Identifying and disabling extraneous services

From LQWiki

It is always unwise to run extraneous services on your system. Not only does it expose you to potential remote vulnerabilities needlessly, it encourages a lax attitude of permissiveness toward security.

Identifying extraneous services

As root, execute the command lsof -i to get a list of current network socket usage. Lines ending in (LISTEN) are sockets accepting connections, i.e. services exposed to the network.
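The following is an added shell example, not part of the LQWiki page: it filters lsof -i output down to the (LISTEN) lines and prints one "command port" pair per line. The lsof output embedded below is constructed to match the lsof -i column layout; on a live system you would pipe the real output in with `lsof -i | listening_services`.

```shell
#!/bin/sh
# Added example (not from the LQWiki page): reduce `lsof -i` output to the
# listening sockets, printing "command port" for each.
#
# lsof -i columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# NAME is host:port (or *:service) with "(LISTEN)" appended for listeners.

# Constructed sample of what `lsof -i` prints; not captured from a real host.
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u  IPv4  12345      0t0  TCP *:ssh (LISTEN)
xinetd   901 root    5u  IPv4  12399      0t0  TCP *:chargen (LISTEN)
xinetd   901 root    6u  IPv4  12400      0t0  TCP *:echo (LISTEN)
xinetd   901 root    7u  IPv4  12401      0t0  UDP *:daytime
firefox 1402 alice  44u  IPv4  13010      0t0  TCP 10.0.0.5:48122->93.184.216.34:https (ESTABLISHED)'

# Read `lsof -i` output on stdin; print "command port" for every listener.
# UDP sockets never carry (LISTEN), so a separate check of UDP lines is still
# needed for datagram services such as daytime/udp.
listening_services() {
    awk '/\(LISTEN\)$/ {
        name = $(NF-1)          # the NAME column, e.g. *:ssh or 0.0.0.0:22
        sub(/^.*:/, "", name)   # keep only the port or service name
        print $1, name
    }'
}

# Count how many listeners the output contains (handy for a quick baseline).
count_listeners() {
    listening_services | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | listening_services
```

Each line of the result names a program to review: anything you do not recognise, or do not need, is a candidate for disabling in the steps below.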

Services under inetd or xinetd

By default your system will probably have network services available under inetd or xinetd. These are generally minor services that are standard fare for UNIX-like systems. You will generally need few, if any, of these services.

Some of these generally unneeded services are:

echo: Returns a duplicate of any data sent to it.
chargen: Returns a repeating fill character sequence.
discard: Discards any data received. Similar to redirection to /dev/null.
daytime: Returns the system time and date.
time: Returns the system time as a binary value.

If you do not need services running under inetd or xinetd, you should disable them. If you need none of these services, then you should disable inetd and xinetd themselves as well.

Disabling services under inetd or xinetd is usually as simple as commenting out the unneeded service in the configuration file, usually /etc/inetd.conf or /etc/xinetd.conf respectively, and then restarting the inetd or xinetd service.

inetd and xinetd are usually started in your system initialization. If you need none of the services running under inetd or xinetd and wish to disable either altogether, this can usually be accomplished by editing your system initialization.
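The following is an added shell example, not part of the LQWiki page, showing the two edits described above done with sed and awk rather than by hand: commenting a service out of an inetd.conf-style file, and setting `disable = yes` in an xinetd per-service file. It assumes the common layout in which xinetd keeps one file per service under /etc/xinetd.d; the sample configuration files are constructed and written to a temporary directory so the example runs without root and without touching /etc. Point the functions at the real files, then restart inetd or xinetd, to apply the change on a live system.

```shell
#!/bin/sh
# Added example (not from the LQWiki page): disable an inetd/xinetd service
# by editing a copy of its configuration. Paths under /etc are only mentioned
# in comments; everything here works on constructed files in $WORKDIR.

WORKDIR=$(mktemp -d)

# Constructed sample inetd.conf (fields: service socket proto wait user server args)
cat > "$WORKDIR/inetd.conf" <<'EOF'
# Internal services
echo     stream  tcp  nowait  root  internal
chargen  stream  tcp  nowait  root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
EOF

# Constructed sample xinetd service file (real ones live in /etc/xinetd.d/)
cat > "$WORKDIR/chargen" <<'EOF'
service chargen
{
        disable         = no
        type            = INTERNAL
        id              = chargen-stream
        socket_type     = stream
        protocol        = tcp
        user            = root
        wait            = no
}
EOF

# Exit 0 if service $2 still has an uncommented entry in inetd.conf-style file $1.
inetd_enabled() {
    grep -q "^[[:space:]]*$2[[:space:]]" "$1"
}

# Comment out every active entry for service $2 in inetd.conf-style file $1.
# Already-commented lines no longer match, so running this twice is harmless.
inetd_disable() {
    file=$1; svc=$2
    cp "$file" "$file.bak"
    sed "s/^\([[:space:]]*$svc[[:space:]]\)/#\1/" "$file.bak" > "$file"
}

# Exit 0 unless the xinetd service file $1 says "disable = yes".
xinetd_enabled() {
    ! grep -q '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Set "disable = yes" in xinetd service file $1, rewriting an existing
# disable line or inserting one after the opening brace if none exists.
xinetd_disable() {
    file=$1
    cp "$file" "$file.bak"
    if grep -q '^[[:space:]]*disable[[:space:]]*=' "$file.bak"; then
        sed 's/^\([[:space:]]*disable[[:space:]]*=\).*/\1 yes/' "$file.bak" > "$file"
    else
        awk '{ print } /^\{/ && !done { print "        disable         = yes"; done = 1 }' \
            "$file.bak" > "$file"
    fi
}

# Stand-alone demo: turn off echo and chargen in the sample inetd.conf and
# chargen in the sample xinetd file, then show the result.
inetd_disable "$WORKDIR/inetd.conf" echo
inetd_disable "$WORKDIR/inetd.conf" chargen
xinetd_disable "$WORKDIR/chargen"
echo "--- inetd.conf after editing ---"
cat "$WORKDIR/inetd.conf"
echo "--- xinetd chargen file after editing ---"
grep disable "$WORKDIR/chargen"
# On a real system: restart (or reload) inetd/xinetd with your init system so
# the daemon rereads its configuration, then re-check with `lsof -i`.
```

The `.bak` copy the functions leave beside each file is the undo path; once the service has been confirmed gone from lsof -i output, the backup can be removed. Note that `disable = yes` in the per-service file is what xinetd honours, whereas for classic inetd the commented-out line is the whole change.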