Linux Administrator's Security Guide - Caldera

Caldera OpenLinux 2.2

Caldera has a graphical installation for 2.2 called “lizard”, with a number of nice features. During the installation it will force you to create a user account; hopefully this will encourage people not to log in constantly as root. There is also an entry for “sulogin” in the /etc/inittab file, meaning you can’t just type “linux single” at the lilo boot prompt and get dumped to a command prompt as root; you must first enter root’s password. There are, however, several problems with the default installation that you will need to correct.

inetd.conf

The file /etc/inetd.conf, which controls various Internet-related services, has many older and dangerous services turned on:

echo	stream	tcp	nowait	root	internal
echo	dgram	udp	wait	root	internal
discard	stream	tcp	nowait	root	internal
discard	dgram	udp	wait	root	internal
daytime	stream	tcp	nowait	root	internal
daytime	dgram	udp	wait	root	internal
chargen	stream	tcp	nowait	root	internal
chargen	dgram	udp	wait	root	internal
gopher	stream	tcp	nowait	root	/usr/sbin/tcpd gn
shell	stream	tcp	nowait	root	/usr/sbin/tcpd in.rshd
login	stream	tcp	nowait	root	/usr/sbin/tcpd in.rlogind
exec	stream	tcp	nowait	root	/usr/sbin/tcpd in.rexecd
talk	dgram	udp	wait	nobody.tty	/usr/sbin/tcpd in.talkd
ntalk	dgram	udp	wait	nobody.tty	/usr/sbin/tcpd in.ntalkd
uucp	stream	tcp	nowait	uucp	/usr/sbin/tcpd /usr/sbin/uucico -l

These should all be commented out (place a “#” at the beginning of each line); then restart inetd with “killall -1 inetd”.
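
An added example (not part of the original guide or of Caldera's scripts): a shell script that comments out the services listed above in an inetd.conf file and reports which of them are still enabled. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Services the guide says to comment out (first field of an inetd.conf entry).
RISKY="echo discard daytime chargen gopher shell login exec talk ntalk uucp"

# Print "service/proto" for each listed service still enabled in file $1.
enabled_risky() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }   # skip comments and non-entries
        ($1 in want) { print $1 "/" $3 }
    ' "$1"
}

# Comment out the listed services in file $1; the original is kept as $1.bak.
# Lines for other services and existing comments are written back unchanged.
disable_risky() {
    cp -p "$1" "$1.bak" || return 1
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        !/^[ \t]*#/ && NF >= 6 && ($1 in want) { print "#" $0; next }
        { print }
    ' "$1.bak" > "$1"
}

# Constructed sample (not a real system file): three listed services enabled,
# one already commented out, and ftp, which the list above does not cover.
write_sample() {
    cat > "$1" <<'EOF'
echo     stream  tcp  nowait  root        internal
#discard stream  tcp  nowait  root        internal
shell    stream  tcp  nowait  root        /usr/sbin/tcpd in.rshd
ftp      stream  tcp  nowait  root        /usr/sbin/tcpd in.ftpd -l -a
talk     dgram   udp  wait    nobody.tty  /usr/sbin/tcpd in.talkd
EOF
}

# Demo: run against the sample, or against the file named in $1.
f=${1:-$(mktemp)}
[ $# -gt 0 ] || write_sample "$f"
echo "enabled before: $(enabled_risky "$f" | tr '\n' ' ')"
disable_risky "$f" && echo "enabled after: $(enabled_risky "$f" | tr '\n' ' ')"
# On a live system, follow with the guide's: killall -1 inetd
```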

portmap

One service many people will want to turn off is portmap. It is used for a variety of services, such as nfs, and has had a history of problems. Turning it off in OpenLinux is a bit of a pain, however, since it is started from the same script that initializes inetd. You can either remove the portmap package (“rpm -e portmap”) or you can go into /etc/rc.d/init.d/inet and edit the following:

NAME1=inetd
DAEMON1=/usr/sbin/$NAME1
NAME2=rpc.portmap
DAEMON2=/usr/sbin/$NAME2

to:

NAME1=inetd
DAEMON1=/usr/sbin/$NAME1
#NAME2=rpc.portmap
#DAEMON2=/usr/sbin/$NAME2

and:

# Bail out if neither is present
[ -x $DAEMON1 ] || [ -x $DAEMON2 ] || exit 2

to:

# Bail out if neither is present
[ -x $DAEMON1 ] || exit 2

and:

[ -x $DAEMON1 ] && ssd -S -n $NAME1 -x $DAEMON1 -- $INETD_OPTIONS
[ -x $DAEMON2 ] && ssd -S -n $NAME2 -x $DAEMON2 -- $PORTMAP_OPTIONS

to:

[ -x $DAEMON1 ] && ssd -S -n $NAME1 -x $DAEMON1 -- $INETD_OPTIONS
# [ -x $DAEMON2 ] && ssd -S -n $NAME2 -x $DAEMON2 -- $PORTMAP_OPTIONS

and then comment out this entirely:

NFS=""
cat /etc/mtab | while read dev mpoint type foo; do
  [ "$type" = "nfs" ] && NFS="$mpoint $NFS"
done
if [ -n "$NFS" ]; then
  echo -n "Unmounting NFS filesystems: "
  POLICY=I # Ignore 'device busy' during shutdown
  [ "$PROBABLY" != "halting" ] && POLICY=1 # exit on 'busy'
  for mpoint in $NFS; do
    SVIrun S $POLICY "$mpoint" "!$mpoint" \
      umount $mpoint
  done
  echo "."
fi

amd

Another service installed by default in OpenLinux 2.2 is the Auto Mount Daemon (amd). It allows you to define directories that map to devices or NFS locations, so I can define /auto/cdrom as being /dev/cdrom, and when you “cd /auto/cdrom” the system automatically mounts /dev/cdrom as /auto/cdrom with the appropriate options (read-only, etc.). The amd service uses a semi-random port number, usually in the 600-800 range. This service is definitely very useful on a workstation: it saves users from having to manually mount every removable media device they wish to use (cdrom and floppy being the most common). However, I would not recommend it on machines running as servers, due to the history of problems amd has had. Turning off amd is easy; simply rename the symlinks from “S30amd” to “K70amd”.

mv /etc/rc.d/rc3.d/S30amd /etc/rc.d/rc3.d/K70amd
mv /etc/rc.d/rc5.d/S30amd /etc/rc.d/rc5.d/K70amd

SSH

SSH RPMs are not available for OpenLinux 2.2 (that is to say, I have not found any). The SSH RPMs for Red Hat systems fail miserably, and the source RPMs also fail to compile; SSH does, however, compile cleanly from source code with no problems. You can get the SSH source code from: ftp://ftp.replay.com/pub/replay/crypto/SSH/. To start sshd you need, at a minimum, to run “/usr/local/bin/sshd” at boot time from a script; it will look for its config files in /etc and should start OK.

Novell 

Haven’t tested the Novell software yet, unknown if there are any issues.

Updates

Updates for Caldera OpenLinux 2.2 are available from: ftp://ftp.calderasystems.com/pub/openlinux/2.2/current/RPMS/.

 
