What's the criteria for an unneeded service? That's a criteria that is probably going to be determined by the admin. Some mail servers use localhost to send system messages. If the admin doesn't want/need the system messages, then they should disable the server (unless they need to serve mail to other hosts). If the admin depends on these system messages, that should be all the criteria to determine that mail is a needed service on localhost.

It shouldn't be a cut/dry issue. The issue is totally dependent on the admin's needs. A firewall, unless it is a firewall that is installed on the server, won't block localhost traffic, as that traffic never makes it beyond the machine itself....hence, it is not a danger because the service is limited to communicating with the machine the service is running on, loopback device only.

That is sound advice, no doubt about it. I would just like to add that ideally you want to do *both*. I think it's very important to stress this, because some people might get the impression that simply removing unneeded services suffices with regards to security. Whether disabling services or properly firewalling them is more important is definitely debatable, and will come down to personal opinion (as you already know, judging by the "IMO" in your post). I'm sure, however, that we can agree that disabling services is not a replacement for a proper firewall setup (and vice-versa to a certain extent).

As such, it's important that an admin take care of both aspects when trying to limit network access. That way, for example, if a service is accidentally made to listen on an interface it isn't supposed to listen on, the firewall will serve as a safety net for the admin. A host-based firewall also provides several other means of protection, such as preventing someone with a non-root exploit from wreaking further havoc by starting listening processes on unprivilaged ports, using the compromised box as a bastion to launch further cyber-attacks against other boxes on the LAN, etc, etc, etc.

Very true. Disable the unneeded services AND put a firewall.

A few ideas in no logical order:

GNU/Linux gives us the ability to understand the inner parts of the OS. Tweaking and closing ports is usually very easy.
Why would you leave a service that you don't need? You disable it and when you need it again, you re-enable it.
The drawback of this, is that when something does not work it can be hard to track down what you have to re-enable again. I use rc init level for this.
My default run level has nothing I don't need. The others are untouched.
The same for the kernel, I have a custom kernel with the minimal stuffs and when I want to try new hardware/.. , I'll take the packaged kernel to be sure to have full features to see if it works. Then I'll create a new custom kernel.

It's always a trade-off between usability and security.
Depending on the context (home user,school, company,..), the need of the users is different and the sensitivity of information is not the same.
As an example in my company, only http goes out. We don't need more. Ok I would need bittorrent but my admin for unknown reasons refuses lol.
In a university I was before, all ports were opened to the outside, that was great for the users.. and for the bad guys.. we got compromised several times, but there was no sensitive information anyway.

If you look at any serious security checklist you will see two major things, which in fact are common sense!
-> Privilege. Why would you start your proxy server as user root when it doesn't need root unlimited power.
-> Services. Why would need stuffs that you don't need. Are YOU able to say that these services are 100% bug-free? Not me.
Windows has failed on these two points.

We are here talking of inbound access but do not forget about outbound access. Reverse shells exist, even vnc can be launched as reverse, which means that somebody can start vnc server on your machine and vnc server will connect to vnc client. If your firewall also blocks the outbout access, it will give more headache to the bad guys. After you've done basic hardening, make the life of the cracker harder (otherwise it's not funny for him ahah)
Monitoring bandwidth (possibly on another bastion machine) can also be good. Outbound/ Inbound. If during the night you see a peak of traffic, there's something wrong..

Also do not forget to make regular backups.
My rule:
- Do everything to not get cracked
- I will be cracked, so what should I do in this case. After compromise, it's too late. Yes this costs money for something only potential.. But sometimes less money that reinstalling or re-asking all your customers their information.

As soon as a door has been found, it's your system security that'll be checked. If you have rogue accounts or poor passwords or old kernel, etc.. , it won't take long.

Now I'll be fussy: For the people who say that leaving _unneeded_ services listening on localhost is not a risk: Well, if somebody manages to enter on your machine as a user, or use an opened service to bounce on this localhost service, he can get higher privilege or send spam or whatever.


Sleep well


ps:
dickeyp, can you scan my machine also, it's www .microsoft.com (I swear)

... microsoft.com ... I would be interested to see that scan. Maybe i'll scan it if I get bored after work. Thanks for all the advice, it is very sound. One question though. How come I can't get rid of 113? Even when it is stealthed just like the others, scans see it as closed? This is very irritating for me. Also, how do I make 10000 just available on localhost?
Its, webmin btw. Altho when you try to connect from the outside it does't let you. I would still like it to go away from the scans.

nomb

I knew it was you Mr Gates.

I agree with ya nx5000. Security at all levels.

Could you post your basic active iptables configuration?Your firewall rules should be taking care of this, so I suspect something is not right. "Closed" means the scanner did receive a reply, so the port is NOT stealthed. FYI port 113 is Ident.

I'm not familiar with Webmin, but a quick Google seems to indicate the setting is in the "Ports and Addresses" section of it's interface.

Well this is was my firewall aparently... My firewall wasn't being executed on startup...
I have now turned my firewall on. Could you please re-scan me?

nomb

Not shown: 1693 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
113/tcp closed auth


Looking much better. I'd lock down what IPs can connect on ftp and ssh though.

Man I still can't get port 113 to go away...
I host people's linux webpages for them.
What would you recomend as far as how to lock down
22 and ssh?

nomb