
I have stripped down my /etc/services file to bare minimum (according to my awareness of what is needed) for a Linux DESKTOP configuration accessing remote services and offering no services to remote clients.

Notwithstanding that, knowing I might have some blind spots, if I have modified my active copy of the /etc/security/access.conf file to show as follows:

###     Permit root login from local
+:root:LOCAL
###     Permit designated users to access from local
+:{myUserName}:LOCAL
###     Permit all local services/users to access from local
+:ALL:LOCAL
#
###     Deny access to all from any remote (no outside access for probing services/users)
-:ALL:ALL

Please note that I have removed the comment on the line in /etc/pam.d/login:

account  required       pam_access.so

  1. Does that configuration provide a foolproof mechanism which will defeat all attempts by any unspecified and unwanted external agents from gaining access to my computer through subverting of service access ports which, even if not disabled, are with this access configuration fully secured?

  2. Also, with that configuration in place for the DESKTOP scenario, is there any need to implement any packet filtering rules? After all, any foreign/outside/perpetrator access attempts should be rejected by the specified rules in "access.conf". Correct?

  3. If I were to install a LAMP configuration on my DESKTOP, would the above-defined configuration prevent remote access to that service? If not, please make a simple statement to that effect. I've previously defined iptables rules to restrict/control access for IP traffic, but was hoping to block all outside-originating attempts via various Linux OS configuration files (this is after all a non-server host) and only implementing packet filtering for what those configuration files did not fully address.

  • The `/etc/services` file only maps service names to port numbers. It has no bearing on access control. Removing things from it is generally no more than a waste of time as it will have no effect on access to your system. – Michael Hampton Jan 14 '21 at 02:15
  • I thought that services were turned on based on existence of a definition in the /etc/services file, and that no file meant no service startup. – Eric Marceau Jan 14 '21 at 03:08
  • Sorry, it is only a convenience to humans, and a largely forgotten one at that. These days if you want to know what service runs on a port there are websites to tell you. – Michael Hampton Jan 14 '21 at 03:10
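As an added illustration, not part of the question or of the comments above, the following Python script models how `pam_access` evaluates rules of the kind quoted in the question (first matching rule wins; no match means access is granted), shows that the rules are only reached by a login path whose PAM stack carries `pam_access.so` on an `account` line, and parses an `/etc/services` fragment to show it is nothing more than a name-to-port map. The sample files are constructed, the user name `alice` is a placeholder, and the `LOCAL` matching is a deliberately simplified model (tty names and loopback) of what the real module does; group, netgroup and `EXCEPT` syntax is not handled.

```python
import ipaddress

# Constructed /etc/security/access.conf mirroring the rules in the question
# ("alice" stands in for the questioner's {myUserName}).
SAMPLE_ACCESS_CONF = """
###     Permit root login from local
+:root:LOCAL
###     Permit designated users to access from local
+:alice:LOCAL
###     Permit all local services/users to access from local
+:ALL:LOCAL
#
###     Deny access to all from any remote
-:ALL:ALL
"""

# Constructed /etc/pam.d/login fragment with the pam_access line uncommented.
SAMPLE_PAM_LOGIN = """
auth     required  pam_unix.so
account  required  pam_access.so
account  required  pam_unix.so
"""

# Constructed /etc/services fragment: only names, ports and protocols.
SAMPLE_SERVICES = """
# service-name  port/protocol  [aliases]
ssh             22/tcp
http            80/tcp   www
https           443/tcp
"""


def parse_access_conf(text):
    """Return a list of (permit, users, origins) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append((fields[0] == "+", fields[1].split(), fields[2].split()))
    return rules


def _origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # Simplified model of LOCAL: a tty/pty name or a loopback origin.
        return (origin.startswith(("tty", "pts/"))
                or origin in ("localhost", "127.0.0.1", "::1"))
    if "/" in pattern:                           # CIDR network pattern
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == origin                     # exact host or address


def pam_access_decision(rules, user, origin):
    """First matching rule decides; with no match pam_access grants access."""
    for permit, users, origins in rules:
        if (any(u in ("ALL", user) for u in users)
                and any(_origin_matches(o, origin) for o in origins)):
            return permit
    return True


def stack_consults_pam_access(pam_stack_text):
    """True if an 'account' line in the given pam.d file loads pam_access.so.
    A daemon that never calls PAM (e.g. a web server answering on its own port)
    has no such stack, so these rules are never evaluated for its clients."""
    for raw in pam_stack_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "account" and fields[2] == "pam_access.so":
            return True
    return False


def parse_services(text):
    """Map service name -> (port, protocol); this is all /etc/services holds."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/", 1)
        table[fields[0]] = (int(port), proto)
    return table


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for user, origin in (("root", "tty1"), ("alice", "203.0.113.5"), ("bob", "pts/0")):
        verdict = "permit" if pam_access_decision(rules, user, origin) else "deny"
        print(f"{user:6} from {origin:12} -> {verdict}")
    print("login stack consults pam_access:", stack_consults_pam_access(SAMPLE_PAM_LOGIN))
    print("/etc/services knows http as:", parse_services(SAMPLE_SERVICES)["http"])
```

Running the script shows the intended outcome for PAM logins (local permitted, remote denied) while making the limit visible: `stack_consults_pam_access` is only meaningful for a service that has a pam.d file at all, and `parse_services` returns nothing but numbers, so neither file can substitute for packet filtering on a port that a daemon such as Apache opens itself.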

0 Answers