kill -HUP PID
chkconfig
If you don’t have an inetd.conf file, your version of Linux is probably running xinetd (www.xinetd.org) — a more secure replacement for inetd — to listen for incoming network application requests. You can edit the /etc/xinetd.conf file if this is the case. For more information on the usage of xinetd and xinetd.conf, enter man xinetd or man xinetd.conf at a Linux command prompt. If you’re running Red Hat 7.0 or later, you can run the /sbin/chkconfig program to turn off the daemons you don’t want to load.
For example, you can enter the following to disable the snmp daemon:
chkconfig --del snmpd
You can also enter chkconfig --list at a command prompt to see what services are enabled in the xinetd.conf file.
The chkconfig program can be used to disable other services, such as FTP, telnet, and Web server.
Access control
TCP Wrappers can control access to critical services that you run, such as FTP or HTTP. This program controls access for TCP services and logs their usage, helping you control access via hostname or IP address and track malicious activities.
You can download it from www.stanford.edu/group/itss-ccs/security/unix/tcpwrappers.html.
Figure 12-9: Viewing the process IDs for running daemons using ps -aux.
.rhosts and hosts.equiv Files
Linux — and all the flavors of UNIX — are very file-based operating systems.
Practically everything that’s done on the system involves the manipulation of files. This is why so many attacks against Linux are at the file level.
Hacks
If hackers can capture a user ID and password by using a network analyzer, or can crash an application and gain root access via a buffer overflow, one thing they look for is which users are trusted by the local system. The /etc/hosts.equiv and .rhosts files list this information.
.rhosts
The $home/.rhosts files in Linux specify which remote users can access the Berkeley Software Distribution (BSD) r-commands (such as rsh, rcp, and rlogin) on the local system without a password. This file is in a specific user’s home directory, such as /home/jsmith. A .rhosts file may look like this:
tribe scott
tribe eddie
This file allows users Scott and Eddie on the remote system tribe to log in to the local host with the same privileges as the local user. If a plus sign (+) is entered in the remote-host and user fields, any user from any host could log in to the local system. The hacker can add entries into this file by
Manually manipulating it.
Running a script that exploits an insecure Common Gateway Interface (CGI) script on a Web-server application that’s running on the system.
This configuration file is a prime target for a hacker attack. On most Linux systems I’ve tested, these files aren’t enabled by default. However, a user can create one in his or her home directory on the system — intentionally or accidentally — which can create a major security hole on your system.
hosts.equiv
The /etc/hosts.equiv file specifies which accounts on the system can access services on the local host. For example, if tribe were listed in this file, all users on the tribe system would be allowed access! As with the .rhosts file, external hackers can read this file and then spoof their IP address and hostname to gain unauthorized access to the local system. Hackers can also use the names located in the .rhosts and hosts.equiv files to look for names of other computers to attack.
Countermeasures
Use both of the following countermeasures to prevent hacker attacks against the .rhosts and hosts.equiv files in your Linux system.
Disabling commands
A good way to prevent abuse of these files is to disable the BSD r-commands altogether. This can be done by either
Commenting out the lines starting with shell, login, and exec in inetd.conf.
Editing the rexec, rlogin, and rsh files located in the /etc/xinetd.d directory. Open each file in a text editor, and change disable = no to disable = yes, as shown in Figure 12-10.
In Red Hat Linux, you can disable the BSD r-commands with the setup program:
1. Enter setup at a command prompt.
2. Select System Services from the menu.
3. Remove the asterisks next to each of the r-services.
Blocking access
A couple of countermeasures can block rogue access of the .rhosts and hosts.equiv files:
Block spoofed addresses at the firewall, as I outline in Chapter 9.
Set the permissions on these files so that only the owners can read them.
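The two countermeasure groups above (disabling the r-services under /etc/xinetd.d and locking down the trust files) can be checked from a shell. The following script is an added example, not part of the book; the function names and the tribe sample data are constructed, and it assumes GNU/Linux ls, awk, and sed.

```shell
#!/bin/sh
# Added example (not from the book): audit BSD r-command trust files and
# xinetd r-service stanzas. Function names and sample data are constructed.

# audit_trust_file FILE
# Reports wildcard (+) entries and non-owner read permission on a .rhosts
# or hosts.equiv file. Returns 1 on any high-risk finding, else 0.
audit_trust_file() {
    f="$1"; bad=0
    [ -f "$f" ] || return 0
    # ls -l columns 5-10 are the group/other permission bits; any 'r'
    # there means the file is readable by more than its owner.
    case "$(ls -l "$f" | cut -c5-10)" in
        *r*) echo "$f: readable by group/other; should be mode 0600"; bad=1 ;;
    esac
    # Each entry is "host [user]"; a '+' in either field is a wildcard.
    awk -v f="$f" '
        /^[ \t]*(#|$)/ { next }
        { host=$1; user=(NF>1)?$2:"(all users)" }
        host=="+" || user=="+" {
            print f ": line " NR ": wildcard entry \"" $0 "\" trusts any host/user"
            n++; next }
        { print f ": line " NR ": " user " on host " host " may log in without a password" }
        END { exit (n>0) }' "$f" || bad=1
    return $bad
}

# rservices_enabled XINETD_DIR
# Lists rexec/rlogin/rsh stanzas under XINETD_DIR whose "disable" value is
# not "yes". Returns 1 if any of them is still enabled, else 0.
rservices_enabled() {
    d="$1"; bad=0
    for svc in rexec rlogin rsh; do
        [ -f "$d/$svc" ] || continue
        v=$(sed -n 's/^[[:space:]]*disable[[:space:]]*=[[:space:]]*//p' "$d/$svc" | tail -n 1)
        if [ "$v" != "yes" ]; then
            echo "$d/$svc: disable = ${v:-unset}; set disable = yes"; bad=1
        fi
    done
    return $bad
}
```

Run it as audit_trust_file /etc/hosts.equiv (and against each user's .rhosts) and rservices_enabled /etc/xinetd.d; a non-zero exit status means something on this page's checklist is still open.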
Figure 12-10:
The rexec file showing the disable option.