Linux Know-How provides a collection of introductory texts on often needed Linux skills.


Securing the Firewall

A firewall isn't any good if the system it is built on is left wide open to attack. A "bad guy" could gain access to the firewall through a non-firewall service and modify it for their own needs. You need to turn off any unneeded services.

Look in your /etc/inetd.conf file. This file configures inetd, also known as the "super server". It controls many of the server daemons and starts them as they are requested by a packet arriving at a "well known" port.

You should turn off echo, discard, daytime, chargen, ftp, gopher, shell, login, exec, talk, ntalk, pop-2, pop-3, netstat, systat, tftp, bootp, finger, cfinger, time, swat and linuxconfig if you have one.

To turn a service off, put # as the first character of the service line. When you're done, send a SIGHUP to the process by typing "kill -HUP <pid>", where <pid> is the process number of inetd. This will make inetd re-read its configuration file (inetd.conf) and restart without taking your system down.

Test this by telneting to one of the ports you disabled on the firewall, for example port 15 (netstat) or port 19 (chargen). If you get any output, you have not turned these services off.

telnet localhost 19
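As an added example (not part of the original text), the following POSIX shell script applies the same inetd.conf change to a constructed sample file and then checks that none of the services in the list above remain active. It assumes the classic inetd.conf layout, with the service name in the first field and # starting a comment line.

```shell
#!/bin/sh
# Added example, not from the original page: comment out the listed inetd
# services in a copy of inetd.conf and verify that none remain enabled.
# Assumes the classic layout: service name in the first field, '#' = comment.

DISABLE_LIST="echo discard daytime chargen ftp gopher shell login exec talk \
ntalk pop-2 pop-3 netstat systat tftp bootp finger cfinger time swat linuxconfig"

# disable_services FILE: prefix '#' to every active line whose service is in DISABLE_LIST
disable_services() {
    file="$1"
    awk -v list="$DISABLE_LIST" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[[:space:]]*#/        { print; next }        # already commented out
        NF > 0 && ($1 in off)   { print "#" $0; next } # disable this service
                                { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# enabled_services FILE: print the service names on active (uncommented) lines
enabled_services() {
    awk '/^[[:space:]]*#/ { next } NF > 0 { print $1 }' "$1"
}

# check_disabled FILE: return 0 when none of DISABLE_LIST is still active, else 1
check_disabled() {
    for svc in $(enabled_services "$1"); do
        case " $DISABLE_LIST " in
            *" $svc "*) echo "still enabled: $svc"; return 1 ;;
        esac
    done
    return 0
}

# make_sample FILE: write a constructed inetd.conf fragment (not a real system file)
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/inetd.conf
echo     stream  tcp  nowait  root    internal
chargen  stream  tcp  nowait  root    internal
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
netstat  stream  tcp  nowait  root    /usr/sbin/tcpd  /bin/netstat -f inet
EOF
}
```

On a real system, run disable_services against /etc/inetd.conf and then send inetd the SIGHUP described above so it re-reads the file; check_disabled afterwards confirms nothing from the list is still being served.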

You can also create the file /etc/nologin. Put a few lines of text in it, such as "BUZZ OFF". When this file exists, login will not allow ordinary users to log on. They will see the contents of this file and their login will be refused. Only root can log on.

You can also edit the file /etc/securetty. If the user is root, then the login must be occurring on a tty listed in /etc/securetty. Failures will be logged with the syslog facility. With both of these controls in place, the only way to log on to the firewall will be as root from the console.

NEVER EVER TELNET to a system and log IN AS ROOT. If you need remote root access, use SSH (Secure Shell). You might even turn off telnet.

If you are really paranoid you need to be using LIDS (Linux Intrusion Detection System). It is an intrusion detection system patch for the Linux kernel; it can protect important files from being changed. When it's in effect, no one (including root) can change the protected files or directories and their sub-directories. You have to reboot the system with a security=1 LILO setting to modify secure files. (I'd also boot into single user mode.)


Last Update: 2010-12-16