CTS-2301 (Unix/Linux Administration I) Project #6
Enabling Services

 

Due: by the start of class on the date shown on the syllabus

Description:

Services (file, print, remote access, database, etc.) are provided by server programs (daemons) on your host.  Some modern servers make a copy of themselves for each request to that service.  So at any given moment you may see several instances of a server daemon running, or none at all, depending on how many requests for that service are currently being handled by that server.  Running servers you don't need waste memory and CPU cycles, enough to have a user-noticeable effect on system performance.

For this project you are to disable some services (enabled by default during the installation) and to enable the following services on your classroom computer:

There are two types of servers, stand-alone servers such as web, database, and mail servers, and on-demand servers such as telnet.  The difference between these two types of services is that a stand-alone server is “always on” once enabled.  This makes for much faster responses to web page or database requests, since it takes these servers several seconds to start up each time.  A program (client or server) that is always on is called a daemon (pronounced either as “DAY-mən” or “DEE-mən”), after the Greek term for “a person's attendant spirit”.  (A demon would be an evil spirit.)

Daemons historically are enabled or disabled in sets called run-levels which are identified by a number.  Changing run-levels will turn off some servers and turn on others.  Your system has a default run-level “entered” when you boot up; for Fedora, this is run-level “5”.  (Modern systems are moving away from run-levels.)

On the other hand once services such as telnet are enabled, a server (still called a daemon) is started on-demand for each request received.  Services such as telnet and FTP can start up quickly so there is no need to have daemons running all the time.  Such services are managed by a single (always on) “super” server called “xinetd” (or “inetd” on older systems).  Note that on-demand servers can't be manually started and stopped like stand-alone servers.  All you can do is enable/disable them, so they are ready to start (or not) when the next request arrives.  This is done by configuring the “super” server. 

How you list, start, stop, enable, or disable servers or other daemons depends entirely on your host's init system.  Since the 1980s, most systems have used the “System V” (or “SysV”) init system.  This uses shell scripts and directories of symlinks to manage daemons.  The commands available to manage services include chkconfig and service on most systems.

Fedora and some other Linux distros have switched to a new init system, “systemd”.  This system uses the command systemctl to manage daemons.  Most, but not all, services as of Fedora 20 have migrated to systemd.

For details on these commands and init systems, see the class notes, man pages, and resources provided on our class website.

Make sure you keep an accurate system journal of any and all changes you make to your system!  You will need to turn this in, along with the answers to the questions asked below.

It should be noted that some students may have firewalls running on their systems that would prevent access to some services.  However the default firewall will still allow access from localhost to any service running on that host, so you can ignore any firewall issues (for now).  Also the default file and directory permissions should be fine.

However other security sub-systems may block access that you will need to manage or turn off.  These include TCP Wrappers, SE Linux, and possibly PAM.

Requirements:

Answer the following questions and perform the following tasks:

  1. Identify and disable all unused services:
    1. Run the following commands as root:
         chkconfig --list > ~/service-report.chkconfig
         systemctl --all --full --type service > ~/service-report.systemctl
      

      (You can also try “systemctl list-unit-files -t service”, which is more readable but doesn't include the service descriptions.  I prefer this command: “systemctl --all --full --type service |grep running |sed 's/ \{20\}//g'”.)

      Examine these reports.  Note that with systemd, service names all end in “.service”; however, you won't see that part of the name with other tools (such as ps or in log files.)  Which services are running in your default run-level (usually “5”)?  To see systemd managed services running in the current run level, use “grep running ~/service-report.systemctl”.  Are any of the services listed in the chkconfig output, not duplicated in the output of systemctl?  (Hint: Fedora 20 is near the end of a cut-over from System V init (using chkconfig) to systemd init (using systemctl).  So, some older services have not yet been ported to the new system.)

    2. Use the command ps -ef and compare this output to the service-report.systemctl output created in the previous step.  Determine which services that are enabled for the current run-level are actually running one or more processes.  Why are there services which are enabled that don't appear to be running now?  (Hint: a short shell script using a for loop, grep, and sed, can automate this task.  If you don't do that, you need not examine every single service; the idea is to get familiar with the tools, their output, and the concepts.)
    3. Run the GUI tool system-config-services.  This should give a brief description of each service when you click on its name.  Using command line tools, stop each service you don't think you are using.  Which services did you stop?  (The GUI tools haven't been fully updated to work with the newer systemd init system, so only make changes using the command line tools, unless you believe the tools have been updated since 4/2014.)

