| inetd/bootps | inetd | /etc/inetd.conf | bootp services to diskless clients |
- Necessary for Network Installation Management (NIM) and remote booting of systems
- Works concurrently with tftp
- Disable in most cases
|
| inetd/chargen | inetd | /etc/inetd.conf | character generator (testing only) |
- Available as a TCP and UDP service
- Provides opportunity for Denial of Service attacks
- Disable unless you are testing your network
|
| inetd/cmsd | inetd | /etc/inetd.conf | calendar service (as used by CDE) |
- Runs as root, therefore a security concern
- Disable unless you require this service with CDE
- Disable on back room database servers
|
| inetd/comsat | inetd | /etc/inetd.conf | Notifies incoming electronic mail |
- Runs as root, therefore a security concern
- Seldom required
- Disable
|
| inetd/daytime | inetd | /etc/inetd.conf | obsolete time service (testing only) |
- Runs as root
- Available as a TCP and UDP service
- Provides opportunity for a Denial of Service PING attacks
- Service is obsolete and used for testing only
- Disable
|
| inetd/discard | inetd | /etc/inetd.conf | /dev/null service (testing only) |
- Available as TCP and UDP service
- Used in Denial of Service Attacks
- Service is obsolete and used for testing only
- Disable
|
| inetd/dtspc | inetd | /etc/inetd.conf | CDE Subprocess Control |
- This service is started automatically by the inetd daemon in response to a CDE client requesting a process to be started on the daemon's host. This makes it vulnerable to attacks
- Disable on back room servers with no CDE
- CDE might be able to function without this service
- Disable unless absolutely needed
|
| inetd/echo | inetd | etc/inetd.conf | echo service (testing only) |
- Available as UDP and TCP service
- Could be used in Denial of Service or Smurf attacks
- Used to echo at someone else to get through a firewall or start a datastorm
- Disable
|
| inetd/exec | inetd | /etc/inetd.conf | remote execution service |
- Runs as root user
- Requires that you enter a user ID and password, which are passed unprotected
- This service is highly susceptible to being snooped
- Disable
|
| inetd/finger | inetd | /etc/inetd.conf | finger peeking at users |
- Runs as root user
- Gives out information about your systems and users
- Disable
|
| inetd/ftp | inetd | /etc/inetd.conf | file transfer protocol |
- Runs as root user
- User id and password are transferred unprotected, thus allowing them to be snooped
- Disable this service and use a public domain secure shell suite
|
| inetd/imap2 | inetd | /etc/inetd.conf | Internet Mail Access Protocol |
- Ensure that you are using the latest version of this server
- Only necessary if you are running a mail server. Otherwise, disable
- User ID and password are passed unprotected
|
| inetd/klogin | inetd | /etc/inetd.conf | Kerberos login |
- Enabled if your site uses Kerberos authentication
|
| inetd/kshell | inetd | /etc/inetd.conf | Kerberos shell |
- Enabled if your site uses Kerberos authentication
|
| inetd/login | inetd | /etc/inetd.conf | rlogin service |
- Susceptible to IP spoofing, DNS spoofing
- Data, including User IDs and passwords, is passed unprotected
- Runs as root user
- Use a secure shell instead of this service
|
| inetd/netstat | inetd | /etc/inetd.conf | reporting of current network status |
- Could potentially give network information to hackers if run on your system
- Disable
|
| inetd/ntalk | inetd | /etc/inetd.conf | Allows users to talk with each other |
- Runs as root user
- Not required on production or back room servers
- Disable unless absolutely needed
|
| inetd/pcnfsd | inetd | /etc/inetd.conf | PC NFS file services |
- Disable service if not currently in use
- If you need a service similar to this, consider Samba, as the pcnfsd daemon predates Microsoft's release of SMB specifications
|
| inetd/pop3 | inetd | /etc/linetd.conf | Post Office Protocol |
- User IDs and passwords are sent unprotected
- Only needed if your system is a mail server and you have clients who are using applications that only support POP3
- If your clients use IMAP, use that instead, or use the POP3s service. This service has a Secure Socket Layer (SSL) tunnel
- Disable if you are not running a mail server or have clients who need POP services
|
| inetd/rexd | inetd | /etc/inetd.conf | remote execution |
- Runs as root user
- Peers with the on command
- Disable service
- Use rshand rshd instead
|
| inetd/quotad | inetd | /etc/inetd.conf | reports of file quotas (for NFS clients) |
- Only needed if you are running NFS file services
