Home arrow Security arrow Page 10 - Unix Host Security: Hacks 1-10

Prevent Services from Binding to an Interface Hack #9 - Security

Security isn't a noun, it's a verb; not a product, but a process. Today, learn the hacks involved in reducing the risks involved in offering services on a Unix-based system. This the first part of chapter one in Network Security Hacks, by Andrew Lockhart (ISBN 0-596-00643-8, O'Reilly & Associates, 2004).

TABLE OF CONTENTS:
  1. Unix Host Security: Hacks 1-10
  2. Secure Mount Points Hack #1
  3. Scan for SUID and SGID Programs Hack #2
  4. Scan For World- and Group-Writable Directories Hack #3
  5. Create Flexible Permissions Hierarchies w/ith POSIX ACLs Hack #4
  6. Protect Your Logs from Tampering Hack #5
  7. Delegate Administrative Roles Hack #6
  8. Automate Cryptographic Signature Verification Hack #7
  9. Check for Listening Services Hack #8
  10. Prevent Services from Binding to an Interface Hack #9
  11. Restrict Services with Sandboxed Environments Hack #10
By: O'Reilly Media
Rating: starstarstarstarstar / 37
May 04, 2004

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement


Keep services from listening on a port instead of firewalling them.

Sometimes you might want to limit a service to listen on only a specific interface. For instance, Apache [Hack #50] can be configured to listen on a specific interface as opposed to all available interfaces. You can do this by using the Listen directive in your configuration file and specifying the IP address of the interface:

Listen 192.168.0.23:80

If you use VirtualHost entries, you can specify interfaces to bind to on a pervirtual-host basis:


<VirtualHost 192.168.0.23>
...
</VirtualHost>

You may even have services that are listening on a TCP port but donít need to be. Database servers such as MySQL are often used in conjunction with Apache, and are frequently set up to coexist on the same server when used in this way. Connections that come from the same machine that MySQL is installed on use a domain socket in the filesystem for communications. Therefore, you donít need to have MySQL listening on a TCP socket. To do this, you can either use the --skip-networking command-line option when starting MySQL or specify it in the [mysqld] section of your my.cnf file:

[mysqld]
...
skip-networking
...

Another program that youíll often find listening on a port is your X11 server, which listens on TCP port 6000 by default. This port is traditionally used to enable remote clients to connect to your X11 server so they can draw their windows and accept keyboard and mouse input; however, with the advent of SSH and X11 forwarding, this really isnít needed anymore. With X11 forwarding enabled in ssh, any client that needs to connect to your X11 server will be tunneled through your SSH connection and will bypass the listening TCP port when connecting to your X11 server. To get your X Windows server to stop listening on this port, all you need to do is add -nolisten tcp to the command that is used to start the server. This can be tricky, though ó figuring out which file controls how the server is started can be a daunting task. Usually, you can find what youíre looking for in /etc/X11.

If youíre using gdm, open your gdm.conf and look for a line similar to this one:

command=/usr/X11R6/bin/X

Then just add -nolisten tcp to the end of the line.

If youíre using xdm, look for a file called Xservers and make sure it contains a line similar to this:

:0 local /usr/X11R6/bin/X -nolisten tcp

Alternatively, if youíre not using a managed display and instead youíre using startx or a similar command to start your X11 server, you can just add -nolisten tcp to the end of your startx command. To be sure that it is passed to the X server process, start it after an extra set of hyphens:

$ startx -- -nolisten tcp

Once you start X, fire up a terminal and see what is listening using lsof or netstat [Hack #8]. You should no longer see anything bound to port 6000. 

Buy the book!If you've enjoyed what you've seen here, or to get more information, click on the "Buy the book!" graphic. Pick up a copy today!

Visit the O'Reilly Network http://www.oreillynet.com for more online content.



 
 
>>> More Security Articles          >>> More By O'Reilly Media
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SECURITY ARTICLES

- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- Whatís behind the curtain? Part II

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: