Kali Network Service Policies
Kali Linux handles network services differently from most other distributions. Most importantly, Kali does not enable any externally listening services by default, with the goal of minimizing exposure in the default state.
Default Disallow Policy
By default, Kali Linux does not allow network services to persist across reboots. The following example shows what happens when installing a tool that would by default start a network proxy service on TCP port 3142:
root@kali:~# apt-get install apt-cacher-ng
...
Setting up apt-cacher-ng (0.7.11-1) ...
update-rc.d: We have no instructions for the apt-cacher-ng init script.
update-rc.d: It looks like a network service, we disable it.
...
root@kali:~#
Notice how the update-rc.d script disallowed persistence of the apt-cacher-ng daemon by default.
Service boot persistence
In certain situations, we'll actually want certain services to persist across reboots. To allow this, we can enable a service to persist through reboots using the update-rc.d script as follows:
root@kali:~# update-rc.d apt-cacher-ng enable
update-rc.d: using dependency based boot sequencing
Service whitelists and blacklists
Service whitelists and blacklists can be found in the /usr/sbin/update-rc.d file. Through this file you can explicitly allow or deny services to automatically boot in their default state.
root@kali:~# tail -95 /usr/sbin/update-rc.d |more
}
__DATA__
#
# List of blacklisted init scripts
#
apache2 disabled
avahi-daemon disabled
bluetooth disabled
cups disabled
dictd disabled
ssh disabled
...
#
# List of whitelisted init scripts
#
acpid enabled
acpi-fakekey enabled
acpi-support enabled
alsa-utils enabled
anacron enabled
...
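To check how a given init script is listed without paging through the file, the entries after the __DATA__ marker can be parsed directly. The following is an added example, not part of update-rc.d or the Kali documentation; the function names and the embedded sample file are assumptions built from the excerpt above.

```sh
#!/bin/sh
# Added example: read the policy list after the __DATA__ marker of an
# update-rc.d-style file. Function names and the sample are assumptions.

# service_policy FILE SERVICE -> prints "enabled", "disabled" or "unlisted".
# "unlisted" is the case in the apt-cacher-ng output above: update-rc.d has
# no instructions and disables the script if it looks like a network service.
service_policy() {
    awk -v svc="$2" '
        /^__DATA__$/ { in_data = 1; next }    # entries follow this marker
        !in_data     { next }                 # ignore the script body above it
        /^[ \t]*#/   { next }                 # ignore comment lines
        NF == 2 && $1 == svc { policy = $2 }  # "<init script> <state>"
        END { print (policy == "" ? "unlisted" : policy) }
    ' "$1"
}

# list_policy FILE STATE -> prints each init script listed with STATE.
list_policy() {
    awk -v want="$2" '
        /^__DATA__$/ { in_data = 1; next }
        in_data && !/^[ \t]*#/ && NF == 2 && $2 == want { print $1 }
    ' "$1"
}

# Constructed sample with the same layout as the excerpt above (not the full file).
make_sample() {
    cat <<'EOF'
}
__DATA__
#
# List of blacklisted init scripts
#
apache2 disabled
avahi-daemon disabled
ssh disabled
#
# List of whitelisted init scripts
#
acpid enabled
anacron enabled
EOF
}

sample=$(mktemp) && make_sample > "$sample"
for s in ssh acpid apt-cacher-ng; do
    printf '%s: %s\n' "$s" "$(service_policy "$sample" "$s")"
done
rm -f "$sample"
```

On a Kali system, pass /usr/sbin/update-rc.d as FILE instead of the sample, for example to review every blacklisted service before enabling one of them.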