Learning Red Hat Linux (3rd Edition) [Electronic resources] - Text version


Bill McCarty

9.3 Administering Services by Using the Server Settings Menu


Services are generally processes that wait for a request to perform an
operation or provide information and then do so. The Server Settings
menu provides menu items that let you administer certain services.
The menu also provides the Service Configuration tool that lets you
start and stop services and configure which services run at various
runlevels. Red Hat Linux supports seven runlevels:


0
    Runlevel 0 is associated with a system shutdown.

1
    Runlevel 1 is associated with the state known as single-user mode. It
    is generally used to troubleshoot or configure the system from a
    state that does not provide network services. It vaguely resembles
    Windows safe mode.

2
    Runlevel 2 is associated with a state that provides access to the
    network but does not provide network services to remote hosts. Like
    runlevel 1, it's primarily used for troubleshooting
    and configuration.

3
    Runlevel 3 is a normal system operating mode. It features a
    text-based login prompt.

4
    Runlevel 4 is reserved; that is, it is not used.

5
    Runlevel 5 is a normal system operating mode. It features a graphical
    login screen.

6
    Runlevel 6 is associated with a system reboot.

Runlevels 3 and 5 are normal system operating modes. Other modes are
used transiently (levels 0, 6), for troubleshooting (levels 1, 2), or
not used at all (level 4). When you associate a service with a
runlevel, the service is automatically started whenever the runlevel
is entered. You can set the current runlevel by issuing the command:

init n

where n is the number of the desired runlevel.
However, it's seldom necessary to change the
runlevel of a running system. You should do so judiciously, since
services may be abruptly terminated during transition from one
runlevel to another.

To launch the Service Configuration tool, select Server
Settings → Services from the GNOME or KDE menu.
Figure 9-28 shows the appearance of the tool. Note
that it reports the current runlevel. It also reports the runlevel to
which changes apply, called the editing runlevel.


Figure 9-28. The Service Configuration tool


To learn about the function of a server, select the
server's name. A description of the server may
appear in the bottom pane of the Service Configuration window.
Figure 9-28 features such a description. Not all services
feature such descriptions.


9.3.1 Associating Services with Runlevels


To associate a service with a runlevel, select the runlevel by using
the Edit Runlevel menu. You can edit only runlevels 3, 4, and 5.
Despite the fact that runlevel 4 is not used, it's common to associate
with level 4 any services associated with level 3. However, you need
not do so.

Once you've selected the desired runlevel, you can
specify the services that should run when that runlevel is active. To
specify that a service should run, enable the associated checkbox. To
specify that a service should not run, disable the associated
checkbox.

Your changes to a runlevel are not automatically saved. To save them,
click the Save button on the toolbar of the Service Configuration
tool.


9.3.2 Starting and Stopping Services


Suppose that the current runlevel is
3 and that a particular service is running. If you use the Service
Configuration tool to specify that the service should no longer run
in runlevel 3, the system does not immediately terminate the service.
Similarly, the system does not immediately start a service newly
specified to run in the current runlevel. Instead, the status of the
service is changed the next time the specified runlevel is entered.

However, you can use the Service Configuration tool to immediately
start or stop a service. To do so, select the service and click the
Start or Stop button on the Service Configuration toolbar. You can also
restart a service, which stops and then restarts the service.
Restarting a service is useful when you've manually
modified the service's configuration file, since
restarting the service causes it to re-read the configuration file.


9.3.3 Hardening Your System


Many attackers target services. Therefore, a useful step in hardening
a system (that is, protecting it against attack) is disabling
or removing unneeded services. To disable a service, simply ensure
that the service is not associated with runlevels 3 or 5. However,
it's better yet to remove the service from the
system. That way, an attacker will find it more difficult to enable
the service.

Of course, you must not disable or remove a service
that's needed on the system. So, you need to know
something about a system before you tamper with it. You can discover
the services for which your system is configured by examining the
files in /etc/init.d. Each service is represented by a file in that
directory.

To learn about a service, first determine the name of the associated
RPM package. To do so, issue the command:

rpm -qf /etc/init.d/service

where service is the name of a service. For
example, issuing the command:

rpm -qf /etc/init.d/anacron

tells you that the anacron service is associated with the anacron
package. Often, the name of the service and the name of the associated
package are the same. However, this isn't always the
case.

Once you know the name of the associated package, you can learn about
the service by issuing the command:

rpm -qi package

where package is the name of the package.

To disable a service, you can use the Service Configuration tool. To
remove a service, you can issue the command:

rpm -e package

where package is the name of the package.
Occasionally, it's not possible to remove a package
because another package requires it. In such a case, you can remove
both packages or settle for merely disabling the unremovable package.

Table 9-1 identifies several services that are seldom needed but are
nevertheless installed by default in some installation configurations.
Unless you have a particular need for them, you should disable or
remove them from your system. Doing so is particularly important if
your system is continuously connected to the Internet. However, even
intermittently connected systems, such as those using dialup modems,
are vulnerable to attack.

Table 9-1. Commonly unused default servers

Service      When needed
aep1000      Used with hardware cryptographic devices
bcm5820      Used with hardware cryptographic devices
httpd        The Apache web server
irda         Used with infrared devices and peripherals
isdn         Used for ISDN connections
kdcrotate    Used with Kerberos authentication
named        Used to provide DNS services (see Chapter 11)
nfs          Used with NFS (Network File Sharing)
nfslock      Used with NFS
pcmcia       Used with PCMCIA hardware, such as that common on laptops
portmap      Used with NFS and some other facilities
postfix      An alternative mail server that can be used in place of sendmail
sgi_fam      A file monitoring service (requires xinetd service)
snmpd        Used with SNMP (Simple Network Management Protocol)
snmptrapd    Used with SNMP
squid        A web and FTP proxy server
tux          A fast web server that works alongside Apache
winbind      Used with Windows file sharing
xinetd       Used to host other servers, such as sgi_fam
ypbind       Used with NIS (Network Information Services)
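
The audit described in this section, as an added shell example (not from the book): it reports which Table 9-1 services are installed and still set to start in runlevel 3 or 5, together with the owning package from rpm -qf. It assumes the SysV layout in which start links named SNNservice live under /etc/rc.d/rcN.d; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the book. Assumption: a service starts in runlevel N
# when <root>/etc/rc.d/rcN.d contains a start link named SNNservice.

# Service names taken from Table 9-1.
SELDOM_NEEDED="aep1000 bcm5820 httpd irda isdn kdcrotate named nfs nfslock
pcmcia portmap postfix sgi_fam snmpd snmptrapd squid tux winbind xinetd ypbind"

# audit_services [ROOT]: print "service runlevels package" for every Table 9-1
# service that is installed and enabled in runlevel 3 or 5. ROOT defaults to /.
audit_services() {
    root="${1:-}"
    for svc in $SELDOM_NEEDED; do
        [ -e "$root/etc/init.d/$svc" ] || continue      # not installed
        levels=""
        for n in 3 5; do
            # Exact-name match, so "nfs" never matches the "nfslock" link.
            for link in "$root/etc/rc.d/rc$n.d"/S[0-9][0-9]"$svc"; do
                if [ -e "$link" ]; then levels="$levels$n"; fi
            done
        done
        [ -n "$levels" ] || continue                    # installed, not enabled
        # Owning package, as in the text; "unknown" if rpm is absent or the
        # file is not owned by any package.
        pkg=$(rpm -qf "$root/etc/init.d/$svc" 2>/dev/null) || pkg="unknown"
        printf '%s %s %s\n' "$svc" "$levels" "$pkg"
    done
}

# make_sample_tree DIR: constructed sample layout for trying the audit offline.
make_sample_tree() {
    mkdir -p "$1/etc/init.d" "$1/etc/rc.d/rc3.d" "$1/etc/rc.d/rc5.d"
    for s in httpd nfs nfslock sshd; do : > "$1/etc/init.d/$s"; done
    ln -s ../../init.d/httpd   "$1/etc/rc.d/rc3.d/S85httpd"
    ln -s ../../init.d/httpd   "$1/etc/rc.d/rc5.d/S85httpd"
    ln -s ../../init.d/nfslock "$1/etc/rc.d/rc3.d/S14nfslock"
    ln -s ../../init.d/nfs     "$1/etc/rc.d/rc3.d/K20nfs"    # kill link only
    ln -s ../../init.d/sshd    "$1/etc/rc.d/rc3.d/S55sshd"   # not in Table 9-1
}
```

Calling audit_services with no argument audits the running system; each reported service can then be disabled with the Service Configuration tool or removed with rpm -e, as described above.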
