Controlling Access To Services - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual

Chapter 16.

Controlling Access to Services

Maintaining security on your system is extremely important, and one approach for this task is to
manage access to system services carefully. Your system may need to provide open access to
particular services (for example, httpd if you are running a Web server). However, if you do not need
to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
There are several different methods for managing access to system services. Choose which method
of management to use based on the service, your system's configuration, and your level of Linux
expertise.
The easiest way to deny access to a service is to turn it off. Both the services managed by xinetd
and the services in the /etc/rc.d/init.d hierarchy (also known as SysV services) can be
configured to start or stop using three different applications:
Services Configuration Tool
This is a graphical application that displays a description of each service, displays whether
each service is started at boot time (for runlevels 3, 4, and 5), and allows services to be started,
stopped, and restarted.
ntsysv
This is a text-based application that allows you to configure which services are started at boot
time for each runlevel. Non-xinetd services can not be started, stopped, or restarted using this
program.
chkconfig
This is a command line utility that allows you to turn services on and off for the different runlevels.
Non-xinetd services can not be started, stopped, or restarted using this utility.
You may find that these tools are easier to use than the alternatives — editing the numerous symbolic
links located in the directories below /etc/rc.d by hand or editing the xinetd configuration files in
/etc/xinetd.d.
Another way to manage access to system services is by using iptables to configure an IP firewall.
If you are a new Linux user, note that iptables may not be the best solution for you. Setting up
iptables can be complicated, and is best tackled by experienced Linux system administrators.
On the other hand, the benefit of using iptables is flexibility. For example, if you need a customized
solution which provides certain hosts access to certain services, iptables can provide it for you.
Section 43.8.1, "Netfilter and IPTables"
Refer to
information about iptables.
Alternatively, if you are looking for a utility to set general access rules for your home machine,
and/or if you are new to Linux, try the Security Level Configuration Tool (system-config-
securitylevel), which allows you to select the security level for your system, similar to the Firewall
Configuration screen in the installation program.
Section 43.8, "Firewalls"
Refer to
Important
When you allow access for new services, always remember that both the firewall and
SELinux need to be configured as well. One of the most common mistakes committed
Section 43.8.3, "Using IPTables"
and
for more information.
for more
195