| inetd/bootps |
inetd |
/etc/inetd.conf |
bootp services to diskless clients |
- Necessary for Network Installation Management (NIM) and remote
booting of systems
- Works concurrently with tftp
- Disable in most cases
|
| inetd/chargen |
inetd |
/etc/inetd.conf |
character generator (testing only) |
- Available as a TCP and UDP service
- Provides opportunity for Denial of Service attacks
- Disable unless you are testing your network
|
| inetd/cmsd |
inetd |
/etc/inetd.conf |
calendar service (as used by CDE) |
- Runs as root, therefore a security concern
- Disable unless you require this service with CDE
- Disable on back room database servers
|
| inetd/comsat |
inetd |
/etc/inetd.conf |
Notifies incoming electronic mail |
- Runs as root, therefore a security concern
- Seldom required
- Disable
|
| inetd/daytime |
inetd |
/etc/inetd.conf |
obsolete time service (testing only) |
- Runs as root
- Available as a TCP and UDP service
- Provides opportunity for a Denial of Service PING attacks
- Service is obsolete and used for testing only
- Disable
|
| inetd/discard |
inetd |
/etc/inetd.conf |
/dev/null service (testing only) |
- Available as TCP and UDP service
- Used in Denial of Service Attacks
- Service is obsolete and used for testing only
- Disable
|
| inetd/dtspc |
inetd |
/etc/inetd.conf |
CDE Subprocess Control |
- This service is started automatically by the inetd daemon
in response to a CDE client requesting a process to be started on
the daemon's host. This makes it vulnerable to attacks
- Disable on back room servers with no CDE
- CDE might be able to function without this service
- Disable unless absolutely needed
|
| inetd/echo |
inetd |
etc/inetd.conf |
echo service (testing only) |
- Available as UDP and TCP service
- Could be used in Denial of Service or Smurf attacks
- Used to echo at someone else to get through a firewall or start
a datastorm
- Disable
|
| inetd/exec |
inetd |
/etc/inetd.conf |
remote execution service |
- Runs as root user
- Requires that you enter a user ID and password, which are passed
unprotected
- This service is highly susceptible to being snooped
- Disable
|
| inetd/finger |
inetd |
/etc/inetd.conf |
finger peeking at users |
- Runs as root user
- Gives out information about your systems and users
- Disable
|
| inetd/ftp |
inetd |
/etc/inetd.conf |
file transfer protocol |
- Runs as root user
- User id and password are transferred unprotected, thus allowing
them to be snooped
- Disable this service and use a public domain secure shell suite
|
| inetd/imap2 |
inetd |
/etc/inetd.conf |
Internet Mail Access Protocol |
- Ensure that you are using the latest version of this server
- Only necessary if you are running a mail server. Otherwise, disable
- User ID and password are passed unprotected
|
| inetd/klogin |
inetd |
/etc/inetd.conf |
Kerberos login |
- Enabled if your site uses Kerberos authentication
|
| inetd/kshell |
inetd |
/etc/inetd.conf |
Kerberos shell |
- Enabled if your site uses Kerberos authentication
|
| inetd/login |
inetd |
/etc/inetd.conf |
rlogin service |
- Susceptible to IP spoofing, DNS spoofing
- Data, including User IDs and passwords, is passed unprotected
- Runs as root user
- Use a secure shell instead of this service
|
| inetd/netstat |
inetd |
/etc/inetd.conf |
reporting of current network status |
- Could potentially give network information to hackers if run on
your system
- Disable
|
| inetd/ntalk |
inetd |
/etc/inetd.conf |
Allows users to talk with each other |
- Runs as root user
- Not required on production or back room servers
- Disable unless absolutely needed
|
| inetd/pcnfsd |
inetd |
/etc/inetd.conf |
PC NFS file services |
- Disable service if not currently in use
- If you need a service similar to this, consider Samba, as the
pcnfsd daemon predates Microsoft's release of SMB specifications
|
| inetd/pop3 |
inetd |
/etc/linetd.conf |
Post Office Protocol |
- User IDs and passwords are sent unprotected
- Only needed if your system is a mail server and you have clients
who are using applications that only support POP3
- If your clients use IMAP, use that instead, or use the POP3s service.
