IT Auditor Recommendations on Locking down Vulnerable Unix Services

One of the primary goals of Unix security is to deactivate services or daemons that are unnecessary for normal system operation. In this article we provide a brief survey of the Unix services that should be disabled on most Unix servers. Experience in the field has proven these services are vulnerable to attack.



By removing vulnerable services, threats against Unix servers can be significantly reduced. This is a top priority for IT security professionals and IT auditors. Guidance is thankfully available on the services that are usually necessary and the services that are usually not necessary and should be removed.



To identify active services and the port numbers associated with them, we suggest using the Internet Assigned Numbers Authority (IANA) registry. Ports and services are standardized and documented in the IANA online database of well-known ports (superseding the previous RFC 1700). The database is accessible at the URL provided in the reference section below.



These standardized ports and services are independent of the Unix vendor or version. Each service has its own port number and protocol type (TCP/UDP), which are activated through the Unix /etc/inet/services file. The specific configuration characteristics of each service are defined in the /etc/inet/inetd.conf file. Access to and ownership of these files should be limited to administrators. There is no reason to grant access to the world.



We recommend creating a secure baseline for services based on the CIS Solaris Benchmark. This baseline allows monitoring for potential vulnerabilities and deviations. It is also useful to system administrators, security professionals and auditors.



Our sources for the services listed below are the Center for Internet Security (CIS) Benchmark, the US Department of Defense Security Technical Implementation Guide (STIG) and our own expert IT auditing experience. The list is not exhaustive and does not cover every possible Unix service, as there could be thousands of them. An organization's own criteria will determine which services are required. We suggest that you carefully review each service and whether it is active or inactive.



- Telnet is the virtual terminal service. It is necessary only if users must telnet directly to the server itself. Otherwise it is unnecessary.
- File Transfer Protocol (FTP). Covers both FTP commands and the actual data transfers. It is necessary only on an FTP server. Otherwise it is unnecessary.
- Trivial File Transfer Protocol (TFTP). It is necessary only on TFTP boot servers. Otherwise it is unnecessary.
- The rlogin/rsh/rcp remote services are necessary only if the server must accept inbound requests. These services are usually not required and are considered vulnerable.
- The rexec remote service is necessary only if the system must receive inbound 'exec' requests. This service is insecure and is not recommended.
- DHCP is used to dynamically assign IP addresses and other network information. It is necessary only on a DHCP server. Otherwise it is unnecessary.
- SMTP is used to transfer mail from one system to another. It is necessary only if the system must receive mail from other systems. Otherwise it is unnecessary.
- Domain Name System (DNS) name resolution service. It is necessary only if the server is a DNS primary or secondary server. It is not needed on DNS clients.
- Network File System (NFS) is used to access remote file systems. It is necessary only if the system is an NFS server. Otherwise it is unnecessary.
- The Network Information Service (NIS/NIS+) server is used for network-wide authentication. It is necessary only on systems acting as NIS servers for the local site. Otherwise it is unnecessary.
- "Route" is used only if the system is a network router. It is rarely needed.
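The list above can be checked against a server's inetd configuration. The following is an added example, not part of the original article: it reports active inetd.conf entries for the inetd-launched services in the list (telnet, ftp, tftp, and login, shell and exec for rlogin, rsh/rcp and rexec) and checks whether the file is accessible to the world. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an inetd.conf-style file.
# Entry format: service socket-type protocol wait-flag user server-path [args]
# A line starting with '#' is a disabled entry.

# inetd service names for telnet, FTP, TFTP, rlogin, rsh/rcp and rexec.
FLAGGED="telnet ftp tftp login shell exec"

# Print "service/protocol server-path" for every active flagged entry.
active_flagged() {
    awk -v flagged="$FLAGGED" '
        BEGIN { n = split(flagged, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }   # disabled, blank or malformed line
        ($1 in bad) { print $1 "/" $3, $6 }
    ' "$1"
}

# Succeed (exit 0) when "other" has any permission bit set on the file.
world_accessible() {
    [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]
}

# Constructed sample: three active flagged entries, two disabled, one unlisted.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#ftp    stream  tcp6  nowait  root  /usr/sbin/in.ftpd     in.ftpd
tftp    dgram   udp6  wait    root  /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
#login  stream  tcp6  nowait  root  /usr/sbin/in.rlogind  in.rlogind
shell   stream  tcp   nowait  root  /usr/sbin/in.rshd     in.rshd
time    stream  tcp6  nowait  root  internal
EOF
}

conf=$(mktemp)
write_sample "$conf"
chmod 644 "$conf"
echo "Active entries to review:"
active_flagged "$conf"
if world_accessible "$conf"; then
    echo "WARNING: $conf is accessible to other users"
fi
rm -f "$conf"
```

On a real server, call `active_flagged /etc/inet/inetd.conf` instead of using the sample. Services from the list that run as standalone daemons (DHCP, SMTP, DNS, NFS, NIS, routing) do not appear in this file and need a separate check.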



References:

Unix - Security Technical Implementation Guide (STIG). Version 5. 2005. US Defense Information Systems Agency. US Department of Defense. http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf

Solaris Benchmark v2.1.3 (Solaris 10). The Center for Internet Security (CIS). 2007. http://www.cisecurity.org

Internet Assigned Numbers Authority (IANA). http://www.iana.org/assignments/port-numbers




