Fine tune your server to provide only the services you really want to serve
When you build a server, you are creating a system that should perform its intended function as quickly and efficiently as possible. Just as a paint mixer has no real business being included as an espresso machine attachment, extraneous services can take up resources and, in some cases, cause a real mess that is completely unrelated to what you wanted the server to do in the first place. This is not to say that Linux is incapable of serving as both a top-notch paint mixer and making a good cup of coffee simultaneously — just be sure that this is exactly what you intend before turning your server loose on the world (or rather, turning the world loose on your server).
When building a server, you should continually ask yourself: what do I really need this machine to do? Do I really need FTP services on my web server? Should NFS be running on my DNS server, even if no shares are exported? Do I need the automounter to run if I mount all of my volumes statically?
To get an idea of what your server is up to, simply run a ps ax. If nobody is logged in, this will generally tell you what your server is currently running. You should also see which programs your inetd is accepting connections for, with either a grep -v ^# /etc/inetd.conf or (more to the point) a listing of listening sockets. The first command will show all uncommented lines in your /etc/inetd.conf, while the second (when run as root) will show all of the sockets that are in the LISTEN state, and the programs that are listening on each port. Ideally, you should be able to reduce the output of a ps ax to a page of information or less (barring preforking servers like httpd, of course).
Here are some notorious (and typically unnecessary) services that are enabled by default in many distributions:
These are all part of the NFS subsystem. Are you running an NFS server? Do you need to mount remote NFS shares? Unless you answered yes to either of these questions, you don't need these daemons running. Reclaim the resources that they're taking up and eliminate the potential security risk.
The automounter can be handy to bring up network (or local) filesystems on demand, eliminating the need for root privileges when accessing them. This is especially handy on client desktop machines, where a user needs to use removable media (such as CDs or floppies) or to access network resources. But on a dedicated server, the automounter is probably unnecessary. Unless your machine is providing console access or remote network shares, you can kill the automounter (and set up all of your mounts statically, in /etc/fstab).
Are you running a name server? You don't need named running if you only need to resolve network names; that's what /etc/resolv.conf and the bind libraries are for. Unless you're running name services for other machines, or are running a caching DNS server (see [Hack #78]), then named isn't needed.
Do you ever print to this machine? Chances are, if it's serving Internet resources, it shouldn't be accepting print requests anyway. Remove the printer daemon if you aren't planning on using it.
Do you really need to run any services from inetd? If you have ssh running in standalone mode, and are only running standalone daemons (such as Apache, BIND, MySQL, or ProFTPD), then inetd may be superfluous. At the very least, review which services are being accepted with the grep -v ^# /etc/inetd.conf. If you find that every service can be safely commented out, then why run the daemon? Remove it from the boot process (either by removing it from the system rc's or with a simple
The remote login, execution, and file transfer functionality of these venerable daemons has largely been supplanted by ssh and scp, their cryptographically secure and tremendously flexible counterparts. Unless you have a really good reason to keep them around, it's a good idea to eliminate support for these on your system. If you really need to support ftp connections, you might try the mod_sql plugin for proftpd (see [Hack #85]).
The finger and comsat services made sense in the days of an open Internet, where users were curious but generally well-intentioned. In these days of stealth portscans and remote buffer overflow exploits, running extraneous services that give away information about your server is generally considered a bad idea. The chargen and echo ports were once good for testing network connectivity, but are now too inviting for a random miscreant to fiddle with (and perhaps connect to each other to drive up server load quickly and inexpensively).
Finally, the identd service was once a meaningful and important source of information, providing remote servers with an idea of which users were connecting to their machines. Unfortunately, in these days of local root exploits and desktop Linux machines, installing an identd that (perish the thought!) actually lies about who is connected has become so common that most sites ignore the author information anyway. Since identd is a notoriously shaky source of information, why leave it enabled at all?
To eliminate unnecessary services, first shut them down (either by service stop in /etc/rc.d/init.d/, removing them from /etc/inetd.conf, or by killing them manually). Then, to be sure that they don't start again the next time the machine reboots, remove their entry from /etc/rc.d/*. Once you have your system trimmed down to only the services you intend to serve, reboot the machine and check the process table.
If you absolutely need to run insecure services on your machine, then you should use tcp wrappers or local firewalling to limit access to only the machines that absolutely need it.
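As an added audit helper (not code from the book), the following POSIX shell script applies the two checks described above, the uncommented lines of an inetd.conf and the list of listening sockets, and flags the services this hack recommends removing. The port-to-service mapping uses the standard /etc/services assignments, the sample inetd.conf and listener list are constructed, and the live_risky_listeners function assumes iproute2's ss is installed.

```shell
#!/bin/sh
# Added audit helper, not code from the book. Flags the services this hack
# recommends removing, using the standard /etc/services port assignments.

# Print the service names on every uncommented, non-blank line of an
# inetd.conf read from stdin: the "grep -v ^#" check, but it also skips
# blank lines and indented comments.
inetd_active_services() {
    awk '$0 !~ /^[ \t]*#/ && NF { print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Read "proto port" pairs from stdin (one per line, e.g. "tcp 79") and print
# the name of each one that belongs to a service discussed above.
flag_risky_ports() {
    while read -r proto port; do
        case "$proto/$port" in
            tcp/7|udp/7)       echo "echo" ;;
            tcp/19|udp/19)     echo "chargen" ;;
            tcp/21)            echo "ftp" ;;
            tcp/23)            echo "telnet" ;;
            tcp/79)            echo "finger" ;;
            tcp/111|udp/111)   echo "portmap" ;;
            tcp/113)           echo "identd" ;;
            udp/512)           echo "comsat" ;;
            tcp/512)           echo "exec" ;;
            tcp/513)           echo "login" ;;
            tcp/514)           echo "shell" ;;
            tcp/515)           echo "lpd" ;;
            tcp/2049|udp/2049) echo "nfs" ;;
        esac
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# On a live machine (assumes iproute2's ss): `ss -Hlntup` prints one listening
# socket per line with the protocol in column 1 and "addr:port" in column 5;
# run as root, -p also names the program behind each socket.
live_risky_listeners() {
    ss -Hlntup | awk '{ n = split($5, a, ":"); print $1, a[n] }' | flag_risky_ports
}

# Constructed sample inetd.conf: ftp and finger enabled, telnet commented out.
SAMPLE_INETD='# constructed sample
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
'
echo "inetd services still enabled: $(printf '%s' "$SAMPLE_INETD" | inetd_active_services)"
# Constructed listener list: sshd, httpd, fingerd and the portmapper.
echo "risky listeners: $(printf 'tcp 22\ntcp 80\ntcp 79\nudp 111\n' | flag_risky_ports)"
```

On a real server, replace the constructed input with `live_risky_listeners` and `inetd_active_services < /etc/inetd.conf`; anything the functions name is a candidate for the removal procedure above.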