I always disable most of the services witch are activated by a default Centos 5.3 instalation.
To disable them, run the following commands:
chkconfig anacron off
chkconfig apmd off
chkconfig atd off
chkconfig autofs off
chkconfig cpuspeed off
chkconfig cups off
chkconfig cups-config-daemon off
chkconfig gpm off
chkconfig isdn off
chkconfig netfs off
chkconfig nfslock off
chkconfig openibd off
chkconfig pcmcia off
chkconfig portmap off
chkconfig rawdevices off
chkconfig readahead_early off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig smartd off
chkconfig xfs off
chkconfig ip6tables off
chkconfig avahi-daemon off
chkconfig firstboot off
chkconfig yum-updatesd off
chkconfig mcstrans off
chkconfig pcscd off
chkconfig bluetooth off
chkconfig hidd off
And you might consider disable this:
chkconfig sendmail off
chkconfig xinetd off
chkconfig acpid off
chkconfig microcode_ctl off
chkconfig irqbalance off
chkconfig haldaemon off
chkconfig messagebus off
chkconfig mdmonitor off
Is this a machine which is designed to run all the time, such as a server or a workstation which is left on at night? If so:
# yum erase anacron
The anacron subsystem is designed to provide cron functionality for machines which may be shut down during the normal times that system cron jobs run, frequently in the middle of the night. Laptops and workstations which are shut down at night should keep anacron enabled, so that standard system cron jobs will run when the machine boots.
However, on machines which do not need this additional functionality, anacron represents another piece of privileged software which could contain vulnerabilities. Therefore, it should be removed when possible to reduce system risk.
apmd – Advanced Power Management Subsystem
If the system is capable of ACPI support, or if power management is not necessary, disable this service:
# chkconfig apmd off
APM is being replaced by ACPI and should be considered deprecated. As such, it can be disabled if ACPI is sup- ported by your hardware and kernel. If the file /proc/acpi/info exists and contains ACPI version information, then APM can safely be disabled without loss of functionality.
autofs – Automounter
If the autofs service is not needed to dynamically mount NFS filesystems or removable media, disable the service:
# chkconfig autofs off
The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use.
Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing /etc/ fstab rather than relying on the automounter.
The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows a system to automatically identify resources on the network, such as printers or web servers. This capability is also known as mDNSresponder and is a major part of Zeroconf networking. By default, it is enabled.
Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it is particularly important to reduce the system’s vulnerability to such attacks.
Edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line:
-A RH-Firewall-1-INPUT -p udp –dport 5353 -d 220.127.116.11 -j ACCEPT
By default, inbound connections to Avahi’s port are allowed. If the Avahi server is not being used, this exception should be removed from the firewall configuration. See Section 2.5.5 for more information about the Iptables firewall.
bluetooth and hidd
If the system requires no Bluetooth devices, disable this service
# chkconfig bluetooth off
If the system has no Bluetooth input devices (e.g. keyboard or mouse), disable this service:
# chkconfig hidd off
Add the following to /etc/modprobe.conf to prevent the loading of the Bluetooth module:
alias net-pf-31 off
cups and cupsd
Do you need the ability to print from this machine or to allow others to print to it? If not:
# chkconfig cups off
firstboot – Installation Helper Service
Firstboot is a daemon specific to the Red Hat installation process. It handles “one-time” configuration following successful installation of the operating system. As such, there is no reason for this service to remain enabled.
Disable firstboot by issuing the command:
# chkconfig firstboot off
gpm – Console Mouse Service
GPM is the service that controls the text console mouse pointer. (The X Windows mouse pointer is unaffected by this service.)
If mouse functionality in the console is not required, disable this service:
# chkconfig gpm off
Although it is preferable to run as few services as possible, the console mouse pointer can be useful for preventing administrator mistakes in runlevel 3 by enabling copy-and-paste operations.
haldaemon – HAL Daemon
The haldaemon service provides a dynamic way of managing device interfaces. It automates device configuration
and provides an API for making devices accessible to applications through the D-Bus interface.
