Silicon Chip, September 2001
Using Linux To Share An Internet Connection; Pt.4
By default, Linux is a powerful operating system that automatically configures many services (eg, a web server) straight out of the box. In this final article in our gateway series, we show you how to improve security by shutting down any services that you don’t need and restricting access to those you do need.
By GREG SWAIN
You can’t be too careful about security when connected to the Internet, especially if you have a network behind your Linux box. Security must be built into the gateway from the beginning, otherwise you could end up being “cracked”.

Don’t think that you’re safe just because you are using a dial-up connection. It’s quite possible for someone to find you and telnet their way into an unprotected machine in a matter of minutes.

As well as having an effective firewall, there are a couple of other things you can do to improve security. This involves shutting down any services that you don’t need and restricting access to any that you do need.
Turning off services
The easiest way to deny access to a service is to turn it off. The first thing you need to do is take a look at the /etc/inetd.conf file (this is now /etc/xinetd.conf in later distributions such as Red Hat 7.0). This file lists all the Internet services started by the inetd Internet super-server daemon. You can disable any service listed in inetd.conf by placing a “#” (comment) at the start of the line.
For example, to disable the ftp and telnet services, edit the lines to look like this:
# ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
# telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
Note that this doesn’t stop you from ftping or telneting out from your machine. Instead, it stops your Linux box from behaving as an ftp and telnet server, so that these services are no longer potential pathways into your machines. The telnet service is a real risk – make sure that you don’t leave this running on an unprotected system.
In fact, if you don’t need to run any Internet services, you can quite safely comment out everything in /etc/inetd.conf. This will still allow you to access email and news, do all your usual web browsing and transfer ftp files.

Tip 1: Logging Out & Logging In
You don’t have to reboot Linux to log out as root and log back in as a user. All you have to do is quit Xwindows (click K -> Logout in KDE), type logout at the terminal prompt (or hit Ctrl-D) and then log back on using your user name and password. You can then restart KDE or Gnome by issuing the command startx.
The procedure is identical for logging out as a user and logging back on as root.

Fig.1 (left): you can turn off the services listed in /etc/inetd.conf by placing a “#” (ie, a comment) at the start of each line. Turn off all services that aren’t required.

www.siliconchip.com.au
September 2001 77

Fig.2: distributions that use xinetd.conf store a configuration file for each service in the /etc/xinetd.d folder. A service is disabled by opening its configuration file and changing the disable = no line to disable = yes.
Once you’ve commented out the services you don’t need, you have to restart the inetd daemon with this command:
killall -HUP inetd
Recent Linux distributions that use /etc/xinetd.conf store one configuration file for each service in the /etc/xinetd.d folder. In that case, you disable a service by opening its configuration file and changing the disable = no line to disable = yes (Fig.2). You will need to do this for each service you want disabled.

When you’ve finished editing these files, issue the command /sbin/service xinetd restart to pick up the changes.
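The two edits described above (commenting out lines in inetd.conf, and flipping disable = no to disable = yes in an xinetd.d file) are easy to script, and scripting them lets you check the result rather than eyeballing it. The helpers below are an added example, not code from the Silicon Chip article; every file they touch is a constructed sample written to a temporary directory, never the live /etc, and the service names and layouts are modelled on the article’s own ftp and telnet lines.

```shell
#!/bin/sh
# Added example, not code from the Silicon Chip article: small helpers that
# make the article's edits to an inetd.conf-style file and an xinetd.d service
# file, then report what is still enabled. Every file written here is a
# constructed sample in a temporary directory, never the live /etc.

# Comment out each service named in the space-separated list $2 in the
# inetd.conf-style file $1. Only lines that start with the service name
# followed by whitespace are touched; lines already commented stay as they are.
disable_inetd_services() {
    file=$1
    services=$2
    for svc in $services; do
        sed "s/^\($svc[[:space:]]\)/# \1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# Change "disable = no" to "disable = yes" in the xinetd.d service file $1.
disable_xinetd_service() {
    file=$1
    sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no[[:space:]]*$/\1yes/' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Print the first field of every non-blank, non-comment line in $1: the
# services inetd would still start from that file.
enabled_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Print "enabled" or "disabled" for the xinetd.d service file $1. A file with
# no "disable" line at all leaves the service enabled, so that is the default.
xinetd_service_state() {
    awk 'BEGIN { state = "enabled" }
         /^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes/ { state = "disabled" }
         END { print state }' "$1"
}

# Write constructed sample files into directory $1: a three-service inetd.conf
# and an xinetd.d entry for telnet with the service still enabled.
write_sample_configs() {
    dir=$1
    printf '%s\n' \
        '# constructed inetd.conf sample' \
        'ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a' \
        'telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd' \
        'pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d' \
        > "$dir/inetd.conf"
    printf '%s\n' \
        '# constructed xinetd.d/telnet sample' \
        'service telnet' \
        '{' \
        '        disable         = no' \
        '        socket_type     = stream' \
        '        server          = /usr/sbin/in.telnetd' \
        '}' \
        > "$dir/telnet"
}

# Walk through the article's procedure on the sample files and print the
# result: after editing, only pop-3 is left for inetd and telnet is disabled
# in xinetd. Restarting inetd or xinetd is still a separate step.
demo_service_audit() {
    dir=$(mktemp -d)
    write_sample_configs "$dir"
    disable_inetd_services "$dir/inetd.conf" "ftp telnet"
    disable_xinetd_service "$dir/telnet"
    echo "inetd services still enabled:"
    enabled_inetd_services "$dir/inetd.conf"
    echo "xinetd telnet entry: $(xinetd_service_state "$dir/telnet")"
    rm -r "$dir"
}

demo_service_audit
```

The sed edits write to a temporary file and move it into place so the script works with both GNU and BSD sed. Running enabled_inetd_services against the real /etc/inetd.conf after editing is a quick way to confirm that nothing you meant to turn off is still listed.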
Note that many services will already be disabled by default. Note too that not all network services are started through inetd or xinetd. Instead, some are started when the system boots.
An easy way to disable (or re-enable) services is to use the ntsysv utility that’s included in both Red Hat Linux and Mandrake Linux. Issuing the command ntsysv brings up the tool as shown in Fig.3 below. You use the tab and arrow keys to move around, the spacebar to select or deselect a service and the F1 key to obtain a description of the selected service.
Note that the ntsysv command on its own only configures your current run level. If you want to configure other run levels, then you need to include the level switch. For example, ntsysv --level 3456 lets you configure services for run levels 3, 4, 5 & 6.
Don’t turn off all the services listed by the ntsysv utility, as this could cause problems. Only turn off those network features that you don’t need. As a rule, you can turn off telnet, wu-ftp & tftp (both FTP servers), httpd (the Apache web server) and finger (this allows remote clients to identify local users).
If you don’t need any of the Internet super services started by inetd or xinetd, you can disable these as well. That simple step will stop all the services launched by inetd or xinetd in one swoop (after restarting, that is).
Restricting access to services
Any services that are left running in /etc/inetd.conf can be secured by “TCP wrappers”. For example, you might want to use your Linux box as a local web or email server.

The idea here is to restrict access to services based on the host’s IP address. There are two files to edit here: /etc/hosts.deny and /etc/hosts.allow.

First, open up the /etc/hosts.deny file and add the following rule to the end of the commented section:
# /etc/hosts.deny
ALL: ALL

This tells the “TCP wrappers” to deny connections to all services from all hosts. It will also stop local machines on your network from accessing any wanted services, so we need to weaken the rules by adding some exceptions to /etc/hosts.allow. Open this file and add these lines:
# /etc/hosts.allow
ALL: 127.0.0.1
ALL: 192.168.0.
This tells the “TCP wrappers” to allow connections to the services in /etc/inetd.conf from the local machine (127.0.0.1) and from the local network (192.168.0.). And yes, you must include the full stop at the end of the second line.

Fig.3: the ntsysv utility makes it easy to disable individual services. You can also disable multiple services by turning off inetd or xinetd.

Check These Websites For Firewall Tools & Linux Security
Security really is a big subject and we’ve only covered the basics in this series. If you want to find out more, point your web browser to: http://www.linuxfirewall.org
Included on this website are a number of firewall tools that you can use to create your own ipchain rules. In particular, take a look at PMFirewall and the Firewall Design Tool. These are both script files that ask you a series of questions and then create firewall rules based on your answers.
Other tools worth looking at are Kfirewall 0.4.2 (which is a GUI front end for ipchains) and Gnome-Lokkit 0.43.
Another good Linux security website is located at http://www.linux-firewall-tools.com/linux (be sure to check the Firewall & LAN Security FAQ on this site).
An excellent text on Linux security and other topics is Securing & Optimizing Linux: RedHat Edition. This publication includes an ipchains firewall and is available for free download from: www.linuxdoc.org/LDP/solrhe
The Linux Network Administrators Guide, 2nd Edition is another excellent reference on security and firewalls (both ipchains and iptables). You can download it from: www.ibiblio.org/pub/Linux/docs/linux-doc-project/nag2

What about iptables?
Recent distributions of Linux (eg, RedHat 7.0 and later) include a replacement for ipchains called iptables – although ipchains is still included and you can still run the ipchains firewall. The very latest releases, however, don’t have ipchains compiled into the kernel but generally include it as a loadable module. In that case, try adding the following lines at the very beginning of the rc.firewall script (we haven’t tested this, by the way):
# Load ipchains module
/sbin/modprobe ipchains
Alternatively, you could use an iptables firewall script. The following two websites list iptables firewalls:
www.spodzone.org.uk/packages/secure/iptables.sh
www.amber.co.uk/iptablesrc
The Linux Network Administrators Guide, 2nd Edition also includes an iptables firewall.

Don’t Take Security For Granted
For the home user, running the simple ipchains firewall from the June issue and turning off all external services makes for a fairly secure system. Just keep an eye on the log files for any untoward activity and you should be OK.
That said, we don’t offer any guarantees – the net is not a safe place! If security is vital to your organisation, be sure to seek expert professional advice when it comes to setting up a firewall. Don’t just rely on the advice given in our articles.
It’s also vital that you install the latest updates and security fixes, to prevent a hacker from taking advantage of a known security hole. You can get these from your distribution’s website (eg, www.redhat.com) or by visiting www.securityfocus.com

Fig.4 (left): chkconfig --list lets you quickly check which services are running.
Fig.5 (below): the netstat utility shows which services are listening for TCP packets.
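It helps to see why the order of the two files and that trailing full stop matter. The script below is an added example, not code from the article: it models the checks tcpd makes against hosts.allow and hosts.deny for a single connection, using only the three kinds of client pattern the article uses (ALL, an exact address, and a network prefix ending in a full stop). Real tcpd also understands hostnames, netmasks, EXCEPT clauses and more; those are left out. The rule files are constructed copies of the article’s two examples, written to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the article: a simplified model of the checks
# tcpd makes against /etc/hosts.allow and /etc/hosts.deny for one connection.
# It understands only the patterns the article uses (ALL, an exact address,
# and a trailing-dot network prefix such as "192.168.0."); real tcpd also
# handles hostnames, netmasks, EXCEPT clauses and more. The rule files are
# constructed samples written to a temporary directory.

# Return 0 if client address $2 matches client pattern $1.
client_matches() {
    pattern=$1
    client=$2
    case $pattern in
        ALL)
            return 0 ;;
        *.)
            # A pattern ending in a full stop matches any address that starts
            # with it, which is why "192.168.0." covers the whole LAN.
            case $client in
                "$pattern"*) return 0 ;;
            esac
            return 1 ;;
        *)
            # Anything else must match the address exactly.
            [ "$pattern" = "$client" ] ;;
    esac
}

# Return 0 if daemon name $2 appears in the comma-separated daemon list $1
# (or the list says ALL).
daemon_matches() {
    for d in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# Return 0 if any "daemons : clients" rule in file $1 matches daemon $2 and
# client $3. Blank lines and comments are skipped.
file_matches() {
    file=$1
    daemon=$2
    client=$3
    while IFS=: read -r daemons clients || [ -n "$daemons" ]; do
        daemons=$(printf '%s' "$daemons" | tr -d ' \t')
        case $daemons in
            ''|\#*) continue ;;
        esac
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            if daemon_matches "$daemons" "$daemon" && client_matches "$c" "$client"; then
                return 0
            fi
        done
    done < "$file"
    return 1
}

# tcpd's order: hosts.allow is consulted first and a match allows the
# connection; then hosts.deny, where a match denies it; a connection that
# matches neither file is allowed. That default is why the article adds
# "ALL: ALL" to hosts.deny before opening exceptions in hosts.allow.
wrappers_decision() {
    allow_file=$1
    deny_file=$2
    daemon=$3
    client=$4
    if file_matches "$allow_file" "$daemon" "$client"; then
        echo allow
    elif file_matches "$deny_file" "$daemon" "$client"; then
        echo deny
    else
        echo allow
    fi
}

# Write the article's two rule files (constructed copies) into directory $1.
write_sample_rules() {
    printf '%s\n' '# /etc/hosts.deny' 'ALL: ALL' > "$1/hosts.deny"
    printf '%s\n' '# /etc/hosts.allow' 'ALL: 127.0.0.1' 'ALL: 192.168.0.' > "$1/hosts.allow"
}

# Try a few clients against the sample rules and print each decision.
demo_wrappers() {
    dir=$(mktemp -d)
    write_sample_rules "$dir"
    for client in 127.0.0.1 192.168.0.5 203.0.113.7; do
        printf '%-12s %s\n' "$client" "$(wrappers_decision "$dir/hosts.allow" "$dir/hosts.deny" in.ftpd "$client")"
    done
    rm -r "$dir"
}

demo_wrappers
```

With the article’s rules, 127.0.0.1 and 192.168.0.5 are allowed and an outside address such as 203.0.113.7 is denied. Drop the full stop from the second hosts.allow line and 192.168.0 becomes an exact address that no real client has, so the whole LAN falls through to the ALL: ALL rule in hosts.deny; remove the hosts.deny rule instead and every unmatched client is allowed, which is the default you are trying to get away from.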
Finding out what’s running?
You can quickly find out what services are running using the command chkconfig --list. This begins by listing all the system services and their run levels, then lists the services managed by xinetd (see Fig.4).

You can also use chkconfig to turn a service off. For example, chkconfig --level 345 xinetd off turns xinetd off at run levels 3, 4 and 5. You will have to reboot for the change to take effect.
Another handy tool is the netstat utility. This is used to show which services are listening for TCP packets. Typing netstat -ant, for example, gives a response as shown in Fig.5. In this case, ports 6000, 139, 515, 22, etc are listening and you can find out which services these correspond to by looking in /etc/services.
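Looking each port up in /etc/services by hand gets tedious, so here is the same check as a script. This is an added example, not code from the article: it pulls the LISTEN lines out of netstat -ant output and maps each port to its tcp service name. The netstat output and the /etc/services excerpt are constructed samples modelled on the article’s Fig.5 (ports 6000, 139, 515 and 22), with one extra listener on port 10000 to show how an unknown port is reported; they are not captures from a real system.

```shell
#!/bin/sh
# Added example, not code from the article: turn the LISTEN lines of
# "netstat -ant" output into "port service" pairs by looking each port up in
# an /etc/services-style file, which is the check the article suggests doing
# by hand. The netstat output and services excerpt are constructed samples
# modelled on the article's Fig.5; they are not captures from a real system.

# Constructed netstat -ant output: four listening sockets plus one established
# connection, and a listener on a port the services file does not know.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:22          192.168.0.5:1034        ESTABLISHED'

# Write a constructed excerpt in /etc/services format to file $1.
write_sample_services() {
    printf '%s\n' \
        '# constructed /etc/services excerpt' \
        'ssh             22/tcp' \
        'ssh             22/udp' \
        'netbios-ssn     139/tcp' \
        'printer         515/tcp         spooler' \
        'x11             6000/tcp        X' \
        > "$1"
}

# Read netstat -ant output on stdin and print each local TCP port in LISTEN
# state once, in numeric order. The port is whatever follows the last colon
# of the "Local Address" column, so IPv6 forms such as ":::22" also work.
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# Read port numbers on stdin and print "port name" for each, using the
# services file $1; a port with no tcp entry is reported as "unknown".
name_ports() {
    services=$1
    while read -r port; do
        name=$(awk -v p="$port" '$2 == (p "/tcp") { print $1; exit }' "$services")
        printf '%s %s\n' "$port" "${name:-unknown}"
    done
}

# Full audit: netstat output on stdin, services file $1, "port name" lines out.
audit_listening() {
    listening_ports | name_ports "$1"
}

# Run the audit over the constructed sample and print it.
demo_listening_audit() {
    dir=$(mktemp -d)
    write_sample_services "$dir/services"
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listening "$dir/services"
    rm -r "$dir"
}

demo_listening_audit
```

On a real machine you would run netstat -ant | audit_listening /etc/services instead of feeding it the sample. Anything reported as unknown, or any named service you did not expect to see, is the first thing to go back and switch off with the methods described earlier.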
Finally, you should check out the “Firewall And Proxy Server Howto”, along with these two documents: (1) “Controlling Access To Services” from www.polarhome.com/service/manual/RedHat/s1-sysadmin-access; and (2) “Securing Your Net Connection” from www.noether.freeserve.co.uk/secure.