Often machines are compromised through services that they have no need to run. The following are common services that can usually be stopped:
To determine which services you are running --- more accurately, which are listening on a TCP or UDP port --- try this:
netstat -a | grep LIST
which will give output something like this:
tcp 0 0 *:rsync *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:2306 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
This is easy. For many services, simply comment out the pertinent line in /etc/inetd.conf (for older Linux distributions and Solaris) or edit the appropriate file in /etc/xinetd.d (in recent Linux distributions); in other cases you will need to make simple changes to the init scripts on the machine; on Solaris 10, use the svcadm and svccfg commands.
On a Solaris 7 or 8 machine (or older distribution of Linux), simply comment out the relevant lines in /etc/inetd.conf, for example --- lines beginning with a # are comments ---
#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
#login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
#exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
#talk dgram udp wait root /usr/sbin/in.talkd in.talkd
#ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
and then restart the inetd daemon:
prompt]$ kill -HUP <PID>
To determine the PID on Solaris use ps -e,
prompt]$ ps -e | grep inetd
171 ? 0:00 inetd
giving, in this case, 171, and on Linux,
prompt]$ ps ax | grep inetd
904 ? S 0:00 inetd
6713 pts/0 S 0:00 grep inetd
giving, in this case, 904.
N.B. These changes will have no effect on clients --- you will still be able to connect to a remote machine via telnet or FTP.
On more recent Linux distributions inetd has been replaced with xinetd. Each service has a corresponding xinetd configuration file within /etc/xinetd.d, for example, /etc/xinetd.d/telnet. To stop a given service, edit the corresponding file and change
disable = no
to
disable = yes
then restart xinetd:
/etc/init.d/xinetd restart
Some services/daemons are started via scripts which live in /etc/init.d (or /etc/rc.d/init.d), or more precisely via links to scripts within this directory from one of /etc/rc[1-6].d, the directory name corresponding to the current runlevel. (Red Hat Linux usually runs at level 3 or 5 --- 3 for command-line logins and 5 for graphical logins; Solaris usually runs at level 2 or 3 --- 2 is multi-user state and 3 is extended multi-user state.)
For example, on a Linux box one might find the following files:
/etc/init.d/sendmail
/etc/rc0.d/K30sendmail
/etc/rc1.d/K30sendmail
/etc/rc2.d/S80sendmail
/etc/rc3.d/S80sendmail
/etc/rc4.d/S80sendmail
/etc/rc5.d/S80sendmail
/etc/rc6.d/S80sendmail
Such init scripts can be called upon to start and stop services --- roughly,
a link whose name begins with S starts sendmail at that runlevel and one beginning with K stops (kills) it.
To prevent sendmail starting (as a daemon) on future boots simply
remove the S80sendmail links from appropriate directories/runlevels.
To stop the current sendmail service/daemon type
/etc/init.d/sendmail stop
Some Linux distros provide scripts to help with such S-link removal (or creation). For example, Red Hat provides chkconfig, e.g.:
chkconfig --level 235 tftp off
stops the tftp daemon from running at runlevels 2, 3 and 5. See
the man page for details.
It is not always obvious which daemon or process is responsible for listening on a particular port. For example, suppose that netstat -a | grep LIST gives
*.22 *.* 0 0 0 0 LISTEN
*.32797 *.* 0 0 0 0 LISTEN
and only the first (SSH) is wanted. On Linux one can use netstat -lnp:
tcp *:22 *:* LISTEN 19898/sshd
tcp *:32797 *:* LISTEN 29106/rpc.statd
showing the process (by both name and PID). On Solaris netstat
does not provide this information. The solution is to use lsof
(which is available for both Linux and Solaris):
prompt> lsof | grep 32797
mountd 525 root 8u inet 0x30000721a68 0t0 TCP *:32797 (LISTEN)
For example, on Solaris 10, to find the finger service and disable it via SMF:
prompt> svcs | grep finger
network/finger
prompt> svcadm disable network/finger
See the man pages for details.
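The netstat -lnp listing above already names the owning process of each port; the following is an added example, not from the original page, of a small POSIX shell audit that reads such output and reports every listener whose port is not on an allowlist of expected services. The function name audit_listeners and the sample netstat lines are constructed for this example.

```shell
#!/bin/sh
# Audit the listening sockets reported by "netstat -lnp" against an allowlist
# of ports this host is expected to serve. Each unexpected listener is printed
# as "proto port pid/program" so it can be traced back to its inetd/xinetd
# entry or init script and disabled. (audit_listeners and SAMPLE_NETSTAT are
# names chosen for this example, not commands from the page.)

# Constructed sample of "netstat -lnp" output, modelled on the page's listing.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      19898/sshd
tcp        0      0 0.0.0.0:32797           0.0.0.0:*               LISTEN      29106/rpc.statd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1022/sendmail
udp        0      0 0.0.0.0:69              0.0.0.0:*                           844/in.tftpd'

# Usage: audit_listeners "22 80"   (netstat -lnp output is read from stdin)
# Prints one line per listener whose port is not in the space-separated
# allowlist and returns 1 if any were found, 0 if every listener is expected.
audit_listeners() {
    allowed=" $1 "
    found=0
    while read -r proto rq sq laddr faddr rest; do
        # Skip the two header lines netstat prints before the socket table.
        case "$proto" in tcp|tcp6|udp|udp6) ;; *) continue ;; esac
        port=${laddr##*:}
        # UDP rows have no State column, so take the last field as PID/Program.
        prog=${rest##* }
        case "$allowed" in
            *" $port "*) ;;                       # expected service
            *) echo "$proto $port $prog"; found=1 ;;
        esac
    done
    return $found
}

# Example run: only SSH is wanted on this host, so the other three are flagged.
if printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "22"; then
    echo "no unexpected listeners"
fi
```

On a live host, replace the sample with `netstat -lnp | audit_listeners "22"` (run as root so netstat can show PIDs for every socket).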