Securing & Optimizing Linux, pt. 1: Services

November 13, 2003

I find that Red Hat Linux (now defunct) is fairly secure by default, but could use a bit of tweaking. This is the first of a series of notes on optimizing and improving security in Linux. Some items may be specific to Red Hat, but most of these notes will be applicable to all systems. In part 1, we look at runlevel services.

This is not intended to be an all-inclusive manual. This site is called Penguin Notes, afterall!

Be sure to turn off all services you don't need. Services in Linux are those background daemons and operations that you're usually not even aware of, such as automount, pcmcia, and ssh. The /etc/rc.d/init.d/ directory contains the specifications and startup/stop scripts for these applications (maybe slightly different in other distributions). Within the parent directory, /etc/rc.d, are a few files called rc, rc.sysinit, and rc.local. Read the top of the respective files to learn more about what they do.

There are also several directories called rcx.d, where x ranges from 0 to 6. Each of these corresponds to a run level:

0 - halt
1 - single user mode (for diagnostics)
2 - multiuser mode, no NFS mounting
3 - full multiuser mode
4 -unused (I have no idea why)
5 - startup in X-windows
6 - reboot

Within each directory are a number of soft links to the scripts in init.d. Each item begins with a letter K or S, basically for "kill" or "start", and a number. Scripts are run in alphabetic order, so the lower the number, the earlier the script is run. If the first character is anything other than an uppercase K or S, then the script won't be run.

So, getting back to the security point: by default there will likely be many services in here that you don't need. For instance, you won't need pcmcia unless you have a notebook computer. You won't need NFS unless you are serving NFS partitions. Everything that you don't need is taking up a little bit of memory and/or processor and, if it turns out to have a security flaw of any kind, may be opening you up to a lot of problems. So figure out what each one does (using the man; command and possibly the Linux Documentation Project if need be), and delete those which you don't need.

In particular keep a look out for unnecessary network protocols, such as NFS, portmap, and xinetd. Obviously these do have their uses, but if you don't know what they are, then you won't need these particular entries I assure you. If your main startup mode is at the command prompt, you'll need to remove these and other extraneous entries from /etc/rc.d/rc3.d. If you startup in X windows with a graphical login prompt, then you'll need to clean up /etc/rc.d/rc5.d. Probably best to clean up both.

You probably won't ever need runlevel 2, but to be safe you should remove unnecessary links there as well. I do not recommend messing with levels 0, 1, or 6. These will have everything necessary by default.

By the way, I'm sure there's an automated graphical utility for editing these configurations, but why bother?