The number of services that should be listening for connections from the network depends on the type of system (i.e. workstation or server) and its mission (i.e. production web server, anonymous ftp server, development workstation etc.). However, the most secure stance for any given system is to only enable services that are required for the system to fulfill its mission and restrict access to only those whose job description requires it.
The command-line tool chkconfig can be used to show the current configuration state for all run-level services. Two graphical front-end tools may also be used to investigate the status of services:
[root@localhost]# /sbin/chkconfig --list | grep -e "\(:.*on\|xinetd based\)"
keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
...
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd based services:
wu-ftpd: on
Some or all of the services described below may appear in the output from the previous chkconfig command.
The list of services that should be run for every system is short. They are summarized in the table below:
| Service | What it does (see /etc/init.d/servicename) |
|---|---|
| keytable | Loads keyboard map for the system |
| syslog | Activates daemon that other daemons use for logging messages |
| network | Starts network interfaces |
| random | Increases quality of random number generation (important for applications encrypting network data) |
|  | Enables cron daemon used for scheduling jobs |
| anacron |  |
| iptables | Loads the iptables host-based firewall (if configured; see section 2.2.3) |
| ntpd | Controls system clock synchronization |
The gpm service adds mouse support for console-mode text-based applications. If this is a workstation and X-Windows is installed, this service should be off and the rpm package (gpm) can safely be removed. If this is a server without X-Windows and mouse support is desired at the console, this service should be on.
The sshd service encrypts all network communication and provides interactive shell and file transfer access for remote users. Note that the sshd service is NOT required by local users when making outbound connections from this system to another system with the ssh or scp commands. If users will need to access the system remotely, the sshd service should be configured ON so it will start when the system boots.
The kudzu service enables automatic detection and configuration of system hardware changes. If configured to start, it will probe the system for hardware changes every time the system boots. If hardware changes occur only infrequently, the service should be off. Note that kudzu can be started manually with:
[root@localhost]# /etc/init.d/kudzu start
The xinetd service manages the operation and start-up of many familiar services (see
The telnet service provides remote shell access to a system without verifying the identity of the originating host or encrypting the data sent across the network. The service is
The wu-ftpd service provides file transfer protocol service for remote users to transfer files to the system without verifying the identity of the originating host or encrypting the data sent across the network. The service is inherently insecure and, in general, should not be used for connections across the Internet. The primary exception is anonymous ftp servers commonly used for distribution of software source code and patches. Unless the system is an ftp server, wu-ftpd should be off and the rpm packages (wu-ftpd and anonftp) can safely be removed.
All of these services originating from BSD UNIX support weak IP-based authentication and transmit data across the network as clear text (i.e. unencrypted). Note that this includes
The snmpd service is used to communicate with network management software. If there is no need for the system to cooperate with centralized network monitoring applications, the service should be off and the rpm package (snmpd) can safely be removed.
If the service is on, be sure to review the /etc/snmpd/snmpd.conf file. Settings in the file control who has access to the snmpd agent and what level of information the agent will provide. See the snmpd.conf(5) man page for more information.
The tftp service enables file transfers without any authentication credentials. The most common use of this protocol is by network devices that need to download configuration files from the network during their boot sequence. Unless the system is a boot server, tftp should be off and the rpm package (tftp-server) can safely be removed.
Any service that is not needed should be
[root@localhost]# /etc/init.d/servicename stop
[root@localhost]# /sbin/chkconfig --level 0123456 servicename off
In the commands, replace servicename with the name of a service shown in the leftmost column of the list output above (e.g. netfs or wu-ftpd). Repeat the commands for each service.
The rpm package corresponding to the service should be removed using the command:
[root@localhost]# /bin/rpm -e packagename
In the command, replace packagename with the name of the rpm package to which the service belongs.
The package owning a given file can be determined with the following command:
[root@localhost]# /bin/rpm -qf /etc/init.d/servicename
Repeat Step 2.5.1 and verify that the list of services that are configured to be on matches the list expected for the system.
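As an added example (not from the page) of the verification in the step above, this Python parses chkconfig --list output in the format shown earlier and reports services enabled at a runlevel that are not on the expected list, as well as expected services that are off; the listing is constructed, and the expected set assumes a server that also needs sshd.

```python
# Constructed sample of "chkconfig --list" output, in the format shown on the page
# (service names and states are made up for this example).
CHKCONFIG_OUTPUT = """\
keytable   0:off 1:on  2:on  3:on  4:on  5:on  6:off
syslog     0:off 1:off 2:on  3:on  4:on  5:on  6:off
network    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd     0:off 1:off 2:off 3:on  4:on  5:on  6:off
netfs      0:off 1:off 2:on  3:on  4:on  5:on  6:off
kudzu      0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        wu-ftpd: on
        telnet:  off
"""

# Assumed required services for this system: the page's short list plus sshd
# (remote access needed). Adjust to the system's mission.
EXPECTED = {"keytable", "syslog", "network", "random", "crond",
            "anacron", "iptables", "ntpd", "sshd"}

def enabled_services(listing, runlevel):
    """Services started at the given runlevel. xinetd-managed services marked
    'on' count only if xinetd itself starts at that runlevel."""
    enabled, xinetd_managed, in_xinetd = [], [], False
    for line in listing.splitlines():
        if line.startswith("xinetd based services:"):
            in_xinetd = True
            continue
        fields = line.split()
        if not fields:
            continue
        if in_xinetd:
            if fields[1] == "on":
                xinetd_managed.append(fields[0].rstrip(":"))
        elif f"{runlevel}:on" in fields[1:]:
            enabled.append(fields[0])
    if "xinetd" in enabled:
        enabled.extend(xinetd_managed)
    return enabled

def unexpected_services(listing, runlevel, expected=EXPECTED):
    """Enabled services not on the expected list: candidates to stop, chkconfig off, rpm -e."""
    return [s for s in enabled_services(listing, runlevel) if s not in expected]

def missing_services(listing, runlevel, expected=EXPECTED):
    """Expected services that are not enabled (e.g. the firewall left off)."""
    return sorted(expected - set(enabled_services(listing, runlevel)))
```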
Access control to services compiled with TCP wrappers support is implemented by the /etc/hosts.allow and /etc/hosts.deny files. When a connection attempt is made, the hosts.allow file is checked. If a line is matched, the connection is allowed. Then the
If configured as described below, TCP wrappers will display a warning banner to any user attempting to connect to a service it
[root@localhost]# /bin/mkdir -p /etc/banners
[root@localhost]# /bin/echo "Use of this system is restricted to authorized users" > /etc/banners/prototype
[root@localhost]# cd /etc/banners ; /usr/bin/make -f /usr/share/doc/tcp_wrappers-7.6/Banners.Makefile
In order to implement the security best practice stance of deny everything except what is explicitly allowed, issue the following command.
[root@localhost]# echo 'ALL: ALL: spawn (/bin/echo -e `/bin/date`"\n%c attempted connection to %s and was denied" | /bin/mail -s "Connection attempt to %s" root) &' > /etc/hosts.deny
Any connection attempt not listed in the hosts.allow file will be denied, a message will be logged to the syslog auth facility, and an email will be sent to root.
Edit the hosts.allow file and add a line for each service to which access should be allowed. A few examples are shown below (See the man pages for hosts.allow for more detail).
ALL: LOCAL : banners /etc/banners # All services from local clients (hostnames with no ".")
sshd: 10.1.1.0/255.255.254.0 : banners /etc/banners # SSH connections from host IP addresses between 10.1.1.0 and 10.1.2.0
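The access check described above, modelled as an added Python example (not from the page; the file contents are constructed): hosts.allow is consulted first, then hosts.deny, and no match in either means allow, covering only the ALL, LOCAL, net/mask and exact-host client patterns. Because tcpd matches a net/mask pair as (addr & mask) == net, the net part has to be aligned to the mask, which mask_aligned() checks before a rule is trusted.

```python
import ipaddress

# Constructed hosts.allow / hosts.deny contents: the page's deny-everything rule,
# and a mask-aligned variant of its sshd rule (10.1.0.0/23 covers 10.1.0.0-10.1.1.255).
HOSTS_ALLOW = """
ALL: LOCAL : banners /etc/banners    # local clients (hostnames with no ".")
sshd: 10.1.0.0/255.255.254.0 : banners /etc/banners
"""
HOSTS_DENY = "ALL: ALL: spawn (/bin/mail -s 'Connection attempt to %s' root) &\n"

def parse_rules(text):
    """Return (daemon_list, client_list) per rule; options after the second ':' are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split(":")
            rules.append((fields[0].split(), fields[1].split()))
    return rules

def net_mask(pattern):
    net, mask = pattern.split("/", 1)
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(mask))

def mask_aligned(pattern):
    """tcpd tests (addr & mask) == net, so a net with bits outside the mask never matches."""
    net, mask = net_mask(pattern)
    return net & mask == net

def client_matches(pattern, client_ip, client_host):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # hostname without a dot
        return bool(client_host) and "." not in client_host
    if "/" in pattern:                           # net/mask pair
        net, mask = net_mask(pattern)
        return (int(ipaddress.IPv4Address(client_ip)) & mask) == net
    return pattern in (client_ip, client_host)   # exact address or hostname

def rules_match(rules, daemon, client_ip, client_host):
    return any(("ALL" in daemons or daemon in daemons) and
               any(client_matches(p, client_ip, client_host) for p in clients)
               for daemons, clients in rules)

def access_decision(daemon, client_ip, client_host,
                    allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow first, then hosts.deny; a connection matching neither file is allowed."""
    if rules_match(parse_rules(allow_text), daemon, client_ip, client_host):
        return "allow"
    if rules_match(parse_rules(deny_text), daemon, client_ip, client_host):
        return "deny"
    return "allow"
```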
If xinetd has been disabled or removed (typically the case for workstations), this step should be
The xinetd service provides access control to the services that it manages. There should be one file in the /etc/xinetd.d directory for each service. To control access to a service, find the file with the service name and add the following line somewhere between the start and end
only_from = 10.1.1.0/23 # allow connections from host IP addresses between 10.1.1.0 and 10.1.2.0
Server systems that do not usually have operators working from the console should not run the X Windows service. Issue the following command to configure the system to boot to run level 3 (multi-user mode with no X) instead of run level 5 (multi-user mode with X) and save the original /etc/inittab as /etc/inittab.bak:
[root@localhost]# /usr/bin/perl -p -i.bak -e 's/id:5:init/id:3:init/' /etc/inittab