The goal is to run as few services as possible. If the number of
ports that are open for the outside world are kept to a minimum,
this is all the better to keep an overview. If services can't be
turned off for the local network, try to at least disable them for
A rule of thumb is that if you don't recognize a particular
service, you probably won't need it anyway. Also keep in mind that
some services are not really meant to be used over the Internet.
Don't rely on what should be running, check which services
are listening on what TCP ports using the netstat command:
[[email protected] ~] netstat -l | grep tcp
tcp 0 0 *:32769 *:* LISTEN
tcp 0 0 *:32771 *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:kerberos_master *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:6001 *:* LISTEN
tcp 0 0 *:785 *:* LISTEN
tcp 0 0 localhost.localdom:smtp *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 ::1:x11-ssh-offset *:* LISTEN
Things to avoid:
exec, rlogin and
rsh, and telnet just
to be on the safe side.
X11 on server machines.
No lp if no printer is physically attached.
No MS Windows hosts in the network, no Samba required.
Don't allow FTP unless an FTP server is required.
Don't allow NFS and NIS over the Internet, disable all related
services on a stand-alone installation.
Don't run an MTA if you're not actually on a mail server.
Stop running services using the chkconfig
command, the initscripts or by editing the (x)inetd configuration files.