- Disable this service unless required to provide an answer for the quota command
- If you need to use this service, keep all patches and fixes for this service up to date
|
| inetd/rstatd | inetd | /etc/inetd.conf | Kernel Statistics Server |
- If you need to monitor systems, use SNMP and disable this service
- Required for use of the rup command
|
| inetd/rusersd | inetd | /etc/inetd.conf | info about user logged in |
- This is not an essential service. Disable
- Runs as root user
- Gives out a list of current users on your system and peers with rusers
|
| inetd/rwalld | inetd | /etc/inetd.conf | write to all users |
- Runs as root user
- If your systems have interactive users, you might need to keep this service
- If your systems are production or database servers, this is not needed
- Disable
|
| inetd/shell | inetd | /etc/inetd.conf | rsh service |
- Disable this service if possible. Use Secure Shell instead
- If you must use this service, use the TCP Wrapper to stop spoofing and limit exposures
- Required for theXhier software ditribution program
|
| inetd/sprayd | inetd | /etc/inetd.conf | RPC spray tests |
- Runs as root user
- Might be required for diagnosis of NFS network problems
- Disable if you are not running NFS
|
| inetd/systat | inetd | /etc/inted.conf | "ps -ef" status report |
- Allows for remote sites to see the process status on your system
- This service is disabled by default. You must check periodically to ensure that the service has not been enabled
|
| inetd/talk | inetd | /etc/inetd.conf | establish split screen between 2 users on the net |
- Not a required service
- Used with the talk command
- Provides UDP service at Port 517
- Disable unless you need multiple interactive chat sessions for UNIX user
|
| inetd/ntalk | inetd | /etc/inetd.conf | "new talk" establish split screen between 2 users on the net |
- Not a required service
- Used with the talk command
- Provides UDP service at Port 517
- Disable unless you need multiple interactive chat sessions for UNIX user
|
| inetd/telnet | inetd | /etc/inetd.conf | telnet service |
- Supports remote login sessions, but the password and ID are passed unprotected
- If possible, disable this service and use Secure Shell for remote access instead
|
| inetd/tftp | inetd | /etc/inetd.conf | trivial file transfer |
- Provides UDP service at port 69
- Runs as root user and might be compromised
- Used by NIM
- Disable unless you are using NIM or have to boot a diskless workstation
|
| inetd/time | inetd | /etc/inetd.conf | obsolete time service |
- Internal function of inetd that is used by rdate command.
- Available as TCP and UDP service
- Sometimes used to synchronize clocks at boot time
- Service is outdated. Use ntpdate instead
- Disable this only after you have tested your systems (boot/reboot) with this service disabled and have observed no problems
|
| inetd/ttdbserver | inetd | /etc/inetd.conf | tool-talk database server (for CDE) |
- The rpc.ttdbserverd runs as root user and might be compromised
- Stated as a required service for CDE, but CDE is able to work without it
- Should not be run on back room servers or any systems where security is a concern
|
| inetd/uucp | inetd | /etc/inetd.conf | UUCP network |
- Disable unless you have an application that uses UUCP
|
| inittab/dt | init | /etc/rc.dt script in the /etc/inittab | desktop login to CDE environment |
- Starts the X11 server on the console
- Supports the X11 Display Manager Control Protocol (xdcmp) so that other X11 stations can log into the same machine
- Service should be used on personal workstations only. Avoid using it for back room systems
|
| inittab/dt_nogb | init | /etc/inittab | desktop login to CDE environment (NO graphic boot) |
- No graphical display until the system is up fully
- Same concerns as inittab/dt
|
| inittab/httpdlite | init | /etc/inittab | web server for the docsearch command |
- Default web server for the docsearch engine
- Disable unless your machine is a documentation server
|
| inittab/i4ls | init | /etc/inittab | license manager servers |
- Enable for development machines
- Disable for production machines
- Enable for back room database machines that have license requirements
- Provides support for compilers, database software, or any other licensed products
|
| inittab/imqss | init | /etc/inittab | search engine for "docsearch" |
- Part of the default web server for the docsearch engine
- Disable unless your machine is a documentation server
|
