40
Chapter 4. Workstation Security
The example below illustrates the granularity possible when configuring sudo:

    %users localhost=/sbin/shutdown -h now

This example states that any user can issue the command /sbin/shutdown -h now as long as they issue it from the console.
The man page for sudoers has a detailed listing of options for this file.
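The following is an added example, not text or code from the Red Hat Linux Security Guide, that extends the single rule above with the host, user and command aliases sudoers supports, writes the fragment to a scratch file, and syntax-checks it with visudo where that tool is available. The group names, host names and web-server commands are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat Linux Security Guide): a more granular
# sudoers fragment built from aliases, written to a scratch file and
# syntax-checked with visudo when that tool is installed.
# The group names (webops), host names (www1, www2) and the httpd commands
# are constructed for illustration.

write_sudoers_fragment() {
    # $1: path the fragment is written to
    cat > "$1" <<'EOF'
# Host aliases: where a rule applies
Host_Alias  CONSOLE   = localhost
Host_Alias  WEBFARM   = www1, www2

# Command aliases: what may be run (full paths, as sudo requires)
Cmnd_Alias  SHUTDOWN  = /sbin/shutdown -h now, /sbin/shutdown -r now
Cmnd_Alias  WEBADMIN  = /sbin/service httpd restart, /sbin/service httpd reload

# Any member of group "users" may halt the machine, but only from the console
%users      CONSOLE = SHUTDOWN

# Members of the constructed "webops" group may restart or reload the web
# server on the web farm hosts only, without being asked for a password
%webops     WEBFARM = NOPASSWD: WEBADMIN
EOF
}

check_sudoers_fragment() {
    # $1: path to the fragment. Returns visudo's verdict when visudo exists;
    # otherwise reports that no check was possible and returns 0.
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; fragment not syntax-checked" >&2
        return 0
    fi
}

rule_for_group() {
    # $1: fragment path, $2: group name without the leading %.
    # Prints the rule line for that group; exit status is non-zero if none.
    grep "^%$2[[:space:]]" "$1"
}

# Usage: build the fragment, show the rule for group "users", check it, clean up.
FRAGMENT="${TMPDIR:-/tmp}/sudoers.example.$$"
write_sudoers_fragment "$FRAGMENT"
rule_for_group "$FRAGMENT" users
check_sudoers_fragment "$FRAGMENT"
rm -f "$FRAGMENT"
```

A fragment like this belongs in /etc/sudoers (or, with newer sudo versions, a file under /etc/sudoers.d) and should always be edited through visudo so that a syntax error cannot lock every administrator out of sudo.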
4.5. Available Network Services
While user access to administrative controls is an important issue for system administrators within an organization, keeping tabs on which network services are running is of paramount importance to anyone who installs and operates a Linux system.
Many services under Linux behave as network servers. If a network service is running on a machine, then a server application called a daemon is listening for connections on one or more network ports. Each of these servers should be treated as a potential avenue of attack.
4.5.1. Risks To Services
Network services can pose many risks for Linux systems. Below is a list of some of the primary issues:

Buffer Overflow Attacks: Services which listen on ports numbered 0 through 1023 must run as an administrative user. If the application has an exploitable buffer overflow, an attacker could gain access to the system as the user running the daemon. Because exploitable buffer overflows exist, crackers will use automated tools to identify systems with vulnerabilities and, once they have gained access, they will use automated rootkits to maintain their access to the system.

Denial of Service Attacks (DoS): By flooding a service with requests, a denial of service attack can bring a system to a screeching halt as it tries to log and answer each request.

Script Vulnerability Attacks: If a server is using scripts to execute server-side actions, as Web servers commonly do, a cracker can mount an attack on improperly written scripts. These script vulnerability attacks could lead to a buffer overflow condition or allow the attacker to alter files on the system.

To limit exposure to attacks over the network, all services that are unused should be turned off.
4.5.2. Identifying and Configuring Services
To enhance security, most network services installed with Red Hat Linux are turned off by default. There are, however, some notable exceptions:

lpd: A printer server, required by the lpr command.

portmap: A necessary component for the NFS, NIS, and other RPC protocols.

xinetd: A super server that controls connections to a host of subordinate servers, such as wu-ftpd, vsftpd, telnet, and sgi_fam (which is necessary for the Nautilus file manager).

sendmail: The Sendmail mail transport agent is enabled by default, but only listens for connections on the localhost.

sshd: The OpenSSH server, which is a secure replacement for Telnet.
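As an added example that is not part of the guide, the script below shows how a practitioner would identify which of these daemons actually accept connections from the network. It parses the output format of netstat -tlnp (the sample lines, PIDs and program names are constructed here so the script runs offline) and separates sockets bound to every interface from those bound only to the loopback address, which is why the default sendmail configuration does not appear in the network-reachable list.

```shell
#!/bin/sh
# Added example (not from the Red Hat Linux Security Guide): given the output
# of "netstat -tlnp", list the daemons that accept connections from the
# network, i.e. whose listening socket is bound to an address other than
# 127.0.0.1. Sockets bound only to the loopback address, such as sendmail in
# the default configuration, are reported separately.
# Only IPv4 "address:port" fields are handled, which matches the sample.

# Constructed sample of "netstat -tlnp" output; PIDs and programs are made up.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      412/portmap
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      530/lpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      602/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      655/sendmail
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      601/xinetd'

network_reachable_services() {
    # Reads netstat -tlnp style output on stdin and prints "port program"
    # for every LISTEN socket that is not bound to the loopback address.
    awk '$6 == "LISTEN" {
        split($4, addr, ":")          # addr[1] = IP address, addr[2] = port
        if (addr[1] != "127.0.0.1") {
            split($7, prog, "/")      # prog[1] = PID, prog[2] = program name
            print addr[2], prog[2]
        }
    }'
}

loopback_only_services() {
    # Same input; prints "port program" for sockets reachable only locally.
    awk '$6 == "LISTEN" {
        split($4, addr, ":")
        if (addr[1] == "127.0.0.1") {
            split($7, prog, "/")
            print addr[2], prog[2]
        }
    }'
}

# Disabling a service that is not needed on Red Hat Linux means stopping it
# and removing it from the boot-time runlevels, for example:
#   /sbin/service lpd stop
#   /sbin/chkconfig lpd off
# A service run by xinetd (the ftp port above) is instead disabled in its
# /etc/xinetd.d/<service> file by setting "disable = yes".

echo "Reachable from the network:"
printf '%s\n' "$SAMPLE_NETSTAT" | network_reachable_services
echo "Bound to localhost only:"
printf '%s\n' "$SAMPLE_NETSTAT" | loopback_only_services
```

On a live system the sample variable is replaced by the real command, as in netstat -tlnp | network_reachable_services, run as root so that the program-name column is filled in; every line it prints is a daemon that should either be justified or turned off.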