The second step in hardening network services is to determine which services need to be supported. Does the server need to act as a shared drive for Windows? Is the machine a corporate web server? Do you need an e-mail server? It is likely that the server will fulfill a combination of different purposes. Requirements may change over time as new tasks are delegated to an existing server, but you should not turn on unnecessary services now. When they become necessary, you can enable them. Unless you know what you are trying to achieve, it is impossible to determine the correct balance between too much and too little access. If you are eager to get started, but are not absolutely sure which services you will need, look at the service configuration suggestions for SLES8 and Red Hat Enterprise Linux AS 3.0 in Tables 2-2 and 2-3. They will give you an idea of what services are on by default in runlevel 3 after the initial operating system install. The tables also make suggestions about some services you can turn off unless you are sure you need them.
Table 2-2 Services on by default at runlevel 3 in Red Hat Enterprise Linux AS 3.0

Service | On by Default? | Turn Off? | Leave On If You Need | Purpose |
---|---|---|---|---|
freeWnn | Yes | Yes | Japanese | Japanese conversion engine |
apmd | Yes | Yes | A laptop | Monitors battery status for laptops |
arptables_jf | Yes | Yes | | Automates a packet filtering firewall |
atd | Yes | | | AT batch job daemon |
autofs | Yes | | | autofs daemon |
canna | Yes | Yes | Japanese | Canna Japanese conversion engine |
crond | Yes | | | Cron job service |
cups | Yes | Yes | Printing | CUPS printer daemon |
gpm | Yes | Yes | Cut and paste | Allows mouse on console |
hpoj | Yes | Yes | An HP OfficeJet | HP OfficeJet support |
ip6tables | Yes | | | ip6tables firewall |
iptables | Yes | | | iptables firewall |
irqbalance | Yes | | | Distributes interrupts across CPUs |
isdn | Yes | Yes | ISDN | ISDN drivers |
keytable | Yes | | | Keyboard settings |
kudzu | Yes | Yes | Run this by hand if hardware changes | Hardware probe for configuring new hardware |
mdmonitor | Yes | Yes | RAID | Software RAID monitoring |
microcode_ctl | Yes | | | Applies CPU microcode |
netfs | Yes | Yes | NFS | Mounts and unmounts NFS, SMB, and NCP file systems |
network | Yes | | | Configures network interfaces |
nfslock | Yes | Yes | NFS | NFS locking daemon |
pcmcia | Yes | Yes | A laptop | PCMCIA card configuration database |
portmap | Yes | Yes | NFS | DARPA port to RPC program number mapper |
random | Yes | | | Random number generator |
rawdevices | Yes | | | Enables raw I/O |
rhnsd | Yes | Yes | A service contract | Queries Red Hat Network for updates |
sendmail | Yes | Yes | E-mail server | SMTP server |
sgi_fam | Yes | | | File monitoring daemon |
sshd | Yes | | | OpenSSH SSH daemon |
syslog | Yes | | | System logging daemon |
xinetd | Yes | | | Internet daemon |
Table 2-3 Services on by default at runlevel 3 in SLES8

Service | On by Default? | Turn Off? | Leave On If You Need | Purpose |
---|---|---|---|---|
alsasound | Yes | Yes | Sound | Loads ALSA driver |
atd | Yes | | | AT batch job daemon |
cron | Yes | | | Cron job service |
evlog | Yes | | | Event logging daemon |
hotplug | Yes | | | Linux hotplugging support |
hwscan | Yes | | | Hardware scan and reconfiguration |
ippl | Yes | | | IPPL protocols logger |
iscsi | Yes | Yes | Remote SCSI | Access to remote SCSI devices |
joystick | Yes | Yes | A joystick | Joystick drivers |
kbd | Yes | No | | Keyboard settings |
ldirectord | Yes | Yes | A cluster | Linux Director daemon for clustering |
microcode | Yes | | | Updates Intel CPU microcode |
network | Yes | | | Configures network interfaces and routing |
nscd | Yes | | | Name service caching daemon |
portmap | Yes | | | DARPA port to RPC program number mapper |
postfix | Yes | | | Postfix mail transfer agent |
random | Yes | | | Random number generator |
rawdevices | Yes | | | Enables raw I/O |
rpmconfigcheck | Yes | | | rpm config file scan |
smbfs | Yes | | | Imports remote SMB/CIFS file systems |
splash_early | Yes | | | Kills animation after network start |
splash_late | Yes | | | Starts animation before shutdown |
sshd | Yes | | | OpenSSH SSH daemon |
SuSEfirewall2_final | Yes | | | Sets all the firewalling rules (phase 3 of 3 of SuSEfirewall2 setup) |
SuSEfirewall2_init | Yes | | | Basic setup (phase 1 of 3 of SuSEfirewall2 initialization) |
syslog | Yes | | | System logging daemon |
Table 2-2 lists the services that are running by default in Red Hat Enterprise Linux AS 3.0 at runlevel 3. As you scan the table, look for services that are not necessary on the server. For example, if your server is not a mail server, you should be sure to turn off Sendmail. Mail is one of the most likely network services to be targeted by hackers. This is partly because it is widely deployed and partly because it is a critical infrastructure component that administrators are reluctant to upgrade or patch, even though many vulnerabilities have been discovered and are widely recognized.
Table 2-3 shows the services baseline for SLES8.
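The review of Table 2-2 described above can be scripted so that it is repeatable across servers. The script below is an added example, not from the book: it parses the `chkconfig --list` output format that Red Hat Enterprise Linux AS 3.0 prints, lists what is on in runlevel 3, and compares that with an allow-list for an assumed web-server role. The `chkconfig` sample output, the allow-list and the role are constructed for the example; on a real server you would feed the script the output of `chkconfig --list` and use the role's own allow-list.

```shell
#!/bin/sh
# Added example (not the book's code): review runlevel-3 services against a
# per-role allow-list, using the line format `chkconfig --list` prints on
# Red Hat Enterprise Linux AS 3.0. xinetd-managed services, which chkconfig
# lists separately, are not covered here.

# Constructed sample of `chkconfig --list` output, standing in for the real
# command so the script runs offline. Service names match Table 2-2.
SAMPLE_CHKCONFIG='crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:off   4:off   5:off   6:off'

# Assumed role for the example: a web server. Everything not listed here is a
# candidate for review; adjust the list per server role.
WEB_SERVER_ALLOW='crond sshd syslog iptables network httpd'

# Print the services that are "on" in the given runlevel (default 3).
# Each chkconfig line is "<service> 0:off 1:off 2:on 3:on ..." so the
# runlevel/state pairs are split on ":" and matched against the requested level.
services_on_in_runlevel() {
    rl="${1:-3}"
    printf '%s\n' "$SAMPLE_CHKCONFIG" | awk -v rl="$rl" '
        { for (i = 2; i <= NF; i++) {
              split($i, kv, ":")
              if (kv[1] == rl && kv[2] == "on") print $1
          } }'
}

# Print services that are on in runlevel 3 but absent from the allow-list,
# i.e. the ones to investigate (and their dependencies) before turning off.
services_to_review() {
    allow="$1"
    services_on_in_runlevel 3 | while read -r svc; do
        case " $allow " in
            *" $svc "*) ;;                 # required for this role: keep
            *) printf '%s\n' "$svc" ;;     # not on the allow-list: review
        esac
    done
}

# Emit the commands an administrator would run for each reviewed service.
# They are printed rather than executed so the script is safe to run anywhere;
# chkconfig --level 3 <svc> off removes it from runlevel 3 and service <svc>
# stop halts the running instance.
disable_commands() {
    services_to_review "$WEB_SERVER_ALLOW" | while read -r svc; do
        printf 'chkconfig --level 3 %s off; service %s stop\n' "$svc" "$svc"
    done
}

# Usage: sh review_services.sh
disable_commands
```

For the constructed sample the review list is sendmail, portmap and cups, which matches the "Turn Off?" column of Table 2-2 for a server that is not a mail, NFS or print server. The commands are printed, not run, so the output can be checked against the dependency step before anything is actually disabled.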
In addition to the services installed and turned on by default, many other services are available for enabling. Do not configure these services unless you know that they are needed. However, if these services are already installed and enabled, you should investigate each service to see if it is required for that specific server. The first bit of information you will need to know is what each service is used for. Table 2-4 lists many Linux services and their purposes. Use this information, additional information provided by the man pages on these services, and your knowledge of what role a specific server plays to determine if a specific service is necessary. Use caution; it may not be immediately obvious if a service is needed. Its role on the server may be to support some other necessary service or component. The section Step 3: Determine Services Dependencies can help you determine if this is the case. Before you disable or remove any service, thoroughly investigate it.
Table 2-4 Linux services and their purposes

Service | Purpose |
---|---|
freeWnn | Japanese conversion engine |
acct | Process accounting |
adsl | Starts Roaring Penguin ADSL |
aep1000 | AEP coprocessor driver |
alsasound | Loads ALSA driver |
amd | Automount daemon for NFS |
apache | Loads Apache HTTP daemon |
apmd | Monitors battery status for laptops |
argus | Starts Argus |
arpwatch | Starts arpwatch daemon |
arptables_jf | Automates a packet filtering firewall with arptables |
atalk | AppleTalk TCP/IP daemons |
atd | AT batch job daemon |
autofs | autofs daemon |
avgate | Anti-Virus Mail Gateway Service |
bcm5820 | Hardware cryptographic accelerator support |
bgpd | BGP routing daemon |
Canna | Canna Japanese conversion engine |
cipe | CIPE tunnel |
cron | Cron job service |
crond | Cron job service |
cups | CUPS printer daemon |
dc_client | Distcache, a distributed SSL session cache client proxy |
dc_server | Distcache, a distributed SSL session cache server |
dhcpd | DHCP server |
dhcrelay | DHCP relaying across network segments |
evlog | Event logging daemon |
fam | File access monitoring |
fbset | Frame buffer setup |
gpm | Allows mouse on console |
heartbeat | Starts heartbeat HA services |
hotplug | Linux hotplugging support |
hpoj | HP OfficeJet support |
httpd | Apache HTTP server |
hwscan | Hardware scan and reconfiguration |
inetd | Internet daemon |
inn | InterNetNews server |
innd | InterNetNews server |
ippl | IPPL protocols logger |
ip6tables | ip6tables firewall |
iptables | iptables firewall |
ipsec | Encrypted and authenticated communication |
ipvsadm | Virtual server administration |
ipxmount | Access to Novell network via IPX |
ipxrip | IPX routing daemon |
ircd | Internet Relay Chat daemon |
irda | Infrared Data Association support for infrared communication |
irqbalance | Distributed interrupts across CPU on multiprocessor systems |
iscsi | Access to remote SCSI devices |
isdn | ISDN drivers |
joystick | Joystick drivers |
kadmin | Kerberos 5 server |
kdc | Kerberos 5 server |
kbd | Keyboard settings |
keytable | Keyboard settings |
kprop | Kerberos 5 service |
krb524 | Kerberos 5 credential converter |
krb5kdc | Kerberos 5 service |
ksysguardd | Remote monitor daemon for ksysguard |
kudzu | Hardware probe for configuring new hardware |
ldap | OpenLDAP2 server |
ldirectord | Linux Director daemon for clustering |
lisa | LAN browser daemon |
mailman | The mailman mailing list program |
mdmonitor | Software RAID monitoring |
microcode | Update Intel CPU microcode |
microcode_ctl | Applies CPU microcode |
mon | Heartbeat HA services |
mrtd | Multithreaded routing toolkit daemon |
mysql | MySQL database server |
nagios | Network monitor |
named | Domain Name Server |
nessusd | Allow security scans from this host |
netdump | Initialize netconsole and netcrashdump facility |
netdump-server | Server to send oops data and memory dumps over the network |
netfs | Mount and unmount NFS, SMB, and NCP file systems |
network | Configure network interfaces and routing |
nfs | Imports remote network file systems |
nfslock | NFS locking daemon |
nfsserver | Kernel-based NFS daemon |
nmbd | Samba NetBIOS naming service over IP |
nscd | Name service caching daemon |
ntop | Monitor network usage |
ntpd | Network time protocol daemon |
nwe | Starts the nwe-server (marsnwe) |
ospf6d | OSPF IPv6 routing daemon |
ospfd | OSPF routing daemon |
pcmcia | PCMCIA card configuration database |
pcscd | pcscd daemon |
pkcipe | CIPE public key server |
pkcsslotd | pkcsslotd daemon |
portmap | DARPA port to RPC program number mapper |
postfix | Postfix mail transfer agent |
postgresql | PostgreSQL daemon |
powertweakd | Performance tuning utility |
pptpd | PoPToP PPTP daemon |
psacct | Process accounting |
pxe | Preboot execution environment for network booting other machines |
quota | Turns quota on |
quotad | Starts quota daemon |
radiusd | Authentication, authorization, and accounting server |
radvd | Router advertisement daemon |
random | Random number generator |
rarpd | Server for reverse address resolution request |
raw | Raw devices for raw I/O |
rawdevices | Enables raw I/O |
rhnsd | Queries Red Hat network for updates |
rinetd | Internet redirection server |
ripd | RIP routing daemon |
ripngd | RIPNG routing daemon |
rpmconfigcheck | rpm config file scan |
rpasswdd | Secure remote password updates |
rstatd | Network status monitor RPC protocol server |
rsyncd | rsync daemon |
rusersd | Checks who is logged on other machines |
rwhod | Gets a list of users logged on a remote machine |
saslauthd | SASL authentication server |
scanlogd | scanlogd portscanner daemon |
sendmail | Sendmail mail transfer agent |
setserial | Initializes serial ports |
sgi_fam | File monitoring daemon |
slurpd | OpenLDAP2 server |
smartd | Self-monitoring and reporting technology daemon |
smb | Samba SMB/CIFS file and print server |
smbfs | Imports remote SMB/CIFS file systems |
smpppd | Internet dial-up connections daemon |
snmpd | University of California at Davis Simple Network Management Protocol daemon |
snmptrapd | Receives and logs SNMP trap messages |
snort | Packet sniffer/logger |
spamassassin | Mail filter to identify spam |
splash | Splash screen setup |
splash_early | Kills animation after network start |
splash_late | Starts animation before shutdown |
squid | Squid web cache daemon |
sshd | OpenSSH SSH daemon |
SuSEfirewall2_final | Sets all the firewalling rules. Phase 3 of 3 of SuSEfirewall setup. |
SuSEfirewall2_init | Does some basic setup and is Phase 1 of 3 of the SuSEfirewall initialization. |
SuSEfirewall2_setup | Does some basic setup and is Phase 2 of 3 of the SuSEfirewall initialization. |
syslog/syslogd | System logging daemon |
tux | Threaded kernel-based HTTP server |
vncserver | Virtual network computing server |
vtun | VPN daemon |
vsftpd | Very Secure FTP daemon |
winbindd | NSS daemon for name resolution from NT servers |
wwwoffle | Proxy server |
xdm | X display manager |
xfs | X font server |
xinetd | Internet daemon |
xntpd | Time protocol daemon |
ypbind | Finds server for NIS domains |
yppasswdd | Allows NIS users to change passwords |
ypserv | Distributes NIS maps |
ypxfrd | Faster NIS maps transfers |
zebra | Routing manager daemon |