Most generally, a network service is a combination of a program and a network protocol, which together allow remote networked machines to access some sort of functionality on a server machine. Web servers, FTP servers, print servers, terminal access servers, and other such capabilities are, by this general definition, network services. If one were to turn off all network services on a machine, a fairly good argument could be made that it would be secure from network attacks. Unfortunately, the Unix way of doing some things results in some useful capabilities being provided by a machine to itself via the network. For example, in a normal installation a Unix machine prints, even to printers connected directly to itself, by way of the network. Denying all network services would therefore result in a machine that was not particularly useful. Instead, it is necessary to pick which network services are important to keep, and to secure those against attack.
Network services are typically started through one of two mechanisms. Either they are standalone services that are started by a startup script in /System/Library/StartupItems or /Library/StartupItems, or they are started by yet another network service, inetd, which listens for network connections attempting to access particular services and starts the appropriate software to handle them.
Standalone services that are started by a startup script are running all the time, no matter how often they are used. They control their own configurations, and so the user that runs the service may also vary. On the other hand, services that run from inetd do not run all the time. They run only when they are needed, and are started by inetd as whatever user the corresponding inetd.conf entry names; because inetd itself runs as root, and many stock entries name root, such services frequently end up with root's privileges. A given service, though, may also have its own configuration. Running these services through a superserver also enables you to consolidate server processes.
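To make the inetd side of this concrete, here is an added example (it is not code from the book) that parses a classic BSD-style inetd.conf, reports which services are enabled and which of those will be started with root's privileges, and comments out every enabled service that is not on a keep-list. The sample configuration, its service names and paths are constructed for illustration; the line format assumed is the traditional one: service, socket type, protocol, wait/nowait, user[:group], server path, arguments.

```python
"""Audit and prune a classic BSD-style inetd.conf.

Added example, not from the book. Assumed line format:

    service socket-type protocol wait|nowait[/limits] user[:group] server-path [args]

The sample configuration below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Iterable, List

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}

# Constructed sample inetd.conf; not copied from any real system.
SAMPLE_INETD_CONF = """\
# Internet server configuration database
#service  type    proto  wait/nowait  user    server_path            args
ftp       stream  tcp    nowait       root    /usr/libexec/ftpd      ftpd -l
#telnet   stream  tcp    nowait       root    /usr/libexec/telnetd   telnetd
finger    stream  tcp    nowait       nobody  /usr/libexec/fingerd   fingerd -s
ntalk     dgram   udp    wait         root    /usr/libexec/ntalkd    ntalkd
daytime   stream  tcp    nowait       root    internal
#shell    stream  tcp    nowait       root    /usr/libexec/rshd      rshd
"""


@dataclass
class InetdEntry:
    service: str
    socket_type: str
    protocol: str
    wait: str            # "wait" or "nowait", any /limits suffix stripped
    user: str            # user[:group] exactly as written in the file
    server: str          # program path, or "internal" for inetd's built-ins
    args: List[str] = field(default_factory=list)
    enabled: bool = True  # False when the line is commented out

    def runs_as_root(self) -> bool:
        # The user field may be "root", "root:wheel" or, on some systems, "root.wheel".
        return self.user.split(":")[0].split(".")[0] == "root"


def _service_fields(raw: str):
    """Split a line into fields if it looks like a service line, else return None."""
    fields = raw.lstrip().lstrip("#").split()
    # A service line needs at least six fields and a valid socket type;
    # anything else is an ordinary comment, such as the column header.
    if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
        return None
    fields[3] = fields[3].split("/")[0].split(".")[0]
    if fields[3] not in ("wait", "nowait"):
        return None
    return fields


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Return every service line, including commented-out ones (enabled=False)."""
    entries = []
    for raw in text.splitlines():
        fields = _service_fields(raw)
        if fields is None:
            continue
        entries.append(InetdEntry(
            service=fields[0], socket_type=fields[1], protocol=fields[2],
            wait=fields[3], user=fields[4], server=fields[5], args=fields[6:],
            enabled=not raw.lstrip().startswith("#"),
        ))
    return entries


def enabled_services(entries: Iterable[InetdEntry]) -> List[str]:
    return [e.service for e in entries if e.enabled]


def enabled_root_services(entries: Iterable[InetdEntry]) -> List[str]:
    """Enabled services whose server program is started with root's privileges."""
    return [e.service for e in entries if e.enabled and e.runs_as_root()]


def keep_only(text: str, keep: Iterable[str]) -> str:
    """Comment out every enabled service line whose service name is not in keep."""
    keep = set(keep)
    out = []
    for raw in text.splitlines():
        fields = _service_fields(raw)
        active = fields is not None and not raw.lstrip().startswith("#")
        out.append("#" + raw if active and fields[0] not in keep else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entries = parse_inetd_conf(SAMPLE_INETD_CONF)
    print("enabled:     ", enabled_services(entries))
    print("root-enabled:", enabled_root_services(entries))
    print(keep_only(SAMPLE_INETD_CONF, ["ftp"]))
```

Run against a real /etc/inetd.conf, the root-enabled list is the set of services whose compromise yields root directly, which is the first thing to trim; after editing the file, inetd must be sent a HUP signal (or restarted) before the change takes effect.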
This chapter covers the starting of general network services, and how those started from inetd may be partially protected by the correct configuration of inetd, or its replacement, xinetd. Specific security measures for individual services are covered in later chapters of this book.