LinuxDevCenter.com


Secure Your Linux Server
Pages: 1, 2, 3

/etc/securetty

Next, edit your /etc/securetty file. This file lets you define which terminals (TTY devices) root may log in from. A TTY device is a fancy designation for any basic input/output device; in this case, the device is your Linux console.

The file contains a list of the devices (terminals) from which root can log in to your console. The most important task here is to disable telnet (comment its line out by placing a # in front of it). The reason is that telnet sends its packets unencrypted; in layman's terms, it shouts your vital user password through a bullhorn for the world to hear. Obviously, you do not want your root password broadcast this way. A Red Hat 9 box starts with a /etc/securetty file containing:

# pico /etc/securetty
vc/1
#vc/2
#vc/3
#vc/4
#vc/5
#vc/6
#vc/7
#vc/8
#vc/9
#vc/10
#vc/11
tty1
#tty2
#tty3
#tty4
#tty5
#tty6
#tty7
#tty8
#tty9
#tty10
#tty11

Comment out (place a # in front of the appropriate line) all devices except vc/1 and tty1, effectively preventing root from logging in anywhere except on these two consoles. Every other way of becoming root then goes through su -.

/etc/ftpusers

Just as disabling telnet for root is important, you should also disable FTP for root transactions. As a side note, it is also a good idea for a normal FTP user to find an SFTP client. This lets file transfers run over an encrypted channel, as long as the hosting provider gives its users Secure Shell (SSH) access.

When you edit /etc/ftpusers, make sure that root is not among the listed users. If it is, comment it out by putting a # at the start of the line.

/etc/xinetd.conf

Older versions of Linux use /etc/inetd.conf instead of this file; it has a slightly different syntax and usage. The xinetd.conf file is crucial to your networking: it starts the services that listen on your network connections. From it, you can (and should!) disable services that you are not running or do not need.

Descend further, to the /etc/xinetd.d/ directory, which contains one file for each of the default internetworking services. On a standard Red Hat 9 system, this directory includes chargen, chargen-udp, daytime, daytime-udp, echo, echo-udp, finger, finger-udp, ntalk, rexec, rlogin, rsh, rsync, servers, services, talk, telnet, time, and time-udp.

The contents of these files resemble:

# default: off
# description: A daytime server. This is the tcp \
# version.

service daytime
{
       type          = INTERNAL
       id            = daytime-stream
       socket_type   = stream
       protocol      = tcp
       user          = root
       wait          = no
       disable       = yes
}

If you do not need, or are not familiar with, any of the services listed, go into its file and set the disable attribute to yes until you can familiarize yourself with that service's use. Whenever you change any of these files, restart the xinetd daemon so that it rereads them:

# /etc/rc.d/init.d/xinetd restart
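A small audit script for the two files just described, added here as an example and not part of the original article: it lists every terminal in a securetty file other than vc/1 and tty1 that still admits root, and every xinetd.d service file whose disable attribute is not yes. The paths are passed as arguments, the script name audit.sh is hypothetical, and the sample files it builds are constructed for the demonstration.

```sh
#!/bin/sh
# Audit helpers for /etc/securetty and /etc/xinetd.d. Added example, not from
# the original article; file paths are passed in, sample input is constructed.

# securetty_extra FILE: print active (uncommented) entries other than the
# two consoles the text keeps, vc/1 and tty1. Anything printed still lets
# root log in directly on that terminal and should be commented out.
securetty_extra() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' \
        | grep -v -x -e 'vc/1' -e 'tty1' || true
}

# xinetd_enabled DIR: print the name of every service file in DIR whose
# last "disable" attribute is not "yes". A file with no disable line at
# all is reported too, because xinetd then treats the service as enabled.
xinetd_enabled() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        val=$(sed -e 's/#.*//' "$f" \
              | awk -F= '$1 ~ /^[ \t]*disable[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' \
              | tail -n 1)
        [ "$val" = "yes" ] || printf '%s\n' "$(basename "$f")"
    done
}

# make_samples: build a constructed /etc-like tree in a temp dir and print
# its path. securetty leaves tty2 active by mistake; telnet is enabled and
# finger has no disable line at all; daytime is correctly disabled.
make_samples() {
    d=$(mktemp -d)
    printf 'vc/1\n#vc/2\ntty1\ntty2\n#tty3\n' > "$d/securetty"
    mkdir "$d/xinetd.d"
    printf 'service daytime\n{\n\ttype = INTERNAL\n\tdisable = yes\n}\n' \
        > "$d/xinetd.d/daytime"
    printf 'service telnet\n{\n\tserver = /usr/sbin/in.telnetd\n\tdisable = no\n}\n' \
        > "$d/xinetd.d/telnet"
    printf '# default: on\nservice finger\n{\n\tserver = /usr/sbin/in.fingerd\n}\n' \
        > "$d/xinetd.d/finger"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /etc/securetty /etc/xinetd.d   (with no arguments only
# the functions are defined, so the file can also be sourced)
if [ $# -eq 2 ]; then
    echo "root may still log in on:"; securetty_extra "$1"
    echo "xinetd services not disabled:"; xinetd_enabled "$2"
fi
```

Run against the constructed tree, securetty_extra reports tty2 and xinetd_enabled reports finger and telnet; against a real system the same calls show what is left to comment out.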

©2009, O'Reilly Media, Inc.