Chapter 5. Controlling Access to Services

Maintaining security on your Red Hat Linux system is extremely important. One way to manage security on your system is to carefully manage access to system services. Your system may need to provide open access to particular services (for example, httpd if you're running a Web server). However, if you don't need to provide a service, you should turn it off — this will minimize your exposure to any possible bug exploits.

There are several different methods for managing access to system services. You'll need to decide which of them you'd like to use, based on the service, your system's configuration and your level of Linux expertise.

The easiest way to deny access to a service is to simply turn it off. Both the services managed by xinetd (which we'll talk about more later in this section) and the services in the /etc/rc.d hierarchy can be configured to start or stop using either the ntsysv utility or using chkconfig. You may find that these tools are easier to use than the alternatives — editing the numerous symbolic links located in the directories below /etc/rc.d by hand or editing the xinetd configuration files in /etc/xinetd.d.

The ntsysv utility provides a simple interface for activating or deactivating services. You can use ntsysv to turn an xinetd-managed service on or off. You can also use ntsysv to start or stop a service in the /etc/rc.d hierarchy; in that case, the ntsysv command (without options) configures your current runlevel. If you want to configure a different runlevel, use something like ntsysv --levels 016. (In this example, you'd be setting the services for runlevels 0, 1 and 6.)

The ntsysv interface works like the text-mode installation program. Use the up and down arrows to navigate up and down the list. The space bar selects/unselects services and is also used to "press" the Ok and Cancel buttons. To move between the list of services and the Ok and Cancel buttons, use the [Tab] key. An * signifies that a service is set to on. The [F1] key will pop up a short description of each service.

The chkconfig command can also be used to activate and deactivate services. If you use the chkconfig --list command, you'll see a list of system services and whether they are started (on) or stopped (off) in runlevels 0-6 (at the end of the list, you'll see a section for the services managed by xinetd, which we'll discuss later in this section).

If you use chkconfig --list to query a service managed by xinetd, you'll see whether the xinetd service is enabled (on) or disabled (off). For example, the following command shows that finger is enabled as an xinetd service:

$ chkconfig --list finger
finger          on

As shown above, if xinetd is running, finger is enabled.

If you use chkconfig --list to query a service in /etc/rc.d, you'll see the service's settings for each runlevel, like the following:

$ /sbin/chkconfig --list anacron
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off

More importantly, chkconfig can be used to set a service to be started (or not) in a specific runlevel. For example, if we wanted to turn nscd off in runlevels 3, 4, and 5, we'd use a command like this:

chkconfig --level 345 nscd off

See the chkconfig man page for more information on how to use it.

Activating Changes

Changes do not take effect immediately after using ntsysv or chkconfig. You must stop or start the individual service with the command service daemon stop. In the previous example, replace daemon with the name of the service you want to stop; for example, httpd. Replace stop with start or restart to start or restart the service. If you want to start or stop a service which is managed by xinetd, use the command service xinetd restart.

To control access to Internet services, you can use xinetd, a secure replacement for inetd. The xinetd daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can be used to provide or access only to particular hosts, to deny access to particular hosts, to only provide access to a service at certain times, to limit the rate of incoming connections and/or the load created by connections, etc.

xinetd runs constantly and listens on all of the ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service.

The configuration file for xinetd is /etc/xinetd.conf, but you'll notice upon inspection of the file that it just contains a few defaults and an instruction to include the /etc/xinetd.d directory. To enable or disable a xinetd service, edit its configuration file in the /etc/xinetd.d directory. If the disable attribute is set to yes, the service is disabled. If the disable attribute is set to no, the service is enabled. If you edit any of the xinetd configuration files or change its enabled status using ntsysv or chkconfig, you must restart xinetd with the command service xinetd restart before the changes will take effect.

Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services. Any network services managed by xinetd (as well as any program with built-in support for libwrap) can use TCP wrappers to manage access. xinetd can use the /etc/hosts.allow and /etc/hosts.deny files to configure access to system services. If you'd like to use TCP wrappers, see the hosts_access (5) man pages for more detailed information.

Another way to manage access to system services is by using ipchains to configure an IP firewall. If you're a new Linux user, please realize that ipchains may not be the best solution for you. Setting up ipchains can be complicated and is best tackled by experienced UNIX/Linux system administrators.

On the other hand, the benefit of using ipchains is flexibility. For example, if you need a customized solution which provides access to certain services to certain hosts, ipchains can provide it for you. See the Linux IPCHAINS-HOWTO at http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html for more information about ipchains. The Linux IPCHAINS-HOWTO is also available on the Documentation CD.

Alternatively, if you're looking for a utility which will set general access rules for your home machine, and/or if you are new to Linux, you should try the gnome-lokkit utility. gnome-lokkit is a GUI utility which will ask you questions about how you want to use your machine. Based on your answers, gnome-lokkit will then configure a simple firewall for you.