
Working with Linux: Disable service to improve network security

Linux security expert Jay Beale offers a code-by-code instructional walk-through to help system administrators disable Linux services.

How do I stop services in Linux? I tried putting a "#" before the services to be stopped in my inetd.conf file, but the services still exist when I scan the server.

inetd (and later xinetd) was created to be a network daemon "superserver" -- you configure it to listen on a number of ports and to launch a particular program whenever it receives a connection on a particular port. It hands off the connection to this program and continues listening for more connections. Each port gets its own line in /etc/inetd.conf, like this:

pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d

The first column lists the port, either numerically or as a reference into the /etc/services table. In this case, the /etc/services file says that the pop-3 port is port 110. If you want to tell inetd to stop listening on a given port, you can just comment out (or even delete) that port's line, and then tell inetd to reread the file.

Here's the process, outlined step by step:

  1. Comment out the network service's line in /etc/inetd.conf by prepending a hash mark. In the case of the pop-3 example above, the line would now read:

#pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d

  2. Instruct inetd to reread its configuration file by passing it a HUP (hang up) signal. First, find out its process id (PID) with the ps command, like this:

# ps -ef | grep inetd
root 24850 1 0 07:13 ? 00:00:00 inetd

The PID is in the second column. Use the kill command to pass the HUP signal to inetd:

# kill -HUP 24850

Of course, most modern Linux distributions have moved from inetd to a new replacement, xinetd, which uses a separate configuration file for each port. The one for POP3 might be /etc/xinetd.d/ipop3 and look like this:

# default: off
# description: The POP3 service allows remote users to ...
service pop3
{
        disable = no
        socket_type = stream
        wait = no
        user = root
        server = /usr/sbin/ipop3d
        log_on_success += HOST DURATION
        log_on_failure += HOST
}

You can instruct xinetd to stop listening on the POP3 port by changing the "disable = no" line in that file to "disable = yes" or even by deleting the file altogether. Then, you'll need to pass the HUP signal to xinetd, just as you did with inetd:

# ps -ef | grep xinetd
root 790 1 0 07:13 ? 00:00:00 xinetd

The PID is in the second column. Use the kill command to pass the HUP signal to xinetd:

# kill -HUP 790
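The inetd and xinetd procedures above, put into a small POSIX shell script. This is an added example, not code from the article or from Bastille Linux: it edits whatever file path it is given (so it can be tried on copies of the real files), verifies that the service is really off, and only then sends the HUP. The fixture files it builds are constructed from the pop-3 example above; the telnet fragment is invented to show the case where an xinetd file has no disable line at all. The helper names (disable_inetd_service, reload_superserver and so on) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: disable a service in an
# inetd.conf-style or xinetd.d-style file, verify the result, and signal the
# superserver to reread its configuration. The edit functions work on whatever
# path they are given, so they can be exercised on copies of the real files.

# Comment out every active line whose service name (column 1) is SVC.
# Lines that are already comments start with "#", so they never match and the
# function is safe to run twice.
disable_inetd_service() {
    conf="$1"; svc="$2"; tmp="$conf.tmp.$$"
    awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Succeed (exit 0) if SVC still has an uncommented entry in the file.
inetd_service_enabled() {
    awk -v svc="$2" 'BEGIN { off = 1 } $1 == svc { off = 0 } END { exit off }' "$1"
}

# Force "disable = yes" in an xinetd service file. An existing disable line is
# rewritten; if there is none, the attribute is inserted before the closing brace,
# because xinetd treats a missing "disable" as "no" (enabled).
disable_xinetd_service() {
    conf="$1"; tmp="$conf.tmp.$$"
    awk '
        /^[ \t]*disable[ \t]*=/ { print "\tdisable = yes"; seen = 1; next }
        /^[ \t]*}/ && !seen     { print "\tdisable = yes"; seen = 1 }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Succeed (exit 0) if the xinetd service file leaves its service enabled.
xinetd_service_enabled() {
    awk 'BEGIN { on = 0 } /^[ \t]*disable[ \t]*=[ \t]*yes/ { on = 1 } END { exit on }' "$1"
}

# Print the name of every service file under DIR that xinetd would still serve.
list_enabled_xinetd() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if xinetd_service_enabled "$f"; then basename "$f"; fi
    done
}

# Send HUP to a running inetd or xinetd so it rereads its configuration.
# Returns 1 without signalling anything if no process of that name is running.
reload_superserver() {
    pid=$(ps -eo pid=,comm= 2>/dev/null | awk -v n="$1" '$2 == n { print $1; exit }')
    [ -n "$pid" ] || { echo "$1 is not running" >&2; return 1; }
    kill -HUP "$pid"
}

# Constructed fixtures modelled on the article's pop-3 examples (not real files).
# Prints the temporary directory that holds them.
make_fixtures() {
    dir=$(mktemp -d)
    printf '%s\n' 'pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d' \
                  'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' > "$dir/inetd.conf"
    mkdir "$dir/xinetd.d"
    printf 'service pop3\n{\n\tdisable = no\n\tsocket_type = stream\n\twait = no\n\tuser = root\n\tserver = /usr/sbin/ipop3d\n}\n' > "$dir/xinetd.d/ipop3"
    # Invented fragment with no "disable" line at all, so it is enabled by default.
    printf 'service telnet\n{\n\tsocket_type = stream\n\twait = no\n\tuser = root\n\tserver = /usr/sbin/in.telnetd\n}\n' > "$dir/xinetd.d/telnet"
    echo "$dir"
}

# Walk-through on the fixtures when run as "sh disable-services.sh demo".
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixtures)
    disable_inetd_service "$d/inetd.conf" pop-3
    echo "enabled in xinetd.d before: $(list_enabled_xinetd "$d/xinetd.d" | tr '\n' ' ')"
    for f in "$d"/xinetd.d/*; do disable_xinetd_service "$f"; done
    echo "enabled in xinetd.d after:  $(list_enabled_xinetd "$d/xinetd.d" | tr '\n' ' ')"
    reload_superserver xinetd || reload_superserver inetd || true
    rm -rf "$d"
fi
```

Two points the script makes explicit that the manual procedure leaves implicit: commenting out is only effective if the line is matched on its service-name column (a stray leading space would otherwise leave "# pop-3 ..." looking disabled to the eye while a second active line survives elsewhere), and an xinetd fragment with no disable attribute is live, so "set disable = yes" has to insert the line rather than only rewrite it. Run the real files through list_enabled_xinetd after the HUP to confirm that what xinetd will serve matches what you intended.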

Your network service audit isn't really complete unless you examine and, where possible, deactivate the other network-listening programs. Start by running the netstat command with the -p option, which shows what programs are listening on what ports. Here's a sample of listening TCP ports:

# netstat -vatp | grep LISTEN

tcp 0 0 *:netbios-ssn *.* LISTEN 3099/smbd
tcp 0 0 *:sunrpc *.* LISTEN 3116/portmap
tcp 0 0 *:http *.* LISTEN 3132/httpd
tcp 0 0 *:https *.* LISTEN 3132/httpd

This tells us that smbd (Samba) is listening on the NetBIOS-SSN port (139) and that portmap is listening on the SunRPC port (111). If your netstat doesn't support the -p option, you can use lsof to map ports to programs. Now you can deactivate the network programs you don't need, using whatever facility your distribution provides. On Red Hat, we'd use chkconfig to turn off Samba for the next reboot:

# chkconfig smb off

After this, do the same audit for listening UDP ports.
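The TCP and UDP audit described above, as an added example that is not part of the original article. The netstat lines embedded in the script are constructed to match the article's sample (with a loopback-only SMTP socket and two UDP sockets added for illustration); they are not a real capture, and the PIDs and daemon names are illustrative. The functions take netstat -p output on standard input, so the same code reviews either the sample or the live "netstat -vatp; netstat -vaup" output, and the allow list of expected daemons is whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the original article: turn "netstat -p" style output
# into an audit list. The input below is constructed to match the article's sample
# (plus a loopback-only and two UDP sockets); it is not a real capture, and the
# PIDs and names are illustrative.

NETSTAT_TCP='tcp        0      0 *:netbios-ssn           *:*                     LISTEN      3099/smbd
tcp        0      0 *:sunrpc                *:*                     LISTEN      3116/portmap
tcp        0      0 *:http                  *:*                     LISTEN      3132/httpd
tcp        0      0 *:https                 *:*                     LISTEN      3132/httpd
tcp        0      0 localhost:smtp          *:*                     LISTEN      3140/sendmail'

# "netstat -vaup" lines carry no state column: every bound UDP socket can receive.
NETSTAT_UDP='udp        0      0 *:sunrpc                *:*                                 3116/portmap
udp        0      0 *:netbios-ns            *:*                                 3101/nmbd'

# Read netstat -p output on stdin; print "proto local-address PID/program" for
# every socket that can accept traffic (TCP in LISTEN, any UDP socket). Header
# lines and established connections fall through both patterns.
listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4, $7 }
        $1 ~ /^udp/                   { print $1, $4, $6 }
    '
}

# Keep only listeners whose program name is not in the space-separated ALLOW list.
# The program field is "PID/name"; "-" (shown when netstat cannot read the owner)
# has no name and is therefore always reported for a closer look.
unexpected_listeners() {
    listeners | awk -v allow=" $1 " '
        { split($3, p, "/"); name = p[2] }
        index(allow, " " name " ") == 0 { print }
    '
}

# Keep only listeners bound to every interface ("*:" or "0.0.0.0:" addresses);
# a daemon bound to localhost only is not reachable from the network.
wildcard_listeners() {
    listeners | awk '$2 ~ /^(\*|0\.0\.0\.0):/ { print }'
}

# Number of lines on stdin, without the leading blanks some "wc -l" builds print.
count_lines() { awk 'END { print NR }'; }

# Audit the running system when invoked as "sh audit-listeners.sh live";
# the allow list here is only a placeholder for whatever this host should run.
if [ "${1:-}" = "live" ]; then
    { netstat -vatp; netstat -vaup; } 2>/dev/null | unexpected_listeners "httpd sendmail sshd"
fi
```

On the sample, unexpected_listeners with an allow list of "httpd sendmail" reports smbd, portmap (on both TCP and UDP) and nmbd, which is exactly the set the article goes on to turn off with chkconfig; wildcard_listeners drops the localhost-only sendmail socket, which is why binding a service to the loopback address is a reasonable middle ground when a daemon is needed locally but not on the network.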

About the author: Jay Beale is the lead developer of the Bastille Linux project, which creates a hardening script for five Linux distributions, HP-UX and Mac OS X.

This was last published in August 2003