This service has a Secure Socket Layer (SSL) tunnel
- Disable if you are not running a mail server or have clients who
need POP services
|
| inetd/rexd |
inetd |
/etc/inetd.conf |
remote execution |
- Runs as root user
- Peers with the on command
- Disable service
- Use rshand rshd instead
|
| inetd/quotad |
inetd |
/etc/inetd.conf |
reports of file quotas (for NFS clients) |
- Only needed if you are running NFS file services
- Disable this service unless required to provide an answer for
the quota command
- If you need to use this service, keep all patches and fixes for
this service up to date
|
| inetd/rstatd |
inetd |
/etc/inetd.conf |
Kernel Statistics Server |
- If you need to monitor systems, use SNMP and disable this service
- Required for use of the rup command
|
| inetd/rusersd |
inetd |
/etc/inetd.conf |
info about user logged in |
- This is not an essential service. Disable
- Runs as root user
- Gives out a list of current users on your system and peers with
rusers
|
| inetd/rwalld |
inetd |
/etc/inetd.conf |
write to all users |
- Runs as root user
- If your systems have interactive users, you might need to keep
this service
- If your systems are production or database servers, this is not
needed
- Disable
|
| inetd/shell |
inetd |
/etc/inetd.conf |
rsh service |
- Disable this service if possible. Use Secure Shell instead
- If you must use this service, use the TCP Wrapper to stop spoofing
and limit exposures
- Required for theXhier software ditribution program
|
| inetd/sprayd |
inetd |
/etc/inetd.conf |
RPC spray tests |
- Runs as root user
- Might be required for diagnosis of NFS network problems
- Disable if you are not running NFS
|
| inetd/systat |
inetd |
/etc/inted.conf |
"ps -ef" status report |
- Allows for remote sites to see the process status on your system
- This service is disabled by default. You must check periodically
to ensure that the service has not been enabled
|
| inetd/talk |
inetd |
/etc/inetd.conf |
establish split screen between 2 users on the
net |
- Not a required service
- Used with the talk command
- Provides UDP service at Port 517
- Disable unless you need multiple interactive chat sessions for UNIX user
|
| inetd/ntalk |
inetd |
/etc/inetd.conf |
"new talk" establish split screen between 2
users on the net |
- Not a required service
- Used with the talk command
- Provides UDP service at Port 517
- Disable unless you need multiple interactive chat sessions for UNIX user
|
| inetd/telnet |
inetd |
/etc/inetd.conf |
telnet service |
- Supports remote login sessions, but the password and ID are passed
unprotected
- If possible, disable this service and use Secure Shell for remote
access instead
|
| inetd/tftp |
inetd |
/etc/inetd.conf |
trivial file transfer |
- Provides UDP service at port 69
- Runs as root user and might be compromised
- Used by NIM
- Disable unless you are using NIM or have to boot a diskless workstation
|
| inetd/time |
inetd |
/etc/inetd.conf |
obsolete time service |
- Internal function of inetd that is used by rdate command.
- Available as TCP and UDP service
- Sometimes used to synchronize clocks at boot time
- Service is outdated. Use ntpdate instead
- Disable this only after you have tested your systems (boot/reboot)
with this service disabled and have observed no problems
|
| inetd/ttdbserver |
inetd |
/etc/inetd.conf |
tool-talk database server (for CDE) |
- The rpc.ttdbserverd runs as root user and might be compromised
- Stated as a required service for CDE, but CDE is able to work
without it
- Should not be run on back room servers or any systems where security
is a concern
|
| inetd/uucp |
inetd |
/etc/inetd.conf |
UUCP network |
- Disable unless you have an application that uses UUCP
|
| inittab/dt |
init |
/etc/rc.dt script in the /etc/inittab |
desktop login to CDE environment |
- Starts the X11 server on the console
- Supports the X11 Display Manager Control Protocol (xdcmp) so that
other X11 stations can log into the same machine
- Service should be used on personal workstations only. Avoid using
it for back room systems
|
| inittab/dt_nogb |
init |
/etc/inittab |
desktop login to CDE environment (NO graphic
boot) |
- No graphical display until the system is up fully
- Same concerns as inittab/dt
|
| inittab/httpdlite |
init |
/etc/inittab |
web server for the docsearch command |
- Default web server for the docsearch engine
- Disable unless your machine is a documentation server
|
| inittab/i4ls |
init |
/etc/inittab |
license manager servers |
- Enable for development machines
- Disable for production machines
- Enable for back room database machines that have license requirements
