Sometimes a particular service requires one or more other daemons to be running (a daemon is a process that runs without an associated console). For instance, the samba service needs these three daemons to be running: smbd, nmbd, and winbindd. This can pose a problem when some daemons are not running or not configured. In their effort to make a server as functional as possible, most distributions are likely to have all possible services running and operational out of the box. After the initial operating system installation, you need to shut down some of the unnecessary services. A properly hardened server runs only the necessary services. The rationale is that any bit of code may have vulnerabilities; if the service is not running, no one can take advantage of it. The question is, how do you know which services are necessary? A difficult way to determine this might be to turn off each service one at a time, and then check to see if everything you need is still working. This approach is both tedious and impractical. Tables 2-2 and 2-3 list the default services that are running and guidelines for determining which ones you might not need.
However, many other services exist, and there are many interdependencies between services, and between services and other components. Simple trial and error will not be the most productive approach. The best way to configure services is to learn which services are necessary and turn off the rest. The definition of what services are necessary, as you have seen, may vary from server to server.
Once you have determined that a specific service is necessary, you may be able to determine if another service is also required by seeing if it is required by the ones that you know are necessary. This is the process of checking to see if a service has prerequisites or dependencies. To find the dependencies, check the man page with the man command. Type man servicename, such as man sendmail. The man page will list any requirements a service has. If you are not sure what man page to look at, try using man's keyword capability, as follows:
man -k keyword
For example, the command
man -k sendmail
would show you all the man pages that contain information pertaining to sendmail.
You should also refer to the See Also section at the end of the man page and investigate these other sources of service information.
Tip: Under SLES8, the Runlevel Editor program that is described in the next section will warn you if you attempt to turn on a service but neglect to start services it depends on.
Tables 2-5 and 2-6 list common Linux services and their dependencies. The services are listed down the first column, and the services they require are listed across the top.
Service | Required Services | |||||||
---|---|---|---|---|---|---|---|---|
network | syslog | route | quota | zebra | nmb | ypserv | inetd | |
acct | Yes | Yes | ||||||
adsl | Yes | Yes | ||||||
apache | Yes | |||||||
Arpwatch | Yes | Yes | ||||||
Atalk | Yes | |||||||
Autofs | Yes | Yes | ||||||
Bgpd | Yes | Yes | ||||||
cipe | Yes | |||||||
cron | Yes | Yes | ||||||
Cups | Yes | Yes | ||||||
Dhcpd | Yes | |||||||
dhcrelay | Yes | |||||||
Evlog | Yes | |||||||
fam | Yes | Yes | ||||||
gpm | Yes | Yes | ||||||
Heartbeat | Yes | Yes | ||||||
hotplug | Yes | Yes | ||||||
Httpd | Yes | |||||||
Inetd | Yes | Yes | ||||||
innd | Yes | |||||||
ippl | Yes | |||||||
Ipsec | Yes | Yes | Yes | |||||
ipvsadm | Yes | |||||||
Ipxmount | Yes | Yes | ||||||
Ipxrip | Yes | Yes | ||||||
ircd | Yes | Yes | Yes | |||||
Irqbalance | ||||||||
Iscsi | Yes | Yes | ||||||
kdc | Yes | |||||||
ksysguardd | Yes | |||||||
lisa | Yes | Yes | ||||||
mailman | Yes | Yes | ||||||
mon | Yes | Yes | ||||||
Mrtd | Yes | |||||||
Mysql | Yes | |||||||
Nagios | Yes | Yes | ||||||
Named | Yes | Yes | ||||||
Nessusd | Yes | |||||||
nfs | Yes | Yes | ||||||
nfslock | Yes | Yes | ||||||
Nfsserver | Yes | Yes | ||||||
nmd | Yes | Yes | ||||||
ntop | Yes | |||||||
new | Yes | Yes | ||||||
ospf6d | Yes | Yes | ||||||
Ospfd | Yes | Yes | ||||||
Pcscd | Yes | Yes | ||||||
Pkcipe | Yes | |||||||
portmap | Yes | Yes | ||||||
Postfix | Yes | Yes | ||||||
postgres | Yes | |||||||
Powertweakd | Yes | Yes | ||||||
pptd | Yes | Yes | ||||||
Quota | Yes | Yes | ||||||
Quotad | Yes | Yes | Yes | |||||
radiusd | Yes | Yes | ||||||
Radvd | Yes | Yes | ||||||
ripd | Yes | Yes | ||||||
Ripngd | Yes | Yes | ||||||
Rpasswdd | Yes | Yes | ||||||
Rstatd | Yes | |||||||
Rsyncd | Yes | Yes | ||||||
rusersd | Yes | |||||||
Rwhod | Yes | |||||||
Scanlogd | Yes | Yes | ||||||
Sendmail | Yes | |||||||
smb | Yes | Yes | Yes | |||||
Smbfs | Yes | Yes | Yes | |||||
smpppd | Yes | Yes | ||||||
Snmpd | Yes | |||||||
Snmptrapd | Yes | |||||||
Snort | Yes | |||||||
Squid | Yes | |||||||
Syslog | Yes | |||||||
vtun | Yes | Yes | ||||||
Winbindd | Yes | Yes | Yes | |||||
Wwwoffle | Yes | Yes | ||||||
xfs | Yes | |||||||
Xinetd | Yes | |||||||
Xnlpd | Yes | Yes | ||||||
Ypbind | Yes | Yes | ||||||
yppasswdd | Yes | Yes | Yes | |||||
ypserv | Yes | Yes | ||||||
Ypxfrd | Yes | Yes | Yes | |||||
Zebra | Yes |
Service | Required Services | ||||||||
---|---|---|---|---|---|---|---|---|---|
ldap | portmap | sshd | hotplug | alsasound | cron | nfslock | cipe | z90crypt | |
slurpd | Yes | Yes | |||||||
Ipsec | Yes | ||||||||
nsf | Yes | ||||||||
nsflock | Yes | ||||||||
nfsserver | Yes | Yes | |||||||
quota | Yes | ||||||||
quotad | Yes | ||||||||
ypbind | Yes | ||||||||
yppasswdd | Yes | ||||||||
ypserv | Yes | ||||||||
ypxfrd | Yes | ||||||||
ircd | Yes | ||||||||
Cups | Yes | ||||||||
Joystick | Yes | ||||||||
mailman | |||||||||
Pkcipe | Yes | ||||||||
Pkcsslotd | Yes |
Finding service dependencies is not difficult in Linux distributions that are compliant with the Linux Standard Base (LSB) version 1.3. Both Red Hat Enterprise Linux AS 3.0 and SLES8 are LSB 1.3 compliant. LSB requires that the headers in the scripts that start and stop services contain a field showing exactly what each service is dependent upon. For instance, the script that starts the ypserver, /etc/rc.d/ypserv, contains a line like Required-Start: portmap. This means that the ypserver requires the portmap service in order to run correctly. When portmap is started by the init script with the start argument, the information specified in the portmap script's Provides header is considered present. This fulfills the ypserver's requirement, and ypserver is then eligible to run. The converse is also true: if the init script is run with the stop argument, the facilities described in the Provides header are considered no longer present. For these reasons it is important that startup scripts contain all the correct header information. Do not delete or alter header information from the scripts without a good reason, especially in the section that is delimited by the following lines:
### BEGIN INIT INFO
### END INIT INFO
If you are interested in the rest of the fields in the script header, you are encouraged to check out the LSB specification at http://www.linuxbase.org. This is also a way to get exposed to the other useful information contained in the headers of the init scripts.
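The following is an added example, not part of the original text or of any distribution's tooling: it reads the Provides and Required-Start fields from the delimited header block and walks them to list every script a chosen service pulls in, so the remainder can be reviewed for shutdown. The function names and the sample headers are constructed for illustration; names beginning with `$` are LSB system facilities and are reported as unresolved rather than mapped to a script.

```python
import re

# Constructed sample init-script text; real scripts live under /etc/rc.d or /etc/init.d.
TEMPLATE = """#!/bin/sh
### BEGIN INIT INFO
# Provides:       {provides}
# Required-Start: {required}
# Required-Stop:
### END INIT INFO
# Provides: outside-block
"""
SAMPLE_SCRIPTS = {
    name: TEMPLATE.format(provides=name, required=required)
    for name, required in [
        ("portmap", "$network $syslog"),
        ("ypserv", "$network portmap"),
        ("yppasswdd", "$network portmap ypserv"),
        ("sshd", "$network"),
    ]
}

def parse_lsb_header(text):
    """Return {field: [values]} using only lines between the INIT INFO delimiters."""
    fields, inside = {}, False
    for line in text.splitlines():
        if line.startswith("### BEGIN INIT INFO"):
            inside = True
        elif line.startswith("### END INIT INFO"):
            break  # anything after the block is not header data
        elif inside:
            m = re.match(r"#\s*([A-Za-z-]+):\s*(.*)$", line)
            if m:
                fields[m.group(1)] = m.group(2).split()
    return fields

def required_closure(scripts, wanted):
    """Return (scripts needed by `wanted`, facilities no script provides)."""
    headers = {name: parse_lsb_header(text) for name, text in scripts.items()}
    # Map each facility named in a Provides field to the script that supplies it.
    provider = {f: n for n, h in headers.items() for f in h.get("Provides", [])}
    needed, unresolved, stack = set(), set(), list(wanted)
    while stack:
        script = provider.get(facility := stack.pop())
        if script is None:
            unresolved.add(facility)  # e.g. $network, or a missing header
        elif script not in needed:
            needed.add(script)
            stack.extend(headers[script].get("Required-Start", []))
    return needed, unresolved
```

Scripts that are in the input but not in the returned set are the candidates to examine for disabling; a non-`$` name in the unresolved set indicates a script whose header is missing or has been altered.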