Eliminate Unneeded and Unsecured Services to Avoid Getting Hacked
Unneeded and unsecured services can leave an open door for hackers. Once you know which daemons and applications are running, such as FTP, telnet, and a web server, it helps to know exactly which versions are running so you can look up their associated vulnerabilities and decide whether to turn them off. The National Vulnerability Database site is a good resource for determining vulnerabilities.
Several security tools can help determine vulnerabilities. These types of utilities might not identify all applications down to the exact version number, but they’re a very powerful way of collecting system information.
Be especially mindful of these known security weaknesses in a system:
Anonymous FTP — especially if it isn’t properly configured — can provide a way for an attacker to download and access files on your system.
Telnet and FTP are vulnerable to network analyzer captures of the cleartext user ID and password the applications use. Their logins can also be brute-force attacked.
Old versions of sendmail have many security issues.
R-services, such as rlogin, rdist, rexecd, rsh, and rcp, are especially vulnerable to attacks.
Many web servers run on Linux, so you can’t overlook the importance of checking for weaknesses in Apache, Tomcat, and your specific applications. For example, a common Linux vulnerability is that usernames can be determined via Apache when it doesn’t have the UserDir directive disabled in its httpd.conf file.
You can exploit this weakness manually by browsing to well-known user folders, such as http://www.your-site.com/~user_name or, better yet, by using a vulnerability scanner, such as WebInspect or QualysGuard, to automatically enumerate the system. Either way, you may be able to find out which Linux users exist and then launch a web password-cracking attack. There are also numerous ways to access system files (including /etc/passwd) via vulnerable CGI code.
Likewise, FTP is often running unsecured on Linux systems. There are Linux systems with anonymous FTP enabled that were sharing sensitive healthcare and financial information to everyone on the local network. So, don’t forget to look for the simple stuff.
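To check your own httpd.conf for the UserDir weakness described above, here is an added example (not from the original page): a constructed weak configuration beside the corrected one, and a small checker that reports the effective UserDir setting the way Apache resolves it. The LoadModule line and the Directory block are assumed boilerplate, not taken from any real server.

```shell
# Constructed httpd.conf fragments (not from any real server): the weak setting that
# exposes /~user/ URLs, and the corrected one.
WEAK_CONF='LoadModule userdir_module modules/mod_userdir.so
# UserDir disabled
UserDir public_html
<Directory "/home/*/public_html">
    Require all granted
</Directory>'

FIXED_CONF='LoadModule userdir_module modules/mod_userdir.so
UserDir disabled'

# Print the effective UserDir value from a config passed as a string. Comment
# lines are ignored and, as in Apache, the last directive in the scope wins.
# Prints "unset" when the directive is absent.
effective_userdir() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ { next }
    tolower($1) == "userdir" { $1 = ""; sub(/^ +/, ""); val = $0 }
    END { print (val == "" ? "unset" : val) }'
}

# Returns 0 only for the global "UserDir disabled" form. "disabled alice" disables
# one user and leaves the rest enabled, and "unset" falls back to a version-
# dependent default, so both are reported as needing attention.
userdir_is_safe() {
  case "$(effective_userdir "$1")" in
    disabled) return 0 ;;
    *)        return 1 ;;
  esac
}
```

On a live system, pass the file contents with `userdir_is_safe "$(cat /etc/httpd/conf/httpd.conf)"`, adjusting the path to your distribution.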
The following tools can perform more in-depth information gathering beyond port scanning to enumerate your Linux systems and see what hackers see:
Nmap can check for specific versions of the services loaded. Simply run Nmap with the -sV command-line switch.
Amap is similar to Nmap, but it has a couple of advantages:
Amap is much faster for these types of scans.
Amap can detect applications that are configured to run on nonstandard ports, such as Apache running on port 6789 instead of its default 80.
Amap was run with the following options to enumerate some commonly hacked ports:
-1 makes the scan run faster.
-b prints the responses in ASCII characters.
-q skips reporting of closed ports.
21 probes the FTP control port.
22 probes the SSH port.
23 probes the telnet port.
80 probes the HTTP port.
netstat shows the services running on a local machine. Enter this command while logged in:
List Open Files (lsof) displays processes that are listening and files that are open on the system.
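The following is an added example, not code from the original page: a small audit script that reads netstat-style output and flags the weak services listed earlier (FTP, telnet, sendmail, the r-services) plus anything listening on a nonstandard port that should be identified with nmap -sV or amap. The netstat sample is constructed; the port-to-weakness mapping is my own summary of the text.

```shell
# Constructed sample of `netstat -tlnp` output; not captured from a real host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      812/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      934/inetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1002/sendmail
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      934/inetd
tcp        0      0 0.0.0.0:6789            0.0.0.0:*               LISTEN      1100/httpd'

# Map a listening port to the weakness class the text names; prints nothing
# for ports that need no follow-up here (e.g. 22/ssh).
flag_port() {
  case "$1" in
    21)  echo "FTP: cleartext logins; check whether anonymous FTP is enabled" ;;
    23)  echo "telnet: cleartext logins, brute-forceable" ;;
    25)  echo "SMTP: check the sendmail version against the NVD" ;;
    512|513|514) echo "r-service (rexec/rlogin/rsh): disable" ;;
    *)   if [ "$1" -ge 1024 ]; then
           echo "nonstandard port: identify the service with nmap -sV or amap"
         fi ;;
  esac
}

# Read netstat-style lines on stdin and print "port<TAB>program<TAB>reason" for
# every LISTEN socket that flag_port objects to. The header is skipped because
# its sixth field is not LISTEN; the port is the last colon-separated piece of
# the local address, which also works for IPv6 listeners.
audit_listeners() {
  awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n], $7 }' |
  while read -r port prog; do
    reason=$(flag_port "$port")
    if [ -n "$reason" ]; then
      printf '%s\t%s\t%s\n' "$port" "$prog" "$reason"
    fi
  done
}

# Number of flagged listeners in the sample (21, 23, 25, 513 and 6789).
count_flagged() {
  printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners | wc -l | tr -d ' '
}

# On a live host, as root:  netstat -tlnp | audit_listeners
```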
Countermeasures against hack attacks on unneeded services
You can and should disable the unneeded services on your Linux systems. This is one of the best ways to keep your Linux system secure. Just as with the entry points of a house, the more of them you eliminate, the fewer places an intruder has to break in.
Disabling unneeded services
The best method of disabling unneeded services depends on how the daemon is loaded in the first place. You have several places to disable services, depending on the version of Linux you’re running.
inetd.conf (or xinetd.conf)
If it makes good business sense, disable unneeded services by commenting out the loading of daemons you don’t use. Follow these steps:
Enter the following command at the Linux prompt:
The process ID (PID) for each daemon, including inetd, is listed on the screen.
Make note of the PID for inetd.
Open /etc/inetd.conf in the Linux text editor vi by entering the following command:
When you have the file loaded in vi, enable the insert mode by pressing I.
Move the cursor to the beginning of the line of the daemon that you want to disable, such as httpd, and type # at the beginning of the line.
This step comments out the line and prevents it from loading when you reboot the server or restart inetd.
To exit vi and save your changes, press Esc to exit the insert mode, type :wq, and then press Enter.
This tells vi that you want to write your changes and quit.
Restart inetd by entering this command with the inetd PID:
kill -HUP PID
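The same inetd.conf procedure, as an added example that is not part of the original page, done non-interactively with sed so it can be rehearsed on a copy first. The inetd.conf contents are constructed; the service names and tcpd paths are typical but assumed.

```shell
# Write a constructed inetd.conf lookalike (not a real host's file) to a temp file
# and print its path, so the edit can be rehearsed without touching /etc.
make_sample_inetd_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# constructed /etc/inetd.conf for demonstration
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
ssh     stream  tcp  nowait  root  /usr/sbin/sshd  sshd -i
EOF
  echo "$f"
}

# The commenting-out step of the text, done with sed instead of vi: put "#" in
# front of every active line whose first field is the given service. Matching the
# whole first field keeps "ftp" from also hitting "tftp". A .bak copy of the
# original is kept beside the file.
disable_inetd_service() {
  conf=$1; svc=$2
  cp "$conf" "$conf.bak"
  sed "s/^\\($svc[[:space:]]\\)/#\\1/" "$conf.bak" > "$conf"
}

# First field of every line that is neither blank nor a comment: the services
# inetd will still start after it re-reads the file.
enabled_services() {
  awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# The kill -HUP step of the text: make a running inetd re-read its configuration.
# Looks the PID up with pgrep instead of reading it off a ps listing.
reload_inetd() {
  pid=$(pgrep -x inetd) || { echo "inetd is not running" >&2; return 1; }
  kill -HUP "$pid"
}
```

Run disable_inetd_service against /etc/inetd.conf only once the rehearsal shows the expected lines commented, then call reload_inetd.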
If you don’t have an inetd.conf file, your version of Linux is probably running the xinetd program — a more secure replacement for inetd — to listen for incoming network application requests. You can edit the /etc/xinetd.conf file if this is the case. For more information on the usage of xinetd and xinetd.conf, enter man xinetd or man xinetd.conf at a Linux command prompt.
If you’re running Red Hat 7.0 or later, you can run the /sbin/chkconfig program to turn off the daemons you don’t want to load.
You can also enter chkconfig --list at a command prompt to see what services are enabled in the xinetd.conf file.
If you want to disable a specific service, say snmp, enter the following:
chkconfig --del snmpd
TCP Wrappers can control access to critical services that you run, such as FTP or HTTP. This program controls access for TCP services and logs their usage, helping you control access via hostname or IP address and track malicious activities.
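As an added example (not from the original page), the following shows a default-deny TCP Wrappers policy and a checker that applies the hosts.allow-then-hosts.deny decision order tcpd uses, so you can confirm who would be let in before deploying the files. The table contents, daemon names and addresses are constructed; only the address pattern forms ALL, exact address and "prefix." network are handled.

```shell
# Constructed hosts.allow / hosts.deny contents (not copied from any real host).
# Policy: ssh from one admin subnet, ftp from one management host, deny the rest.
HOSTS_ALLOW='sshd: 192.168.10.
in.ftpd: 10.0.0.5'
HOSTS_DENY='ALL: ALL'

# Does one client pattern match the client IP? Covers the address forms in
# hosts_access(5) that this checker needs: ALL, an exact address, and a
# "prefix." network such as 192.168.10. (hostname forms are not handled).
pattern_matches() {
  pat=$1; client=$2
  case "$pat" in
    ALL) return 0 ;;
    *.)  case "$client" in "$pat"*) return 0 ;; esac; return 1 ;;
    *)   [ "$pat" = "$client" ] ;;
  esac
}

# Does any "daemon_list : client_list" line of the table match daemon and client?
# Runs in a subshell so exit gives a clean 0 (match) / 1 (no match).
table_matches() {
  printf '%s\n' "$1" | (
    while IFS=: read -r daemons clients; do
      for d in $daemons; do
        [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
        for c in $clients; do
          pattern_matches "$c" "$3" && exit 0
        done
      done
    done
    exit 1
  )
}

# The decision order tcpd applies: hosts.allow is consulted first, then
# hosts.deny; a client listed in neither is allowed. Prints allow or deny.
access_decision() {
  if table_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow
  elif table_matches "$HOSTS_DENY" "$1" "$2"; then echo deny
  else echo allow
  fi
}
```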