      (Note that on non-Red Hat systems, you may not have these commands available.  However there will always be some equivalent commands.  “ntsysv” may be found instead on some systems.)

      (Hint: if you are uncertain about some service, try finding a man page for it.  Don't worry about breaking anything; if you turn off some necessary service, you can always turn it back on, or simply reboot.)

    4. Stopping the service now won't prevent the system from restarting it at the next boot.  (That's a good thing when testing and learning, and you turn off some important service!)  For each service you turned off, disable the service from the current run-level, so that it won't start at the next boot.
    5. What would be the commands to stop the pcscd (smart-card) service from the command line, using both chkconfig and systemctl?  Which should you use on your Fedora system?
    6. What is the exact command you would use to disable the bluetooth service from run-level 3, using the Linux command line tool chkconfig?  (Note, this question may be theoretical, as you may not have that service running, or it may not be a “SysV” service.)
    7. How could you disable the SysV isdn service from run-level 3 using standard Unix/Linux command line utilities such as rm and ln, and not using any GUI tools or command-line tools such as chkconfig?
    8. There are many different init systems in use today.  Some Linux systems use “upstart”, Macintosh uses “launchd”, and Unix systems use still others (or System V).  Solaris since version 10 uses a different init system.  What is the command used to disable and stop some service foo on Solaris 10 (or newer)?
    9. Generate a new systemctl service report, saving the result in a different file.  Now use the diff command to compare these two reports.  Whenever you make changes to services, you can generate a new report, and compare it to the previous one.  The diff output is useful to include in your system journal.  What changes are shown by diff?
  2. Enable Apache (httpd) web service:
    1. Manually start the web server and verify it started successfully.  How did you do this?  (Hint:  In Fedora, this is a “native” service, not a “SysV” one.  You must determine or guess the service name for the daemon.)
    2. You must check the Apache log files in /etc/httpd/logs/error_log and the system central log file in /var/log/messages, and examine the output of a ps -ef listing.  What Apache related message(s) did you see in the logs?  What Apache related processes are now running?
    3. Fire up a web browser on your system, and point to the URL http://localhost/What do you see from this URL?  (Make sure you have the correct URL, including the trailing slash!)
    4. Using the appropriate command line tool for this service (systemd or System V), enable Apache to start automatically at boot time.  Exactly what command did you use?
  3. Enable telnet network service:
    1. See if you have installed a telnet server.  You can check with “rpm -q telnet-server”.  If not, install it (the quick and easy way: “yum install telnet-server”).  Note that updating this will likely install xinetd as well.
    2. On Fedora, no on-demand services are installed by default.  Neither is the Internet-server xinetd (even though some files exist in the directory /etc/xinetd.d).  Re-run system-config-servicesWhat has changed now that there are on-demand services installed?
    3. If you examine the files in the directory /etc/init.d you won't find any script to control the telnet service.  Why not?  Where will you find the configuration file for telnet?  (Hint:  This is an on-demand, SysV service.)
    4. Using vi, edit the appropriate file(s) in /etc/xinetd.d to enable this service.  What file(s) did you edit and what change(s) did you make?  (Hint: see man xinetd and man xinetd.conf.)

      Note that the telnet-server package for Fedora 20 uses a new configuration mechanism for some on-demand services, including telnet.  The telnet-server package doesn't install any files in /etc/xinetd.d/ any longer.  To complete this project, as root create a file /etc/xinetd.d/telnet with the following contents:

      # default: off
      # description: The telnet server serves telnet sessions; it uses \
      #       unencrypted username/password pairs for authentication.
      service telnet
      {
              flags           = REUSE
              socket_type     = stream        
              wait            = no
              user            = root
              server          = /usr/sbin/in.telnetd
              log_on_failure  += USERID
              disable         = yes
      }
      

      Then edit the file as directed above.

