3.5. Running the minimum number of services required

Services are programs such as ftp servers and web servers. Since they have to listen for incoming connections and answer them, external computers can connect to your computer through them. Servers are sometimes vulnerable (i.e. they can be compromised by an attack), and so present a security risk.

You should not install services that are not needed on your machine. Every installed service might introduce new, perhaps not obvious (or known), security holes on your computer.

As you may already know, when you install a given service the default behavior is to activate it. In a default Debian installation, with no services installed, the number of running services is quite low and the number of network-oriented services is even lower. In a default Debian 3.1 standard installation you will end up with OpenSSH, Exim (depending on how you configured it) and the RPC portmapper available as network services[4]. If you did not go through a standard installation but selected an expert installation you can end up with no active network services. The RPC portmapper is installed by default because it is needed for many services, for example NFS, to run on a given system. However, it can be easily removed; see Section 5.13, "Securing RPC services", for more information on how to secure or disable RPC services.

When you install a new network-related service (daemon) on your Debian GNU/Linux system, it can be activated in two ways: through the inetd superdaemon (i.e. a line is added to /etc/inetd.conf) or through a standalone program that binds itself to your network interfaces. Standalone programs are controlled through the files in /etc/init.d, which are called at boot time through the SysV mechanism using the symlinks in /etc/rc?.d/* (for more information on how this is done read /usr/share/doc/sysvinit/README.runlevels.gz).

If you want to keep some services but use them rarely, use the update-* commands, e.g. update-inetd and update-rc.d, to remove them from the startup process. For more information on how to disable network services read Section 3.5.1, "Disabling daemon services". If you want to change the default behaviour of starting up services on installation of their associated packages[5] use policy-rc.d; please read /usr/share/doc/sysv-rc/README.policy-rc.d.gz for more information.

invoke-rc.d support is mandatory in Debian, which means that for Debian 4.0 etch and later releases you can write a policy-rc.d file that forbids starting new daemons before you configure them. Although no such scripts are packaged yet, they are quite simple to write. See policyrcd-script-zg2.
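The following is an added example of such a policy-rc.d script; it is not part of the original manual or of any Debian package. It forbids invoke-rc.d from starting (or restarting) any daemon that is not on an explicit allowlist, while still permitting stop and status actions, so that freshly installed packages stay down until you have configured them. The exit codes are the ones defined in README.policy-rc.d (0 allowed, 100 unknown action, 101 forbidden by policy, 103 syntax error); the contents of the allowlist (ALLOWED_TO_START) are an assumption for this example.

```shell
#!/bin/sh
# Added example policy-rc.d: deny starting daemons unless allowlisted.
# Install as /usr/sbin/policy-rc.d, mode 0755. Exit codes follow
# /usr/share/doc/sysv-rc/README.policy-rc.d.gz:
#   0   action allowed
#   100 unknown initscript action
#   101 action forbidden by policy
#   103 syntax error
# The allowlist below is an assumption for the example; adjust it to taste.
ALLOWED_TO_START="ssh"

# policy_rc_d [--quiet] <initscript id> <action(s)> [<runlevel>]
# invoke-rc.d passes the requested action (possibly followed by fallback
# actions in the same argument); only the first action is judged here.
policy_rc_d() {
    # Skip option arguments such as --quiet.
    while [ $# -gt 0 ]; do
        case $1 in
            --*) shift ;;
            *)   break ;;
        esac
    done
    script=${1:-}
    # Re-split the action argument on whitespace; keep the first word.
    set -- ${2:-}
    action=${1:-}

    [ -n "$script" ] && [ -n "$action" ] || return 103

    case $action in
        start|restart|reload|force-reload)
            for allowed in $ALLOWED_TO_START; do
                [ "$script" = "$allowed" ] && return 0
            done
            return 101 ;;
        stop|status)
            return 0 ;;
        *)
            return 100 ;;
    esac
}

# Dispatch only when this file is actually installed as policy-rc.d, so the
# function can also be sourced and exercised from another script.
case ${0##*/} in
    policy-rc.d) policy_rc_d "$@"; exit $? ;;
esac
```

With this file in place, `apt-get install apache2` unpacks and configures the package but the postinst's invoke-rc.d call is refused with a policy message; you start the daemon yourself with `invoke-rc.d apache2 start` once it is configured, or remove the policy file again. The forbid list deliberately covers restart and reload as well, because those also end with a running daemon.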

3.5.1. Disabling daemon services

Disabling a daemon service is quite simple. You either remove the package providing the program for that service or you remove or rename the startup links under /etc/rc${runlevel}.d/. If you rename them make sure they do not begin with ‘S’ so that they don’t get started by /etc/init.d/rc. Do not remove all the available links or the package management system will regenerate them on package upgrades, make sure you leave at least one link (typically a ‘K’, i.e. kill, link). For more information read http://www.debian.org/doc/manuals/reference/ch-system.en.html#s-custombootscripts section of the Debian Reference (Chapter 2 - Debian fundamentals).

You can remove these links manually or using update-rc.d (see update-rc.d(8)). For example, you can disable a service from executing in the multi-user runlevels by doing:

  # update-rc.d name stop XX 2 3 4 5 .

Where XX is a number that determines when the stop action for that service will be executed. Please note that, if you are not using file-rc, update-rc.d -f `service` remove will not do what you want: since all links are removed, they will be regenerated upon re-installation or upgrade of the package (probably not what you wanted). If you think this is not intuitive you are probably right (see http://bugs.debian.org/67095). From the manpage:

  If any files /etc/rc${runlevel}.d/[SK]??name already exist then
  update-rc.d does nothing. This is so that the system administrator
  can rearrange the links, provided that they leave at least one
  link remaining, without having their configuration overwritten.
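The manual renaming described above (turn every S link into a K link, never delete the last link) is easy to get wrong by hand across several runlevels. The shell functions below are an added example, not part of the original manual or of the sysv-rc package: they inspect and disable a service under /etc/rc?.d the way the text recommends, swapping the leading 'S' for a 'K' and leaving the sequence number untouched so that at least one link always survives for update-rc.d to notice. The ROOT argument is a prefix for the /etc tree (use / on a live system); it exists only so the logic can be exercised against a constructed fixture directory.

```shell
#!/bin/sh
# Added example: disable a SysV service by renaming its S?? links to K??
# links. Nothing is deleted, so the package manager sees existing links on
# upgrade and leaves the administrator's configuration alone.
# ROOT is the prefix of the /etc tree ("/" on a real system; a scratch
# directory when testing). Usage:
#   sysv_links   ROOT SERVICE RUNLEVEL      -> print link names for the service
#   sysv_enabled ROOT SERVICE RUNLEVEL      -> exit 0 if an S link exists
#   sysv_disable ROOT SERVICE RUNLEVEL...   -> rename S links to K links

# Print the [SK]??name links for SERVICE in one runlevel directory.
sysv_links() {
    root=${1%/}; name=$2; rl=$3
    for link in "$root/etc/rc$rl.d/"[SK][0-9][0-9]"$name"; do
        # An unmatched glob stays literal; -L also catches dangling symlinks.
        [ -L "$link" ] || [ -e "$link" ] || continue
        printf '%s\n' "${link##*/}"
    done
}

# Succeed if the service would be started in that runlevel (has an S link).
sysv_enabled() {
    sysv_links "$1" "$2" "$3" | grep -q '^S'
}

# Rename S??name -> K??name in every runlevel given. Returns 1 if no S link
# was found anywhere (nothing to disable, or the name is wrong).
sysv_disable() {
    root=${1%/}; name=$2; shift 2
    found=0
    for rl in "$@"; do
        dir="$root/etc/rc$rl.d"
        for link in "$dir/"S[0-9][0-9]"$name"; do
            [ -L "$link" ] || continue
            found=1
            base=${link##*/}
            # Keep the two-digit sequence number; only the S becomes a K.
            mv "$link" "$dir/K${base#S}"
        done
    done
    [ "$found" -eq 1 ]
}
```

On a live system, `sysv_disable / foobar 2 3 4 5` leaves /etc/rc2.d/K20foobar in place of /etc/rc2.d/S20foobar (and likewise for the other runlevels); `sysv_enabled / foobar 2` then fails, which is the check to run before and after the change. Note that this only stops the service from starting at boot; a daemon that is already running must still be stopped with `invoke-rc.d foobar stop`.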

If you are using file-rc, all information regarding the startup of services is handled by a common configuration file and is maintained even if packages are removed from the system.

You can use the TUI (Text User Interface) provided by sysv-rc-conf to do all these changes easily (sysv-rc-conf works both for file-rc and normal System V runlevels). You will also find similar GUIs for desktop systems. You can also use the command line interface of sysv-rc-conf:

  # sysv-rc-conf foobar off

The advantage of using this utility is that the rc.d links are returned to the status they had before the ‘off’ call if you re-enable the service with:

  # sysv-rc-conf foobar on

Other (less recommended) methods of disabling services are:

  • Removing the /etc/init.d/`service_name` script and removing the startup links using:

    # update-rc.d name remove
  • Move the script file (/etc/init.d/`service_name` ) to another name (for example /etc/init.d/OFF.`service_name` ). This will leave dangling symlinks under /etc/rc${runlevel}.d/ and will generate error messages when booting up the system.

  • Remove the execute permission from the /etc/init.d/`service_name` file. That will also generate error messages when booting.

  • Edit the /etc/init.d/`service_name` script to have it stop immediately once it is executed (by adding an exit 0 line at the beginning or commenting out the start-stop-daemon part in it). If you do this, you will not be able to use the script to startup the service manually later on.

Nevertheless, the files under /etc/init.d are configuration files and should not get overwritten due to package upgrades if you have made local changes to them.

Unlike other (UNIX) operating systems, services in Debian cannot be disabled by modifying files in /etc/default/`service_name` .

FIXME: Add more information on handling daemons using file-rc.

3.5.2. Disabling inetd services

Now you should check whether you really need the inetd daemon at all. inetd was always a way to compensate for kernel deficiencies, but those have been taken care of in modern kernels. There is the possibility of denial of service attacks against inetd (which can increase the machine's load tremendously), and many people prefer running stand-alone daemons to loading services via inetd. If you still want to run some kind of inetd service, then at least use a more configurable inet daemon such as xinetd or rlinetd.

You should stop all unneeded Inetd services on your system, like echo, chargen, discard, daytime, time, talk, ntalk and r-services (rsh, rlogin and rcp) which are considered HIGHLY insecure (use ssh instead).

You can disable services by editing /etc/inetd.conf directly, but Debian provides a better alternative: update-inetd (which comments the services out in a way that makes them easy to turn on again). You could remove the telnet daemon by executing the following command, which changes the config file and restarts the daemon (so the telnet service is disabled):

  /usr/sbin/update-inetd --disable telnet

If you do want a service listening, but do not want it to listen on all IP addresses of your host, you can use an undocumented feature of inetd (replace the service name with the service@ip syntax) or use an alternative inetd daemon such as xinetd.
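To check what inetd is actually still offering after such changes, the following added example (not part of the original manual or of the update-inetd tool) parses an inetd.conf, skips comments and the `#<off>#` entries that update-inetd --disable writes, strips the service@ip binding syntax mentioned above, and flags the services this section calls highly insecure. The r-services appear in inetd.conf under their inetd names shell, login and exec, so those are what the list contains. The sample inetd.conf in the usage is constructed for the example.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for active services.
# inetd.conf fields: service socket_type proto wait/nowait user server args.
# Debian's update-inetd --disable prefixes a line with "#<off># ", which
# the comment test below treats like any other comment.
# Usage: inetd_enabled FILE; inetd_insecure FILE (exit 1 if anything is flagged)

# Services the text calls highly insecure. rsh/rlogin/rexec are registered
# in inetd.conf as shell/login/exec.
INSECURE_INETD="echo chargen discard daytime time talk ntalk shell login exec telnet"

# Print "service proto" for every uncommented entry, with any @ip binding removed.
inetd_enabled() {
    while read -r service socket proto rest; do
        case $service in
            ''|\#*) continue ;;   # blank line, comment, or #<off># entry
        esac
        printf '%s %s\n' "${service%%@*}" "$proto"
    done < "$1"
}

# Print every active service that is on the insecure list; succeed only if none.
inetd_insecure() {
    n=0
    for svc in $(inetd_enabled "$1" | cut -d' ' -f1); do
        for bad in $INSECURE_INETD; do
            if [ "$svc" = "$bad" ]; then
                printf '%s\n' "$svc"
                n=$((n + 1))
                break
            fi
        done
    done
    [ "$n" -eq 0 ]
}
```

Run `inetd_insecure /etc/inetd.conf` after each `update-inetd --disable`; an empty result with exit status 0 means none of the listed services is still active. Services bound to a single address (service@ip) are still reported under their plain name, since they are still reachable on that address.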


[4] The footprint in Debian 3.0 and earlier releases wasn’t as tight, since some inetd services were enabled by default. Also standard installations of Debian 2.2 installed the NFS server as well as the telnet server.

[5] This is desirable if you are setting up a development chroot, for example.