10.5.2. Services

The goal is to run as few services as possible. Keeping the number of ports that are open to the outside world to a minimum also makes it easier to keep an overview. If services can't be turned off for the local network, try to at least disable them for outside connections.

A rule of thumb is that if you don't recognize a particular service, you probably won't need it anyway. Also keep in mind that some services are not really meant to be used over the Internet. Don't rely on what should be running; check which services are listening on which TCP ports using the netstat command:


[elly@mars ~] netstat -l | grep tcp
tcp     0      0 *:32769                 *:*      LISTEN
tcp     0      0 *:32771                 *:*      LISTEN
tcp     0      0 *:printer               *:*      LISTEN
tcp     0      0 *:kerberos_master       *:*      LISTEN
tcp     0      0 *:sunrpc                *:*      LISTEN
tcp     0      0 *:6001                  *:*      LISTEN
tcp     0      0 *:785                   *:*      LISTEN
tcp     0      0 localhost.localdom:smtp *:*      LISTEN
tcp     0      0 *:ftp                   *:*      LISTEN
tcp     0      0 *:ssh                   *:*      LISTEN
tcp     0      0 ::1:x11-ssh-offset      *:*      LISTEN

Things to avoid:

  • exec, rlogin and rsh, and telnet, just to be on the safe side.

  • X11 on server machines.

  • lp if no printer is physically attached.

  • Samba if there are no MS Windows hosts in the network.

  • FTP, unless an FTP server is required.

  • NFS and NIS over the Internet; disable all related services on a stand-alone installation.

  • An MTA if you're not actually on a mail server.

  • ...

Stop running services using the chkconfig command, the initscripts or by editing the (x)inetd configuration files.
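
As an added example (not part of the original guide), the shell function below automates the check described in this section: it reads netstat -l output and labels each TCP listener against the list of things to avoid. The function name audit_listeners, the verdict labels, and the mapping from the guide's service names to /etc/services names and port numbers are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide): classify `netstat -l` TCP listeners.
# SAMPLE is constructed from the listing shown in this section.
SAMPLE='tcp     0      0 *:32769                 *:*      LISTEN
tcp     0      0 *:32771                 *:*      LISTEN
tcp     0      0 *:printer               *:*      LISTEN
tcp     0      0 *:kerberos_master       *:*      LISTEN
tcp     0      0 *:sunrpc                *:*      LISTEN
tcp     0      0 *:6001                  *:*      LISTEN
tcp     0      0 *:785                   *:*      LISTEN
tcp     0      0 localhost.localdom:smtp *:*      LISTEN
tcp     0      0 *:ftp                   *:*      LISTEN
tcp     0      0 *:ssh                   *:*      LISTEN
tcp     0      0 ::1:x11-ssh-offset      *:*      LISTEN'

# audit_listeners "svc1 svc2 ...": read netstat -l lines on stdin and print
# "VERDICT local-address" per TCP listener. $1 lists services this host needs.
#   LOCAL  bound to loopback only, not reachable from other hosts
#   OK     reachable, and declared as required in $1
#   AVOID  reachable, and on this section's "things to avoid" list
#   REVIEW reachable, not recognized: identify it, then keep or disable it
audit_listeners() {
    awk -v req="${1:-}" '
    BEGIN {
        n = split(req, r, " "); for (i = 1; i <= n; i++) need[r[i]] = 1
        # Assumption: /etc/services names and ports for the listed services.
        avoid = "^(exec|login|shell|telnet|printer|ftp|sunrpc|nfs|smtp|netbios-ssn|"
        avoid = avoid "microsoft-ds|512|513|514|23|515|21|111|2049|25|139|445)$"
    }
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4
        k = split(addr, p, ":"); svc = p[k]       # text after the last colon
        host = substr(addr, 1, length(addr) - length(svc) - 1)
        # Assumption: X11 displays listen on TCP ports 6000-6063.
        x11 = (svc ~ /^60[0-9][0-9]$/ && svc + 0 <= 6063)
        if (host == "::1" || host ~ /^localhost/ || host ~ /^127\./) v = "LOCAL"
        else if (svc in need)        v = "OK"
        else if (svc ~ avoid || x11) v = "AVOID"
        else                         v = "REVIEW"
        print v, addr
    }'
}

# Stand-alone run on the sample, with ssh as the only required service.
printf "%s\n" "$SAMPLE" | audit_listeners "ssh"
```

On a live system, pipe the real listing in instead of the sample: netstat -l | audit_listeners "ssh". Every REVIEW line is a service to identify before deciding whether it stays.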

Introducing Linux
Published under the terms of the GNU General Public License