Step 2: Determine Required Services


The second step in hardening network services is to determine which services need to be supported. Does the server need to act as a shared drive for Windows? Is the machine a corporate web server? Do you need an e-mail server? It is likely that the server will fulfill a combination of different purposes. Requirements may change over time as new tasks are delegated to an existing server, but you should not turn on unnecessary services now. When they become necessary, you can enable them. Unless you know what you are trying to achieve, it is impossible to determine the correct balance between too much and too little access. If you are eager to get started, but are not absolutely sure which services you will need, look at the service configuration suggestions for SLES8 and Red Hat Enterprise Linux AS 3.0 in Tables 2-2 and 2-3. They will give you an idea of what services are on by default in runlevel 3 after the initial operating system install. The tables also make suggestions about some services you can turn off unless you are sure you need them.

Table 2-2: Red Hat Enterprise Linux AS 3.0 Services Baseline

Service

On by Default?

Turn Off?

Leave On
When Using

Purpose

freeWnn

Yes

Yes

Japanese

Japanese conversion engine

apmd

Yes

Yes

A laptop

Monitors battery status for laptops

arptables_jf

Yes

Yes

 

Automates a packet filtering firewall
with arptables

atd

Yes

   

AT batch job daemon

autofs

Yes

   

autofs daemon

canna

Yes

Yes

Japanese

Canna Japanese conversion engine

crond

Yes

   

Cron job service

cups

Yes

Yes

Printing

CUPS printer daemon

gpm

Yes

Yes

Cut and paste
on the console

Allows mouse on console

hpoj

Yes

Yes

An HP OfficeJet

HP OfficeJet support

ip6tables

Yes

   

ip6tables firewall

iptables

Yes

   

iptables firewall

irqbalance

Yes

   

Distributed interrupts across CPU
on multiprocessor systems

isdn

Yes

Yes

ISDN

ISDN drivers

kkeytable

Yes

   

Keyboard settings

kudzu

Yes

Yes

Run this by hand if hardware changes

Hardware probe for configuring
new hardware

mdmonitor

Yes

Yes

RAID

Software RAID monitoring

microcode_ctl

Yes

   

Applies CPU microcode

netfs

Yes

Yes

NFS

Mounts and unmounts NFS, SMB,
and NCP file systems

network

Yes

   

Configures network interfaces
and routing

nfslock

Yes

Yes

NFS

NFS locking daemon

pcmcia

Yes

Yes

A laptop

PCMCIA card configuration database

portmap

Yes

Yes

NFS

DARPA port to RPC program
number mapper

random

Yes

   

Random number generator

rawdevices

Yes

   

Enables raw I/O

rrhnsd

Yes

Yes

A service contract

Program for querying Red Hat
network for updates

sendmail

Yes

Yes

E-mail server

SMTP server

sgi_fam

Yes

   

File monitoring daemon

sshd

Yes

   

OpenSSH SSH daemon

syslog

Yes

   

System logging daemon

xinetd

Yes

   

Internet daemon

Table 2-3: SLES8 Services Baseline

Services

On by Default?

Turn Off?

Leave On
When Using

Purpose

alsasound

Yes

Yes

Sound

Loads ALSA driver

atd

Yes

   

AT batch job daemon

cron

Yes

   

Cron job service

evlog

Yes

   

Event logging daemon

hotplug

Yes

   

Linux hotplugging support

hwscan

Yes

   

Hardware scan and reconfiguration

ippl

Yes

   

IPPL protocols logger

iscsi

Yes

Yes

Remote SCSI
devices

Access to remote SCSI devices

joystick

Yes

Yes

A joystick

Joystick drivers

kbd

Yes

No

 

Keyboard settings

ldirectord

Yes

Yes

A cluster

Linux Director daemon for clustering

microcode

Yes

   

Updates Intel CPU microcode

network

Yes

   

Configures network interfaces and routing

nscd

Yes

   

Name service caching daemon

portmap

Yes

   

DARPA port to RPC program number mapper

postfix

Yes

   

Postfix mail transfer agent

random

Yes

   

Random number generator

rawdevices

Yes

   