- Provides support for compilers, database software, or any other
licensed products
|
| inittab/imqss |
init |
/etc/inittab |
search engine for "docsearch" |
- Part of the default web server for the docsearch engine
- Disable unless your machine is a documentation server
|
| inittab/lpd |
init |
/etc/inittab |
BSD line printer interface |
- Accepts print jobs from other systems
- You can disable this service and still send jobs to the print
server
- Disable this after you confirm that printing is not affected
|
| inittab/nfs |
init |
/etc/inittab |
Network File System/Net Information Services |
- NFS and NIS services based which were built on UDP/RPC
- Authentication is minimal
- Disable this for back room machines
|
| inittab/piobe |
init |
/etc/inittab |
printer IO Back End (for printing) |
- Handles the scheduling, spooling and printing of jobs submitted
by the qdaemon daemon
- Disable if you are not printing from your system because you are
sending print job to a server
|
| inittab/qdaemon |
init |
/etc/inittab |
queue daemon (for printing |
- Submits print jobs to the piobe daemon
- If you are not printing from your system, then disable
|
| inittab/uprintfd |
init |
/etc/inittab |
kernel messages |
- Generally not required
- Disable
|
| inittab/writesrv |
init |
/etc/inittab |
writing notes to ttys |
- Only used by interactive UNIX workstation
users
- Disable this service for servers, back room databases, and development
machines
- Enable this service for workstations
|
| inittab/xdm |
init |
/etc/inittab |
traditional X11 Display Management |
- Do not run on back room production or database servers
- Do not run on development systems unless X11 display management
is needed
- Acceptable to run on workstations if graphics are needed
|
| rc.nfs/automountd |
|
/etc/rc.nfs |
automatic file systems |
- If you use NFS, enable this for workstations
- Do not use the automounter for development or back room servers
|
| rc.nfs/biod |
|
/etc/rc.nfs |
Block IO Daemon (required for NFS server) |
- Enabled for NFS server only
- If not an NFS server, then disable this along with nfsd and rpc.mountd
|
| rc.nfs/keyserv |
|
/etc/rc.nfs |
Secure RPC Key server |
- Manages the keys required for secure RPC
- Disable this if you are not using NFS and NIS
|
| rc.nfs/nfsd |
|
/etc/rc.nfs |
NFS Services (required for NFS Server) |
- Authentication is weak
- Can lend itself to stack frame crashing
- Enable if on NFS file servers
- If you disable this, then disable biod, nfsd, and rpc.mountd as
well
|
| rc.nfs/rpc.lockd |
|
/etc/rc.nfs |
NFS file locks |
- Disable if you are not using NFS
- Disable this if you are not using file locks across the network
- lockd daemon is mentioned in the SANS Top Ten Security
Threats
|
| rc.nfs/rpc.mountd |
|
/etc/rc.nfs |
NFS file mounts (required for NFS Server) |
- Authentication is weak
- Can lend itself to stack frame crashing
- Should be enabled only on NFS file servers
- If you disable this, then disable biod and nfsd as
well
|
| rc.nfs/rpc.statd |
|
/etc/rc.nfs |
NFS file locks (to recover them) |
- Implements file locks across NFS
- Disable unless you are using NFS
|
| rc.nfs/rpc.yppasswdd |
|
/etc/rc.nfs |
NIS password daemon (for NIS master) |
- Used to manipulate the local password file
- Only required when the machine in question is the NIS master;
disable in all other cases
|
| rc.nfs/ypupdated |
|
/etc/rc.nfs |
NIS Update daemon (for NIS worker) |
- Receives NIS database maps pushed from the NIS Master
- Only required when the machine in question is a NIS worker to a Master NIS Server
|
| rc.tcpip/autoconf6 |
|
/etc/rc.tcpip |
IPv6 interfaces |
- Disable unless you are running IP Version 6
|
| rc.tcpip/dhcpcd |
|
/etc/rc.tcpip |
Dynamic Host Configure Protocol (client ) |
- Back room servers should not rely on DHCP. Disable this service
- If your host is not using DHCP, disable
|
| rc.tcpip/dhcprd |
|
/etc/rc.tcpip |
Dynamic Host Configure Protocol (relay |
- Grabs DHCP broadcasts and sends them to a server on another network
- Duplicate of a service found on routers
- Disable this if you are not using DHCP or rely on passing information
between networks
|
| rc.tcpip/dhcpsd |
|
/etc/rc.tcpip |
Dynamic Host Configure Protocol (server |
- Answers DHCP requests from clients at boot time; gives client
information, such as IP name, number, netmask, router, and broadcast
address
- Disable this if you are not using DHCP
- Disabled on production and back room servers along with hosts
not using DHCP
|
| rc.tcpip/dpid2 |
|
/etc/rc.tcpip |
outdated SNMP service |
- Disable unless you need SNMP
|
| rc.tcpip/gated |
|
/etc.rc.tcpip |
gated routing between interfaces |
