IT Auditor Recommendations On Locking Down Vulnerable Unix Services

Posted by Cappadonna on Monday, October 18, 2010

By Sarah Abelow

A major objective in Unix security is to disable services or daemons that are unnecessary for normal system operations. In this article we provide a brief survey of the Unix services that should be disabled on most Unix servers. Industry experience has shown these services to be vulnerable to attack.

Every enabled service is attack surface, so the threat is greatly reduced where these services are not running; the best defense is to disable anything the system does not need. This is a high priority for IT security professionals and IT auditors alike, and guidance is available on which services are necessary and should be enabled and which are not and should be disabled.

To identify the service behind an active port (the listening ports themselves can be listed with netstat -an), we recommend the Internet Assigned Numbers Authority (IANA) registry. Services and ports have been standardized and documented in the IANA online database of well-known ports, which superseded the static list in RFC 1700. The database is available at the URL given in the reference section below.

These standardized service names and port numbers are independent of the Unix vendor or version. The /etc/inet/services file (/etc/services on most other Unix systems; on Solaris /etc/services is a symbolic link to it) maps each service name to its port number and protocol type (TCP or UDP), but it does not start anything. Whether a service is actually started is controlled by the inetd configuration in /etc/inet/inetd.conf, where each line names the service, its socket type and protocol, the user it runs as and the daemon to execute; a leading '#' disables the entry. (On Solaris 10 these entries have been converted to SMF services and are managed with inetadm and svcadm, but the principle is the same.) Both files should be owned by root and writable only by root. /etc/inet/services must remain world-readable, because ordinary programs consult it to resolve service names, but there is no reason to grant 'world' write access to either file.

The CIS Solaris Benchmark recommends recording a secure baseline of the services that are enabled on each system. Once it exists, the baseline makes it possible to monitor for deviations, each of which is either a sanctioned change or a potential vulnerability. It is useful to system administrators, security professionals and auditors alike.

We have compiled the list of services below from the Center for Internet Security (CIS) Benchmark, the US Department of Defense Security Technical Implementation Guide (STIG) and from our professional IT audit experience. The list is by no means comprehensive, since there are potentially thousands of services that may be active, and it must be tailored: what is unnecessary in one organization may be essential in another. For each of the following services, consider carefully whether it should be active:

- Telnet (23/tcp) is the virtual terminal service. The telnet daemon is necessary only if users must telnet into this server; otherwise it is unnecessary. Telnet carries passwords and session data in clear text, so even where remote terminal access is required, SSH is the preferred replacement.
- File Transfer Protocol (FTP). Two ports are used: 21/tcp for FTP commands and 20/tcp for the actual data transfer. It is necessary only on an FTP server; otherwise it is unnecessary. Like telnet, FTP sends credentials in clear text.
- Trivial File Transfer Protocol (TFTP, 69/udp) has no authentication at all. It is necessary only on TFTP boot servers; otherwise it is unnecessary.
- rlogin/rsh/rcp remote services (inetd names login and shell, 513/tcp and 514/tcp) are necessary only if the server must receive inbound requests. They rely on host-based trust (.rhosts and hosts.equiv) and are vulnerable services that are generally not necessary.
- rexec (inetd name exec, 512/tcp) is necessary only if the system must receive inbound 'exec' requests. This is a vulnerable service and generally not necessary.
- DHCP is used for dynamically assigning IP addresses and other network information. The DHCP server daemon is necessary only on a DHCP server; a host that merely obtains its address by DHCP does not need it.
- SMTP (25/tcp) is required for transporting email from system to system. A listening SMTP daemon is only necessary if the system must receive mail from other systems; otherwise it is unnecessary.
- Domain Name System (DNS, 53/tcp and 53/udp) name resolution service. The name server is only necessary if the system is a DNS primary or secondary server; it is unnecessary on DNS clients, which only need the resolver.
- Network File System (NFS) is used to access remote file systems. The NFS server daemons are needed only if the system exports file systems to others; otherwise they are unnecessary.
- Network Information Service (NIS/NIS+) is a network name service that distributes password, group, host and similar maps, and so supports network-based authentication. The server is only necessary on systems acting as an NIS server for the local site; otherwise it is unnecessary.
- The routing daemon ('route', i.e. routed or in.routed, which exchanges RIP routing updates) is used only if the system is a network router. It is almost always unnecessary.
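The following shell script is added here as a worked example; it is not taken from the STIG or the CIS benchmark. It ties together the points above: it reads an inetd.conf-style file to see which services are actually enabled, maps each to its registered port through a services-style file laid out like the IANA registry, flags the enabled entries from the list above, reports deviations from a saved baseline with comm, and checks whether the configuration files are world-writable. The inetd.conf, services and baseline contents are constructed samples written to a temporary directory; the daemon paths follow Solaris naming but describe no real host. It assumes the classic inetd.conf format; on Solaris 10, where inetd entries live in SMF, the enabled set would come from inetadm rather than this file, but the baseline comparison is the same.

```shell
#!/bin/sh
# Added example, not part of the STIG or CIS benchmark: audit inetd-style
# service configuration against the article's recommendations and a baseline.
# All input below is constructed sample data written to a temporary directory.
set -u

# make_samples DIR: write constructed inetd.conf, services and baseline files.
make_samples() {
    dir="$1"
    # inetd.conf format: name type proto wait/nowait user server args.
    # inetd names: shell = rsh, login = rlogin, exec = rexec. A leading '#'
    # disables the entry (rsh is disabled here). Daemon paths follow Solaris
    # naming but this describes no real host.
    cat > "$dir/inetd.conf" <<'EOF'
# constructed sample
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
tftp    dgram   udp  wait    root  /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
echo    stream  tcp  nowait  root  internal
EOF
    # services format (name port/proto [aliases]), the same layout as the
    # IANA well-known port registry the article points at.
    cat > "$dir/services" <<'EOF'
echo      7/tcp
echo      7/udp
ftp-data  20/tcp
ftp       21/tcp
telnet    23/tcp
tftp      69/udp
login     513/tcp
shell     514/tcp  cmd
EOF
    # Baseline recorded at an earlier review (sorted, one service per line).
    printf 'echo\nftp\nshell\n' > "$dir/baseline"
}

# enabled_services FILE: names of all active (uncommented) inetd entries, sorted.
enabled_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# service_port SERVICES_FILE NAME: every port/proto registered for NAME.
service_port() {
    awk -v name="$2" '$1 !~ /^#/ && $1 == name { print $2 }' "$1"
}

# risky_enabled FILE: enabled entries from the article's "disable unless this
# host is the server" list that inetd manages.
risky_enabled() {
    enabled_services "$1" | grep -E -x 'telnet|ftp|tftp|shell|login|exec' || true
}

# baseline_diff BASELINE CURRENT: '+' = enabled now but not in baseline,
# '-' = in baseline but no longer enabled. Both files must be sorted.
baseline_diff() {
    comm -13 "$1" "$2" | sed 's/^/+ /'
    comm -23 "$1" "$2" | sed 's/^/- /'
}

# world_writable PATH: succeeds if "others" have write permission
# (9th character of the ls -l mode string).
world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Demonstration run on the constructed data.
tmp=$(mktemp -d)
make_samples "$tmp"
echo "Enabled inetd services and their registered ports:"
enabled_services "$tmp/inetd.conf" | while read -r svc; do
    printf '  %-8s %s\n' "$svc" "$(service_port "$tmp/services" "$svc" | tr '\n' ' ')"
done
echo "Enabled services the article says to disable unless required:"
risky_enabled "$tmp/inetd.conf" | sed 's/^/  /'
echo "Deviation from baseline (+ new, - gone):"
enabled_services "$tmp/inetd.conf" > "$tmp/current"
baseline_diff "$tmp/baseline" "$tmp/current" | sed 's/^/  /'
chmod o+w "$tmp/inetd.conf"    # simulate a misconfigured file
echo "World-writable configuration files:"
for f in "$tmp/inetd.conf" "$tmp/services"; do
    if world_writable "$f"; then echo "  $f"; fi
done
rm -rf "$tmp"
```

On a real host you would point enabled_services at /etc/inet/inetd.conf and service_port at /etc/inet/services, save the first clean run of enabled_services as the baseline, and rerun baseline_diff on a schedule; a '+' line that nobody requested is exactly the deviation the CIS baseline is meant to surface.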

References: Unix - Security Technical Implementation Guide (STIG). Version 5. 2005. US Defense Information Systems Agency. US Department of Defense. http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf

Solaris Benchmark v2.1.3 (Solaris 10). The Center for Internet Security (CIS). 2007. http://www.cisecurity.org

Internet Assigned Numbers Authority (IANA) http://www.iana.org/assignments/port-numbers