HAL provides valuable attack surfaces to attackers as an intermediary to privileged operations and should be disabled unless necessary:
# chkconfig haldaemon off
hplip – The HP Linux Imaging and Printing (HPLIP) Toolkit
The HPLIP package is an HP printing support utility that is installed and enabled in a default installation. The HPLIP package is comprised of two separate components. The first is the main HPLIP service and the second is a smaller subcomponent called HPIJS. HPLIP is a feature-oriented network service that provides higher level printing support (such as bi-directional I/O, scanning, photo card, and toolbox functionality). HPIJS is a lower level basic printing driver that provides basic support for non-PostScript HP printers.
Since the HPIJS driver will still function without the added HPLIP service, HPLIP should be disabled unless the specific higher level functions that HPLIP provides are needed by a non-PostScript HP printer on the system.
# chkconfig hplip off
isdn – ISDN Support
The ISDN service facilitates Internet connectivity in the presence of an ISDN modem.
If an ISDN modem is not being used, disable this service:
# chkconfig isdn off
kdump – Kdump Kernel Crash Analyzer
Kdump is a new kernel crash dump analyzer. It uses kexec to boot a secondary kernel (“capture” kernel) following a system crash. The kernel dump from the system crash is loaded into the capture kernel for analysis.
Unless the system is used for kernel development or testing, disable the service:
# chkconfig kdump off
kudzu – Kudzu Hardware Probing Utility
Is there a mission-critical reason for console users to add new hardware to the system? If not:
# chkconfig kudzu off
Kudzu, Red Hat’s hardware detection program, represents an unnecessary security risk as it allows unprivileged users to perform hardware configuration without authorization. Unless this specific functionality is required, Kudzu should be disabled.
mcstrans – MCS Translation Service
Unless there is some overriding need for the convenience of category label translation, disable the MCS translation service:
# chkconfig mcstrans off
The mcstransd daemon provides the category label translation information defined in /etc/selinux/targeted/setrans.conf to client processes which request this information.
Category labelling is unlikely to be used except in sites with special requirements. Therefore, it should be disabled in order to reduce the amount of potentially vulnerable code running on the system. See Section 2.4.6 for more information about systems which use category labelling.
mdmonitor – Software RAID Monitor
The mdmonitor service is used for monitoring a software RAID (hardware RAID setups do not use this service). This service is extraneous unless software RAID is in use (which is not common).
If software RAID monitoring is not required, disable this service:
# chkconfig mdmonitor off
messagebus – D-Bus IPC Service
D-Bus is an IPC mechanism that provides a common channel for inter-process communication.
If no services which require D-Bus are in use, disable this service:
# chkconfig messagebus off
A number of default services make use of D-Bus, including X Windows, Bluetooth and Avahi. We recommends that D-Bus and all its dependencies be disabled unless there is a mission-critical need for them.
Stricter configuration of D-Bus is possible and documented in the man page dbus-daemon. D-Bus maintains two separate configuration files, located in /etc/dbus-1/, one for system-specific configuration and the other for session-specific configuration.
microcode ctl – IA32 Microcode Utility
microcode ctl is a microcode utility for use with Intel IA32 processors (Pentium Pro, PII, Celeron, PIII, Xeon, Pentium 4, etc)
If the system is not running an Intel IA32 processor, disable this service:
# chkconfig microcode ctl off
Disable All NFS Services if Possible (nfslock, rpcgssd, rpcidmapd, netfs)
If NFS is not needed, perform the following steps to disable NFS client daemons:
# chkconfig nfslock off
# chkconfig rpcgssd off
# chkconfig rpcidmapd off
The nfslock, rpcgssd, and rpcidmapd daemons all perform NFS client functions.
All of these daemons run with elevated privileges, and many listen for network connections. If they are not needed, they should be disabled to improve system security posture.
