Saturday, October 30, 2010

Disabling Unix daemons: IT audit findings on vulnerable Unix services

An important objective in Unix security is to disable services or daemons that are unnecessary for normal system operations. In this article we provide a short survey of Unix services that should be disabled on most Unix servers. Industry experience has shown these services to be vulnerable to attack.


By disabling vulnerable services, threats against Unix servers can be considerably reduced. IT security professionals and IT auditors generally treat this as a high priority. Fortunately, guidance is available on which services are usually required and which services are normally not needed and should be disabled.


To identify active services and their associated port numbers, we recommend using the Internet Assigned Numbers Authority (IANA). Services and ports have been standardized and documented in the online IANA well-known ports database (replacing the previous RFC 1700). This database is available at the URL provided in the References section below.


These standardized services and ports are independent of the Unix version or vendor. Each service has a port number and protocol (TCP/UDP) that are listed in the Unix /etc/inet/services file. Service-specific settings are configured in the file /etc/inet/inetd.conf. Unix file permissions and ownership of these critical files should be limited to administrators only; there is no reason to grant 'world' access.


The CIS Solaris benchmark recommends creating a secure baseline of system services. This snapshot makes it possible to monitor deviations and potential vulnerabilities. It is also useful to system administrators, security professionals and auditors.


The list of services presented below is derived from the Center for Internet Security (CIS) benchmark, the United States Department of Defense Security Technical Implementation Guide (STIG) and our professional IT audit experience. This list is not exhaustive, as there are potentially thousands of services that can be active. Because organizations have different needs, a custom approach is required to determine what is needed and what is not. The following services must be carefully analysed against the requirements of the organization and disabled if necessary.


- Telnet is the virtual terminal service. It is necessary only to telnet to your own server. Otherwise, it is not necessary.
- File Transfer Protocol (FTP). Two ports are used: one for FTP commands and one for the actual data transfer. It is necessary only on an FTP server. Otherwise, it is not necessary.
- Trivial File Transfer Protocol (TFTP). It is necessary only for TFTP boot servers. Otherwise, it is not necessary.
- The remote services rlogin/rsh/rcp are necessary only if the server must receive incoming requests. These services are vulnerable and usually not necessary.
- The remote service rexec is necessary only if the system must receive incoming 'exec' requests. It is a vulnerable service and is usually not necessary.
- DHCP is used to dynamically allocate IP addresses and other information on the network. It is necessary for a DHCP server. Otherwise, it is not necessary.
- SMTP is required to transport e-mail from system to system. It is only required if the system must receive mail from other systems. Otherwise, it is not necessary.
- Domain Name System (DNS) is the domain name resolution service. This service is required only if the server is a primary or secondary DNS server. It is not required for DNS clients.
- Network File System (NFS) is used to access remote file systems. It is used only if the system is an NFS server. Otherwise, it is not necessary.
- Network Information Service (NIS / NIS+) server is used for network authentication. It is only necessary on systems that are acting as an NIS server for the local site. Otherwise, it is not necessary.
- 'Routed' is used only if the system is a network router. It is almost always unnecessary.
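
As an added example (not part of the original article), the following shell script checks an inetd.conf-style file for the inetd-started services from the list above that are still enabled, and tests whether the file grants any 'world' permission. The inetd service names login, shell and exec (for rlogin, rsh/rcp and rexec), the function names and the sample file are assumptions of this example; standalone daemons such as DNS or NFS are not covered.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for services the article
# lists as usually unnecessary. Not code from the original article.

# Assumption: inetd.conf names for the article's inetd-started services.
# login = rlogin, shell = rsh/rcp, exec = rexec.
RISKY="telnet ftp tftp login shell exec"

# Print "service/protocol" for each risky service that is NOT commented out.
enabled_risky_services() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }   # skip comments and malformed lines
        ($1 in want) { print $1 "/" $3 }
    ' "$1" | sort -u
}

# Exit 0 if "other" (world) holds any read, write or execute bit on the file.
world_accessible() {
    [ -n "$(find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Constructed sample in classic inetd.conf format (not from a real system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# name  type   proto wait   user  program               args
telnet  stream tcp6  nowait root  /usr/sbin/in.telnetd  in.telnetd
#ftp    stream tcp6  nowait root  /usr/sbin/in.ftpd     in.ftpd
tftp    dgram  udp6  wait   root  /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
shell   stream tcp   nowait root  /usr/sbin/in.rshd     in.rshd
time    stream tcp6  nowait root  internal
EOF
chmod 644 "$SAMPLE"

echo "Enabled services to review:"
enabled_risky_services "$SAMPLE"
world_accessible "$SAMPLE" && echo "WARNING: $SAMPLE grants 'world' access"
```

Saving the output of `enabled_risky_services` and comparing it on later runs gives a simple form of the services baseline described above.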


References:

Unix Security Technical Implementation Guide (STIG). Version 5. 2005. United States Defense Information Systems Agency, United States Department of Defense. http://IASE.Disa.mil/stigs/Stig/UNIX-Stig-V5R1.PDF

Solaris Benchmark v2.1.3 (Solaris 10). The Center for Internet Security (CIS). 2007. http://www.cisecurity.org

Internet Assigned Numbers Authority (IANA). http://www.iana.org/assignments/port-numbers


Do you want to know more about Unix auditing? Continental Audit Services provides certified IT auditors at reasonable prices. IT best practices are applied to all major operating systems, databases and other technologies. Visit www.continentalaudit.com.

