Disable or Uninstall Unused/Non-Secure Services

Video Transcription
Hey there cybrarians, and welcome back to the Linux Plus course here at Cybrary. I'm your instructor, Rob Gels. In today's lesson we're going to cover disabling or removing non-secure services. Upon completion of this lesson, you're going to be able to understand the need to remove these unused or non-secure services. We're going to see how we can identify these non-secure services and maybe remove them or modify them to ensure that they're not being used.

Linux has a lot of legacy applications and there are just some administrators that are really used to using them and they don't want to part ways with them. Kind of the "if it ain't broke, don't fix it; I've used it for years and I like it, so I'm going to keep using it." But a lot of legacy applications in Linux do allow for non-secure data transfer. Although it's a lot less frequent than it used to be, some distributions still have these legacy applications installed. In general, we should always limit any and all services to just what we need, because if there are more services running than what we need, it gives us a larger attack surface on our system, and we don't want that. That's just more gates that we have to guard. We're going to cover a few legacy applications that we should absolutely watch out for, but always keep in mind: fewer applications, smaller attack surface.

Now right off the bat, we're going to talk about File Transfer Protocol or FTP. FTP, just as FTP itself, is not used anymore because it sent data over the network in plain text. We're not just talking about transferring data like files and things like that. Sometimes with FTP you have to authenticate, you have to send your username and password, and that user account information also got sent in plain text. Not a good deal. What was done now is these were replaced by secure protocols. But first of all, let's talk about this: FTP uses ports 21 and 22, both of those are used together. Both ports on FTP, and we'll still go back to that in a second. FTP, like I said, has been replaced by SFTP or FTPS. SFTP is just FTP over SSH; it uses port 22. It tunnels through port 22 for SSH, and that's generally the recommended way to do it. It's probably the easiest way to do it. Another option is FTPS, which is setting up an FTP server using TLS, using certificates, and so on and so forth. You can set that up on a lot of different ports.

Now, you can check whether FTP is running in your system a few ways. The default port that you're going to look for for FTP is 21. Now why do I say 21 and not 22? Well, because you could have FTP running and you could also have SSH running, and port 22 would give you a false positive because you would think, "I have FTP running because port 22 is turned on." No, port 22 is used for both FTP and SSH, but port 21 is only used for FTP, so look for port 21. We could do that with netstat -tuna: TCP, UDP, we're looking at everything, and then we can do a grep for the 21 and we'll see if that port is in use, or see that it's established or it's listening. We can also do a pgrep, look at the process table. We do a pgrep for ftpd and see if there's an ftpd running, a process running for that. Then finally, we could do a nice trick with systemctl. We can do systemctl list-units. That's going to give us all the unit file types. Then we could actually specify we want the type service, and then we can also grep for ftp there.

Now, another application that we're not really using any more is Telnet. Telnet was the original remote terminal application. If you remember back in Module 16, we talked about TTY in teletype. Well, telnet is the Teletype Network Protocol. Unfortunately it also sends data across the network in plain text. Now remember, telnet uses port 23. When we talk about remote terminal applications, the one we've talked about the most recently is SSH. SSH did replace telnet, so port 22, not 23 anymore. But we can still check and see whether telnet is running on our system in the same way as we talked about. We can use the netstat trick and grep for port 23. Then we'll see if telnet's running, we could do a pgrep for telnet, and we could also use the systemctl trick to list our units for the type of service and then grep for telnet.

Now the name or finger application was used to find users on the Linux system. Unfortunately this command is compromised, no longer available, and it also sent information unencrypted. Kind of a theme here, right everyone? All these applications are sending data unencrypted. That's why we don't use them anymore, that's why they're not around. But finger did use port 79, and the who command or pinky both replaced finger. Just like we saw previously, you could use a netstat, you could take a look at the process table to see if finger is running, or look for port 79.

Now the last thing we're going to touch on here briefly is mail services. Mail services aren't a legacy app, but they can open your system to attack if it's not using these processes, these applications, to send or receive email. You should either disable or uninstall those applications. Two common mail application types are sendmail and postfix; both of those use SMTP. SMTP uses port 25, therefore, if you want to check whether or not either of these applications is running on your system, you can use netstat and grep for port 25. You could use pgrep for sendmail or pgrep for postfix, and then you could use the systemctl trick to get the type service and grep for sendmail or postfix there as well.

With that we reach the end of this lesson, and in this lesson we covered the need to remove these non-secure and unused services, watch out for them, and if they're there, uninstall them or limit their use to as rarely as possible. Then we talked about some of the common non-secure or unused services that should be disabled or removed, such as FTP, Telnet, Finger, and Mail services if they're not in use. Thanks so much for being here and I look forward to seeing you in the next lesson.
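The three checks the lesson walks through (netstat for the port, pgrep for the process, systemctl for the unit) combined into one audit script. This is an added example, not code from the lesson or from Cybrary; the netstat sample is constructed, and the port-to-service mapping is the one the lesson gives (21 FTP, 23 Telnet, 25 SMTP, 79 Finger), with port 22 deliberately left out because it is SSH/SFTP and would be the false positive the lesson warns about.

```shell
#!/bin/sh
# Legacy plaintext services and their well-known ports, per the lesson.
# Port 22 is excluded on purpose: that is SSH/SFTP, not a legacy service.
LEGACY_PORTS="21:ftp 23:telnet 25:sendmail|postfix 79:finger"

# legacy_listeners: read `netstat -tuna`-style lines on stdin and print
# "<port> <service>" for every TCP socket in LISTEN state on a legacy port.
legacy_listeners() {
    awk -v ports="$LEGACY_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) { split(p[i], kv, ":"); name[kv[1]] = kv[2] }
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # keep only the port number
            if (port in name && !seen[port]++) print port, name[port]
        }'
}

# Constructed sample in netstat -tuna layout (not captured from a real host):
# FTP and SMTP listening, SSH listening and established, one UDP socket.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# count_legacy_listeners: how many distinct legacy ports are listening in the sample.
count_legacy_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | legacy_listeners | wc -l | tr -d ' '
}

# audit_live_host: run all three of the lesson's checks on this machine.
# Output depends on the host, so it only runs when called explicitly.
audit_live_host() {
    netstat -tuna 2>/dev/null | legacy_listeners | while read -r port svc; do
        echo "port $port ($svc) is LISTENING"
    done
    for entry in $LEGACY_PORTS; do
        svc=${entry#*:}                                  # e.g. ftp, sendmail|postfix
        pgrep -l "$svc" 2>/dev/null | sed "s/^/process matching $svc: /"
        systemctl list-units --type=service 2>/dev/null | grep -Ei "$svc"
    done
}
```

Run `audit_live_host` as root on the machine being reviewed; any line it prints is a service to disable or uninstall if it is not actually needed.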