[buug] /etc/service
Rick Moen
rick at linuxmafia.com
Sun Aug 6 00:01:23 PDT 2000
begin Zeke Krahlin quotation:
> Another tip from my FreeNetCubs board. Does it sound like a good
> security measure, or too much on the brute-force side?
Neither. It's a sign that somebody has no idea what the function of the
/etc/services (not "/etc/service") file is, and is fooling around with
his system without reading relevant documentation.
> (I know Stoddard recommends a similar method for "/etc/inetd.conf".)
_That_ is a different matter entirely. Zeke, at the risk of being a bit
rude: Please tell your friends that they cannot expect to improve their
systems by acting on the basis of spurious analogies, without
understanding what the heck they're doing. Obviously, somebody thought,
hey, this file is called "services"! Let's comment things out, and that
should have the effect of disabling services. This is cargo-cult system
administration, Zeke!
Here's a better idea: Don't touch root-owned system files without
having some idea what the hell you're doing! Let me say that again:
Don't touch root-owned system files without having some idea what the
hell you're doing!
Right. Let's say you wanted to understand /etc/services. What does the
manpage say?
    services is a plain ASCII file providing a mapping between
    friendly textual names for internet services, and their
    underlying assigned port numbers and protocol types.
In other words, /etc/services is a lookup table that (e.g.) lets you
(and sundry programs) use the word "telnet" instead of "23" to identify
the TCP port on which that service lives. And the fact that there's a
line that maps the word "smtp" to TCP port 25 is what allows me to
hold discussions with my copy of Exim (my system mailer) by typing

    telnet linuxmafia.com smtp

...instead of having to remember what numerical port the SMTP protocol
uses, and thus having to type

    telnet linuxmafia.com 25
So, it should be readily apparent that you will accomplish nothing
worthwhile -- nada, zip, rien du tout -- by commenting out lines of this
lookup table. All you're doing is shooting yourself in the foot, and
making your system less usable. What you are _not_ doing is adding to
security in any way, since the numerical ports either have services
running on them or not, depending on other system configuration details
entirely.
--
Cheers,                      "Open your present...."
Rick Moen                    "No, you open your present...."
rick (at) linuxmafia.com     Kaczinski Christmas.
                             -- Unabomber Haiku Contest, CyberLaw mailing list
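The point of the post, as an added example that is not part of Rick Moen's message: a small parser for the /etc/services file format (name, port/protocol, aliases, '#' comments), a lookup in the style of getservbyname/getservbyport, and a helper that applies the "comment it out" tip to a constructed sample table. The sample file contents, the function names and the loopback listener are assumptions made for this illustration. Commenting out the smtp line only breaks the name-to-number mapping; whether a port answers is decided by what is listening on it, which the last function shows by reaching a loopback listener by port number alone.

```python
# Added example (not code from Rick Moen's post): a small parser for the
# /etc/services file format, used to show what commenting a line out changes
# (name lookups) and what it leaves untouched (whether a port has a listener).
import re
import socket
from typing import List, NamedTuple, Optional


class Service(NamedTuple):
    name: str
    port: int
    proto: str
    aliases: List[str]


# Constructed sample in /etc/services format: '<name> <port>/<proto> [aliases] [# comment]'
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample, not a real file)
ftp      21/tcp
ssh      22/tcp
telnet   23/tcp
smtp     25/tcp    mail        # Simple Mail Transfer
domain   53/tcp
domain   53/udp
http     80/tcp    www www-http
"""

_PORT_PROTO = re.compile(r"^(\d{1,5})/([a-z]+)$")


def parse_services(text: str) -> List[Service]:
    """Parse services text the way the C library does: '#' starts a comment,
    blank and malformed lines are skipped rather than treated as errors."""
    entries: List[Service] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or malformed line
        m = _PORT_PROTO.match(fields[1])
        if not m:
            continue
        entries.append(Service(fields[0], int(m.group(1)), m.group(2), fields[2:]))
    return entries


def getservbyname(entries: List[Service], name: str, proto: str = "tcp") -> int:
    """Resolve a friendly name or alias ('smtp', 'mail') to its port (25)."""
    for e in entries:
        if e.proto == proto and (e.name == name or name in e.aliases):
            return e.port
    raise KeyError(f"{name}/{proto} is not in the services table")


def getservbyport(entries: List[Service], port: int, proto: str = "tcp") -> Optional[str]:
    """Reverse lookup: the primary name registered for a port, or None."""
    for e in entries:
        if e.proto == proto and e.port == port:
            return e.name
    return None


def comment_out(text: str, name: str) -> str:
    """Apply the board's 'tip': prefix every line whose name is <name> with '#'."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == name:
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"


def port_reachable_by_number() -> bool:
    """Whether a port answers depends on something listening on it, not on the
    table: a loopback listener on an ephemeral port is reached by number alone."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))                # kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        with socket.create_connection(("127.0.0.1", port), timeout=2) as cli:
            conn, _ = srv.accept()
            conn.close()
            return cli.getpeername()[1] == port


if __name__ == "__main__":
    original = parse_services(SAMPLE_SERVICES)
    print("smtp ->", getservbyname(original, "smtp"))                   # 25
    edited = parse_services(comment_out(SAMPLE_SERVICES, "smtp"))
    try:
        getservbyname(edited, "smtp")
    except KeyError as err:
        print("after commenting out:", err)                             # name lookup fails
    print("listener reachable by number:", port_reachable_by_number())  # True regardless
```

The parser mirrors the tolerant behaviour of the real resolver: a '#' anywhere on a line starts a comment, so the "tip" silently removes the name without any error. That is exactly why it feels like it "did something" while changing nothing about which ports have daemons behind them; to see what is actually listening you inspect the sockets (for example with `netstat` or `ss`), not this table.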