      (The new systemd way to enable/disable and to start/stop telnet is to run a command such as “systemctl enable telnet.socket”.)

    5. In order to have your changes take effect, restart the xinetd service.  Exactly what command(s) did you use?
    6. Run the command ps -ef and examine the output.  What do you see related to telnet?  Compare this answer with your answer from question in part A.2 above.  Does the output agree with what you expected to see?
    7. Verify telnet now works.  How did you do this?
    8. The modern xinetd server uses TCP Wrappers to control access policies.  Edit (or create) the file /etc/hosts.deny to contain this line:
              ALL: ALL

      Verify telnet is no longer working.  Then examine the system log file.  What error message(s) was produced by the telnet attempt to this security-blocked service?

    9. Edit (or create) /etc/hosts.allow to permit telnet access only, and only from the local network (in our classroom that would be 10.142.255.0/24; that is, IP address 10.142.255.0 with a mask of 255.255.255.0) or from localhost (or 127.0.0.1 and [::1]).  (Note, “telnet localhost” will default to IPv6 on modern systems.  It may be simpler to test using an IP address such as 127.0.0.1, rather than a hostname such as localhost.)  Verify telnet is working again.  What changes did you make?  (Hints:  In the hosts.allow file you need to use the filename (or pathname) of the telnet daemon.  The actual name of the telnet server (daemon) can be seen by examining the /etc/xinetd.d/telnet file.  Also see the man page for the hosts.allow file.)
    10. Having changed the configuration of TCP Wrappers, other services may no longer be working (email, web access, etc.).  Verify all your desired services are still working.  If any have stopped working, you can assume it is due to your changes to TCP Wrappers.  (Or you can examine the system log files to be certain!)  If necessary, re-configure TCP Wrappers /etc/hosts.allow file to allow ALL services from localhost.  What changes (if any) did you have to make?
  4. Enable anonymous FTP service:

    At one time FTP was a very vital service on the Internet.  Today a lot of files can be found and downloaded using HTTP from a web page.  But FTP hasn't gone away.

    FTP has low security, as everything is send across the network in plain text (unencrypted) form.  For upload configurations, web sites, and work documents, the secure variant sFTP (secure FTP) is preferred.  However anonymous FTP is still useful and used.

    For this part we will enable vsftpd (the very secure FTP daemon).  This server can be configured to either run stand-alone or on-demand.  For this project we will enable vsftpd to run as a stand-alone service (which is the default).

    1. If necessary, install the vsftpd server on your system.
    2. Change the FTP user home directory from “/var/ftp” to “/var/ftp/pub”.  Verify that directory exists (and has appropriate permissions).  This user's home directory is (by default) the location of the anonymous FTP site.
    3. Add some simple text file to /var/ftp/pub (so you can test your anonymous FTP site):
         echo 'it works' > /var/ftp/pub/foo.txt
         chmod a+r /var/ftp/pub/foo.txt
      

      (Make sure the file is readable by everyone.)

    4. If desired, you can edit /etc/vsftpd/vsftpd.conf to change the default behavior of the FTP server.  For example, you can add:
         ftpd_banner=Welcome to the Kaos.coop FTP service!
      
      See the comments in that file, and the man page for vsftpd.conf to see what can be changed.  Make a backup copy of the original first!  What changes did you make?  (Use diff command to show.)
    5. Determine if vsftpd is a native or a SysV service, and start the vsftpd service using the appropriate command line utility.  Exactly what did you do for this step?  Check logs for any errors.  What log messages were generated (and in which log files)?
    6. From your non-root account, and from your home directory, try to connect to the anonymous FTP server:
          [auser@localhost ~]$ ftp localhost
      

      Use username “anonymous” or “ftp” for the anonymous user.  By default, any password you enter will be accepted, but you must enter something.

      If this fails to work, what could be blocking access?  (Hint:  Maybe something you did earlier, in part C, blocks access to services?  Also keep in mind, on a modern system the name “localhost” refers to the IPv6 address of “::1”, not “127.0.0.1”.)  What did you do (the exact steps) to allow access to this service (if blocked)?  (Show a diff listing to indicate the changes you made.)

