Insecure Services - Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE Manual

• lpd — An alternate print server.
• xinetd — A super server that controls connections to a host of subordinate servers, such as vsftpd and telnet.
• sendmail — The Sendmail mail transport agent is enabled by default, but only listens for connections from the localhost.
• sshd — The OpenSSH server, which is a secure replacement for Telnet.

When determining whether to leave these services running, it is best to use common sense and err on the side of caution. For example, if a printer is not available, do not leave cupsd running. The same is true for portmap. If you do not mount NFSv3 volumes or use NIS (the ypbind service), then portmap should be disabled.

Red Hat Enterprise Linux ships with three programs designed to switch services on or off. They are the Services Configuration Tool (system-config-services), ntsysv, and chkconfig. For information on using these tools, refer to the chapter titled Controlling Access to Services in the System Administrators Guide.
Figure 4.3. Services Configuration Tool

If unsure of the purpose for a particular service, the Services Configuration Tool has a description field, illustrated in Figure 4.3, "Services Configuration Tool", that may be of some use.

But checking which network services are available to start at boot time is not enough. Good system administrators should also check which ports are open and listening. Refer to Section 5.8, "Verifying Which Ports Are Listening" for more on this subject.

4.5.3. Insecure Services

Potentially, any network service is insecure. This is why turning unused services off is so important. Exploits for services are revealed and patched routinely, making it very important to keep packages associated with any network service updated. Refer to Chapter 3, Security Updates for more information about this issue.

Some network protocols are inherently more insecure than others. These include any services which do the following things:

• Pass Usernames and Passwords Over a Network Unencrypted — Many older protocols, such as Telnet and FTP, do not encrypt the authentication session and should be avoided whenever possible.
• Pass Sensitive Data Over a Network Unencrypted — Many protocols pass data over the network unencrypted. These protocols include Telnet, FTP, HTTP, and SMTP. Many network file systems, such as NFS and SMB, also pass information over the network unencrypted. It is the user's responsibility when using these protocols to limit what type of data is transmitted.

Also, remote memory dump services, like netdump, pass the contents of memory over the network unencrypted. Memory dumps can contain passwords or, even worse, database entries and other sensitive information.

Other services like finger and rwhod reveal information about users of the system.
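Checking which ports are listening and which of them belong to the cleartext or information-revealing services named in this section is something an administrator would do with `netstat -tlnp` (and `chkconfig --list` for boot-time services). The following shell script is an added example, not part of the Red Hat guide: it reads a netstat-style listing (here a constructed sample, not output from a real host), skips loopback-only listeners, and flags the TCP ports of the services discussed above; the port table and its reasons are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit a `netstat -tlnp`-style
# listing for the cleartext / information-revealing services named in the text.
# SAMPLE_NETSTAT is CONSTRUCTED sample output, not captured from a real system.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1203/vsftpd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1187/xinetd
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN      1187/xinetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1102/portmap
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      1250/lpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1301/sendmail
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1150/sshd'

# Port table assumed for this example (TCP only): port:service:why it matters.
INSECURE_PORTS='21:ftp:cleartext credentials and data
23:telnet:cleartext credentials and data
79:finger:reveals user information
111:portmap:only needed for NFSv3 or NIS (ypbind)
515:lpd:cleartext print jobs'

# audit_listing LISTING
# Prints "port service reason" for every LISTEN socket on a flagged port that is
# bound to something other than the loopback address.
audit_listing() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" { print $4 }' |
    while IFS= read -r local; do
        addr=${local%:*}     # everything before the last colon
        port=${local##*:}    # everything after the last colon
        # A loopback-only listener (sendmail above) is not reachable from the network.
        if [ "$addr" != "127.0.0.1" ] && [ "$addr" != "::1" ]; then
            entry=$(printf '%s\n' "$INSECURE_PORTS" | grep "^${port}:" || true)
            if [ -n "$entry" ]; then
                printf '%s\n' "$entry" | tr ':' ' '
            fi
        fi
    done
}

# flagged_count LISTING: number of flagged listeners (0 means nothing to act on).
flagged_count() {
    audit_listing "$1" | wc -l | tr -d ' '
}

audit_listing "$SAMPLE_NETSTAT"
echo "flagged listeners: $(flagged_count "$SAMPLE_NETSTAT")"
```

On a live host, replace the sample with `audit_listing "$(netstat -tlnp)"`; UDP services such as rwhod show no LISTEN state in netstat and are not covered by this TCP-only check.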
