Services are everywhere.
Examples:
| Technology | Service |
|---|---|
| Web Server | Nginx |
| Web Server | Apache |
| Database | MySQL |
| Database | PostgreSQL |
| SSH | sshd |
| Logging | rsyslog |
| Monitoring | Prometheus |
Unlike interactive applications, these programs often operate in the background without direct user interaction.
Linux manages these long-running applications through services.
If services stop functioning:
- Websites become unavailable
- Databases become inaccessible
- Authentication may fail
- Monitoring may stop
- Security controls may fail
What Is a Service?
A service is a program that runs in the background and performs a specific function.
Examples:
Nginx
MySQL
OpenSSH
Docker
Unlike normal applications:
| Application | Service |
|---|---|
| User launches it | Operating system launches it |
| Often interactive | Usually non-interactive |
| Runs while user needs it | Often runs continuously |
| Closes when user exits | Continues running |
Services are designed to provide functionality to other users, applications, or systems.
Services and Processes
A service is not a special type of executable.
A service is ultimately one or more processes.
Example:
Nginx Service
↓
nginx Processes
MySQL Service
↓
mysqld Process
The service defines:
- What should run
- How it should run
- When it should start
- How it should recover
The operating system then manages the associated processes.
Service Lifecycle
Services typically move through several states.
Examples:
| State | Meaning |
|---|---|
| Running | Service is active |
| Stopped | Service is inactive |
| Starting | Service is launching |
| Stopping | Service is shutting down |
| Failed | Service encountered an error |
Understanding service state is important during troubleshooting and investigations.
systemd
Most modern Linux distributions use:
systemd
as their service manager.
Examples:
- Ubuntu
- Debian
- Kali
- Rocky Linux
- CentOS Stream
- Fedora
systemd is responsible for:
- Starting services
- Stopping services
- Monitoring services
- Managing dependencies
- Recording service logs
It is one of the most important components of a modern Linux system.
systemctl
Operators commonly interact with systemd through:
systemctl
Examples:
systemctl status nginx
Displays service status.
systemctl start nginx
Starts a service.
systemctl stop nginx
Stops a service.
systemctl restart nginx
Restarts a service.
systemctl enable nginx
Configures the service to start automatically during boot.
systemctl disable nginx
Prevents automatic startup.
Service Startup
Not all services start automatically.
Examples:
| Service | Startup Behavior |
|---|---|
| SSH | Usually automatic |
| Database | Usually automatic |
| Custom Application | Depends on configuration |
A service configured to start during boot is commonly described as:
Enabled
This means the operating system attempts to start it automatically.
Service Accounts
Many services run as dedicated users.
Examples:
| Service | Common User |
|---|---|
| Apache | www-data |
| Nginx | www-data |
| MySQL | mysql |
| PostgreSQL | postgres |
This supports the principle of least privilege.
Instead of running as root, services often operate using restricted accounts.
Why Service Accounts Matter
Imagine a vulnerable web server.
Scenario A:
Web Server
↓
Runs as root
Compromise may lead directly to full system control.
Scenario B:
Web Server
↓
Runs as www-data
Compromise is often significantly more limited.
This is one of the most important security controls in Linux.
Service Configuration
Services commonly rely on configuration files.
Examples:
/etc/nginx/
/etc/ssh/
/etc/mysql/
Configuration files often define:
- Listening ports
- Authentication methods
- Logging behavior
- Service-specific settings
Operators frequently inspect these locations during investigations.
Service Logs
Services generate logs.
Examples:
/var/log/nginx/
/var/log/apache2/
/var/log/mysql/
Logs often reveal:
- Startup failures
- Authentication events
- Configuration problems
- Unexpected activity
Many investigations involve reviewing service logs.
Services and Persistence
Services can also be abused.
Attackers may:
- Create malicious services
- Modify existing services
- Replace service binaries
- Alter service configuration
Because services often start automatically, they are commonly used as persistence mechanisms.
This topic will be explored later during Persistence and Incident Response sections.
Operator Perspective
When approaching an unfamiliar Linux system, Operators commonly ask:
Inventory
- What services exist?
- Which services are running?
- Which services are enabled?
Security
- Which services are exposed?
- Which services run as root?
- Which services run as dedicated accounts?
Investigations
- Did a service fail?
- Was a service modified?
- Were new services created?
Persistence
- Does a suspicious service exist?
- Was an existing service altered?
Services frequently provide valuable investigative and operational insight.
Key Takeaways
- Services are background applications managed by the operating system.
- Services are ultimately implemented through processes.
- Most modern Linux systems use systemd.
- systemctl is commonly used to manage services.
- Services may be running, stopped, starting, stopping, or failed.
- Services may start automatically during boot.
- Services often run using dedicated service accounts.
- Service logs provide valuable evidence during investigations.
- Services are frequently involved in persistence and privilege escalation scenarios.
Understanding services is essential for administration, troubleshooting, security investigations, and offensive operations.
The next lesson explores automated task execution through cron jobs and timers.