Determine whether any network filesystems handled by netfs are mounted on this system:
# mount -t nfs,nfs4,smbfs,cifs,ncpfs
If this command returns no output, disable netfs to improve system security:
# chkconfig netfs off
The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself.
pcscd – Smart Card Support
If Smart Cards are not in use on the system, disable this service:
# chkconfig pcscd off
portmap – RPC Portmapper
- NFS is not needed
- The site does not rely on NIS for authentication information, and
- The machine does not run any other RPC-based service
then disable the RPC portmapper service:
# chkconfig portmap off
By design, the RPC model does not require particular services to listen on fixed ports, but instead uses a daemon, portmap, to tell prospective clients which ports to use to contact the services they are trying to reach. This model weakens system security by introducing another privileged daemon which may be directly attacked, and is unnecessary because RPC was never adopted by enough services to risk using up all the ports on a system.
Unfortunately, the portmapper is central to RPC design, so it cannot be disabled if your site is using any RPC- based services, including NFS, NIS, or any third-party or custom RPC-based program. If none of these programs are in use, however, portmap should be disabled to improve system security.
In order to get more information about whether portmap may be disabled on a given host, query the local portmapper using the command:
# rpcinfo -p
If the only services listed are portmapper and status, it is safe to disable the portmapper. If other services are listed and your site is not running NFS or NIS, investigate these services and disable them if possible.
readahead early/readahead later – Boot Caching
The following services provide one-time caching of files belonging to some boot services, with the goal of allowing the system to boot faster.
It is recommended that this service be disabled on most machines:
# chkconfig readahead early off
# chkconfig readahead later off
The readahead services do not substantially increase a system’s risk exposure, but they also do not provide great benefit. Unless the system is running a specialized application for which the file caching substantially improves system boot time, this guide recommends disabling the services.
The rhnsd daemon polls the Red Hat Network web site for scheduled actions. Unless it is actually necessary to schedule updates remotely through the RHN website, it is recommended that the service be disabled.
# chkconfig rhnsd off
The rhnsd daemon is enabled by default, but until the system has been registered with the Red Hat Network, it will not run. However, once the registration process is complete, the rhnsd daemon will run in the background and periodically call the rhn check utility. It is the rhn check utility that communicates with the Red Hat Network web site.
This utility is not required for the system to be able to access and install system updates. Once the system has been registered, either use the provided yum-updatesd service or create a cron job to automatically apply updates.
Is there a mission-critical reason to allow users to view SELinux denial information using the sealert GUI? If not, disable the service and remove the RPM:
# chkconfig setroubleshoot off
# yum erase setroubleshoot
The setroubleshoot service is a facility for notifying the desktop user of SELinux denials in a user-friendly fashion. SELinux errors may provide important information about intrusion attempts in progress, or may give information about SELinux configuration problems which are preventing correct system operation. In order to maintain a secure and usable SELinux installation, error logging and notification is necessary.
However, setroubleshoot is a service which has complex functionality, which runs a daemon and uses IPC to distribute information which may be sensitive, or even to allow users to modify SELinux settings, and which does not yet implement real authentication mechanisms. This guide recommends disabling setroubleshoot and using the kernel audit functionality to monitor SELinux’s behavior.
In addition, since setroubleshoot automatically runs client-side code whenever a denial occurs, regardless of whether the setroubleshootd daemon is running, it is recommended that the program be removed entirely unless it is needed.
xfs – X Font Server
Disable the xfs helper service:
# chkconfig xfs off
The system’s X.org requires the X Font Server service (xfs) to function. The xfs service will be started auto- matically if X.org is activated via startx. Therefore, it is safe to prevent xfs from starting at boot when X is disabled, even if users are allowed to run X manually.
Disable the yum-updatesd service:
# chkconfig yum-updatesd off
Create the file yum.cron, make it executable, and place it in /etc/cron.daily:
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update
This particular script instructs yum to update any packages it finds. Placing the script in /etc/cron.daily ensures its daily execution. To only apply updates once a week, place the script in /etc/cron.weekly instead.
# Kernel tuning settings for CentOS5,
# busy webserver with lots of free memory.
# Big queue for the network device
# Lots of local ports for connections
# Bump up send/receive buffer sizes
# Disable TCP selective acknowledgements
# Decrease the amount of time we spend
# trying to maintain connections
# Increase the number of incoming connections
# that can queue up before dropping
# Increase option memory buffers
There are plenty of other sysctl options to tune, but the above made the most difference.
And netstat -s is your friend.