Protect portmap With iptables
The portmap service (replaced by rpcbind on current distributions, which listens on the same port 111) is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and can hand out a wide range of ports to the services it controls, so it is difficult to secure and should be reachable only from hosts that actually need RPC.
Securing portmap only affects NFSv2 and NFSv3 implementations, since NFSv4 no longer requires it. If you plan to implement an NFSv2 or NFSv3 server, then portmap is required, and the following section applies.
Below are two example iptables rules. The first drops TCP connections to port 111 (the port portmap listens on) from any source outside the 192.168.0.0/24 network; the second accepts TCP connections to the same port from the local host. Because iptables evaluates rules in order and 127.0.0.1 is also outside 192.168.0.0/24, the localhost ACCEPT must come before the DROP or it is never reached. Note also that the old "-s! network" spelling is rejected by current iptables; the negation goes in front of the option.
Example:
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP
Portmap also listens on UDP port 111. To limit UDP traffic in the same way, use the following command (again, insert a localhost ACCEPT before it if local UDP RPC clients must keep working):
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP
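The complete rule set for both protocols, as an added example that is not part of the original page: the function below emits the loopback and trusted-network ACCEPT rules before the catch-all DROP for TCP and UDP alike, matches loopback by interface rather than by source address, and includes a check that can be run over the output of `iptables -S INPUT` to confirm the exceptions are not shadowed by an earlier DROP. The network 192.168.0.0/24 and the DRY_RUN/IPTABLES variables are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original page): restrict portmap/rpcbind (TCP and
# UDP port 111) to loopback plus one trusted network. ACCEPT rules are appended
# first so the catch-all DROP does not shadow them. With DRY_RUN=1 the iptables
# commands are printed instead of executed.

IPTABLES="${IPTABLES:-iptables}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Usage: portmap_rules TRUSTED_CIDR
portmap_rules() {
    net="$1"
    for proto in tcp udp; do
        # Loopback first: local RPC clients (rpcinfo, mount.nfs) must keep working.
        # Matching the interface is sturdier than matching -s 127.0.0.1.
        run -A INPUT -i lo -p "$proto" --dport 111 -j ACCEPT
        run -A INPUT -p "$proto" -s "$net" --dport 111 -j ACCEPT
        # Everything else aimed at port 111 is dropped.
        run -A INPUT -p "$proto" --dport 111 -j DROP
    done
}

# Sanity check on a rule listing (e.g. the output of `iptables -S INPUT`):
# the first rule that mentions dport 111 must be an ACCEPT, otherwise the
# loopback/trusted-network exceptions are dead rules.
first_111_rule_is_accept() {
    printf '%s\n' "$1" | grep -- '--dport 111' | head -n 1 | grep -q -- '-j ACCEPT'
}

# Example invocation (assumed network): DRY_RUN=1 portmap_rules 192.168.0.0/24
```

Run it once with DRY_RUN=1 and feed the output to `first_111_rule_is_accept` before applying it for real; the same check applied to the page's original two-rule TCP example (DROP first, then the localhost ACCEPT) fails, which is exactly the ordering bug it is meant to catch.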
Shared Libraries
Shared libraries are units of code, such as glibc, that are used by many applications and services. An application that uses a shared library loads the shared code when it starts, so after the library has been updated (for example to fix a vulnerability) every running application that uses it keeps executing the old copy until it is stopped and relaunched.
To determine which running applications link against a particular library, use the lsof command as in the following example:
Example
$ lsof /lib/libnsl.so.1
COMMAND     PID    USER  FD   TYPE DEVICE  SIZE    NODE NAME
dbus-laun  3337 jyothis mem    REG    8,2 79612 1882725 /lib/libnsl-2.9.so
dbus-daem  3338 jyothis mem    REG    8,2 79612 1882725 /lib/libnsl-2.9.so
xscreensa  3343 jyothis mem    REG    8,2 79612 1882725 /lib/libnsl-2.9.so
xfce4-ses  3347 jyothis mem    REG    8,2 79612 1882725 /lib/libnsl-2.9.so
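After an update, the check a practitioner actually wants is the reverse of the one above: not who maps the new file, but who still maps the old one. The package manager unlinks the replaced library, and the kernel then marks such mappings "(deleted)" in /proc/PID/maps. The following is an added example, not code from the original page; the sample maps lines are constructed from the lsof output above and the helper names are chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original page): find processes that still map a
# shared library that has since been replaced on disk. After an update the old
# file is unlinked, and the kernel marks such mappings "(deleted)" in
# /proc/PID/maps. lsof on the new path will not show these processes.

# Constructed sample of /proc/PID/maps output (fields: address perms offset
# dev inode pathname [(deleted)]), modelled on the lsof listing above.
SAMPLE_MAPS='7f1c2a000000-7f1c2a1c0000 r-xp 00000000 08:02 1882725 /lib/libnsl-2.9.so (deleted)
7f1c2a1c0000-7f1c2a3bf000 ---p 001c0000 08:02 1882725 /lib/libnsl-2.9.so (deleted)
7f1c2a400000-7f1c2a5a0000 r-xp 00000000 08:02 1234567 /lib/libc-2.9.so
7f1c2a800000-7f1c2a801000 rw-p 00000000 00:00 0 [heap]'

# Read one maps listing on stdin and print every shared object it maps that
# has been deleted on disk, one path per line, deduplicated.
deleted_libs_in_maps() {
    awk '$6 ~ /\.so/ && $7 == "(deleted)" { print $6 }' | sort -u
}

# Walk /proc and print "PID COMMAND LIBRARY" for every live process that is
# still running code from a replaced library. Those are the processes that
# must be restarted (or the host rebooted) for the update to take effect.
stale_library_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(deleted_libs_in_maps < "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\n' "$libs" | while read -r lib; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Usage (as root, not run here): stale_library_processes
# Against the constructed sample: printf '%s\n' "$SAMPLE_MAPS" | deleted_libs_in_maps
```

Run `stale_library_processes` as root right after applying a library update; an empty result means no process is still executing the old code. A process that shows up for glibc is usually easiest to deal with by rebooting, since nearly everything links against it.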
Verifying Signed Packages using GNU Privacy Guard
GPG stands for GNU Privacy Guard (GnuPG), a free software package used to ensure the authenticity of distributed files. The vendor signs each package with its private (secret) key; anyone holding the matching public key can verify that signature but cannot forge it. If a package's signature does not verify with the vendor's public key during RPM verification, the package may have been altered and therefore cannot be trusted.
The vendor's public key is shipped on the installation media. Before importing it, compare its fingerprint with the one the vendor publishes, since a key imported without that check turns every package signed by an attacker's key into a trusted one. Assuming the disc is mounted at /mnt/cdrom, use the following command to import the key into the RPM keyring (a database of trusted keys on the system):
rpm --import /mnt/cdrom/RPM-GPG-KEY
To verify all the downloaded packages at once, issue the following command:
rpm -K /tmp/updates/*.rpm
For each package, the command prints one line that ends in OK when the digests and the GPG signature verify (for example "... gpg OK"). A line containing NOT OK means a digest or signature check failed; NOT OK together with "(MISSING KEYS: ...)" means the signature could not be checked because the signing key has not been imported. Treat both as failures and do not install the package.
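Checking the output by eye does not scale to a directory of updates, and a script that merely runs rpm -K will happily continue after a failure. The following is an added example, not from the original page, that classifies each rpm -K line and fails closed; the sample output lines in the comments are constructed, and the directory path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): verify a directory of RPMs with
# rpm -K and fail closed. rpm -K prints one line per package: it ends in "OK"
# on success, contains "NOT OK" when a digest or signature check fails, and
# "(MISSING KEYS: ...)" when the signing key is not in the RPM keyring.
# An unverifiable package is rejected exactly like a tampered one.

# Classify one rpm -K output line. Prints: ok, missingkey, notok or unknown.
# Constructed sample lines:
#   "foo-1.0-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK"                        -> ok
#   "foo-1.0-1.x86_64.rpm: RSA sha1 MD5 NOT OK"                               -> notok
#   "foo-1.0-1.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: GPG#e8562897)" -> missingkey
classify_rpm_k_line() {
    case "$1" in
        *"MISSING KEYS"*) echo missingkey ;;   # checked first: these lines also say NOT OK
        *"NOT OK"*)       echo notok ;;
        *" OK")           echo ok ;;
        *)                echo unknown ;;      # e.g. "error: open of ... failed"
    esac
}

# Verify every .rpm under DIR. Returns 0 only if all packages verify;
# rejected packages and their status go to stderr. Returns 2 if DIR has no RPMs.
verify_rpm_dir() {
    dir="$1"
    bad=0
    found=0
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || continue
        found=1
        line=$(rpm -K "$pkg" 2>&1)
        status=$(classify_rpm_k_line "$line")
        if [ "$status" != ok ]; then
            bad=$((bad + 1))
            echo "REJECT [$status] $line" >&2
        fi
    done
    [ "$found" -eq 1 ] || { echo "no .rpm files in $dir" >&2; return 2; }
    [ "$bad" -eq 0 ]
}

# Usage (assumed path, not run here):
#   verify_rpm_dir /tmp/updates && rpm -Uvh /tmp/updates/*.rpm
```

Chaining the install behind `verify_rpm_dir` with `&&` means a single bad or unsigned package blocks the whole batch, which is the behaviour you want when the updates came over the network rather than from the vendor's signed repository metadata.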
Kernel Modules
modinfo is the program that shows information about a Linux kernel module. It extracts the information from the module files given on the command line; if an argument is not a filename, the /lib/modules/<version> directory of the running kernel is searched, as modprobe(8) does. To find out what a particular driver/module does, modinfo -d prints its description:
root@:~# modinfo -d i915
Intel Graphics
root@:~# modinfo -d soundcore
Core sound module
root@:~# modinfo -d ext3
Second Extended Filesystem with journaling extensions
To set parameters when a module is loaded, add "options" entries to /etc/modprobe.conf on older RHEL releases or /etc/modprobe.conf.local on SLES. Current distributions read drop-in files from /etc/modprobe.d/*.conf instead; the same files also take "blacklist" and "install" lines, which is how modules a hardened host must not load are disabled.
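A drop-in that does both jobs (sets a parameter and disables unwanted modules), together with a check that audits such configuration text, as an added example that is not from the original page. The module names, the i915 parameter and the file path are illustrative assumptions; the point it demonstrates is that "blacklist" only stops automatic loading by alias, whereas "install MOD /bin/false" makes any modprobe of that module fail.

```shell
#!/bin/sh
# Added example (not from the original page): a modprobe.d drop-in that sets a
# module parameter and disables modules a hardened server has no use for, plus
# shell checks that audit such configuration text. Module names, the parameter
# and the target path are assumptions for the example.

# Write the drop-in to the given path (e.g. /etc/modprobe.d/hardening.conf).
write_hardening_conf() {
    cat > "$1" <<'EOF'
# Parameter set at load time; equivalent to an old /etc/modprobe.conf entry.
options i915 modeset=1
# Modules this host must never load. "install MOD /bin/false" makes modprobe
# fail outright; a bare "blacklist" line only suppresses autoloading by alias.
install usb-storage /bin/false
install dccp /bin/false
install sctp /bin/false
blacklist firewire-core
EOF
}

# Return 0 if the configuration text on stdin makes MOD unloadable
# (an "install MOD /bin/false" or "/bin/true" line), 1 otherwise.
module_disabled_in_conf() {
    awk -v mod="$1" '
        /^[[:space:]]*#/ { next }
        $1 == "install" && $2 == mod && ($3 == "/bin/false" || $3 == "/bin/true") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if MOD is only blacklisted: autoload is suppressed but
# "modprobe MOD" (or a dependency pulling it in) still loads it.
module_only_blacklisted() {
    awk -v mod="$1" '
        /^[[:space:]]*#/ { next }
        $1 == "blacklist" && $2 == mod { bl = 1 }
        $1 == "install" && $2 == mod { inst = 1 }
        END { exit (bl && !inst) ? 0 : 1 }'
}

# Usage (not run here):
#   write_hardening_conf /etc/modprobe.d/hardening.conf
#   cat /etc/modprobe.d/*.conf | module_disabled_in_conf usb-storage && echo "usb-storage disabled"
```

After writing the file, `modprobe --showconfig` shows the merged configuration the tool will actually use, and `lsmod` confirms whether a disabled module was already loaded before the drop-in existed (the configuration prevents future loads; it does not unload anything).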
Retrieving Hardware Information
To retrieve information about the system's hardware (vendor, manufacturer, product, serial number, etc.), use the dmidecode command. It reads the DMI/SMBIOS tables that the system firmware (BIOS) exposes, so the output is only as trustworthy as the firmware that produced it.
There are a few other commands you might want to check out which list installed hardware components:
dmesg (kernel ring buffer, including the hardware detected at boot)
lsdev (devices, DMA channels, IRQs and I/O ports from /proc; part of the procinfo package)
lshal (devices known to the HAL daemon; HAL is obsolete and lshal is absent on current distributions)
lspci (PCI devices)
lsusb (USB devices)
lsscsi (SCSI and SATA devices)