Enables raw I/O

rpmconfigcheck

Yes

   

rpm config file scan

smbfs

Yes

   

Imports remote SMB/CIFS file systems

splash_early

Yes

   

Kills animation after network start

splash_late

Yes

   

Starts animation before shutdown

sshd

Yes

   

OpenSSH SSH daemon

SuSEfirewall2_final

Yes

     

SuSEfirewall2_init

Yes

     

syslog

Yes

   

System logging daemon

Red Hat Enterprise Linux AS 3.0 Services Baseline

Table 2-2 lists the services that are running by default in Red Hat Enterprise Linux AS 3.0 at runlevel 3. As you scan the table, look for services that are not necessary on the server. For example, if your server is not a mail server, you should be sure to turn off Sendmail. Mail is one of the most likely network services to be targeted by hackers. This is partly because it is widely deployed and partly because it is a critical infrastructure component that administrators are reluctant to upgrade or patch, even though many vulnerabilities have been discovered and are widely recognized.

SLES8 Services Baseline

Table 2-3 shows the services baseline for SLES8.

Consider Additional Services

In addition to the services installed and turned on by default, many other services are available for enabling. Do not configure these services unless you know that they are needed. However, if these services are already installed and enabled, you should investigate each service to see if it is required for that specific server. The first bit of information you will need to know is what each service is used for. Table 2-4 lists many Linux services and their purposes. Use this information, additional information provided by the man pages on these services, and your knowledge of what role a specific server plays to determine if a specific service is necessary. Use caution; it may not be immediately obvious if a service is needed. Its role on the server may be to support some other necessary service or component. The section Step 3: Determine Services Dependencies can help you determine if this is the case. Before you disable or remove any service, thoroughly investigate it.

