the server or just change the name (move them) to something like

mv telnetd disabled_by_amity_nov_2013_telnetd

That is what I do... and then they are easy to search for as well, if you need to find them.

I do this a lot on production web servers because malware cannot execute a file if it does not exist. For example, curl.

If you do this, for example:

mv curl to amity_curl

Then malware which uses curl to download backdoors, etc. cannot access curl since they have no idea you renamed it.

There are many simple things you can do to keep your system more secure than what is considered "traditional ways" to do things.

Anyway, YMMV, but this is what I do. But then again, I have managed public sites on the Internet for decades which are constantly under attack, 365 days a year, 24 hours a day.

1 Like

Also, FYI, on my servers:

ubuntu:/usr/bin# finger
-bash: /usr/bin/finger: Permission denied

ubuntu:/usr/bin# l finger
-r--r--r-- 1 root root 27104 Nov 11  2016 finger

etc etc....

Just one more question: if I run the below command, will it only reread the inetd.conf configuration file and not restart inetd or its child processes/daemons? This is a Production Environment.

kill -1 <process id of inetd >

I certainly agree about removing inherently insecure daemons/utilities altogether, preferably through configuration management tooling if there are many servers (I use ansible for Solaris) so that it stays removed.

I was merely responding to a part in post #1 to give the poster more insight into why inetd was not responding to the config file changes...

1 Like

pgrep inetd shows the process and
pkill -HUP inetd reloads it.
It is necessary to inform inetd, because it starts the service daemons in inetd.conf on demand.
-1 should be identical to -HUP
When the fingerd service is disabled the finger command works nevertheless. But a remote finger @thishost does not get any data from this host.

1 Like
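To make the inetd.conf step concrete for the original question and the pkill -HUP reply above, here is an added example that is not from anyone in this thread. It edits a throwaway copy of an inetd.conf (SAMPLE_CONF is a constructed file in the classic inetd.conf layout, not a real /etc/inetd.conf), comments out the telnet and finger lines, and lists what is still enabled. The reload step that must follow on a real host, pkill -HUP inetd (the same as kill -1 on inetd's pid), is left as a comment and is not run here.

```shell
#!/bin/sh
# Added example, not from the thread: edit a copy of an inetd.conf to switch
# off telnet and finger, then list what is still enabled. SAMPLE_CONF is a
# constructed file in classic inetd.conf layout, not a real /etc/inetd.conf.
# On a real Solaris 8 host the edit is followed by `pkill -HUP inetd`
# (equivalent to `kill -1 <pid of inetd>`), which is deliberately not run here.

SAMPLE_CONF='# constructed sample, not a real /etc/inetd.conf
# service  socket  proto  wait    user    server                  args
ftp      stream  tcp    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet   stream  tcp    nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger   stream  tcp    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
ssh      stream  tcp    nowait  root    /usr/local/sbin/sshd    sshd -i'

# disable_inetd_service FILE SERVICE
# Comments out every active line whose first field is SERVICE. Lines that are
# already commented no longer match, so running it twice is harmless.
# Uses a POSIX character class; on Solaris 8 use /usr/xpg4/bin/sed for that.
disable_inetd_service() {
    file=$1; svc=$2; tmp="$file.tmp.$$"
    sed "s/^\($svc[[:space:]]\)/#\1/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# enabled_inetd_services FILE
# Prints the service name of every active (non-blank, non-comment) line.
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# service_enabled FILE SERVICE  -> exit status 0 if SERVICE is still active
service_enabled() {
    enabled_inetd_services "$1" | grep -qx "$2"
}

# demo: work on a throwaway copy so nothing on the host is touched
demo_disable() {
    conf="${TMPDIR:-/tmp}/inetd.conf.demo.$$"
    printf '%s\n' "$SAMPLE_CONF" > "$conf"
    disable_inetd_service "$conf" telnet
    disable_inetd_service "$conf" finger
    echo "still enabled:"
    enabled_inetd_services "$conf"
    # on a real host, now run:  pkill -HUP inetd   (inetd rereads /etc/inetd.conf)
    rm -f "$conf"
}

if [ "${1:-}" = "demo" ]; then
    demo_disable
fi
```

Run it as `sh script.sh demo` to see the remaining services. After the HUP, a remote `finger @thishost` gets nothing back, while the local finger client binary is untouched by this edit; that is the distinction the reply above draws.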

Here is how I have made sure telnetd is not available:

ubuntu# find / -name telnetd
ubuntu# 

That's very secure for telnetd ....

Here is how I secure fingerd:

ubuntu# find / -name fingerd
ubuntu# 

That's very secure for fingerd ...

On production servers, I do not rely on configuration files for security when there are more secure ways to do things, especially when it comes to commands which can be used to exploit the system. It's easy to make a mistake in a config file, or even have some errant process overwrite one.

However, when the "not needed" commands are off the server, it is really better.... if you really care about security.

For curl, for example (which I need from time to time), I have a wrapper:

ubuntu# cat /usr/bin/curl
#!/bin/sh
/usr/bin/php  /usr/bin/neo_curl.php  "$@"
# 

Then, the PHP script above just logs as many details as it can (and does not call curl)..... Because I have seen way too much malware attempting to use curl to download malicious code.

Of course, you don't need PHP to do this... but that is what I use to wrap, generally speaking, because I like logging the built-in HTTPD global vars.

When I need curl, I call it with a totally different name.

The more simply you secure your system (remove unneeded insecure commands, remove default names of exploitable commands, add more logging), the more secure your system will be.

At least, that is what I do..... and it works very well.

1 Like
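The rename-plus-wrapper approach from the replies above (move the real binary to a non-default name, leave a logging stand-in under the original name), as an added example that is not the poster's code: the PHP logger is replaced by plain sh so it runs anywhere, and BINDIR, LOGFILE and the names used are parameters chosen by the caller. The decoy records who tried to run the tool, from where, and with what arguments, tells the caller the tool is disabled, and exits without running anything, so every attempt becomes a log line you can alert on.

```shell
#!/bin/sh
# Added example, not the poster's code: a logging decoy installed under a
# tool's original name after the real binary has been moved to a non-default
# name. It records who tried to run the tool and with what arguments, tells
# the caller the tool is disabled, and exits without running anything. The
# poster's PHP logger is replaced by plain sh so the example runs anywhere;
# BINDIR and LOGFILE are parameters chosen by the caller.

# install_decoy BINDIR NAME LOGFILE
# Writes BINDIR/NAME as the decoy script; the log path is baked in here.
install_decoy() {
    bindir=$1; name=$2; logfile=$3
    cat > "$bindir/$name" <<EOF
#!/bin/sh
# Decoy for '$name': log the attempt, never execute the real tool.
logfile='$logfile'
line="\$(date -u '+%Y-%m-%dT%H:%M:%SZ') uid=\$(id -u) pid=\$\$ ppid=\$PPID cwd=\$PWD cmd=$name args=\$*"
printf '%s\n' "\$line" >> "\$logfile"
echo "$name: disabled on this host, attempt logged" >&2
exit 126
EOF
    chmod 755 "$bindir/$name"
}

# move_real_tool BINDIR NAME NEWNAME
# Renames the real binary out of its default name (mirrors the thread's mv).
move_real_tool() {
    mv "$1/$2" "$1/$3"
}

# count_attempts LOGFILE -> number of logged invocations (0 if no log yet)
count_attempts() {
    [ -f "$1" ] || { echo 0; return; }
    awk 'END { print NR }' "$1"
}

# last_attempt_args LOGFILE -> the args= field of the most recent entry
last_attempt_args() {
    tail -n 1 "$1" | sed 's/.* args=//'
}

# demo: everything happens in a scratch directory, not in /usr/bin
demo_decoy() {
    dir="${TMPDIR:-/tmp}/decoy.demo.$$"
    mkdir -p "$dir"
    # constructed stand-in for the real binary
    printf '#!/bin/sh\necho "real curl would run here"\n' > "$dir/curl"
    chmod 755 "$dir/curl"
    move_real_tool "$dir" curl amity_curl       # real tool still works under the new name
    install_decoy "$dir" curl "$dir/decoy.log"  # default name now logs and refuses
    "$dir/curl" -s http://example.invalid/file || echo "exit status: $?"
    echo "attempts logged: $(count_attempts "$dir/decoy.log")"
    cat "$dir/decoy.log"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo_decoy
fi
```

Run it as `sh script.sh demo`. Exit status 126 is the conventional "found but cannot execute" code, so callers that check status see the same thing they would for a non-executable file; the log line carries uid, pid, parent pid and working directory, which is what you need to find the process that made the attempt.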