There are several good reasons for doing this:
- Minimize resource utilization – disk space, network bandwidth, CPU time and RAM are all finite; there is no reason to waste these quantities on processes which don’t have a purpose.
- Greater security – the fewer open ports and running processes, the fewer vulnerabilities there are likely to be on the system.
- Easier maintenance – with less software there are fewer dependencies to worry about, less to upgrade, and patching is less problematic.
- Elegant simplicity – management of a host is easier and cleaner if every component has its utility and nothing is extraneous.
A server freshly built from a Linux DVD – whatever distribution it is – will be automatically installed with a set of software suitable to its function. During the installation process, one selects “Basic Server” or “Desktop”, and a predetermined set of software packages is installed accordingly. The thing to remember is that this selection is for a general case, and is rarely exactly applicable to any one host in particular. For example, if one were to select the “Web server” option on some distributions, one might by default get both Apache HTTPD and NGINX, although only one of these would probably be used at a time. It would be necessary to uninstall the extra package.
It is good practice to extend this principle of least utility with all your servers, uninstalling unnecessary packages or disabling unneeded services to create a minimal installation. Once this ideal configuration is arrived at, it should be persisted to your Kickstart configuration and closely maintained. Provisioning and configuration management with Kickstart will be the topic of a subsequent post.
The frequent difficulty for the novice administrator is that without a good amount of experience and research, there is an awful lot of installed software which needs to be understood before one can decide what to cut and what needs to be kept. This research process is a useful learning experience for understanding what makes up a running Linux system, and is definitely advisable.
Linux packages under virtualization
Virtualization is now extremely widespread as a means of better utilizing and managing server resources. But in presenting emulated hardware to a Linux operating system, rather than physical devices, there is a set of software concerned with that hardware which is rendered superfluous on a virtual machine guest. This extra software should be removed. So a virtual machine installation provides a particular case study in which the list of running services will be examined and disabled where irrelevant.
For the purposes of this discussion, I’m using CentOS 6.2, running on VMware ESXi 4.1, although much of the advice would apply equally to Xen or KVM as well. Also, RedHat and Fedora wouldn’t differ significantly from CentOS. Feel free to weigh in with your opinions in the comments. I may have overlooked things, or may be doing something you disagree with, and I’d love to hear about it.
I’ve done a fresh installation from the DVD and selected “Basic Server”. My host is up and running. If I then check and see what services are running by default (searching for ‘on’ for run level 3, since this is the default multi-user run level), here is what I get:
```
# chkconfig --list | grep 3:on
abrt-ccpp      0:off 1:off 2:off 3:on  4:off 5:on  6:off
abrt-oops      0:off 1:off 2:off 3:on  4:off 5:on  6:off
abrtd          0:off 1:off 2:off 3:on  4:off 5:on  6:off
acpid          0:off 1:off 2:on  3:on  4:on  5:on  6:off
atd            0:off 1:off 2:off 3:on  4:on  5:on  6:off
auditd         0:off 1:off 2:on  3:on  4:on  5:on  6:off
cpuspeed       0:off 1:on  2:on  3:on  4:on  5:on  6:off
crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off
haldaemon      0:off 1:off 2:off 3:on  4:on  5:on  6:off
ip6tables      0:off 1:off 2:on  3:on  4:on  5:on  6:off
iptables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
irqbalance     0:off 1:off 2:off 3:on  4:on  5:on  6:off
kdump          0:off 1:off 2:off 3:on  4:on  5:on  6:off
lvm2-monitor   0:off 1:on  2:on  3:on  4:on  5:on  6:off
mdmonitor      0:off 1:off 2:on  3:on  4:on  5:on  6:off
messagebus     0:off 1:off 2:on  3:on  4:on  5:on  6:off
netfs          0:off 1:off 2:off 3:on  4:on  5:on  6:off
network        0:off 1:off 2:on  3:on  4:on  5:on  6:off
postfix        0:off 1:off 2:on  3:on  4:on  5:on  6:off
qpidd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
rsyslog        0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
sysstat        0:off 1:on  2:on  3:on  4:on  5:on  6:off
udev-post      0:off 1:on  2:on  3:on  4:on  5:on  6:off
```
It’s worth checking the man page for every running service to ensure you at least know what they all are, but of the above list, here’s what I would disable on a virtual machine, and why:
| Service | What it does, and why to disable it on a VM guest |
|---|---|
| acpid | Power configuration interface, useful for graceful shutdown when pressing the power button; not really needed on a VMware guest |
| cpuspeed | Manipulates the CPU clock speed according to idle time; the hypervisor manages CPU scheduling |
| haldaemon | Collects hardware info; the VMware console handles all this |
| ip6tables | Firewall for IPv6; disable if you’re not using IPv6 |
| irqbalance | Balances load across CPUs; the hypervisor will handle this |
| postfix | Mail server; unless you’re actually relaying mail, disable this. It’s not required for sending mail |
| sendmail | Mail server; see above |
| qpidd | Message queuing; if not being used, disable |
| lvm2-monitor | Logical volume manager monitoring; disable if you’re using regular partitions or VxVM |
| mdmonitor | Software RAID monitoring; possibly not required with virtual disks |
| messagebus | Broadcasts system events; only use if needed |
| netfs | NFS-related service; possibly disable if not running an NFS server |
| restorecond | Monitors files for correct SELinux context; disable if not using SELinux |
There may be quite a few other services that appear in your installation, particularly if you’re using an older version of CentOS/Fedora, or if you installed different groups of packages. The gist of all this is that it’s important to be familiar with what you’re running, what it does, and why it’s there. And then disable the rest.
To stop and disable these services, one would execute:
```
# service SERVICENAME stop
# chkconfig SERVICENAME off
```
Or better, remove it from the service list with:
```
# chkconfig --del SERVICENAME
```
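As an added example (not code from the original post), here is a small shell audit that reads `chkconfig --list` output, keeps only the services that are on at run level 3, and prints the stop/disable commands from above for anything not on an allow-list; the allow-list and the sample output are constructed for a hypothetical VM web server, and nothing is executed.

```shell
#!/bin/sh
# Added example, not from the original post. Compares `chkconfig --list`
# output against an allow-list of services a host is meant to run at
# run level 3, and prints (does not run) the disable commands for the rest.

# Hypothetical allow-list for a minimal CentOS 6 VM web server.
ALLOWED="auditd crond iptables network rsyslog sshd udev-post"

# Read chkconfig output on stdin; print the names of services that are
# "3:on" but not in $ALLOWED, one per line.
unexpected_services() {
    while read -r name levels; do
        case " $levels " in
            *" 3:on "*) ;;            # enabled at run level 3: check it
            *) continue ;;            # off at run level 3: ignore
        esac
        case " $ALLOWED " in
            *" $name "*) ;;           # on the allow-list: keep it
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# For each service name on stdin, emit the stop/disable commands as a dry run.
disable_plan() {
    while read -r name; do
        printf 'service %s stop; chkconfig %s off\n' "$name" "$name"
    done
}

# Constructed sample resembling `chkconfig --list` on CentOS 6.
SAMPLE='acpid          0:off 1:off 2:on  3:on  4:on  5:on  6:off
auditd         0:off 1:off 2:on  3:on  4:on  5:on  6:off
cpuspeed       0:off 1:on  2:on  3:on  4:on  5:on  6:off
crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off
kdump          0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# Run the audit over the sample; on a real host replace the sample with
# `chkconfig --list | unexpected_services | disable_plan`.
audit_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_services | disable_plan
}

audit_sample
```

Review the printed plan before running any of it; kdump is skipped in the sample because it is off at run level 3, not because it is allowed.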
You could also use “rpm” or “yum” (or “apt-get”) to uninstall the software completely, although I’m often loath to do so unless I’m certain there are no dependencies to worry about.
Other services to cut
Depending on your distribution or the package groups you’ve installed, you may have other services running that aren’t in this list. In the past, I’ve always tended to disable these as well, where I find them:
| Service | What it does, and why to disable it |
|---|---|
| cups | Printer daemon; only use if managing printers * |
| bluetooth, hidd | Bluetooth; not needed on a server |
| avahi-daemon | Zeroconf networking; not really needed on a server |
| iscsi | iSCSI daemon; VMs would generally have disk devices presented natively |
| firstboot | Runs some initialization on the first boot, then is never needed |
| pcscd | Smart card daemon |
| xfs | Font server; not really needed when not using X |
| smartd | Monitors disk devices; again, not usually needed on a VM guest |
| ntpd | NTP daemon; if the VM agent software is synchronising time, then disable it |
* Seriously, write in the comments if you’ve ever used cups on a server (not a desktop). I don’t remember the last time I handled paper in this job.
To further secure things, it’s a good idea to run netstat and take note of any listening ports and the services listening upon them:
```
# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7729/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1239/sshd
```
On this server only SSH and HTTPD are listening. Given that it’s a web server, this is as expected. If, for example, something were listening on port 25, this would indicate a mail server was present, and I’d probably want to disable it and segregate the mail function elsewhere on a dedicated server.
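As an added example (not from the original post), the following shell function turns that check into a repeatable audit: it reads `netstat -nlp` output, picks out every listening socket, and reports any port not in a baseline of expected ports together with the owning process. The baseline and the sample output, including a port 25 listener of the kind described above, are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reports listening sockets in
# `netstat -nlp` output (read from stdin) whose port is not in the
# expected baseline, so an unexpected daemon such as a mail server stands out.

# Hypothetical baseline for a web server: SSH and HTTP only.
EXPECTED_PORTS="22 80"

# Print "proto port pid/program" for each listener not in $EXPECTED_PORTS.
unexpected_listeners() {
    while read -r proto rq sq local foreign state prog; do
        case "$proto" in
            tcp|tcp6) [ "$state" = "LISTEN" ] || continue ;;
            udp|udp6) prog=$state ;;     # udp lines have no State column
            *) continue ;;               # header lines and anything else
        esac
        port=${local##*:}                # strip the address part
        case " $EXPECTED_PORTS " in
            *" $port "*) continue ;;     # expected on this host
        esac
        printf '%s %s %s\n' "$proto" "$port" "$prog"
    done
}

# Constructed sample resembling `netstat -nlp` on a CentOS 6 web server
# that also has postfix and rpcbind listening.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7729/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1239/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1410/master
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1101/rpcbind'

# Run over the sample; on a real host use `netstat -nlp | unexpected_listeners`.
audit_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_listeners
}

audit_sample
```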
Again, all of these changes should be formalised into a stable Kickstart, Jumpstart or Cobbler configuration in order to be assured of consistent and secure builds.
Linux system administration is an active process which requires attention, research, documentation and discipline. It’s no longer adequate to choose defaults and hope for the best. The suggestions I’ve made here may be incorrect for your environment or your distribution, but it’s important to work out what software you need to have installed, document that, and rigorously adhere to your plan.
Matt Parsons is a freelance Linux specialist who has designed, built and supported Unix and Linux systems in the finance, telecommunications and media industries.
He lives and works in London.