| inittab/lpd | init | /etc/inittab | BSD line printer interface |
- Accepts print jobs from other systems
- You can disable this service and still send jobs to the print server
- Disable this after you confirm that printing is not affected
|
| inittab/nfs | init | /etc/inittab | Network File System/Net Information Services |
- NFS and NIS services based which were built on UDP/RPC
- Authentication is minimal
- Disable this for back room machines
|
| inittab/piobe | init | /etc/inittab | printer IO Back End (for printing) |
- Handles the scheduling, spooling and printing of jobs submitted by the qdaemon daemon
- Disable if you are not printing from your system because you are sending print job to a server
|
| inittab/qdaemon | init | /etc/inittab | queue daemon (for printing |
- Submits print jobs to the piobe daemon
- If you are not printing from your system, then disable
|
| inittab/uprintfd | init | /etc/inittab | kernel messages |
- Generally not required
- Disable
|
| inittab/writesrv | init | /etc/inittab | writing notes to ttys |
- Only used by interactive UNIX workstation users
- Disable this service for servers, back room databases, and development machines
- Enable this service for workstations
|
| inittab/xdm | init | /etc/inittab | traditional X11 Display Management |
- Do not run on back room production or database servers
- Do not run on development systems unless X11 display management is needed
- Acceptable to run on workstations if graphics are needed
|
| rc.nfs/automountd | | /etc/rc.nfs | automatic file systems |
- If you use NFS, enable this for workstations
- Do not use the automounter for development or back room servers
|
| rc.nfs/biod | | /etc/rc.nfs | Block IO Daemon (required for NFS server) |
- Enabled for NFS server only
- If not an NFS server, then disable this along with nfsd and rpc.mountd
|
| rc.nfs/keyserv | | /etc/rc.nfs | Secure RPC Key server |
- Manages the keys required for secure RPC
- Disable this if you are not using NFS and NIS
|
| rc.nfs/nfsd | | /etc/rc.nfs | NFS Services (required for NFS Server) |
- Authentication is weak
- Can lend itself to stack frame crashing
- Enable if on NFS file servers
- If you disable this, then disable biod, nfsd, and rpc.mountd as well
|
| rc.nfs/rpc.lockd | | /etc/rc.nfs | NFS file locks |
- Disable if you are not using NFS
- Disable this if you are not using file locks across the network
- lockd daemon is mentioned in the SANS Top Ten Security Threats
|
| rc.nfs/rpc.mountd | | /etc/rc.nfs | NFS file mounts (required for NFS Server) |
- Authentication is weak
- Can lend itself to stack frame crashing
- Should be enabled only on NFS file servers
- If you disable this, then disable biod and nfsd as well
|
| rc.nfs/rpc.statd | | /etc/rc.nfs | NFS file locks (to recover them) |
- Implements file locks across NFS
- Disable unless you are using NFS
|
| rc.nfs/rpc.yppasswdd | | /etc/rc.nfs | NIS password daemon (for NIS master) |
- Used to manipulate the local password file
- Only required when the machine in question is the NIS master; disable in all other cases
|
| rc.nfs/ypupdated | | /etc/rc.nfs | NIS Update daemon (for NIS slave) |
- Receives NIS database maps pushed from the NIS Master
- Only required when the machine in question is a NIS slave to a Master NIS Server
|
| rc.tcpip/autoconf6 | | /etc/rc.tcpip | IPv6 interfaces |
- Disable unless you are running IP Version 6
|
| rc.tcpip/dhcpcd | | /etc/rc.tcpip | Dynamic Host Configure Protocol (client ) |
- Back room servers should not rely on DHCP. Disable this service
- If your host is not using DHCP, disable
|
| rc.tcpip/dhcprd | | /etc/rc.tcpip | Dynamic Host Configure Protocol (relay |
- Grabs DHCP broadcasts and sends them to a server on another network
- Duplicate of a service found on routers
- Disable this if you are not using DHCP or rely on passing information between networks
|
| rc.tcpip/dhcpsd | | /etc/rc.tcpip | Dynamic Host Configure Protocol (server |
- Answers DHCP requests from clients at boot time; gives client information, such as IP name, number, netmask, router, and broadcast address
- Disable this if you are not using DHCP
- Disabled on production and back room servers along with hosts not using DHCP
|
| rc.tcpip/dpid2 | | /etc/rc.tcpip | outdated SNMP service |
- Disable unless you need SNMP
|
| rc.tcpip/gated | | /etc.rc.tcpip | gated routing between interfaces |
- Emulates router function
- Disable this service and use RIP or a router instead
|
| rc.tcpip/inetd | | /etc/rc.tcpip | inetd services |
- A thoroughly secured system should have this disabled, but is often not practical
