Services and Daemons

Maintaining security on your system is extremely important, and one approach to this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, httpd if you are running a web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.

This chapter covers the configuration of the services to be run when the system is started, and provides information on how to start, stop, and restart services on the command line using the systemctl utility.

Keep the system secure

When you allow access for new services, always remember that both the firewall and SELinux need to be configured as well. One of the most common mistakes made when configuring a new service is neglecting to implement the necessary firewall configuration and SELinux policies to allow access to it. For more information, refer to the Fedora 26 Security Guide.

Configuring Services

To allow you to configure which services are started at boot time, Fedora is shipped with the systemctl command line tool.

Do not use the ntsysv and chkconfig utilities

Although it is still possible to use the ntsysv and chkconfig utilities to manage services that have init scripts installed in the /etc/rc.d/init.d/ directory, it is advised that you use the systemctl utility.

Enabling the irqbalance service

To ensure optimal performance on POWER architecture, it is recommended that the irqbalance service is enabled. In most cases, this service is installed and configured to run during the Fedora 26 installation. To verify that irqbalance is running, type the following at a shell prompt:

systemctl status irqbalance.service

Enabling the Service

To configure a service to be started automatically at boot time, use the systemctl command in the following form:

systemctl enable service_name.service

The service will be started the next time you boot the system. For information on how to start the service immediately, refer to Running the Service.

Example 1. Enabling the httpd service

Imagine that you want to run the Apache HTTP Server on your system. Provided that you have the httpd package installed, you can enable the httpd service by typing the following at a shell prompt as root:

~]# systemctl enable httpd.service

Disabling the Service

To disable starting a service at boot time, use the systemctl command in the following form:

systemctl disable service_name.service

The next time you boot the system, the service will not be started. For information on how to stop the service immediately, refer to Stopping the Service.

Example 2. Disabling the telnet service

In order to secure the system, users are advised to disable insecure connection protocols such as Telnet. You can make sure that the telnet service is disabled by running the following command as root:

~]# systemctl disable telnet.service

Running Services

The systemctl utility also allows you to determine the status of a particular service, as well as to start, stop, or restart a service.

Do not use the service utility

Although it is still possible to use the service utility to manage services that have init scripts installed in the /etc/rc.d/init.d/ directory, it is advised that you use the systemctl utility.

Checking the Service Status

To determine the status of a particular service, use the systemctl command in the following form:

systemctl status service_name.service

This command provides detailed information on the service’s status. However, if you merely need to verify that a service is running, you can use the systemctl command in the following form instead:

systemctl is-active service_name.service

Example 3. Checking the status of the httpd service

Enabling the httpd service illustrated how to enable starting the httpd service at boot time. Imagine that the system has been restarted and you need to verify that the service is really running. You can do so by typing the following at a shell prompt:

~]$ systemctl is-active httpd.service
active

You can also display detailed information about the service by running the following command:

~]$ systemctl status httpd.service
httpd.service - LSB: start and stop Apache HTTP Server
          Loaded: loaded (/etc/rc.d/init.d/httpd)
          Active: active (running) since Mon, 23 May 2011 21:38:57 +0200; 27s ago
         Process: 2997 ExecStart=/etc/rc.d/init.d/httpd start (code=exited, status=0/SUCCESS)
        Main PID: 3002 (httpd)
          CGroup: name=systemd:/system/httpd.service
                  ├ 3002 /usr/sbin/httpd
                  ├ 3004 /usr/sbin/httpd
                  ├ 3005 /usr/sbin/httpd
                  ├ 3006 /usr/sbin/httpd
                  ├ 3007 /usr/sbin/httpd
                  ├ 3008 /usr/sbin/httpd
                  ├ 3009 /usr/sbin/httpd
                  ├ 3010 /usr/sbin/httpd
                  └ 3011 /usr/sbin/httpd

To display a list of all active system services, use the following command:

systemctl list-units --type=service

This command provides a tabular output with each line consisting of the following columns:

  • UNIT — A systemd unit name. In this case, a service name.

  • LOAD — Information whether the systemd unit was properly loaded.

  • ACTIVE — A high-level unit activation state.

  • SUB — A low-level unit activation state.

  • JOB — A pending job for the unit.

  • DESCRIPTION — A brief description of the unit.

Example 4. Listing all active services

You can list all active services by using the following command:

~]$ systemctl list-units --type=service
UNIT                      LOAD   ACTIVE SUB     JOB DESCRIPTION
abrt-ccpp.service         loaded active exited      LSB: Installs coredump handler which saves segfault data
abrt-oops.service         loaded active running     LSB: Watches system log for oops messages, creates ABRT dump directories for each oops
abrtd.service             loaded active running     ABRT Automated Bug Reporting Tool
accounts-daemon.service   loaded active running     Accounts Service
atd.service               loaded active running     Job spooling tools
[output truncated]

In the example above, the abrtd service is loaded, active, and running, and it does not have any pending jobs.
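
The listing above can be checked against the rule from the chapter introduction that services you do not need should be turned off. The following is an added example, not part of the Fedora guide: it reads list-units output and reports active services that are on a deny list or missing from an allowlist. The ALLOWED and DENIED lists, the function names, and the telnet.service sample row are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `systemctl list-units --type=service` output.
# ALLOWED and DENIED are hypothetical policy lists; adjust them per host role.
ALLOWED="abrt-ccpp.service abrt-oops.service abrtd.service atd.service sshd.service"
DENIED="telnet.service"   # the insecure service named in Example 2

# audit_units: read list-units output on stdin and print one finding per line:
#   DENIED <unit>      an active unit that is on the deny list
#   UNEXPECTED <unit>  an active unit that is missing from the allowlist
audit_units() {
    while read -r unit load active sub rest; do
        # Skip the header, the legend, and anything that is not a service row.
        case "$unit" in *.service) ;; *) continue ;; esac
        # Only units whose ACTIVE column reads "active" are of interest.
        [ "$active" = "active" ] || continue
        case " $DENIED " in
            *" $unit "*) echo "DENIED $unit"; continue ;;
        esac
        case " $ALLOWED " in
            *" $unit "*) ;;
            *) echo "UNEXPECTED $unit" ;;
        esac
    done
}

# Constructed sample: rows from Example 4 plus an invented telnet.service row.
sample_units() {
    cat <<'EOF'
UNIT                      LOAD   ACTIVE SUB     JOB DESCRIPTION
abrt-ccpp.service         loaded active exited      LSB: Installs coredump handler which saves segfault data
abrtd.service             loaded active running     ABRT Automated Bug Reporting Tool
accounts-daemon.service   loaded active running     Accounts Service
atd.service               loaded active running     Job spooling tools
telnet.service            loaded active running     Telnet Server (constructed row)
EOF
}

# On a live system, feed real output instead:
#   systemctl list-units --type=service --plain --no-legend | audit_units
sample_units | audit_units
```

Each finding is a candidate for systemctl stop and systemctl disable, or for an addition to the allowlist once the service is confirmed as required.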

Running the Service

To run a service, use the systemctl command in the following form:

systemctl start service_name.service

This will start the service in the current session. To configure the service to be started at boot time, refer to Enabling the Service.

Example 5. Running the httpd service

Enabling the httpd service illustrated how to run the httpd service at boot time. You can start the service immediately by typing the following at a shell prompt as root:

~]# systemctl start httpd.service

Stopping the Service

To stop a service, use the systemctl command in the following form:

systemctl stop service_name.service

This will stop the service in the current session. To disable starting the service at boot time, refer to Disabling the Service.

Example 6. Stopping the telnet service

Disabling the telnet service illustrated how to disable starting the telnet service at boot time. You can stop the service immediately by running the following command as root:

~]# systemctl stop telnet.service

Restarting the Service

To restart a service, use the systemctl command in the following form:

systemctl restart service_name.service

Example 7. Restarting the sshd service

For any changes in the /etc/ssh/sshd_config configuration file to take effect, it is required that you restart the sshd service. You can do so by typing the following at a shell prompt as root:

~]# systemctl restart sshd.service

Additional Resources

Installed Documentation
  • systemctl(1) — The manual page for the systemctl utility.

Related Books
Fedora 26 Security Guide

A guide to securing Fedora. It contains valuable information on how to set up the firewall, as well as the configuration of SELinux.