Problem

Your server communicates with the surrounding network via services that listen on various open ports. Each open port is a potential point of entry for an attacker. To minimize your risk of attack, you want to make sure that you close all unnecessary open ports.

Solution

You shouldn't have any services or network daemons listening that you don't need. Use netstat to get a list of all network daemons and the ports they are listening on. The following command produces such a list:

    $ netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:7120            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN

The output of this command won't tell you what each service is, but you'll see the protocol (e.g., TCP) and the port each one is listening on. For example, there is a service listening on port 22 over TCP. You may recognize this as the sshd (secure shell) server used for logging into the server over the network. If you didn't know this, or if there are other services that you don't recognize, you can look up port numbers in the file /etc/services. This file simply contains a mapping of common services to the ports they commonly listen on, often with a short description of what the service is for. The following shows a portion of this file:

    $ less /etc/services
    ...
    ftp-data        20/tcp
    ftp             21/tcp
    fsp             21/udp          fspd
    ssh             22/tcp                  # SSH Remote Login Protocol
    ssh             22/udp
    ...

Once you've taken inventory of all the services on your system, you should shut down any that you don't really need to have running. This is usually as simple as uninstalling the package, but you may want to just disable it instead. On Debian GNU/Linux based systems, you can disable services by deleting or renaming the startup script for that service in the /etc/init.d directory. (On Red Hat systems, this directory is /etc/rc.d/init.d.)
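The inventory step above (read netstat's listening sockets, then look each port up in /etc/services) is easy to automate, and automating it makes it repeatable after every reboot or package change. The following POSIX shell script is an added example, not code from the original recipe; both inputs (the netstat output and the /etc/services excerpt) are constructed samples embedded in the script so it runs offline, and the function names are the author's own. It also separates sockets bound to a wildcard address (reachable from the network) from loopback-only ones, which is the distinction that matters when deciding which ports need justifying.

```shell
#!/bin/sh
# Added example: turn "netstat -an" output into an inventory of listening
# sockets, each labelled with its service name from /etc/services.
# The two inputs below are constructed samples, not captured from a real host.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7120            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Constructed excerpt in the /etc/services layout: name, port/proto, aliases, comment.
SAMPLE_SERVICES='# Network services, Internet style
ftp-data        20/tcp
ftp             21/tcp
fsp             21/udp          fspd
ssh             22/tcp                          # SSH Remote Login Protocol
ssh             22/udp
ntp             123/udp
mysql           3306/tcp
x11             6000/tcp        x11-0           # X Window System'

# lookup_service PROTO PORT SERVICES_TEXT: print the service name registered
# for PORT/PROTO, or "unknown" when the services file has no entry for it.
lookup_service() {
    ls_name=$(printf '%s\n' "$3" | awk -v want="$2/$1" '
        /^[ \t]*#/ || NF < 2 { next }      # skip comments and blank lines
        $2 == want { print $1; exit }')    # first match wins, as getservbyport would
    printf '%s\n' "${ls_name:-unknown}"
}

# list_listeners NETSTAT_TEXT SERVICES_TEXT: one line per listening socket as
# "proto port bind-address service". TCP sockets count when in LISTEN state;
# UDP sockets count when bound but unconnected (foreign address ends in ":*").
# Established connections are skipped: they are not entry points.
list_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ && ($6 == "LISTEN" || ($1 ~ /^udp/ && $5 ~ /:\*$/)) {
            n = split($4, a, ":"); port = a[n]           # port is after the last colon
            addr = substr($4, 1, length($4) - length(port) - 1)
            proto = $1; sub(/6$/, "", proto)            # tcp6/udp6 -> tcp/udp for lookup
            print proto, port, addr
        }' | while read -r ll_proto ll_port ll_addr; do
        printf '%s %s %s %s\n' "$ll_proto" "$ll_port" "$ll_addr" \
            "$(lookup_service "$ll_proto" "$ll_port" "$2")"
    done
}

# network_exposed NETSTAT_TEXT SERVICES_TEXT: only the listeners bound to a
# wildcard address (0.0.0.0 or ::), i.e. reachable from the network rather
# than from the loopback interface alone.
network_exposed() {
    list_listeners "$1" "$2" | awk '$3 == "0.0.0.0" || $3 == "::"'
}

echo "All listening sockets:"
list_listeners "$SAMPLE_NETSTAT" "$SAMPLE_SERVICES"
echo "Exposed on all interfaces:"
network_exposed "$SAMPLE_NETSTAT" "$SAMPLE_SERVICES"
# On a live host: list_listeners "$(netstat -an)" "$(cat /etc/services)"
```

On the sample, port 7120 comes back as "unknown" because the constructed services file has no entry for it; that is exactly the kind of listener to chase down by process (for example with lsof or fuser) rather than by port table, since /etc/services only records conventional assignments, not what is actually bound. The parser is written for netstat's column layout; ss, which replaces netstat on current Linux systems, prints different columns, so the awk field numbers would need adjusting there.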
To make sure you have really disabled a service, reboot your server and confirm that it has not been restarted automatically.

For those services that need to be running, such as ssh, you can reduce the risk of certain common attacks by having the service listen on a nonstandard port. The sshd daemon can be configured to listen on a high (nonprivileged) port by starting it with:

    $ sudo /usr/sbin/sshd -p 12345

This command tells sshd to listen on port 12345 instead of the default, port 22. You can also specify a new port in the sshd configuration file, such as:

    /etc/ssh/sshd_config:
    # Package generated configuration file
    # See the sshd(8) manpage for details

    # What ports, IPs and protocols we listen for
    Port 12345
    ...

To connect to the service, you'll have to specify this nonstandard port by passing the following option to your ssh client:

    $ ssh -p 12345 rob@example.com

(Note that disguising ports is a form of security through obscurity, which is a controversial principle in security engineering. A system relying on security through obscurity may not be secure at all.)

Discussion

Each service that is listening on a server requires the system administrator to spend a certain amount of energy making sure that newly discovered vulnerabilities are quickly patched. The fewer services you have running, the easier it will be to keep the remaining ones secure. Try to decide whether you really need each service on your system, and if you do, take the time to keep it secure.

The solution demonstrates one technique for minimizing the risk of a successful attack: moving the ssh daemon to a nonstandard port. This cuts down on the ease with which an attacker may try to brute-force his way into your system by guessing many different passwords with a script. With the service moved to a nonstandard port, an attacker has much less chance of knowing what that port is, and you greatly reduce your risk of having user accounts compromised.
Another way of securing a service is to restrict access to certain network addresses. For example, if you access your production server only from work and from home, you can add the following to your server's /etc/hosts.deny file:

    sshd: ALL EXCEPT 127.0.0.1,207.201.232.

This tells your server to deny all traffic to this service except from the addresses or networks in the list.
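The hosts.deny line above uses two pieces of tcp_wrappers syntax (documented in hosts_access(5)) that are easy to get wrong: ALL EXCEPT list, which denies everything not matched by the list, and the trailing dot in 207.201.232., which matches any address that begins with that string, so it covers the whole 207.201.232.0/24 network rather than a single host. The script below is an added example, not part of the original recipe, that evaluates a hosts.deny file the way the library does for those constructs, so a rule can be checked against sample client addresses before it is deployed. The sample file and the test addresses are constructed; the function names are the author's own, and only the ALL, exact-address, trailing-dot and single EXCEPT forms are modelled.

```shell
#!/bin/sh
# Added example: evaluate /etc/hosts.deny rules as tcp_wrappers (hosts_access(5))
# would, to see what a line like "sshd: ALL EXCEPT 127.0.0.1,207.201.232."
# actually blocks. Constructed sample file; addresses are documentation values.

SAMPLE_HOSTS_DENY='# /etc/hosts.deny (constructed sample)
# Only localhost and the 207.201.232.0/24 office network may reach sshd.
sshd: ALL EXCEPT 127.0.0.1,207.201.232.
# Nobody but localhost may reach the finger daemon.
in.fingerd: ALL EXCEPT 127.0.0.1'

# simple_list_matches LIST CLIENT: does CLIENT match a comma/blank-separated
# hosts_access list containing no EXCEPT? Handles ALL, an exact string, and
# the trailing-dot form ("207.201.232.") that matches any address starting
# with it. Other wildcards (LOCAL, KNOWN, ...) are not modelled here.
simple_list_matches() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case "$pat" in
            ALL) return 0 ;;
            *.)  case "$2" in "$pat"*) return 0 ;; esac ;;   # numeric prefix match
            *)   [ "$2" = "$pat" ] && return 0 ;;
        esac
    done
    return 1
}

# client_list_matches LIST CLIENT: as above, plus one "list_1 EXCEPT list_2"
# operator: the client matches list_1 unless it also matches list_2.
client_list_matches() {
    case "$1" in
        *" EXCEPT "*)
            simple_list_matches "${1%% EXCEPT *}" "$2" &&
                ! simple_list_matches "${1#* EXCEPT }" "$2" ;;
        *)  simple_list_matches "$1" "$2" ;;
    esac
}

# hosts_deny_blocks DAEMON CLIENT DENY_TEXT: succeed if some "daemon_list : client_list"
# line in DENY_TEXT denies CLIENT for DAEMON. Real tcpd consults hosts.allow first,
# and a match there grants access before hosts.deny is read; only the deny file is
# modelled here.
hosts_deny_blocks() {
    printf '%s\n' "$3" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac          # blank lines and comments
        dlist=${line%%:*}
        clist=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        if simple_list_matches "$dlist" "$1" && client_list_matches "$clist" "$2"; then
            echo denied
            break
        fi
    done | grep -q denied
}

# decision DAEMON CLIENT DENY_TEXT: print "deny" or "allow" for a quick table.
decision() {
    if hosts_deny_blocks "$1" "$2" "$3"; then echo deny; else echo allow; fi
}

for client in 127.0.0.1 207.201.232.17 207.201.23.17 203.0.113.5; do
    printf 'sshd from %-16s -> %s\n' "$client" "$(decision sshd "$client" "$SAMPLE_HOSTS_DENY")"
done
```

Running it shows 207.201.232.17 allowed but 207.201.23.17 denied, because the trailing dot makes the pattern a prefix on dotted-quad boundaries and not a free-text prefix. Two caveats when relying on this control: hosts.deny only governs daemons linked against libwrap or started through tcpd, and upstream OpenSSH removed libwrap support in version 6.7, so on a current system the line may be silently ignored unless the distribution patched support back in; a host firewall rule on port 22, or sshd_config directives such as AllowUsers with host patterns, provides the same restriction without that dependency.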