Chapter 20. Controlling Access to Services
Maintaining security on your system is extremely important, and
one approach for this task is to manage access to system services
carefully. Your system may need to provide open access to
particular services (for example, httpd if
you are running a Web server). However, if you do not need to
provide a service, you should turn it off to minimize your exposure
to possible bug exploits.
There are several different methods for managing access to
system services. Decide which method of management to use based on
the service, your system's configuration, and your level of Linux
expertise.
The easiest way to deny access to a service is to turn it off.
Both the services managed by xinetd and
the services in the /etc/rc.d/init.d
hierarchy (also known as SysV services) can be configured to start
or stop using three different applications:
- Services Configuration Tool — a graphical application that displays a description of each service, displays whether each service is started at boot time (for runlevels 3, 4, and 5), and allows services to be started, stopped, and restarted.
- ntsysv — a text-based application that allows you to configure which services are started at boot time for each runlevel. Non-xinetd services cannot be started, stopped, or restarted using this program.
- chkconfig — a command line utility that allows you to turn services on and off for the different runlevels. Non-xinetd services cannot be started, stopped, or restarted using this utility.
You may find that these tools are easier to use than the
alternatives — editing the numerous symbolic links located in
the directories below /etc/rc.d by hand
or editing the xinetd configuration files
in /etc/xinetd.d.
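The advice above (turn off every service you do not need) is easier to follow with a quick audit of what chkconfig reports as enabled. The script below is an added example, not part of the Red Hat guide: it reads `chkconfig --list` output, flags every service that is "on" in runlevel 3, 4 or 5 (or an xinetd-managed service that is "on") but is not on an allow-list you supply, and prints the `chkconfig ... off` commands to review. The chkconfig output embedded in the script is a constructed sample so it runs offline; on a real host, pipe in the live output instead.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit `chkconfig --list`
# for services enabled in the multi-user runlevels that are not on an
# explicit allow-list, and print the commands that would turn them off.

# Constructed sample of `chkconfig --list` output (not from a real host).
# On a real system use:  chkconfig --list | unexpected_services "httpd sshd"
SAMPLE_CHKCONFIG_LIST='httpd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups           0:off 1:off 2:on  3:on  4:on  5:off 6:off
rsync          0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        telnet:         on
        tftp:           off'

# unexpected_services ALLOWLIST
#   Reads chkconfig --list output on stdin and prints, one per line,
#   each service that will be started (SysV: "on" in runlevel 3, 4 or 5;
#   xinetd-managed: "on") but is not named in ALLOWLIST, a
#   space-separated list of services the site deliberately exposes.
unexpected_services() {
    allow=" $1 "
    while read -r svc levels; do
        if [ -z "$svc" ]; then continue; fi
        case "$svc" in
            *:)
                # xinetd-managed entry, e.g. "telnet:  on"
                svc=${svc%:}
                if [ "$levels" != "on" ]; then continue; fi
                ;;
            *)
                # SysV entry; the "xinetd based services:" header falls
                # through here and is dropped because it has no N:on field
                case "$levels" in
                    *"3:on"*|*"4:on"*|*"5:on"*) ;;
                    *) continue ;;
                esac
                ;;
        esac
        case "$allow" in *" $svc "*) continue ;; esac
        printf '%s\n' "$svc"
    done
}

# disable_commands ALLOWLIST
#   Same input; prints the chkconfig commands an administrator would
#   review and then run. Printing rather than executing keeps the
#   decision with the administrator. Without --level, chkconfig turns a
#   SysV service off in runlevels 2-5 and an xinetd service off outright.
disable_commands() {
    unexpected_services "$1" | while read -r svc; do
        printf 'chkconfig %s off\n' "$svc"
    done
}

# Demo on the constructed sample: only httpd and sshd are wanted.
printf '%s\n' "$SAMPLE_CHKCONFIG_LIST" | disable_commands "httpd sshd"
```

On the sample, cups (on in runlevels 3 and 4) and the xinetd-managed telnet are reported; rsync and tftp are already off and httpd and sshd are allowed.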
Another way to manage access to system services is by using
iptables to configure an IP firewall. If
you are a new Linux user, please realize that iptables may not be the best solution for you.
Setting up iptables can be complicated and
is best tackled by experienced Linux system administrators.
On the other hand, the benefit of using iptables is flexibility. For example, if you need a
customized solution which provides certain hosts access to certain
services, iptables can provide it for you.
Refer to the Red Hat Enterprise Linux
Reference Guide and the Red Hat Enterprise
Linux Security Guide for more information about iptables.
Alternatively, if you are looking for a utility to set general
access rules for your home machine, and/or if you are new to Linux,
try the Security Level Configuration
Tool (system-config-securitylevel),
which allows you to select the security level for your system,
similar to the Firewall Configuration
screen in the installation program.
Refer to Chapter 19 Basic
Firewall Configuration for more information. If you need
more specific firewall rules, refer to the iptables chapter in the Red Hat
Enterprise Linux Reference Guide.
Before you can configure access to services, you must understand
Linux runlevels. A runlevel is a state, or mode, that is defined by the services listed in the
directory /etc/rc.d/rc<x>.d, where <x> is the number of the runlevel.
The following runlevels exist:
- 0 — Halt
- 1 — Single-user mode
- 2 — Not used (user-definable)
- 3 — Full multi-user mode
- 4 — Not used (user-definable)
- 5 — Full multi-user mode (with an X-based login screen)
- 6 — Reboot
If you use a text login screen, you are operating in runlevel 3.
If you use a graphical login screen, you are operating in runlevel
5.
The default runlevel can be changed by modifying the /etc/inittab file, which contains a line near the
top of the file similar to the following:
Change the number in this line to the desired runlevel. The
change does not take effect until you reboot the system.
To change the runlevel immediately, use the command telinit followed by the runlevel number. You must be
root to use this command. The telinit
command does not change the /etc/inittab
file; it only changes the runlevel currently running. When the
system is rebooted, it continues to boot the runlevel as specified
in /etc/inittab.
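To make the definition concrete (a runlevel is the set of services listed in /etc/rc.d/rc<x>.d, and /etc/inittab names the default), the following added example, which is not part of the Red Hat guide, reads the initdefault entry from an inittab file and lists the services whose S## start links live in a given rc<x>.d directory. Both functions take a root directory argument so they can be run against the constructed tree that make_sample_tree builds in a temporary directory; the inittab content and the link names are constructed samples, and ROOT=/ would point them at the live system.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): show what a runlevel means
# in SysV terms by reading the default runlevel from inittab and listing
# the start links in the matching rc<x>.d directory.

# Constructed sample of /etc/inittab. The real file holds one
# initdefault line of this form; the number between the colons
# is the runlevel booted by default.
SAMPLE_INITTAB='# inittab sample (constructed)
id:5:initdefault:

# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l3:3:wait:/etc/rc.d/rc 3
l5:5:wait:/etc/rc.d/rc 5'

# default_runlevel ROOT
#   Prints the runlevel number from the initdefault line of
#   ROOT/etc/inittab. Comment lines are ignored.
default_runlevel() {
    sed -n 's/^[^#][^:]*:\([0-6]\):initdefault:.*/\1/p' "$1/etc/inittab"
}

# runlevel_services ROOT LEVEL
#   Prints the services started in runlevel LEVEL: every S##name link in
#   ROOT/etc/rc.d/rc<LEVEL>.d with the S## prefix removed, in start
#   order. K## (kill) links are stopped, not started, so they are skipped.
runlevel_services() {
    for link in "$1/etc/rc.d/rc$2.d"/S[0-9][0-9]*; do
        [ -e "$link" ] || continue
        name=${link##*/}
        printf '%s\n' "${name#S[0-9][0-9]}"
    done
}

# make_sample_tree ROOT
#   Builds a constructed rc tree: sshd and httpd start in runlevels 3
#   and 5, xinetd starts only in 5, and crond is killed in 3.
make_sample_tree() {
    mkdir -p "$1/etc/rc.d/init.d" "$1/etc/rc.d/rc3.d" "$1/etc/rc.d/rc5.d"
    printf '%s\n' "$SAMPLE_INITTAB" > "$1/etc/inittab"
    for svc in sshd httpd xinetd crond; do : > "$1/etc/rc.d/init.d/$svc"; done
    ln -s ../init.d/sshd   "$1/etc/rc.d/rc3.d/S55sshd"
    ln -s ../init.d/httpd  "$1/etc/rc.d/rc3.d/S85httpd"
    ln -s ../init.d/crond  "$1/etc/rc.d/rc3.d/K10crond"
    ln -s ../init.d/sshd   "$1/etc/rc.d/rc5.d/S55sshd"
    ln -s ../init.d/xinetd "$1/etc/rc.d/rc5.d/S56xinetd"
    ln -s ../init.d/httpd  "$1/etc/rc.d/rc5.d/S85httpd"
}

# Demo: build the sample tree in a temporary directory, report the
# default runlevel, and list the services that runlevel starts.
ROOT=$(mktemp -d)
make_sample_tree "$ROOT"
level=$(default_runlevel "$ROOT")
echo "default runlevel: $level"
runlevel_services "$ROOT" "$level"
rm -rf "$ROOT"
```

Because telinit changes only the running runlevel, comparing `default_runlevel /` with the output of the `runlevel` command is a quick way to tell whether a host is currently in the state it will return to after a reboot.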