Example A
This is an example of the /etc/inetd.conf file. Notice how everything is commented out except for ftp and telnetd.
#
# inetd.conf    This file describes the services that will be available
#               through the INETD TCP/IP super server. To re-configure
#               the running INETD process, edit this file, then send the
#               INETD process a SIGHUP signal.
#
# Version:      @(#)/etc/inetd.conf  3.10  05/27/93
#
# Authors:      Original taken from BSD UNIX 4.3/TAHOE.
#               Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
# Modified for Debian Linux by Ian A. Murdock <imurdock@shell.portal.com>
#
# Modified for RHS Linux by Marc Ewing <marc@redhat.com>
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo      stream  tcp  nowait  root    internal
#echo      dgram   udp  wait    root    internal
#discard   stream  tcp  nowait  root    internal
#discard   dgram   udp  wait    root    internal
#daytime   stream  tcp  nowait  root    internal
#daytime   dgram   udp  wait    root    internal
#chargen   stream  tcp  nowait  root    internal
#chargen   dgram   udp  wait    root    internal
#
# These are standard services.
#
ftp        stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -L -i -o
telnet     stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#gopher    stream  tcp  nowait  root    /usr/sbin/tcpd  gn
# do not uncomment smtp unless you *really* know what you are doing.
# smtp is handled by the sendmail daemon now, not smtpd. It does NOT
# run from here, it is started at boot time from /etc/rc.d/rc#.d.
#smtp      stream  tcp  nowait  root    /usr/bin/smtpd  smtpd
#nntp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.nntpd
#
# Shell, login, exec and talk are BSD protocols.
#
#shell     stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login     stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#exec      stream  tcp  nowait  root    /usr/sbin/tcpd  in.rexecd
#talk      dgram   udp  wait    root    /usr/sbin/tcpd  in.talkd
#ntalk     dgram   udp  wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk     stream  tcp  wait    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2     stream  tcp  nowait  root    /usr/sbin/tcpd  ipop2d
#pop-3     stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
#imap      stream  tcp  nowait  root    /usr/sbin/tcpd  imapd
#
# The Internet UUCP service.
#
#uucp      stream  tcp  nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico -l
#
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp      dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
#bootps    dgram   udp  wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
# cfinger is for GNU finger, which is currently not in use in RHS Linux
#
#finger    stream  tcp  nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger   stream  tcp  nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat    stream  tcp  nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat   stream  tcp  nowait  guest   /usr/sbin/tcpd  /bin/netstat -f inet
#
# Time service is used for clock synchronization.
#
#time      stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.timed
#time      dgram   udp  wait    nobody  /usr/sbin/tcpd  in.timed
#
# Authentication
#
#auth      stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
#
# End of inetd.conf
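The value of a stripped-down inetd.conf is easy to lose when someone later uncomments a line, so it is worth re-checking it mechanically. The script below is an added example written for this page, not code from the original article: it parses the inetd.conf format shown above (one enabled service per uncommented line, fields as in the `<service_name> <sock_type> ...` header) and reports which services are live and which of them are started directly rather than through /usr/sbin/tcpd, since those bypass the hosts.allow/hosts.deny controls of Example F. The sample file embedded in it is a constructed excerpt of the file above with one extra, unwrapped finger line added so the check has something to flag.

```python
"""Audit an inetd.conf: which services are enabled, and which bypass tcpd.

Added example; not code from the original article. The constructed
SAMPLE_INETD_CONF below mirrors the layout of the file above.
"""
from dataclasses import dataclass
from typing import List

TCPD = "/usr/sbin/tcpd"

# Constructed excerpt: two enabled tcpd-wrapped services as in the article,
# several commented-out lines, and one service started without tcpd.
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#echo      stream  tcp  nowait  root    internal
ftp        stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -L -i -o
telnet     stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell     stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#auth      stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
finger     stream  tcp  nowait  root    /usr/sbin/in.fingerd  in.fingerd
"""


@dataclass
class InetdService:
    name: str
    sock_type: str
    proto: str
    flags: str
    user: str
    server_path: str
    args: List[str]

    @property
    def wrapped(self) -> bool:
        """True when the connection is handed to tcpd, so hosts.allow/deny apply."""
        return self.server_path == TCPD

    @property
    def runs_as_root(self) -> bool:
        # inetd accepts "user" or "user.group" in the user field.
        return self.user.split(".")[0] == "root"


def parse_inetd_conf(text: str) -> List[InetdService]:
    """Return only the *enabled* services; '#' lines and blank lines are skipped."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        name, sock_type, proto, flags, user, server_path = fields[:6]
        services.append(InetdService(name, sock_type, proto, flags, user,
                                     server_path, fields[6:]))
    return services


def enabled_service_names(text: str) -> List[str]:
    return [s.name for s in parse_inetd_conf(text)]


def unwrapped_services(text: str) -> List[str]:
    """Enabled services that inetd execs directly, bypassing tcpd.

    'internal' services (echo, chargen, ...) are served by inetd itself and
    are reported separately by the caller if enabled, so they are not listed.
    """
    return [s.name for s in parse_inetd_conf(text)
            if not s.wrapped and s.server_path != "internal"]


if __name__ == "__main__":
    for svc in parse_inetd_conf(SAMPLE_INETD_CONF):
        status = "via tcpd" if svc.wrapped else "NOT WRAPPED"
        print(f"{svc.name:<8} {svc.proto:<4} user={svc.user:<7} {status}")
```

Run against the file above, the script lists only ftp and telnet, both wrapped; any line that later appears in the unwrapped list is a service that TCP Wrappers can neither log nor filter.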
Example B
This is an example of the /etc/issue file.
#
#
# WARNING:  You must have specific authorization to access
#           this machine. Unauthorized users will be logged,
#           monitored, and then shot on sight!
#
#
Example C
This is an example of the system accounts I leave in the /etc/passwd file. Notice how the password field contains "x" and not the encrypted password. Encrypted passwords are now securely stored in the /etc/shadow file as a result of the "pwconv" command.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
mail:x:8:12:mail:/var/spool/mail:
uucp:x:10:14:uucp:/var/spool/uucp:
nobody:x:99:99:Nobody:/:
Example D
This is an example of the /etc/ftpusers file.
root
bin
daemon
adm
lp
mail
uucp
nobody
Example E
This is an example of the /etc/securetty file.
tty1
tty2
tty3
tty4
ttyp1   --> Note: this entry allows a remote user to log in as root. Normally you do NOT want this entry!
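Examples C, D and E are three files that have to agree with one another: every account left in /etc/passwd should be shadowed, every system account should be listed in /etc/ftpusers, and /etc/securetty should name only physical consoles. The script below is an added example, not code from the original article, that checks all three. Its inputs are constructed copies of the examples above, each given one deliberate defect so that each check reports something: a "test" account with a hash left in the password field, an ftpusers file missing "uucp", and the ttyp1 line from Example E. The UID ceiling of 99 for "system account" is an assumption chosen to match the accounts in Example C, not a rule stated by the article.

```python
"""Cross-check the /etc/passwd, /etc/ftpusers and /etc/securetty examples.

Added example; not code from the original article. Inputs are constructed
from Examples C, D and E with one defect each.
"""
import re
from typing import Dict, List

# Constructed: the passwd example plus a 'test' account whose password field
# still holds a (fake) hash instead of the 'x' shadow marker.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
mail:x:8:12:mail:/var/spool/mail:
uucp:x:10:14:uucp:/var/spool/uucp:
nobody:x:99:99:Nobody:/:
test:$1$constructed$notarealhash:500:500:Test user:/home/test:/bin/bash
"""

# Constructed: the ftpusers example with 'uucp' left out.
FTPUSERS = "root\nbin\ndaemon\nadm\nlp\nmail\nnobody\n"

# Constructed: the securetty example, including the ttyp1 line.
SECURETTY = "tty1\ntty2\ntty3\ntty4\nttyp1\n"

# Assumption for this example: the article's system accounts all have UID <= 99.
SYSTEM_UID_MAX = 99

# BSD-style pseudo-terminals on Linux are tty[p-za-e][0-9a-f]; Unix98 ones are pts/N.
PSEUDO_TTY = re.compile(r"^(tty[p-za-e][0-9a-f]|pts/\d+)$")


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map login name -> fields for each passwd(5) record."""
    accounts = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        accounts[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                          "gecos": gecos, "home": home, "shell": shell}
    return accounts


def unshadowed_accounts(passwd_text: str) -> List[str]:
    """Accounts whose password field holds anything but the 'x' marker pwconv leaves."""
    return [n for n, a in parse_passwd(passwd_text).items() if a["pw"] != "x"]


def system_accounts_allowed_ftp(passwd_text: str, ftpusers_text: str) -> List[str]:
    """System accounts absent from ftpusers, i.e. still permitted to log in over FTP."""
    denied = {line.strip() for line in ftpusers_text.splitlines() if line.strip()}
    return [n for n, a in parse_passwd(passwd_text).items()
            if a["uid"] <= SYSTEM_UID_MAX and n not in denied]


def remote_root_ttys(securetty_text: str) -> List[str]:
    """securetty entries that are pseudo-terminals, so root could log in over the network."""
    return [line.strip() for line in securetty_text.splitlines()
            if PSEUDO_TTY.match(line.strip())]


if __name__ == "__main__":
    print("password field not shadowed:", unshadowed_accounts(PASSWD))
    print("system accounts missing from ftpusers:",
          system_accounts_allowed_ftp(PASSWD, FTPUSERS))
    print("pseudo-ttys in securetty:", remote_root_ttys(SECURETTY))
```

Point the three constants at the live files and a clean system prints three empty lists; anything else is a line to go and look at.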
Example F
This is an example of the access control lists for TCP Wrappers. The syntax is
Service: Source (IP address, network, or name): <optional> : ALLOW or DENY
Example of /etc/hosts.allow
in.telnetd: 192.168.1.0/255.255.255.0 : banners /etc/bannerfile : ALLOW
in.ftpd: 192.168.1.30 : ALLOW
imapd: ALL : spawn (/usr/local/bin/ids.sh %d %h %H %u)
Example of /etc/hosts.deny. I highly recommend you always use this as your /etc/hosts.deny file.
ALL: ALL: DENY
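The behaviour these two files produce follows from how tcpd reads them: /etc/hosts.allow is consulted first, then /etc/hosts.deny, the first matching rule decides, and a request matched by neither file is allowed, which is exactly why the deny-all line above matters. The evaluator below is an added example written for this page, not part of the article or of the TCP Wrappers package. It implements that order for the rule shapes used above (daemon list, client list, optional option fields, trailing ALLOW or DENY), with client patterns ALL, a single address, and net/mask; options such as banners and spawn are returned rather than executed, and the rest of the hosts_access language is out of scope. The two rule sets are constructed copies of the files above.

```python
"""Evaluate TCP Wrappers hosts.allow / hosts.deny the way tcpd does.

Added example; not code from the original article or from tcp_wrappers.
Handles: daemon lists, client lists, ALL, bare IPv4 address, net/mask,
option fields, and an explicit ALLOW/DENY as the last field.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed copies of the two example files above.
HOSTS_ALLOW = """\
in.telnetd: 192.168.1.0/255.255.255.0 : banners /etc/bannerfile : ALLOW
in.ftpd: 192.168.1.30 : ALLOW
imapd: ALL : spawn (/usr/local/bin/ids.sh %d %h %H %u)
"""
HOSTS_DENY = "ALL: ALL: DENY\n"


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    options: List[str] = field(default_factory=list)
    verdict: Optional[str] = None   # "ALLOW", "DENY", or None = the file's default


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemons : clients [: option ...] [: ALLOW|DENY]' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons, clients, options = fields[0].split(), fields[1].split(), fields[2:]
        verdict = None
        if options and options[-1].upper() in ("ALLOW", "DENY"):
            verdict = options.pop().upper()
        rules.append(Rule(daemons, clients, options, verdict))
    return rules


def client_matches(pattern: str, client_ip: str) -> bool:
    """ALL, a single address, or net/mask such as 192.168.1.0/255.255.255.0."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def check_access(daemon: str, client_ip: str,
                 allow_text: str = HOSTS_ALLOW,
                 deny_text: str = HOSTS_DENY) -> Tuple[str, List[str]]:
    """Return (verdict, options): hosts.allow first, then hosts.deny, first match wins."""
    for default, text in (("ALLOW", allow_text), ("DENY", deny_text)):
        for rule in parse_rules(text):
            if (any(daemon_matches(d, daemon) for d in rule.daemons)
                    and any(client_matches(c, client_ip) for c in rule.clients)):
                return rule.verdict or default, rule.options
    return "ALLOW", []   # tcpd grants access when neither file matches


if __name__ == "__main__":
    for daemon, ip in [("in.telnetd", "192.168.1.5"), ("in.telnetd", "10.0.0.5"),
                       ("in.ftpd", "192.168.1.30"), ("in.ftpd", "192.168.1.31"),
                       ("imapd", "203.0.113.9")]:
        verdict, opts = check_access(daemon, ip)
        print(f"{daemon:<11} from {ip:<14} -> {verdict} {opts}")
```

Passing an empty string as deny_text shows the fail-open default: a request that matches nothing is allowed, so without the ALL: ALL: DENY file every wrapped service that has no hosts.allow rule is reachable from anywhere.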
Example G
Go to the /etc/pam.d directory, where you will find the configuration files for the different binaries that require authentication. Most of the configuration files will have the following entry:
password required /lib/security/pam_pwdb.so nullok use_authtok
or
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
All you need to do is find all the configuration files that have this entry and add "md5" to the end, so it looks like this:
password required /lib/security/pam_pwdb.so nullok use_authtok md5
or
password required /lib/security/pam_pwdb.so shadow nullok use_authtok md5
For my RedHat 6.0 system, I had to edit this line in the following configuration files in /etc/pam.d:
chfn
chsh
login
passwd
rlogin
su
xdm
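Editing seven files by hand is error-prone, and the same edit is needed again whenever a package reinstalls one of them. The script below is an added example, not part of the original article: it finds every file in a pam.d directory whose "password required .../pam_pwdb.so" line lacks "md5" and appends the option to exactly those lines, keeping a .orig copy of each file it touches. The directory is a parameter so the functions can be tried against a copy of /etc/pam.d before the live one; the function names and the .orig backup convention are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original article: apply the Example G edit to
# every PAM service file under the directory given as $1 (normally /etc/pam.d).
# Only "password required /lib/security/pam_pwdb.so ..." lines without "md5"
# are changed; everything else is copied through untouched.

# BRE matching the password line the article describes.
PWDB_LINE='^password[[:space:]]\{1,\}required[[:space:]]\{1,\}/lib/security/pam_pwdb\.so'

# Print the files under $1 whose pam_pwdb.so password line lacks the md5 option.
pam_find_missing_md5() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.orig) continue ;; esac      # skip backups made by pam_add_md5
        if grep "$PWDB_LINE" "$f" | grep -qv '[[:space:]]md5'; then
            printf '%s\n' "$f"
        fi
    done
}

# Append " md5" to the matching lines of each such file; keep <file>.orig.
pam_add_md5() {
    dir=$1
    for f in $(pam_find_missing_md5 "$dir"); do
        cp -p "$f" "$f.orig"
        # 'b' with no label ends processing of the current line, so lines that
        # are not pam_pwdb password lines, or already carry md5, pass unchanged.
        sed -e "\\|${PWDB_LINE}|!b" \
            -e '/[[:space:]]md5/b' \
            -e 's/[[:space:]]*$/ md5/' "$f.orig" > "$f"
    done
}

# Usage: sh pam_md5.sh /etc/pam.d    (then diff the .orig files before removing them)
if [ $# -gt 0 ]; then
    pam_add_md5 "$1"
fi
```

Run pam_find_missing_md5 alone first: on the author's RedHat 6.0 system it should list exactly the seven files named above, and after pam_add_md5 it should list nothing.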