Table 15-1 lists some of the services that you should disable or restrict if you wish to run a secure server. Many of these services are widely considered “safe” today, but that doesn’t mean that a serious flaw won’t be discovered in one of them sometime in the future. For example, in the spring of 2001 a vulnerability was found in the Berkeley Internet Name Daemon (BIND) that allowed anyone on the Internet to obtain superuser privileges on any Unix computer running the most common version of the software package. Sites that had nameservers running on their web servers were vulnerable. Sites that had turned off their nameservers were not.
If you don’t need a service, disable it.
Table 15-1. Services to restrict on a secure server
Service to restrict | Reason |
---|---|
DNS | Bugs in DNS implementations can be used to compromise your web server. Ideally, you should deploy computers that are only used for nameservice and nothing else. If you cannot run your own secure nameservers, you may wish to obtain nameservice from an upstream provider. |
Mail (SMTP, POP, IMAP, etc.) | |
finger | |
netstat, systat | netstat and systat can reveal your system’s configuration and usage patterns. Do not provide these services on secure machines. |
chargen, echo | These services can be used to launch data-driven attacks and denial-of-service attacks. Disable them. |
FTP | |
Telnet | |
Berkeley “r” commands (rlogin, rsh, rdist, etc.) | These commands use IP addresses for authentication that can be (and have been) spoofed. Use ssh and scp instead. |
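
An added example, not from the original text: a shell function that reports active entries for the services in Table 15-1 in an inetd-style configuration file. It assumes the services are launched from inetd with the usual field layout and `/etc/services` names; daemons started on their own at boot (a nameserver or mail server, typically) are outside what it checks, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: flag inetd.conf entries for services named in Table 15-1.
# Assumption: fields are "name socket proto wait user program [args]" and
# service names follow /etc/services.

# /etc/services names for the table's rows
# (login, shell and exec are the rlogin, rsh and rexec listeners).
RESTRICTED="domain smtp pop3 imap finger netstat systat chargen echo ftp telnet login shell exec"

# Print "service/protocol" for every active (uncommented) restricted entry.
# Usage: audit_inetd [file]   (defaults to /etc/inetd.conf)
audit_inetd() {
    awk -v list="$RESTRICTED" '
        BEGIN { n = split(list, names, " "); for (i = 1; i <= n; i++) bad[names[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }   # skip comments, blank and malformed lines
        ($1 in bad) { print $1 "/" $3 }
    ' "${1:-/etc/inetd.conf}"
}

# Constructed sample file, not taken from any real host.
sample_conf() {
    cat <<'EOF'
# constructed inetd.conf sample
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
#telnet stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
echo    stream  tcp  nowait  root    internal
echo    dgram   udp  wait    root    internal
chargen dgram   udp  wait    root    internal
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
ssh     stream  tcp  nowait  root    /usr/sbin/sshd        sshd -i
EOF
}

# Demo run against the constructed sample.
demo_file=$(mktemp)
sample_conf > "$demo_file"
audit_inetd "$demo_file"
rm -f "$demo_file"
```

Each line of output is an entry to comment out in the configuration file before telling inetd to reread it; the commented-out telnet line and the ssh entry are not reported.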