Chapter 12. Securing TCP and UDP Services

Connecting a Unix computer to the Internet is not an action that should be taken lightly. Although the TCP/IP protocol suite and the Unix operating system themselves have few inherent security problems, many security flaws have been found with their specific implementations and distributions. Before you place a Unix computer on the Internet, you must make certain that no security problems have been reported with the specific software release that you intend to use. Otherwise, you may find that your machine is identified, broken into, and compromised before you even have a chance to download the latest software patch!

Generally speaking, there are two ways to assure the security of a Unix system that you intend to place on the Internet:

• You can install the latest release of your vendor's operating system onto a freshly formatted hard drive on a clean computer. Then, using a second computer, go to the vendor's web site and download any software patches, fixes or updates. Copy those updates from the second computer to your new machine, install the updates, and then place your new computer on the Internet. Once the computer is on the Internet, be vigilant: get on all of the mailing lists for software updates, be on the lookout for security flaws, and install the patches as quickly as humanly possible (see Chapter 17 for more details about this process).

• Alternatively, you can get an old computer that uses an operating system and a hardware architecture that is not widely used. Install your operating system on this hardware. Search the Web and security- related mailing lists to see if any security problems have been reported with the specific combination of hardware and software that you intend to use. If you can find no reports of flaws, you are probably safe.

You can combine these two approaches if you wish. For example, you could purchase a SPARC-based computer, but instead of running Sun's Solaris, run a copy of OpenBSD. There are few known exploits for the OpenBSD operating system; if new exploits are discovered , it is likely that they will be developed for OpenBSD running on Intel, rather than OpenBSD running on SPARC-based systems. (Note, however, that using an unusual combination of software and hardware does not mean that you do not need to still watch for security vulnerability announcements and patch them as necessary. Furthermore, using unusual systems may make you vulnerable to exploits that have simply not been addressed on your system because nobody has gotten around to them yet.)

No matter what underlying hardware and software you decide upon, you need to understand the specific services that your Unix-based computer is making available to the Internet. There are literally thousands of network servers available for hundreds of Internet protocols that run on Unix systems. Each of these servers has its own security issues. While this chapter cannot discuss them all, it does introduce the most popular ones, explore their security issues, and give you a framework for understanding other servers that we do not mention.

For additional information on Unix Internet servers and their security issues, we especially recommend the following books:

• Web Security, Privacy and Commerce , by Simson Garfinkel with Gene Spafford (O'Reilly, 2001).

• Building Internet Firewalls , by Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman (O'Reilly, 2000).

• DNS and BIND , by Paul Albitz and Cricket Liu (O'Reilly, 2001).

• Sendmail , by Bryan Costales with Eric Allman (O'Reilly, 2002).

• Unix Network Programming , by W. Richard Stevens (Prentice Hall, 1998).

Other references are listed in Appendix C.