Justify Enabled Daemons

One very important element of a server setup is to avoid unneeded daemons. Every reachable daemon increases the chance for an attacker to find a hole to break into the system, so the attack surface should be kept as small as possible. Therefore, active processes and listening network ports need to be carefully considered. The OSSTMM (Open Source Security Testing Methodology Manual) includes a concept called business justification: enable a service only if it is justified by the system's business need, and treat every listener you cannot justify as a candidate for removal.

A first step is to check the currently running processes, which you can do with the ps command (for example ps aux or ps -ef). Using this command, all currently running daemons can be seen and justified. But just checking the process list isn't sufficient, because super-servers like xinetd or inetd start services on demand, so a service can be reachable without its daemon showing up in ps. Therefore, it doesn't hurt to check which network sockets accept incoming connections with netstat (netstat -tlnp lists listening TCP sockets with numeric addresses; add -u for UDP). To display the process name that uses a specific port, use the -p option of the netstat command (it needs root to show other users' processes, otherwise the column reads "-"), or do the lookup manually using fuser (from the psmisc package), e.g. fuser -v -n tcp 111. On current distributions netstat is often no longer installed; ss -tlnp from iproute2 gives the same information. Here's a short example:

host:~# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      3447/portmap
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      3249/cupsd
tcp        0      0 0.0.0.0:632             0.0.0.0:*               LISTEN      3249/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3614/master
tcp        0      0 :::22                   :::*                    LISTEN      3321/sshd

Of course, you need to check the listening state for all protocols to justify the current system state. Usually this involves checking TCP and UDP ports (netstat -tulnp), and both the IPv4 and IPv6 sockets, since a daemon that is bound only to :: is still reachable from the network. In the listing above, for instance, portmap and cupsd are bound to 0.0.0.0 and therefore answer on every interface, while the Postfix master process on port 25 is bound to 127.0.0.1 and is only reachable from the host itself. Which addresses a host actually has can be seen with ip address show:

host:~# ip address show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:16:3e:4e:2b:a2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.23/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::216:3eff:fe4e:2ba2/64 scope link
host:~#

In case a daemon is only needed for local running processes, you can configure almost all daemons to bind only to the loopback (lo, 127.0.0.1) interface. This makes the application unreachable from outside the host, but still allows local processes to access the service.

The same consideration needs to be taken in case a host has more than one network interface. A daemon bound to the wildcard address (0.0.0.0 or ::) listens on all of them, including a management or backup network it was never meant to serve. Daemons can be configured to bind only to the specific IP addresses they are intended to serve; for example, sshd takes a ListenAddress directive and Postfix an inet_interfaces setting (inet_interfaces = loopback-only is what produces the 127.0.0.1:25 line above).
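The check described above, in the two steps of listing the sockets and then justifying each one, as an added example (this script is not part of the original page; it was written for this edit). It parses a listing in the layout of netstat -tulnp, classifies every listening socket by the address it is bound to (loopback only, wildcard, or one specific interface address), and then prints the network-reachable listeners that are not on an explicit justification list. The sample listing and the allow list are constructed for the example; on a real host you would pipe the live output of netstat -tulnp into the functions instead, and the policy in JUSTIFIED is an assumption (only SSH is meant to be reachable).

```shell
#!/bin/sh
# Added example, not from the original page: classify listening sockets from
# netstat -tulnp style output and flag network-reachable ones that are not
# on the justification list.

# Constructed sample in the layout of `netstat -tulnp` (not captured from a
# real host). A live check reads `netstat -tulnp` instead.
SAMPLE_LISTING='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      3447/portmap
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      3249/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3614/master
tcp6       0      0 :::22                   :::*                    LISTEN      3321/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           3447/portmap
udp        0      0 192.168.1.23:123        0.0.0.0:*                           2901/ntpd'

# Justified services as "proto/port" words. Assumed policy for this host:
# only SSH may be reachable from the network.
JUSTIFIED="tcp/22 tcp6/22"

# classify_listeners: stdin = netstat-style listing, stdout = one line per
# listening socket: "<scope> <proto> <port> <program>", where scope is
#   LOCAL  bound to loopback only (unreachable from the network)
#   ALL    bound to the wildcard address (reachable on every interface)
#   IFACE  bound to one specific non-loopback address
classify_listeners() {
    awk '
        $1 !~ /^(tcp|tcp6|udp|udp6)$/ { next }      # skip header lines
        {
            proto = $1; local = $4; prog = $NF
            n = split(local, f, ":")                # port follows the last colon
            port = f[n]
            host = substr(local, 1, length(local) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1" || host ~ /^127\./) scope = "LOCAL"
            else if (host == "0.0.0.0" || host == "::" || host == "") scope = "ALL"
            else scope = "IFACE"
            sub(/^[0-9]+\//, "", prog)              # drop the PID, keep the name
            print scope, proto, port, prog
        }'
}

# unjustified_exposures: prints network-reachable listeners (ALL or IFACE)
# whose proto/port is not in $JUSTIFIED; exit status 1 if any were found,
# so the function can gate a hardening check.
unjustified_exposures() {
    classify_listeners | awk -v allow="$JUSTIFIED" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LOCAL" { key = $2 "/" $3; if (!(key in ok)) { print; found = 1 } }
        END { exit (found ? 1 : 0) }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | classify_listeners
echo "--- not justified:"
printf '%s\n' "$SAMPLE_LISTING" | unjustified_exposures \
    || echo "=> disable these, or bind them to 127.0.0.1 / a specific address"
```

Against the sample, the master process on 127.0.0.1:25 is reported as LOCAL and never flagged, sshd is flagged neither on tcp6/22, and portmap, cupsd and ntpd end up on the "not justified" list: each of them has to be either removed from the system, justified and added to the list, or reconfigured to bind to loopback or to the one address it is meant to serve. The parser keys on the netstat column layout; ss -tulnp puts the local address in a different column, so adjust the $4 reference if you feed it ss output.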
