Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example,
httpd if you are running a web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
This chapter covers the configuration of the services to be run when a system is started, and provides information on how to start, stop, and restart the services on the command line using the systemctl utility.
시스템 보안을 유지합니다
When you allow access for new services, always remember that both the firewall and SELinux need to be configured as well. One of the most common mistakes committed when configuring a new service is neglecting to implement the necessary firewall configuration and SELinux policies to allow access for it. For more information, refer to the Fedora 27 Security Guide.
To allow you to configure which services are started at boot time, Fedora is shipped with the systemctl command line tool.
ntsysv와 chkconfig 유틸리티를 사용하지 마세요
Although it is still possible to use the ntsysv and chkconfig utilities to manage services that have init scripts installed in the
irqbalance 서비스 활성화하기
To ensure optimal performance on POWER architecture, it is recommended that the
systemctl status irqbalance.service
To configure a service to be automatically started at boot time, use the systemctl command in the following form:
systemctl enable service_name.service
The service will be started the next time you boot the system. For information on how to start the service immediately, refer to Running the Service.
Imagine you want to run the Apache HTTP Server on your system. Provided that you have the httpd package installed, you can enable the
httpd service by typing the following at a shell prompt as
~]# systemctl enable httpd.service
To disable starting a service at boot time, use the systemctl command in the following form:
systemctl disable service_name.service
The next time you boot the system, the service will not be started. For information on how to stop the service immediately, refer to Stopping the Service.
In order to secure the system, users are advised to disable insecure connection protocols such as Telnet. You can make sure that the
telnet service is disabled by running the following command as
~]# systemctl disable telnet.service
The systemctl utility also allows you to determine the status of a particular service, as well as to start, stop, or restart a service.
서비스 유틸리티를 사용하지 마세요
Although it is still possible to use the service utility to manage services that have init scripts installed in the
To determine the status of a particular service, use the systemctl command in the following form:
systemctl status service_name.service
This command provides detailed information on the service’s status. However, if you merely need to verify that a service is running, you can use the systemctl command in the following form instead:
systemctl is-active service_name.service
Enabling the httpd service illustrated how to enable starting the
httpd service at boot time. Imagine that the system has been restarted and you need to verify that the service is really running. You can do so by typing the following at a shell prompt:
~]$ systemctl is-active httpd.service 동작중
You can also display detailed information about the service by running the following command:
~]$ systemctl status httpd.service httpd.service - LSB: start and stop Apache HTTP Server Loaded: loaded (/etc/rc.d/init.d/httpd) Active: active (running) since Mon, 23 May 2011 21:38:57 +0200; 27s ago Process: 2997 ExecStart=/etc/rc.d/init.d/httpd start (code=exited, status=0/SUCCESS) Main PID: 3002 (httpd) CGroup: name=systemd:/system/httpd.service ├ 3002 /usr/sbin/httpd ├ 3004 /usr/sbin/httpd ├ 3005 /usr/sbin/httpd ├ 3006 /usr/sbin/httpd ├ 3007 /usr/sbin/httpd ├ 3008 /usr/sbin/httpd ├ 3009 /usr/sbin/httpd ├ 3010 /usr/sbin/httpd └ 3011 /usr/sbin/httpd
모든 동적 시스템 서비스의 목록을 표시하려면, 다음 명령을 사용하세요:
systemctl list-units --type=service
This command provides a tabular output with each line consisting of the following columns:
systemdunit name. In this case, a service name.
LOAD— Information whether the
systemdunit was properly loaded.
ACTIVE— A high-level unit activation state.
SUB— A low-level unit activation state.
JOB— A pending job for the unit.
DESCRIPTION— A brief description of the unit.
You can list all active services by using the following command:
~]$ systemctl list-units --type=service UNIT LOAD ACTIVE SUB JOB DESCRIPTION abrt-ccpp.service loaded active exited LSB: Installs coredump handler which saves segfault data abrt-oops.service loaded active running LSB: Watches system log for oops messages, creates ABRT dump directories for each oops abrtd.service loaded active running ABRT Automated Bug Reporting Tool accounts-daemon.service loaded active running Accounts Service atd.service loaded active running Job spooling tools [잘린 출력]
In the example above, the
abrtd service is loaded, active, and running, and it does not have any pending jobs.
서비스를 실행하려면, 다음 형식에서 systemctl 명령을 사용하세요:
systemctl start service_name.service
This will start the service in the current session. To configure the service to be started at boot time, refer to Enabling the Service.
Enabling the httpd service illustrated how to run the
httpd service at boot time. You can start the service immediately by typing the following at a shell prompt as
~]# systemctl start httpd.service
서비스를 멈추려면, 다음 형식에서 systemctl 명령을 사용하세요:
systemctl stop service_name.service
This will stop the service in the current session. To disable starting the service at boot time, refer to Enabling the Service.
Disabling the telnet service illustrated how to disable starting the
telnet service at boot time. You can stop the service immediately by running the following command as
~]# systemctl stop telnet.service
서비스를 재시작하려면, 다음 형식에서 systemctl 명령을 사용하세요:
systemctl restart service_name.service
For any changes in the
/etc/ssh/sshd_config configuration file to take effect, it is required that you restart the
sshd service. You can do so by typing the following at a shell prompt as
~]# systemctl restart sshd.service