Summary of common AIX system services

The following table lists the more common system services in AIX®. Use it as a starting point for securing your system.

Before you secure your system, back up all your original configuration files, especially the following:

  • /etc/inetd.conf
  • /etc/inittab
  • /etc/rc.nfs
  • /etc/rc.tcpip

Each entry below gives the service, the daemon that provides it and what starts it (where applicable), the service's function, and comments.

inetd/bootps (daemon: inetd; started by: /etc/inetd.conf): bootp services to diskless clients

  • Necessary for Network Installation Management (NIM) and remote booting of systems
  • Works concurrently with tftp
  • Disable in most cases

inetd/chargen (daemon: inetd; started by: /etc/inetd.conf): character generator (testing only)

  • Available as a TCP and UDP service
  • Provides opportunity for Denial of Service attacks
  • Disable unless you are testing your network

inetd/cmsd (daemon: inetd; started by: /etc/inetd.conf): calendar service (as used by CDE)

  • Runs as root, therefore a security concern
  • Disable unless you require this service with CDE
  • Disable on back room database servers

inetd/comsat (daemon: inetd; started by: /etc/inetd.conf): notifies users of incoming electronic mail

  • Runs as root, therefore a security concern
  • Seldom required
  • Disable

inetd/daytime (daemon: inetd; started by: /etc/inetd.conf): obsolete time service (testing only)

  • Runs as root
  • Available as a TCP and UDP service
  • Provides an opportunity for Denial of Service ping attacks
  • Service is obsolete and used for testing only
  • Disable

inetd/discard (daemon: inetd; started by: /etc/inetd.conf): /dev/null service (testing only)

  • Available as TCP and UDP service
  • Used in Denial of Service Attacks
  • Service is obsolete and used for testing only
  • Disable

inetd/dtspc (daemon: inetd; started by: /etc/inetd.conf): CDE Subprocess Control

  • This service is started automatically by the inetd daemon in response to a CDE client requesting a process to be started on the daemon's host. This makes it vulnerable to attacks
  • Disable on back room servers with no CDE
  • CDE might be able to function without this service
  • Disable unless absolutely needed

inetd/echo (daemon: inetd; started by: /etc/inetd.conf): echo service (testing only)

  • Available as UDP and TCP service
  • Could be used in Denial of Service or Smurf attacks
  • Used to echo at someone else to get through a firewall or start a datastorm
  • Disable

inetd/exec (daemon: inetd; started by: /etc/inetd.conf): remote execution service

  • Runs as root user
  • Requires that you enter a user ID and password, which are passed unprotected
  • This service is highly susceptible to being snooped
  • Disable

inetd/finger (daemon: inetd; started by: /etc/inetd.conf): finger peeking at users

  • Runs as root user
  • Gives out information about your systems and users
  • Disable

inetd/ftp (daemon: inetd; started by: /etc/inetd.conf): file transfer protocol

  • Runs as root user
  • User ID and password are transferred unprotected, thus allowing them to be snooped
  • Disable this service and use a public domain secure shell suite

inetd/imap2 (daemon: inetd; started by: /etc/inetd.conf): Internet Mail Access Protocol

  • Ensure that you are using the latest version of this server
  • Only necessary if you are running a mail server. Otherwise, disable
  • User ID and password are passed unprotected

inetd/klogin (daemon: inetd; started by: /etc/inetd.conf): Kerberos login

  • Enabled if your site uses Kerberos authentication

inetd/kshell (daemon: inetd; started by: /etc/inetd.conf): Kerberos shell

  • Enabled if your site uses Kerberos authentication

inetd/login (daemon: inetd; started by: /etc/inetd.conf): rlogin service

  • Susceptible to IP spoofing, DNS spoofing
  • Data, including User IDs and passwords, is passed unprotected
  • Runs as root user
  • Use a secure shell instead of this service

inetd/netstat (daemon: inetd; started by: /etc/inetd.conf): reporting of current network status

  • Could potentially give network information to hackers if run on your system
  • Disable

inetd/ntalk (daemon: inetd; started by: /etc/inetd.conf): allows users to talk with each other

  • Runs as root user
  • Not required on production or back room servers
  • Disable unless absolutely needed

inetd/pcnfsd (daemon: inetd; started by: /etc/inetd.conf): PC NFS file services

  • Disable service if not currently in use
  • If you need a service similar to this, consider Samba, as the pcnfsd daemon predates Microsoft's release of SMB specifications

inetd/pop3 (daemon: inetd; started by: /etc/inetd.conf): Post Office Protocol

  • User IDs and passwords are sent unprotected
  • Only needed if your system is a mail server and you have clients who are using applications that only support POP3
  • If your clients use IMAP, use that instead, or use the POP3s service. This service has a Secure Socket Layer (SSL) tunnel
  • Disable if you are not running a mail server or have clients who need POP services

inetd/rexd (daemon: inetd; started by: /etc/inetd.conf): remote execution

  • Runs as root user
  • Peers with the on command
  • Disable service
  • Use rsh and rshd instead

inetd/quotad (daemon: inetd; started by: /etc/inetd.conf): reports of file quotas (for NFS clients)

  • Only needed if you are running NFS file services
  • Disable this service unless required to provide an answer for the quota command
  • If you need to use this service, keep all patches and fixes for this service up to date

inetd/rstatd (daemon: inetd; started by: /etc/inetd.conf): Kernel Statistics Server

  • If you need to monitor systems, use SNMP and disable this service
  • Required for use of the rup command

inetd/rusersd (daemon: inetd; started by: /etc/inetd.conf): information about logged-in users

  • This is not an essential service. Disable
  • Runs as root user
  • Gives out a list of current users on your system and peers with rusers

inetd/rwalld (daemon: inetd; started by: /etc/inetd.conf): write to all users

  • Runs as root user
  • If your systems have interactive users, you might need to keep this service
  • If your systems are production or database servers, this is not needed
  • Disable

inetd/shell (daemon: inetd; started by: /etc/inetd.conf): rsh service

  • Disable this service if possible. Use Secure Shell instead
  • If you must use this service, use the TCP Wrapper to stop spoofing and limit exposures
  • Required for the Xhier software distribution program

inetd/sprayd (daemon: inetd; started by: /etc/inetd.conf): RPC spray tests

  • Runs as root user
  • Might be required for diagnosis of NFS network problems
  • Disable if you are not running NFS

inetd/systat (daemon: inetd; started by: /etc/inetd.conf): "ps -ef" status report

  • Allows for remote sites to see the process status on your system
  • This service is disabled by default. You must check periodically to ensure that the service has not been enabled

inetd/talk (daemon: inetd; started by: /etc/inetd.conf): establish split screen between 2 users on the net

  • Not a required service
  • Used with the talk command
  • Provides UDP service at Port 517
  • Disable unless you need multiple interactive chat sessions for UNIX users

inetd/ntalk (daemon: inetd; started by: /etc/inetd.conf): "new talk", establish split screen between 2 users on the net

  • Not a required service
  • Used with the talk command
  • Provides UDP service at Port 517
  • Disable unless you need multiple interactive chat sessions for UNIX users

inetd/telnet (daemon: inetd; started by: /etc/inetd.conf): telnet service

  • Supports remote login sessions, but the password and ID are passed unprotected
  • If possible, disable this service and use Secure Shell for remote access instead

inetd/tftp (daemon: inetd; started by: /etc/inetd.conf): trivial file transfer

  • Provides UDP service at port 69
  • Runs as root user and might be compromised
  • Used by NIM
  • Disable unless you are using NIM or have to boot a diskless workstation

inetd/time (daemon: inetd; started by: /etc/inetd.conf): obsolete time service

  • Internal function of inetd that is used by the rdate command
  • Available as TCP and UDP service
  • Sometimes used to synchronize clocks at boot time
  • Service is outdated. Use ntpdate instead
  • Disable this only after you have tested your systems (boot/reboot) with this service disabled and have observed no problems

inetd/ttdbserver (daemon: inetd; started by: /etc/inetd.conf): tool-talk database server (for CDE)

  • The rpc.ttdbserverd runs as root user and might be compromised
  • Stated as a required service for CDE, but CDE is able to work without it
  • Should not be run on back room servers or any systems where security is a concern

inetd/uucp (daemon: inetd; started by: /etc/inetd.conf): UUCP network

  • Disable unless you have an application that uses UUCP
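
The inetd rows above amount to an audit checklist for /etc/inetd.conf. The script below is an added example, not code from the AIX documentation: it reads a file in inetd.conf layout (service, socket type, protocol, wait flag, user, server, arguments, with disabled entries commented out by a leading #), reports which of the services the table marks for disabling are still active, and writes a hardened copy with those lines commented out. The sample file is constructed for the example, and the RISKY_INETD list uses the table's own names; a service may appear under a different name in a given file (the table's quotad entry, for instance), so compare the list against your own inetd.conf before relying on it.

```shell
# Added example: audit an inetd.conf against the services the table marks for
# disabling. Assumes standard inetd.conf layout; disabled entries are lines
# beginning with "#". Not part of the AIX documentation.

# Service names the table above says to disable in most cases (klogin/kshell left out).
RISKY_INETD="bootps chargen cmsd comsat daytime discard dtspc echo exec finger ftp \
imap2 login netstat ntalk pcnfsd pop3 rexd quotad rstatd rusersd rwalld shell sprayd \
systat talk telnet tftp time ttdbserver uucp"

# Print each risky service that is still active in file $1 (first field of an
# uncommented line), once, in file order.
inetd_active_risky() {
    awk -v risky="$RISKY_INETD" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        ($1 in want) && !seen[$1]++ { print $1 }    # report each service once
    ' "$1"
}

# Write file $1 to $2 with every active risky service line commented out.
# On a live AIX system the supported equivalent is
#     chsubserver -d -v <service> -p <protocol>
# followed by "refresh -s inetd" so that inetd re-reads its configuration.
inetd_harden() {
    awk -v risky="$RISKY_INETD" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        !/^[ \t]*#/ && ($1 in want) { print "#" $0; next }
        { print }
    ' "$1" > "$2"
}

# Constructed sample inetd.conf (not copied from any system).
SAMPLE_INETD=$(mktemp)
HARDENED_INETD=$(mktemp)
trap 'rm -f "$SAMPLE_INETD" "$HARDENED_INETD"' EXIT
cat > "$SAMPLE_INETD" <<'EOF'
## service  socket  protocol  wait/nowait  user    server              arguments
ftp         stream  tcp6      nowait       root    /usr/sbin/ftpd      ftpd
telnet      stream  tcp6      nowait       root    /usr/sbin/telnetd   telnetd -a
shell       stream  tcp6      nowait       root    /usr/sbin/rshd      rshd
#login      stream  tcp6      nowait       root    /usr/sbin/rlogind   rlogind
klogin      stream  tcp       nowait       root    /usr/sbin/krlogind  krlogind
#exec       stream  tcp6      nowait       root    /usr/sbin/rexecd    rexecd
chargen     stream  tcp       nowait       root    internal
chargen     dgram   udp       wait         root    internal
tftp        dgram   udp6      SRC          nobody  /usr/sbin/tftpd     tftpd -n
EOF

echo "Active services the table says to disable:"
inetd_active_risky "$SAMPLE_INETD"        # ftp telnet shell chargen tftp

inetd_harden "$SAMPLE_INETD" "$HARDENED_INETD"
echo "Still active after hardening: $(inetd_active_risky "$HARDENED_INETD" | wc -l)"
```

Both functions work on a copy, so the hardened file can be diffed against the original before it replaces /etc/inetd.conf; the klogin line is left untouched because the table keeps the Kerberos services enabled where the site uses them.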

inittab/dt (daemon: init; started by: /etc/rc.dt script in /etc/inittab): desktop login to CDE environment

  • Starts the X11 server on the console
  • Supports the X11 Display Manager Control Protocol (XDMCP) so that other X11 stations can log into the same machine
  • Service should be used on personal workstations only. Avoid using it for back room systems

inittab/dt_nogb (daemon: init; started by: /etc/inittab): desktop login to CDE environment (no graphic boot)

  • No graphical display until the system is up fully
  • Same concerns as inittab/dt

inittab/httpdlite (daemon: init; started by: /etc/inittab): web server for the docsearch command

  • Default web server for the docsearch engine
  • Disable unless your machine is a documentation server

inittab/i4ls (daemon: init; started by: /etc/inittab): license manager servers

  • Enable for development machines
  • Disable for production machines
  • Enable for back room database machines that have license requirements
  • Provides support for compilers, database software, or any other licensed products

inittab/imqss (daemon: init; started by: /etc/inittab): search engine for "docsearch"

  • Part of the default web server for the docsearch engine
  • Disable unless your machine is a documentation server

inittab/lpd (daemon: init; started by: /etc/inittab): BSD line printer interface

  • Accepts print jobs from other systems
  • You can disable this service and still send jobs to the print server
  • Disable this after you confirm that printing is not affected

inittab/nfs (daemon: init; started by: /etc/inittab): Network File System/Net Information Services

  • NFS and NIS services, which were built on UDP/RPC
  • Authentication is minimal
  • Disable this for back room machines

inittab/piobe (daemon: init; started by: /etc/inittab): printer IO Back End (for printing)

  • Handles the scheduling, spooling and printing of jobs submitted by the qdaemon daemon
  • Disable if you are not printing from your system because you are sending print jobs to a server

inittab/qdaemon (daemon: init; started by: /etc/inittab): queue daemon (for printing)

  • Submits print jobs to the piobe daemon
  • If you are not printing from your system, then disable

inittab/uprintfd (daemon: init; started by: /etc/inittab): kernel messages

  • Generally not required
  • Disable

inittab/writesrv (daemon: init; started by: /etc/inittab): writing notes to ttys

  • Only used by interactive UNIX workstation users
  • Disable this service for servers, back room databases, and development machines
  • Enable this service for workstations

inittab/xdm (daemon: init; started by: /etc/inittab): traditional X11 Display Management

  • Do not run on back room production or database servers
  • Do not run on development systems unless X11 display management is needed
  • Acceptable to run on workstations if graphics are needed
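
For the inittab rows, the same audit can be run against /etc/inittab, whose entries have the form id:runlevels:action:command and whose comment lines begin with a colon. The script below is an added example, not code from the AIX documentation: it lists which of the entries named in the table are not set to off, and turns one off by rewriting its action field. The sample inittab is constructed for the example, and the identifier list follows the table's names; the real id field on a given system may differ (the rc.nfs entry in particular), so compare RISKY_INITTAB against your own file.

```shell
# Added example: audit an /etc/inittab-format file for the entries the table
# above flags. Entry format: id:runlevels:action:command; lines starting with
# ":" are comments. Not part of the AIX documentation.

# inittab identifiers from the table (check the id field on your own system).
RISKY_INITTAB="dt dt_nogb httpdlite i4ls imqss lpd nfs piobe qdaemon uprintfd writesrv xdm"

# Print "id:action" for each flagged entry whose action is not "off", in file order.
inittab_active_risky() {
    awk -F: -v risky="$RISKY_INITTAB" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^[ \t]*:/ || /^[ \t]*$/ { next }           # skip comments and blank lines
        ($1 in want) && $3 != "off" { print $1 ":" $3 }
    ' "$1"
}

# Copy $1 to $3 with the action of entry $2 set to "off". On a live system use
# chitab (e.g. chitab "dt:2:off:/etc/rc.dt") or rmitab dt to remove the entry,
# then "telinit q" so that init re-reads the file.
inittab_set_off() {
    awk -F: -v id="$2" 'BEGIN { OFS = ":" } $1 == id { $3 = "off" } { print }' "$1" > "$3"
}

# Constructed sample inittab (paths are illustrative, not copied from a system).
SAMPLE_INITTAB=$(mktemp)
HARDENED_INITTAB=$(mktemp)
trap 'rm -f "$SAMPLE_INITTAB" "$HARDENED_INITTAB"' EXIT
cat > "$SAMPLE_INITTAB" <<'EOF'
: constructed sample, not a real /etc/inittab
init:2:initdefault:
srcmstr:23456789:respawn:/usr/sbin/srcmstr # System Resource Controller
rctcpip:23456789:wait:/etc/rc.tcpip > /dev/console 2>&1 # Start TCP/IP daemons
nfs:23456789:wait:/etc/rc.nfs > /dev/console 2>&1 # Start NFS daemons
cron:23456789:respawn:/usr/sbin/cron
piobe:2:wait:/usr/lib/lpd/pio/etc/pioinit >/dev/null 2>&1
qdaemon:23456789:wait:/usr/bin/startsrc -sqdaemon
writesrv:23456789:off:/usr/bin/startsrc -swritesrv
uprintfd:23456789:respawn:/usr/sbin/uprintfd
dt:2:wait:/etc/rc.dt
httpdlite:23456789:once:/usr/IMNSearch/httpdlite/httpdlite
EOF

echo "Flagged inittab entries still enabled:"
inittab_active_risky "$SAMPLE_INITTAB"    # nfs piobe qdaemon uprintfd dt httpdlite (with actions)

# Turn off the CDE desktop login, as the table advises for back room systems.
inittab_set_off "$SAMPLE_INITTAB" dt "$HARDENED_INITTAB"
echo "After setting dt off:"
inittab_active_risky "$HARDENED_INITTAB"
```

Setting the action to off rather than deleting the line keeps the command on record, which makes it easy to confirm later that printing or the desktop was disabled deliberately and to re-enable it if the system's role changes.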

rc.nfs/automountd (started by: /etc/rc.nfs): automatic file systems

  • If you use NFS, enable this for workstations
  • Do not use the automounter for development or back room servers

rc.nfs/biod (started by: /etc/rc.nfs): Block IO Daemon (required for NFS server)

  • Enabled for NFS server only
  • If not an NFS server, then disable this along with nfsd and rpc.mountd

rc.nfs/keyserv (started by: /etc/rc.nfs): Secure RPC Key server

  • Manages the keys required for secure RPC
  • Disable this if you are not using NFS and NIS

rc.nfs/nfsd (started by: /etc/rc.nfs): NFS Services (required for NFS Server)

  • Authentication is weak
  • Can lend itself to stack frame crashing
  • Enable if on NFS file servers
  • If you disable this, then disable biod and rpc.mountd as well

rc.nfs/rpc.lockd (started by: /etc/rc.nfs): NFS file locks

  • Disable if you are not using NFS
  • Disable this if you are not using file locks across the network
  • lockd daemon is mentioned in the SANS Top Ten Security Threats

rc.nfs/rpc.mountd (started by: /etc/rc.nfs): NFS file mounts (required for NFS Server)

  • Authentication is weak
  • Can lend itself to stack frame crashing
  • Should be enabled only on NFS file servers
  • If you disable this, then disable biod and nfsd as well

rc.nfs/rpc.statd (started by: /etc/rc.nfs): NFS file locks (to recover them)

  • Implements file locks across NFS
  • Disable unless you are using NFS

rc.nfs/rpc.yppasswdd (started by: /etc/rc.nfs): NIS password daemon (for NIS master)

  • Used to manipulate the local password file
  • Only required when the machine in question is the NIS master; disable in all other cases

rc.nfs/ypupdated (started by: /etc/rc.nfs): NIS Update daemon (for NIS slave)

  • Receives NIS database maps pushed from the NIS Master
  • Only required when the machine in question is a NIS slave to a Master NIS Server

rc.tcpip/autoconf6 (started by: /etc/rc.tcpip): IPv6 interfaces

  • Disable unless you are running IP Version 6

rc.tcpip/dhcpcd (started by: /etc/rc.tcpip): Dynamic Host Configuration Protocol (client)

  • Back room servers should not rely on DHCP. Disable this service
  • If your host is not using DHCP, disable

rc.tcpip/dhcprd (started by: /etc/rc.tcpip): Dynamic Host Configuration Protocol (relay)

  • Grabs DHCP broadcasts and sends them to a server on another network
  • Duplicate of a service found on routers
  • Disable this if you are not using DHCP or rely on passing information between networks

rc.tcpip/dhcpsd (started by: /etc/rc.tcpip): Dynamic Host Configuration Protocol (server)

  • Answers DHCP requests from clients at boot time; gives client information, such as IP name, number, netmask, router, and broadcast address
  • Disable this if you are not using DHCP
  • Disable on production and back room servers, and on hosts not using DHCP

rc.tcpip/dpid2 (started by: /etc/rc.tcpip): outdated SNMP service

  • Disable unless you need SNMP

rc.tcpip/gated (started by: /etc/rc.tcpip): gated routing between interfaces

  • Emulates router function
  • Disable this service and use RIP or a router instead

rc.tcpip/inetd (started by: /etc/rc.tcpip): inetd services

  • A thoroughly secured system should have this disabled, but this is often not practical
  • Disabling this will disable remote shell services which are required for some mail and web servers

rc.tcpip/mrouted (started by: /etc/rc.tcpip): multi-cast routing

  • Emulates router function of sending multi-cast packets between network segments
  • Disable this service. Use a router instead

rc.tcpip/names (started by: /etc/rc.tcpip): DNS name server

  • Use this only if your machine is a DNS name server
  • Disable for workstation, development and production machines

rc.tcpip/ndp-host (started by: /etc/rc.tcpip): IPv6 host

  • Disable unless you use IP Version 6

rc.tcpip/ndp-router (started by: /etc/rc.tcpip): IPv6 routing

  • Disable this unless you use IP Version 6. Consider using a router instead of IP Version 6

rc.tcpip/portmap (started by: /etc/rc.tcpip): RPC services

  • Required service
  • RPC servers register with portmap daemon. Clients who need to locate RPC services ask the portmap daemon to tell them where a particular service is located
  • Disable only if you have managed to reduce RPC service so that the only one remaining is portmap

rc.tcpip/routed (started by: /etc/rc.tcpip): RIP routing between interfaces

  • Emulates router function
  • Disable if you have a router for packets between networks

rc.tcpip/rwhod (started by: /etc/rc.tcpip): Remote "who" daemon

  • Collects and broadcasts data to peer servers on the same network
  • Disable this service

rc.tcpip/sendmail (started by: /etc/rc.tcpip): mail services

  • Runs as root user
  • Disable this service unless the machine is used as a mail server
  • If disabled, then do one of the following:
    • Place an entry in crontab to clear the queue. Use the /usr/lib/sendmail -q command
    • Configure DNS services so that the mail for your server is delivered to some other system

rc.tcpip/snmpd (started by: /etc/rc.tcpip): Simple Network Management Protocol

  • Disable if you are not monitoring the system via SNMP tools
  • SNMP may be required on critical servers

rc.tcpip/syslogd (started by: /etc/rc.tcpip): system log of events

  • Disabling this service is not recommended
  • Prone to denial of service attacks
  • Required in any system

rc.tcpip/timed (started by: /etc/rc.tcpip): Old Time Daemon

  • Disable this service and use xntp instead

rc.tcpip/xntpd (started by: /etc/rc.tcpip): New Time Daemon

  • Keeps clocks on systems in sync
  • Disable this service
  • Configure other systems as time servers and let other systems synchronize to them with a cron job that calls ntpdate
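
The rc.nfs and rc.tcpip rows above are handled the same way: each daemon is launched by a start line in /etc/rc.nfs or /etc/rc.tcpip, and it is disabled by commenting that line out. The script below is an added example, not code from the AIX documentation, and serves both sets of rows: it reports which flagged daemons are still started and comments out the start line of a named daemon. It assumes every uncommented start line names the daemon by an absolute path (as in rc.tcpip's start /usr/sbin/syslogd "$src_running" form) and takes the daemon's name from that path; the sample files are constructed for the example, and RISKY_RC uses the binary names that appear in those files rather than the table's labels (the table's names entry starts named, and its ndp entries start ndpd-host and ndpd-router).

```shell
# Added example: audit rc.tcpip / rc.nfs style startup files for the daemons
# the table above flags. Assumes each uncommented "start" line names the daemon
# by absolute path. Not part of the AIX documentation.

# Daemons the table says to disable unless needed (binary names as used in the files).
RISKY_RC="autoconf6 dhcpcd dhcprd dhcpsd dpid2 gated mrouted named ndpd-host ndpd-router \
routed rwhod sendmail snmpd timed xntpd \
automountd biod keyserv nfsd rpc.lockd rpc.mountd rpc.statd rpc.yppasswdd ypupdated"

# Print the name of every flagged daemon that is still started in file $1.
rc_active_risky() {
    awk -v risky="$RISKY_RC" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^[ \t]*#/ { next }                           # commented-out start lines
        $1 == "start" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^\//) {                     # first absolute path = daemon
                    m = split($i, p, "/")
                    if (p[m] in want) print p[m]
                    break
                }
        }
    ' "$1"
}

# Copy $1 to $3 with the start line for daemon $2 commented out. The change
# takes effect at the next boot; to stop the running daemon now use
# stopsrc -s <subsystem> (e.g. stopsrc -s timed). If sendmail is the daemon
# being disabled, add the crontab entry for /usr/lib/sendmail -q as the table says.
rc_disable() {
    awk -v d="$2" '
        !/^[ \t]*#/ && $1 == "start" && $0 ~ ("/" d "([ \t]|$)") { print "#" $0; next }
        { print }
    ' "$1" > "$3"
}

# Constructed fragments in the style of the two files (not copied from a system).
SAMPLE_RCTCPIP=$(mktemp); SAMPLE_RCNFS=$(mktemp); HARDENED_RCTCPIP=$(mktemp)
trap 'rm -f "$SAMPLE_RCTCPIP" "$SAMPLE_RCNFS" "$HARDENED_RCTCPIP"' EXIT
cat > "$SAMPLE_RCTCPIP" <<'EOF'
# constructed fragment in the style of /etc/rc.tcpip (not a real file)
# Start up syslog daemon (for error and event logging)
start /usr/sbin/syslogd "$src_running"
# Start up Portmapper
start /usr/sbin/portmap "$src_running"
# Start up socket-based daemons
start /usr/sbin/inetd "$src_running"
# Start up the Sendmail daemon
start /usr/sbin/sendmail "$src_running" "-bd -q${qpi}"
# Start up SNMP daemon
start /usr/sbin/snmpd "$src_running"
# Start up the rwhod daemon
#start /usr/sbin/rwhod "$src_running"
# Start up the timed daemon
start /usr/sbin/timed "$src_running"
# Start up the xntpd daemon
#start /usr/sbin/xntpd "$src_running"
EOF
cat > "$SAMPLE_RCNFS" <<'EOF'
# constructed fragment in the style of /etc/rc.nfs (not a real file)
if [ -x /usr/sbin/biod ]; then
    start /usr/sbin/biod 6
fi
#start /usr/sbin/rpc.lockd
start /usr/sbin/rpc.statd
EOF

echo "rc.tcpip: $(rc_active_risky "$SAMPLE_RCTCPIP" | tr '\n' ' ')"    # sendmail snmpd timed
echo "rc.nfs:   $(rc_active_risky "$SAMPLE_RCNFS" | tr '\n' ' ')"      # biod rpc.statd

# Disable the old time daemon, as the table advises, in favour of xntp/ntpdate.
rc_disable "$SAMPLE_RCTCPIP" timed "$HARDENED_RCTCPIP"
echo "after:    $(rc_active_risky "$HARDENED_RCTCPIP" | tr '\n' ' ')"   # sendmail snmpd
```

syslogd, portmap and inetd are deliberately absent from RISKY_RC: the table lists them as required (portmap only becomes removable once every other RPC service is gone), so the audit reports only daemons whose removal the table actually recommends.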

dt login (file: /usr/dt/config/Xaccess): unrestricted CDE

  • If you are not providing CDE login to a group of X11 stations, you can restrict dtlogin to the console

anonymous FTP service (user rmuser -p): anonymous ftp

  • Anonymous FTP ability prevents you from tracing FTP usage to a specific user
  • Remove user ftp if that user account exists, as follows: rmuser -p ftp
  • Further security can be obtained by populating the /etc/ftpusers file with a list of those who should not be able to ftp to your system

anonymous FTP writes: anonymous ftp uploads

  • No file should belong to ftp
  • FTP anonymous uploads allow the potential for misbehaving code to be placed on your system
  • Put the names of those users you want to disallow into the /etc/ftpusers file
  • Some examples of system-created users you might want to disallow from anonymously uploading via FTP to your system are: root, daemon, bin, sys, admin, uucp, guest, nobody, lpd, nuucp, ldap
  • Change the owner and group of the ftpusers file as follows: chown root:system /etc/ftpusers
  • Change the permissions of the ftpusers file to a stricter setting as follows: chmod 644 /etc/ftpusers

ftp.restrict: ftp to system accounts

  • No user from the outside should be allowed to replace root files; use the ftpusers file to prevent this

root.access (file: /etc/security/user): rlogin/telnet to root account

  • Set the rlogin option in the /etc/security/user file to false
  • Anyone logging in as root should first log in under their own name and then su to root; this provides an audit trail

snmpd.readWrite (file: /etc/snmpd.conf): SNMP readWrite communities

  • If you are not using SNMP, disable the SNMP daemon
  • Disable the "private" and "system" communities in the /etc/snmpd.conf file
  • Restrict the "public" community to those IP addresses that are monitoring your system

syslog.conf: configure syslogd

  • If you have not configured /etc/syslog.conf, then disable this daemon
  • If you are using syslog.conf to log system messages, then keep enabled
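
The anonymous FTP, ftp.restrict and root.access rows describe file-level checks rather than daemons. The script below is an added example, not code from the AIX documentation: it checks an ftpusers file for the accounts the page lists and for the 644 mode the page asks for, and reads or sets the rlogin attribute of the root stanza in a file with the /etc/security/user stanza layout (a name: line opens a stanza, indented attribute = value lines belong to it, and lines beginning with * are comments). Both input files are constructed for the example, the mode check parses ls -l output so that it works on AIX and Linux alike, and on a live system chuser rlogin=false root is the supported way to make the root change.

```shell
# Added example: file-level checks for the ftpusers and root.access rows.
# Not part of the AIX documentation; sample files are constructed.

# Accounts the page lists as candidates for /etc/ftpusers.
FTP_DENY_USERS="root daemon bin sys admin uucp guest nobody lpd nuucp ldap"

# Print each listed account that is missing from ftpusers file $1.
ftpusers_missing() {
    for u in $FTP_DENY_USERS; do
        grep -qx "$u" "$1" || echo "$u"
    done
}

# True when file $1 has exactly mode 644 (-rw-r--r--), as the page asks for.
# The page also asks for "chown root:system"; ls -ld fields 3 and 4 show owner and group.
ftpusers_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-r--r--" ]
}

# Read attribute $3 of stanza $2 from stanza file $1 (/etc/security/user layout).
stanza_attr() {
    awk -v st="$2" -v at="$3" '
        /^[ \t]*\*/ { next }                                  # "*" lines are comments
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
        cur == st && $1 == at && $2 == "=" { print $3; exit }
    ' "$1"
}

# Copy stanza file $1 to $5 with attribute $3 of stanza $2 set to $4, adding the
# line if the stanza lacks it. On a live system: chuser rlogin=false root.
stanza_set_attr() {
    awk -v st="$2" -v at="$3" -v val="$4" '
        function flush() { if (cur == st && !done) { print "        " at " = " val; done = 1 } }
        /^[A-Za-z0-9_.-]+:[ \t]*$/ { flush(); cur = $1; sub(/:$/, "", cur); print; next }
        cur == st && $1 == at && $2 == "=" { print "        " at " = " val; done = 1; next }
        { print }
        END { flush() }
    ' "$1" > "$5"
}

# True when root cannot log in directly over rlogin/telnet (must su from a named account).
root_rlogin_disabled() {
    [ "$(stanza_attr "$1" root rlogin)" = "false" ]
}

# Constructed sample files (not copied from any system).
SAMPLE_FTPUSERS=$(mktemp); SAMPLE_SECUSER=$(mktemp); HARDENED_SECUSER=$(mktemp)
trap 'rm -f "$SAMPLE_FTPUSERS" "$SAMPLE_SECUSER" "$HARDENED_SECUSER"' EXIT
printf '%s\n' root daemon bin sys guest nobody > "$SAMPLE_FTPUSERS"
chmod 644 "$SAMPLE_FTPUSERS"
cat > "$SAMPLE_SECUSER" <<'EOF'
* constructed sample in the layout of /etc/security/user (not a real file)
default:
        admin = false
        login = true
        rlogin = true
        su = true

root:
        admin = true
        rlogin = true
        loginretries = 0
EOF

echo "Missing from ftpusers: $(ftpusers_missing "$SAMPLE_FTPUSERS" | tr '\n' ' ')"  # admin uucp lpd nuucp ldap
ftpusers_mode_ok "$SAMPLE_FTPUSERS" && echo "ftpusers mode is 644"
echo "root rlogin = $(stanza_attr "$SAMPLE_SECUSER" root rlogin)"                    # true
stanza_set_attr "$SAMPLE_SECUSER" root rlogin false "$HARDENED_SECUSER"
root_rlogin_disabled "$HARDENED_SECUSER" && echo "root direct rlogin/telnet now disabled"
```

The stanza reader keys on the stanza name so that a site-wide rlogin = true in the default stanza is not mistaken for root's own setting; the audit trail the page wants (log in as a named user, then su) only exists once the root stanza itself says false.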
