Disabling network services on RedHat Linux 6.0 and 6.1 (with GNOME)

Note: This document is not yet complete.

One of the major security risks in running a Linux system comes from the network services that are enabled by default in the RedHat distribution (and many other distributions). Many of these services are needed only for servers, not personal workstations. Disabling these services can greatly improve security against remote attacks (as opposed to attacks from local users). However, there is no such thing as a totally secure system, and it is still a good idea to be aware of security problems by reading such lists as cert-advisory and redhat-watch-list.

How to disable services

The following steps can be taken as root to disable most, but not all, network services. One should, of course, be very careful when editing these files. The section below explains what these steps do.

  1. Edit the file /etc/sysconfig/network and change the line that says NETWORKING=yes to NETWORKING=no.
  2. Edit the file /etc/rc.d/init.d/network and put a hash mark (#) at the beginning of the line [ ${NETWORKING} = "no" ] && exit 0 to comment out the line. If you use any networked filesystems, you should repeat this step for the file /etc/rc.d/init.d/netfs. If you need printing, repeat for /etc/rc.d/init.d/lpd (which leaves lpd listening on a port, so you must be sure you have the up-to-date version of lpd from the RedHat errata).
  3. For RedHat 6.0 only (since this is already done for you in RedHat 6.1): In the file /etc/X11/gdm/gdm.conf, find the section that begins with the line [xdmcp], and, within that section, change the line Enable=1 to Enable=0.
  4. Edit the file /etc/X11/gdm/gdm.conf, find the section whose first line is [servers], and change the line 0=/usr/bin/X11/X to be 0=/usr/bin/X11/X -nolisten tcp.
  5. Edit the file /usr/X11R6/bin/startx, find the line (near the end of the file) that says serverargs="$serverargs -auth $HOME/.Xauthority" , and change it to serverargs="$serverargs -auth $HOME/.Xauthority -nolisten tcp" .

How this works, and what it does

By step above:

  1. This line changes a configuration file that is read in by the startup and shutdown scripts located in /etc/rc.d. Changing NETWORKING to no disables the networking hardware startup (see next step) and also the following services:
  2. This step changes the script that initializes the networking hardware so that is no longer dependent on the setting in the previous step. This is needed so that one can access the network from the Linux machine (as opposed to the reverse). (The change to the netfs file does the same thing for the script that mounts and unmounts network (i.e., NFS, SMB, and NCP) filesystems.)
  3. This disables an unneeded service run by gdm, the program that gives the login prompt if you boot to runlevel 5 (XFree86 startup).
  4. This prevents the X server from listening on a TCP port for programs that want to use the display on the machine. This prevents running programs on a remote machine using the traditional methods (setting $DISPLAY and using xhost, etc.). However, it does not prevent using such programs through ssh. One may be better off skipping this step if ssh servers are not available on remote machines from which one wishes to run programs. However, if this step is skipped, I suspect other security measures should be taken, although I don't know the details.
  5. This does the same thing as the previous step, except for the case when X is started by startx (rather than gdm).

After these steps have been taken on my RedHat 6.1 system, the only TCP or UDP sockets listening are a bunch of user-owned TCP sockets related to communication within GNOME. Some have speculated (note date of message) that these could be a security risk, but I'm not sure of the current state. (The command netstat -ape | less will show you sockets currently listening or connected.)

Valid HTML 4.0!

(Back to Linux, David Baron)

LDB, dbaron@dbaron.org