LUGOD: Linux Users' Group of Davis
Page last updated:
2001 Dec 30 16:57

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.


Re: [vox-tech] Brand New Install





Patrick Lickiss <pblickiss@ucdavis.edu> writes:

> Lastly, the reason I was going to go to the install was for help
> turning off unnecessary/dangerous services,

Your implicit goal seems to be to make sure your box doesn't turn into
a warez, pron, 31337 irc, mp3 repository run by volunteer sysadmins.  A
noble goal :)

Turn off what you don't need and examine your needs closely.  I would
recommend turning off all services explicitly first, then go back and
turn on what you know you need.

Comment (#) out every line in /etc/inetd.conf.  I leave a perl script
that does that as an exercise for the reader :)

Install lsof and see what has sockets open: 
        
        lsof -i

This should show you all the processes and the ports (named in
/etc/services) that are on now.  Kill them all. Find out which boot
script turns them on and make sure to comment out the start up lines (or
rename the files).

Get familiar with ipchains and block everything, even if you are sure
that you have turned it off.  Make sure that you can get out into the
world though.  A common mistake (of mine at least) is to block dns
resolution.  No name service!  Also make sure to block icmp except for
types 0,3,4,8,11,12.  Ok, maybe you can block ping.

tcpwrappers can be fun.  This month's Sys Admin magazine has a nice
little article on sending messages to those that are not welcome.

tcpdump is your friend.  Run it and monitor your logs.  Install
tcptrace.

I also hear good things about portsentry and snort.  I have not used
them. I hear xinetd has some nice features, but I wouldn't know from
first hand experience.

Also, get a fresh kernel, compile and install.  Why?  Experience is
good, yes, but you want to get rid of any ip stack problems that have
been patched since your distro came out.

-Ricardo
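
The inetd.conf step described in the post above, as an added example that is not part of the original message: it is written in POSIX shell with awk rather than the Perl the post mentions, and the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: disable every active service in an inetd.conf-format file.
# It only touches the path you pass in; the demo uses a temporary file.

# Print the service name (first field) of every active (uncommented) entry.
active_inetd_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Comment out every active entry, keeping a backup in FILE.bak.
# Blank and already-commented lines pass through, so reruns change nothing.
disable_inetd_services() {
    conf=$1
    tmp="$conf.new.$$"
    cp -p "$conf" "$conf.bak" || return 1
    awk '/^[ \t]*(#|$)/ { print; next } { print "#" $0 }' "$conf" > "$tmp" \
        || { rm -f "$tmp"; return 1; }
    # Write over the original instead of mv, so owner and mode are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Constructed sample in inetd.conf layout, used only for the demonstration.
make_sample_conf() {
    cat > "$1" <<'EOF'
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd

finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

demo() {
    sample=$(mktemp) || return 1
    make_sample_conf "$sample"
    echo "active before: $(active_inetd_services "$sample" | tr '\n' ' ')"
    disable_inetd_services "$sample"
    echo "active after:  $(active_inetd_services "$sample" | wc -l)"
    rm -f "$sample" "$sample.bak"
}
demo
```

inetd rereads its configuration only on SIGHUP, so signal the running daemon after editing the real file.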