- Disabling this will disable remote shell services which are required for some mail and web servers
|
| rc.tcpip/mrouted | | /etc/rc.tcpip | multi-cast routing |
- Emulates router function of sending multi-cast packets between network segments
- Disable this service. Use a router instead
|
| rc.tcpip/names | | /etc/rc.tcpip | DNS name server |
- Use this only if your machine is a DNS name server
- Disable for workstation, development and production machines
|
| rc.tcpip/ndp-host | | /etc/rc.tcpip | IPv6 host |
- Disable unless you use IP Version 6
|
| rc.tcpip/ndp-router | | /etc/rc.tcpip | IPv6 routing |
- Disable this unless you use IP Version 6. Consider using a router instead of IP Version 6
|
| rc.tcpip/portmap | | /etc/rc.tcpip | RPC services |
- Required service
- RPC servers register with portmap daemon. Clients who need to locate RPC services ask the portmap daemon to tell them where a particular service is located
- Disable only if you have managed to reduce RPC service so that the only one remaining is portmap
|
| rc.tcpip/routed | | /etc/rc.tcpip | RIP routing between interfaces |
- Emulates router function
- Disable if you have a router for packets between networks
|
| rc.tcpip/rwhod | | /etc/rc.tcpip | Remote "who" daemon |
- Collects and broadcasts data to peer servers on the same network
- Disable this service
|
| rc.tcpip/sendmail | | /etc/rc.tcpip | mail services |
- Runs as root user
- Disable this service unless the machine is used as a mail server
- If disabled, then do one of the following:
- Place an entry in crontab to clear the queue. Use the /usr/lib/sendmail -q command
- Configure DNS services so that the mail for your server is delivered to some other system
|
| rc.tcpip/snmpd | | /etc/rc.tcpip | Simple Network Management Protocol |
- Disable if you are not monitoring the system via SNMP tools
- SNMP may be required on critical servers
|
| rc.tcpip/syslogd | | /etc/rc.tcpip | system log of events |
- Disabling this service is not recommended
- Prone to denial of service attacks
- Required in any system
|
| rc.tcpip/timed | | /etc/rc.tcpip | Old Time Daemon |
- Disable this service and use xntp instead
|
| rc.tcpip/xntpd | | /etc/rc.tcpip | New Time Daemon |
- Keeps clocks on systems in sync
- Disable this service.
- Configure other systems as time servers and let other systems synchronize to them with a cron job that calls ntpdate
|
| dt login | | /usr/dt/config/Xaccess | unrestricted CDE |
- If you are not providing CDE login to a group of X11 stations, you can restrict dtlogin to the console.
|
| anonymous FTP service | | user rmuser -p <username> | anonymous ftp |
- Anonymous FTP ability prevents you from tracing FTP usage to a specific user
- Remove user ftp if that user account exists, as follows: rmuser -p ftp
- Further security can be obtained by populating the /etc/ftpusers file with a list of those who should not be able to ftp to your system
|
| anonymous FTP writes | | | anonymous ftp uploads |
- No file should belong to ftp.
- FTP anonymous uploads allow the potential for misbehaving code to be placed on your system.
- Put the names of those users you want to disallow into the /etc/ftpusers file
- Some examples of system-created users you might want to disallow from anonymously uploading via FTP to your system are: root, daemon, bin.sys, admin.uucp, guest, nobody, lpd, nuucp, ladp
- Change the owner and group rights to the ftpusers files as follows: chown root:system /etc/ftpusers
- Change the permissions to the ftpusers files to a stricter setting as follows: chmod 644 /etc/ftpusers
|
| ftp.restrict | | | ftp to system accounts |
- No user from the outside should be allowed to replace root files using ftpusers file
|
| root.access | | /etc/security/user | rlogin/telnet to root account |
- Set the rlogin option in the etc/security/user file to false
- Anyone logging in as root should first log in under their own name and then su to root; this provides an audit trail
|
| snmpd.readWrite | | /etc/snmpd.conf | SNMP readWrite communities |
- If you are not using SNMP, disable the SNMP daemon.
- Disable community private and community system in the /etc/snmpd.conf file
- Restrict 'public' community to those IP addresses that are monitoring your system
|
| syslog.conf | | | configure syslogd |
- If you have not configured /etc/syslog.conf, then disable this daemon
- If you are using syslog.conf to log system messages, then keep enabled
|
扫一扫
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
