The best protection against vulnerable software is running less software. How do I find out which services are enabled at Boot under CentOS / RHEL / Fedora Linux? How do I disable software which is not needed?
Open terminal and login as root user.
Type the following command to list all services which are enabled at boot:
#chkconfig --list | grep $(runlevel | awk '{ print $2}'):on
Sample output:
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off dkms_autoinstaller 0:off 1:off 2:on 3:on 4:on 5:on 6:off haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off hidd 0:off 1:off 2:on 3:on 4:on 5:on 6:off irqbalance 0:off 1:off 2:on 3:on 4:on 5:on 6:off kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off lighttpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off lm_sensors 0:off 1:off 2:on 3:on 4:on 5:on 6:off lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off mcstrans 0:off 1:off 2:on 3:on 4:on 5:on 6:off mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off microcode_ctl 0:off 1:off 2:on 3:on 4:on 5:on 6:off mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off named 0:off 1:off 2:on 3:on 4:on 5:on 6:off netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off network 0:off 1:off 2:on 3:on 4:on 5:on 6:off ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off psacct 0:off 1:off 2:on 3:on 4:on 5:on 6:off readahead_early 0:off 1:off 2:on 3:on 4:on 5:on 6:off restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off rhnsd 0:off 1:off 2:on 3:on 4:on 5:on 6:off rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off setroubleshoot 0:off 1:off 2:off 3:on 4:on 5:on 6:off smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off snmpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off stor_agent 0:off 1:off 2:off 3:on 4:off 5:on 6:off syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off sysstat 0:off 1:off 2:on 3:on 4:off 5:on 6:off vmware 0:off 1:off 2:on 3:on 4:off 5:on 6:off xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off yum-updatesd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
The first column of above output is the name of a service which is currently enabled at boot. You need to review each service.
Task: Disable service
To stop service, enter:
# service {service-name} stop
# service vmware stop
To disable service, enter:
# chkconfig {service-name} off
# chkconfig vmware off
You can also use ntsysv command to manage all services.
A note about outdated insecure service
All of the following services must be disabled to improve server security:
- Inetd and Xinetd (inetd xinetd) – Use direct services configured via SysV and daemons.
- Telnet (telnet-server) – Use ssh
- Rlogin, Rsh, and Rcp ( rsh-server ) – Use ssh and scp.
- NIS (ypserv) : Use OpenLDAP or Fedora directory server.
- TFTP (tftp-server) : Use SFTP or SSH.
To delete all of the service enter:
# yum erase inetd xinetd ypserv tftp-server telnet-server rsh-serve
A note about Debian / Ubuntu Linux
Please see my comment below, to find out which services are enabled at boot under Debian / Ubuntu Linux and disable software which is not needed.
9 comment
What about debian systems? How is this done?
To list all boot time enabled services use the following costume shell code (type at command prompt):
R=$(runlevel | awk '{ print $2}') for s in /etc/rc${R}.d/*; do basename $s | grep '^S' | sed 's/S[0-9].//g' ;doneSample output:
To turn off service use T-GUI tools like rcconf or simply type:
update-rc.d -f {service-name} remove
For example, remove apache2, enter:update-rc.d {service-name} stop 20 2 3 4 5 .
Use rcconf tool to view enabled services. See the following posts for more info about Debian / Ubuntu services:
HTH
in debian systems you can use aptitude
search via packages with /
and install or uninstall them by + or –
For gentoo use the rc-update command:
# rc-update showto show actual daemons starting on boot/default runlevel.
To add new services on default runlevel just type
rc-update add defaultor
# man rc-updatefor more info on how to use it.
ERRATA: the above comment obviously lacks something.
To add a new service starting at the default runlevel type
rc-update add my-init-script default(I put my-init-script between angle brackets, and the board tried to interpret it as an html tag)
Matteo,
Thanks for sharing Gentoo specific info.
For Ubuntu, it has to be noted the update-rc.d man-page says update-rc.d should not be used to manually manipulated list of services to start. Instead, it is advised to manually edit the simlinks directly (found at /etc/rc{runlevel}.d) or to use an editor like sysv-rc-conf.
on Ubuntu you can use sysv-rc-conf not only as editor:
root@hostname:/# sysv-rc-conf –help
Usage:
sysv-rc-conf [ *options* ]
sysv-rc-conf –list [ *service* ]
sysv-rc-conf [ –level *levels* ] *service*
On Redhat or most of redhat based linux :
# setup
and then select “System Services”
That should take care everything………..
Happy Linuxing …….