Help Files: Basic Unix Security Checklist


This checklist gives users a quick way to secure their system to a minimum level. The general idea in securing a UNIX machine is: disable any programs/daemons you don't need and use secure versions of the ones you do. For more information on securing UNIX systems, please refer to the UNIX Configuration Guidelines.

  • Review /etc/inetd.conf and disable all services you don't need. The following should be disabled:
        uucp    stream  tcp     nowait  root    /usr/sbin/uucpd         uucpd
        tftp    dgram   udp     wait    root    /usr/sbin/tftpd         tftpd
        daytime stream  tcp     nowait  root    internal                daytime
        daytime dgram   udp     wait    root    internal                daytime
        echo    stream  tcp     nowait  root    internal                echo
        echo    dgram   udp     wait    root    internal                echo
        discard stream  tcp     nowait  root    internal                discard
        discard dgram   udp     wait    root    internal                discard
        chargen stream  tcp     nowait  root    internal                chargen
        chargen dgram   udp     wait    root    internal                chargen
        time    stream  tcp     nowait  root    internal                time
        time    dgram   udp     wait    root    internal                time
        ftp     stream  tcp     nowait  root    /usr/sbin/ftpd          ftpd
        telnet  stream  tcp     nowait  root    /usr/sbin/telnetd       telnetd
        shell   stream  tcp     nowait  root    /usr/sbin/rshd          rshd
        login   stream  tcp     nowait  root    /usr/sbin/rlogind       rlogind
        exec    stream  tcp     nowait  root    /usr/sbin/rexecd        rexecd
    
        
    The following programs should either be disabled if you don't need them or be placed under access control.
     
        rquotad/1       dgram   rpc/udp wait    root    /usr/sbin/rpc.rquotad   rpc.rquotad
        rstatd/2-4      dgram   rpc/udp wait    root    /usr/sbin/rpc.rstatd    rpc.rstatd
        rusersd/1-2     dgram   rpc/udp wait    root    /usr/sbin/rpc.rusersd   rpc.rusersd
        sprayd/1        dgram   rpc/udp wait    root    /usr/sbin/rpc.sprayd    rpc.sprayd
        walld/1         dgram   rpc/udp wait    root    /usr/sbin/rpc.rwalld    rpc.rwalld
        finger          stream  tcp     nowait  root    /usr/sbin/fingerd       fingerd
        comsat          dgram   udp     wait    root    /usr/sbin/comsat        comsat
        talk            dgram   udp     wait    root    /usr/sbin/talkd         talkd
        
  • Install TCP Wrapper
    Use TCP wrapper to allow only certain hosts/users access to the daemons. For example, you can use TCP wrapper to allow only users in the .berkeley.edu domain to connect to your machine.

  • Install SSH
    SSH can be used to replace telnet, ftp, rlogin, rexec, and any other rpc* programs.

  • Install the latest patches from your vendor.

  • Enforce good password rules for your users. Remove all unneeded users from the system. However, remember that good passwords are useless if you use telnet or ftp, as they can be sniffed.
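
The /etc/inetd.conf review in the first checklist item can be scripted. The script below is an added example, not part of the original checklist: it flags uncommented entries for the services in the two lists above. The function names, the sample file, and the rule that an entry whose server program is tcpd counts as being under access control are assumptions.

```shell
#!/bin/sh
# Added example: audit an inetd.conf against the checklist's two service lists.

# Services the checklist says to disable outright.
DISABLE="uucp tftp daytime echo discard chargen time ftp telnet shell login exec"
# Services to disable unless they are needed and under access control.
RESTRICT="rquotad rstatd rusersd sprayd walld finger comsat talk"

# audit_inetd FILE   (FILE defaults to "-", i.e. standard input)
# Prints "ACTION service protocol" for every active (uncommented) entry the
# checklist covers. Returns 0 if nothing is flagged, 1 otherwise.
audit_inetd() {
    awk -v disable="$DISABLE" -v restrict="$RESTRICT" '
        BEGIN {
            n = split(disable, d, " ");  for (i = 1; i <= n; i++) dis[d[i]] = 1
            n = split(restrict, r, " "); for (i = 1; i <= n; i++) res[r[i]] = 1
        }
        /^[ \t]*#/ || NF < 6 { next }         # comments, blanks, short lines
        {
            name = $1; sub(/\/.*/, "", name)  # "rstatd/2-4" -> "rstatd"
            prog = $6; sub(/.*\//, "", prog)  # "/usr/sbin/tcpd" -> "tcpd"
            if (name in dis) {
                print "DISABLE", name, $3; bad = 1
            } else if ((name in res) && prog != "tcpd") {
                # Assumption: access control means the entry runs through tcpd.
                print "RESTRICT", name, $3; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input, not taken from a real host.
sample_conf() {
    cat <<'EOF'
#tftp      dgram  udp     wait   root /usr/sbin/tftpd      tftpd
telnet     stream tcp     nowait root /usr/sbin/telnetd    telnetd
echo       dgram  udp     wait   root internal             echo
finger     stream tcp     nowait root /usr/sbin/tcpd       fingerd
rstatd/2-4 dgram  rpc/udp wait   root /usr/sbin/rpc.rstatd rpc.rstatd
EOF
}

# Stand-alone run against the sample; on a real host: audit_inetd /etc/inetd.conf
sample_conf | audit_inetd - || true
```

After commenting out a flagged entry, inetd has to re-read its configuration (typically by sending it SIGHUP) before the service actually stops listening.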

 


Comments to consult@newton.berkeley.edu
© 1998-2009 UC Regents