Hack 1 Removing Unnecessary Services
 
Fine tune your server to provide only the services you really want to serve
When you build a server, you are creating
a system that should perform its intended function as
quickly and efficiently as possible. Just as a paint mixer has no
real business being included as an espresso machine attachment,
extraneous services can take up resources and, in some cases, cause a
real mess that is completely unrelated to what you wanted the server
to do in the first place. This is not to say that Linux is incapable
of serving as both a top-notch paint mixer and making a good cup of
coffee simultaneously — just be sure that this is exactly what
you intend before turning your server loose on the world (or rather,
turning the world loose on your server).
When building a server, you should continually ask yourself: what do
I really need this machine to do? Do I really need FTP services on my
web server? Should NFS be running on my DNS server, even if no shares
are exported? Do I need the automounter to run if I mount all of my
volumes statically?
To get an idea of what your server is up to, simply run ps ax. If nobody is logged in, this will generally tell you what your server is currently running. You should also check which programs your inetd is accepting connections for, with either grep -v ^# /etc/inetd.conf or (more to the point) netstat -lp. The first command shows all uncommented lines in your inetd.conf, while the second (when run as root, which is what lets the -p column name processes that belong to other users) shows every socket in the LISTEN state and the program listening on each port. On distributions that no longer ship netstat, ss -lptn gives the same view. Keep in mind that the two views are complementary: a service spawned by inetd does not appear in ps ax until a client actually connects, and netstat attributes its port to inetd rather than to the service, so you need both. Ideally, you should be able to reduce the output of ps ax to a page of information or less (barring preforking servers like httpd, of course).
Here are some notorious (and typically unnecessary) services that are
enabled by default in many distributions:
- portmap, rpc.mountd, rpc.nfsd
  These are all part of the NFS subsystem (portmap is the RPC portmapper, which NIS and other RPC services also depend on, so check for those too before removing it). Are you running an NFS server? Do you need to mount remote NFS shares? Unless you answered yes to either of these questions, you don't need these daemons running. Reclaim the resources they're taking up and eliminate the potential security risk.
- smbd and nmbd
  These are the Samba daemons. Do you need to export SMB shares to Windows boxes (or other machines)? If not, these processes can be safely killed.
- automount
  The automounter can be handy for bringing up network (or local) filesystems on demand, eliminating the need for root privileges when accessing them. This is especially handy on client desktop machines, where a user needs to use removable media (such as CDs or floppies) or to access network resources. But on a dedicated server, the automounter is probably unnecessary. Unless your machine is providing console access or mounts remote network shares on demand, you can kill the automounter (and set up all of your mounts statically, in /etc/fstab).
- named
  Are you running a name server? You don't need named running if you only need to resolve network names; that's what /etc/resolv.conf and the resolver library are for. Unless you're running name services for other machines, or are running a caching DNS server (see [Hack #78]), named isn't needed.
- lpd
  Do you ever print to this machine? Chances are, if it's serving Internet resources, it shouldn't be accepting print requests anyway. Remove the printer daemon if you aren't planning on using it.
- inetd
  Do you really need to run any services from inetd? If you have ssh running in standalone mode, and are only running standalone daemons (such as Apache, BIND, MySQL, or ProFTPD), then inetd may be superfluous. At the very least, review which services are being accepted with grep -v ^# /etc/inetd.conf. If you find that every service can be safely commented out, then why run the daemon at all? Remove it from the boot process by taking it out of the system rc's. (The quick hack of chmod -x /usr/sbin/inetd also works, but the next package upgrade will put the execute bit back, so don't rely on it.)
- telnet, rlogin, rexec, ftp
  The remote login, execution, and file transfer functionality of these venerable daemons has largely been supplanted by ssh and scp, their cryptographically secure and tremendously flexible counterparts. Unless you have a really good reason to keep them around, it's a good idea to eliminate support for these on your system. If you really need to support ftp connections, you might try the mod_sql plugin for proftpd (see [Hack #85]).
- finger, comsat, chargen, echo, identd
  The finger and comsat services made sense in the days of an open Internet, where users were curious but generally well-intentioned. In these days of stealth portscans and remote buffer overflow exploits, running extraneous services that give away information about your server is generally considered a bad idea. The chargen and echo ports were once good for testing network connectivity, but are now too inviting for a random miscreant to fiddle with (and perhaps connect to each other to drive up server load quickly and inexpensively). Finally, the identd service was once a meaningful and important source of information, providing remote servers with an idea of which users were connecting to their machines. Unfortunately, in these days of local root exploits and desktop Linux machines, installing an identd that (perish the thought!) actually lies about who is connected has become so common that most sites ignore the information it returns anyway. Since identd is a notoriously shaky source of information, why leave it enabled at all?
To eliminate unnecessary services, first shut them down: run the init script with the stop argument (/etc/rc.d/init.d/service stop), comment them out of /etc/inetd.conf and send inetd a HUP (kill -HUP on inetd's PID) so it rereads the file, or simply kill the processes by hand. Then, to be sure they don't start again the next time the machine reboots, remove their S?? start links from the /etc/rc.d/rc?.d directories (or use your distribution's tool for this, such as chkconfig or update-rc.d). Once you have your system trimmed down to only the services you intend to serve, reboot the machine and check the process table and the listening sockets again.
If you absolutely need to run insecure services on your machine, use tcp wrappers or local firewalling to limit access to only the machines that absolutely need it. Keep in mind that tcp wrappers only govern services started through tcpd or linked against libwrap; a standalone daemon that is neither gets no protection from hosts.allow and hosts.deny, so use packet filtering for those.
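The shutdown and lockdown procedure above, as an added example that is not from the book: a function to comment a service out of inetd.conf (writing through a temp file so a failed edit cannot truncate the real file), one to remove a service's S?? start links from the rc directories, and one to write a default-deny tcp wrappers policy. Every function takes a root directory so the script can be exercised against a scratch tree; the directory layout, init script names and the 192.168.1.0/255.255.255.0 network below are constructed for the demonstration. On a real host you would pass /etc (with /etc/rc.d prepended to the rc paths on Red Hat-style systems) and run as root.

```shell
#!/bin/sh
# Added example (not from the book): disable a service the way the text
# describes and wrap whatever must stay. Functions take a root directory
# so they can be run against a scratch copy; use the real /etc as root.

# Comment out every active inetd.conf line whose service field is $2.
# awk writes to a temp file that is moved into place only on success.
disable_inetd_service() {
    conf="$1/inetd.conf"; svc="$2"
    awk -v svc="$svc" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        $1 == svc { print "#" $0; next }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Remove the S??name start links under rc0.d..rc6.d so the service is not
# started at the next boot. The init script and any K?? stop links stay.
disable_rc_service() {
    root="$1"; svc="$2"
    for link in "$root"/rc[0-6].d/S[0-9][0-9]"$svc"; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        rm -f "$link" && echo "removed $link"
    done
}

# Number of start links still present for a service (0 means disabled).
rc_start_links() {
    root="$1"; svc="$2"; n=0
    for link in "$root"/rc[0-6].d/S[0-9][0-9]"$svc"; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Default-deny tcp wrappers policy: hosts.deny refuses everything and
# hosts.allow names the daemons that may be reached and from where. The
# daemon name is the program tcpd executes (in.ftpd, not the inetd.conf
# service name ftp); sshd is only covered if it was built with libwrap.
write_tcp_wrappers() {
    root="$1"; net="$2"
    printf 'ALL: ALL\n' > "$root/hosts.deny"
    printf 'sshd: ALL\nin.ftpd: %s\n' "$net" > "$root/hosts.allow"
}

# --- constructed scratch tree standing in for /etc (not a real host) ---
root=$(mktemp -d)
trap 'rm -rf "$root"' EXIT
mkdir -p "$root/init.d" "$root/rc3.d" "$root/rc5.d"
: > "$root/init.d/portmap"
ln -s ../init.d/portmap "$root/rc3.d/S13portmap"
ln -s ../init.d/portmap "$root/rc5.d/S13portmap"
ln -s ../init.d/portmap "$root/rc3.d/K87portmap"
cat > "$root/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp nowait  nobody  /usr/sbin/tcpd  in.fingerd -w
EOF

disable_inetd_service "$root" telnet
disable_inetd_service "$root" finger
disable_rc_service "$root" portmap
write_tcp_wrappers "$root" 192.168.1.0/255.255.255.0

echo "--- inetd.conf after edit ---"; cat "$root/inetd.conf"
echo "portmap start links left: $(rc_start_links "$root" portmap)"
echo "--- hosts.allow ---"; cat "$root/hosts.allow"
```

After editing the real inetd.conf, remember to HUP inetd so it drops the ports you commented out; removing the rc links only takes effect at the next boot, which is why the text has you stop the running daemons first.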