Chapter 19. Controlling Access to Services
Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example,
httpdif you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
There are several different methods for managing access to system services. Decide which method of management to use based on the service, your system's configuration, and your level of Linux expertise.
The easiest way to deny access to a service is to turn it off. Both the services managed by
xinetdand the services in the
/etc/rc.d/init.dhierarchy (also known as SysV services) can be configured to start or stop using three different applications:
- Services Configuration Tool — a graphical application that displays a description of each service, displays whether each service is started at boot time (for runlevels 3, 4, and 5), and allows services to be started, stopped, and restarted.
- ntsysv — a text-based application that allows you to configure which services are started at boot time for each runlevel. Non-
xinetdservices can not be started, stopped, or restarted using this program.
chkconfig— a command line utility that allows you to turn services on and off for the different runlevels. Non-
xinetdservices can not be started, stopped, or restarted using this utility.
You may find that these tools are easier to use than the alternatives — editing the numerous symbolic links located in the directories below
/etc/rc.dby hand or editing the
xinetdconfiguration files in
Another way to manage access to system services is by using
iptablesto configure an IP firewall. If you are a new Linux user, please realize that
iptablesmay not be the best solution for you. Setting up
iptablescan be complicated and is best tackled by experienced Linux system administrators.
On the other hand, the benefit of using
iptablesis flexibility. For example, if you need a customized solution which provides certain hosts access to certain services,
iptablescan provide it for you. Refer to the Reference Guide and the Security Guide for more information about
Alternatively, if you are looking for a utility to set general access rules for your home machine, and/or if you are new to Linux, try the Security Level Configuration Tool (
system-config-securitylevel), which allows you to select the security level for your system, similar to the Firewall Configuration screen in the installation program.
If you need more specific firewall rules, refer to the
iptableschapter in the Reference Guide.
Before you can configure access to services, you must understand Linux runlevels. A runlevel is a state, or mode, that is defined by the services listed in the directory
/etc/rc.d/rc<x>.d, where <x> is the number of the runlevel.
The following runlevels exist:
- 0 — Halt
- 1 — Single-user mode
- 2 — Not used (user-definable)
- 3 — Full multi-user mode
- 4 — Not used (user-definable)
- 5 — Full multi-user mode (with an X-based login screen)
- 6 — Reboot
If you use a text login screen, you are operating in runlevel 3. If you use a graphical login screen, you are operating in runlevel 5.
The default runlevel can be changed by modifying the
/etc/inittabfile, which contains a line near the top of the file similar to the following:
Change the number in this line to the desired runlevel. The change does not take effect until you reboot the system.
To change the runlevel immediately, use the command
telinitfollowed by the runlevel number. You must be root to use this command. The
telinitcommand does not change the
/etc/inittabfile; it only changes the runlevel currently running. When the system is rebooted, it continues to boot the runlevel as specified in