Secure your system

From LXF Wiki

Part 1 Find out what services you’re running

(Fig 1) Examining open ports on my laptop with lsof.

The most direct way to check which services are running on your machine is to explicitly query the open TCP and UDP ports, which you can do with the command lsof -i. Fig 1, right, shows a sample of the output, taken on my laptop, and I must confess that I don’t know what all that stuff on the screen is for. OK, I know that ‘portmap’ is the RPC portmapper and is used for services like NFS and NIS; I know that ‘master’ is the postfix mail transfer agent; and I know that ‘cupsd’ is something to do with printing. But surely those httpd2 (Apache) processes aren’t supposed to be there? Figuring out the purpose of these mystery daemons can be a challenge. Check if there’s a manual page, or try looking at the process hierarchy. For example, pstree shows that the hp and hpijs in Fig 1 are descendants of cupsd and therefore presumably related to printing. Here’s the relevant fragment of output:

$ pstree | head
     |       |                             |-sh---gs-+-hpijs
     |       |                                       |-sh---cat
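To turn the raw lsof -i listing into a short inventory of what is actually accepting connections, here is an added example (not from the article): it parses a constructed sample laid out like lsof output, keeps only listening TCP sockets and bound UDP sockets, and can then walk a daemon’s parent chain with ps(1). The sample data, listening_services and ancestry are this example’s own names.

```shell
#!/bin/sh
# Added example, not code from the LXF Wiki article.
# SAMPLE_LSOF is a constructed imitation of `lsof -nP -i` output
# (columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME).
# On a real system run `lsof -nP -i | listening_services` as root, because
# lsof only shows other users' sockets when run with enough privilege;
# -n and -P skip host/port name lookups so the fields stay predictable.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
portmap   812 rpc     4u  IPv4   1234      0t0  UDP *:111
portmap   812 rpc     5u  IPv4   1235      0t0  TCP *:111 (LISTEN)
master   1023 root   11u  IPv4   2345      0t0  TCP 127.0.0.1:25 (LISTEN)
cupsd    1100 root    3u  IPv4   3456      0t0  TCP *:631 (LISTEN)
httpd2   1400 root    4u  IPv6   4567      0t0  TCP *:80 (LISTEN)
httpd2   1401 wwwrun  4u  IPv6   4567      0t0  TCP *:80 (LISTEN)
sshd     1500 root    3u  IPv4   5678      0t0  TCP *:22 (LISTEN)
firefox  2200 bob    30u  IPv4   6789      0t0  TCP 10.0.0.5:4433->93.184.216.34:443 (ESTABLISHED)'

# listening_services: read lsof -i output on stdin and print one
# "command protocol port" line per distinct listening socket.
# UDP sockets have no state column; TCP ones are kept only in LISTEN,
# so outbound client connections (like the firefox line) are dropped.
listening_services() {
    awk 'NR > 1 && ($8 == "UDP" || $10 == "(LISTEN)") {
            n = split($9, addr, ":")      # port is the last ":"-separated field
            print $1, $8, addr[n]
        }' | LC_ALL=C sort -u
}

# ancestry PID: print "pid command" for PID and each parent up to init,
# the same question pstree answers for a mystery daemon. Needs a live system.
ancestry() {
    pid=$1
    while [ "$pid" -gt 1 ]; do
        set -- $(ps -o ppid=,comm= -p "$pid")
        [ -n "$1" ] || break                # no such process
        echo "$pid $2"
        pid=$1
    done
}

printf '%s\n' "$SAMPLE_LSOF" | listening_services
```

Anything in the summary you cannot name is a candidate for ancestry <pid> and the manual page, and then for switching off.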

There is probably little harm in running unnecessary services, but there’s always the possibility that they can be used to launch an attack. Buffer overflow attacks, in which a carefully crafted (and usually very long) data stream is presented to a server, can result in the server executing arbitrary code on behalf of an attacker. Such attacks are common, and rather depressingly are often successful.

For example, a buffer overflow vulnerability in the ProFTPd server allowed malicious users to gain root access to the machine by downloading a carefully crafted file in ASCII mode. This vulnerability was reported in September 2003 and is long since fixed; however, vulnerabilities have recently been reported in Skype, Adobe Reader, the Linux kernel and many other components.

By turning off services you don’t need, you significantly reduce your susceptibility to such attacks. The open source community is generally pretty quick to fix vulnerabilities discovered in their products, but of course that only helps you if you actually install the fixed version. In fact, the vast majority of attacks on computers are against vulnerabilities for which a patch is already available. That’s why it’s a good idea to subscribe to your Linux distributor’s update service, such as Red Hat’s Up2date, and check for updates on a regular basis. By “regular” I do not mean that you should do it every three months (every three days might be nearer the mark). Attackers will not considerately defer their attack until you’ve applied your quarterly updates.