Network Security: Disabling Services

network securityI thought it might be a good idea to do a series of articles on network security, and to kick it off I’m going to cover disabling unnecessary services. This article assumes your network is running Linux, at least for services.

As a Linux administrator you will want to know and define the following elements:

  • The role of the server (web, database, proxy, etc.)
  • Services that are required to perform a specific server role (e.g. Apache)
  • Ports required to be opened (e.g. port 80 for HTTP)

All the other services should be disabled and all other ports should be closed. When these tasks are performed, the server becomes a specialized server to play only the designated role.

To ensure network security by hardening a server, you must first disable any unnecessary services and ports. The process involves removing any unnecessary services, such as rlogin, and locking down unnecessary Transmission Control Protocol or User Datagram Protocol (TCP/UDP) ports. Once these services and ports are secure, you must then regularly maintain the system.

Network Security: Controlling Services

Different Linux distributions have different front ends to control services. For example, in Red Hat Linux, you can enable and disable services by navigating to System -> Administration -> Services and opening the Service Configuration utility. From there, you may select or deselect the services, start, stop or restart them and edit the run level of individual services. Although most modern Linux distros have enhanced their GUIs to cover most of the administrative tasks, it is important for admins to know how to perform the tasks without a GUI.

Linux has greater network security than most operating systems; even so, the Linux kernel is being constantly updated and there are undoubtedly many security vulnerabilities that have not yet been discovered. Most Linux services are not vulnerable to this exploits; however, an administrator can reduce the risk by removing unnecessary services. Virtually every Linux distribution includes many services, so it makes sense that administrators customize the system to meet their or their company’s needs, as removing unnecessary services also removes risk and thus improves network security.

No matter what distribution of Linux you are using, the /etc/inetd.d or /etc/xinetd.d directory (for some newer releases, including Red Hat). This is the default configuration file for the inetd (or xinetd) daemon. This files in this directory enable you to specify the daemons to start by default and supply the arguments that correspond to the desired style of functioning for each daemon. It controls many services, include File Transfer Protocol (FTP) and Telnet. It determines what services are available to the system what services are available to the system. inetd or xinetd is a super server listening for incoming network activity for a range of services. It determines the actual nature of the service being requested and launches the appropriate server.

The /etc/inetd.conf (or /etc/xinetd.conf) directs requests for services to the /etc/inetd.d (or /etc/xinetd.d) directory. Each service has a configuration in this directory. If a service is commented out in its specified configuration file, the service is unavailable. Because inetd/xinted is so powerful, for optimal network security only the root should be able to configure its services.

Network Security: Disabling Telnet, FTP and rlogin

While most admins find in convenient to log in remotely their Linux/Unix machines over a network for administrative purposes, in a high-network security environment, only physical access may be permitted for administering a server. In this case, you should disable the Telnet interactive login utility. Because of security vulnerabilities in FTP, you should disable it as well, and use SFTP (Secure FTP) if necessary. To accomplish these two objectives, do the following:

  • Edit the /etc/inetd.d/telnet (or xinetd.d/telnet) file by opening the file, using vi or the editor of your choice
  • Comment out the service telnet line by adding a number sign (#) before service telnet
  • Write and quit the file
  • Restart inetd or xinetd by entering:
    /etc/rc.d/init.d/inetd restart
    or for xinetd:
    /etc/rc.d/xinit.d/xinetd restart
  • Attempt to log onto the system using Telnet. You should fail.
  • Diable the FTP service using the same method.
  • Attempt to access the system via FTP. You should fail.

The remote login (rlogin) service is enabled by default in the /etc/inetd.d/rlogin (or /etc/xinetd.d/rlogin) file. Rlogin has security vulnerabilities because it can bypass the password prompts to access a system remotely. There are two services associated with rlogin: login and RSH (remote shell). To disable these services you have to open the rlogin file and comment out the service login line, and then open the rsh file and comment out the service shell line. Restart xinetd to ensure your system is no longer offering these services. Disabling these three services will go a long way towards improving network security on your Linux server.

External links:

inetd at Wikipedia

© 2013 David Zientara. All rights reserved. Privacy Policy