Re: [techtalk] Tightening Security
Heya --

I accidentally killed the original message, but someone had made the point that /etc/services just dictates what port a given service is listening on, and that disabling that port binding hasn't a thing to do with whether the service is running at the time. That's inetd. Absolutely right.

The reason that I had heard cited for commenting out the line in /etc/services as well as making sure the service wasn't being offered in inetd.conf (or rc.inet2 or wherever) was to ensure that in case of a partial system compromise, the hacker installing a new service would have to take the additional step of editing /etc/services to get any new program they install to have a port assignment, rather than the well-known port already working for it.

I haven't ever actually had this happen personally, so I can't comment on how effective it is. Anyone else tried it? Did it do any good?

Cheers,
Raven

= "You down with entropy? Yeah, you know me! (x3) Who's down with entropy? Every last homey!" -- the Mighty Stephen Hawking, "Entropy" http://www.mchawking.com

___
techtalk mailing list
[EMAIL PROTECTED]
http://www.linux.org.uk/mailman/listinfo/techtalk
Re: [techtalk] Tightening Security
James -

I thought that too, but according to the man page for inetd.conf, the first column of a service listing in inetd.conf has to be the correct name from /etc/services. With xinetd, you can specify that the service you want to run is unlisted, i.e. missing from /etc/services, and it will run.

Services with their own constant daemons (like httpd) aren't specified in /etc/inetd.conf, anyway. It's mostly transient connection programs, I think...

--mandi

On Wed, 21 Feb 2001, James A. Sutherland wrote:

> On Wed, 21 Feb 2001, Raven Alder wrote:
>
> > Heya --
> >
> > I accidentally killed the original message, but someone had made
> > the point that /etc/services just dictates what port a given service is
> > listening on, and that disabling that port binding hasn't a thing to do
> > with whether the service is running at the time. That's inetd.
> > Absolutely right.
> >
> > The reason that I had heard cited for commenting out the line in
> > /etc/services as well as making sure the service wasn't being offered
> > in inetd.conf (or rc.inet2 or wherever) was to ensure that in case of a
> > partial system compromise, the hacker installing a new service would
> > have to take the additional step of editing /etc/services to get any
> > new program they install to have a port assignment, rather than the
> > well-known port already working for it.
>
> Oh dear... unlikely to work for most things. I know Apache defaults to
> port 80 anyway, without ever touching /etc/services; I suspect other
> daemons will be the same.
>
> > I haven't ever actually had this happen personally, so I can't
> > comment on how effective it is. Anyone else tried it? Did it do any
> > good?
>
> It's a waste of time. What it WILL achieve is that things like netstat
> won't give you protocol names - instead of connections to/from "http"
> you'll see connections to "80", for example.
>
>
> James.
Re: [techtalk] Tightening Security
On Wed, 21 Feb 2001, Raven Alder wrote:

> Heya --
>
> I accidentally killed the original message, but someone had made
> the point that /etc/services just dictates what port a given service is
> listening on, and that disabling that port binding hasn't a thing to do
> with whether the service is running at the time. That's inetd.
> Absolutely right.
>
> The reason that I had heard cited for commenting out the line in
> /etc/services as well as making sure the service wasn't being offered
> in inetd.conf (or rc.inet2 or wherever) was to ensure that in case of a
> partial system compromise, the hacker installing a new service would
> have to take the additional step of editing /etc/services to get any
> new program they install to have a port assignment, rather than the
> well-known port already working for it.

Oh dear... unlikely to work for most things. I know Apache defaults to port 80 anyway, without ever touching /etc/services; I suspect other daemons will be the same.

> I haven't ever actually had this happen personally, so I can't
> comment on how effective it is. Anyone else tried it? Did it do any
> good?

It's a waste of time. What it WILL achieve is that things like netstat won't give you protocol names - instead of connections to/from "http" you'll see connections to "80", for example.


James.
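An added illustration of the two points made in this thread (mandi's: classic inetd resolves the first column of inetd.conf through /etc/services, so a commented-out services line silently disables that inetd entry; James's: a standalone daemon binds a numeric port and never consults the file). This is example code written for this page, not something posted by anyone in the thread; the /etc/services and inetd.conf contents below are constructed samples, not real system files.

```python
import socket

# Constructed sample files (not real system contents): telnet has been
# commented out of /etc/services but is still enabled in inetd.conf.
SERVICES = """\
ftp      21/tcp
#telnet  23/tcp
finger   79/tcp
http     80/tcp   www
"""
INETD_CONF = """\
ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
"""

def parse_services(text):
    """Map (name, proto) -> port for uncommented /etc/services lines, aliases included."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port)
    return table

def audit_inetd(inetd_text, services):
    """For each inetd.conf entry, the port inetd will resolve, or None when the
    name is missing from /etc/services (inetd then cannot offer that service)."""
    report = {}
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        name, proto = fields[0], fields[2]
        report[name] = services.get((name, proto))
    return report

def bind_numeric_port(port=0):
    """A standalone daemon (Apache on 80) binds a number directly; /etc/services
    is never consulted. Port 0 asks the kernel for a free port so this runs unprivileged."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", port))
        return s.getsockname()[1]

if __name__ == "__main__":
    for name, port in audit_inetd(INETD_CONF, parse_services(SERVICES)).items():
        print(f"{name:8s} -> {port if port else 'UNLISTED: inetd will not start it'}")
    print("numeric bind with no /etc/services lookup:", bind_numeric_port())
```

Running the audit against real files (/etc/inetd.conf and /etc/services) shows which inetd entries a services-file edit has quietly disabled; the numeric bind shows why the same edit does nothing against a daemon that carries its own port number.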