Re: [vox-tech] re: DNS and security
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [vox-tech] re: DNS and security
On Fri, 19 Aug 2005, Cylar Z wrote:
> 1. DNS. How will editing resolv.conf solve my DNS
> issue? My understanding is that that file is the
> configuration file for the named daemon. I'm not
> running named. Shouldn't need to. A previous install
> (Xandros/Debian) ran fine without it. It shouldn't be
> required, since my registrar handles incoming DNS, and
> outgoing lookups (websurfing) should be handled by my
> ISP's nameservers. What I need to know is how to tell
> my server where those nameservers are.
Rick answered this on the other post but: Yeah, you need "resolv.conf" --
it's used to translate, for example, "www.google.com" to "188.8.131.52" so
your computer can connect to Google's website. So it's used by programs
other than named (I'm not sure if named uses it although you can probably
configure it fall back on it.)
> 2. FTP. Not running an anoymous server. Just need to
> upload files for my webpages. Is there a more secure
> method I can use (please specify how, don't just say
> "yes, there is")?
As Rick mentioned, you can use `scp`. It works over the ssh connection
so you won't need to configure anything extra if you already have sshd
running. `scp`'s syntax is as follows:
scp local_file username@remote_server:path
will transfer "local_file" to the "remote_server" under "path" as user
"username." It's a little cryptic but you'll get used to it after a
On Windows, WinSCP or PSCP can be used, so you won't be left in the dark
if you have to transfer something from Windows to your server. You can
find links to download them from http://www.openssh.com/windows.html
You also wanted to know how to shut down the FTP server on your other
post, so here it goes: The FTP daemon may be running as a stand-alone
server, or via xinetd. Let's see how it's running on your system, if at
all, by running `netstat` as root:
# netstat -tlp | grep ftp
If you don't see anything, you're not running ftp. If you see something
similar to this:
tcp 0 0 *:ftp *:* LISTEN 1125/xinetd
then you're running it via `xinetd` (see the last column that says
1125/xinetd). If you see instead:
tcp 0 0 *:ftp *:* LISTEN 1125/ftpd
then you have the ftpd daemon running on your system as a stand-alone
daemon, and it tells you the daemon's name is "ftpd". Remember the name
of the daemon because it's important in the next paragraph.
If it's running via xinetd, you'll need to configure the xinetd file so it
doesn't monitor the ftp port, then restart xinetd. If it's running as a
stand-alone, then you'll need to shut it down and disable it from the
system. The former, Rick explained in the previous e-mail. The latter, I
think you want to use `chkconfig --del <daemon_name>` since you're using
Fedora (but my knowledge is based on RedHat systems so it may be off), and
also shut down the daemon, which I guess is
`/etc/rc.d/init.d/<daemon_name> stop` since you're using Fedora (again, my
knowledge may be off here since I don't use Fedora.)
> 3. Daemons. Where can I find a comprehensive guide
> (including non-free books) to what service does what?
> I don't mean a one-line description, I mean someplace
> that will really explain it to me in depth. Or, can
> someone at least identify the generic ones ESSENTIAL
> to my system? Remember, I use ssh to connect and am
> running http server. That's all my box does. What
> daemons are necessary besides cron, sshd and httpd?
I had the exact same question when I started using Linux. I don't
know any such list but here's some things to guide you through your
1. Not everything in /etc/rc.d/*/* are daemons. Some things just
configure a few things and quit, or maybe run a couple programs to
check the system and quit, etc. Instead of going through the
list of scripts in /etc/rc.d/rcX.d/, I recommend using `ps -aefx` to
see the list of running programs, and using `netstat -tulp` to
see the list of open ports on your system, then shutting down the
daemons that start those processes or open up those ports.
2. Here's some things running on my system that I think you'll want to run
on yours. From `ps -aefx`:
init - This runs everything -- starts up the system and the whole
shbang. Leave it alone.
[*] - Anything in brackets seem to be needed by the kernel or the
kernel modules. Leave them alone... unless you know some
kernel modules you don't need -- then you can remove them
via `rmmod` and editing /etc/modules.conf.
Some sort of logging daemon - This is used to make system logs.
