Hack 63. Increase Security by Disabling Unnecessary Services

Many network services that may be enabled by default are both unnecessary and insecure. Take the minimalist approach and enable only what you need.

Though today's systems are powerful and have gobs of memory, optimizing the processes they start by default is a good idea for two primary reasons. First, regardless of how much memory you have, why waste it by running things that you don't need or use? Secondly, and more importantly, every service you run on your system is a point of exposure, a potential cracking opportunity for the enlightened or lucky intruder or script kiddie.

There are three standard places from which system services can be started on a Linux system. The first is /etc/inittab. The second is the scripts in the /etc/rc.d/rc?.d directories (/etc/init.d/rc?.d on SUSE and other more LSB-compliant Linux distributions). The third is the Internet daemon, which is usually inetd or xinetd. This hack explores the basic Linux startup process, shows where and how services are started, and explains easy ways of disabling superfluous services to minimize the places where your systems can be attacked.

7.2.1. Examining /etc/inittab

Changes to /etc/inittab itself are rarely necessary, but this file is the key to most of the startup processes on systems such as Linux that use what is known as the "Sys V init" mechanism (this startup mechanism was first implemented on AT&T's System V Unix systems). The /etc/inittab file initiates the standard sequence of startup scripts, as described in the next section. The commands that start the initialization sequence for each runlevel are contained in the following entries from /etc/inittab. These run the scripts in the runlevel control directory associated with each runlevel:

 l0:0:wait:/etc/rc.d/rc 0
 l1:1:wait:/etc/rc.d/rc 1
 l2:2:wait:/etc/rc.d/rc 2
 l3:3:wait:/etc/rc.d/rc 3
 l4:4:wait:/etc/rc.d/rc 4
 l5:5:wait:/etc/rc.d/rc 5
 l6:6:wait:/etc/rc.d/rc 6

When the init process (PID 1, the ancestor of every other process on a Linux or Unix system) encounters these entries, it runs the /etc/rc.d/rc script for its target runlevel, which in turn runs the startup scripts in the directory associated with that runlevel in numerical order, as discussed in the next section.

7.2.2. Optimizing Per-Runlevel Startup Scripts

As shown in the previous section, there are usually seven rc?.d directories, numbered 0 through 6, found in the /etc/init.d or the /etc/rc.d directory, depending on your Linux distribution. The numbers correspond to the Linux runlevels. A description of each runlevel, appropriate for the age and type of Linux distribution that you're using, can be found in the init man page. (Thanks a lot, Debian!) Common runlevels for most Linux distributions are 3 (multi-user text) and 5 (multi-user graphical).

The directory for each runlevel contains symbolic links to the actual scripts that start and stop various services, which reside in /etc/rc.d/init.d or /etc/init.d. When init enters a runlevel, the rc script first runs the links that begin with K with the argument stop, so that services which should not run at that runlevel are shut down, and then runs the links that begin with S with the argument start. The two-digit number after the S or K determines the order in which the scripts are executed within each group, in ascending order.

The easiest way to disable a service is to remove the S link that is associated with it, but I tend to make a directory called DISABLED in each runlevel directory and move the start and kill symlinks that I don't want to run into it. This leaves a record of what services were previously started or stopped when entering each runlevel, and makes the change trivially reversible should I discover that some important service is no longer functioning correctly at a specified runlevel.
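
The following script is an added example, not code from the book. It ties the two preceding sections together: it reads the default runlevel from an inittab file, lists what the corresponding rc?.d directory would start, and moves a service's S and K links into a DISABLED subdirectory the way described above. It runs against a constructed copy of the /etc/rc.d layout in a temporary directory so it can be tried safely; the service names in that copy (network, sshd, vsftpd, httpd) and the link numbers are assumptions, and on a real system you would point it at /etc/rc.d (or /etc on an LSB layout) as root.

```shell
#!/bin/sh
# Added example (not from the book): audit and disable Sys V init services.
# All paths and service names below are assumptions; the fake tree stands in
# for /etc/rc.d so the script can run offline without touching a live system.

set -eu

# Default runlevel from an inittab file: the "id:N:initdefault:" entry.
default_runlevel() {          # $1 = path to inittab
    awk -F: '$3 == "initdefault" { print $2; exit }' "$1"
}

# List the S (started) or K (stopped) links in a runlevel directory in the
# order init's rc script runs them: the shell glob sorts by the two-digit
# number, which is exactly the ascending order the rc script uses.
list_rc_links() {             # $1 = rcN.d directory, $2 = S or K
    for l in "$1"/"$2"[0-9][0-9]*; do
        [ -e "$l" ] || [ -L "$l" ] || continue    # no match: glob stays literal
        printf '%s -> %s\n' "$(basename "$l")" "$(readlink "$l")"
    done
}

# Move every S/K link for a service into rcN.d/DISABLED instead of deleting
# it, so the old configuration stays visible and the change can be reverted
# with a single mv. Fails if no link matched, which usually means a typo.
disable_rc_service() {        # $1 = rcN.d directory, $2 = service name
    mkdir -p "$1/DISABLED"
    n=0
    for l in "$1"/[SK][0-9][0-9]"$2"; do
        [ -L "$l" ] || continue
        mv "$l" "$1/DISABLED/"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Constructed sample tree standing in for /etc/rc.d (not copied from a real
# system): four init scripts and one runlevel-3 directory linking to them.
make_fake_tree() {            # $1 = root directory to populate
    mkdir -p "$1/init.d" "$1/rc3.d"
    printf 'id:3:initdefault:\nl3:3:wait:/etc/rc.d/rc 3\n' > "$1/inittab"
    for s in network sshd vsftpd httpd; do
        printf '#!/bin/sh\necho "%s $1"\n' "$s" > "$1/init.d/$s"
        chmod +x "$1/init.d/$s"
    done
    ln -s ../init.d/network "$1/rc3.d/S10network"
    ln -s ../init.d/sshd    "$1/rc3.d/S55sshd"
    ln -s ../init.d/vsftpd  "$1/rc3.d/S60vsftpd"
    ln -s ../init.d/httpd   "$1/rc3.d/S85httpd"
    ln -s ../init.d/httpd   "$1/rc3.d/K15httpd"
}

# Demo on the fake tree: show the default runlevel and what it starts, then
# disable the FTP server and show the result.
root=$(mktemp -d)
make_fake_tree "$root"
rl=$(default_runlevel "$root/inittab")
echo "default runlevel: $rl"
list_rc_links "$root/rc$rl.d" S
disable_rc_service "$root/rc$rl.d" vsftpd
echo "after disabling vsftpd:"
list_rc_links "$root/rc$rl.d" S
rm -rf "$root"
```

Because the links are moved rather than removed, restoring a service is just mv rcN.d/DISABLED/S60vsftpd rcN.d/ and a re-entry of the runlevel; the K link travels with it so the service is also shut down correctly on the next runlevel change.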

7.2.3. Streamlining Services Run by the Internet Daemon

One of the startup scripts in the directory for each runlevel starts the Internet daemon, which is inetd on older Linux distributions or xinetd on most newer Linux distributions. The Internet daemon starts specified services in response to incoming requests and eliminates the need for your system to permanently run daemons that are accessed only infrequently. If your distribution is still using inetd and you want to disable specific services, edit /etc/inetd.conf and comment out the line for each service you wish to disable. xinetd keeps one control file per service in the directory /etc/xinetd.d; to disable a service, edit the file associated with it and set the disable attribute in its service stanza to yes (disable = yes). After making changes to /etc/inetd.conf or any of the control files in /etc/xinetd.d, you'll need to send a HUP signal to inetd or xinetd to cause it to re-read its configuration, where PID is the process ID of the running daemon:

 # kill -HUP PID
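
The procedure above, as an added example that is not part of the book: one function comments out a service in an inetd.conf-style file, another forces disable = yes in an xinetd control file (rewriting an existing disable line, or inserting one after the stanza's opening brace when the file has none, since a missing attribute means enabled), and a third sends the HUP. The sample inetd.conf and xinetd files are constructed here for the demonstration, not copied from any distribution; the real paths are /etc/inetd.conf and /etc/xinetd.d/<service>, and the services named (ftp, telnet, finger, tftp) are only illustrative.

```shell
#!/bin/sh
# Added example (not from the book): disable services managed by inetd or
# xinetd and reload the daemon. Paths, service names and the sample config
# contents are assumptions; the demo works on copies in a temp directory.

set -eu

# inetd: comment out every active line whose first field is the service.
# The edit goes to a temp file that is moved into place, so an interrupted
# write cannot leave a half-written inetd.conf behind.
disable_inetd_service() {     # $1 = inetd.conf path, $2 = service name
    awk -v svc="$2" '
        $1 == svc && $0 !~ /^[[:space:]]*#/ { print "#" $0; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# xinetd: force "disable = yes" in a per-service control file. If the file
# already has a disable line it is rewritten in place; otherwise one is
# inserted right after the opening brace of the stanza.
disable_xinetd_service() {    # $1 = path to xinetd.d/<service>
    if grep -q '^[[:space:]]*disable[[:space:]]*=' "$1"; then
        sed 's/^\([[:space:]]*\)disable[[:space:]]*=.*/\1disable = yes/' "$1" > "$1.tmp"
    else
        awk '{ print } /^[[:space:]]*\{/ { print "    disable = yes" }' "$1" > "$1.tmp"
    fi
    mv "$1.tmp" "$1"
}

# Check helpers: true when the service is now off.
xinetd_is_disabled() {        # $1 = path to xinetd.d/<service>
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}
inetd_is_disabled() {         # $1 = inetd.conf path, $2 = service name
    ! awk -v svc="$2" '$1 == svc { found = 1 } END { exit !found }' "$1"
}

# The book's "kill -HUP PID" step: find the daemon and tell it to re-read
# its configuration. Not exercised by the demo, which has no daemon running.
reload_inet_daemon() {        # $1 = inetd or xinetd
    pid=$(pgrep -x "$1" 2>/dev/null | head -n 1)
    if [ -z "$pid" ]; then echo "$1 is not running" >&2; return 1; fi
    kill -HUP "$pid"
}

# Constructed sample configuration files (not taken from a real system).
write_samples() {             # $1 = directory to populate
    mkdir -p "$1/xinetd.d"
    cat > "$1/inetd.conf" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    cat > "$1/xinetd.d/tftp" <<'EOF'
service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -s /tftpboot
    disable     = no
}
EOF
}

# Demo: turn off telnet under inetd and tftp under xinetd, then show the files.
dir=$(mktemp -d)
write_samples "$dir"
disable_inetd_service "$dir/inetd.conf" telnet
disable_xinetd_service "$dir/xinetd.d/tftp"
cat "$dir/inetd.conf" "$dir/xinetd.d/tftp"
rm -rf "$dir"
```

On a live system, run disable_inetd_service against /etc/inetd.conf or disable_xinetd_service against /etc/xinetd.d/tftp as root, then reload_inet_daemon xinetd (or inetd) to apply the change without a reboot.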

Many Linux distributions provide tools that simplify managing rc scripts and xinetd configuration. For example, Red Hat Linux provides chkconfig, while SUSE Linux provides this functionality within its YaST administration tool.


Of course, the specific services each system requires depends on what you're using it for. However, if you're setting up an out-of-the-box Linux distribution, you will often want to deactivate default services such as a web server, an FTP server, a TFTP server, NFS support, and so on. Once you have made your changes, confirm them rather than assuming: netstat -tulpn (run as root) lists every TCP and UDP port that is still listening and the process behind it, which is the view an attacker gets of your system.

7.2.4. Summary

Running extra services on your systems consumes system resources and provides opportunities for malicious users to attempt to compromise your systems. Following the suggestions in this hack can help you increase the performance and security of the systems that you or the company you work for depend upon.

Lance Tost



Linux Server Hacks (Vol. 2)