Controlling Access to Services

Maintaining security on your Red Hat Linux system is extremely important. One way to manage security on your system is to carefully manage access to system services. Your system may need to provide open access to particular services (for example, httpd if you're running a Web server). However, if you don't need to provide a service, you should turn it off — this will minimize your exposure to any possible bug exploits.

There are several different methods for managing access to system services. You'll need to decide which of them you'd like to use, based on the service, your system's configuration and your level of Linux expertise.

The easiest way to deny access to a service is to simply turn it off. Both the services managed by xinetd (which we'll talk about more later in this section) and the services in the /etc/rc.d hierarchy can be configured to start or stop using either the ntsysv utility or chkconfig. You may find that these tools are easier to use than the alternatives — editing the numerous symbolic links located in the directories below /etc/rc.d by hand or editing the xinetd configuration files in /etc/xinetd.d.

ntsysv provides a simple interface for activating or deactivating services. You can use ntsysv to turn an xinetd-managed service on or off. You can also use ntsysv to start or stop a service in the /etc/rc.d hierarchy; in that case, the ntsysv command without options configures your current runlevel. If you want to configure a different runlevel, use something like ntsysv --levels 016. (In this example, you'd be setting the services for runlevels 0, 1 and 6.)

The ntsysv interface works like the text-mode installation program. Use the up and down arrows to navigate up and down the list. The space bar selects/un-selects services and is also used to "press" the Ok and Cancel buttons. To move between the list of services and the Ok and Cancel buttons, use the Tab key. An * signifies that a service is set to on. The F1 key will pop up a short description of each service.

chkconfig can also be used to activate and deactivate services. If you use the chkconfig --list command, you'll see a list of system services and whether they are started (on) or stopped (off) in runlevels 0-6 (at the end of the list, you'll see a section for the services managed by xinetd, which we'll discuss later in this section).

You can also use chkconfig to find out whether a specific service is running. For example, the following command checks for the finger daemon:

$ chkconfig --list finger
finger          on

As shown above, finger is on in the current runlevel.

If you use chkconfig --list to query a service in /etc/rc.d, you'll see the service's settings for each runlevel, like the following:

$ /sbin/chkconfig --list anacron
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off

More importantly, chkconfig can be used to set a service to be started (or not) in a specific runlevel. For example, if we wanted to turn nscd off in runlevels 3, 4, and 5, we'd use a command like this:

chkconfig --level 345 nscd off

See the chkconfig man page for more information on how to use it.
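The chkconfig --list output shown above is easy to audit by hand on a small system, but a script is more reliable when you want to confirm that only the services you expect are on. The following bash script is an added example, not from the Red Hat guide: it parses listing output in the format shown above (the SysV section followed by the "xinetd based services:" section) and reports every service that is on in a chosen runlevel but is not on a short allow list. The listing it carries is constructed sample output; the allow list "sshd anacron" is an assumption for the sake of the example.

```bash
#!/bin/bash
# Added example, not from the Red Hat guide: audit `chkconfig --list` output for
# services that are on in a given runlevel but are not on a short allow list.
# The listing below is constructed sample output; on a live system, pipe the
# real `chkconfig --list` into unexpected_services instead.

SAMPLE_CHKCONFIG_LIST='anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
nscd            0:off   1:off   2:off   3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        finger: on
        telnet: off
        rsync:  on'

# Read a listing on stdin; print the SysV services that are on in runlevel $1.
sysv_enabled_in_runlevel() {
    awk -v lvl="$1" '
        /^xinetd based services:/ { exit }            # SysV section ends here
        { for (i = 2; i <= NF; i++)
              if ($i == (lvl ":on")) { print $1; break } }'
}

# Read a listing on stdin; print the xinetd-managed services that are on.
xinetd_enabled() {
    awk '
        /^xinetd based services:/ { in_xinetd = 1; next }
        in_xinetd && $2 == "on" { sub(/:$/, "", $1); print $1 }'
}

# Read a listing on stdin; print every service that is on (SysV in runlevel $1,
# plus all xinetd services) and not in the space-separated allow list $2.
# Returns 1 when anything unexpected is on, so it can gate a hardening check.
unexpected_services() {
    local level="$1" allow=" $2 " listing svc found=0
    listing=$(cat)
    for svc in $(sysv_enabled_in_runlevel "$level" <<<"$listing") \
               $(xinetd_enabled <<<"$listing"); do
        case "$allow" in
            *" $svc "*) ;;                 # expected to be on
            *) echo "$svc"; found=1 ;;
        esac
    done
    return "$found"
}

# Offline demonstration on the constructed listing; on a real host run:
#   chkconfig --list | unexpected_services 3 "sshd anacron"
unexpected_services 3 "sshd anacron" <<<"$SAMPLE_CHKCONFIG_LIST"
```

Each name the script prints is a candidate for chkconfig --level 345 NAME off (or for disabling in its /etc/xinetd.d file); the non-zero exit status lets you call it from a periodic check that fails when something unexpected has been switched on.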

Another way of controlling access to Internet services is using xinetd, a secure replacement for inetd. xinetd conserves system resources, provides access control and logging, and can be used to start special-purpose servers. xinetd can be used to provide access only to particular hosts, to deny access to particular hosts, to only provide access to a service at certain times, to limit the rate of incoming connections and/or the load created by connections, etc.

xinetd runs constantly, and listens on all of the ports for the services it manages. When a connection request arrives for one of its managed services, xinetd starts up the appropriate server for that service.

The configuration file for xinetd is /etc/xinetd.conf, but you'll notice upon inspection of the file that it just contains a few defaults and an instruction to include the /etc/xinetd.d directory. The files within the /etc/xinetd.d directory contain the configuration options for each service managed by xinetd, so you'll need to edit these files to configure xinetd.

See the xinetd (8) man page and the xinetd.conf (8) man page for specific instructions on how to set up the files in /etc/xinetd.d. The xinetd Web page, located at http://www.xinetd.org/, is another good source of information.
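The guide points to the man pages rather than showing what a file in /etc/xinetd.d looks like. The following is an added example, not Red Hat's own configuration: two constructed service files, one that leaves telnet installed but switched off with disable = yes, and one that keeps rsync on but restricts it with only_from, access_times, extra failure logging and a connection-rate cap, together with a small bash audit that lists which services in a directory are enabled and whether they restrict client addresses. The files are written under a temporary directory rather than /etc; the attribute names are the ones documented in the xinetd.conf man page, and the addresses, paths and time window are assumptions for the example.

```bash
#!/bin/bash
# Added example, not from the Red Hat guide: constructed /etc/xinetd.d-style
# service files plus a small audit of which services are enabled and whether
# they restrict clients with only_from. Written to a temp dir, never to /etc.

XINETD_DIR=$(mktemp -d)

# Constructed service file: telnet left installed but switched off.
cat >"$XINETD_DIR/telnet" <<'EOF'
service telnet
{
        disable         = yes
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
EOF

# Constructed service file: rsync enabled only for one subnet, during a time
# window, with failed attempts logged and the connection rate capped.
cat >"$XINETD_DIR/rsync" <<'EOF'
service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        only_from       = 192.168.1.0/24
        access_times    = 08:00-18:00
        log_on_failure  += USERID HOST
        cps             = 25 30
}
EOF

# Print the value of attribute $2 in service file $1 (first "=" or "+="
# assignment; prints nothing if the attribute is absent).
xinetd_attr() {
    awk -v key="$2" '
        $1 == key && ($2 == "=" || $2 == "+=") {
            $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print "yes" if service file $1 disables its service, else "no".
xinetd_disabled() {
    local v
    v=$(xinetd_attr "$1" disable)
    [ "$v" = yes ] && echo yes || echo no
}

# For every enabled service file in directory $1, print the service name and
# its only_from list, or UNRESTRICTED when any client may connect.
xinetd_enabled_report() {
    local f name from
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(xinetd_disabled "$f")" = no ] || continue
        name=$(awk '$1 == "service" { print $2; exit }' "$f")
        from=$(xinetd_attr "$f" only_from)
        echo "$name ${from:-UNRESTRICTED}"
    done
}

# Offline demonstration; on a real host: xinetd_enabled_report /etc/xinetd.d
xinetd_enabled_report "$XINETD_DIR"
```

A service that shows up as UNRESTRICTED is reachable from any host xinetd accepts connections from; that is the case to look at first when deciding whether the service needs only_from, a TCP wrappers rule, or simply disable = yes.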

Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services. Any network services managed by xinetd (as well as any program with built-in support for libwrap) can use TCP wrappers to manage access. xinetd can use the /etc/hosts.allow and /etc/hosts.deny files to configure access to system services. If you'd like to use TCP wrappers, see the hosts_access (5) man page for more detailed information.
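The part of hosts_access (5) that most often trips people up is the order of evaluation: a matching line in hosts.allow grants access, otherwise a matching line in hosts.deny refuses it, and if neither file matches, access is granted. The following bash script is an added example, not from the Red Hat guide or the TCP wrappers package: it writes a constructed default-deny pair of files (specific entries in hosts.allow, ALL : ALL in hosts.deny) to a temporary directory and evaluates the decision for a few daemon/client pairs, including what happens when the hosts.deny catch-all is missing. It handles only a subset of the client pattern syntax (ALL, exact names or addresses, trailing-dot address prefixes, leading-dot hostname suffixes); netmask forms, EXCEPT and the option field are not implemented, so test a real configuration with tcpdmatch (8) rather than with this script. The daemon names, addresses and domain are assumptions for the example.

```bash
#!/bin/bash
# Added example, not from the Red Hat guide: a simplified evaluator for the
# hosts.allow / hosts.deny decision order described in hosts_access(5).
# Supported here: "daemon_list : client_list" lines, # comments, the ALL
# wildcard, exact names or addresses, "192.168.1." address prefixes and
# ".corp.example.com" hostname suffixes. Netmask forms, EXCEPT and the
# option field are not handled; use tcpdmatch(8) to test a real configuration.

# Constructed files in a default-deny layout, written to a temp dir, not /etc.
WRAP_DIR=$(mktemp -d)
cat >"$WRAP_DIR/hosts.allow" <<'EOF'
# Permitted daemon/client pairs; everything else falls through to hosts.deny.
sshd : 192.168.1. .corp.example.com
in.ftpd : 10.0.0.5
EOF
cat >"$WRAP_DIR/hosts.deny" <<'EOF'
ALL : ALL
EOF

# Same hosts.allow but an empty hosts.deny, to show the built-in default.
WRAP_DIR_OPEN=$(mktemp -d)
cp "$WRAP_DIR/hosts.allow" "$WRAP_DIR_OPEN/hosts.allow"
: >"$WRAP_DIR_OPEN/hosts.deny"

# Does pattern $1 match the daemon name or client $2?
wrap_match() {
    local pat="$1" name="$2"
    case "$pat" in
        ALL) return 0 ;;
        *.)  [ "${name#"$pat"}" != "$name" ] && return 0 ;;   # address prefix
        .*)  [ "${name%"$pat"}" != "$name" ] && return 0 ;;   # hostname suffix
        *)   [ "$pat" = "$name" ] && return 0 ;;
    esac
    return 1
}

# Does any line of file $1 match daemon $2 and client $3?
wrap_file_matches() {
    local file="$1" daemon="$2" client="$3" line daemons clients d c
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                      # drop comments
        [ -n "${line//[[:space:]]/}" ] || continue
        daemons="${line%%:*}"
        clients="${line#*:}"
        clients="${clients%%:*}"                # ignore the option field
        for d in $daemons; do
            wrap_match "$d" "$daemon" || continue
            for c in $clients; do
                wrap_match "$c" "$client" && return 0
            done
        done
    done <"$file"
    return 1
}

# Print ALLOW or DENY for daemon $1 and client $2 using the files in directory
# $3 (default WRAP_DIR), in hosts_access(5) order: a hosts.allow match grants,
# otherwise a hosts.deny match refuses, otherwise access is granted.
wrap_decide() {
    local dir="${3:-$WRAP_DIR}"
    if wrap_file_matches "$dir/hosts.allow" "$1" "$2"; then echo ALLOW
    elif wrap_file_matches "$dir/hosts.deny" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

# Demonstration: the same telnet request is refused with the ALL : ALL
# catch-all in place and granted when hosts.deny is empty.
echo "default-deny: $(wrap_decide in.telnetd 192.168.1.7)"
echo "no catch-all: $(wrap_decide in.telnetd 192.168.1.7 "$WRAP_DIR_OPEN")"
```

The last two lines are the point of the example: without ALL : ALL in hosts.deny, any wrapped service you forgot to list in hosts.allow is open to every client, because the fall-through result is to grant access.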

Another way to manage access to system services is by using ipchains to configure an IP firewall. If you're a new Linux user, please realize that ipchains may not be the best solution for you. Setting up ipchains can be complicated and is best tackled by experienced UNIX/Linux system administrators.

On the other hand, the benefit of using ipchains is flexibility. For example, if you need a customized solution which provides access to certain services to certain hosts, ipchains can provide it for you. See the Linux IPCHAINS-HOWTO at http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html for more information about ipchains. The Linux IPCHAINS-HOWTO is also available on the Documentation CD.

Alternatively, if you're looking for a utility which will set general access rules for your home machine, and/or if you are new to Linux, you should try the gnome-lokkit utility. gnome-lokkit is a GUI utility which will ask you questions about how you want to use your machine. Based on your answers, gnome-lokkit will then configure a simple firewall for you.