ServerBuddies Support Blog

Detect and close network ports that are not needed.

To get a list of listening network ports (TCP and UDP sockets), you can run the following command:

# netstat -tulp

Using nmap

# nmap -sTU [remote_host]

If you remove the UDP port scan (without the option “-U”), then nmap will finish the port scan immediately. If you run it on the local machine it will also complete very fast.

Also note that nmap might not show all listening network sockets if a firewall is being used to block ports.

Another method to list all of the TCP and UDP sockets to which programs are listening is lsof:

# lsof -i -n | egrep ‘COMMAND|LISTEN|UDP’

One of the most important tasks is to remove any network services from the system startup process that are not needed.

On Red Hat systems you can list all services which are started at bootup using the following command:

To permanently disable e.g. the runlevel service nfs, run:

To immediately disable the runlevel service nfs, run:

Removing Unnecessary Software Packages (RPMs)

It is a good practice not to have development packages, desktop software packages (e.g. X Server) etc. installed on production servers. Other packages like FTP and Telnet daemons should not be installed as well unless there is a justified business reason for it (SSH/SCP/SFTP should be used instead).

One of the first action items should be to create a Linux image that only contains RPMs needed by the applications, and needed for maintenance and troubleshooting purposes.

A good approach is to start with a minimum list of RPMs and then add packages as needed. It may be time-consuming but worth the efforts.

To get a list of all installed RPMs you can use the following command:

If you want to know more about a particular RPM, run:

To check for and report potential conflicts and dependencies for deleting a RPM, run:

A very important step in securing a Linux system is to determine the primary function or role of the Linux server.

Nikto web server assessment tool

nikto - web server security scanner

Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.

Requirements

Any system which supports a basic PERL installation should allow Nikto to run. It has been extensively tested on. For SSL support the Net::SSLeay PERL module must be installed (which in turn requires OpenSSL on the Unix platform).

The nmap scanner can also be used, if desired. In some cases using nmap will slow down Nikto execution, as it must call an external program. For scanning many ports across one or more servers, using nmap will be faster than using Nikto’s internal PERL scanning.

Download

Unpack the download file:

Basic Testing

The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:

To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:

Hosts, ports and protocols may also be specified by using a full URL syntax, and it will be scanned:

There is no need to specify that port 443 may be SSL, as Nikto will first test regular HTTP and if that fails, HTTPS. If you are sure it is an SSL server, specifying -s (-ssl) will speed up the test.

Scanning Hosts with Nmap for vulnerability assessment.

Using Nmap

Nmap can be run from a shell prompt by typing the nmap command followed by the hostname or IP address of the machine to scan.

Administrators can use Nmap on a network to find host systems and open ports on those systems.

Nmap is a popular tool included in Red Hat Enterprise Linux that can be used to determine the layout of a network. Nmap has been available for many years and is probably the most often used tool when gathering information. An excellent man page is included that provides a de-
tailed description of its options and usage.

Nmap is a competent first step in vulnerability assessment. You can map out all the hosts within your network and even pass an option that allows Nmap to attempt to identify the operating system running on a particular host.

For more information about using Nmap, refer to the official homepage at the following URL: http://www.insecure.org/

The iptables services must be turned off to use the ip6tables service.

The first step in using ip6tables is to start the ip6tables service. This can be done with the command:

The introduction of the next-generation Internet Protocol, called IPv6, expands beyond the 32-bit address limit of IPv4 (or IP). IPv6 supports 128-bit addresses and, as such, carrier networks that are IPv6 aware are able to address a larger number of routable addresses than IPv4.

To make ip6tables start by default whenever the system is booted, change the runlevel status on the service using chkconfig.

The syntax is identical to iptables in every aspect except that ip6tables supports 128-bit addresses. For example, SSH connections on a IPv6-aware network server can be enabled with the following rule.

Reference -

http://www.ipv6.org/
http://www.netfilter.org/
http://www.tldp.org/

A list of common services and their port numbers can be found in /etc/services