IT Auditor Recommendations on Locking down Vulnerable Unix Services

A major objective in Unix security is to disable services or daemons that are not needed for normal system operation. This article gives a brief overview of the Unix services that should be disabled on Unix servers unless a specific business need requires them, since industry experience has shown that these services are frequent targets of attack.


Removing vulnerable services reduces the risk to Unix servers, and IT security professionals and IT auditors generally treat this as a high priority. The sections below explain how to determine which services are necessary and which should be shut down.


Consult the Internet Assigned Numbers Authority (IANA) to identify active services and their port numbers. Services and ports are standardized and documented in the IANA online database of well-known ports, which supersedes RFC 1700. The URL of this database is given in the reference section below.


These standardized services and ports are independent of the Unix vendor or version. Each service is assigned a port number and a protocol type (TCP or UDP) in the /etc/inet/services file, and the configuration details for each service started by inetd are set in the /etc/inet/inetd.conf file. Both files should be owned by the administrative account (root) and writable only by it; there is no reason to give write access to the world.


It is recommended that you create a secure baseline of services based on the CIS Solaris Benchmark. This makes it possible to monitor for deviations and potential vulnerabilities, which benefits system administrators, security professionals, and auditors alike.


Our sources for the services listed below are the Center for Internet Security (CIS) Benchmark, the US Department of Defense Security Technical Implementation Guide (STIG), and our professional IT audit experience. This list does not include every Unix service, since there could be thousands. Which services are required is specific to each organization, so we suggest that you carefully analyze each service before deciding whether it should be active or inactive.


- Telnet: the virtual terminal service. It is required only if remote terminal connections to the server itself must be accepted; otherwise it is not needed.
- FTP: File Transfer Protocol. Two ports are used, one for FTP commands and one for the actual data transfer. It is necessary only on an FTP server; in other circumstances it is not needed.
- TFTP: Trivial File Transfer Protocol. It is required only on TFTP boot servers; otherwise it is not necessary.
- rlogin/rsh/rcp: remote login, remote shell and remote copy services. They are required only if the server must accept inbound requests for these services; they are considered vulnerable and are normally not required.
- rexec: remote execution. It is required only if the system must receive inbound "exec" requests. This is a risky service and is generally not required.
- DHCP: used to dynamically assign IP addresses and other network information. It is required only on the DHCP server; otherwise it is unnecessary.
- SMTP: used to transfer email from one system to another. It is required only if the system must receive mail from other systems; otherwise it is not needed.
- DNS: Domain Name System name resolution service. It is needed only on a DNS primary or secondary server; DNS clients do not need it.
- NFS: Network File System, used to access remote file systems. It is required only on an NFS server; otherwise it is not needed.
- NIS/NIS+: Network Information Service, used to provide network-based authentication. It is needed only on systems that act as NIS servers for the local site; otherwise it is not needed.
- Route: the routing service. It is needed only if the system acts as a router, which is almost never the case.
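The following POSIX shell script is an added example written for this article; it is not code from the article, from CIS, or from DISA. It turns the two audit points above (restrictive ownership of the inetd configuration file, and a baseline of sanctioned services) into a repeatable check: it lists the services an inetd.conf enables, flags the ones from the list above that inetd manages (telnet, ftp, tftp, and the rlogin/rsh/rexec entries, whose inetd service names are login, shell and exec), reports deviations from an approved baseline, and checks that the configuration file is not world-writable. The sample inetd.conf and baseline are constructed in a temporary directory so the script runs offline; on a real Solaris host you would pass /etc/inet/inetd.conf and your own baseline file instead.

```shell
#!/bin/sh
# Added audit helper (not from the article, CIS or DISA). Lists enabled inetd
# services, flags the article's rarely-needed ones, reports deviations from an
# approved baseline, and checks the config file is not world-writable.
# Sample input is constructed below; point the functions at real files on a host.

# inetd service names (field 1 of inetd.conf) for the article's rarely-needed
# services: telnet, ftp, tftp, rlogin (login), rsh (shell), rexec (exec).
RISKY_SERVICES="telnet ftp tftp login shell exec"

# Print the service name of every enabled (uncommented, non-blank) entry.
enabled_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1" | sort -u
}

# Print the enabled services that appear in RISKY_SERVICES.
risky_enabled() {
    for svc in $(enabled_services "$1"); do
        for r in $RISKY_SERVICES; do
            [ "$svc" = "$r" ] && echo "$svc"
        done
    done
    return 0
}

# Print enabled services missing from the baseline file (one name per line):
# these are deviations from the approved configuration.
baseline_deviations() {
    sort -u "$2" > "$TMPD/base.$$"
    enabled_services "$1" > "$TMPD/enabled.$$"
    comm -13 "$TMPD/base.$$" "$TMPD/enabled.$$"
    rm -f "$TMPD/base.$$" "$TMPD/enabled.$$"
}

# Succeed (status 0) when the file's "other" write bit is set: an audit finding.
# Character 9 of the ls -l mode string is the world write bit.
world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Human-readable summary for an auditor's working papers.
audit_report() {
    echo "Enabled inetd services  : $(enabled_services "$1" | tr '\n' ' ')"
    echo "Risky services enabled  : $(risky_enabled "$1" | tr '\n' ' ')"
    echo "Not in approved baseline: $(baseline_deviations "$1" "$2" | tr '\n' ' ')"
    if world_writable "$1"; then
        echo "FINDING: $1 is world-writable"
    else
        echo "OK: $1 is not world-writable"
    fi
}

# --- constructed sample input (not taken from any real host) ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat > "$TMPD/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
#login  stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
tftp    dgram   udp  wait    root  /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
ssh     stream  tcp  nowait  root  /usr/sbin/sshd        sshd -i
EOF
# constructed approved baseline: only ssh and ftp are sanctioned on this host
printf 'ssh\nftp\n' > "$TMPD/baseline.txt"
chmod 644 "$TMPD/inetd.conf"

audit_report "$TMPD/inetd.conf" "$TMPD/baseline.txt"
```

On the constructed sample the report shows ftp, telnet and tftp enabled and flagged as risky, telnet and tftp as deviations from the baseline, and no permission finding until the file is loosened. DHCP, SMTP, DNS, NFS, NIS and the routing daemon are normally started as standalone daemons rather than through inetd, so they do not appear in inetd.conf; auditing those requires checking the startup scripts and the running process list in the same baseline-versus-actual manner.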


References:

US Defense Information Systems Agency, US Department of Defense. Unix Security Technical Implementation Guide (STIG), Version 5, 2005. http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf

The Center for Internet Security (CIS). Solaris Benchmark v2.1.3 (Solaris 10), 2007. http://www.cisecurity.org

Internet Assigned Numbers Authority (IANA). Port Numbers. http://www.iana.org/assignments/port-numbers


Looking for certified IT auditors at affordable rates? Continental Audit Services is your provider for controlling risks, improving security and complying with regulations. IT best practices are applied to every major operating system, database, and other technology. Visit www.continentalaudit.com.
