Summary of common AIX system services

inetd/bootps

inetd

/etc/inetd.conf

bootp services to diskless clients

• Necessary for Network Installation Management (NIM) and remote booting of systems
• Works concurrently with tftp
• Disable in most cases

inetd/chargen

inetd

/etc/inetd.conf

character generator (testing only)

• Available as a TCP and UDP service
• Provides opportunity for Denial of Service attacks
• Disable unless you are testing your network

inetd/cmsd

inetd

/etc/inetd.conf

calendar service (as used by CDE)

• Runs as root, therefore a security concern
• Disable unless you require this service with CDE
• Disable on back room database servers

inetd/comsat

inetd

/etc/inetd.conf

Notifies incoming electronic mail

• Runs as root, therefore a security concern
• Seldom required
• Disable

inetd/daytime

inetd

/etc/inetd.conf

obsolete time service (testing only)

• Runs as root
• Available as a TCP and UDP service
• Provides opportunity for a Denial of Service PING attacks
• Service is obsolete and used for testing only
• Disable

inetd/discard

inetd

/etc/inetd.conf

/dev/null service (testing only)

• Available as TCP and UDP service
• Used in Denial of Service Attacks
• Service is obsolete and used for testing only
• Disable

inetd/dtspc

inetd

/etc/inetd.conf

CDE Subprocess Control

• This service is started automatically by the inetd daemon in response to a CDE client requesting a process to be started on the daemon's host. This makes it vulnerable to attacks
• Disable on back room servers with no CDE
• CDE might be able to function without this service
• Disable unless absolutely needed

inetd/echo

inetd

etc/inetd.conf

echo service (testing only)

• Available as UDP and TCP service
• Could be used in Denial of Service or Smurf attacks
• Used to echo at someone else to get through a firewall or start a datastorm
• Disable

inetd/exec

inetd

/etc/inetd.conf

remote execution service

• Runs as root user
• Requires that you enter a user ID and password, which are passed unprotected
• This service is highly susceptible to being snooped
• Disable

inetd/finger

inetd

/etc/inetd.conf

finger peeking at users

• Runs as root user
• Gives out information about your systems and users
• Disable

inetd/ftp

inetd

/etc/inetd.conf

file transfer protocol

• Runs as root user
• User id and password are transferred unprotected, thus allowing them to be snooped
• Disable this service and use a public domain secure shell suite

inetd/imap2

inetd

/etc/inetd.conf

Internet Mail Access Protocol

• Ensure that you are using the latest version of this server
• Only necessary if you are running a mail server. Otherwise, disable
• User ID and password are passed unprotected

inetd/klogin

inetd

/etc/inetd.conf

Kerberos login

• Enabled if your site uses Kerberos authentication

inetd/kshell

inetd

/etc/inetd.conf

Kerberos shell

• Enabled if your site uses Kerberos authentication

inetd/login

inetd

/etc/inetd.conf

rlogin service

• Susceptible to IP spoofing, DNS spoofing
• Data, including User IDs and passwords, is passed unprotected
• Runs as root user
• Use a secure shell instead of this service

inetd/netstat

inetd

/etc/inetd.conf

reporting of current network status

• Could potentially give network information to hackers if run on your system
• Disable

inetd/ntalk

inetd

/etc/inetd.conf

Allows users to talk with each other

• Runs as root user
• Not required on production or back room servers
• Disable unless absolutely needed

inetd/pcnfsd

inetd

/etc/inetd.conf

PC NFS file services

• Disable service if not currently in use
• If you need a service similar to this, consider Samba, as the pcnfsd daemon predates Microsoft's release of SMB specifications

inetd/pop3

inetd

/etc/linetd.conf

Post Office Protocol

• User IDs and passwords are sent unprotected
• Only needed if your system is a mail server and you have clients who are using applications that only support POP3
• If your clients use IMAP, use that instead, or use the POP3s service. This service has a Secure Socket Layer (SSL) tunnel
• Disable if you are not running a mail server or have clients who need POP services

inetd/rexd

inetd

/etc/inetd.conf

remote execution

• Runs as root user
• Peers with the on command
• Disable service
• Use rshand rshd instead

inetd/quotad

inetd

/etc/inetd.conf

reports of file quotas (for NFS clients)

