Linux Default Services Which Are Enabled at Boot

by on January 6, 2010 · 2 comments· LAST UPDATED January 6, 2010

in , ,

Can you provide a guidance on default CentOS / Fedora / RHEL / Redhat enterprise Linux services which are enabled at boot time by a default? Can you provide set of recommendations for all default services and which to keep for performance and security and which to turn off?

You need to minimize software to minimize vulnerability. This provides the best possible protection against vulnerable software.

Determine Which Services Are Enabled At Boot

Type the following command:
# service --status-all
# chkconfig --list | grep '3:on'

Sample outputs:

acpid          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
anacron        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
atd            	0:off	1:off	2:off	3:on	4:on	5:on	6:off
auditd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
cpuspeed       	0:off	1:on	2:on	3:on	4:on	5:on	6:off
crond          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
dkms_autoinstaller	0:off	1:off	2:on	3:on	4:on	5:on	6:off
haldaemon      	0:off	1:off	2:off	3:on	4:on	5:on	6:off
ip6tables      	0:off	1:off	2:on	3:on	4:on	5:on	6:off
irqbalance     	0:off	1:off	2:on	3:on	4:on	5:on	6:off
kudzu          	0:off	1:off	2:off	3:on	4:on	5:on	6:off
lm_sensors     	0:off	1:off	2:on	3:on	4:on	5:on	6:off
mcstrans       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
messagebus     	0:off	1:off	2:off	3:on	4:on	5:on	6:off
microcode_ctl  	0:off	1:off	2:on	3:on	4:on	5:on	6:off
netfs          	0:off	1:off	2:off	3:on	4:on	5:on	6:off
network        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
ntpd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
rawdevices     	0:off	1:off	2:off	3:on	4:on	5:on	6:off
readahead_early	0:off	1:off	2:on	3:on	4:on	5:on	6:off
restorecond    	0:off	1:off	2:on	3:on	4:on	5:on	6:off
sendmail       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
setroubleshoot 	0:off	1:off	2:off	3:on	4:on	5:on	6:off
smartd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
snmpd          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
syslog         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
sysstat        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
yum-updatesd   	0:off	1:off	2:on	3:on	4:on	5:on	6:off

The first column is the name of service which is enabled at boot. It can be disabled using the chkconfig command or ntsysv command:

chkconfig serviceName off
service serviceName stop

OR
ntsysv

Service Status

All services can be in any one of the following status at a time:

  1. Disabled : Disable the service if possible (e.g., NFS and portmap) .
  2. Enabled : Leave the service enabled (e.g. Power management, and Networking etc ).
  3. Configure: This is essential service and you need to configure so that server works correctly. The service must be configured properly for security and performance (e.g., various servers, Iptables, SELinux, and IP6tables etc).
  4. Remove: This is not status but you can delete the service (e.g., rsh, vsftpd, X Servers or any other unwanted insecure services).

