Linux Services - Security

For Linux users, disabling superfluous services is a good deal easier. There are fewer to worry about and far fewer dependencies among them. For example, Linux users can disable RPC without negative consequences, and they should do so unless they need it for NFS (Network File System) or NIS (Network Information Service). Home network users and home business users are unlikely to be using these services, so it’s almost always good to disable RPC.

Unlike Microsoft, most Linux vendors will not install many superfluous services and Web applications by default. But it is important to check the following list in case you’re running a service that you don’t need. If you’re using a major, packaged distribution, it’s likely that only a few of these services will have been enabled by default.

There are numerous ways to disable services in Linux, though these depend on the particular distribution you’re using. For this reason, it will not be practical to provide screen shots. Essentially, you want to halt the daemon, ensure that the system continues to work normally, and then disable it permanently. An easy way to do this is via a GUI admin interface, but of course these vary by distribution. Usually, there will be an admin utility allowing you to select runlevels for various components, where your services or daemon processes will be displayed and can be enabled, disabled, started, and stopped. Linux is usually very tolerant of having services disabled, but you should stop the daemon first and see how the system behaves before making a commitment. If your machine continues to function normally, you can remove it from all runlevels, and even from your /etc/init.d directory so that it can’t start again if you reboot.

Here are the main ones you should look out for:

Apache: This is a fine Web server. Most Linux distributions are filled with more packages than any person could possibly use, and sometimes, due to this embarrassment of riches, servers like Apache can be installed without the user’s realizing it. If you don’t need a Web server or don’t know how to run one securely, you should uninstall it promptly.

Berkeley Internet Name Domain (BIND): This service translates domain names to IP addresses. Unless you are operating a server, you have no use for it. Disabling it will not affect your Internet clients: your ISP will provide BIND or DNS services for you. The daemon is called named and should be disabled.

File Transfer Protocol (FTP): This is a file server. Few home users will have any use for it. The daemons are called wuftpd and proftpd; get rid of them unless you need to make FTP available and know how to secure it.

Line Printer Daemon (LPD): This service allows users to connect to a printer across a network. It is exceptionally insecure and should be disabled with prejudice.

Nessus: This is a vulnerability scanner that runs a daemon process. It’s not terribly dangerous, but there is no point leaving it running when it’s not in use, lest others connect to it. I recommend enabling and disabling the nessusd daemon from the command line and leaving it out of your runlevels.

Network Information Service (NIS): This service allows networked machines to share a common interface. It is not so much vulnerable in itself but it requires RPC, which is. Home users should not have any use for it.

Network File System (NFS): This service provides remote access to shared file systems across a network. As with NIS, it is not so much vulnerable in itself but it requires RPC, which is. Home users should not have any use for it.

Postfix: This is a fairly reliable mail server. Few home users need a mail server or know how to run one securely, so this should be disabled, but not uninstalled. Some mail clients may require it to be present, though not running.

Remote Procedure Call (RPC): Sometimes called sunrpc or portmap, this should be disabled except when NIS or NFS are in use. Any daemon with rpc or portmap in the name is a good candidate for disabling.

Rlogin: This service accepts remote logins. It is only slightly more secure than Telnet and should be disabled. Use SSH or Webmin if you need to log in to your machine remotely.

Samba: This is a file and print sharing service that offers Windows compatibility. It’s unnecessary on most home machines. Computers used primarily to contact the Internet should not be offering such services unless they have to, though Samba can be quite useful in an office if you know how to run it securely.

Secure Shell (SSH): This service accepts remote logins. You should disable the SSH daemon (sshd) unless you need to connect remotely to your computer. If you do connect remotely, SSH is the most secure method and should always be preferred to Telnet and rlogin. Disabling the SSH daemon will not cause any problems when using an SSH client.

Sendmail: This is a mail server. You probably don’t need a mail server, so uninstall it. If you do need a mail server, you should still uninstall Sendmail and replace it with Postfix, which is more secure. Some e-mail clients may require Postfix to be installed, though not running, so disabling it is better than uninstalling it.

Simple Network Management Protocol (SNMP): This service allows for configuring devices over a network. Home users should have no use for it. There are plenty of exploits against it, so disable the snmpd daemon unless you really need it.

Squid: This is a proxy server, and a fine one, but it’s a security issue if you don’t need it and don’t know how to secure it. If you don’t know what a proxy server is, then you absolutely don’t need one. Uninstall it if you find it’s been installed.

Telnet: This is a hopelessly insecure service that permits remote logins. Disable it; remove it from /etc/init.d; exorcise it.

Webmin: This is a fairly trustworthy server for remote administration. However, if you don’t need it, uninstall it. If you’re not going to use it, there’s no point making it available to others on the Internet, like malicious script kiddies.

Ypbind: This daemon supports Network Information Services (NIS). There have been exploits against it. Again, as with any service, if you don’t need it, disable it.

Power User Tip

Linux power users can prevent their X server from listening on the Net by editing the relevant configuration file. Depending on your distribution, the file might be found in one of these locations: /etc/ opt/kde3/share/config/kdm/ Xservers, / etc/X11/xdm/ Xservers, / usr/X11R6/lib/X11/xinit/xserverrc, or /etc/X11/ xinit/ xserverrc. Find the line starting with :0 local [etc...], and without altering it otherwise, add -nolisten tcp at the end. The X server’s TCP access is not considered a menace, but this will keep you safe from a new or unknown exploit.