- Emulates router function
- Disable this service and use RIP or a router instead
|
| rc.tcpip/inetd |
|
/etc/rc.tcpip |
inetd services |
- A thoroughly secured system should have this disabled, but is
often not practical
- Disabling this will disable remote shell services which are required
for some mail and web servers
|
| rc.tcpip/mrouted |
|
/etc/rc.tcpip |
multi-cast routing |
- Emulates router function of sending multi-cast packets between
network segments
- Disable this service. Use a router instead
|
| rc.tcpip/names |
|
/etc/rc.tcpip |
DNS name server |
- Use this only if your machine is a DNS name server
- Disable for workstation, development and production machines
|
| rc.tcpip/ndp-host |
|
/etc/rc.tcpip |
IPv6 host |
- Disable unless you use IP Version 6
|
| rc.tcpip/ndp-router |
|
/etc/rc.tcpip |
IPv6 routing |
- Disable this unless you use IP Version 6. Consider using a router
instead of IP Version 6
|
| rc.tcpip/portmap |
|
/etc/rc.tcpip |
RPC services |
- Required service
- RPC servers register with portmap daemon. Clients who need
to locate RPC services ask the portmap daemon to tell them
where a particular service is located
- Disable only if you have managed to reduce RPC service so that
the only one remaining is portmap
|
| rc.tcpip/routed |
|
/etc/rc.tcpip |
RIP routing between interfaces |
- Emulates router function
- Disable if you have a router for packets between networks
|
| rc.tcpip/rwhod |
|
/etc/rc.tcpip |
Remote "who" daemon |
- Collects and broadcasts data to peer servers on the same network
- Disable this service
|
| rc.tcpip/sendmail |
|
/etc/rc.tcpip |
mail services |
- Runs as root user
- Disable this service unless the machine is used as a mail server
- If disabled, then do one of the following:
- Place an entry in crontab to clear the queue. Use the /usr/lib/sendmail
-q command
- Configure DNS services so that the mail for your server is delivered
to some other system
|
| rc.tcpip/snmpd |
|
/etc/rc.tcpip |
Simple Network Management Protocol |
- Disable if you are not monitoring the system via SNMP tools
- SNMP may be required on critical servers
|
| rc.tcpip/syslogd |
|
/etc/rc.tcpip |
system log of events |
- Disabling this service is not recommended
- Prone to denial of service attacks
- Required in any system
|
| rc.tcpip/timed |
|
/etc/rc.tcpip |
Old Time Daemon |
- Disable this service and use xntp instead
|
| rc.tcpip/xntpd |
|
/etc/rc.tcpip |
New Time Daemon |
- Keeps clocks on systems in sync
- Disable this service.
- Configure other systems as time servers and let other systems
synchronize to them with a cron job that calls ntpdate
|
| dt login |
|
/usr/dt/config/Xaccess |
unrestricted CDE |
- If you are not providing CDE login to a group of X11 stations,
you can restrict dtlogin to the console.
|
| anonymous FTP service |
|
user rmuser -p <username> |
anonymous ftp |
- Anonymous FTP ability prevents you from tracing FTP usage to a
specific user
- Remove user ftp if that user account exists, as follows: rmuser
-p ftp
- Further security can be obtained by populating the /etc/ftpusers file
with a list of those who should not be able to ftp to your system
|
| anonymous FTP writes |
|
|
anonymous ftp uploads |
- No file should belong to ftp.
- FTP anonymous uploads allow the potential for misbehaving code
to be placed on your system.
- Put the names of those users you want to disallow into the /etc/ftpusers file
- Some examples of system-created users you might want to disallow
from anonymously uploading via FTP to your system are: root, daemon,
bin.sys, admin.uucp, guest, nobody, lpd, nuucp, ladp
- Change the owner and group rights to the ftpusers files
as follows: chown root:system /etc/ftpusers
- Change the permissions to the ftpusers files
to a stricter setting as follows: chmod 644 /etc/ftpusers
|
| ftp.restrict |
|
|
ftp to system accounts |
- No user from the outside should be allowed to replace root files
using ftpusers file
|
| root.access |
|
/etc/security/user |
rlogin/telnet to root account |
- Set the rlogin option in the etc/security/user file
to false
- Anyone logging in as root should first log in under their own
name and then su to root; this provides an audit trail
|
| snmpd.readWrite |
|
/etc/snmpd.conf |
SNMP readWrite communities |
- If you are not using SNMP, disable the SNMP daemon.
- Disable community private and community system in the /etc/snmpd.conf file
- Restrict 'public' community to those IP addresses that are monitoring
your system
|
| syslog.conf |
|
|
configure syslogd |
- If you have not configured /etc/syslog.conf,
then disable this daemon
- If you are using syslog.conf to log system
messages, then keep enabled
|