Unnecessary or vulnerable network services (daemons) listening on open ports not only pose a risk but also waste resources. So, if you don't need a service, weed it out, then close its port.
The first thing is to find out what services are running.
Researching services with Netstat
Netstat provides network information, is installed by default (on your local PC as well as on the server), and should be properly understood to help secure a networked machine.
Let's carry out a services check, running netstat as root so that the associated program names are shown, and piping the output through grep to pick out only those services that are listening on ports:
We can see MySQL, which is listening on the internal port 3306. Apache is doing its thing, presumably on port 80, and smtp is sifting the mail. The SSH daemon (sshd) sits nicely on a custom port, 54321. We can confirm the port numbers by adding the -n switch:
So what about those other daemons? What are they and do we need them? First, to be clear, let's specify those services, already output above, that we're uncertain of:
And, for each, we can run through a nice, comprehensive process …
- Preparing to remove services
The thing to do is to research each and every service you have running, to question whether it is really needed and, if in doubt, to disable it. If something breaks you can always re-enable the daemon. If you aren't going to use it, on the other hand, then uninstall the program behind it. First, though, it's not a bad idea to take a service snapshot in case we need to revert:
That creates a list of your services in a services.lst file in your home directory. Now then, considering those mystery services …
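As an added example that is not from the original article, here is a small shell parser over `netstat -tulpn` output (a constructed sample is embedded, so it runs offline) that turns the listing into a reviewable "port proto program bind-address" snapshot and picks out the daemons bound to every interface, which are the ones to scrutinise first.

```shell
#!/bin/sh
# Added example, not from the original article: parse `netstat -tulpn` output
# (-t/-u TCP and UDP, -l listening only, -p program name, -n numeric ports)
# into a reviewable "port proto program bind-address" list. Run netstat as
# root, otherwise the PID/Program name column is blank for other users' daemons.
# NETSTAT_SAMPLE is constructed sample output, not captured from a real host.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1234/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2345/apache2
tcp        0      0 0.0.0.0:54321           0.0.0.0:*               LISTEN      3456/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      5678/cupsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           6789/portmap'

# listening_daemons: read netstat -tulpn text on stdin and print
# "<port> <proto> <program> <bind-address>", one line per socket, sorted by port.
listening_daemons() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        # Local Address is field 4; the port is whatever follows the last ":".
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        # PID/Program name is always the last field (UDP rows have no State column).
        split($NF, p, "/"); prog = (p[2] == "") ? "-" : p[2]
        print port, $1, prog, addr
    }' | sort -n
}

# public_daemons: only sockets bound to every interface (0.0.0.0 or ::),
# i.e. the ones reachable from outside and therefore first in line for review.
public_daemons() {
    listening_daemons | awk '$4 == "0.0.0.0" || $4 == "::" { print $1, $2, $3 }'
}

# Typical use on a server (a listening-socket snapshot worth keeping next to
# the services.lst file, so a later run can be diffed against it):
#   netstat -tulpn | listening_daemons > ~/listening.lst
#   netstat -tulpn | public_daemons
# Demonstration on the constructed sample:
printf '%s\n' "$NETSTAT_SAMPLE" | public_daemons
```

On the sample this prints four publicly bound daemons and omits mysqld, which is bound to 127.0.0.1 only.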
- Researching services
Take cupsd. One might ask, what the deuce is it? One thing we can do is to check the process using the ps utility:
Ignoring the last line, which refers to our grep command itself, the output points to a configuration file. Best take a look at that, then; nano /etc/cups/cupsd.conf will do:
So there's a clue. As well as mentioning a CUPS scheduler, a scan down the page suggests this is a printing tool, pretty useless on a server. Let's look at its manual page:
OK, so the program is indeed CUPS, a printing service, as suggested. Rather than simply stop the service, let's scrap it entirely. To do that, we need to find out which packages are installed, and we do that with dpkg (or your Linux flavor's equivalent package manager). We could run a regular list of installed packages like this:
But because we want something specific, we can hone our search by again using the handy grep function:
So it looks like the top entry, CUPS, is the main package. We can find out more if we want to using the aptitude show [some_package] command which, among other things, says this:
OK. Ciao baby! Here's what aptitude's remove command looks like and what it outputs:
Nice. As well as deleting all relevant packages we're told that the printer server has been stopped. To research and delete other services and their packages, simply rinse and repeat.
What server daemons should I look for?
Pleased you asked. inetd aside, there are a bunch of 'usual suspect' services to disable. These are commonly installed by Linux distros but serve no useful purpose to the average server, especially if it's administered using SSH and SSL, the protocols applauded, explained and set up throughout this site. Have a shiny box …
… this list is not exhaustive, however, so research any other daemons you come across yet of which you're uncertain.
Disabling services using a service manager
Before removing a service entirely, you can disable it, to make sure nothing breaks, using a tool such as chkconfig or its more user-friendly alternative, sysv-rc-conf.
- Using sysv-rc-conf
Let's install the excitingly titled sysv-rc-conf:
Run it as root:
That brings up an at-a-glance interface of what services start when. Here's a snippet:
Use your arrow keys to navigate and the spacebar to remove the X's corresponding to the service you wish to disable. If you remain happy without the service, delete the program.
As always, it's a good thing to check out the manual by running man sysv-rc-conf.
- Delete unsafe services with harden-servers
harden-servers, a package for Debian-based Linux distributions, helps administrators to avoid installing dangerous daemons. It flags a conflict when an attempt is made to install servers that, for example:
- require plaintext passwords
- allow non-authenticated remote access
- leak information remotely
Installation is plain sailing:
And look at what happens if, on installing the package, harden-servers detects existing unsafe services:
We're prompted to delete sloppy services. Handsome. And if we try later to install something risky, like rsh-server, we're duly ticked off:
Closing the port
An open and unused port should be firewalled. This is explained previously for ConfigServer Firewall but for those using an iptables firewall we need a new command.
First, as root, list the rules for your INPUT chain, the chain that filters incoming requests:
This example shows six rules. To block the FTP port, the fourth rule, we delete the rule like this:
Now list your rules again to check. If you deleted the wrong rule, or are concerned that you might do so, you can rebuild your ruleset using our original iptables implementation process.
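Counting rules by eye is where the wrong one gets deleted, so here is an added example (not from the original article) that selects the INPUT rule by port from `iptables -L INPUT -n --line-numbers` output, refuses to guess when the port matches no rule or several, and checks the chain's default policy, since removing an ACCEPT rule only blocks the port when the policy or a later rule drops the traffic. The listing is a constructed sample, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: pick the INPUT rule to delete
# by matching the port in `iptables -L INPUT -n --line-numbers` output rather
# than trusting a number counted by eye. IPTABLES_SAMPLE is constructed sample
# output, not captured from a real host; rule 4 accepts FTP (port 21).
IPTABLES_SAMPLE='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:54321
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
6    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# rules_for_port PORT [PROTO]: read the listing on stdin and print the number
# of every ACCEPT rule whose match is "dpt:PORT" (and whose prot is PROTO, if given).
rules_for_port() {
    awk -v port="$1" -v proto="${2:-}" '
        $1 ~ /^[0-9]+$/ && $2 == "ACCEPT" && (proto == "" || $3 == proto) {
            for (i = 7; i <= NF; i++) if ($i == ("dpt:" port)) print $1
        }'
}

# chain_policy: the chain default, which is what applies once the ACCEPT is gone.
chain_policy() { awk '/^Chain / { gsub(/[()]/, "", $4); print $4 }'; }

# delete_command PORT [PROTO]: print exactly one "iptables -D INPUT N" command.
# Fails when no rule matches, or when several do (numbers shift after every
# delete, so in that case delete them one at a time, highest number first).
delete_command() {
    listing=$(cat)
    nums=$(printf '%s\n' "$listing" | rules_for_port "$@")
    policy=$(printf '%s\n' "$listing" | chain_policy)
    count=$(printf '%s\n' "$nums" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        1) if [ "$policy" = "ACCEPT" ]; then
               echo "warning: INPUT policy is ACCEPT; removing the rule alone leaves port $1 open" >&2
           fi
           printf 'iptables -D INPUT %s\n' "$nums" ;;
        0) echo "no ACCEPT rule for port $1 in INPUT" >&2; return 1 ;;
        *) echo "port $1 matches rules $(echo $nums): delete one at a time" >&2; return 2 ;;
    esac
}

# Demonstration on the constructed sample; on a real host replace the printf
# with: iptables -L INPUT -n --line-numbers | delete_command 21 tcp
printf '%s\n' "$IPTABLES_SAMPLE" | delete_command 21 tcp
```

The command is printed rather than executed so it can be read back before running it as root; list the chain again afterwards, as the article says, since the remaining rules are renumbered.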
And there we have it. For all the dire dread you may have felt, considered logically and perhaps with a decent dose of coffee, researching and properly deleting services is not that tough a nut to crack.
Nonetheless, for those services that are still propping open their respective ports, one may well ask whether there's anything else we can do to help secure them. Fortunately, yes, a few security techniques remain on our agenda, the first being to consider using TCP Wrappers to Secure Ports & Services.