Notes
Notes - notes.io |
IT Auditor Recommendations for Locking Down Vulnerable Unix Services
One of the primary goals of Unix security is to block services or daemons that are not needed for normal system operations. This article will give a brief overview of Unix services that should not be disabled on Unix servers. These services are susceptible to attacks according to industry experience.
By removing vulnerable services, threats against Unix servers can be greatly reduced. IT security professionals and IT auditors generally make this a high priority. It is possible to obtain advice on which services are the most necessary and which services should be disabled.
https://zehngamescanada.com/
To identify active services and the port numbers that are associated with them we suggest using the Internet Assigned Numbers Authority (IANA). The IANA online database of well-known ports has been updated to replace RFC 1700. This database is accessible through the URL given in the reference section.
These standardized services, ports, and versions are independent of Unix version or vendor. Each service has the port number and protocol type (TCP/UDP) that is activated via the Unix /etc/inet/services file. The /etc/inet/inetd.conf files contains the specific configuration characteristics for each service. The Unix file permissions and ownership of these critical files should be restricted to administrators only. There is no reason for granting 'world' access.
It is recommended to create a secure baseline for services that are part of the CIS Solaris Benchmark. This baseline can be used to monitor for potential vulnerabilities and deviations. The baseline can also be useful to security professionals, system administrators and auditors.
The Center for Internet Security (CIS), the US Department of Defense Security Technical Implementation Guide, (STIG) and our expert IT auditing experience are our sources for the services that are listed below. This list does not include every Unix service since there could be thousands. The decision of which services are necessary is organization specific. We recommend that you carefully examine the services to determine their active and inactive status.
Telnet is the terminal virtual service. It is necessary only to connect to the server itself. Otherwise, it's not necessary. File Transfer Protocol. Two ports are used - FTP commands and the actual data transfer. Only on an FTP server is it necessary. In other circumstances, it is not needed. -Trivial File Transfer Protocol (TFTP). It is only necessary to TFTP boot servers. It is not required for boot servers using TFTP. Remote services like -rlogin/rsh/rcp are required only if the server has to receive inbound requests. These are vulnerable services and usually are not required. -rexec remote service is necessary only if the system needs to receive inbound 'exec' requests. This service is vulnerable and not recommended. -DHCP is used to dynamically assign IP addresses and other network information. It is necessary only to be used on the DHCP server. It is not required for servers that use DHCP. -SMTP is needed to transfer emails from one system to another. It is only necessary in the event that the system has to receive mail from other systems. It is not required if the system must receive mail from other systems. -Domain Name System (DNS) name resolution service. This service is only required if the server's DNS primary or secondary servers are involved. This service is not mandatory for DNS clients. Network Filesytem can be used to access remote files systems. It is only utilized in the case of systems that have an NFS server. It is not necessary to use it if the system is an NFS server. Network Information Service (NIS/NIS+ server) is used to perform authentication via network. It is only required for systems that act as NIS servers for the local site. It is not required for other systems. -'Route' is used only when the system is an internet router. It is almost always unnecessary.
References: Unix - Security Technical Implementation Guide (STIG). Version 5. 2005. US Defense Information Systems Agency. US Department of Defense. http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf
Solaris Benchmark v2.1.3 (Solaris 10). The Center for Internet Security (CIS). 2007. http://www.cisecurity.org
Internet Assigned Numbers Authority (IANA) http://www.iana.org/assignments/port-numbers
Looking for certified IT auditors at affordable rates. Continental Audit Services, is your provider to control risks, enhance security and adhere to regulations. IT best practices are implemented to all major operating system, databases, and other technologies. Visit www.continentalaudit.com.
Homepage: https://zehngamescanada.com/
One of the primary goals of Unix security is to block services or daemons that are not needed for normal system operations. This article will give a brief overview of Unix services that should not be disabled on Unix servers. These services are susceptible to attacks according to industry experience.
By removing vulnerable services, threats against Unix servers can be greatly reduced. IT security professionals and IT auditors generally make this a high priority. It is possible to obtain advice on which services are the most necessary and which services should be disabled.
https://zehngamescanada.com/
To identify active services and the port numbers that are associated with them we suggest using the Internet Assigned Numbers Authority (IANA). The IANA online database of well-known ports has been updated to replace RFC 1700. This database is accessible through the URL given in the reference section.
