The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] re: DNS and security

On Fri, 19 Aug 2005, Cylar Z wrote:
[snip]
> 1. DNS. How will editing resolv.conf solve my DNS
> issue? My understanding is that that file is the
> configuration file for the named daemon. I'm not
> running named. Shouldn't need to. A previous install
> (Xandros/Debian) ran fine without it. It shouldn't be
> required, since my registrar handles incoming DNS, and
> outgoing lookups (websurfing) should be handled by my
> ISP's nameservers. What I need to know is how to tell
> my server where those nameservers are.

Rick answered this on the other post but:  Yeah, you need "resolv.conf" --
it's used to translate, for example, "www.google.com" to "66.102.7.147" so
your computer can connect to Google's website.  So it's used by programs
other than named (I'm not sure if named uses it although you can probably
configure it to fall back on it.)

> 2. FTP. Not running an anonymous server. Just need to
> upload files for my webpages. Is there a more secure
> method I can use (please specify how, don't just say
> "yes, there is")?

As Rick mentioned, you can use `scp`.  It works over the ssh connection
so you won't need to configure anything extra if you already have sshd
running.  `scp`'s syntax is as follows:

   scp local_file username@remote_server:path

will transfer "local_file" to the "remote_server" under "path" as user
"username."  It's a little cryptic but you'll get used to it after a
while.

On Windows, WinSCP or PSCP can be used, so you won't be left in the dark
if you have to transfer something from Windows to your server.  You can
find links to download them from http://www.openssh.com/windows.html

You also wanted to know how to shut down the FTP server on your other
post, so here it goes:  The FTP daemon may be running as a stand-alone
server, or via xinetd.  Let's see how it's running on your system, if at
all, by running `netstat` as root:

   # netstat -tlp | grep ftp

If you don't see anything, you're not running ftp.  If you see something
similar to this:

   tcp      0      0 *:ftp       *:*           LISTEN     1125/xinetd

then you're running it via `xinetd` (see the last column that says
1125/xinetd).  If you see instead:

   tcp      0      0 *:ftp       *:*           LISTEN     1125/ftpd

then you have the ftpd daemon running on your system as a stand-alone
daemon, and it tells you the daemon's name is "ftpd".  Remember the name
of the daemon because it's important in the next paragraph.

If it's running via xinetd, you'll need to configure the xinetd file so it
doesn't monitor the ftp port, then restart xinetd.  If it's running as a
stand-alone, then you'll need to shut it down and disable it from the
system.  The former, Rick explained in the previous e-mail.  The latter, I
think you want to use `chkconfig --del <daemon_name>` since you're using
Fedora (but my knowledge is based on RedHat systems so it may be off), and
also shut down the daemon, which I guess is
`/etc/rc.d/init.d/<daemon_name> stop` since you're using Fedora (again, my
knowledge may be off here since I don't use Fedora.)

> 3. Daemons. Where can I find a comprehensive guide
> (including non-free books) to what service does what?
> I don't mean a one-line description, I mean someplace
> that will really explain it to me in depth. Or, can
> someone at least identify the generic ones ESSENTIAL
> to my system? Remember, I use ssh to connect and am
> running http server. That's all my box does. What
> daemons are necessary besides cron, sshd and httpd?

I had the exact same question when I started using Linux.  I don't
know any such list but here's some things to guide you through your
experience:

1. Not everything in /etc/rc.d/*/* are daemons.  Some things just
   configure a few things and quit, or maybe run a couple programs to
   check the system and quit, etc.  Instead of going through the
   list of scripts in /etc/rc.d/rcX.d/, I recommend using `ps -aefx` to
   see the list of running programs, and using `netstat -tulp` to
   see the list of open ports on your system, then shutting down the
   daemons that start those processes or open up those ports.

2. Here's some things running on my system that I think you'll want to run
   on yours.  From `ps -aefx`:

     init - This runs everything -- starts up the system and the whole
          shebang.  Leave it alone.

     [*] - Anything in brackets seems to be needed by the kernel or the
         kernel modules.  Leave them alone... unless you know some
         kernel modules you don't need -- then you can remove them
         via `rmmod` and editing /etc/modules.conf.

     Some sort of logging daemon - This is used to make system logs.
         Leave it.  There are several kinds.  I seem to be running
         `syslogd` and `klogd`.  I think `klogd` is for logging kernel
         messages.  Important stuff.  The logs are stored in /var/log/*

     Some sort of mail daemon - So when something goes wrong on your
        system, the program that detects the error can e-mail you.  This
        is pretty important, too, IMHO.  You mentioned "sendmail" and
        that's what this is.  I'm running "exim4".  Just different mail
        daemons.  "sendmail" is supposed to be difficult to configure and
        misconfigurations can lead to security holes but if it works for
        you that's great.  If you're not allowing people to connect to
        your system to send mails (only mail deliveries within the
        system), configure it to disable the "smtp" port (TCP port 25).

     inetd/xinetd - It's not all that necessary.  It runs other programs.
        You can run Apache off of it or FTP daemons off of it and all
        that.  Not really necessary and you can disable it safely and
        run the servers you want as stand-alone modules instead of as
        xinetd processes.  Probably a good idea to do that, actually.

     sshd - Yeah, you want that.  For ssh and scp.

     apache - Yeah, you want that, too.  For the Apache webserver.

     cron, Anacron, etc. - These are used to rotate the logs, among other
        things.  You don't want the logs created by `syslogd` to just
        build up until your hard drive gets full, so you can run cron
        (Anacron is one version of cron) to delete old logs automatically.
        It can be scheduled to do other things automatically, too, by
        executing programs on a regular basis.  The scheduled events
        are configured via /etc/cron* files but there's a program to
        help you edit those files "properly" but the method escapes me
        at the moment.  I think you use the `crontab` program.  Anyway.
        Keep it around for cleaning up the logs if for nothing else.

     atd - This daemon is used to execute a single command at a specific
        time.  Kind of like cron, but it lets you execute the program only
        once, instead of executing it on a regular basis like cron.
        Usually not necessary.  I do like to execute a single command at
        certain times, so I leave it hanging around, queue up a command
        from time to time and let atd run it.  You can create command
        to execute via the `at` command.  It's okay to shut it down if
        you don't plan on using it.

     getty - This program lets you log into the computer from the console.
        One program runs per console.  These programs are launched from
        /etc/inittab.  You probably won't need to mess with them, unless
        you want to save some memory by killing off a few of them since
        you won't be doing much console logging-in.  But leave a couple
        open so you can debug from console in emergencies.  There's also
        different types of getties -- mingetty, mgetty, etc.

     ntpd - I like to run this so I can keep my computer's clock accurate.
        Boy, they don't make computers like they used to -- the computers
        I've been buying these days get so much clock skew.  Running
        ntpd will keep the time accurate by fetching time from other
        computers running off of Atomic clocks or computers that are
        only one or two or three off of Atomic clocks.  This daemon
        will open up a port and let other people get the date off of your
        computer, too, though, but you can configure it to disable that.

     mysql - Some websites interact with mysql locally.  You may need this
        if one of your web applications uses databases.  Or it may need
        another type of

   And from `netstat -tulp` (type `netstat -ntulp` to list port numbers
   instead of names):

     TCP port "www" (TCP port 80) - Needed by Apache.

     TCP port "ssh" (TCP port 22) - Needed by ssh and scp.

     TCP port "smtp" (TCP port 25) - Needed by mail daemon, but
       make sure it's accepting connections only locally (you should see
       "localhost:smtp" or "127.0.0.1" but not "*:smtp").

     TCP port "mysql" (TCP port 3306) - Needed by MySQL, if you're running
       MySQL.  Again, make sure it's accepting connections only locally.

     UDP port "ntp" (UDP port 123) - Needed by NTP, if you're running NTP.
       Again, make sure it's accepting connections only locally.

Everything else, you can probably shut off without problems.  When in
doubt, Google about the program or ask here if you can't find it on
Google.  Again, just because there's an entry in /etc/rc.d/rcX.d/ doesn't
mean it's a daemon -- there's probably a disk integrity check in there
and things like that you should leave alone.  Check `ps -aefx` to list the
programs that are running on the system and disable those individually.
Also check `netstat -tulp` to see what ports are open and which programs
are keeping those ports open and disable the ones you don't need.

You should also install some security programs such as firewall and
intrusion detection tools, but be careful not to firewall yourself out...!
>.<  If you want to go even further, if you're able, install a hardware
firewall between your computer and the rest of the Internet and set it up
so it forwards only the ports you really want open -- it'll be another
level of protection in case you forgot something... but it can also be an
extra source of headache so be careful.

-Mark


-- 
Mark K. Kim
AIM: markus kimius
Homepage: http://www.cbreak.org/
Xanga: http://www.xanga.com/vindaci
Friendster: http://www.friendster.com/user.php?uid=13046
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
PGP key available on the homepage
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
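The post above walks through the same check twice by hand: run `netstat` as root, look at the "Local Address" column to see whether a listener is bound to every interface (`*:ftp`, `0.0.0.0:3306`) or only to loopback (`127.0.0.1:smtp`), and look at the PID/Program column to decide whether the port belongs to `xinetd` or to a stand-alone daemon. The script below is an added example written for this archive page; it is not code from the post or from its author. It applies that reasoning to a constructed sample of `netstat -tulnp` output (the PIDs, program names and addresses are made up for illustration, not captured from a real host) and assumes the server's intended public services are exactly the two the original poster named, ssh on TCP 22 and http on TCP 80. Everything else bound to a non-loopback address is reported as unexpected, together with the remediation the post describes for its kind of owner.

```shell
#!/bin/sh
# Audit "netstat -tulnp" output: which listeners are reachable from the
# network, which are bound only to localhost, and which exposed ones are
# expected (the allowlist). Added example for this archive page, not code
# from the original post.

# Constructed sample of `netstat -tulnp` output (illustrative, not captured).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1407/httpd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1125/xinetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      990/sendmail
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1502/mysqld
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1220/ntpd'

# classify_listeners "ALLOWED_PORTS" < netstat-output
# Prints one line per socket:  CLASS proto port local-address program
#   LOCAL   bound to a loopback address, so unreachable from the network
#   ALLOWED bound to a wildcard/public address and on the allowlist
#   EXPOSED bound to a wildcard/public address and NOT on the allowlist
# The UDP rows of netstat have no State column, so the program is taken
# from the last field rather than a fixed column.
classify_listeners() {
    awk -v allowed=" $1 " '
        $1 ~ /^(tcp|udp)6?$/ {
            proto = $1; local = $4; prog = $NF
            # the port is whatever follows the last colon (also works for IPv6)
            n = split(local, parts, ":"); port = parts[n]
            addr = substr(local, 1, length(local) - length(port) - 1)
            if (addr == "::1" || addr ~ /^127\./)
                class = "LOCAL"
            else if (index(allowed, " " port " ") > 0)
                class = "ALLOWED"
            else
                class = "EXPOSED"
            printf "%s %s %s %s %s\n", class, proto, port, addr, prog
        }'
}

# exposed_programs "ALLOWED_PORTS" < netstat-output
# Prints only the unexpected listeners as "proto/port PID/program".
exposed_programs() {
    classify_listeners "$1" | awk '$1 == "EXPOSED" { printf "%s/%s %s\n", $2, $3, $5 }'
}

# remediation_hint PID/PROGRAM
# The post's rule: a port owned by (x)inetd is switched off in the
# (x)inetd configuration; a stand-alone daemon is stopped and removed from
# the boot sequence (chkconfig on Red Hat/Fedora style systems).
remediation_hint() {
    name=${1##*/}
    case "$name" in
        xinetd|inetd) echo "disable the service in the $name configuration and restart $name" ;;
        *)            echo "stop the $name daemon and remove it from startup (e.g. chkconfig --del $name)" ;;
    esac
}

# report_exposed "ALLOWED_PORTS" < netstat-output
# One line per unexpected listener with what to do about it.
report_exposed() {
    exposed_programs "$1" | while read -r sock prog; do
        printf '%s (%s): %s\n' "$sock" "$prog" "$(remediation_hint "$prog")"
    done
}

# audit_sample: run the check on the constructed sample with ssh and http
# allowed. Returns 0 when nothing unexpected is exposed, 1 otherwise.
audit_sample() {
    out=$(printf '%s\n' "$SAMPLE_NETSTAT" | report_exposed "22 80")
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Against a live system (as root, so the PID/Program column is filled in):
#   netstat -tulnp | report_exposed "22 80"
```

On the sample, `audit_sample` flags the ftp port owned by xinetd, mysqld on 3306 and ntpd on UDP 123, and stays quiet about sendmail because it is bound to 127.0.0.1. The allowlist is deliberately a list of ports rather than program names: a program can be renamed or replaced, but the question the post asks is whether the port is meant to be reachable from outside.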


