[EMAIL PROTECTED] wrote:
Warren has a nice page at 
<http://www.mplug.org/phpwiki/index.php/DisablingLinuxServices> about what services 
to turn off after you install redhat. Unfortunately it is obsolete (says to use 
linuxconf, which is no longer part of the distro). I've been googling around trying to 
update it myself, but I'm in a bit over my head. If you guys give me a sanity check, I'll 
go ahead & update the page.

I'm assuming we'd use chkconfig instead of linuxconf (or maybe ntsysv?).
Here's some of the services chkconfig lists on one of my systems, with comments 
and questions. Some of this was cribbed from posts to comp.os.linux.questions.

keytable        Loads keyboard map. on


agree

atd             related to crond, on.


Runs things once at specified times, agree

syslog          for system logging, on.

Always needed, agree


gpm             Console mouse handler.  If you never do console, you may not 
need it.

sendmail        for sending mail, not needed if you always use your ISP's smtp 
server. off.

Usually you can leave it off, but you may need to run it in smart host mode and tell sendmail to not listen on port 25 if you have apps that call sendmail to send mail; many console mail apps do this.


kudzu           recognizes hardware at startup. Is there a way to turn it off 
later? Is that a good idea?

You can certainly turn it off. Me being the redhat automation hater that I am, I usually do. Many people may find it useful however.


netfs           supposed to automount nfs and smbfs shares, on if you want?

Would seem to be a redhatism


network         networking. on.

Given


random          has to do with random number generation, on.

This probably seeds /dev/random. Just let it be started at startup (to seed) and stopped at shutdown (to save the seed) as usual.


rawdevices      no idea, on.

no clue here either, almost certainly a redhatism


apmd            Advanced power management daemon.  For laptops and Green 
machines.


ipchains iptables    firewall stuff, one or other on. Actually my system has 
both on, a problem?

I have no clue how redhat handles this. I know their stock firewall at least as of 8.x was ipchains based. iptables and ipchains are mutually incompatible though.


crond           handles background/timed job scheduling. on.

I think redhat systems have housekeeping chores they need to run, so you probably need to leave it on. Cron daemons (especially vixie, which redhat uses) have been security problems in the past, but have gotten better recently.


anacron         Runs cron jobs that were lost during downtime.  Useful on 
laptops and machines that aren't up all the time

Whatever


lpd             on if you have a printer, otherwise off.

This does run as root, so it can be a security problem; however, it should be able to drop privs once started. I don't know if redhat's does this or not. Leave it off if you can.


ntpd            network time protocol daemon, has been a security hole, 
probably off.

This should be able to drop privileges if coded properly, but leave it off if you don't need it. This is only needed if you want to be a time SERVER, not to sync your time.


portmap         required for samba or NFS, I forget.

NFS.  This is a historic "get you rooted" thing, so disable it if at all 
possible.


xfs             X Font Server.  If you're running a standalone system running X 
Window System, you may need it.

agree



xinetd          long story, off probably.

You'll probably end up running something that needs inetd, but leave it off if you can


rhnsd           red hat network, on if you use it.

whatever


autofs          no idea

Probably the automounter


nfs             old style unix file sharing (network file system). On if you 
use it.

agree


nfslock         see nfs?

Probably handles file locks on nfs, but I have no clue


nscd            no idea

No clue


identd          Identifies you to IRC servers, from what I can tell.  Known 
security problem; disable if you don't IRC.

I know oidentd (though I think redhat may use a different identd) can drop privs once run. This isn't as much of a security problem as it is an information leak.


radvd           no idea

IPv6 Stateless autoconfig. If you're not using ipv6 or are using static addressing with ipv6, you can disable this.


snmpd           Simple Network Management Protocol.  For big networks of many
machines.  Disable.

Just disable it.


snmptrapd       see snmpd.

ditto


isdn            no idea

Probably ISDN services.  If you don't have ISDN, leave it off.


sshd            on! secure shell.

Enable this if you want remote access to your machine, which you probably do as it's so useful.


vncserver       no idea

The VNC X server presumably.  Probably best to leave off.


yppasswdd  ypserv  ypxfrd  samba?

yppasswd and such are used in NIS I do believe, leave off unless you use NIS


winbind    no idea

No clue


smb      samba - on if you use it.

arpwatch     Keeps track of ethernet/ip pairings and logs activities. Safe to 
disable, you will know when/if you want/need it.

Never needed it personally and I do quite a bit of networking



xinetd based services:
        chargen-udp:    off

Known trivial DoS, leave off.

        chargen:        off

Not needed, but at least difficult to DoS with on TCP

        daytime-udp:    off

Daytime's ancient

        daytime:        off

ditto

        echo-udp:       off

Used with chargen for a DoS, leave off.

        echo:   off

See chargen TCP

        services:       off

services? pretty generic...

        servers:        off

ditto

        time-udp:       off

this would probably be NTP.  See NTPd above.

        time:   off

See above

        sgi_fam:        on

No clue

        rsh:    off

Off, shell without authentication is BAD

        talk:   off
        kotalk: off
        ktalk:  off

Don't need them unless you like talk :P)

        finger: off

Don't poke me!  Information leak, but otherwise trivial

        rexec:  off
        rlogin: off

See rsh

        ntalk:  off

See the other talks

        telnet: off

Passwords in plaintext? bad...

        rsync:  off

Unless you use it as a server

        wu-ftpd:        off

Known security problem in the past.  I prefer ProFTPd


all xinetd services seem to be off on this box, except sgi-fam, whatever that 
is.

Send comments and I'll try to put them into the page. Or I guess you guys could 
edit it directly.

Dave

--MonMotha
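
An added example, not part of the original thread or the wiki page: a shell function that reads `chkconfig --list` output and reports services from the replies' "leave off" advice that are still enabled in runlevel 3 or 5, or under xinetd. The names `flag_enabled`, `sample_output` and `LEAVE_OFF` are hypothetical, the list is a subset picked from the replies above, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: audit `chkconfig --list` against the thread's "leave off" advice.
# Subset of services the replies say to disable; edit for your host.
LEAVE_OFF="portmap snmpd snmptrapd chargen-udp echo-udp rsh rexec rlogin telnet"

# Reads `chkconfig --list` text on stdin; prints one flagged service per line.
flag_enabled() {
    awk -v list="$LEAVE_OFF" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^xinetd based services:/ { xinetd = 1; next }
        NF == 0 { next }
        xinetd {
            # xinetd lines look like "        telnet: on"
            name = $1; sub(/:$/, "", name)
            if ((name in off) && $2 == "on") print name " (xinetd)"
            next
        }
        {
            # SysV lines look like "portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off"
            if (!($1 in off)) next
            levels = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if ((kv[1] == 3 || kv[1] == 5) && kv[2] == "on")
                    levels = levels (levels == "" ? "" : ",") kv[1]
            }
            if (levels != "") print $1 " (runlevels " levels ")"
        }
    '
}

# Constructed sample of `chkconfig --list` output, not taken from a real host.
sample_output() {
    cat <<'EOF'
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        chargen-udp:    off
        telnet: on
        sgi_fam:        on
EOF
}

sample_output | flag_enabled
# On a real Red Hat box: chkconfig --list | flag_enabled
```

For a flagged SysV service, `chkconfig <name> off` only changes the boot-time setting; an already running daemon keeps running until it is stopped with `service <name> stop`.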