Recommend Actions on Default Services

ServiceDescriptionAction
acpidAdvanced Configuration and Power Interface event daemonEnable
anacronAnacron is like cron, but it does not assume that the machine is running continuously. Hence, it can be used on machines that aren’t running 24 hours a day, to control daily, weekly, and monthly jobs that are usually controlled by cron.Disable on servers
apmdAdvanced Power Management Subsystem (old system). If the server is capable of ACPI support, disable this serviceDisable if possible
auditdThe Linux Auditing SystemEnable and configure
atdatd runs jobs queued by atEnable and configure
autofsThe automount(8) program is used to manage mount points for autofs, the inlined Linux automounter. You can mount NFS, USB, DVD/CD, and CIFS via /etc/fstab.Disable
avahi-daemon and avahi-dnsconfdThe Avahi mDNS/DNS-SD daemon implementing Apple's ZeroConf architecture (also known as "Rendezvous" or "Bonjour").Disable
bluetooth and hiddBluetooth services for service discovery, authentication, Human Interface Devices (hidd), etcDisable
cpuspeedThis service monitors the system’s idle percentage and reduces or raises the CPUs’ clock speeds and voltages accordingly to minimize power consumption when idle and maximize performance when neededEnable
crondService to execute scheduled commands via crond daemon.Enable and configure
cupsCommon unix printing system serviceDisable if possible
dc_client & dc_clientStartup script for the Distcache SSL Session Cache Client and server proxy. Disable if you do not need cache proxy.Disable if possible
dnsmasqthe DNS caching server. Enable if your ISP or remote DNS caching server is pretty slow.Enable
dkmdkms_autoinstallersdkms is a framework which allows kernel modules to be dynamically built for each kernel on your system in a simplified and organized fashion.Disable if possible
firstbootRHLE specific service. It does a few configuration following successful installation of the operating system.Disable
gpmA cut and paste utility and mouse server service for virtual consoles.Disable
haldaemonThis service is used for collecting and maintaing information about hardware from several sources. This is only used for X and desktop apps. Disable it on servers.Disable
hplipA service for non-PostScript HP printer. Disable it on servers.Disable
irdaIrDA(TM) (Infrared Data Association) is an industry standard for wireless, infrared communication between devices. IrDA speeds range from 9600 bps to 4 Mbps, and IrDA can be used by many modern devices including laptops, LAN adapters, PDAs, printers, and mobile phones.Disable if possible
iscsi & iscsidiscsi service logs into iSCSI targets needed at system startup (i.e. iscsi client). iscsid will start and stop iSCSI daemon. Use this if you've iscsi based storage.Disable if possible
iptables & ip6tablesIPv4 and IPv6 firewall service.Enable and configure
irqbalanceThe irqbalance service will distribute interrupts across the cpus on a multiprocessor system with the purpose of spreading the load.Enable
isdnProvides the Internet connectivity using an ISDN modem.Disable if not using an ISDN modem.
kdumpKernel crash dump analyzer. This service is useful for kernel hackers and device driver development or testing new kernel feature. Dsable the service on production boxes.Disable
kudzuRHEL specific hardware detection service. This is required on desktop or laptop where end users can add a new hardware but not on servers.Disable
lm_sensorslm_sensors is used for monitoring motherboard sensor values.Disable
lvm2-monitorStarts and stops dmeventd monitoring for lvm2. If you are not using LVM2 (Linux volume manager) based storage disable it.Disable
mcstransStarts the SELinux Context Translation System daemon. This is site specific SELinux requirements.Disable if possible
mdmonitorsoftware RAID monitoring and management service. If you are not using software RAID disable it. This is not required for hardware RAID setup as they comes with their own programs.Disable if possible
messagebusThis service broadcasts notifications of system events and other messages (D-bus). Turn it on for bluetooth, X Windows and desktop systems.Disable
microcode ctlScript to apply cpu microcode for Intel IA32 processor. If you are not using Intel IA32 processor disable it.Disable
netfs, nfslock, rpcgssd, rpcidmapd, and portmapMount and configure Linux network network filesystems (NFS). If you are not using NFS client/server technology disable it.Disable if possible
networkA service to activates/deactivates all network interfaces configured to start at boot time.Enable
pcscdThe PC/SC smart card sevice is a resource manager for the PC/SC lite and Musclecard frameworks. It coordinatescommunications with smart card readers, smart cards, and cryptographic tokens that are connected to the system.If Smart Cards are not in use on the system, disable this service:Disable
readahead_early and readahead_laterThis sevice provide one-time caching of files belonging to a few boot services. It does not provide any boosting. Just disable it.Disable
restorecondThis service restores the correct security context for SELinux.Enable
rhnsdThis service handles the task of connecting periodically to the RHN servers to check for updates, notifications and perform system monitoring tasks according to the service level that your server is subscribed for. Disable this service and use yum-updatesd service.Disable
sendmailUse to start sendmail server.Enable and configure
smartdSelf Monitoring and Reporting Technology (SMART) Daemon for hard disks.Enable and configure
setroubleshootThis service starts the SELinux Troubleshooting daemon. It will send notification tothe desktop user of SELinux access denied messages in a user-friendly fashion.Disable
sshdThe openssh server. If you need remote login enable it. You must enable this on all servers so that you can login and configure everything.Enable
syslogSyslog is the facility by which many other Linux daemons use to log messages to various system log files. It is a good idea to always run syslog.Enable
xfsX Windows font server. Disable it on servers.Disable
yum-updatesdUpdate notification daemon for system packages.Enable

Remove Outdated Insecure Services

Is there a mission-critical reason for users to access the system via the insecure protocols such as ftp, NIS and telnet? The following services are obsolete services and must be deleted for security:

  1. inetd and xinetd : This is not installed by default. But, it it is installed just delete it. Consider switching to more secure services which provide the needed functionality.
  2. telnet-server : Delete insecure telnet remote login, use OpenSSH server and ssh client to get back into the server.
  3. rsh-server : Delete insecure rlogin, rsh, or rcp commands. Use scp and ssh commands from the OpenSSH.
  4. ypserv & ypbind : Remote outdated NIS, consider using OpenLDAP or Fedora / Redhat directory server.
  5. tftp-server : Remove outdated and insecure TFTP server software.

Configure Required Services

Other services need to be installed and configr as and when required:

  1. httpd: The Apache web server.
  2. php-cgi: The php server.
  3. bind9 (named): The DNS server.
  4. ntpd : The time network based time client/server.
  5. snmpd : The net-snmp server.
  6. squid : The squid proxy and web caching server.

How Do I Turn On or Off Services?

Use the ntsysv application which is a simple interface for configuring runlevel services which are also configurable through chkconfig command:
# ntsysv
OR
# chkconfig serviceName off

Linux Guidance on Default Services

Fig.01: ntsysv in action

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 2 comments… read them below or add one }

1 neriukas January 10, 2011 at 7:09 pm

messagebus must be enabled, then i stoped it, my desktop was gone :D

Reply

2 kneekoo January 16, 2011 at 10:04 am

@neriukas: Well the description says: “Turn it on for bluetooth, X Windows and desktop systems.”

@Vivek Gite: What about these other services?
- keyboard-setup
- portmap
- procps
- rsyslog
- bootlogs
- console-setup
- udev
- x11-common

I have them on a non-gui Debian Squeeze machine.

Reply

Leave a Comment

Tagged as: ,

Previous Faq:

Next Faq: