Improve your Linux security: Stop unnecessary network services

Take a look at some unnecessary network services that you can shutdown to help lockdown a Linux system.

One of the attractions of Linux is its native support for a wide range of TCP/IP services, many of which are configured to run by default. Those default services, however, can expose your Linux networked workstation to external intruders.

If your workstation is connected to a TCP/IP network with active network services, you're exposing your system to all other clients on the network. If the telnet server application is active, a telnet client running on another workstation on the network can easily establish a login session on your system; it needs only the address of your system and the port or socket number of a network service running on your system.

And like other commonly used TCP/IP applications, telnet has a standard defined port number, 23, which is also the address of the running telnet server application. So any telnet client running on any remote workstation on the network can establish a login session to your workstation over port 23.

To reduce your workstation’s vulnerability to such an attack, users should first find out what networked services are running, determine which ones can be retained with minimum security risk, and stop the rest of those services. There are three places to look for active network services on your workstation: the /etc/inetd.conf file, the /etc/xinetd.conf file, and the /etc/rc.d directories.

Services run by the inetd daemon
The Linux inetd daemon is a network service utility that provides a central point of control for all Internet services running on a system. The inetd daemon listens for network ports listed in the /etc/inetd.conf file. Each line of the inetd.conf file lists one service that inetd is to listen for. When an incoming request matches a network port number specified in the file, inetd assigns the appropriate application to the incoming socket. For example, if an incoming request asks for port 21 and ftp is listed in the /etc/inetd.conf file, inetd will then connect the client to the ftp service, after which it resumes listening in on the other ports listed in its configuration file.

To find out if the inetd daemon is running on a workstation, open a terminal window and enter the following command:
ps aux | grep inetd

Figure A

The results of this command, shown in Figure A, indicate if the service is running and when it was started. Once you know the inetd daemon is running, you should enter the following command to see which network services inetd is listening for:
grep –v "^#" /etc/inetd.conf

The results of this command are also shown in Figure A. There, you can clearly see that inetd is listening for ftp, finger, and ntalk, among others.

Figure A shows the /etc/inetd.conf file as configured by the installation script that came with the Red Hat 6.1 CD. However, the file needs considerable modification to secure the system. This can be done by editing the file through a text editor, such as vi, and removing unnecessary services. For example, lines specifying older utilities, such as talk and ntalk, which allow interactive communications between you and another user on the network, should be deleted. Another older utility, finger, which runs by default over port 79 and allows a remote client to find out user information, should also be deleted. These services do not have security features required for today’s networks.

Shell  and login are RPC-based daemons that should be replaced with their more secure versions (i.e., SSH and slogin, respectively). The ftp and telnet services should also be replaced by their more secure counterparts, scp or http for ftp, and sshd for telnet. (Note that large installations should not be running http on every desktop. Instead, workstations in these installations should be accessing the Web via a separate Web server.)

Another problem is that root is entered in the user field of many services. It is recommended that services never be run as root unless absolutely necessary, and then only if they are strictly monitored. If they are not, the user field of each line should be replaced with nobody, which is preferred.

Services run by the xinetd daemon
If you find that inetd is not present on your workstation, it doesn't mean that you have no active network services. Later versions of Linux, such as Red Hat 7.0 and above, have replaced the inetd daemon with the extended Internet services daemon, xinetd. Like inetd, xinetd listens for connection requests from client applications. When it receives a connection request to a port, xinetd starts up the TCP/IP service for that port, handing over the port to the network service so the client can work with the service.

To see if xinetd is running on your system, open a terminal window and enter the same ps command listed above, replacing inetd with xinetd:
ps aux | grep xinetd

Figure B

The results of this command, shown in Figure B, indicate if the xinetd service is running and when it was started. Just like inetd, xinetd also works with a configuration file, /etc/xinetd.conf. This file can be found by entering the following command:
grep –v “^#” /etc/xinetd.conf

The results are also shown in Figure B. You'll notice that they are significantly different from the results shown in Figure A. Unlike in inetd, this command will not show you which services xinetd is listening for. To see those services, you must list the files in the /etc/xinetd.d directory, which is the equivalent of the /etc/inetd.d directory used by inetd. To do so, enter the command:
ls -l /etc/xinetd.d/*

Figure C

The results, shown in Figure C, indicate which services xinetd is listening for. To turn off a service you don’t want xinetd to run, you need to edit the file for that particular service. For example, to turn off talk, you would edit the /etc/xinetd.d/talk file using vi or another text editor, so that disable equals yes, as shown in Figure D. Note that you will need to restart xinetd for any configuration changes to take effect.

Figure D

Services not run by the inetd or xinetd daemons
While the configuration files of the inetd and xinetd daemons are useful in determining which network services have been started by these super daemons, not all network services are or should be under their control. Increasingly, network services are being configured to start independently at system startup. Their startup scripts can be found in the /etc/rc.d directory. To access this directory and view a listing, open a terminal window and enter the following commands:
cd /etc/rc.d
ls –l rc*.d

Figure E

As Figure E shows, the /etc/rc.d directory contains seven subdirectories of start scripts that are invoked by the init process as the system enters the designated runlevel. For example, upon startup, a Red Hat workstation installed with X-Windows defaults to runlevel 5; init looks in the /etc/rc.d/rc5.d directory and runs each start script it finds listed there. If you press [Ctrl][Alt][F1] as root, you will be returned to the text-based login screen, or runlevel 3, at which level init will run the scripts found in rc3.d. To identify the scripts that will run under a particular runlevel, such as 3, enter the following command:
cd rc3.d
ls -l

Figure F

Note that the partial listing of rc3.d shown in Figure F does not contain the actual scripts themselves, but symbolic links to them which are located in the /etc/r.d/init.d directory.

As with stand-alone systems connected to the Internet, the ps command should be executed upon booting your system to see which daemons have actually been started. (Note that even though a script is supposed to run at a particular runlevel, it may not if the script requires a certain configuration that doesn't exist on your system.) If you don’t want a specific service to run, you must find and delete the link to its start script from its corresponding /etc/rc*.d directory. Many Linux distributions include graphical system tools (e.g., Linuxconf or YaST) that can be used to stop unnecessary services without having to delete the scripts manually.

Determine what’s running now
After you have made changes to the inedt or xinedt configuration files and the rc.d directories, how can you be sure all unnecessary network services have been stopped? It is a good idea to run the netstat utility any time changes are made to the configuration files and upon reboot. To find out which ports are currently awaiting connections, enter netstat with the —inet and –a options, as shown in Figure G.

Figure G

Only by examining the output from the netstat command can you be sure that the changes you made have taken effect and that your system ports are not open to active services.

Editor's Picks