Chapter 20. Controlling Access to Services
Maintaining security on your system is extremely important, and one
approach for this task is to manage access to system services carefully.
Your system may need to provide open access to particular services (for
example, httpd if you are running a Web server).
However, if you do not need to provide a service, you should turn it off
to minimize your exposure to possible bug exploits.
There are several different methods for managing access to system
services. Decide which method of management to use based on the
service, your system's configuration, and your level of Linux expertise.
The easiest way to deny access to a service is to turn it off. Both the
services managed by xinetd and the services in the
/etc/rc.d/init.d hierarchy (also known as SysV
services) can be configured to start or stop using three different
applications:
Services Configuration Tool — a graphical application
that displays a description of each service, displays whether each
service is started at boot time (for runlevels 3, 4, and 5), and
allows services to be started, stopped, and restarted.
ntsysv — a text-based application
that allows you to configure which services are started at boot time
for each runlevel. Non-xinetd services cannot be
started, stopped, or restarted using this program.
chkconfig — a command line utility that
allows you to turn services on and off for the different
runlevels. Non-xinetd services cannot be started,
stopped, or restarted using this utility.
You may find that these tools are easier to use than the alternatives
— editing the numerous symbolic links located in the directories
below /etc/rc.d by hand or editing the
xinetd configuration files in
/etc/xinetd.d.
Another way to manage access to system services is by using
iptables to configure an IP firewall. If you are a new
Linux user, please realize that iptables may not be the
best solution for you. Setting up iptables can be
complicated and is best tackled by experienced Linux system
administrators.
On the other hand, the benefit of using iptables is
flexibility. For example, if you need a customized solution which
provides certain hosts access to certain services,
iptables can provide it for you. Refer to the
Red Hat Enterprise Linux Reference Guide and the Red Hat Enterprise Linux Security Guide for more
information about iptables.
Alternatively, if you are looking for a utility to set general access
rules for your home machine, and/or if you are new to Linux, try the
Security Level Configuration Tool
(system-config-securitylevel), which allows you to
select the security level for your system, similar to the
Firewall Configuration screen in the installation
program.
Refer to Chapter 19, Basic Firewall Configuration, for more information.
If you need more specific firewall rules, refer to the
iptables chapter in the
Red Hat Enterprise Linux Reference Guide.
Before you can configure access to services, you must understand Linux
runlevels. A runlevel is a state, or mode, that
is defined by the services listed in the directory
/etc/rc.d/rc<x>.d,
where <x> is the number of the
runlevel.
The following runlevels exist:
0 — Halt
1 — Single-user mode
2 — Not used (user-definable)
3 — Full multi-user mode
4 — Not used (user-definable)
5 — Full multi-user mode (with an X-based login screen)
6 — Reboot
If you use a text login screen, you are operating in runlevel 3. If you
use a graphical login screen, you are operating in runlevel 5.
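As an added example (not part of the Red Hat guide), the following POSIX shell script reads the S* start links in a runlevel directory, the same symbolic links chkconfig manages, and reports any service that starts in that runlevel but is not on an expected allowlist. The RC_ROOT variable and the sample rc3.d/rc5.d tree it builds are assumptions so the script can be exercised offline; on a real host RC_ROOT defaults to /etc/rc.d.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: list the SysV services that a
# runlevel starts by reading the S* symlinks in rc<x>.d, and flag any that
# are not on an expected allowlist. RC_ROOT (an assumed variable) defaults
# to /etc/rc.d so the same functions run against a real system.

# enabled_services <runlevel>: print the names behind S (start) links
enabled_services() {
    dir="${RC_ROOT:-/etc/rc.d}/rc$1.d"
    [ -d "$dir" ] || { echo "no such runlevel directory: $dir" >&2; return 1; }
    for link in "$dir"/S[0-9][0-9]*; do
        [ -e "$link" ] || continue        # glob matched nothing
        name=${link##*/}
        echo "${name#S[0-9][0-9]}"        # drop the S and two-digit priority
    done | sort -u
}

# unexpected_services <runlevel> <allowed service>...: enabled but not allowed
unexpected_services() {
    level=$1; shift
    for svc in $(enabled_services "$level"); do
        ok=0
        for allowed in "$@"; do
            [ "$svc" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 1 ] || echo "$svc"
    done
}

# build_sample_tree: constructed rc3.d/rc5.d layout for offline use, so the
# check can be exercised without touching a real /etc/rc.d
build_sample_tree() {
    RC_ROOT=$(mktemp -d)
    mkdir -p "$RC_ROOT/init.d" "$RC_ROOT/rc3.d" "$RC_ROOT/rc5.d"
    for svc in sshd xinetd httpd sendmail; do : > "$RC_ROOT/init.d/$svc"; done
    ln -s ../init.d/sshd     "$RC_ROOT/rc3.d/S55sshd"
    ln -s ../init.d/xinetd   "$RC_ROOT/rc3.d/S56xinetd"
    ln -s ../init.d/httpd    "$RC_ROOT/rc3.d/S85httpd"
    ln -s ../init.d/sendmail "$RC_ROOT/rc3.d/K30sendmail"   # K link: not started
    ln -s ../init.d/sshd     "$RC_ROOT/rc5.d/S55sshd"
    export RC_ROOT
}

# Usage against the constructed tree; on a real host, skip build_sample_tree
# and run e.g. `unexpected_services 3 sshd xinetd` as root.
build_sample_tree
echo "Runlevel 3 starts: $(enabled_services 3 | tr '\n' ' ')"
echo "Not on allowlist:  $(unexpected_services 3 sshd xinetd)"
```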
The default runlevel can be changed by modifying the
/etc/inittab file, which contains a line near the top
of the file similar to the following:
Change the number in this line to the desired runlevel. The change does
not take effect until you reboot the system.
To change the runlevel immediately, use the command
telinit followed by the runlevel number. You must be
root to use this command. The telinit command does
not change the /etc/inittab file; it only changes
the runlevel currently running. When the system is rebooted, it
continues to boot the runlevel as specified in
/etc/inittab.