• Only needed if you are running NFS file services
• Disable this service unless required to provide an answer for the quota command
• If you need to use this service, keep all patches and fixes for this service up to date

inetd/rstatd

inetd

/etc/inetd.conf

Kernel Statistics Server

• If you need to monitor systems, use SNMP and disable this service
• Required for use of the rup command

inetd/rusersd

inetd

/etc/inetd.conf

info about user logged in

• This is not an essential service. Disable
• Runs as root user
• Gives out a list of current users on your system and peers with rusers

inetd/rwalld

inetd

/etc/inetd.conf

write to all users

• Runs as root user
• If your systems have interactive users, you might need to keep this service
• If your systems are production or database servers, this is not needed
• Disable

inetd/shell

inetd

/etc/inetd.conf

rsh service

• Disable this service if possible. Use Secure Shell instead
• If you must use this service, use the TCP Wrapper to stop spoofing and limit exposures
• Required for theXhier software ditribution program

inetd/sprayd

inetd

/etc/inetd.conf

RPC spray tests

• Runs as root user
• Might be required for diagnosis of NFS network problems
• Disable if you are not running NFS

inetd/systat

inetd

/etc/inted.conf

"ps -ef" status report

• Allows for remote sites to see the process status on your system
• This service is disabled by default. You must check periodically to ensure that the service has not been enabled

inetd/talk

inetd

/etc/inetd.conf

establish split screen between 2 users on the net

• Not a required service
• Used with the talk command
• Provides UDP service at Port 517
• Disable unless you need multiple interactive chat sessions for UNIX user

inetd/ntalk

inetd

/etc/inetd.conf

"new talk" establish split screen between 2 users on the net

• Not a required service
• Used with the talk command
• Provides UDP service at Port 517
• Disable unless you need multiple interactive chat sessions for UNIX user

inetd/telnet

inetd

/etc/inetd.conf

telnet service

• Supports remote login sessions, but the password and ID are passed unprotected
• If possible, disable this service and use Secure Shell for remote access instead

inetd/tftp

inetd

/etc/inetd.conf

trivial file transfer

• Provides UDP service at port 69
• Runs as root user and might be compromised
• Used by NIM
• Disable unless you are using NIM or have to boot a diskless workstation

inetd/time

inetd

/etc/inetd.conf

obsolete time service

• Internal function of inetd that is used by rdate command.
• Available as TCP and UDP service
• Sometimes used to synchronize clocks at boot time
• Service is outdated. Use ntpdate instead
• Disable this only after you have tested your systems (boot/reboot) with this service disabled and have observed no problems

inetd/ttdbserver

inetd

/etc/inetd.conf

tool-talk database server (for CDE)

• The rpc.ttdbserverd runs as root user and might be compromised
• Stated as a required service for CDE, but CDE is able to work without it
• Should not be run on back room servers or any systems where security is a concern

inetd/uucp

inetd

/etc/inetd.conf

UUCP network

• Disable unless you have an application that uses UUCP

inittab/dt

init

/etc/rc.dt script in the /etc/inittab

desktop login to CDE environment

• Starts the X11 server on the console
• Supports the X11 Display Manager Control Protocol (xdcmp) so that other X11 stations can log into the same machine
• Service should be used on personal workstations only. Avoid using it for back room systems

inittab/dt_nogb

init

/etc/inittab

desktop login to CDE environment (NO graphic boot)

• No graphical display until the system is up fully
• Same concerns as inittab/dt

inittab/httpdlite

init

/etc/inittab

web server for the docsearch command

• Default web server for the docsearch engine
• Disable unless your machine is a documentation server

inittab/i4ls

init

/etc/inittab

license manager servers

• Enable for development machines
• Disable for production machines
• Enable for back room database machines that have license requirements
• Provides support for compilers, database software, or any other licensed products

inittab/imqss

init

/etc/inittab

search engine for "docsearch"

