4.5. Available Network Services

While user access to administrative controls is an important issue for system administrators within an organization, keeping tabs on which network services are active is of paramount importance to anyone who administers and operates a Linux system.

Many services under Red Hat Enterprise Linux behave as network servers. If a network service is running on a machine, then a server application called a daemon is listening for connections on one or more network ports. Each of these servers should be treated as a potential avenue of attack.

4.5.1. Risks To Services

Network services can pose many risks for Linux systems. Below is a list of some of the primary issues:

Note

The threat of buffer overflow vulnerabilities is mitigated in Red Hat Enterprise Linux by ExecShield, an executable memory segmentation and protection technology supported by x86-compatible uni- and multi-processor kernels. ExecShield reduces the risk of buffer overflow by separating virtual memory into executable and non-executable segments. Any program code that tries to execute outside of the executable segment (such as malicious code injected from a buffer overflow exploit) triggers a segmentation fault and terminates.

ExecShield also includes support for No eXecute (NX) technology on AMD64 platforms and eXecute Disable (XD) technology on Itanium and Intel® EM64T systems. These technologies work in conjunction with ExecShield to prevent malicious code from running in the executable portion of virtual memory with a granularity of 4 KB of executable code, lowering the risk of attack from stealthy buffer overflow exploits.

For more information about ExecShield and NX or XD technologies, refer to the whitepaper entitled New Security Enhancements in Red Hat Enterprise Linux v.3, Update 3, available at the following URL:

http://www.redhat.com/solutions/info/whitepapers/

To limit exposure to attacks over the network, all services that are unused should be turned off.

4.5.2. Identifying and Configuring Services

To enhance security, most network services installed with Red Hat Enterprise Linux are turned off by default. There are, however, some notable exceptions:

When determining whether to leave these services running, it is best to use common sense and err on the side of caution. For example, if a printer is not available, do not leave cupsd running. The same is true for portmap. If you do not mount NFSv3 volumes or use NIS (the ypbind service), then portmap should be disabled.

Red Hat Enterprise Linux ships with three programs designed to switch services on or off. They are the Services Configuration Tool (system-config-services), ntsysv, and chkconfig. For information on using these tools, refer to the chapter titled Controlling Access to Services in the Red Hat Enterprise Linux System Administration Guide.

Figure 4-3. Services Configuration Tool

If unsure of the purpose for a particular service, the Services Configuration Tool has a description field, illustrated in Figure 4-3, that may be of some use.

But checking which network services are available to start at boot time is not enough. Good system administrators should also check which ports are open and listening. Refer to Section 5.8 Verifying Which Ports Are Listening for more on this subject.
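The two checks recommended above (what starts at boot, and what is actually listening) can be combined in a small audit script. The following is an added example, not a script from this guide or from Red Hat; it assumes the text formats of `chkconfig --list` and `netstat -tln` and uses constructed sample output rather than a real host. The function names and the watch lists are the example's own choices.

```shell
#!/bin/sh
# Audit the services this section singles out: which are enabled at boot and
# which are already listening. Input mimics `chkconfig --list` and `netstat -tln`
# on Red Hat Enterprise Linux; the sample text below is constructed, not captured.

INSECURE="rlogin rsh telnet"            # remote login/shell: replace with SSH
CONDITIONAL="cups portmap ypbind nfs"   # keep only if this host actually needs them

# Read `chkconfig --list` on stdin; print each watched service that starts at
# boot (SysV "on" in runlevel 3 or 5, or xinetd-managed service marked "on").
flagged_boot_services() {
    awk -v watchlist="$INSECURE $CONDITIONAL" '
    BEGIN { n = split(watchlist, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
    # xinetd entries look like "<tab>telnet:<tab>on"
    /^[ \t]+[a-z0-9-]+:[ \t]+(on|off)$/ {
        name = $1; sub(":", "", name)
        if ((name in watch) && $2 == "on") print name
        next
    }
    # SysV entries look like "portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off"
    NF >= 7 && ($1 in watch) { if ($5 == "3:on" || $7 == "5:on") print $1 }
    ' | sort -u
}

# Read `netstat -tln` on stdin; print "port/service" for each LISTEN socket on
# a well-known port of an insecure (or needs-careful-configuration) service.
flagged_listeners() {
    awk '
    BEGIN { names[21] = "ftp"; names[23] = "telnet"; names[513] = "rlogin"; names[514] = "rsh" }
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, addr, ":")   # local address is host:port
        if (addr[n] in names) print addr[n] "/" names[addr[n]]
    }
    ' | sort -n
}

# Constructed sample output of the two commands (not from a real host).
SAMPLE_CHKCONFIG='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xinetd based services:
        telnet:         on
        rsync:          off'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

echo "Enabled at boot:"; printf '%s\n' "$SAMPLE_CHKCONFIG" | flagged_boot_services
echo "Listening now:";   printf '%s\n' "$SAMPLE_NETSTAT" | flagged_listeners
```

On a live system, replace the sample variables with `chkconfig --list | flagged_boot_services` and `netstat -tln | flagged_listeners`; anything flagged that the host does not need is a candidate for `chkconfig <service> off`.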

4.5.3. Insecure Services

Potentially, any network service is insecure. This is why turning unused services off is so important. Exploits for services are revealed and patched routinely, making it very important to keep packages associated with any network service updated. Refer to Chapter 3 Security Updates for more information about this issue.

Some network protocols are inherently more insecure than others. These include any services which do the following things:

Examples of inherently insecure services include the following:

All remote login and shell programs (rlogin, rsh, and telnet) should be avoided in favor of SSH. (Refer to Section 4.7 Security Enhanced Communication Tools for more information about sshd.)

FTP is not as inherently dangerous to the security of the system as remote shells, but FTP servers must be carefully configured and monitored to avoid problems. Refer to Section 5.6 Securing FTP for more information on securing FTP servers.

Services which should be carefully implemented and behind a firewall include:

More information on securing network services is available in Chapter 5 Server Security.

The next section discusses tools available to set up a simple firewall.
