User guide

Available Network Services
35
Distributed Denial of Service Attack (DDoS) — A type of DoS attack which uses multiple compromised machines (often numbering in the thousands or more) to direct a co-ordinated attack on a service, flooding it with requests and making it unusable.
Script Vulnerability Attacks — If a server is using scripts to execute server-side actions, as Web servers commonly do, a cracker can attack improperly written scripts. These script vulnerability attacks can lead to a buffer overflow condition or allow the attacker to alter files on the system.
Buffer Overflow Attacks — Services that bind to ports numbered 0 through 1023 (the privileged ports) must run as an administrative user. If the application has an exploitable buffer overflow, an attacker could gain access to the system as the user running the daemon. Because exploitable buffer overflows exist, crackers use automated tools to identify systems with vulnerabilities, and once they have gained access, they use automated rootkits to maintain their access to the system.
Note
The threat of buffer overflow vulnerabilities is mitigated in Red Hat Enterprise Linux by ExecShield, an executable memory segmentation and protection technology supported by x86-compatible uni- and multi-processor kernels. ExecShield reduces the risk of buffer overflow by separating virtual memory into executable and non-executable segments. Any program code that tries to execute outside of the executable segment (such as malicious code injected from a buffer overflow exploit) triggers a segmentation fault and terminates.
ExecShield also includes support for No eXecute (NX) technology on AMD64 platforms and eXecute Disable (XD) technology on Itanium and Intel® 64 systems. These technologies work in conjunction with ExecShield to prevent malicious code from running in the executable portion of virtual memory with a granularity of 4KB of executable code, lowering the risk of attack from stealthy buffer overflow exploits.
Important
To limit exposure to attacks over the network, all services that are unused should be turned off.
2.1.5.2. Identifying and Configuring Services
To enhance security, most network services installed with Red Hat Enterprise Linux are turned off by default. There are, however, some notable exceptions:
cupsd — The default print server for Red Hat Enterprise Linux.
lpd — An alternative print server.
xinetd — A super server that controls connections to a range of subordinate servers, such as gssftp and telnet.
sendmail — The Sendmail Mail Transport Agent (MTA) is enabled by default, but only listens for connections from the localhost.
sshd — The OpenSSH server, which is a secure replacement for Telnet.
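To check which of these services are actually started at boot and which of them listen on an address reachable from the network, here is an added shell example (not from the Red Hat guide). It assumes a SysV-init system where `chkconfig --list` and `netstat -tulpn` are available; the two embedded sample outputs are constructed to show the formats the functions parse.

```shell
#!/bin/bash
# Added example, not from the Red Hat guide: list the services that start at boot
# (chkconfig, SysV init) next to the sockets that are reachable from the network
# (netstat), so unused network-facing services can be spotted and turned off.
# The two sample outputs are constructed to show the formats; on a real system the
# functions are fed the live output of `chkconfig --list` and `netstat -tulpn` (as root).

# Constructed sample of `chkconfig --list` (runlevel 3 = multi-user, 5 = graphical)
SAMPLE_CHKCONFIG='cups           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail       0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd         0:off   1:off   2:off   3:off   4:off   5:off   6:off'

# Constructed sample of `netstat -tulpn`: sendmail is bound to localhost only,
# while cupsd and sshd accept connections on every interface.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1123/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1201/sendmail
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1080/cupsd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1080/cupsd'

# Read chkconfig output on stdin; print the services marked "on" in runlevel $1 (default 3).
enabled_services() {
    awk -v rl="${1:-3}" '$0 ~ (" " rl ":on") { print $1 }'
}

# Read netstat output on stdin; print "proto program address:port" for each listening
# socket that is NOT bound to a loopback address, i.e. one reachable from other hosts.
exposed_sockets() {
    awk '$1 ~ /^(tcp|udp)/ && $4 !~ /^127\./ && $4 !~ /^::1:/ {
        n = split($NF, p, "/"); print $1, p[n], $4
    }'
}

# Use live command output where the tools exist (run as root), else the samples.
report() {
    chk=$( command -v chkconfig >/dev/null 2>&1 && chkconfig --list ) || chk=$SAMPLE_CHKCONFIG
    ns=$( command -v netstat >/dev/null 2>&1 && netstat -tulpn 2>/dev/null ) || ns=$SAMPLE_NETSTAT
    echo "== Services started at boot (runlevel 3) =="
    printf '%s\n' "$chk" | enabled_services 3
    echo "== Sockets reachable from the network (proto program address:port) =="
    printf '%s\n' "$ns" | exposed_sockets
}

report
```

A service that appears in the first list but has no business being in the second (cups on a machine without a printer, for instance) is a candidate for `chkconfig <name> off` followed by stopping it.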
When determining whether to leave these services running, it is best to use common sense and err on the side of caution. For example, if a printer is not available, do not leave cupsd running. The