User's guide

Protogate Freeway Security Features User’s Guide (SFUG) Chapter 6. Hardening a Freeway
6.2. Unnecessary Services
One of the simplest ways to enhance security on a Freeway is to turn off (disallow) all services which are not
required. Access methods such as telnet and rlogin are never required on any Freeway, since users can always log in
via the secure shell (SSH), which provides all of the same capabilities as telnet or rlogin, but is more secure.
telnet and rlogin can be disallowed with firewall rules, as shown in Figure 6-1, but they should also be prevented
from running at the daemon level, in case the firewall rules are changed or the firewall is disabled.
Figure 6-2 illustrates how to disable telnet and rlogin at the daemon level. It works by commenting out the telnet and
login lines in /etc/inetd.conf, so that those daemons are never run, even if a client tries to connect on their TCP/IP
ports (23 is the TCP/IP port for telnet, and 513 is the TCP/IP port for rlogin).
Figure 6-2. Turning Off Unnecessary Services
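# For security: Turn telnet and rlogin off in inetd.conf, too
# Remount / read-write if the /read_only_mounts flag file exists
if [ -f /read_only_mounts ]; then
    mount -u -o rw / 2>/dev/null
fi
# Keep the previous file, then comment out every line that begins with "t" or "l"
# (this covers the telnet and login entries)
mv /ro/etc/inetd.conf /ro/etc/inetd.conf.prev
sed -e "s/^t/#t/g" /ro/etc/inetd.conf.prev | sed -e "s/^l/#l/g" > /ro/etc/inetd.conf
# Remount / read-only again
if [ -f /read_only_mounts ]; then
    mount -u -o ro / 2>/dev/null
fi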
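A post-change check for Figure 6-2, as an added example that is not part of the guide: it lists the services inetd would still start, before and after the figure's two sed substitutions. The function names and the sample inetd.conf lines are constructed for illustration; in this sample the "^t" pattern also comments out the tftp entry.

```shell
#!/bin/sh
# Added example (not from the guide): audit an inetd.conf-style file.

# Print the service name (first field) of every line inetd would act on,
# i.e. every line that is neither blank nor commented out with '#'.
active_services() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Return 0 only if none of the named services is active in the file.
# Usage: services_disabled FILE service...
services_disabled() {
    file=$1; shift
    rc=0
    for svc in "$@"; do
        if active_services "$file" | grep -qxF -- "$svc"; then
            echo "still enabled in $file: $svc" >&2
            rc=1
        fi
    done
    return "$rc"
}

# The two substitutions from Figure 6-2, applied to FILE and written to stdout.
figure_6_2_filter() {
    sed -e "s/^t/#t/g" "$1" | sed -e "s/^l/#l/g"
}

# Constructed sample input (not taken from a real Freeway).
write_sample() {
    cat > "$1" <<'EOF'
# constructed inetd.conf sample
#ftp    stream tcp nowait root /usr/libexec/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/libexec/telnetd telnetd
login   stream tcp nowait root /usr/libexec/rlogind rlogind
tftp    dgram  udp wait   root /usr/libexec/tftpd   tftpd -l -s /tftpboot
daytime stream tcp nowait root internal
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/inetd.conf"
figure_6_2_filter "$tmp/inetd.conf" > "$tmp/inetd.conf.new"
echo "active before: $(active_services "$tmp/inetd.conf" | tr '\n' ' ')"
echo "active after:  $(active_services "$tmp/inetd.conf.new" | tr '\n' ' ')"
services_disabled "$tmp/inetd.conf.new" telnet login && echo "telnet and login are disabled"
```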
6.3. Disallow Direct Root Login
The root or shell accounts should not be accessible directly to users logging in across the net. Users who want to use
root or shell privileges should first log in under their own account, then use the su command to acquire root/shell
privileges. This ensures that auditing works correctly, since the audit records for all actions that users take with root
privileges will still be recorded under their original login account name.
Figure 6-3 shows how to disable direct root (or shell) account logins from across the net. It also creates a sample
banner, to warn users who log in that they are logging in to an "authorized-users-only" system.
Figure 6-3. Disallowing Direct Root Logins
# For security: Disallow direct root or shell login via ssh
if /usr/bin/grep -- "^[^#]*PermitRootLogin no" /ro/etc/ssh/sshd_config >/dev/null; then
    echo "SSH already disallows root/shell login -- will not modify again."
else
    if [ -f /read_only_mounts ]; then
        mount -u -o rw / 2>/dev/null
    fi
    # The first echo uses ">" and so replaces the existing contents of sshd_config
    echo "PermitRootLogin no" > /ro/etc/ssh/sshd_config
    echo "Banner /etc/motd" >> /ro/etc/ssh/sshd_config
    echo "Subsystem sftp /usr/libexec/sftp-server" >> /ro/etc/ssh/sshd_config
Protogate DC-908-3004A 19