Although the default installation scripts that come with various Linux distribution CDs make it easy to install Linux, they also add a vast number of services to your system, which, at best, you’ll probably never use, or at worst, leave ports open to external break-ins. The more services that are running, the more ports that will be left open to intruders. So to protect your system, it’s best to turn off any unnecessary services.
Find which services are running
Before you can decide which services are unnecessary, you need to know which services are running. To find out, run netstat.
First, open a terminal window and use su to switch to root. Then enter the command # netstat -tap > listening.services, followed by the command # less listening.services. The options mean: -t show TCP sockets, -a show all sockets (not just established connections), -p show the PID and program that owns each socket. Add -u if you also want UDP listeners, which NFS and the portmapper use as well.
The saved file lists every TCP socket, including established connections; the lines whose State is LISTEN are the servers waiting for incoming connections. Each line also shows the PID of the service and the name of the program that started it (the PID/Program column is only filled in when netstat runs as root, which is why you switched to root first).
In general, if you can’t identify a service that is listed, you probably don’t need it. If it is not obvious from the netstat output what a service is, use the ps, find, grep, or locate command to find more information about the program or its specific PID. Also check /etc/services for an unfamiliar service name or port number.
System services are started by init scripts which are found in /etc/init.d/ (or for some distributions, including Red Hat, in /etc/rc.d/init.d/). Use ls on this directory to get a listing of these scripts.
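The triage described above, as an added shell example that is not part of the original article: it pulls the LISTEN lines out of netstat -tap output, looks each service name up in /etc/services-style text, and marks the ones from Table A. The netstat output and the /etc/services excerpt are constructed samples embedded below, and the RISKY list is my own mapping of the table's rows to service names; on a live host pipe real netstat -tap output into triage and point SERVICES_TEXT at /etc/services.

```shell
#!/bin/sh
# Added example, not from the original article: triage the LISTEN entries in
# "netstat -tap" output. Inputs are constructed samples, not captured output.

# Constructed excerpt of netstat -tap output. Without -n, netstat resolves
# port numbers to the names in /etc/services, so rlogin shows up as "login".
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:login                 *:*                     LISTEN      412/inetd
tcp        0      0 *:shell                 *:*                     LISTEN      412/inetd
tcp        0      0 *:telnet                *:*                     LISTEN      412/inetd
tcp        0      0 *:ftp                   *:*                     LISTEN      412/inetd
tcp        0      0 *:sunrpc                *:*                     LISTEN      388/portmap
tcp        0      0 *:ssh                   *:*                     LISTEN      455/sshd
tcp        0      0 localhost:www           *:*                     LISTEN      501/httpd
tcp        0      0 *:printer               *:*                     LISTEN      520/lpd
tcp        0      0 *:x11                   *:*                     LISTEN      602/X
tcp        0    124 myhost:ssh              10.0.0.7:4123           ESTABLISHED 1207/sshd'

# Constructed excerpt of /etc/services (standard port assignments, abbreviated).
# On a live host use: SERVICES_TEXT=$(cat /etc/services)
SAMPLE_SERVICES='ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp
domain          53/tcp
www             80/tcp          http
sunrpc          111/tcp         portmapper
exec            512/tcp
login           513/tcp
shell           514/tcp         cmd
printer         515/tcp         spooler
x11             6000/tcp'
SERVICES_TEXT=$SAMPLE_SERVICES

# Assumed mapping of the rows of Table A to /etc/services names: r* services,
# telnet, ftp, portmapper/NFS, BIND and the mail transport agent.
RISKY='login shell exec telnet ftp sunrpc nfs domain smtp'

# Print "proto local_address pid/program" for every socket in LISTEN state.
# Reads netstat -tap output on stdin.
listening() {
    awk '$6 == "LISTEN" { print $1, $4, $7 }'
}

# Map a service name to its port number using /etc/services-style text on
# stdin; prints nothing if the name is unknown.
port_of() {
    awk -v name="$1" '$1 == name { split($2, p, "/"); print p[1]; exit }'
}

# Exit 0 if the service name is in the RISKY list.
is_risky() {
    for r in $RISKY; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# One triage line per LISTEN socket: name, port, program and a verdict.
#   REVIEW - in the risky list: stop it unless you know why it must run
#   LOCAL  - bound to localhost only, so unreachable from the network
#   CHECK  - reachable from the network; confirm it is wanted
triage() {
    listening | while read -r proto local prog; do
        host=${local%:*}
        name=${local##*:}
        port=$(printf '%s\n' "$SERVICES_TEXT" | port_of "$name")
        if is_risky "$name"; then
            verdict=REVIEW
        elif [ "$host" = "localhost" ] || [ "$host" = "127.0.0.1" ]; then
            verdict=LOCAL
        else
            verdict=CHECK
        fi
        printf '%-8s %-6s %-16s %s\n' "$name" "${port:-?}" "$prog" "$verdict"
    done
}

# Number of sockets in the sample that received a given verdict.
count_verdict() {
    printf '%s\n' "$SAMPLE_NETSTAT" | triage | awk -v v="$1" '$4 == v' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NETSTAT" | triage
echo "review: $(count_verdict REVIEW)  local: $(count_verdict LOCAL)  check: $(count_verdict CHECK)"
```

On the sample the five inetd and portmap entries come out as REVIEW, the httpd bound to localhost as LOCAL, and sshd, lpd and X as CHECK, which is exactly the split the rest of the article works through by hand.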
Decide which services to turn off
Since I plan to use my Linux system as a stand-alone desktop with access to the Internet, I should first check to see if any of the services listed in Table A are active.
Table A: Commonly installed services that should not be run over the Internet

| Service | Notes |
| --- | --- |
| NFS (Network File System) and related services: nfsd, lockd, mountd, statd, portmapper, etc. | NFS is the standard UNIX service for sharing files across a network. It should be used only for sharing files over LANs, not the Internet. NFS should never be turned on in a standalone system. |
| r* services: rsh, rlogin, rexec, rcp, etc. | These are listed in netstat output without the r (rlogin appears as login, rsh as shell, rexec as exec). If needed, use ssh instead. |
| telnet server (telnetd) | Use sshd instead. |
| FTP server (ftpd) | Use only with a dedicated ftp server that can be monitored and secured. For other file exchange, use scp or http. |
| BIND (named), DNS server package | Required only for systems acting as authoritative name servers for a domain. Restrict it or place it behind a firewall when used over the Internet. |
| Mail Transport Agent: sendmail, exim, postfix, qmail | Not needed on a standalone computer that fetches mail from an ISP's POP server instead of receiving it directly from Internet hosts. For receiving mail directly from other hosts on your LAN, enable these only after firewall and access policies are in place. |
For example, netstat reported the services login and shell as currently running. As I note in Table A, these are actually rlogin and rsh and should be turned off. The telnet and ftp daemons listed are servers that accept incoming connections to the machine. Again, because this is a stand-alone system, I should turn these services off. I can always use an ftp or telnet client when I need to download files or telnet over the Internet. The netstat command also reported that the http server is running, which some distributions require for access to online documentation. If I intend to keep this service running, I need to check that it is not accessible from outside the system: in the netstat output it should be bound to localhost (localhost:www) rather than to all interfaces (*:www), or the port must be blocked at the firewall.
A print server is also running. Print servers hold a port open (printer, 515/tcp for lpd) so that jobs can be submitted over a network. Since my printer is physically attached to the machine, it's safe to keep the printer daemon running. I will also keep X, the portable network-transparent window system that collects and distributes user input for client programs. Note that the X server itself listens on TCP port 6000 (x11 in netstat output) unless it is started with -nolisten tcp, which it should be on a standalone machine. If my system were to be used as a dedicated server, X would be unnecessary and would be turned off.
Turn off the unnecessary services
Once you have decided which services are unnecessary, you can begin turning them off. It's a good idea to turn off one service, then run your system for a while without it to confirm that nothing you need has broken. If all is well, stop another service and repeat the process until all unnecessary services are no longer running.
Users logged on as root can turn off a service by entering the path name for the service script followed by the stop option. For example, to turn off nfs, enter: # /etc/init.d/nfs stop.
Note that Red Hat versions of Linux may use the path: /etc/rc.d/init.d instead.
Even though you've stopped a service, it is not turned off permanently: the init script's stop option only kills the running process, and the service will be started again at the next reboot as long as its S link remains in the /etc/rc?.d (or /etc/rc.d/rc?.d) directories. Remove or rename that link, or let chkconfig or update-rc.d do it for you. Services started on demand by inetd or xinetd, which is how telnet, ftp and the r* daemons are usually launched, have no init script of their own: comment out their lines in /etc/inetd.conf (or disable them under /etc/xinetd.d/) and restart inetd. Package upgrades and new installs can re-enable services as well, so run netstat after the next reboot and after every system or package upgrade or new install.
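The stop-and-keep-stopped procedure above, as an added shell example that is not part of the original article. It assumes the SysV layout the article describes (init scripts in /etc/init.d or /etc/rc.d/init.d, S??name start links in rc?.d directories) and a classic inetd.conf rather than xinetd; everything runs against a scratch directory tree built by make_scratch_root, so it touches no real /etc. The snapshot lines used to show the post-reboot comparison are constructed. To use it on a live system, run it as root and pass an empty root ("").

```shell
#!/bin/sh
# Added example, not from the original article: stop a SysV service, keep it
# from starting at boot, silence an inetd-launched service, and compare
# listening-port snapshots taken before and after a reboot.

# Stop the service now and rename its S?? links in the rc?.d directories to
# K?? so the next boot runs "stop" instead of "start". This is the SysV
# convention that chkconfig and update-rc.d apply under the hood.
disable_service() {
    root=$1; svc=$2
    initd=$root/etc/init.d
    [ -d "$initd" ] || initd=$root/etc/rc.d/init.d      # Red Hat layout
    [ -x "$initd/$svc" ] && "$initd/$svc" stop
    for link in "$root"/etc/rc?.d/S??"$svc" "$root"/etc/rc.d/rc?.d/S??"$svc"; do
        [ -e "$link" ] || continue                        # unmatched glob
        dir=$(dirname "$link"); base=$(basename "$link")
        mv "$link" "$dir/K${base#S}"
    done
}

# Exit 0 if any rc?.d directory still holds a start link for the service.
still_enabled() {
    root=$1; svc=$2
    for link in "$root"/etc/rc?.d/S??"$svc" "$root"/etc/rc.d/rc?.d/S??"$svc"; do
        [ -e "$link" ] && return 0
    done
    return 1
}

# telnet, ftp and the r* daemons are usually launched by inetd, not by an init
# script. Comment the service line out of inetd.conf (assumed inetd layout);
# on a live system follow up with: kill -HUP "$(pidof inetd)"
disable_inetd_service() {
    root=$1; svc=$2
    conf=$root/etc/inetd.conf
    [ -f "$conf" ] || return 1
    sed "s/^\($svc[[:space:]]\)/#\1/" "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Snapshot the LISTEN sockets ("proto local_address program") from netstat
# -tap output on stdin, sorted so two snapshots can be compared with comm.
snapshot() {
    awk '$6 == "LISTEN" { print $1, $4, $7 }' | sort
}

# Listeners in the current snapshot that were not in the baseline, i.e.
# services that came back after a reboot or a package upgrade.
new_listeners() {
    comm -13 "$1" "$2"
}

# Scratch tree standing in for /: an nfs init script with a start link in
# rc3.d, and an inetd.conf with telnet and ftp enabled. Prints its path.
make_scratch_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/init.d" "$root/etc/rc3.d"
    cat > "$root/etc/init.d/nfs" <<'EOF'
#!/bin/sh
echo "nfs: $1"
EOF
    chmod +x "$root/etc/init.d/nfs"
    ln -s ../init.d/nfs "$root/etc/rc3.d/S60nfs"
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.telnetd\n' > "$root/etc/inetd.conf"
    printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.ftpd\n' >> "$root/etc/inetd.conf"
    echo "$root"
}

# Walk through the procedure on the scratch tree.
root=$(make_scratch_root)
disable_service "$root" nfs
disable_inetd_service "$root" telnet
if still_enabled "$root" nfs; then echo "nfs: still starts at boot"; else echo "nfs: disabled at boot"; fi
grep '^#telnet' "$root/etc/inetd.conf"
rm -rf "$root"
```

The post-reboot check is then: before rebooting, netstat -tap | snapshot > baseline; after rebooting (or after any upgrade), netstat -tap | snapshot > current; new_listeners baseline current prints only the services that have come back.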