To reduce the avenues of possible exploitation available to attackers, the best methodology is to shut down any and all unrequired network services. This pertains not only to daemons that run on startup from init.d, but also to processes spawned as a result of a connection to inetd or xinetd. Entirely too many services and network listeners are enabled by default on all operating systems, not just in Linux. However, Linux certainly has its fair share.
On a default install (before any patches are applied), some services are very likely to have critical vulnerabilities that could allow the system to be exploited right out of the box. While patching is obviously a good strategy, it is only a matter of time before the next critical vulnerability is discovered and the service is once again considered vulnerable. Therefore, if it is not needed, remove it. Not only does this simplify future patching and dramatically improve security by providing defense-in-depth, it can also free up system resources.
Beyond disabling, however, you should completely remove all components of unnecessary services from the system. This is because the dormant services, or their components or libraries, could possibly be used for privilege escalation or for granting further access if a box is partially compromised and attackers are hunting for tools.
In order to identify listening ports and running processes that can be disabled, utilities like ps and netstat are useful. Try the following examples.
The following command lists all processes for all users:
The following command lists all open ports and associated processes:
Once unnecessary services or open ports have been identified (and verified), they can usually be disabled by removing the links to their startup scripts referenced by the inittab, or by removing their entries from the inetd or xinetd configuration. This prevents them from being re-spawned when the system is rebooted.
Once sufficient time has passed to verify that they are truly unneeded, the services should be uninstalled from the system. Delete their respective files (in cases where they were installed using source code) or use the rpm -e package_name command (in cases where they were installed via the rpm command). These are obviously not the only two options, as different Linux distributions have various package managers and ways of adding and removing software.
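As an added example (not code from the original article), the following POSIX shell script automates the identification step above: it parses output in the format of netstat -tulpn (assumed to be the netstat variant available) and reports listening sockets bound to non-loopback addresses whose program is not on an allowlist of expected daemons, giving a list of candidates to verify and then disable or uninstall. The netstat output embedded here is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpn` output (not from a real system).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      640/rpcbind
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1203/xinetd
udp        0      0 0.0.0.0:69              0.0.0.0:*                           1203/xinetd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           640/rpcbind'

# Read netstat -tulpn output on stdin and print "proto port program" for every
# socket that listens on a non-loopback address. TCP lines carry a State
# column (LISTEN); UDP lines do not, so the program name is taken from $NF.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, addr, ":")
            port = addr[n]
            bound = $4; sub(/:[0-9]+$/, "", bound)
            if (bound == "127.0.0.1" || bound == "::1") next
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            prog = $NF; sub(/^[0-9]+\//, "", prog)
            print $1, port, prog
        }'
}

# Read netstat output on stdin; $1 is a space-separated allowlist of program
# names expected to listen on this host (constructed policy: only sshd).
# Everything else printed is a candidate for disabling and later removal.
unexpected_listeners() {
    allow=" $1 "
    exposed_listeners | while read -r proto port prog; do
        case "$allow" in
            *" $prog "*) ;;
            *) echo "$proto/$port $prog" ;;
        esac
    done
}

# Count lines without relying on wc's whitespace padding.
count_lines() { awk 'END { print NR }'; }

# Stand-alone usage: review the candidates before touching inittab/xinetd.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "sshd"
```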