• Part of the default web server for the docsearch engine
• Disable unless your machine is a documentation server

inittab/lpd

init

/etc/inittab

BSD line printer interface

• Accepts print jobs from other systems
• You can disable this service and still send jobs to the print server
• Disable this after you confirm that printing is not affected

inittab/nfs

init

/etc/inittab

Network File System/Net Information Services

• NFS and NIS services based which were built on UDP/RPC
• Authentication is minimal
• Disable this for back room machines

inittab/piobe

init

/etc/inittab

printer IO Back End (for printing)

• Handles the scheduling, spooling and printing of jobs submitted by the qdaemon daemon
• Disable if you are not printing from your system because you are sending print job to a server

inittab/qdaemon

init

/etc/inittab

queue daemon (for printing

• Submits print jobs to the piobe daemon
• If you are not printing from your system, then disable

inittab/uprintfd

init

/etc/inittab

kernel messages

• Generally not required
• Disable

inittab/writesrv

init

/etc/inittab

writing notes to ttys

• Only used by interactive UNIX workstation users
• Disable this service for servers, back room databases, and development machines
• Enable this service for workstations

inittab/xdm

init

/etc/inittab

traditional X11 Display Management

• Do not run on back room production or database servers
• Do not run on development systems unless X11 display management is needed
• Acceptable to run on workstations if graphics are needed

rc.nfs/automountd

/etc/rc.nfs

automatic file systems

• If you use NFS, enable this for workstations
• Do not use the automounter for development or back room servers

rc.nfs/biod

/etc/rc.nfs

Block IO Daemon (required for NFS server)

• Enabled for NFS server only
• If not an NFS server, then disable this along with nfsd and rpc.mountd

rc.nfs/keyserv

/etc/rc.nfs

Secure RPC Key server

• Manages the keys required for secure RPC
• Disable this if you are not using NFS and NIS

rc.nfs/nfsd

/etc/rc.nfs

NFS Services (required for NFS Server)

• Authentication is weak
• Can lend itself to stack frame crashing
• Enable if on NFS file servers
• If you disable this, then disable biod, nfsd, and rpc.mountd as well

rc.nfs/rpc.lockd

/etc/rc.nfs

NFS file locks

• Disable if you are not using NFS
• Disable this if you are not using file locks across the network
• lockd daemon is mentioned in the SANS Top Ten Security Threats

rc.nfs/rpc.mountd

/etc/rc.nfs

NFS file mounts (required for NFS Server)

• Authentication is weak
• Can lend itself to stack frame crashing
• Should be enabled only on NFS file servers
• If you disable this, then disable biod and nfsd as well

rc.nfs/rpc.statd

/etc/rc.nfs

NFS file locks (to recover them)

• Implements file locks across NFS
• Disable unless you are using NFS

rc.nfs/rpc.yppasswdd

/etc/rc.nfs

NIS password daemon (for NIS master)

• Used to manipulate the local password file
• Only required when the machine in question is the NIS master; disable in all other cases

rc.nfs/ypupdated

/etc/rc.nfs

NIS Update daemon (for NIS slave)

• Receives NIS database maps pushed from the NIS Master
• Only required when the machine in question is a NIS slave to a Master NIS Server

rc.tcpip/autoconf6

/etc/rc.tcpip

IPv6 interfaces

• Disable unless you are running IP Version 6

rc.tcpip/dhcpcd

/etc/rc.tcpip

Dynamic Host Configure Protocol (client )

• Back room servers should not rely on DHCP. Disable this service
• If your host is not using DHCP, disable

rc.tcpip/dhcprd

/etc/rc.tcpip

Dynamic Host Configure Protocol (relay

• Grabs DHCP broadcasts and sends them to a server on another network
• Duplicate of a service found on routers
• Disable this if you are not using DHCP or rely on passing information between networks

rc.tcpip/dhcpsd

/etc/rc.tcpip

Dynamic Host Configure Protocol (server

• Answers DHCP requests from clients at boot time; gives client information, such as IP name, number, netmask, router, and broadcast address
• Disable this if you are not using DHCP
• Disabled on production and back room servers along with hosts not using DHCP

rc.tcpip/dpid2

/etc/rc.tcpip

outdated SNMP service

• Disable unless you need SNMP

rc.tcpip/gated

/etc.rc.tcpip

gated routing between interfaces

• Emulates router function
• Disable this service and use RIP or a router instead