Table 2-4: Services and Their Purposes

Service

Purpose

freeWnn

Japanese conversion engine

acct

Process accounting

adsl

Starts Roaring Penguin ADSL

aep1000

AEP coprocessor driver

alsasound

Loads ALSA driver

amd

Automount daemon for NFS

apache

Loads Apache HTTP daemon

apmd

Monitors battery status for laptops

argus

Starts Argus

arpwatch

Starts arpwatch daemon

arptables_jf

Automates a packet filtering firewall with arptables

atalk

AppleTalk TCP/IP daemons

atd

AT batch job daemon

autofs

autofs daemon

avgate

Anti-Virus Mail Gateway Service

bcm5820

Hardware cryptographic accelerator support

bgpd

BGP routing daemon

Canna

Canna Japanese conversion engine

cipe

CIPE tunnel

cron

Cron job service

crond

Cron job service

cups

CUPS printer daemon

dc_client

Distcache, a distributed SSL session cache client proxy

dc_server

Distcache, a distributed SSL session cache server

dhcpd

DHCP server

dhcrelay

DHCP relaying across network segments

evlog

Event logging daemon

fam

File access monitoring

fbset

Frame buffer setup

gpm

Allows mouse on console

heartbeat

Starts heartbeat HA services

hotplug

Linux hotplugging support

hpoj

HP OfficeJet support

httpd

Apache HTTP server

hwscan

Hardware scan and Reconfiguration

inetd

Internet daemon

inn

InterNetNews server

innd

InterNetNews server

ippl

IPPL protocols logger

ip6tables

ip6tables firewall

iptables

iptables firewall

ipsec

Encrypted and authenticated communication

ipvsadm

Virtual server administration

ipxmount

Access to Novell network via IPX

ipxrip

IPX routing daemon

ircd

Internet Relay Chat daemon

irda

Infrared Data Association support for infrared communication

irqbalance

Distributed interrupts across CPU on multiprocessor systems

iscsi

Access to remote SCSI devices

isdn

ISDN drivers

joystick

Joystick drivers

kadmin

Kerberos 5 server

kdc

Kerberos 5 server

kbd

Keyboard settings

keytable

Keyboard settings

kprop

Kerberos 5 service

krb524

Kerberos 5 credential converter

krb5kdc

Kerberos 5 service

ksysguardd

Remote monitor daemon for ksysguard

kudzu

Hardware probe for configuring new hardware

ldap

Open LDAP2 server

ldirectord

Linux Director daemon for clustering

lisa

LAN browser daemon

mailman

The mailman mailing list program

mdmonitor

Software RAID monitoring

microcode

Update Intel CPU microcode

microcode_ctl

Applies CPU microcode

mon

Heartbeat HA services

mrtd

Multithreaded routing toolkit daemon

mysql

MySQL database server

nagios

Network monitor

named

Domain Name Server

nessusd

Allow security scans from this host

netdump

Initialize netconsole and netcrashdump facility

netdump-server

Server to send oops data and memory dumps over the network

netfs

Mount and unmount NFS, SMB, and NCP file systems

network

Configure network interfaces and routing

nfs

Imports remote network file systems

nfslock

NFS locking daemon

nfsserver

Kernel-based NFS daemon

nmd

Samba NetBIOS naming service over IP

nscd

Name service caching daemon

ntop

Monitor network usage

ntpd

Network time protocol daemon

nwe

Starts the nwe-server (marsnwe)

ospf6d

OSPF IPv6 routing daemon

ospfd

OSPF routing daemon

pcmcia

PCMCIA card configuration database

pcscd

pcscd daemon

pkcipe

CIPE public key server

pkcsslotd

pkcsslotd daemon

portmap

DARPA port to RPC program number mapper

postfix

Postfix mail transfer agent

postgresl

PostgreSQL daemon

powertweakd

Performance tuning utility

pptpd

PoPToP PPTP daemon

psacct

Process accounting

pxe

Preboot execution environment for network booting other machines

quota

Turns quota on

quotad

Starts quota daemon

radiusd

Authentication, authorization, and accounting server

radvd

Router advertisement daemon

random

Random number generator

rarpd

Server for reverse address resolution request

raw

Raw devices for raw I/O

rawdevices

Enables raw I/O

rhnsd

Queries Red Hat network for updates

rinetd

Internet redirection server

ripd

RIP routing daemon

ripngd

RIPNG routing daemon

rpmconfigcheck

rpm config file scan

rpasswdd

Secure remote password updates

rstatd

Network status monitor RPC protocol server

rsyncd

rsync daemon

rusersd

Checks who is logged on other machines

rwhod

Gets a list of users logged on a remote machine

saslauthd

SASL authentication server

scanlogd

scanlogd portscanner daemon

sendmail

Sendmail mail transfer agent

setserial

Initializes serial ports

sgi_fam

File monitoring daemon

slurpd

OpenLDAP2 server

smartd

Self-monitoring and reporting technology daemon

smb

Samba SMB/CIFS file and print server

smbfs

Imports remote SMB/CIFS file systems

smpppd

Internet dial-up connections daemon

snmpd

University of California at Davis Simple Network Management Protocol

snmptrapd

Receives and logs SNMP trap messages

snort

Packet sniffer/logger

spamassassin

Mail filter to identify spam

splash

Splash screen setup

splash_early

Kills animation after network start

splash_late

Starts animation before shutdown

squid

SQUID web cache daemon

sshd

OpenSSH SSH daemon

SuSEfirewall2_final

Sets all the firewalling rules. Phase 3 of 3 of SuSEfirewall setup.

SuSEfirewall2_init

Does some basic setup and is Phase 1 of 3 of the SuSEfirewall initialization.

SuSEfirewall2_setup

Does some basic setup and is Phase 2 of 3 of the SuSEfirewall initialization.

syslog/syslogd

System logging daemon

tux

Threaded kernel-based HTTP server

vncserver

Virtual network computing server

vtun

VPN daemon

vsftpd

Very Safe FTP daemon

winbindd

NSS daemon for name resolution from NT servers

wwwoffle

Proxy server

xdm

X display manager

xfs

X font server

xinetd

Internet daemon

xntpd

Time protocol daemon

ypbind

Finds server for NIS domains

yppasswdd

Allows NIS users to change passwords

ypserv

Distributes NIS maps

ypxfrd

Faster NIS maps transfers

zebra

Routing manager daemon




Hardening Linux
Hardening Linux
ISBN: 0072254971
EAN: 2147483647
Year: 2004
Pages: 113

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net