Chapter 14 Security

Table of Contents
14.1 Disabling Services
14.2 Host Access Control
14.3 Keeping Current

Security on any system is important; it can prevent people launching attacks from your machine, as well as protect sensitive data. This chapter is all about how to start securing your Slackware box against script kiddies, crackers and rogue hamsters alike. Bear in mind that this is only the start of securing a system; security is a process, not a state.

14.1 Disabling Services

The first step after installing Slackware should be to disable any services you don't need. Any services could potentially pose a security risk, so it is important to run as few services as possible (i.e. only those that are needed). Services are started from two main places - inetd and init scripts.

14.1.1 Services started from inetd

A lot of the daemons that come with Slackware are run from inetd(8). inetd is a daemon that listens on all of the ports used by services configured to be started by it and spawns an instance of the relevant daemon when a connection attempt is made. Daemons started from inetd can be disabled by commenting out the relevant lines in /etc/inetd.conf. To do this, open this file in your favorite editor (e.g. vi) and you should see lines similar to this:

telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

You can disable this service, and any others you don't need, by commenting them out (i.e. adding a # (hash) symbol to the beginning of the line). The above line would then become:

#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

After inetd has been restarted, this service will be disabled. You can restart inetd with the command:

# kill -HUP $(cat /var/run/inetd.pid)

14.1.2 Services started from init scripts

The rest of the services started when the machine starts are started from the init scripts in /etc/rc.d/. These can be disabled in two different ways, the first being to remove the execute permissions on the relevant init script and the second being to comment out the relevant lines in the init scripts.

For example, SSH is started by its own init script at /etc/rc.d/rc.sshd. You can disable this using:

# chmod -x /etc/rc.d/rc.sshd

For services that don't have their own init script, you will need to comment out the relevant lines in the init scripts to disable them. For example, the portmap daemon is started by the following lines in /etc/rc.d/rc.inet2:

# This must be running in order to mount NFS volumes.
# Start the RPC portmapper:
if [ -x /sbin/rpc.portmap ]; then
  echo "Starting RPC portmapper:  /sbin/rpc.portmap"
  /sbin/rpc.portmap
fi
# Done starting the RPC portmapper.

This can be disabled by adding # symbols to the beginnings of the lines that don't already start with them, like so:

# This must be running in order to mount NFS volumes.
# Start the RPC portmapper:
#if [ -x /sbin/rpc.portmap ]; then
#  echo "Starting RPC portmapper:  /sbin/rpc.portmap"
#  /sbin/rpc.portmap
#fi
# Done starting the RPC portmapper.

These changes will only take effect after either a reboot or changing from and back to runlevel 3 or 4. You can do this by typing the following on the console (you will need to log in again after changing to runlevel 1):

# telinit 1
# telinit 3