There are several ways of customizing the network interfaces of the system to create a more secure system. One way is to unplug it from the wall, turn off the power and use it as a paperweight. As this is generally not the most useful mode of operation for your Linux system, one must make some modifications to keep people out while still allowing others to get their work done.
I. The /etc/inetd.conf file and tcp_wrappers
A. Services listed in /etc/inetd.conf, with those disallowed by default or by Fermi policy noted:
   ftp
   telnet
   gopher
   smtp      disallowed by default
   nntp      disallowed by default
   shell
   login
   exec      disallowed by default
   talk
   pop-2     disallowed by Fermi
   pop-3     disallowed by Fermi
   imap      disallowed by Fermi
   uucp      disallowed by default
   finger
   netstat   disallowed by default
   time
   auth
B. The pop and imap services are disallowed at the Lab due to serious problems in the past with security holes in these services. To disallow a service, such as the useless gopher service, simply comment out its line in /etc/inetd.conf by adding a # sign to the front of the line, then make inetd re-read the file: either send a kill -HUP to the inetd process ID, or restart it through the rc script, i.e., '/etc/rc.d/init.d/inet restart'. A commented-out line removes the listener entirely; nothing else needs to be uninstalled.
C. tcp_wrappers are a way to filter and log access from remote systems. They only cover services whose /etc/inetd.conf line runs the daemon through /usr/sbin/tcpd. Note the order of evaluation: /etc/hosts.allow is consulted first, then /etc/hosts.deny, and a host matched by neither file is allowed in, so everything should first be denied in /etc/hosts.deny with an ALL: ALL line.
Access should then be granted on a service, machine or subnet basis in the /etc/hosts.allow file thusly:
ftp: .fnal.gov @dcdsv0.fnal.gov
ALL: .fnal.gov
The first line will allow anyone whose host name ends in .fnal.gov (the Fermi DNS domain, not a subnet) and any member of the NIS netgroup dcdsv0.fnal.gov (the @ marks a netgroup) to ftp to the machine. The second line will allow all wrapped services to anyone in the fnal.gov domain. Hostname-based rules depend on reverse DNS, so a client whose address does not resolve back to a .fnal.gov name will be refused.
2. tcpd logs each connection it accepts or refuses through syslog; on these systems the entries go to /var/log/messages.
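The inetd.conf editing in B and the hosts.allow/hosts.deny pair in C, as an added shell example that is not part of the original Fermi page. It works on a constructed copy of /etc/inetd.conf in a temporary file so it can be run unprivileged; the sample service lines and the temporary hosts files are constructed here, and the restart command is shown as a comment because it needs root on the real system.

```shell
#!/bin/sh
# Added example, not from the original Fermi page: disable inetd services on a
# copy of /etc/inetd.conf and write the matching tcp_wrappers files. The sample
# inetd.conf below is constructed; the real file lives at /etc/inetd.conf.

# Comment out every active line in file $1 whose first field is the service $2.
disable_inetd_service() {
    _tmp=$(mktemp) || return 1
    # A service line begins with the name followed by whitespace; lines that
    # are already commented start with '#' and are left alone.
    sed "s/^\($2[[:space:]]\)/#\1/" "$1" > "$_tmp" && mv "$_tmp" "$1"
}

# Succeed if service $2 is still active (uncommented) in file $1.
inetd_service_enabled() {
    grep -q "^$2[[:space:]]" "$1"
}

# Constructed sample in the Red Hat 5.x layout. The /usr/sbin/tcpd server field
# is what subjects a service to /etc/hosts.allow and /etc/hosts.deny.
INETD_CONF=$(mktemp)
cat > "$INETD_CONF" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
gopher  stream  tcp  nowait  root  /usr/sbin/tcpd  gn
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
finger  stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
EOF

# Services the Lab disallows (gopher is simply useless).
for svc in gopher pop-3 imap; do
    disable_inetd_service "$INETD_CONF" "$svc"
done

# tcp_wrappers policy: deny everything, then grant by service, host or domain.
# Written to temporary files here; the real files are /etc/hosts.deny and
# /etc/hosts.allow. hosts.allow is consulted first, then hosts.deny; a host
# matched by neither is allowed, so the ALL: ALL line is what makes the policy
# default-deny.
HOSTS_DENY=$(mktemp)
HOSTS_ALLOW=$(mktemp)
cat > "$HOSTS_DENY" <<'EOF'
ALL: ALL
EOF
cat > "$HOSTS_ALLOW" <<'EOF'
ftp: .fnal.gov @dcdsv0.fnal.gov
ALL: .fnal.gov
EOF

# Make inetd re-read its configuration (needs root; shown, not run here):
#   kill -HUP `cat /var/run/inetd.pid`      or      /etc/rc.d/init.d/inet restart
```

After the run, the three disallowed services are commented out and the allowed ones are untouched; run the same loop against the real /etc/inetd.conf as root and then send inetd the HUP.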
B. xntp3 is the NTP package; its daemon syncs the system clock to other systems on the subnet or to servers elsewhere in the world, for example the cesium clocks at the US Naval Observatory or at the National Institute of Standards and Technology.
C. xntp3 is run at boot time, so symbolic links should reside in the /etc/rc.d/rc3.d and rc5.d directories pointing to /etc/rc.d/init.d/xntpd3. Look at the startup script in the init.d directory and make sure that the daemon is started with the -b option. This puts xntpd3 in broadcast-client (listen) mode: it syncs the system clock from the periodic time broadcasts sent by the subnet routers. Bear in mind that a broadcast client takes time from anything broadcasting NTP on the subnet unless NTP authentication keys are configured.
2. To configure a Linux system as an NFS server the nfs daemon must be installed and started, and the /etc/exports file must contain volume, machine and permission entries. An example entry specifies that the directory /mnt/51home/redhat-5.1 can be exported to topaz.fnal.gov in read-only mode. Always name the client hosts and the permission explicitly: an entry with no client list is exported to every host that can reach the server.
3. Run 'exportfs' so that the NFS daemons re-read /etc/exports and the new entry takes effect.
b. Add an entry to the /etc/fstab file. The fields are, in order, the machine and volume, the mount point, the filesystem type (nfs), the mount options, and the dump and fsck order. The options used here are soft, meaning that a request which keeps timing out fails with an error instead of hanging the process forever; intr, meaning a hung request can be interrupted with a signal; and ro, meaning the volume is mounted read-only.
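The export entry from 2 and the fstab entry from b, reconstructed from the descriptions above as an added example that is not part of the original page, together with a small audit of an exports file for permissive entries (which goes beyond the text by checking for the mistakes the client list and permission fields guard against). The server name nfsserver.fnal.gov and the mount point /mnt/nfs are assumptions; the sample exports file is constructed and written to a temporary file.

```shell
#!/bin/sh
# Added example, not from the original page: the /etc/exports and /etc/fstab
# entries the text describes, reconstructed from its wording, and a small
# audit of an exports file for permissive entries. The server name
# nfsserver.fnal.gov and the mount point /mnt/nfs are assumed; the sample
# exports file is constructed and written to a temporary file.

# Print one finding per risky export in file $1. Flags entries with no client
# list, wildcard clients, read-write access, and unsquashed root. An entry
# without an explicit ro is also reported: the old user-space nfsd defaulted
# to rw and later nfs-utils to ro, so never rely on the default.
audit_exports() {
    set -f   # keep '*' in client lists from being expanded as filenames
    while read -r dir hosts; do
        case "$dir" in ''|\#*) continue ;; esac
        if [ -z "$hosts" ]; then
            echo "$dir: no client list, exported to every host"
            continue
        fi
        for spec in $hosts; do
            host=$(printf '%s\n' "$spec" | sed 's/(.*//')
            opts=$(printf '%s\n' "$spec" | sed -n 's/^[^(]*(\(.*\))$/\1/p')
            case ",$opts," in
                *,rw,*) echo "$dir: read-write for $host" ;;
                *,ro,*) ;;
                *)      echo "$dir: no explicit ro for $host" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$dir: root not squashed for $host" ;;
            esac
            case "$host" in
                ''|'*') echo "$dir: wildcard client, any host can mount" ;;
            esac
        done
    done < "$1"
    set +f
}

# Server side: the entry the text describes, plus two risky ones for contrast.
EXPORTS=$(mktemp)
cat > "$EXPORTS" <<'EOF'
# constructed sample of /etc/exports
/mnt/51home/redhat-5.1  topaz.fnal.gov(ro)
/home                   *.fnal.gov(rw,no_root_squash)
/pub
EOF

# After editing the real /etc/exports, run as root:  exportfs

# Client side: the /etc/fstab entry the text describes. Fields are
# machine:volume, mount point, type, options, dump, fsck order. soft: a request
# that keeps timing out fails with an error instead of hanging; intr: it can be
# interrupted with a signal; ro: read-only. Server name and mount point are
# assumed.
#   nfsserver.fnal.gov:/mnt/51home/redhat-5.1  /mnt/nfs  nfs  soft,intr,ro  0 0
```

Run against the sample, the audit reports nothing for the first entry and three findings for the other two; point it at the real /etc/exports before running exportfs.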
2. Set the domainname first manually by typing 'domainname <domain name>' where <domain name> is the NIS domain name (which is not the same thing as the DNS domain). To set this permanently, edit the /etc/sysconfig/network file and add the line NISDOMAIN=<domain name>.
3. Start the ypbind daemon. Run 'ntsysv' to make sure the daemon is added to the list of at-boot services.
4. Caveats:
2. Set the domainname as above; it must match the domain the clients bind to.
3. Run 'ypinit -m' to build the initial maps and make this host the master server.
4. Make sure the ypserv daemon is added to the services that are started at boot time. Run 'ntsysv' to do this.
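The client and server steps above as shell, an added example that is not part of the original page. The persistent NISDOMAIN setting is applied idempotently to a constructed copy of /etc/sysconfig/network; the domain name fnal-nis is a hypothetical stand-in for the Lab's real NIS domain, and the commands that need root (domainname, the ypbind and ypserv init scripts, ypinit, ntsysv) are shown as comments rather than run.

```shell
#!/bin/sh
# Added example, not from the original page: the NIS client and server steps
# as shell, with the persistent NISDOMAIN setting applied idempotently to a
# copy of /etc/sysconfig/network. The domain name fnal-nis is a hypothetical
# stand-in for the Lab's real NIS domain; the sample network file is constructed.

# Set NISDOMAIN=$2 in sysconfig file $1, replacing an existing line rather than
# appending a second one (with two NISDOMAIN lines the last one silently wins).
set_nis_domain() {
    _tmp=$(mktemp) || return 1
    if grep -q '^NISDOMAIN=' "$1"; then
        sed "s/^NISDOMAIN=.*/NISDOMAIN=$2/" "$1" > "$_tmp"
    else
        cat "$1" > "$_tmp" && echo "NISDOMAIN=$2" >> "$_tmp"
    fi
    mv "$_tmp" "$1"
}

# Print the NISDOMAIN value from sysconfig file $1 (empty if unset).
get_nis_domain() {
    sed -n 's/^NISDOMAIN=//p' "$1" | tail -n 1
}

# Constructed stand-in for /etc/sysconfig/network.
NETWORK=$(mktemp)
cat > "$NETWORK" <<'EOF'
NETWORKING=yes
HOSTNAME=topaz.fnal.gov
EOF

# Client, step 2: set the domain now and make it permanent.
#   domainname fnal-nis              (root; takes effect immediately)
set_nis_domain "$NETWORK" fnal-nis   # survives a reboot
set_nis_domain "$NETWORK" fnal-nis   # running it again must not add a duplicate

# Client, step 3: start ypbind and enable it at boot (root; not run here):
#   /etc/rc.d/init.d/ypbind start ; ntsysv
# Server, steps 2-4: same domain, build the maps, enable ypserv at boot:
#   domainname fnal-nis ; ypinit -m ; /etc/rc.d/init.d/ypserv start ; ntsysv
```

One caveat the page's Caveats heading does not spell out, added here: ypserv answers map queries from any host that knows the domain name, so the domain should not be guessable and the server's /var/yp/securenets should list only the Lab's networks.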