rc.tcpip/inetd

/etc/rc.tcpip

inetd services

• A thoroughly secured system should have this disabled, but is often not practical
• Disabling this will disable remote shell services which are required for some mail and web servers

rc.tcpip/mrouted

/etc/rc.tcpip

multi-cast routing

• Emulates router function of sending multi-cast packets between network segments
• Disable this service. Use a router instead

rc.tcpip/names

/etc/rc.tcpip

DNS name server

• Use this only if your machine is a DNS name server
• Disable for workstation, development and production machines

rc.tcpip/ndp-host

/etc/rc.tcpip

IPv6 host

• Disable unless you use IP Version 6

rc.tcpip/ndp-router

/etc/rc.tcpip

IPv6 routing

• Disable this unless you use IP Version 6. Consider using a router instead of IP Version 6

rc.tcpip/portmap

/etc/rc.tcpip

RPC services

• Required service
• RPC servers register with portmap daemon. Clients who need to locate RPC services ask the portmap daemon to tell them where a particular service is located
• Disable only if you have managed to reduce RPC service so that the only one remaining is portmap

rc.tcpip/routed

/etc/rc.tcpip

RIP routing between interfaces

• Emulates router function
• Disable if you have a router for packets between networks

rc.tcpip/rwhod

/etc/rc.tcpip

Remote "who" daemon

• Collects and broadcasts data to peer servers on the same network
• Disable this service

rc.tcpip/sendmail

/etc/rc.tcpip

mail services

• Runs as root user
• Disable this service unless the machine is used as a mail server
• If disabled, then do one of the following:
  • Place an entry in crontab to clear the queue. Use the /usr/lib/sendmail -q command
  • Configure DNS services so that the mail for your server is delivered to some other system

rc.tcpip/snmpd

/etc/rc.tcpip

Simple Network Management Protocol

• Disable if you are not monitoring the system via SNMP tools
• SNMP may be required on critical servers

rc.tcpip/syslogd

/etc/rc.tcpip

system log of events

• Disabling this service is not recommended
• Prone to denial of service attacks
• Required in any system

rc.tcpip/timed

/etc/rc.tcpip

Old Time Daemon

• Disable this service and use xntp instead

rc.tcpip/xntpd

/etc/rc.tcpip

New Time Daemon

• Keeps clocks on systems in sync
• Disable this service.
• Configure other systems as time servers and let other systems synchronize to them with a cron job that calls ntpdate

dt login

/usr/dt/config/Xaccess

unrestricted CDE

• If you are not providing CDE login to a group of X11 stations, you can restrict dtlogin to the console.

anonymous FTP service

user rmuser -p <username>

anonymous ftp

• Anonymous FTP ability prevents you from tracing FTP usage to a specific user
• Remove user ftp if that user account exists, as follows: rmuser -p ftp
• Further security can be obtained by populating the /etc/ftpusers file with a list of those who should not be able to ftp to your system

anonymous FTP writes

anonymous ftp uploads

• No file should belong to ftp.
• FTP anonymous uploads allow the potential for misbehaving code to be placed on your system.
• Put the names of those users you want to disallow into the /etc/ftpusers file
• Some examples of system-created users you might want to disallow from anonymously uploading via FTP to your system are: root, daemon, bin.sys, admin.uucp, guest, nobody, lpd, nuucp, ladp
• Change the owner and group rights to the ftpusers files as follows: chown root:system /etc/ftpusers
• Change the permissions to the ftpusers files to a stricter setting as follows: chmod 644 /etc/ftpusers

ftp.restrict

ftp to system accounts

• No user from the outside should be allowed to replace root files using ftpusers file

root.access

/etc/security/user

rlogin/telnet to root account

• Set the rlogin option in the etc/security/user file to false
• Anyone logging in as root should first log in under their own name and then su to root; this provides an audit trail

snmpd.readWrite

/etc/snmpd.conf

SNMP readWrite communities

• If you are not using SNMP, disable the SNMP daemon.
• Disable community private and community system in the /etc/snmpd.conf file
• Restrict 'public' community to those IP addresses that are monitoring your system

syslog.conf

configure syslogd

• If you have not configured /etc/syslog.conf, then disable this daemon
• If you are using syslog.conf to log system messages, then keep enabled