Much of this document is concerned with security-related software --- that is, software added to the basic operating-system. However, in this section we consider steps which should be taken towards securing a system which do not involve such software: removing unnecessary services --- software listening for connections from remote hosts; ensuring (vendor-supplied) patches and updates are applied; and chrooting services.

Unnecessary Services: NFS, Sendmail and Others

Any service --- daemon listening on a port for requests for sessions from remote hosts --- potentially opens a door for a would-be intruder, for example, through buffer overflows. As a general rule, therefore, run services which listen on TCP and UDP ports, like NFS, Sendmail (or other mail delivery agent) and FTP only if you really need to.

An alarming number of Unix/Linux installations run an equally alarming number of services by default. To change this quickly and easily (without uninstalling anything) simply edit: on older versions of Linux, /etc/inetd.conf; on newer versions of Linux, the xinetd configuration; on Solaris, /etc/inetd.conf.

Of course, applying all available patches and making use of the security-related software mentioned below, will make your system "quite secure", but nothing is as good as simply eliminating crackable services.

On most Unix systems, a programme needs to have root privileges to run a service on a port number less than 1024 (e.g., SMTP on port 25; telnet on 23; HTTP on 80). However, once a programme has bound to a given port (below 1024) there is not usually any reason why root privileges need to be maintained --- most programmes then drop these privileges and run as, for example, nobody, a user with almost no privileges. Apache can do this and does on most systems.

Some email servers do not give up root privileges after initialisation, the classic example being sendmail. Through buffer-overflows it is sometimes possible to trick a daemon listening on a port into running arbitrary code with the daemon's uid --- if this is root then the intruder can potentially take control of the system.

In short, if it is possible to run a service without root privilege, do so!

Wrapping Services

One can further reduce the probability of a system being compromised through a security hole in a service by wrapping daemons.

chrooting Services

The chroot command forces a program to run under a subset of the file system, without allowing access from it to any other parts of the file system --- anonymous ftp is commonly handled this way. For example,

chroot /var/local/ftpd ftpd

Unfortunately setting up, for example, a web-server chrooted is not as simple as it might seem --- all files that the daemon (in this case it could be httpd) need must be accessible within the subset of the file system: configuration files (which might reside in /etc), shared-object files (which could be in /usr/lib)... Guides for chrooting a web-server can be found below.

More

• A step-by-step example of chrooting a web-server at at the NCSA web-site.
• A second guide to chrooting a web-server at penguin.epfl.ch.
• Whilst using chroot helps make daemons/services more secure, it's certainly not impossible to break out of a chroot.

As security holes are found in software, they are fixed and patches and updates posted --- get these and install them; unpatched systems are a mine of opportunity to a potential intruder. There are many web sites to watch, including those from RedHat and Solaris, where patches and updates are posted for download and installation.

2.2.1. RedHat Linux

• RedHat offer regular Update Service Packages on CDs.
  
  
• For those interested in automatic downloads and updates, RedHat offer support through their RedHat Network. From the web site: Red Hat Network is an Internet solution for managing one or more Red Hat Linux systems. All Security Alerts, Bug Fix Alerts, and Enhancement Alerts (collectively known as Errata Alerts) can be retrieved directly from Red Hat. You can even have updates automatically delivered directly to your system as soon as they are released... One system can be registered for free, others require a fee. (Though of course, updated packages can be pushed out to other RedHat machines.)
  
  
• Alternatively, all updates from RedHat can be found at their FTP site. Regular inspection of this site and comparison to the current state of your system can be eased greatly by regularly running a script designed to check FTP-sites for new updates and download them.

2.2.2. SuSE Linux

YaST2 has an on-line update module. You don't need to register to run this. You need to run this as root.

2.2.3. Debian Linux

Debian has had apt-get for years. Simply run apt-get [-u] update and sit back.

2.2.4. Solaris

• Sun summarise released and upcoming patches on their main web site. There is also a separate site from which you can download patches patches and view security bulletins.

2.2.5. Other

• Security Focus (BugTraq) provides just that: vulnerabilities and patches are listed for Microsoft products, Solaris and Linux. There are also articles by "columnists" and information on security-related tools.
  
  
• The CERT Coordination Center (CERT/CC). From the web site: The CERT is a center of Internet security expertise, at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. We study Internet security vulnerabilities, handle computer security incidents, publish security alerts, research long-term changes in networked systems, and develop information and training to help you improve security at your site.
  
  
• FIRST (Forum of Incident Response and Security Teams). From the web site: This coalition, the Forum of Incident Response and Security Teams (FIRST), brings together a variety of computer security incident response teams from government, commercial, and academic organizations.