Leave it. There are several kinds. I seem to be running
`syslogd` and `klogd`. I think `klogd` is for logging kernele
messages. Important stuff. The logs are stored in /var/log/*
Some sort of mail daemon - So when something goes wrong on your
system, the program that detects the error can e-mail you. This
is pretty important, too, IMHO. You mentioned "sendmail" and
that's what this is. I'm running "exim4". Just different mail
daemons. "sendmail" is supposed to be difficult to configure and
misconfigurations can lead to security holes but if it works for
you that's great. If you're not allowing people to connect to
your system to send mails (only mail deliveries within the
system), configure it to disable the "smtp" port (TCP port 25).
inetd/xinetd - It's not all that necessary. It runs other programs.
You can run Apache off of it or FTP daemons off of it and all
that. Not really necessary and you can disable it safely and
run the servers you want as stand-alone modules instead of as
xinetd processes. Probably a good idea to do that, actually.
sshd - Yeah, you want that. For ssh and scp.
apache - Yeah, you want that, too. For the Apache webserver.
cron, Anacron, etc. - These are used to rotate the logs, among other
things. You don't want the logs created by `syslogd` to just
build up until your hard drive gets full, so you can run cron
(Anacron is one version of cron) to delete old logs automatically.
It can be scheduled to do other things automatically, too, by
executing programs on a regular basis. The scheduled events
are configured via /etc/cron* files but there's a program to
help you edit those files "properly" but the method escapes me
at the moment. I think you use the `crontab` program. Anyway.
Keep it around for cleaning up the logs if for nothing else.
atd - This daemon is used to execute a single command at a specific
time. Kind of like cron, but it lets you execute the program only
once, instead of executing it on a regular basis like cron.
Usually not necessary. I do like to execute a single command at
certain times, so I leave it hanging around, queue up a command
from time to time and let atd run it. You can create command
to execute via the `at` command. It's okay to shut it down if
you don't plan on using it.
getty - This program lets you log into the computer from the console.
One program runs per console. These programs are launched from
/etc/inittab. You probably won't need to mess with them, unless
you want to save some memory by killing off a few of them since
you won't be doing much console logging-in. But leave a couple
open so you can debug from console in emergencies. There's also
different types of getties -- mingetty, mgetty, etc.
ntpd - I like to run this so I can keep my computer's clock accurate.
Boy, they don't make computers like they used to -- the computers
I've been buying these days get so much clock skew. Running
ntpd will keep the time accurate by fetching time from other
computers running off of Atomic clocks or computers that are
only one or two or three off of Atomic clocks. This daemon
will open up a port and let other people get date off of your
computer, too, though, but you can configure it to disable that.
mysql - Some websites ineract with mysql locally. You may need this
if one of your web applications use databases. Or it may need
another type of
And from `netstat -tulp` (type `netstat -ntulp` to list port numbers
instead of names):
TCP port "www" (TCP port 80) - Needed by Apache.
TCP port "ssh" (TCP port 22) - Needed by ssh and scp.
TCP port "smtp" (TCP port 25) - Needed by mail daemon, but
make sure it's accepting connections only locally (you should see
"localhost:smtp" or "127.0.0.1" but not "*:smtp".
TCP port "mysql" (TCP port 3306) - Needed by MySQL, if you're running
MySQL. Again, make sure it's accepting connections only locally.
UDP port "ntp" (UDP port 123) - Needed by NTP, if you're running NTP.
Again, make sure it's accepting connections only locally.
Everything else, you can probably shut off without problems. When in
doubt, Google about the program or ask here if you can't find it on
Google. Again, just because there's an entry in /etc/rc.d/rcX.d/ doesn't
mean it's a daemon -- there's probably a disk integrity checking in there
and things like that you should leave alone. Check `ps -aefx` to list the
programs that are running on the system and disable those individually.
Also check `netstat -tulp` to see what ports are open and which programs
are keeping those ports open and disable the ones you don't need.
You should also install some security programs such as firewall and
intrusion detection tools, but be careful not to firewall yourself out...!
>.< If you want to go even further, if you're able, install a hardware
firewall between your computer and the rest of the Internet and set it up
so it forwards only the ports you really want open -- it'll be another
level of protection in case you forgot something... but it can also be an
extra source of headache so be careful.
Mark K. Kim
AIM: markus kimius
PGP key fingerprint: 7324 BACA 53AD E504 A76E 5167 6822 94F0 F298 5DCE
PGP key available on the homepage
vox-tech mailing list