[luau] turning off redhat services

MonMotha monmotha at indy.rr.com
Mon Mar 31 16:48:01 PST 2003


tburns at despammed.com wrote:
> Warren has a nice page at <http://www.mplug.org/phpwiki/index.php/DisablingLinuxServices> about what services to turn off after you install redhat. Unfortunately it is obsolete (says to use linuxconf, which is no longer part of the distro). I've been googling around trying to update it myself, but I'm in a bit over my head. If you guys give me a sanity check, I'll go ahead & update the page.
> 
> I'm assuming we'd use chkconfig instead of linuxconf (or maybe ntsysv?). 
> 
> Here's some of the services chkconfig lists on one of my systems, with comments and questions. Some of this was cribbed from posts to comp.os.linux.questions.
> 
> keytable        Loads keyboard map. on
> 

agree

> atd             related to crond, on.
> 

Runs things once at specified times, agree

> syslog          for system logging, on.

Always needed, agree

> 
> gpm             Console mouse handler.  If you never do console, you may not need it.
> 
> sendmail        for sending mail, not needed if you always use your ISP's smtp server. off.

Usually you can leave it off, but you may need to run it in smart host mode and 
tell sendmail to not listen on port 25 if you have apps that call sendmail to 
send mail; many console mail apps do this.

> 
> kudzu           recognizes hardware at startup. Is there a way to turn it off later? Is that a good idea?

You can certainly turn it off.  Me being the redhat automation hater that I am, 
I usually do.  Many people may find it useful however.

> 
> netfs           supposed to automount nfs and smbfs shares, on if you want?

Would seem to be a redhatism

> 
> network         networking. on.

Given

> 
> random          has to do with random number generation, on.

This probably seeds /dev/random.  Just let it be started at startup (to seed) 
and stopped at shutdown (to save the seed) as usual.

> 
> rawdevices      no idea, on.

no clue here either, almost certainly a redhatism

> 
> apmd            Advanced power management daemon.  For laptops and Green machines.
> 
> 
> ipchains iptables    firewall stuff, one or other on. Actually my system has both on, a problem?

I have no clue how redhat handles this.  I know their stock firewall at least as 
of 8.x was ipchains based.  iptables and ipchains are mutually incompatible though.

> 
> crond           handles background/timed job scheduling. on.

I think redhat systems have housekeeping chores they need to run, so you 
probably need to leave it on.  Cron daemons (especially vixie, which redhat 
uses) have been security problems in the past, but have gotten better recently.

> 
> anacron         Runs cron jobs that were lost during downtime.  Useful on laptops and machines that aren't up all the time

Whatever

> 
> lpd             on if you have a printer, otherwise off.

This does run as root, so it can be a security problem; however, it should be 
able to drop privs once started.  I don't know if redhat's does this or not. 
Leave it off if you can.

> 
> ntpd            network time protocol daemon, has been a security hole, probably off.

This should be able to drop privileges if coded properly, but leave it off if 
you don't need it.  This is only needed if you want to be a time SERVER, not to 
sync your time.

> 
> portmap         required for samba or NFS, I forget.

NFS.  This is a historic "get you rooted" thing, so disable it if at all possible.

> 
> xfs             X Font Server.  If you're running a standalone system running X Window
> System, you may need it.

agree

> 
> 
> xinetd          long story, off probably.

You'll probably end up running something that needs inetd, but leave it off if 
you can

> 
> rhnsd           red hat network, on if you use it.

whatever

> 
> autofs          no idea

Probably the automounter

> 
> nfs             old style unix file sharing (network file system). On if you use it.

agree

> 
> nfslock         see nfs?

Probably handles file locks on nfs, but I have no clue

> 
> nscd            no idea

No clue

> 
> identd          Identifies you to IRC servers, from what I can tell.  Known security problem; disable if you don't IRC.

I know oidentd (though I think redhat may use a different identd) can drop privs 
once run.  This isn't as much of a security problem as it is an information leak.

> 
> radvd           no idea

IPv6 Stateless autoconfig.  If you're not using ipv6 or are using static 
addressing with ipv6, you can disable this.

> 
> snmpd           Simple Network Management Protocol.  For big networks of many
> machines.  Disable.

Just disable it.

> 
> snmptrapd       see snmpd.

ditto

> 
> isdn            no idea

Probably ISDN services.  If you don't have ISDN, leave it off.

> 
> sshd            on! secure shell.

Enable this if you want remote access to your machine, which you probably do as 
it's so useful.

> 
> vncserver       no idea

The VNC X server presumably.  Probably best to leave off.

> 
> yppasswdd  ypserv  ypxfrd  samba?

yppasswd and such are used in NIS I do believe, leave off unless you use NIS

> 
> winbind    no idea

No clue

> 
> smb      samba - on if you use it.
> 
> arpwatch     Keeps track of ethernet/ip pairings and logs activities. Safe to disable,
> you will know when/if you want/need it.

Never needed it personally and I do quite a bit of networking

> 
> 
> xinetd based services:
>         chargen-udp:    off

Known trivial DoS, leave off.

>         chargen:        off

Not needed, but at least difficult to DoS with on TCP

>         daytime-udp:    off

Daytime's ancient

>         daytime:        off

ditto

>         echo-udp:       off

Used with chargen for a DoS, leave off.

>         echo:   off

See chargen TCP

>         services:       off

services? pretty generic...

>         servers:        off

ditto

>         time-udp:       off

this would probably be NTP.  See NTPd above.

>         time:   off

See above

>         sgi_fam:        on

No clue

>         rsh:    off

Off, shell without authentication is BAD

>         talk:   off
>         kotalk: off
>         ktalk:  off

Don't need them unless you like talk :P)

>         finger: off

Don't poke me!  Information leak, but otherwise trivial

>         rexec:  off
>         rlogin: off

See rsh

>         ntalk:  off

See the other talks

>         telnet: off

Passwords in plaintext? bad...

>         rsync:  off

Unless you use it as a server

>         wu-ftpd:        off

Known security problem in the past.  I prefer ProFTPd

> 
> all xinetd services seem to be off on this box, except sgi-fam, whatever that is.
> 
> Send comments and I'll try to put them into the page. Or I guess you guys could edit it directly.
> 
> Dave

--MonMotha
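
Added example (not part of the original message): a shell function that checks `chkconfig --list` output against the services the reply above says to leave off, and flags ipchains and iptables both being enabled. The `LEAVE_OFF` list, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `chkconfig --list` output against the thread's advice.
# LEAVE_OFF is an assumption drawn from the reply above; adjust per host.
LEAVE_OFF="portmap snmpd snmptrapd chargen-udp chargen echo-udp echo rsh rexec rlogin telnet"

# Reads `chkconfig --list` text on stdin. Prints one finding per line:
#   DISABLE <service>            listed service is on (runlevel 3 or 5, or xinetd)
#   CONFLICT ipchains iptables   both firewall scripts on in runlevel 3 or 5
audit_chkconfig() {
    awk -v deny="$LEAVE_OFF" '
    BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
    # SysV init line: "name  0:off 1:off 2:on 3:on 4:on 5:on 6:off"
    $2 ~ /^0:/ {
        on = 0
        for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") on = 1
        if (on && ($1 == "ipchains" || $1 == "iptables")) fw[$1] = 1
        if (on && ($1 in bad)) print "DISABLE " $1
        next
    }
    # xinetd line: "    name:    on"
    NF == 2 && $1 ~ /:$/ {
        name = substr($1, 1, length($1) - 1)
        if ($2 == "on" && (name in bad)) print "DISABLE " name
    }
    END { if (("ipchains" in fw) && ("iptables" in fw)) print "CONFLICT ipchains iptables" }
    '
}

# Constructed sample in the `chkconfig --list` layout (not from a real host).
sample_list() {
    cat <<'EOF'
syslog          0:off 1:off 2:on  3:on  4:on  5:on  6:off
portmap         0:off 1:off 2:off 3:on  4:on  5:on  6:off
ipchains        0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
snmpd           0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd based services:
        chargen-udp:    off
        telnet: on
        sgi_fam:        on
EOF
}

sample_list | audit_chkconfig
```

On a real host, feed it live data with `LC_ALL=C chkconfig --list | audit_chkconfig`, then turn off each reported service with `chkconfig <name> off`.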