Description | FTP is a legacy protocol. It is a |
| attacker to eavesdrop on sessions and steal passwords. This also allows an |
| attacker to take over an FTP session, using a |
| or Ettercap. It can make effective firewalling difficult because of the way FTP |
| requires many ports to stay open. Every major FTP daemon has had a long |
| history of security vulnerabilities. They represent one of the major successful |
| attack vectors for remote root attacks. |
Actions | In the /etc/inetd.conf file, comment out the entry for ftp. |
SecureInetd.deactivate_ident
Headline | Ensure that the inetd ident service does not run on this system. |
Default | N |
Description | The ident service implements the TCP/IP proposed standard IDENT user |
| identification protocol as specified in the RFC 1413 document. The identd |
| service operates by looking up specific TCP/IP connections and returning the |
| user name of the process owning the connection. This service can be used to |
| determine user information on a given machine in preparation for a |
| password attack like a dictionary attack. HP recommends disabling this service |
| unless compelled by application specific needs. |
Actions | In the /etc/inetd.conf file, comment out the entry for auth or ident. |
SecureInetd.deactivate_ktools
Headline | Ensure that the inetd klogin and kshell services do not run on this |
| system. |
Default | N |
Description | The kshell and klogin services use Kerberos authentication protocols. If |
| this machine is not using the Kerberos scheme, HP recommends disabling |
| these services. Any service or daemon running on the system that is not needed |
| or used should be disabled. |
Actions | In the /etc/inetd.conf file, comment out the entry for kshell and |
| klogin. |
SecureInetd.deactivate_ntalk
Headline | Ensure that the inetd ntalk service does not run on this system. |
Default | N |
Description | The ntalk service is a visual communication program that predates instant |
| messaging applications and copies lines from your terminal to another user's |
| terminal. The ntalk service is considered a light security hazard, but should |
| be disabled if not used on this machine. |
Actions | In the /etc/inetd.conf file, comment out the entry for ntalk. |
SecureInetd.deactivate_printer
Headline | Ensure the inetd printer service does not run on this system. |
Default | N |
Description | The printer service is a line printer daemon that accepts remote spool |
| requests. It uses the rlp daemon to process remote print requests and displays |
| the queue and removes jobs from the queue upon request. If this machine is |
| not used as a remote print spooler, this service should be disabled. |
Actions | In the /etc/inetd.conf file, comment out the entry for printer. |
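
The Actions entries above all make the same edit to /etc/inetd.conf, so the check can be scripted. The following is an added example, not part of the original HP document: it lists which of these services still have an active entry and writes a copy of the file with them commented out. The function names, the sample entries and their server paths are constructed for illustration, and the script assumes the usual inetd.conf layout with the service name in the first field.

```sh
#!/bin/sh
# Added example: audit an inetd.conf for the services this section disables.
SERVICES="ftp auth ident kshell klogin ntalk printer"   # first field of each entry

# awk prologue shared by both functions: build a lookup set from SERVICES.
AWK_SET='BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }'

# Print the service name of every listed entry that is still active (uncommented).
active_entries() {
    awk -v list="$SERVICES" "$AWK_SET"'
        /^[ \t]*#/ || NF == 0 { next }
        ($1 in want)          { print $1 }' "$1"
}

# Write the file to stdout with the listed active entries commented out.
comment_out() {
    awk -v list="$SERVICES" "$AWK_SET"'
        !/^[ \t]*#/ && NF > 0 && ($1 in want) { print "#" $0; next }
        { print }' "$1"
}

# Constructed sample file (not taken from a real system).
make_sample() {
    cat > "$1" <<'EOF'
ftp     stream tcp nowait root /usr/lbin/ftpd      ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd   telnetd
#ident  stream tcp wait   bin  /usr/lbin/identd    identd
auth    stream tcp wait   bin  /usr/lbin/identd    identd
printer stream tcp nowait root /usr/sbin/rlpdaemon rlpdaemon -i
ntalk   dgram  udp wait   root /usr/lbin/ntalkd    ntalkd
klogin  stream tcp nowait root /usr/lbin/rlogind   rlogind -K
kshell  stream tcp nowait root /usr/lbin/remshd    remshd -K
EOF
}

tmp=$(mktemp)
make_sample "$tmp"
echo "active before:" $(active_entries "$tmp")
comment_out "$tmp" > "$tmp.new"     # review the copy before replacing the original
echo "active after: " $(active_entries "$tmp.new")
rm -f "$tmp" "$tmp.new"
```

The output of comment_out is a copy for review. A change to the real file takes effect only after inetd rereads its configuration.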