These are examples from the article "Armoring Linux"
Blake Parker
bfp at world.std.com
Sun May 9 08:56:27 EDT 1999
Example A
This is an example of the /etc/inetd.conf file. Notice how everything is commented out except for ftp and telnetd.
#
# inetd.conf This file describes the services that will be available
# through the INETD TCP/IP super server. To re-configure
# the running INETD process, edit this file, then send the
# INETD process a SIGHUP signal.
#
# Version: @(#)/etc/inetd.conf 3.10 05/27/93
#
# Authors: Original taken from BSD UNIX 4.3/TAHOE.
# Fred N. van Kempen, <waltje at uwalt.nl.mugnet.org>
#
# Modified for Debian Linux by Ian A. Murdock <imurdock at shell.portal.com>
#
# Modified for RHS Linux by Marc Ewing <marc at redhat.com>
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo stream tcp nowait root internal
#echo dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
#
# These are standard services.
#
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#gopher stream tcp nowait root /usr/sbin/tcpd gn
# do not uncomment smtp unless you *really* know what you are doing.
# smtp is handled by the sendmail daemon now, not smtpd. It does NOT
# run from here, it is started at boot time from /etc/rc.d/rc#.d.
#smtp stream tcp nowait root /usr/bin/smtpd smtpd
#nntp stream tcp nowait root /usr/sbin/tcpd in.nntpd
#
# Shell, login, exec and talk are BSD protocols.
#
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
#exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
#talk dgram udp wait root /usr/sbin/tcpd in.talkd
#ntalk dgram udp wait root /usr/sbin/tcpd in.ntalkd
#dtalk stream tcp wait nobody /usr/sbin/tcpd in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
#imap stream tcp nowait root /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
#uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp dgram udp wait root /usr/sbin/tcpd in.tftpd
#bootps dgram udp wait root /usr/sbin/tcpd bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
# cfinger is for GNU finger, which is currently not in use in RHS Linux
#
#finger stream tcp nowait root /usr/sbin/tcpd in.fingerd
#cfinger stream tcp nowait root /usr/sbin/tcpd in.cfingerd
#systat stream tcp nowait guest /usr/sbin/tcpd /bin/ps -auwwx
#netstat stream tcp nowait guest /usr/sbin/tcpd /bin/netstat -f inet
#
# Time service is used for clock synchronization.
#
#time stream tcp nowait nobody /usr/sbin/tcpd in.timed
#time dgram udp wait nobody /usr/sbin/tcpd in.timed
#
# Authentication
#
#auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
#
# End of inetd.conf
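To check which services an inetd.conf actually enables, and whether each of them is started through tcpd so that the hosts.allow/hosts.deny rules apply, here is an added audit script in Python. It is not part of the original post. Its input is a constructed excerpt of the file above with two extra lines added on purpose, a finger service launched without tcpd and an entry with a misspelled wait flag, so that the checks have something to report.

```python
"""Audit an inetd.conf: list enabled services and flag risky or broken entries.

Added example for the "Armoring Linux" inetd.conf excerpt above; not part of
the original post. SAMPLE_INETD_CONF is a constructed excerpt with two added
defects for the checks to find."""

from dataclasses import dataclass, field

VALID_SOCK_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}
VALID_WAIT_FLAGS = {"wait", "nowait"}

SAMPLE_INETD_CONF = """\
# constructed excerpt of the inetd.conf above
#echo stream tcp nowait root internal
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -L -i -o
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd
finger stream tcp nowait root /usr/sbin/in.fingerd in.fingerd
dtalk stream tcp waut nobody /usr/sbin/tcpd in.dtalkd
"""


@dataclass
class Service:
    name: str
    sock_type: str
    proto: str
    wait_flag: str
    user: str
    server_path: str
    args: list = field(default_factory=list)


def parse_inetd_conf(text):
    """Return (services, problems). Commented-out and blank lines are ignored,
    so the result is exactly what inetd would try to start."""
    services, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            problems.append(f"line {lineno}: too few fields: {line!r}")
            continue
        svc = Service(*fields[:6], fields[6:])
        if svc.sock_type not in VALID_SOCK_TYPES:
            problems.append(f"line {lineno}: unknown socket type {svc.sock_type!r}")
        # inetd accepts 'nowait.40' style rate limits, so compare the part before '.'
        if svc.wait_flag.split(".")[0] not in VALID_WAIT_FLAGS:
            problems.append(f"line {lineno}: bad wait/nowait flag {svc.wait_flag!r}")
        # 'internal' services are handled by inetd itself; everything else
        # should be started through tcpd so hosts.allow/hosts.deny apply
        if svc.server_path != "internal" and not svc.server_path.endswith("/tcpd"):
            problems.append(f"line {lineno}: {svc.name} is not wrapped by tcpd")
        services.append(svc)
    return services, problems


def enabled_services(text):
    """Names of the services that are actually switched on."""
    return [s.name for s in parse_inetd_conf(text)[0]]


if __name__ == "__main__":
    svcs, probs = parse_inetd_conf(SAMPLE_INETD_CONF)
    print("enabled:", [s.name for s in svcs])
    for p in probs:
        print("problem:", p)
```

Run against the real file with `parse_inetd_conf(open("/etc/inetd.conf").read())`; on the configuration above it reports only ftp and telnet as enabled and no problems, which is the state the text describes.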
Example B
This is an example of the /etc/issue file.
#
#
# WARNING: You must have specific authorization to access
# this machine. Unauthorized users will be logged,
# monitored, and then shot on sight!
#
#
Example C
This is an example of the system accounts I leave in the /etc/passwd file. Notice how the password field contains "x" and not the encrypted password. Encrypted passwords are now securely stored in the /etc/shadow file as a result of the "pwconv" command.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
mail:x:8:12:mail:/var/spool/mail:
uucp:x:10:14:uucp:/var/spool/uucp:
nobody:x:99:99:Nobody:/:
Example D
This is an example of the /etc/ftpusers file.
root
bin
daemon
adm
lp
mail
uucp
nobody
Example E
This is an example of the /etc/securetty file.
tty1
tty2
tty3
tty4
ttyp1 --> Note: this entry allows a remote user to log in as root. Normally, you do NOT want this entry!
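The three files in Examples C, D and E express one policy: hashes live in /etc/shadow, system accounts cannot log in over FTP, and root can only log in at a physical console. Here is an added Python script, not from the original post, that checks all three together. Its sample inputs are constructed from the examples above, each with one deliberate defect so that every check reports something: an extra UID-0 account whose hash was never moved by pwconv, "nobody" left out of ftpusers, and the ttyp1 line in securetty. The cut-off UID for "system account" is an assumption of this example.

```python
"""Cross-check /etc/passwd, /etc/ftpusers and /etc/securetty for the
hardening described in Examples C, D and E.

Added example, not from the original post. The samples are constructed from
the examples above, each with one deliberate defect; the hash shown is a
placeholder, not a real hash."""

import re

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
mail:x:8:12:mail:/var/spool/mail:
uucp:x:10:14:uucp:/var/spool/uucp:
nobody:x:99:99:Nobody:/:
toor:$1$placeholder$NOTAREALHASH:0:0:second root:/root:/bin/sh
"""
SAMPLE_FTPUSERS = "root\nbin\ndaemon\nadm\nlp\nmail\nuucp\n"   # 'nobody' left out
SAMPLE_SECURETTY = "tty1\ntty2\ntty3\ntty4\nttyp1\n"

SYSTEM_UID_MAX = 99   # assumed cut-off for "system account" in this example


def parse_passwd(text):
    """Split the seven colon-separated passwd fields into dicts."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        f = raw.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        entries.append({"name": f[0], "pw": f[1], "uid": int(f[2]),
                        "gid": int(f[3]), "gecos": f[4], "home": f[5],
                        "shell": f[6]})
    return entries


def audit_passwd(text):
    """Hashes belong in /etc/shadow; only root should have UID 0."""
    findings = []
    for e in parse_passwd(text):
        # 'x' means shadowed, '*' and '!' mean locked; anything else is a hash
        if e["pw"] not in ("x", "*", "!"):
            findings.append(f"{e['name']}: password hash still in /etc/passwd (run pwconv)")
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(f"{e['name']}: UID 0 account other than root")
    return findings


def audit_ftpusers(passwd_text, ftpusers_text):
    """System accounts that are not denied by /etc/ftpusers."""
    denied = {l.strip() for l in ftpusers_text.splitlines() if l.strip()}
    return [e["name"] for e in parse_passwd(passwd_text)
            if e["uid"] <= SYSTEM_UID_MAX and e["name"] not in denied]


def audit_securetty(text):
    """Any line that is not a physical console (tty<N>) lets root log in remotely."""
    return [t for t in (l.strip() for l in text.splitlines())
            if t and not re.fullmatch(r"tty\d+", t)]


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd:", finding)
    print("missing from ftpusers:", audit_ftpusers(SAMPLE_PASSWD, SAMPLE_FTPUSERS))
    print("non-console entries in securetty:", audit_securetty(SAMPLE_SECURETTY))
```

To run it on a live system, replace the three sample strings with the contents of the real files; on the files exactly as shown in Examples C and D the first two checks return nothing, and the third returns only ttyp1.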
Example F
This is an example of the access control lists for TCP Wrappers. The syntax is
Service: Source (IP address, network, or name): <optional> : ALLOW or DENY
Example of /etc/hosts.allow
in.telnetd: 192.168.1.0/255.255.255.0 : banners /etc/bannerfile : ALLOW
in.ftpd: 192.168.1.30 :ALLOW
imapd: ALL : spawn (/usr/local/bin/ids.sh %d %h %H %u)
Example of /etc/hosts.deny. I highly recommend you always use this as your /etc/hosts.deny file.
ALL: ALL : DENY
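What makes the "ALL: ALL" line in hosts.deny so valuable is the order in which tcpd reads the two files: hosts.allow first, then hosts.deny, and if neither matches the connection is allowed. The following added Python simulator, which is not part of the original post, applies exactly the rules from Example F to a few constructed connections so that this order can be seen. The client patterns it understands (ALL, a single address, net/mask, a leading-dot domain, a trailing-dot network prefix) and the % expansions are a simplified subset of what hosts_access(5) and hosts_options(5) describe; the banners and spawn options are recorded as side effects rather than executed, and the server host name and the assumed "unknown" client user are placeholders.

```python
"""Simulate tcpd's decision from /etc/hosts.allow and /etc/hosts.deny.

Added example, not from the original post. The rules are the ones in
Example F; the evaluation order (hosts.allow first, then hosts.deny, then
allow if nothing matched) follows hosts_access(5) in simplified form.
'banners' and 'spawn' are only recorded, never executed."""

import ipaddress

HOSTS_ALLOW = """\
in.telnetd: 192.168.1.0/255.255.255.0 : banners /etc/bannerfile : ALLOW
in.ftpd: 192.168.1.30 :ALLOW
imapd: ALL : spawn (/usr/local/bin/ids.sh %d %h %H %u)
"""
HOSTS_DENY = "ALL: ALL : DENY\n"


def parse_rules(text):
    """Each rule becomes (daemon_list, client_list, option_list)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        rules.append((parts[0].split(), parts[1].split(), parts[2:]))
    return rules


def client_matches(pattern, host, addr):
    """Simplified client matching from hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .example.net
        return host.endswith(pattern)
    if pattern.endswith("."):            # network prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask in dotted or CIDR form
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern in (addr, host)       # exact address or host name


def expand(option, daemon, host, addr, server_host):
    """Expand the %-sequences used by spawn; %u is 'unknown' without identd."""
    subs = {"%d": daemon, "%h": host, "%a": addr, "%H": server_host, "%u": "unknown"}
    for key, value in subs.items():
        option = option.replace(key, value)
    return option


def decide(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY,
           server_host="localhost"):
    """Return (verdict, side_effects) for one connection; first match wins."""
    for default, text in (("ALLOW", allow_text), ("DENY", deny_text)):
        for daemons, clients, options in parse_rules(text):
            if ((daemon in daemons or "ALL" in daemons)
                    and any(client_matches(p, host, addr) for p in clients)):
                verdict, effects = default, []
                for opt in options:
                    if opt.upper() in ("ALLOW", "DENY"):
                        verdict = opt.upper()   # explicit option overrides the file default
                    elif opt and opt.split()[0] in ("spawn", "banners", "twist"):
                        effects.append(expand(opt, daemon, host, addr, server_host))
                return verdict, effects
    return "ALLOW", []   # no rule in either file: tcpd lets the connection through


if __name__ == "__main__":
    for d, h, a in [("in.telnetd", "pc5.example.net", "192.168.1.5"),
                    ("in.telnetd", "pc5.example.net", "10.0.0.5"),
                    ("in.ftpd", "pc31.example.net", "192.168.1.31"),
                    ("imapd", "mail.example.net", "10.0.0.5")]:
        print(d, a, "->", decide(d, h, a))
    # without the catch-all hosts.deny line, an unlisted daemon is let through
    print("in.fingerd, empty hosts.deny ->", decide("in.fingerd", "x", "10.0.0.5", deny_text=""))
```

Two things worth noticing when running it: a daemon that has no rule in hosts.allow, such as in.fingerd, is denied only because of the "ALL: ALL" line, and comes through if hosts.deny is empty; and in real tcpd the argument to "banners" is a directory that holds a file named after the daemon (see hosts_options(5)), so the simulator only records the option as written in the example.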