    7. Once you get connected, try various FTP commands: help, dir, ls, pwd, get foo.txt, and to exit, byeWhat directory does pwd show as the current directory?  What files can you see?
    8. Exit FTP and try it again, this time logging in using your normal user account with that account's password.  (Don't try to log in as root!)
      Did the login succeed?  If not, one likely cause is that SE Linux is running in enforcing mode.  If you have difficulty logging in as a normal user (rather than the anonymous user), check if SE Linux is running in enforcing mode with getenforce command.  If so, then run (as root) the setenforce 0 command to switch to permissive mode.  Now try to log in again.  (In the security course you will learn how to configure SE Linux for this, but for our class it is better to switch it to permissive mode.  To make the change permanent edit the file /etc/selinux/config and set the mode from:
          SELINUX=enforcing
      to:
          SELINUX=permissive

      Note!  For security reasons modern systems won't allow you to connect as root, only as a regular user (or sometimes as an anonymous user such as for FTP).

    9. Once you are successfully logged in as a regular user, run some FTP commands again.  What is the result of the commands pwd and ls this time?
    10. To enable local users, to block others, to set up chroot protection for (some) users, you may need to edit the vsftpd.conf file.  You should start by reading the comments in that file.  If that doesn't help try reading the man page.  Remember that to access services from other hosts have security issues and may involve configuring the firewall, TCP wrappers (hosts.allow/deny), or PAM.  (None of this should be necessary for this project.) what changes, if any, did you make?
  5. Creating and installing your own service:
    1. Create a shell script named “/usr/local/bin/hellod” with the following contents:
      #!/bin/sh -
      echo 'Hello, World!'
    2. Make sure the script is readable and executable by everyone.  Run it (as non-root user) to test it.
    3. Now create a file /etc/xinetd.d/hello so your new “hello” service can be started on demand.  Your new service should listen on port number TCP/9333.  (This is a currently unassigned port, according to the master list of port number assignments by the IANA.)  The file should have the following contents:
      # default: off
      # description: Demo service that runs a shell script to say hello, world!
      
      service hello
      {
        disable      = no
        socket_type  = stream
        type         = UNLISTED
        port         = 9333
        wait         = no
        user         = nobody
        server       = /usr/local/bin/hellod
      }
    4. Now reload the xinetd service to make it read the new configuration.  Check the log file for any messages from xinetdWhat messages resulted from reloading xinetd?  If any errors were noted, fix them and repeat.  What errors (if any) were found and what did you do to resolve them?
    5. Once there are no errors, your new service should be available.  Test it out by running this command (not as root):
      nc localhost 9333

      If you don't have nc installed, you can install the nc package with yum.  “nc” is the Linux name of the “netcat” utility.  (Or you can use telnet instead of nc.)

      What was the result (output) of running this command?

      If this fails to work, what could be blocking access?  (Hint:  Maybe something you did earlier in part C blocks access to services?  Keep in mind that on a modern system, the name “localhost” refers to the IPv6 address of “::1”, not “127.0.0.1”.  You may have better luck using the numeric address instead of the name.)  What did you do (the exact steps) to allow access to this service (if blocked)?  (You can show a diff listing to indicate the changes you made.)  Once fixed retry the command.

  6. Listing available services:
    1. List all the services now available on your host.  There are a number of tools you can use for this purpose, including “lsof -i” and “netstat -lA inet”.  But lsof lists each process listening, so ports such as TCP/80 will be listed multiple times, and netstat won't list on-demand services (just the super-server xinetd).  Perhaps the simplest way is to run (as root) the command “nmap -sSU -p 0-65535 localhost”.  (You may need to install nmap using yum.)  This command may take about a minute to run.

      How many ports are open?  What are the meanings of the options to the nmap command used?  What would the option “-6” mean?

    2. What is the purpose of the “/etc/services” file?  What would happen if you commented out (or removed) the line(s) for some service, such as Telnet?  (You can always try it and see what happens.  Use the command “nc -t localhost 23” to test, as “telnet localhost” does use /etc/services to look up the port number, and so it will fail.)

To be turned in:

The answers to the questions above and the portion of your system journal describing the steps you have taken to enable these services.

You can submit your project as email to .  Please see your syllabus for more information about submitting projects.