[techtalk] Tightening Security
Mandi
mandi at linuxchick.org
Wed Feb 21 13:00:09 EST 2001
James -
I thought that too, but according to the man page for inetd.conf, the
first column of a service listing in inetd.conf has to be the correct name
from /etc/services.
With xinetd, you can specify that the service you want to run is unlisted,
i.e. missing from /etc/services, and it will run.
Services with their own constant daemons (like httpd) aren't specified in
/etc/inetd.conf, anyway. It's mostly transient connection programs, I
think...
--mandi
On Wed, 21 Feb 2001, James A. Sutherland wrote:
> On Wed, 21 Feb 2001, Raven Alder wrote:
>
> > Heya --
> >
> > I accidentally killed the original message, but someone had made
> > the point that /etc/services just dictates what port a given service is
> > listening on, and that disabling that port binding hasn't a thing to do
> > with whether the service is running at the time. That's inetd.
> > Absolutely right.
> >
> > The reason that I had heard cited for commenting out the line in
> > /etc/services as well as making sure the service wasn't being offered
> > in inetd.conf (or rc.inet2 or wherever) was to ensure that in case of a
> > partial system compromise, the hacker installing a new service would
> > have to take the additional step of editing /etc/services to get any
> > new program they install to have a port assignment, rather than the
> > well-known port already working for it.
>
> Oh dear... unlikely to work for most things. I know Apache defaults to
> port 80 anyway, without ever touching /etc/services; I suspect other
> daemons will be the same.
>
> > I haven't ever actually had this happen personally, so I can't
> > comment on how effective it is. Anyone else tried it? Did it do any
> > good?
>
> It's a waste of time. What it WILL achieve is that things like netstat
> won't give you protocol names - instead of connections to/from "http"
> you'll see connections to "80", for example.
>
>
> James.
>
>
> _______________________________________________
> techtalk mailing list
> techtalk at linuxchix.org
> http://www.linux.org.uk/mailman/listinfo/techtalk
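The two points in this thread (inetd only binds a service whose first column resolves through /etc/services, and commenting a name out of /etc/services just makes tools show a bare port number) can be checked with a small audit script. The code below is an added example written for this archive page, not something posted by Mandi, James or Raven; the inetd.conf and /etc/services contents are constructed samples, and the parsers follow the file formats only as far as the thread discusses them.

```python
"""Audit an inetd.conf-style listing against an /etc/services-style table.

Added example, not from the thread. SERVICES_TEXT and INETD_CONF_TEXT are
constructed samples, not taken from any real host.
"""

SERVICES_TEXT = """\
# constructed sample in /etc/services format
ftp        21/tcp
ssh        22/tcp
#telnet    23/tcp            # commented out, as discussed in the thread
http       80/tcp     www
finger     79/tcp
"""

INETD_CONF_TEXT = """\
# constructed sample in /etc/inetd.conf format
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""


def parse_services(text):
    """Return {(name, proto): port}, including aliases, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        name, port_proto = fields[0], fields[1]
        port, proto = port_proto.split("/")
        for alias in [name] + fields[2:]:      # canonical name plus aliases
            table[(alias, proto)] = int(port)
    return table


def parse_inetd_conf(text):
    """Return a list of (service_name, proto, server_program) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:                    # malformed line, skip it
            continue
        # columns: service socket-type proto wait/nowait user server args...
        entries.append((fields[0], fields[2], fields[5]))
    return entries


def audit(inetd_text, services_text):
    """Map each inetd service name to the port inetd would bind.

    None means the name is absent from /etc/services, so classic inetd has
    nothing to bind for that line (the situation Mandi's man page describes).
    """
    table = parse_services(services_text)
    return {name: table.get((name, proto))
            for name, proto, _prog in parse_inetd_conf(inetd_text)}


def display_name(port, proto, services_text):
    """What a netstat-style tool prints for a port: the service name when
    /etc/services knows it, otherwise the bare number (James's point)."""
    for (name, p), known_port in parse_services(services_text).items():
        if known_port == port and p == proto:
            return name
    return str(port)


if __name__ == "__main__":
    for name, port in audit(INETD_CONF_TEXT, SERVICES_TEXT).items():
        status = f"port {port}" if port is not None else "NOT in /etc/services"
        print(f"{name:8s} {status}")
    print("port 80/tcp shows as:", display_name(80, "tcp", SERVICES_TEXT))
    print("port 23/tcp shows as:", display_name(23, "tcp", SERVICES_TEXT))
```

Running it reports `telnet` as not listed, because its /etc/services line is commented out, while `ftp` and `finger` resolve normally; the same table makes port 80 display as `http` and port 23 as just `23`. Under xinetd the equivalent listing would instead declare the service `type = UNLISTED` with an explicit `port` attribute, which is the behaviour Mandi describes.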