Okay, so you have that smokin’ Linux LAMP server up and running, and you want it to be as secure as possible. But what services should you stop (permanently) to increase security — and how do you go about it? Of course, your choice of distribution will determine how these services are stopped. Not all are created equal. But most services can be stopped using the init system.
On a Ubuntu machine, you can stop them by issuing sudo /etc/init.d/command_name stop. With a Red Hat based distribution, you can stop them (as root) with /etc/rc.d/init.d/command_name stop. Here’s a look at 10 commands you can use to stop potentially risky services and make your server more secure.
Note: This information is also available as a PDF download.
Let’s face it: Unless you really know Sendmail backwards and forwards, you shouldn’t be using it. Sendmail is known to be full of holes. So stop this from the get-go. Sendmail can be stopped with /etc/init.d/sendmail stop. Now if you do need a mail server, migrate to Postfix or another good mail daemon that is easier to secure and configure.
Now don’t get me wrong, I am a big fan of NFS. I use it a lot, but never on a production server on a WAN. There are too many well-known exploits within the NFS daemon. Stopping NFS requires the stopping of both Portmap and NFS. These are stopped with the /etc/init.d/portmap stop and /etc/init.d/nfs stop commands.
By default, this service should be off. But I have had installations where it was up and running. That is not good. Chargen is used for testing purposes, such as bandwidth testing. To disable this service, issue the command /etc/init.d/chargen stop.
This daemon binds NIS clients to an NIS domain. If you do not intend to use NIS, can this daemon. There are multiple issues this guy can bring up (image capture arbitrary overwrite, multiple remote vulnerabilities, mail memory corruption, etc.) To kill ypbind, issue the command /etc/init.d/ypbind stop.
Most admins depend upon sshd to allow them remote shell access to a machine. If you don’t need that remote access, it’s best to not have this daemon running. Although OpenSSH is quite secure, vulnerabilities do pop up. If you do need the ssh daemon running, make sure you have root access disabled and have the OpenSSH server always updated to the latest release. To stop the ssh daemon, simply issue the command /etc/init.d/sshd stop.
This strange service has one purpose: Run cron jobs that were scheduled when your system is down. First and foremost, your system is probably never down. This service is unnecessary and, like many other services, can be exploited. Shut down this service with /etc/init.d/anacron stop.
This service controls the at command which queues, examines, or deletes jobs for later execution. Most people do not use the at command, so this service should be stopped. And since anything that atd can do, cron can do, this service may as well be shut down. Shutting down atd is as simple as /etc/init.d/atd stop.
Does your server need automatic router table updates? The Linux routed system has been known for such exploits as the ability to have the trace mode turned on remotely using any arbitrary filename. Also, RIP (the protocol used by routed) does not have any built-in authentication. So unless you are using your Linux box as a router, you’re going to want to shut that down. The /etc/init.d/routed stop command will fix that problem.
This little daemon, when running, awaits snmp requests used for monitoring a system. Typically, you won’t need it unless you must remotely monitor a server. There are plenty of snmp exploits in the wild to keep you from wanting this on a machine accessible to the outside world. To kill this daemon, issue the command /etc/init.d/snmpd stop.
I admit, I do use rsync on occasion. But it’s a rare occasion and can be bettered with scp (secure copy found in secure shell). And with the many weaknesses of rsync, you are certainly better off shutting it down. With the command /etc/init.d/rsync stop, you are safe.
Safer… and quicker, too
That’s the short list of first applications to be shut down for a more secure Linux server. Now you may be asking how you can manage this without having to rerun every command after boot. Simple. If you’re using a Ubuntu-based system you can issue the command sudo update-rc.d -f APPNAME remove (where APPNAME is the name of the service to remove), which will remove the service from boot-time execution.
If you are using a Fedora-based system, you can open up the Services gui, uncheck the service you want to keep from starting, and save. Or you can use the ntsysv command curses-based application. With ntsysv, you will find the service you want to stop from booting, select it (you’ll move around with the arrow keys), hit the space bar to disable it (an asterisk marks the service enabled), and then exit the application.
And as a final note, I will mention that the fewer services you have starting at boot time, the quicker your machine will boot. So stopping unnecessary services on a Linux machine is a win-win situation.