General System Security
NOTE: If you are following our setup installation, the Xwindow interface is not installed on your server and all the files described above will not appear in the “/etc/security” directory, so don’t pay attention to the above steps.
Disabling all console access
The Linux-PAM library installed by default on your system allows the system administrator to choose how applications authenticate users, such as for console access, program and file access. In order to disable all these accesses for the users, you must comment out all lines that refer to pam_console.so in the “/etc/pam.d/” directory. This step is a continuation of the above hack “Disabling console program access”.
The following script will do the trick automatically for you. As “root”, create the disabling.sh script file (touch disabling.sh) and add the following lines inside:
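#!/bin/sh
# Comment out every active line that refers to pam_console.so in each PAM file.
cd /etc/pam.d || exit 1
for i in * ; do
    # The ^ anchor skips lines that are already commented out.
    sed '/^[^#].*pam_console\.so/s/^/#/' < "$i" > foo && mv foo "$i"
done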
Make this script executable with the following command and execute it:
[root@deep /]# chmod 700 disabling.sh
[root@deep /]# ./disabling.sh
This will comment out all lines that refer to “pam_console.so” for all files located under the “/etc/pam.d” directory. Once the script has been executed, you can remove it from your system.
The “/etc/inetd.conf” file
Inetd, also called the “super server”, will load a network program based upon a request from the network. The “inetd.conf” file tells inetd which ports to listen to and what server to start for each port. The first thing to look at as soon as you put your Linux system on ANY network is what services you need to offer.
Services that you do not need to offer should be disabled and uninstalled so that you have one less thing to worry about, and attackers have one less place to look for a hole. Look at your “/etc/inetd.conf” file to see what services are being offered by your inetd program. Disable what you do not need by commenting them out (by adding a # at the beginning of the line), and then sending your inetd process a SIGHUP signal to update it to the current “inetd.conf” file.
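The review described above, as an added example that is not part of the original text: a shell script that lists the services an inetd.conf-style file currently offers and comments out every entry not on an allowlist. The function names (list_active, disable_except, make_sample, demo), the allowlist of “ftp” and the sample file contents are assumptions constructed for this example; it works on a temporary copy and never touches “/etc/inetd.conf”.

```sh
#!/bin/sh
# Added example: audit an inetd.conf-style file against an allowlist.

# Print the service name (field 1) of every active (uncommented) entry.
list_active() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Write file $1 to stdout with every active entry commented out unless its
# service name is in the space-separated allowlist $2.
disable_except() {
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }    # comments and blanks: unchanged
        ($1 in ok)           { print; next }    # allowlisted service: unchanged
                             { print "#" $0 }   # anything else: disabled
    ' "$1"
}

# Constructed sample; fields: service socket-type protocol wait user server args
make_sample() {
    cat > "$1" <<'EOF'
# sample inetd.conf (constructed for this example)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
EOF
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/inetd.conf"
    echo "Offered before:"; list_active "$tmp/inetd.conf"
    disable_except "$tmp/inetd.conf" "ftp" > "$tmp/inetd.conf.new"
    echo "Offered after keeping only ftp:"; list_active "$tmp/inetd.conf.new"
    rm -rf "$tmp"
    # On a real server, review the new file, install it as /etc/inetd.conf,
    # then send inetd a SIGHUP (kill -HUP <pid of inetd>) so it rereads it.
}

demo
```

Entries that are already commented out are left as they are, so running the filter a second time does not add extra # characters.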