IT Auditor Recommendations on Locking down Vulnerable Unix Services


A major objective in Unix security is to disable services or daemons that are not needed for normal system operation. This article outlines the Unix services that should be disabled on Unix servers unless they are specifically required. Industry experience has shown that these services are vulnerable to attack.



Deactivating vulnerable services minimizes the threat to Unix servers, and doing so is a priority for IT security professionals and IT auditors. Guidance is available on which services are required and which ones should be shut down.



Consult the Internet Assigned Numbers Authority (IANA) to identify services and their port numbers. The IANA online database of well-known ports supersedes RFC 1700. The database is accessible via the URL given in the reference section below.



These standardized port numbers and service names are independent of Unix version or vendor. Each service has its own port number and protocol type (TCP/UDP) and is defined in the Unix /etc/inet/services file. The /etc/inet/inetd.conf file contains the specific configuration characteristics for each service. The Unix file permissions and ownership of these important files should be restricted to administrators only; there is no reason to allow access to everyone.



The CIS Solaris Benchmark recommends establishing a secure baseline of system services. This baseline can then be used to monitor for potential vulnerabilities and deviations, which benefits system administrators, security professionals, and auditors alike.



Our sources for the services shown below are the Center for Internet Security (CIS) Benchmark, the US Department of Defense Security Technical Implementation Guide (STIG), and our own professional IT audit experience. This list does not include every Unix service, since there could be thousands. The decision on which services are required is company specific. We suggest a careful examination of each of the following services to determine whether it should be active or inactive.



- Telnet (virtual terminal service): required only if users must log in to this server over Telnet; otherwise unnecessary.
- File Transfer Protocol (FTP): uses two ports, one for FTP commands and one for the actual data transfer. Required only on an FTP server; otherwise unnecessary.
- Trivial File Transfer Protocol (TFTP): required only on TFTP boot servers; otherwise unnecessary.
- Remote services (rlogin/rsh/rcp): required only if the server must handle inbound requests for these services. They are considered vulnerable and are normally not required.
- Remote execution (rexec): required only if the system must receive inbound "exec" requests. This is a risky service and generally not necessary.
- DHCP: dynamically assigns IP addresses and other network information. Needed only on a DHCP server; otherwise unnecessary.
- SMTP: moves mail messages from one system to the next. Needed only if the system must receive mail from other systems; otherwise unnecessary.
- Domain Name System (DNS) name resolution service: needed only if the server is a DNS primary or secondary server; not required on DNS clients.
- Network File System (NFS): used to mount remote file systems. Needed only on systems acting as an NFS server; otherwise unnecessary.
- Network Information Service (NIS/NIS+): performs authentication over the network. Required only on systems that function as NIS servers for the local site; not required on other systems.
- 'Route': needed only when the system is an Internet router; usually not needed.
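To turn the checks above (active inetd entries for the flagged services, and restricted permissions on the configuration file) into something an auditor can run, here is an added example script; it is not code from the article, the CIS Benchmark, or the STIG. It assumes an inetd.conf-style file, audits a constructed sample rather than a real system file, and the service names in RISKY_SERVICES are taken from the list above.

```sh
#!/bin/sh
# Added example, not code from the article, the CIS Benchmark or the STIG.
# Audits an inetd.conf-style file (Solaris: /etc/inet/inetd.conf) for
# uncommented entries of services the article says to disable unless
# required, and checks that the file is not world-writable.

# Services the article flags; adjust to your own baseline.
RISKY_SERVICES="telnet ftp tftp shell login exec bootps"

# audit_inetd FILE: print every active (uncommented) entry for a risky
# service. Return status is the number of such entries (0 = clean).
audit_inetd() {
    _n=0
    while IFS= read -r _line; do
        case "$_line" in
            ''|\#*) continue ;;   # blank or commented out: service not active
        esac
        _svc=$(printf '%s\n' "$_line" | awk '{print $1}')
        for _r in $RISKY_SERVICES; do
            [ "$_svc" = "$_r" ] || continue
            printf 'ENABLED: %s\n' "$_line"
            _n=$((_n + 1))
        done
    done < "$1"
    return $_n
}

# world_writable FILE: return 0 if "other" has write permission on FILE.
world_writable() {
    case "$(ls -ld "$1" | cut -c9)" in
        w) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inetd.conf for demonstration; not a real system file.
SAMPLE="${TMPDIR:-/tmp}/inetd_sample.$$"
cat > "$SAMPLE" <<'EOF'
# service socket proto wait   user   server-path           args
#ftp      stream tcp   nowait root   /usr/sbin/in.ftpd     in.ftpd
telnet    stream tcp   nowait root   /usr/sbin/in.telnetd  in.telnetd
shell     stream tcp   nowait root   /usr/sbin/in.rshd     in.rshd
#tftp     dgram  udp   wait   root   /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
finger    stream tcp   nowait nobody /usr/sbin/in.fingerd  in.fingerd
EOF
chmod 644 "$SAMPLE"
audit_inetd "$SAMPLE"; COUNT=$?          # expected: 2 (telnet, shell)
echo "risky inetd services enabled: $COUNT"
if world_writable "$SAMPLE"; then echo "WARNING: $SAMPLE is world-writable"; fi
```

Point audit_inetd and world_writable at the real /etc/inet/inetd.conf and /etc/inet/services to check a server; a non-zero return from audit_inetd is a finding to review against the company's service baseline.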



References:

Unix Security Technical Implementation Guide (STIG), Version 5. US Defense Information Systems Agency, US Department of Defense, 2005. http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf



Solaris Benchmark v2.1.3 (Solaris 10). The Center for Internet Security (CIS), 2007. http://www.cisecurity.org



Internet Assigned Numbers Authority (IANA), Port Numbers. http://www.iana.org/assignments/port-numbers



Are you in search of certified IT auditors at reasonable prices? Continental Audit Services is your source for managing risk, improving security, and complying with regulations. IT best practices are applied to all major operating systems, databases, and other technologies. Visit www.continentalaudit.com.

Last updated: 2022-09-08 12:58:38 AM