This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
From: "Phillips, Glenn" <Glenn.Phillips@airnz.co.nz>
Subject: RE: Some security related questions
Date: Thu, 11 Mar 1999 10:31:29 +1300

If you're worried about security then fer chris' sake turn off the "r-commands"! Well, at least to external use. They are a nightmare security-wise. They believe the hostname and allow access based on that. I personally allow rsh to my routing-linux box, but only on the inside interface - you may want to do the same. If you're going ssh, you get better (more secure) versions of the Berkeley r-stuff in that.

The talkd's are nothing important - switch 'em off. (From man talkd: "Talkd is the server that notifies a user that someone else wants to initiate a conversation. It acts as a repository of invitations, responding to requests by clients wishing to rendezvous to hold a conversation." in.talkd and in.ntalkd are the same program.)

===

From: Stefan Miltchev <miltchev@panther.middlebury.edu>
Subject: Re: Some security related questions
Date:

> # Shell, login, exec and talk are BSD protocols.
> #
> shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
> login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind

If you are running ssh you can safely uncomment shell and login; they are used for rsh and rlogin connections.

> #exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
> talk    dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
> ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
> #dtalk  stream  tcp     wait    nobody  /usr/sbin/tcpd  in.dtalkd

You can get rid of the talk daemon too -- it is used to communicate with another user on a unix system.

> Is it safe to comment these out also? What does each do?
>
> Second, can someone tell me how I can shut off daemons (i.e. keep them from
> running). I need to know what file to edit.

You could use ntsysv to control which daemons are started automatically.

> Finally, the linux box does not share any resources over the network (i.e.
> no drives). Can I turn off NFS file sharing? Will this prevent me from
> accessing my cd-rom drive or other local resources? How do I turn it off?

Yes, you can turn off nfsd and the portmapper. If you do not envision using them on the machine you could even uninstall the rpms. Also I would recommend installing sentry (blocks portscanning attempts) and logcheck (looks for suspicious activity in the logs); rpms are available at http://rufus.w3.org

===================

From: "Kevin Myer" <kevin_myer@elanco.k12.pa.us>
Subject: Re: Hack attempt, successful?
Date:

On Wed, 10 Mar 1999, André Dahlqvist wrote:

First, it's crack, not hack. Crackers break into boxes. Hackers modify and write code.

> Mar 8 20:49:26 localhost telnetd[1152]: ttloop: peer died: Invalid or
> incomplete multibyte or wide character.

Dunno about this one. I've noticed it on one box I administer - it must be some sort of telnetd exploit attempt. I'd really like to know what this is if anyone on the list knows.

> Mar 8 20:49:19 localhost imapd[1151]: connect from 195.21.29.6
> Mar 8 20:49:19 localhost imapd[1151]: error: cannot execute
> /usr/sbin/imapd: No such file or directory
> Mar 8 20:49:23 localhost in.telnetd[1152]: connect from 195.21.29.6
> Mar 8 20:29:27 localhost ipop3d[1153]: error: cannot execute
> /usr/sbin/ipop3d: no such file or directory

Someone was trying to exploit your mail daemon services, which you wisely uninstalled (or maybe never installed in the first place). However, you didn't comment them out of /etc/inetd.conf - comment out the lines for pop3 and imap. inetd was trying to spawn those processes but they didn't exist.

It doesn't LOOK like anything was successful, just that someone was knocking on your door. However, double check that everything you don't need on that box is turned off or not installed (like NFS, ftp, etc.). Run tcp wrappers. Install something like sentry and tripwire for extra security measures. Don't take my word for it either - educate yourself as to the actual methods that crackers use to attack systems and you will be better prepared to defend against them.

================

From: John Summerfield <summer@OS2.ami.com.au>
Subject: Re: Hack attempt, successful?
Date:

On Wed, 10 Mar 1999, Andr
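As an added example (not code posted by anyone in this thread), the following Python audit ties the two pieces of advice above together: it reads an inetd.conf fragment and syslog lines of the kind quoted, comments out the BSD r-command and talk entries Glenn and Stefan say to switch off, and also comments out entries such as pop3/imap whose daemon inetd could not execute, which is the condition Kevin diagnoses from the "cannot execute" errors. The configuration fragment, the log lines and the client address 192.0.2.10 are all constructed for the example.

```python
import re

# Constructed inetd.conf fragment, modelled on the lines quoted in the thread.
SAMPLE_INETD_CONF = """\
# Shell, login, exec and talk are BSD protocols.
shell   stream  tcp   nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp   nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp   nowait  root    /usr/sbin/tcpd  in.rexecd
talk    dgram   udp   wait    root    /usr/sbin/tcpd  in.talkd
ntalk   dgram   udp   wait    root    /usr/sbin/tcpd  in.ntalkd
pop-3   stream  tcp   nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp   nowait  root    /usr/sbin/tcpd  imapd
"""
# Constructed syslog lines in the shape quoted in the thread; 192.0.2.10 is a placeholder address.
SAMPLE_SYSLOG = """\
Mar  8 20:49:19 localhost imapd[1151]: connect from 192.0.2.10
Mar  8 20:49:19 localhost imapd[1151]: error: cannot execute /usr/sbin/imapd: No such file or directory
Mar  8 20:49:27 localhost ipop3d[1153]: error: cannot execute /usr/sbin/ipop3d: no such file or directory
"""
# Cleartext BSD services the thread says to switch off once ssh is in place.
LEGACY_SERVICES = {"shell", "login", "exec", "talk", "ntalk"}
CANNOT_EXEC = re.compile(r"cannot execute (\S+): no such file or directory", re.I)


def enabled_services(conf):
    """Map each active (uncommented) inetd.conf service to the program inetd would spawn."""
    found = {}
    for raw in conf.splitlines():
        fields = raw.split()
        if len(fields) >= 6 and not fields[0].startswith("#"):
            found[fields[0]] = fields[-1]  # behind tcpd, the real daemon is the last field
    return found


def dangling_daemons(syslog):
    """Basenames of programs inetd tried to spawn but could not find ('cannot execute' errors)."""
    return {m.group(1).rsplit("/", 1)[-1] for m in CANNOT_EXEC.finditer(syslog)}


def harden(conf, syslog):
    """Comment out legacy entries and entries whose daemon is gone; return (new conf, disabled)."""
    missing = dangling_daemons(syslog)
    disabled, out = [], []
    for raw in conf.splitlines():
        fields = raw.split()
        active = len(fields) >= 6 and not fields[0].startswith("#")
        if active and (fields[0] in LEGACY_SERVICES or fields[-1] in missing):
            disabled.append(fields[0])
            out.append("#" + raw)  # keep the line so the admin can see what was disabled
        else:
            out.append(raw)
    return "\n".join(out) + "\n", disabled
```

Running `harden(SAMPLE_INETD_CONF, SAMPLE_SYSLOG)` leaves every remaining entry commented out, and a subsequent `enabled_services()` call on a real /etc/inetd.conf is a quick check that nothing unexpected is still being spawned.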