EXAMPLES
These are examples from the article "Armoring Linux".

Example A
This is an example of the /etc/inetd.conf file. Notice how everything is commented out except for ftp and telnet.

#
# inetd.conf    This file describes the services that will be available
#               through the INETD TCP/IP super server.  To re-configure
#               the running INETD process, edit this file, then send the
#               INETD process a SIGHUP signal.
#
# Version:      @(#)/etc/inetd.conf     3.10    05/27/93
#
# Authors:      Original taken from BSD UNIX 4.3/TAHOE.
#               Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
# Modified for Debian Linux by Ian A. Murdock <imurdock@shell.portal.com>
#
# Modified for RHS Linux by Marc Ewing <marc@redhat.com>
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
# To re-read this file after changes, just do a 'killall -HUP inetd'
#
#echo   stream  tcp     nowait  root    internal
#echo   dgram   udp     wait    root    internal
#discard        stream  tcp     nowait  root    internal
#discard        dgram   udp     wait    root    internal
#daytime        stream  tcp     nowait  root    internal
#daytime        dgram   udp     wait    root    internal
#chargen        stream  tcp     nowait  root    internal
#chargen        dgram   udp     wait    root    internal
#
# These are standard services.
#
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -L -i -o
telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#gopher stream  tcp     nowait  root    /usr/sbin/tcpd  gn

# do not uncomment smtp unless you *really* know what you are doing.
# smtp is handled by the sendmail daemon now, not smtpd.  It does NOT
# run from here, it is started at boot time from /etc/rc.d/rc#.d.
#smtp   stream  tcp     nowait  root    /usr/bin/smtpd  smtpd
#nntp   stream  tcp     nowait  root    /usr/sbin/tcpd  in.nntpd
#
# Shell, login, exec and talk are BSD protocols.
#
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
#talk   dgram   udp     wait    root    /usr/sbin/tcpd  in.talkd
#ntalk  dgram   udp     wait    root    /usr/sbin/tcpd  in.ntalkd
#dtalk  stream  tcp     waut    nobody  /usr/sbin/tcpd  in.dtalkd
#
# Pop and imap mail services et al
#
#pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd ipop2d
#pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd ipop3d
#imap    stream  tcp     nowait  root    /usr/sbin/tcpd imapd
#
# The Internet UUCP service.
#
#uucp   stream  tcp     nowait  uucp    /usr/sbin/tcpd  /usr/lib/uucp/uucico    -l
#
# Tftp service is provided primarily for booting.  Most sites
# run this only on machines acting as "boot servers." Do not uncomment
# this unless you *need* it.
#
#tftp   dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
#bootps dgram   udp     wait    root    /usr/sbin/tcpd  bootpd
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers."  Many sites choose to disable
# some or all of these services to improve security.
#
# cfinger is for GNU finger, which is currently not in use in RHS Linux
#
#finger stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
#cfinger stream tcp     nowait  root    /usr/sbin/tcpd  in.cfingerd
#systat stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/ps -auwwx
#netstat        stream  tcp     nowait  guest   /usr/sbin/tcpd  /bin/netstat    -f inet
#
# Time service is used for clock synchronization.
#
#time   stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.timed
#time   dgram   udp     wait    nobody  /usr/sbin/tcpd  in.timed
#
# Authentication
#
#auth   stream  tcp     nowait    nobody    /usr/sbin/in.identd in.identd -l -e -o
#
# End of inetd.conf
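
One way to check a file like Example A for services left enabled, as an added example that is not part of the original article. The function names and the sample file are constructed for illustration; the sample enables one extra entry (auth) that is not started through tcpd so the second check has something to report.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-format file for services left enabled.

# Print "service/proto server_path" for every active (uncommented) entry.
enabled_services() {
    awk '/^[ \t]*#/ || NF < 6 { next }
         { print $1 "/" $3 " " $6 }' "$1"
}

# Print active entries that are neither inetd built-ins nor started via tcpd,
# i.e. services that bypass the /etc/hosts.allow and /etc/hosts.deny checks.
unwrapped_services() {
    enabled_services "$1" |
        awk '$2 != "internal" && $2 !~ /\/tcpd$/ { print $1 }'
}

# Constructed sample in the format of Example A.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#echo   stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -L -i -o
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  root    /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF

echo "Enabled services:"; enabled_services "$SAMPLE"
echo "Not behind tcpd:";  unwrapped_services "$SAMPLE"
```

Point the two functions at /etc/inetd.conf after editing it and before sending inetd the SIGHUP.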
 
 
 

Example B
This is an example of the /etc/issue file.

#
#
#  WARNING:  You must have specific authorization to access
#            this machine.  Unauthorized users will be logged,
#            monitored, and then shot on sight!
#
#
 
 

Example C
This is an example of system accounts I leave in the /etc/passwd file.  Notice how the password field contains "x" and not the encrypted password.  Encrypted passwords are now securely stored in the /etc/shadow file as a result of the "pwconv" command.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
mail:x:8:12:mail:/var/spool/mail:
uucp:x:10:14:uucp:/var/spool/uucp:
nobody:x:99:99:Nobody:/:
 
 
 

Example D
This is an example of the /etc/ftpusers file.

root
bin
daemon
adm
lp
mail
uucp
nobody
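
A cross-check of Examples C and D, as an added example that is not part of the original article: it reports accounts whose password field is not "x" and system accounts missing from the ftpusers list. The function names, the UID cutoff of 500 and the sample files (including the "games" and "alice" entries) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: cross-check passwd-format and ftpusers-format files.

# unshadowed_accounts PASSWD -> accounts whose password field is not "x",
# meaning the hash (or a lock marker) still sits in the world-readable file.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# ftp_allowed_system_accounts PASSWD FTPUSERS [MAXUID] -> accounts with a UID
# below MAXUID (default 500, an assumption) that ftpusers does not list.
ftp_allowed_system_accounts() {
    awk -F: -v max="${3:-500}" '
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) denied[$1] = 1; next }
        $3 + 0 < max + 0 && !($1 in denied) { print $1 }
    ' "$2" "$1"
}

# Constructed sample files; "games" carries a placeholder instead of "x"
# and is also absent from the ftpusers list.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
uucp:x:10:14:uucp:/var/spool/uucp:
games:HASH-PLACEHOLDER:12:100:games:/usr/games:
nobody:x:99:99:Nobody:/:
alice:x:500:500::/home/alice:/bin/bash
EOF
printf '%s\n' root uucp nobody > "$TMP/ftpusers"

echo "Hash still in passwd: $(unshadowed_accounts "$TMP/passwd")"
echo "System accounts missing from ftpusers: $(ftp_allowed_system_accounts "$TMP/passwd" "$TMP/ftpusers")"
```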
 
 
 
 

Example E
This is an example of the /etc/securetty file.

tty1
tty2
tty3
tty4
ttyp1 --> Note: this entry now allows a remote user to log in as root.  Normally, you do NOT want this entry!
 
 
 
 
 
 

Example F
This is an example of the access control lists for TCP Wrappers.  The syntax is:

Service: Source (IP address, network, or name): <optional> : ALLOW or DENY

Example of /etc/hosts.allow

in.telnetd: 192.168.1.0/255.255.255.0 : banners /etc/bannerfile : ALLOW
in.ftpd: 192.168.1.30 :ALLOW
imapd: ALL : spawn (/usr/local/bin/ids.sh %d %h %H %u)

Example of /etc/hosts.deny. I highly recommend you always use this as your /etc/hosts.deny file.

ALL: ALL : DENY
 
 
 
 
 
 
 
 
 
 
Example G
Go to the /etc/pam.d directory, where you will find all the configuration files for the different binaries that require authentication.  Most of the configuration files will have the following entry:
password   required     /lib/security/pam_pwdb.so nullok use_authtok
or
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok

All you need to do is find all the configuration files that have this entry and add "md5" to the end, so it looks like this:
password   required     /lib/security/pam_pwdb.so nullok use_authtok md5
or
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok md5

For my RedHat 6.0 system, I had to edit this line in the following configuration files in /etc/pam.d:
chfn
chsh
login
passwd
rlogin
su
xdm
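
The edit described in Example G, scripted as an added example that is not part of the original article. The function names, the separate backup directory and the sample directory standing in for /etc/pam.d are assumptions; only "password" lines that use pam_pwdb.so and lack md5 are changed.

```shell
#!/bin/sh
# Added example: append "md5" to pam_pwdb.so password lines that lack it.

# awk fragment shared below: sets lacks=1 on a "password" line that uses
# pam_pwdb.so and does not already list md5 among its options.
MATCH='{ lacks = 0 }
$1 == "password" && $3 ~ /pam_pwdb\.so$/ {
    lacks = 1
    for (i = 4; i <= NF; i++) if ($i == "md5") lacks = 0
}
'

# needs_md5 DIR -> names of the files in DIR that still need the change.
needs_md5() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if awk "$MATCH"'lacks { n++ } END { exit !n }' "$f"; then
            basename "$f"
        fi
    done
    return 0
}

# add_md5 DIR BACKUP_DIR -> save each such file, then rewrite it in place.
add_md5() {
    mkdir -p "$2"
    for name in $(needs_md5 "$1"); do
        cp -p "$1/$name" "$2/$name"
        awk "$MATCH"'lacks { $0 = $0 " md5" } { print }' "$2/$name" > "$1/$name"
    done
}

# Constructed stand-in for /etc/pam.d; only "login" and "su" need editing.
PAMDIR=$(mktemp -d)
trap 'rm -rf "$PAMDIR" "$PAMDIR.bak"' EXIT
P='password   required     /lib/security/pam_pwdb.so'
printf '%s\n' "auth       required     /lib/security/pam_pwdb.so shadow nullok" \
    "$P nullok use_authtok" > "$PAMDIR/login"
printf '%s\n' "$P shadow nullok use_authtok md5" > "$PAMDIR/passwd"
printf '%s\n' "$P shadow nullok use_authtok" > "$PAMDIR/su"

BEFORE=$(needs_md5 "$PAMDIR")
add_md5 "$PAMDIR" "$PAMDIR.bak"
AFTER=$(needs_md5 "$PAMDIR")
echo "needed md5 before: $(echo $BEFORE); after: '$AFTER'"
```

The md5 option only affects passwords set after the change; existing entries in /etc/shadow keep their old hash until each user next changes their password.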
 
 
 
 
 
 
 
 
 
 
 
 
 
Example H
Below is the configuration file for IPChains. You can easily implement this on your system using the command 'ipchains-restore' as follows:

mozart #cat ipchains.cfg | ipchains-restore

The contents of the ipchains.cfg file are as follows:

:input DENY
:forward ACCEPT
:output ACCEPT
-A input -s 0.0.0.0/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 255.255.255.255/255.255.255.255 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 224.0.0.0/255.0.0.0 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT -l
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT -l
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY -l