Can you provide guidance on the default CentOS / Fedora / RHEL / Red Hat Enterprise Linux services which are enabled at boot time by default? Can you provide a set of recommendations for all default services: which to keep for performance and security and which to turn off?
You need to
acpid               0:off 1:off 2:on  3:on  4:on  5:on  6:off
anacron             0:off 1:off 2:on  3:on  4:on  5:on  6:off
atd                 0:off 1:off 2:off 3:on  4:on  5:on  6:off
auditd              0:off 1:off 2:on  3:on  4:on  5:on  6:off
cpuspeed            0:off 1:on  2:on  3:on  4:on  5:on  6:off
crond               0:off 1:off 2:on  3:on  4:on  5:on  6:off
dkms_autoinstaller  0:off 1:off 2:on  3:on  4:on  5:on  6:off
haldaemon           0:off 1:off 2:off 3:on  4:on  5:on  6:off
ip6tables           0:off 1:off 2:on  3:on  4:on  5:on  6:off
irqbalance          0:off 1:off 2:on  3:on  4:on  5:on  6:off
kudzu               0:off 1:off 2:off 3:on  4:on  5:on  6:off
lm_sensors          0:off 1:off 2:on  3:on  4:on  5:on  6:off
mcstrans            0:off 1:off 2:on  3:on  4:on  5:on  6:off
messagebus          0:off 1:off 2:off 3:on  4:on  5:on  6:off
microcode_ctl       0:off 1:off 2:on  3:on  4:on  5:on  6:off
netfs               0:off 1:off 2:off 3:on  4:on  5:on  6:off
network             0:off 1:off 2:on  3:on  4:on  5:on  6:off
ntpd                0:off 1:off 2:on  3:on  4:on  5:on  6:off
rawdevices          0:off 1:off 2:off 3:on  4:on  5:on  6:off
readahead_early     0:off 1:off 2:on  3:on  4:on  5:on  6:off
restorecond         0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendmail            0:off 1:off 2:on  3:on  4:on  5:on  6:off
setroubleshoot      0:off 1:off 2:off 3:on  4:on  5:on  6:off
smartd              0:off 1:off 2:on  3:on  4:on  5:on  6:off
snmpd               0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd                0:off 1:off 2:on  3:on  4:on  5:on  6:off
syslog              0:off 1:off 2:on  3:on  4:on  5:on  6:off
sysstat             0:off 1:off 2:on  3:on  4:on  5:on  6:off
yum-updatesd        0:off 1:off 2:on  3:on  4:on  5:on  6:off
To turn a service off at boot and stop the running instance, type:
# chkconfig serviceName off
# service serviceName stop
Each service falls into one of the following categories:
- Disabled: Disable the service if possible (e.g., NFS and portmap).
- Enabled: Leave the service enabled (e.g., power management and networking).
- Configure: This is an essential service that you need to configure so that the server works correctly. The service must be configured properly for both security and performance (e.g., the various network servers, iptables, SELinux, ip6tables).
- Remove: This is not a status, but you can delete the service's package entirely (e.g., rsh, vsftpd, X servers, or any other unwanted insecure service).
Recommend Actions on Default Services

| Service | Description | Recommendation |
|---|---|---|
| acpid | Advanced Configuration and Power Interface (ACPI) event daemon. | Enable |
| anacron | Anacron is like cron, but it does not assume that the machine is running continuously. Hence it can be used on machines that aren't running 24 hours a day to run the daily, weekly and monthly jobs usually controlled by cron. A server runs continuously, so plain cron is enough. | Disable on servers |
| apmd | Advanced Power Management subsystem (the old interface). If the server supports ACPI, disable this service. | Disable if possible |
| auditd | The Linux Auditing System. | Enable and configure |
| atd | atd runs jobs queued by at. | Enable and configure |
| autofs | The automount(8) program manages mount points for autofs, the in-kernel Linux automounter. NFS, USB, DVD/CD and CIFS volumes can be mounted via /etc/fstab instead. | Disable |
| avahi-daemon and avahi-dnsconfd | The Avahi mDNS/DNS-SD daemon, implementing Apple's ZeroConf architecture (also known as "Rendezvous" or "Bonjour"). | Disable |
| bluetooth and hidd | Bluetooth services for service discovery, authentication, Human Interface Devices (hidd), etc. | Disable |
| cpuspeed | Monitors the system's idle percentage and lowers or raises the CPUs' clock speeds and voltages accordingly, to minimize power consumption when idle and maximize performance when needed. | Enable |
| crond | Executes scheduled commands via the crond daemon. | Enable and configure |
| cups | Common UNIX Printing System service. | Disable if possible |
| dc_client and dc_server | Startup scripts for the Distcache SSL session cache client and server proxy. Disable if you do not need the cache proxy. | Disable if possible |
| dnsmasq | DNS caching server. Enable if your ISP's or remote caching DNS server is slow; keep it listening on the loopback interface only unless other hosts must query it. | Enable |
| pcscd | The PC/SC smart card service is a resource manager for the PC/SC Lite and MuscleCard frameworks. It coordinates communications with smart card readers, smart cards and cryptographic tokens connected to the system. If smart cards are not in use on the system, disable this service. | Disable |
| readahead_early and readahead_later | These services provide one-time caching of files belonging to a few boot services. They give little or no benefit on a server; just disable them. | Disable |
| restorecond | Restores the correct SELinux security context on the files it watches. | Enable |
| rhnsd | Connects periodically to the RHN servers to check for updates and notifications and to perform system monitoring tasks according to the service level your server is subscribed to. Disable this service and use the yum-updatesd service instead. | Disable |
| sendmail | Starts the sendmail server. On RHEL the default sendmail.mc listens on 127.0.0.1 only; keep it that way unless the host must accept or relay mail from other machines. | Enable and configure |
| smartd | Self-Monitoring, Analysis and Reporting Technology (SMART) daemon for hard disks. | Enable and configure |
| setroubleshoot | Starts the SELinux troubleshooting daemon. It notifies the desktop user of SELinux access-denied messages in a user-friendly fashion. Not useful on a headless server; read the audit log instead. | Disable |
| sshd | The OpenSSH server. If you need remote login, enable it. You must enable this on all servers so that you can log in and configure everything. | Enable |
| syslog | Syslog is the facility through which many other Linux daemons log messages to the various system log files. It is a good idea to always run syslog. | Enable |
| xfs | X Window font server. Disable it on servers. | Disable |
| yum-updatesd | Update notification daemon for system packages. | Enable |
Remove Outdated Insecure Services
Is there a mission-critical reason for users to access the system via insecure protocols such as FTP, NIS and telnet? The following services are obsolete and must be deleted for security:
- inetd and xinetd: Not installed by default, but if either is installed, delete it. Consider switching to more secure services which provide the needed functionality.
- telnet-server: Delete the insecure telnet remote login; use the OpenSSH server and ssh client to get back into the server.
- rsh-server: Delete the insecure rlogin, rsh and rcp commands. Use the scp and ssh commands from OpenSSH.
- ypserv and ypbind: Remove outdated NIS; consider using OpenLDAP or Fedora / Red Hat Directory Server.
- tftp-server: Remove the outdated and insecure TFTP server software.
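The two lists above (services to disable in the table, and packages to remove) can be checked mechanically. The following POSIX sh script is an added example and is not part of the original page: it parses a listing in the format of `chkconfig --list`, reports the services that are on in a given runlevel and appear in the page's disable list, prints the matching `chkconfig ... off; service ... stop` commands, and does the same for obsolete packages in the format of `rpm -qa`. Both input samples are constructed for the demo, not captured from a real host, and the deny lists are taken from the page's recommendations.

```shell
#!/bin/sh
# Added example: audit a chkconfig listing and an rpm package list against
# the recommendations on this page. All input below is constructed for the
# demo, not captured from a real host; the deny lists are the page's own.

# Constructed sample in the format of `chkconfig --list`.
SAMPLE='acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet:         off'

# Services the table above says to disable on a server.
DISABLE_LIST="anacron apmd autofs avahi-daemon avahi-dnsconfd bluetooth hidd cups dc_client dc_server pcscd readahead_early readahead_later rhnsd setroubleshoot xfs"

# Constructed sample in the format of `rpm -qa` (name-version-release).
RPM_SAMPLE='openssh-server-4.3p2-82.el5
telnet-server-0.17-39.el5
rsh-server-0.17-40.el5
ypbind-1.19-12.el5
bash-3.2-32.el5'

# Packages the "Remove Outdated Insecure Services" list says to delete.
OBSOLETE_PKGS="xinetd telnet-server rsh-server ypserv ypbind tftp-server"

# enabled_in_runlevel LEVEL  (reads chkconfig output on stdin)
# Prints the SysV services that are "on" at LEVEL. xinetd rows carry no
# "N:on/off" columns, so the $2 ~ /^0:/ guard skips them.
enabled_in_runlevel() {
    awk -v lvl="$1" '
        NF >= 2 && $2 ~ /^0:/ {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == lvl && kv[2] == "on") print $1
            }
        }'
}

# flag_disable_candidates LEVEL  (reads chkconfig output on stdin)
# Prints services that are on at LEVEL and also appear in DISABLE_LIST.
flag_disable_candidates() {
    enabled_in_runlevel "$1" | while read -r svc; do
        case " $DISABLE_LIST " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# remediation_commands LEVEL  (reads chkconfig output on stdin)
# Prints, but does not run, the commands from the page that turn each
# flagged service off at boot and stop the running instance.
remediation_commands() {
    flag_disable_candidates "$1" | while read -r svc; do
        echo "chkconfig $svc off; service $svc stop"
    done
}

# installed_obsolete  (reads rpm -qa output on stdin)
# Strips the trailing "-version-release" from each package and prints the
# names that are in OBSOLETE_PKGS.
installed_obsolete() {
    while read -r nvr; do
        name=$(printf '%s\n' "$nvr" | sed 's/-[^-]*-[^-]*$//')
        case " $OBSOLETE_PKGS " in
            *" $name "*) echo "$name" ;;
        esac
    done
}

# Dry run over the constructed samples. On a real host replace the printf
# pipelines with:  chkconfig --list | remediation_commands 3
# and:             rpm -qa | installed_obsolete
printf '%s\n' "$SAMPLE" | remediation_commands 3
printf '%s\n' "$RPM_SAMPLE" | installed_obsolete | sed 's/^/rpm -e /'
```

The script only prints the remediation commands; review the output and run the lines you agree with, because the disable list is a server default and a host that genuinely needs, say, cups or bluetooth should keep them.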
Configure Required Services
Other services need to be installed and configured as and when required:
- httpd: The Apache web server.
- php-cgi: The PHP interpreter (CGI/FastCGI).
- bind (named): The DNS server.
- ntpd: The network time (NTP) client/server.
- snmpd: The net-snmp server.
- squid: The Squid proxy and web caching server.
How Do I Turn On or Off Services?
Use the ntsysv application, a simple menu interface for configuring runlevel services. The same services can be configured from the command line with chkconfig:
# chkconfig serviceName off