> i'm trying to make my system as secure as possible, in light of recent > news of networks getting broken. the first thing i did was to turn off > services spawned by the inet daemon that i don't use. currently the > following are the only ones running - i didn't turn them off since i > don't know exactly what they do:
good. > discard > daytime turn both of these off, they are useless and potentially dangerous. > time unless something is using rdate to set it's time off of your computer, turn this off. > saft ?? What is this used for? is this like ftp? i have no idea what this is, and it isn't even in my debian inetd.conf so i'm not sure where it came from. look for what the daemon is called (the last argument on the line from inetd.conf which starts with saft) and read the man page. if there is no man page for it do this: # dpkg -S daemonname that will tell you which package it came from, then go into /usr/share/doc/package name and decide if you need it or not. most likely you do not. > cvspserver ?? is this safe to turn off? you don't need this unless you are doing source code work on your box and allowing other people to download that source via cvs (you would know if you were :-). > i dont quite know what discard, daytime, and time do is it safe to turn > these guys off? i run nntp - does nntp rely on daytime and time? you run a news server? are you sure you don't mean a news client? regardless it doesn't rely on either daytime, discard or time. > in general is it better to use tcpserver than the inet daemon. i run i've stayed away from qmail in general so i'm not really sure. my inclination would be to say stick with inetd until there is a feature in tcpserver that you really need, since inetd is pretty simple and more people will be able to help you with it ... but there may be compelling reasons to use tcpserver that i'm not aware of. > qmail which uses tcpserver and i'm planning to have sshd be spawned by > tcpserver. i've read the tcpserver is better than inet - does anyone > have any opinion on this? are there any draw backs to removing the inet > daemon completely? if i can turn off the services i've listed above i > would not have any use for inet. if nothing is running from inetd (common if you don't run telnet or ftp). > has anyone have any experience with SRP - Secure Remote Password. is i assume you read the slashdot article to hear abou srp? if not go look it up there (it was a few days ago, it should still be in the "older stuff" section). i've never used srp so no comment. > this similar to ssh. i've also looked at FreeS/WAN and it looks like a > very good solution to network security. is anyone using this now and > how is it working for you? while reading about FreeS/WAN i also came > across DNSSEC - DNS Security - featured in Bind-8.2.2p5, which i am > using. exactly what is this feature and how do i take advantage of it? frees/wan is a great solution if you need to have secure encrypted *IP* tunnles between computers (like what a vpn does). if all you want to do is ssh between boxes, you have no need of it. i talked to the frees/wan guys at the BOF at LISA this year and it seemed quite impressive and there were a lot of very positive and large scale testimonials from people. i'm quite excited about playing with it... but unless you have a need for it, don't bother. as far as dnssec goes, don't worry about it. so long as you are running the latest bind you should be safe from the vast majority of attacks. dnssec is at this point still mostly a theoritical solution to a problem which hasn't been implemented by many people. ... it sounds to me like you're doing an admirable thing, trying to secure your box and learn how it all works. but don't be mislead, just because something is a security product, doesn't mean installing it will make your system more secure. in fact a badly installed or maintained "security product" can actually seriously degrade your performance. what you need to do is learn about the system you have. that will probably mean breaking things every once in a while. look at the processes running on your box, make sure that you know what they all do. if you don't need them find out where they start and turn them off one by one (and be ready for things to break if you guess wrong about needing them with a tested boot floppy). go through your /bin, /sbin, /usr/bin and /usr/sbin directories look at all the programs there, find out what they do by reading the man pages. go through the /etc directory and figure out what all the files in there do. remember that "dpkg -S filename" will tell you which package a file came from so you can figure out where the docs for it are. the most secure system will be the simplest one. the more complexity you add the more room for holes and config mistakes there will be. read. read. read. adam.
