Wednesday, October 28, 2009

Uninstalling what's not necessary













If you have a large hard drive, you may not think too much about installing everything from the Red Hat Linux 9 installation CDs. Compared to the larger hard drives available, 5GB of software may not seem all that demanding.


However, extra software means extra vulnerabilities. You might not use every service that you have installed, and each unused service is a potential open door for a cracker looking for a path into your system. There are two ways you can approach this issue: You can uninstall what you don't need, or you can deactivate a service that's installed. But first, let's take a look at the services that might be installed.





Checking installed services


In Red Hat Linux, network services are associated with two different directories. Major services are activated with scripts in the /etc/rc.d/init.d directory. Other network services can be found in the /etc/xinetd.d directory. From the command line, you can list the files in these directories. Figure 11 illustrates a system with far too many services installed.






Figure 11: Too many services on a Red Hat Linux computer.

Believe it or not, this list is the result of the installation selections I made earlier in this chapter. For example, even though I did not select the Web Server package group, the Apache script, httpd, was still installed.






Note 

Red Hat often installs "extra" software. Earlier in this chapter, I chose to install Red Hat Linux with the default Server Configuration Tools package group. This group includes redhat-config-httpd, which is a GUI tool that configures Apache. Thus, Red Hat assumed I forgot to include the Apache Web server in the installation list and "conveniently" added that software to the installed operating system.



Before you make a judgment on whether to uninstall or deactivate a service, you might want to understand the services. I've listed the services from Figure 11 in Table 3. This is not a comprehensive list; it's based on the typical installation described earlier in this chapter. Be aware that only some of the scripts and services in the noted directories are network related. Don't uninstall or deactivate any of the non-network-related services unless you know what you're doing.











































































































































Table 3: Service scripts in /etc/rc.d/init.d.

| Script | Service | RPM package |
|---|---|---|
| anacron | Configures regular, scheduled, administrative jobs. Keep this package installed. | anacron |
| apmd | Controls Advanced Power Management (APM) features; Linux does not currently support the Microsoft-developed Advanced Configuration and Power Interface (ACPI). You should keep this installed. | apmd |
| atd | Supports the one-time scheduling of a specific job, such as processing a large database in the middle of the night. You should keep this installed. | at |
| autofs | Allows Linux to automatically mount partitions, CDs, and more. Must be installed. | autofs |
| crond | Closely associated with anacron. Keep this package installed. | vixie-cron |
| cups | Supports the default Red Hat Linux print service of the same name. Don't uninstall unless you don't need to print anything locally or remotely from this computer. | cups |
| firstboot | Starts the First Boot utility described earlier in this chapter. | firstboot |
| functions | Contains the basic Linux boot scripts. Must be installed. | initscripts |
| gpm | Provides mouse support at text-based interfaces. Expected by most Linux users. | gpm |
| halt | Stops all Linux processes. Keep this installed. | initscripts |
| httpd | Controls the Apache Web server. Uninstall it if you don't need it. | httpd |
| iptables | Controls the default firewall. Uninstall it if you don't need it. | iptables |
| irda | Supports infrared connections. Uninstall it if you don't need it. | irda-utils |
| isdn | Supports connections through ISDN interfaces. Uninstall it if you don't need it. | isdn4k-utils |
| kdcrotate | Provides library support for Kerberos 5 authentication. Uninstall it if you don't need it. | krb5-libs |
| keytable | Required for keyboards. Don't uninstall. | kbd |
| killall | Stops a group of processes associated with a specific name. Don't uninstall. | initscripts |
| kudzu | Starts the Red Hat hardware detection utility. Don't uninstall. | kudzu |
| named | Controls the Linux DNS server. Uninstall it if you don't need it. | bind |
| netfs | Mounts network filesystems. Don't uninstall. | initscripts |
| network | Controls network configuration. Keep this installed. | initscripts |
| nfs | Supports sharing between Linux and Unix computers using NFS. Uninstall if you don't plan to use NFS. | nfs-utils |
| nfslock | Supports locks on files on shared NFS directories. Uninstall it if you don't plan to use NFS. | nfs-utils |
| nscd | Caches hostname lookups. | nscd |
| ntpd | Synchronizes the computer clock with a central time server. It's important to synchronize the time on your network. | ntp |
| pcmcia | Supports PCMCIA/PC Card hardware most commonly associated with notebook computers. | kernel-pcmcia-cs |
| portmap | Supports more secure network connections. | portmap |
| random | Controls random number generation. Used by encryption schemes and more. Don't uninstall. | initscripts |
| rawdevices | Required by certain applications. | initscripts |
| rhnsd | Allows connections by the Red Hat Update Agent to the Red Hat Network. | up2date |
| saslauthd | Supports authentication using the Simple Authentication and Security Layer (SASL). | cyrus-sasl |
| sendmail | Controls a popular e-mail server. Uninstall it if you don't plan to use an e-mail server on your computer. | sendmail |
| single | Moves Linux into single-user mode, which is similar to Microsoft Windows' safe mode without networking. Do not uninstall. | initscripts |
| smb | Controls Samba, which allows Linux computers to communicate on a Microsoft Windows-style network. Key for this book. Keep this installed. | samba |
| snmpd | Controls utilities related to the Simple Network Management Protocol (SNMP), important for diagnosing network problems. Do not uninstall. | net-snmp |
| snmptrapd | Supports SNMP. Do not uninstall. | net-snmp |
| sshd | Controls the Secure Shell (SSH) service, which supports encrypted connections to remote computers. This is an excellent tool, which you should keep. | openssh-server |
| syslog | Controls utilities that support logging. Log information in /var/log is essential for the Linux system administrator. Do not uninstall. | sysklogd |
| winbind | Supports access to a Microsoft Windows database of user names and passwords. Important for this book. Keep this installed. | samba-common |
| xfs | Controls the X Font Server, closely associated with the X Window package group. | XFree86-xfs |
| xinetd | Configures the extended Internet services daemon, which controls a number of other network services described later. | xinetd |
| ypbind | Allows connections as an NIS client. Uninstall it if you don't plan to use this method of creating a common password database. | ypbind |



If you want to uninstall one of the services listed in Table 3, make a note of the name of the associated RPM package. You'll see in a moment how to use the rpm command and RPM package name to uninstall Apache.


As shown in Figure 11, there are a number of services associated with xinetd, in the /etc/xinetd.d directory. The scripts shown in that directory are fairly basic; you need not uninstall any of the associated packages. If you see additional services in that directory, read the instructions in the next section, which can help you determine whether you need the service.






Getting more information


If you've installed everything from the Red Hat Linux 9 installation CDs, you'll end up with twice the number of scripts in the /etc/rc.d/init.d directory. You should learn how to get more information on each script, so you can make your own decision about whether to uninstall or deactivate the package. Just follow these steps.




  1. Read the script. Open the script of your choice in a text editor. You can use the text editor described earlier on the GNOME desktop by clicking Main Menu | Accessories | Text Editor. Alternatively, you can use the vi editor from the command line as described in Chapter 8, "Administration and Management." There are usually comments at the start of the file that explain its purpose.




  2. Find the RPM package associated with the script. Assuming you've installed the rpmdb-redhat RPM discussed earlier in this chapter, it's easy to find the package name. For example, to find the package associated with the Apache (httpd) script, run the following command. Notice how I've included the full directory path to the file:




    # rpm --redhatprovides /etc/rc.d/init.d/httpd


    If there is a parent RPM package, you'll see it in the output. It includes the name of the package and the version number. If you've just installed Red Hat Linux 9, you'll see:




    httpd-2.0.40-21





  3. Every RPM is supposed to include a description. You can find the description for the httpd package by using the following command. Note how I run this command without the revision number:




    # rpm -qi httpd
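
Step 1 can be scripted. Init scripts managed by chkconfig carry "# chkconfig:" and "# description:" comment lines in their header, and the following added example (not from the book) extracts them from one script. The function names are hypothetical and the sample header is constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the chkconfig header of a Red Hat init script.
#   "# chkconfig: 345 85 15"   default runlevels, start and stop priority
#   "# description: text \"    a trailing backslash continues the text

# Hypothetical helper: reads one named file, or stdin when none is given.
init_script_info() {
    awk '
        /^#[ \t]*chkconfig:/ {
            sub(/^#[ \t]*chkconfig:[ \t]*/, "")
            levels = $1; start = $2; stop = $3
            next
        }
        /^#[ \t]*description:/ {
            sub(/^#[ \t]*description:[ \t]*/, "")
            in_desc = 1                  # the next rule handles this line too
        }
        in_desc {
            line = $0
            sub(/^#[ \t]*/, "", line)    # continuation lines start with "#"
            more = (line ~ /\\$/)        # does the line end with a backslash?
            sub(/[ \t]*\\$/, "", line)
            desc = (desc == "" ? line : desc " " line)
            in_desc = more
        }
        END {
            printf "levels=%s start=%s stop=%s\n", levels, start, stop
            printf "description=%s\n", desc
        }
    ' "$@"
}

# Constructed sample modelled on an init script header (not a real file).
sample_header() {
    cat <<'EOF'
#!/bin/bash
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
#              HTML files and CGI.
# processname: httpd
EOF
}

if [ "$#" -gt 0 ]; then
    for f in "$@"; do echo "== $f"; init_script_info "$f"; done
else
    sample_header | init_script_info
fi
```

Run it with /etc/rc.d/init.d/* as arguments to summarise every script; a "-" in the levels field means the script is off by default, and files without a header, such as functions, print empty fields.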




Now that you know how to determine what's installed, you can make your own decisions about whether to uninstall or deactivate a service. I've noted several services in Table 3 that can be safely uninstalled or deactivated.






Uninstalling a service


If you know that you're never going to set up a Web server on the local computer, you can uninstall the associated packages. The same is true for the other services with scripts in the aforementioned directories.


It's easy to uninstall a package. For example, if you want to uninstall Apache, just run the rpm command with the name of the package (httpd):




# rpm -e httpd


But there can be problems. If other packages depend on what you're trying to uninstall, the attempt fails, and you should get a message that lists the dependencies. An example of this is shown in Figure 12.






Figure 12: Uninstalling Apache and a dependency.

There is a simple solution. As shown in Figure 12, you can use the same command to uninstall both packages simultaneously. For the configuration shown in Figure 11, I've repeated this command pattern to uninstall the DNS (bind), sendmail, irda-utils, and isdn4k-utils RPM packages. You can repeat this command for the RPM packages of your choice.






Deactivating a service


If you're planning to use a service in the near future, you can deactivate it instead of uninstalling it. Crackers can't get in through a deactivated service. Because this is a book for Microsoft Windows administrators who are converting to Linux, I start with the GUI tool, in this case, the Service Configuration utility. Start it by clicking Main Menu | System Settings | Server Settings | Services, which opens the Service Configuration window shown in Figure 13.






Figure 13: Checking Apache status in the Service Configuration window.

In the case shown in the figure, Apache is running and is set to start the next time you boot your computer. If you want to deactivate Apache, you need to take the following steps:




  1. Highlight the service in question and then click Stop.




  2. Deselect the service. This ensures that Linux does not start the service the next time you boot.





  3. Repeat the process in the other runlevels. The key Red Hat Linux runlevels are 3 and 5. To switch runlevels, click the Edit Runlevel command in the toolbar, and then select the desired runlevel.




  4. If you make changes, be sure to save them.






    Note 

    Red Hat Linux includes seven different runlevels. The important ones for our purposes are 3 and 5. In runlevel 3, you can log in to a text console. In runlevel 5, you can log in to a graphical console as shown in Figure 5. You can configure different services to start at each runlevel.





You can also deactivate services at the command-line interface. For example, to deactivate the Apache (httpd) service at runlevels 3 and 5, run the following command:




# /sbin/chkconfig --level 35 httpd off


The chkconfig command is versatile; for example, you can read the list of active runlevels for httpd with the following command, which tells you if the service is set to be on or off at each of the seven different runlevels:




# /sbin/chkconfig --list httpd


Needless to say, it's almost as easy to make sure that a service becomes active when we boot to one of our key runlevels:




# /sbin/chkconfig --level 35 httpd on
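
An audit built on the chkconfig --list command above, as an added example that is not from the book: it reports every service set to start at runlevel 3 or 5, and every active xinetd service, that is not on a keep list. The keep list, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag services that chkconfig starts at runlevel 3 or 5
# and that are not on a keep list.

# Hypothetical keep list for a Samba file server; adjust it using Table 3.
KEEP="anacron atd autofs crond keytable kudzu netfs network random smb sshd syslog winbind xinetd"

# Reads "chkconfig --list" output on stdin; prints "name levels" per finding.
unexpected_services() {
    awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^xinetd based services:/ { xinetd = 1; next }
        xinetd {                          # lines look like "telnet:  on"
            name = $1; sub(/:$/, "", name)
            if ($2 == "on" && !(name in ok)) print name, "xinetd"
            next
        }
        NF >= 8 {                         # "httpd  0:off 1:off ... 6:off"
            on = ""
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") on = on substr($i, 1, 1)
            if (on != "" && !($1 in ok)) print $1, on
        }
    '
}

# Constructed sample of "chkconfig --list" output (not from a real system).
sample_list() {
    cat <<'EOF'
httpd           0:off   1:off   2:off   3:on    4:off   5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:on    6:off

xinetd based services:
        chargen:        off
        telnet:         on
EOF
}

sample_list | unexpected_services
```

On a live system, pipe the output of /sbin/chkconfig --list into unexpected_services instead of the sample. chkconfig only changes what starts at the next boot or runlevel change, so a service that is already running keeps running until it is stopped, for example with the Stop button described above or with /sbin/service httpd stop.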





