These standardized services, ports, and versions are independent of Unix version or vendor. Each service has the port number and protocol type (TCP/UDP) that is activated via the Unix /etc/inet/services file. The /etc/inet/inetd.conf files contains the specific configuration characteristics for each service. The Unix file permissions and ownership of these critical files should be restricted to administrators only. There is no reason for granting 'world' access.
It is recommended to create a secure baseline for services that are part of the CIS Solaris Benchmark. This baseline can be used to monitor for potential vulnerabilities and deviations. The baseline can also be useful to security professionals, system administrators and auditors.
The Center for Internet Security (CIS), the US Department of Defense Security Technical Implementation Guide, (STIG) and our expert IT auditing experience are our sources for the services that are listed below. This list does not include every Unix service since there could be thousands. The decision of which services are necessary is organization specific. We recommend that you carefully examine the services to determine their active and inactive status.
Telnet is the terminal virtual service. It is necessary only to connect to the server itself. Otherwise, it's not necessary. File Transfer Protocol. Two ports are used - FTP commands and the actual data transfer. Only on an FTP server is it necessary. In other circumstances, it is not needed. -Trivial File Transfer Protocol (TFTP). It is only necessary to TFTP boot servers. It is not required for boot servers using TFTP. Remote services like -rlogin/rsh/rcp are required only if the server has to receive inbound requests. These are vulnerable services and usually are not required. -rexec remote service is necessary only if the system needs to receive inbound 'exec' requests. This service is vulnerable and not recommended. -DHCP is used to dynamically assign IP addresses and other network information. It is necessary only to be used on the DHCP server. It is not required for servers that use DHCP. -SMTP is needed to transfer emails from one system to another. It is only necessary in the event that the system has to receive mail from other systems. It is not required if the system must receive mail from other systems. -Domain Name System (DNS) name resolution service. This service is only required if the server's DNS primary or secondary servers are involved. This service is not mandatory for DNS clients. Network Filesytem can be used to access remote files systems. It is only utilized in the case of systems that have an NFS server. It is not necessary to use it if the system is an NFS server. Network Information Service (NIS/NIS+ server) is used to perform authentication via network. It is only required for systems that act as NIS servers for the local site. It is not required for other systems. -'Route' is used only when the system is an internet router. It is almost always unnecessary.
References: Unix - Security Technical Implementation Guide (STIG). Version 5. 2005. US Defense Information Systems Agency. US Department of Defense. http://iase.disa.mil/stigs/stig/unix-stig-v5r1.pdf
Solaris Benchmark v2.1.3 (Solaris 10). The Center for Internet Security (CIS). 2007. http://www.cisecurity.org
Internet Assigned Numbers Authority (IANA) http://www.iana.org/assignments/port-numbers
Looking for certified IT auditors at affordable rates. Continental Audit Services, is your provider to control risks, enhance security and adhere to regulations. IT best practices are implemented to all major operating system, databases, and other technologies. Visit www.continentalaudit.com.
Homepage: https://zehngamescanada.com/
|
|
Notes is a web-based application for online taking notes. You can take your notes and share with others people. If you like taking long notes, notes.io is designed for you. To date, over 8,000,000,000+ notes created and continuing...
With notes.io;
- * You can take a note from anywhere and any device with internet connection.
- * You can share the notes in social platforms (YouTube, Facebook, Twitter, instagram etc.).
- * You can quickly share your contents without website, blog and e-mail.
- * You don't need to create any Account to share a note. As you wish you can use quick, easy and best shortened notes with sms, websites, e-mail, or messaging services (WhatsApp, iMessage, Telegram, Signal).
- * Notes.io has fabulous infrastructure design for a short link and allows you to share the note as an easy and understandable link.
Fast: Notes.io is built for speed and performance. You can take a notes quickly and browse your archive.
Easy: Notes.io doesn’t require installation. Just write and share note!
Short: Notes.io’s url just 8 character. You’ll get shorten link of your note when you want to share. (Ex: notes.io/q )
Free: Notes.io works for 14 years and has been free since the day it was started.
You immediately create your first note and start sharing with the ones you wish. If you want to contact us, you can use the following communication channels;
Email: [email protected]
Twitter: http://twitter.com/notesio
Instagram: http://instagram.com/notes.io
Facebook: http://facebook.com/notesio
Regards;
Notes.io Team
