Chapter 7. Controlling Access to Services
Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, httpd if you are running a web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
This chapter explains the concept of runlevels, and describes how to set the default one. It also covers the setup of the services to be run in each of them using three different utilities: the Service Configuration graphical application, the ntsysv text user interface, and the chkconfig command line tool. Finally, it describes how to start, stop, and restart the services on a command line using the service command.
When you allow access for new services, always remember that both the firewall and SELinux need to be configured as well. One of the most common mistakes committed when configuring a new service is neglecting to implement the necessary firewall configuration and SELinux policies to allow access for it. Refer to the Red Hat Enterprise Linux Security Guide (see Section 7.4, “Additional Resources”) for more information.
7.1. Configuring the Default Runlevel
A runlevel is a state, or mode, defined by services that are meant to be run when this runlevel is selected. Seven numbered runlevels exist (indexed from 0):
Table 7.1. Runlevels in Red Hat Enterprise Linux
Runlevel | Description
0 | Used to halt the system. This runlevel is reserved and cannot be changed.
1 | Used to run in a single-user mode. This runlevel is reserved and cannot be changed.
2 | Not used by default. You are free to define it yourself.
3 | Used to run in a full multi-user mode with a command line user interface.
4 | Not used by default. You are free to define it yourself.
5 | Used to run in a full multi-user mode with a graphical user interface.
6 | Used to reboot the system. This runlevel is reserved and cannot be changed.
To check in which runlevel you are operating, type the following:
~]$ runlevel
N 5
The runlevel command displays the previous and the current runlevel (N in the first column means there was no previous runlevel). In this case the current runlevel is number 5, which means the system is running in a full multi-user mode with a graphical user interface.
The default runlevel can be changed by modifying the /etc/inittab file, which contains a line near the end of the file similar to the following:
id:5:initdefault:
In order to edit this file, you must have superuser privileges. To obtain them, log in as root by typing the following command:
~]$ su -
Password:
Now open the file in a text editor such as vi or nano:
~]# nano /etc/inittab
Then change the number in this line to the desired value and exit the editor. Note that the change does not take effect until you reboot the system.
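As an added example that is not part of this guide, the following POSIX shell script reads the initdefault entry from an inittab-style file and rewrites it, refusing runlevels 0 and 6 because a system whose default runlevel halts or reboots would never reach a usable state. It works on a constructed sample file rather than the real /etc/inittab.

```shell
#!/bin/sh
# Added example (not from the Deployment Guide): inspect and safely change
# the initdefault entry of an inittab-style file.

# Print the default runlevel recorded in the given inittab file.
get_default_runlevel() {
    # The entry has the form  id:<N>:initdefault:
    sed -n 's/^id:\([0-6]\):initdefault:.*/\1/p' "$1" | head -n 1
}

# Rewrite the initdefault entry of $1 to runlevel $2. Rejects 0 and 6
# (the system would halt or reboot as soon as init starts) and anything
# that is not a single digit in the range 1-5.
set_default_runlevel() {
    file=$1
    level=$2
    case "$level" in
        [1-5]) ;;
        0|6) echo "refusing: runlevel $level would halt/reboot at boot" >&2
             return 1 ;;
        *)   echo "invalid runlevel: $level" >&2
             return 1 ;;
    esac
    # Require exactly one initdefault line so the edit is unambiguous.
    if [ "$(grep -c '^id:[0-6]:initdefault:' "$file")" -ne 1 ]; then
        echo "no single initdefault line in $file" >&2
        return 1
    fi
    # Keep a backup, then replace the line via a temporary file.
    cp "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    sed "s/^id:[0-6]:initdefault:/id:$level:initdefault:/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Constructed sample mimicking the tail of /etc/inittab (not a real file).
SAMPLE_INITTAB=$(mktemp)
cat > "$SAMPLE_INITTAB" <<'EOF'
# constructed sample, not a real /etc/inittab
id:5:initdefault:
EOF

echo "default runlevel in sample: $(get_default_runlevel "$SAMPLE_INITTAB")"
```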