Unsecured Services ?

[cmanL]

I have read that the FTP , Telnet , r-services and sendmail can be insecure. Since I don't use any of these can I simply uninstall these programs without problems? If not how do I disable these? Thanks for any information...

[jpollard]

If you look, they are already disabled.

And by default, they are not installed. These are provided, but are kerberos aware in that they support encrypted communications, and positive authentication using Kerberos credentials. But they can be used in an insecure manner.

The package name is "krb5-appl-servers", and is not installed by default.

Sendmail is only as insecure as email is. As a server all it can do is deliver mail (local and remote). As a client all it can do is send mail.

[cmanL]

Thank you for your response! I'm not totally sure how to check if these services are disabled ( I'm pretty new to Linux system administration ). From what I've learned so far I can check for running services using the chkconfig --list command to see what is currently running and use this command to stop any unwanted services. As far as disabling these services I am usually referred to the /etc/xinetd.d to change various shell script variables ( my xinetd.d folder only contains a file named rsync , not any of the files ever mentioned for revision to disable any service ). I also have looked at the System -> Administration -> services program ( system-config-services ) to determine what services are available ( is this a good way to check and disable unwanted services ). Thanks for any information on this topic !

[jpollard]

In F15/16/17/18... it is "systemctl check-units". If it isn't shown as "active running" then it is not running/listening

[marko]

Quote:

Originally Posted by jpollard

In F15/16/17/18... it is "systemctl check-units". If it isn't shown as "active running" then it is not running/listening

Isn't it:

Quote:

systemctl list-units

??

with check-units I get:

Quote:

systemctl check-units
Unknown operation check-units

I find "systemadm" to be a nice front end, with it you can alphabetically sort the columns, select what
systemctl type to view (services, targets, devices, etc) and opt out of seeing the inactive ones or include them.
Just install package systemd-gtk and run "systemadm"

[stevea]

Quote:

Originally Posted by jpollard

If you look, they are already disabled.

And by default, they are not installed. ...

I'm pretty certain that sendmail IS installed and enabled by default for a lot of the DVD default install configs.

[jpollard]

On my system it runs as root:

Code:

# systemctl list-units
UNIT                      LOAD   ACTIVE SUB       JOB DESCRIPTION
proc-sys...misc.automount loaded active running       Arbitrary Executable File 
sys-devi...d-card1.device loaded active plugged       RV630/M76 audio device [Ra
sys-devi...d-card0.device loaded active plugged       82801I (ICH9 Family) HD Au
sys-devi...et-p5p1.device loaded active plugged       82573E Gigabit Ethernet Co
sys-devi...et-p6p1.device loaded active plugged       82573L Gigabit Ethernet Co
sys-devi...dd-sdd1.device loaded active plugged       MAXTOR_6L060J3
sys-devi...ock-sdd.device loaded active plugged       MAXTOR_6L060J3
sys-devi...ock-sr0.device loaded active plugged       PIONEER_DVD-RW_DVR-116D
sys-devi...da-sda1.device loaded active plugged       SAMSUNG_HD250HJ
sys-devi...da-sda2.device loaded active plugged       SAMSUNG_HD250HJ
sys-devi...da-sda3.device loaded active plugged       SAMSUNG_HD250HJ
sys-devi...da-sda4.device loaded active plugged       SAMSUNG_HD250HJ
sys-devi...da-sda5.device loaded active plugged       SAMSUNG_HD250HJ
sys-devi...ock-sda.device loaded active plugged       SAMSUNG_HD250HJ
sys-devi...db-sdb1.device loaded active plugged       WDC_WD20EARS-00MVWB0
sys-devi...db-sdb2.device loaded active plugged       WDC_WD20EARS-00MVWB0
sys-devi...ock-sdb.device loaded active plugged       WDC_WD20EARS-00MVWB0
sys-devi...dc-sdc1.device loaded active plugged       SAMSUNG_HD250HJ
sys-devi...ock-sdc.device loaded active plugged       SAMSUNG_HD250HJ
sys-devi...y-ttyS2.device loaded active plugged       /sys/devices/platform/seri
sys-devi...y-ttyS3.device loaded active plugged       /sys/devices/platform/seri
sys-devi...y-ttyS0.device loaded active plugged       /sys/devices/pnp0/00:09/tt
sys-devi...y-ttyS1.device loaded active plugged       /sys/devices/pnp0/00:0a/tt
sys-devi...-virbr0.device loaded active plugged       /sys/devices/virtual/net/v
sys-devi...\x2dnic.device loaded active plugged       /sys/devices/virtual/net/v
sys-devi...t-vnet0.device loaded active plugged       /sys/devices/virtual/net/v
sys-devi...ty-tty0.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...ty-tty1.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...y-tty10.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...y-tty11.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...y-tty12.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...ty-tty2.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...ty-tty3.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...ty-tty4.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...ty-tty5.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...ty-tty6.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...ty-tty7.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...ty-tty8.device loaded active plugged       /sys/devices/virtual/tty/t
sys-devi...ty-tty9.device loaded active plugged       /sys/devices/virtual/tty/t
sys-modu...onfigfs.device loaded active plugged       /sys/module/configfs
sys-module-fuse.device    loaded active plugged       /sys/module/fuse
-.mount                   loaded active mounted       /
boot.mount                loaded active mounted       /boot
dev-hugepages.mount       loaded active mounted       Huge Pages File System
dev-mqueue.mount          loaded active mounted       POSIX Message Queue File S
home-jesse-.gvfs.mount    loaded active mounted       /home/jesse/.gvfs
home-sys.mount            loaded active mounted       /home/sys
home.mount                loaded active mounted       /home
media.mount               loaded active mounted       Media Directory
proc-fs-nfsd.mount        loaded active mounted       RPC Pipe File System
....

It lists everything known and gives the status along with a brief description of what the service is.

[droidhacker]

The default configuration for sendmail only listens on localhost (127.0.0.1). No threat unless it is listening on the naked web, which in addition, is protected by iptables. Finally, sendmail really can't do much except deliver email -- it isn't as if its going to hand remote control over to china.

FTP is definitely NOT running by default, you would have to both install AND ENABLE it, i.e., "yum -y install vsftpd; systemctl enable vsftpd.service". Again, however, it is also protected by iptables.

r-services and telnet, all part of xinetd, is no longer installed by default, but again, protected by iptables, AND, its services are disabled by default, EVEN IF xinetd.service is enabled!!!!

Basically, you need to take calculated actions in order for ANY of those listed services to become a threat.