From the talk given by Jon Carnes (and Ed Hill) to TriLUG, on August 10, 2000
How to limit processes from starting automagically when you boot your Linux server.
Log in as root and use the ps command to see which processes and services are currently running on your Linux box:
ps aux | more
This shows you the currently running processes. Entries whose names appear in square brackets (kswapd, for example) are kernel threads; they are created by the kernel itself and should be left alone. Note that klogd, despite the name, is an ordinary user-space daemon started by the syslog init script; it reads the kernel's messages and hands them to syslogd.
More than likely (if this is a stock install) you will see many things running that you don't really need or want. A common example is sendmail (the SMTP server).
You are not going to run NFS on a machine that is exposed to the internet (well, not if you want to keep control of your box!). Yet many stock Linux installs automatically load the RPC services that NFS and NIS depend on. Examples are portmap, statd and ypbind… all of which have a long record of remotely exploitable bugs.
When your Linux box starts up, it runs through a series of scripts which automatically start various processes. All of them do something useful, but some have vulnerabilities and should not be run on a machine that is going to be attached to the internet. And as Mike says: why waste your resources running something that you're not going to use?!? If you're not using it, turn it off.
If your box starts in Run Level 3 (see below… where we talk about /etc/inittab), which is standard for a server, then the services which will be started can be found in the directory:
/etc/rc.d/rc3.d/
Let's take a look at a not-so-hypothetical rc3.d directory from a Red Hat 6.2 install. Here are the files found in the directory, with a comment next to each one.

Key to the comments:
  *      only run this if you are going to configure it properly and keep it up to date
  ***    insecure, do not run it if you do not need it
  *****  very insecure, do not run it on a box attached to the internet

K05innd       *      internet news daemon
K10pulse      Ok,    used by clustered machines to tell each other they are up
K11portmap    *****  RPC portmapper, needed by NFS, NIS and the other RPC services
K15linuxconf  ***    no need to run on a home system, has known exploits
K16apmd       Ok,    laptop power management - not a laptop, so it's turned off
K20rstatd     *      remotely accessible kernel stats. Anything that starts with an 'r' is generally bad in my book, because the 'r' means remote access
K20rusersd    ***    advertises information about currently logged in users
K20rwalld     ***    writes messages to currently logged in users
K20rwhod      ***    sets up the database used by rwho and ruptime
K25squid      Ok,    a caching proxy for internet data, not using it, so off it goes
K35identd     *      ident protocol server (huh? - just turn it off!)
K35dhcpd      Ok,    DHCP server - all my IP addresses are static, so this is off
K45named      ***    DNS server, only run it if you are going to keep it up to date
K50snmpd      ***    Simple Network Management Protocol daemon
K55routed     ***    routing daemon, not necessary on your home network
K60mars-nwe   *      NetWare file and print server (mars_nwe)
K60nfslock    ***    part of NFS, starts the file-locking daemons (rpc.lockd and rpc.statd)
K61ldap       Ok,    LDAP directory server daemon, I'm not using LDAP…
K65yppasswdd  ***    part of NIS, propagates password changes across servers
K80nscd       Ok,    name service caching daemon, used with NIS or NIS+
K80sendmail   *****  only run this if you are going to keep it up to date
K85httpd      *      Apache web server
K85nfsfs      ***    part of NFS, mounts the NFS file systems listed in /etc/fstab
K87ypbind     ***    part of NIS (not NFS), binds the client to an NIS server
K95smb        *      Samba server, so Windows boxes can see files on the server
K96pcmcia     Ok,    starts up PCMCIA services, but this box is not a laptop
S01kerneld    kernel daemon (auto-loads kernel modules)
S05kudzu      looks for new hardware and attempts to auto-configure it
S10network    runs the network scripts, sets up the network interfaces
S18autofs     starts the automounter (automatically mounts CD-ROMs, etc.)
S20random     seeds the kernel random number generator from the saved seed file
S30syslog     starts the system log (syslogd and klogd)
S40atd        runs one-off commands scheduled with at
S40crond      runs programs scheduled by crontab
S50inet       inetd, runs common services such as ftp and telnet on request
S60lpd        line printer daemon, accepts print jobs (over the network too)
S75keytable   loads the keyboard map
S85gpm        loads console mouse support
S90xfs        X font server
S91xntpd      sets the system time from known time servers, must be the latest version
S92ipchains   loads the ipchains rules: IP masquerading and blocking of unwanted traffic
S99local      runs the script /etc/rc.d/rc.local
Each of the files in /etc/rc.d/rc3.d/ is actually a symbolic link to a script in /etc/rc.d/init.d/ that can start, stop or restart one service.
If the link's name starts with a "K", the script it points to is run with the argument "stop", and the service is stopped (or left stopped).
If the link's name starts with an "S", the script is run with the argument "start", and the service is started.
The two-digit number after the letter (01 through 99) sets the order: the rc script runs all of the K links first, lowest number first, and then all of the S links in the same way.
Run level 3 is the default unless you are using X on boot, then run level 5 is the default. The services automatically started for run level 5 can be found in the directory
/etc/rc.d/rc5.d/
To keep a service from starting, rename its link so that it begins with a "K" rather than an "S"; the number and the service name stay the same. You might suspect that I have already renamed many of the links on this box, and you would be right! I renamed the links that started any insecure or unused process so that those processes would not be started automatically (in Run Level 3).
In the above example for Run Level 3, you could prevent inetd from starting automatically at boot by renaming the "S50inet" link to "K50inet":
mv /etc/rc.d/rc3.d/S50inet /etc/rc.d/rc3.d/K50inet
Since inetd was started at boot, it is still running (it just won't be started the next time you boot). To stop it now, run the inet script in /etc/rc.d/init.d/ and tell it to stop the process:
/etc/rc.d/init.d/inet stop
Note that /etc/rc.d/rc3.d/K50inet links to /etc/rc.d/init.d/inet (the script used to start, stop or restart inetd).
Now that inetd is stopped, no one can ftp or telnet into your box, or use any of the other connection services that inetd controls.
We'll leave inetd off for now, and talk a bit later about what it does, and why leaving it off is a good thing. Right now, we need to explain…
Note from the future (Aug 2003): use the "chkconfig" utility to turn services on or off for the various run levels. As an example, you could check on the xinetd service (which has replaced inetd) by running
Run Levels start at 0 and go to 6. Each level has a predefined use.
Run level 0 is used when your computer is shutting down to halt - and run level 6 is used when your computer is shutting down for reboot. You don't actually "run" in these levels, but they help you define the right order for shutting down services and for handling any special shutdown situations.
A computer at Run Level 1 is said to be in single user mode. Networking is not started, and only a minimal number of processes are. This level is used mainly to troubleshoot your box.
Run Level 3 is defined as a basic server (no X windows). When your machine boots to Run Level 3 it loads the network scripts and any services that should be available via the network.
Run Level 5 is similar to 3 but includes X windows functionality. When you boot to this level, your machine will automatically attempt to start up X windows, and it will attempt to display a graphical login.
The links in /etc/rc.d/rc5.d/ should look very much the same as those for Run Level 3 as they have almost the same functionality. However, the links in /etc/rc.d/rc1.d will almost all start with a "K". In fact the only two that start with an "S" (on my box) are:
S00single
S20random
When you move to Run Level 1 ( /sbin/telinit 1 ), most processes are killed, but your drives and partitions remain mounted.
If you have any problems with your X configuration, you might want to move your computer to Run Level 1 and work on the problem from there. Dropping to Run Level 1 would cause any automatically started X windows services to be stopped.
When your computer starts up, its default Run Level is normally either 3 (regular server) or 5 (server w/ X windows). In a way, your computer's default Run Level defines what level of functionality you want it to have.
The default Run Level is defined in the file /etc/inittab
/etc/inittab:
# Default runlevel. The runlevels used by RHS are:
#   0 - halt (Do NOT set initdefault to this)
#   1 - Single user mode
#   2 - Multiuser, without NFS (The same as 3, if you do not have networking)
#   3 - Full multiuser mode
#   4 - unused
#   5 - X11
#   6 - reboot (Do NOT set initdefault to this)
#
id:3:initdefault:
<… snip …>
The first non-commented line (id:3:initdefault:) says that this server's default is Run Level 3, which the comments define as "full multiuser mode".
When this server comes up, it will look in the directory /etc/rc.d/rc3.d/ and start and stop processes as determined by the links in that directory. Since we have edited the directory, the only processes started automatically are the ones we have decided are reasonable to run on a server attached to the internet, and that we will keep up to date.
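The S/K link rules and the rename-and-stop procedure described earlier, together with the initdefault lookup above, as an added example that is not part of the original talk: a POSIX shell script that builds a scratch copy of the Red Hat layout (a constructed inittab, fake init.d scripts and an rc3.d directory of symlinks), reads the default run level, prints what rc would stop and start and in which order, and disables a service by renaming its link. All paths, service names and function names here are this example's own assumptions, chosen so nothing touches a real /etc.

```shell
#!/bin/sh
# Added example, not part of the original talk: a scratch-directory emulation
# of the Red Hat 6.2 layout (/etc/inittab, /etc/rc.d/init.d, /etc/rc.d/rcN.d)
# so the S/K link rules can be tried without touching a real box.
# Every path, service name and file below is constructed for the demo.

# rc_default_level INITTAB : print the run level from the "id:N:initdefault:" line
rc_default_level() {
    awk -F: '$3 == "initdefault" { print $2; exit }' "$1"
}

# rc_plan DIR : print what the rc script does for one run level directory.
# All K links run first with "stop", then all S links with "start"; within
# each group the two-digit number decides the order (a sorted glob gives it).
rc_plan() {
    for _link in "$1"/K[0-9][0-9]*; do
        [ -e "$_link" ] || continue          # glob matched nothing
        _name=${_link##*/}
        echo "stop  ${_name#K??}  ($(readlink "$_link") stop)"
    done
    for _link in "$1"/S[0-9][0-9]*; do
        [ -e "$_link" ] || continue
        _name=${_link##*/}
        echo "start ${_name#S??}  ($(readlink "$_link") start)"
    done
}

# rc_enabled DIR SERVICE : succeed if SERVICE has an S link in DIR
rc_enabled() {
    set -- "$1"/S[0-9][0-9]"$2"
    [ -e "$1" ]
}

# rc_disable DIR SERVICE : rename S??SERVICE to K??SERVICE (same number), so the
# service is stopped instead of started at the next boot. Fails if no S link.
rc_disable() {
    for _link in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$_link" ] || return 1
        _name=${_link##*/}
        mv "$_link" "$1/K${_name#S}"
        return 0
    done
}

# rc_make_demo : build the constructed scratch tree and print its root
rc_make_demo() {
    _root=$(mktemp -d)
    mkdir "$_root/init.d" "$_root/rc3.d"
    printf '# constructed sample\nid:3:initdefault:\n' > "$_root/inittab"
    for _svc in syslog inet sendmail; do
        printf '#!/bin/sh\necho "%s: $1"\n' "$_svc" > "$_root/init.d/$_svc"
        chmod +x "$_root/init.d/$_svc"
    done
    ln -s ../init.d/syslog   "$_root/rc3.d/S30syslog"
    ln -s ../init.d/inet     "$_root/rc3.d/S50inet"
    ln -s ../init.d/sendmail "$_root/rc3.d/K80sendmail"
    echo "$_root"
}

root=$(rc_make_demo)
level=$(rc_default_level "$root/inittab")
echo "default run level $level; boot plan:"
rc_plan "$root/rc$level.d"
rc_disable "$root/rc$level.d" inet
echo "after disabling inet:"
rc_plan "$root/rc$level.d"
# Renaming the link only affects the next boot; stop the running daemon via init.d:
"$root/init.d/inet" stop
rm -rf "$root"
```

Point rc_plan at a real /etc/rc.d/rc3.d (read-only, it only follows the links) to see the exact stop/start sequence a box will run, and compare its S entries against the table above before deciding what to rename.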
What is /etc/inetd.conf (or /etc/xinetd.d/..).
Now lets go back and talk about inetd. <and explain why you turned it off... and are going to leave it turned off>
Inetd is pretty cool. The daemon listens on many ports at once and, whenever someone connects to one of them, launches the matching daemon (ftp, telnet, finger and so on). In other words, inetd kicks off other processes on demand, so your computer only runs the processes that are currently needed.
The inetd daemon is controlled by the file /etc/inetd.conf.
The xinetd daemon is controlled by the file /etc/xinetd.conf and, generally, by the per-service files in the directory /etc/xinetd.d/...
Open the configuration file and you will see that many services already come commented out. Feel free to comment out any that you do not need; every active line is a port that anyone on the network can connect to.
One trick that I am fond of doing is to change the port that telnet uses. Taking a look at the file /etc/inetd.conf…
#
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
525     stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#
In the above example, I've left ftp alone but I've commented out the old telnet entry by putting a # sign in front of it - then I've added a new entry which launches the telnet daemon when someone attempts to attach on port 525. If I telnet to this box, I have to tell my telnet client to use port 525 (instead of the well known port 23). Telnet clients are generally very flexible and will use any port you ask for. Keep in mind that moving the port only hides telnet from casual scans; the password still crosses the network in clear text, which is why the end of this page replaces telnet with ssh altogether.
Note: remember to activate the changes to your inetd. If inetd is a currently running process, you can activate the changes by typing:
/etc/rc.d/init.d/inet restart
or you can use the more modern:
service xinetd restart
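The port-moving edit above, as an added example that is not part of the original talk: a POSIX shell script that lists the active entries of an inetd.conf and applies the "comment out telnet, add it back under a numeric port" change to a scratch copy instead of the live /etc/inetd.conf. The sample configuration and the function names are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the original talk: audit an inetd.conf and apply
# the "move telnet to another port" edit to a scratch copy rather than to the
# live /etc/inetd.conf. The sample configuration below is constructed.

# inetd_active CONF : print every active (uncommented) entry as
# "service user wrapper program"; fields 2-4 (socket type, protocol, wait
# flag) are skipped because they are the same for all the services here.
inetd_active() {
    awk 'NF == 0 || $1 ~ /^#/ { next } { print $1, $5, $6, $7 }' "$1"
}

# inetd_move_port CONF SERVICE PORT : comment out the active SERVICE entry and
# append the same entry keyed by the numeric PORT, so inetd only answers on
# that port. Fails (and leaves CONF untouched) if SERVICE is not active.
inetd_move_port() {
    _conf=$1; _svc=$2; _port=$3
    _entry=$(awk -v s="$_svc" '$1 == s { print; exit }' "$_conf")
    [ -n "$_entry" ] || return 1
    _tmp=$(mktemp)
    awk -v s="$_svc" '$1 == s { print "#" $0; next } { print }' "$_conf" > "$_tmp"
    printf '%s\n' "$_entry" | awk -v p="$_port" '{ $1 = p; print }' >> "$_tmp"
    cat "$_tmp" > "$_conf" && rm -f "$_tmp"     # keeps CONF's inode and mode
}

# inetd_make_demo : write the constructed sample inetd.conf, print its path
inetd_make_demo() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    echo "$_f"
}

conf=$(inetd_make_demo)
echo "active before:"; inetd_active "$conf"
inetd_move_port "$conf" telnet 525
echo "active after moving telnet to 525:"; inetd_active "$conf"
rm -f "$conf"
```

Run inetd_active against the real /etc/inetd.conf to get the list of ports the box answers on through inetd; anything in that list you cannot justify is a line to comment out. The numeric first field relies on inetd accepting a port number where it expects a service name; if your inetd insists on names, add a matching entry to /etc/services instead.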
===
The real truth is that you do not need any of the processes that inetd typically starts. Secure Shell replaces all of those old services. Disable inetd, then download and install the latest OpenSSH packages from
http://www.openssh.com/
ssh takes the place of telnet and rlogin
scp (and sftp) take the place of ftp
A Win32 SSH client, PuTTY, can be found at:
http://www.chiark.greenend.org.uk/~sgtatham/putty/
You can also tunnel most connection protocols through Secure Shell: arbitrary TCP services with port forwarding (ssh -L) and X connections with X11 forwarding (ssh -X). This adds a tremendous layer of security to your installs, and lets you open your machines for use across the internet without exposing the underlying protocols.