NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.
While user access to administrative controls is an important
issue for system administrators within an organization, keeping
tabs on which network services are active is of paramount
importance to anyone who administers and operates a Linux
Many services under Red Hat Enterprise Linux behave as network
servers. If a network service is running on a machine, then a
server application called a daemon is
listening for connections on one or more network ports. Each of
these servers should be treated as potential avenue of attack.
Network services can pose many risks for Linux systems. Below is
a list of some of the primary issues:
Denial of Service Attacks (DoS) —
By flooding a service with requests, a denial of service attack can
bring a system to a screeching halt as it tries to log and answer
Script Vulnerability Attacks — If
a server is using scripts to execute server-side actions, as Web
servers commonly do, a cracker can mount an attack on improperly
written scripts. These script vulnerability attacks can lead to a
buffer overflow condition or allow the attacker to alter files on
Buffer Overflow Attacks — Services
which connect to ports numbered 0 through 1023 must run as an
administrative user. If the application has an exploitable buffer
overflow, an attacker could gain access to the system as the user
running the daemon. Because exploitable buffer overflows exist,
crackers use automated tools to identify systems with
vulnerabilities, and once they have gained access, they use
automated rootkits to maintain their access to the system.
The threat of buffer overflow vulnerabilities is mitigated in
Red Hat Enterprise Linux by ExecShield, an
executable memory segmentation and protection technology supported
by x86-compatible uni- and multi-processor kernels. ExecShield
reduces the risk of buffer overflow by separating virtual memory
into executable and non-executable segments. Any program code that
tries to execute outside of the executable segment (such as
malicious code injected from a buffer overflow exploit) triggers a
segmentation fault and terminates.
Execshield also includes support for No
eXecute (NX) technology on
AMD64 platforms and eXecute Disable
(XD) technology on Itanium and
Intel® EM64T systems. These
technologies work in conjunction with ExecShield to prevent
malicious code from running in the executable portion of virtual
memory with a granularity of 4kb of executable code, lowering the
risk of attack from stealthy buffer overflow exploits.
For more information about ExecShield and NX or XD technologies,
refer to the whitepaper entitled New Security
Enhancements in Red Hat Enterprise Linux v.3, Update 3,
available at the following URL:
To limit exposure to attacks over the network, all services that
are unused should be turned off.
To enhance security, most network services installed with Red
Hat Enterprise Linux are turned off by default. There are, however,
some notable exceptions:
cupsd — The default print server
for Red Hat Enterprise Linux.
lpd — An alternate print
xinetd — A super server that
controls connections to a host of subordinate servers, such as
vsftpd and telnet.
sendmail — The Sendmail mail
transport agent is enabled by default, but only listens for
connections from the localhost.
sshd — The OpenSSH server, which
is a secure replacement for Telnet.
When determining whether to leave these services running, it is
best to use common sense and err on the side of caution. For
example, if a printer is not available, do not leave cupsd running. The same is true for portmap. If you do not mount NFSv3 volumes or use
NIS (the ypbind service), then portmap should be disabled.
Red Hat Enterprise Linux ships with three programs designed to
switch services on or off. They are the Services Configuration Tool (system-config-services), ntsysv, and chkconfig.
For information on using these tools, refer to the chapter titled
Controlling Access to Services in the
Red Hat Enterprise Linux System Administration
Figure 4-3. Services Configuration Tool
If unsure of the purpose for a particular service, the Services Configuration Tool has a description
field, illustrated in Figure 4-3, that may
be of some use.
But checking which network services are available to start at
boot time is not enough. Good system administrators should also
check which ports are open and listening. Refer to Section 5.8 Verifying Which Ports Are
Listening for more on this subject.
Potentially, any network service is insecure. This is why
turning unused services off is so important. Exploits for services
are revealed and patched routinely, making it very important to
keep packages associated with any network service updated. Refer to
Chapter 3 Security
Updates for more information about this issue.
Some network protocols are inherently more insecure than others.
These include any services which do the following things:
Pass Usernames and Passwords Over a Network
Unencrypted — Many older protocols, such as Telnet and
FTP, do not encrypt the authentication session and should be
avoided whenever possible.
Pass Sensitive Data Over a Network
Unencrypted — Many protocols pass data over the network
unencrypted. These protocols include Telnet, FTP, HTTP, and SMTP.
Many network file systems, such as NFS and SMB, also pass
information over the network unencrypted. It is the user's
responsibility when using these protocols to limit what type of
data is transmitted.
Also, remote memory dump services, like netdump, pass the contents of memory over the
network unencrypted. Memory dumps can contain passwords or, even
worse, database entries and other sensitive information.
Other services like finger and
rwhod reveal information about users of
Examples of inherently insecure services includes the
All remote login and shell programs (rlogin, rsh, and telnet) should be avoided in favor of SSH. (refer to
Section 4.7 Security
Enhanced Communication Tools for more information about
FTP is not as inherently dangerous to the security of the system
as remote shells, but FTP servers must be carefully configured and
monitored to avoid problems. Refer to Section 5.6 Securing FTP for more
information on securing FTP servers.
Services which should be carefully implemented and behind a
More information on securing network services is available in
Chapter 5 Server Security.
The next section discusses tools available to set up a simple