Operating System - HP-UX

Securing /etc/services...needed ? Or it's only used as a reference.

 
Daniel Simard
Frequent Advisor

Securing /etc/services...needed ? Or it's only used as a reference.

 
If you don't have what you love, love what you have.
James R. Ferguson
Acclaimed Contributor
Solution

Re: Securing /etc/services...needed ? Or it's only used as a reference.

Hi Daniel:


There's nothing to secure here. The file maps official service names and port numbers. The presence or absence of an entry doesn't prevent me from using a port number for my private application. If I did, however, I would prevent the intended service (process) from running since the port would be in use.

Regards!

...JRF...
Bruno Vidal
Respected Contributor

Re: Securing /etc/services...needed ? Or it's only used as a reference.

Hi,
By default when doing security, if you don't know what it does, remove it. Lots of inputs in /etc/services come from the old ages of UNIX (who still uses fingerd?). So I think you don't really have to care about it, because it is more for information than anything else; it is better to remove the service from inetd.conf.

Cheers.
A. Clay Stephenson
Acclaimed Contributor

Re: Securing /etc/services...needed ? Or it's only used as a reference.

Playing with /etc/services is really a waste of time from a security point of view. The file only serves as a mapping function between names us dumb humans like and the numerical port values.

All that really happens is a call to getservbyname(), passing in the service name (e.g. "telnet") and a protocol (e.g. tcp), and a numerical value is returned. If the getservbyname() fails then a default numerical value is used. The attacker is almost certainly going to use the port number directly.

As an example, you could remove the telnet 23/tcp entry from /etc/services and still be able to telnet into the box. Only when the SERVICE (in /etc/inetd.conf) is disabled will telnet be disabled.
If it ain't broke, I can fix that.
Daniel Simard
Frequent Advisor

Re: Securing /etc/services...needed ? Or it's only used as a reference.

Clay,
Can you confirm your statement about remming out the telnet service in /etc/services and still being able to telnet to the box ? Cause I've tried it and it does in fact need to be there in order to telnet in the box.

There might be another reason for this though.

This is why I don't want to disable 99% of the services and then seeing stuff happen.

If you don't have what you love, love what you have.
A. Clay Stephenson
Acclaimed Contributor

Re: Securing /etc/services...needed ? Or it's only used as a reference.

I suppose I should have been a little more specific. In the case of telnet, removing the /etc/services entry will APPEAR to give you greater security because the service name lookup will fail BUT after removing (or commenting out the service name), try this:

telnet myhost 23

When you supply a port number, telnet will instantly connect even though the service is not defined. That's why playing with /etc/services is a complete waste of time; at best, it will offer the illusion of security but will provide absolutely no defense against a real attack.
If it ain't broke, I can fix that.
Daniel Simard
Frequent Advisor

Re: Securing /etc/services...needed ? Or it's only used as a reference.

Sorry! I've done further testing and you are right. Commenting out the telnet line does not prevent anybody from telnetting. Thanks !!!

I would assume that for all the other services, it would be the same thing. (doesn't matter if it's commented out or not.)
If you don't have what you love, love what you have.
A. Clay Stephenson
Acclaimed Contributor

Re: Securing /etc/services...needed ? Or it's only used as a reference.

Yes, the same applies to all the services entries but there is actually a drawback to editing the /etc/services file (or map) and deleting entries. The well known ports are certainly well known to hackers whether or not they are in the services file (or map) BUT when you edit the file (or map) and remove entries simply because you don't know what they do, you stand a rather good chance of breaking something. Typically, additional entries are made so that some custom service does not have a default port but relies upon the portname entry.
If it ain't broke, I can fix that.
Sridhar Bhaskarla
Honored Contributor

Re: Securing /etc/services...needed ? Or it's only used as a reference.

Hi,

Just to know what you broke by commenting out telnet in /etc/services, try to telnet to another box from the same machine. You should get an "unknown service" error.

As mentioned, /etc/services is not really what you want to touch but /etc/inetd.conf to disable|control inetd related services. If you want to have these services but would like to restrict them to selected machines, use /var/adm/inetd.sec file.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Suhas_2
Regular Advisor

Re: Securing /etc/services...needed ? Or it's only used as a reference.

Hi Dan,
To increase the security of your system, I think you should target /etc/inetd.conf and not /etc/services.
The /etc/services is typically used by the getservent() system call "to read the next line of network services database". Disabling anything in /etc/services would prevent your system from knowing the ports to communicate with other systems, but the other systems would still be able to use the services available on your box.

Just to share what I do at my place: we enable only ftp and telnet (basic unix services) via /etc/inetd.conf as part of initial system set-up. Later on, as we go on installing applications like "IBM mqueue", "BMC best1 6.5", etc., newer entries would appear in /etc/inetd.conf.

Hope this helps.
Suhas
Never say "Die"
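
The replies above point at /etc/inetd.conf and /var/adm/inetd.sec as the files that actually decide what the box offers. The following is an added example, not code from any poster: a small audit that lists the services left enabled in an inetd.conf and the inetd.sec rule covering each. The sample file contents and the function names are constructed for illustration, and RPC entries (which use a different field layout) are assumed to be absent.

```shell
#!/bin/sh
# Constructed sample data, not taken from a real system.
sample_inetd_conf() {
cat <<'EOF'
# service  socket  proto  wait    user  server               args
ftp        stream  tcp    nowait  root  /usr/lbin/ftpd       ftpd -l
telnet     stream  tcp    nowait  root  /usr/lbin/telnetd    telnetd
#finger    stream  tcp    nowait  bin   /usr/lbin/fingerd    fingerd
#shell     stream  tcp    nowait  root  /usr/lbin/remshd     remshd
EOF
}

sample_inetd_sec() {
cat <<'EOF'
# service  allow|deny  hosts or networks
telnet     allow       192.0.2.*
EOF
}

# audit_inetd CONF SEC
# Prints one line per service that is not commented out in CONF:
# name, protocol, and the allow/deny keyword from SEC, or "unrestricted"
# when SEC has no line for that service.
audit_inetd() {
    awk -v sec="$2" '
        BEGIN {
            # Load the inetd.sec rules first; a missing file just means no rules.
            while ((getline line < sec) > 0) {
                n = split(line, f, " ")
                if (n >= 2 && f[1] !~ /^#/) rule[f[1]] = f[2]
            }
        }
        /^[ \t]*#/ || NF == 0 { next }   # commented-out or blank: not offered
        { print $1, $3, (($1 in rule) ? rule[$1] : "unrestricted") }
    ' "$1"
}

# Runs the audit over the constructed samples.
demo() {
    dir="${TMPDIR:-/tmp}/inetd_audit.$$"
    mkdir "$dir" || return 1
    sample_inetd_conf > "$dir/inetd.conf"
    sample_inetd_sec  > "$dir/inetd.sec"
    audit_inetd "$dir/inetd.conf" "$dir/inetd.sec"
    rm -rf "$dir"
}
demo
```

On a real system the two arguments would be /etc/inetd.conf and /var/adm/inetd.sec; any service reported as "unrestricted" is reachable from every host that can route to the box.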