
Saturday, November 22, 2008

Disabling Unwanted Services

The list below is old (perhaps from 2006) and may only apply to Fedora Core 4 and earlier distributions. After the name of each daemon is my recommended state: on for started (enabled) and off for stopped (disabled). My recommendation is based on the kinds of services most people run (e.g. a graphical desktop machine in a home/office setting, with broadband network).

The minimal set of daemons for a graphical desktop machine browsing the web and reading email is: xfs, cron, network, and syslog. You'll probably also want cups, haldaemon, iptables, and messagebus. If you are running a graphical desktop (KDE or Gnome) you must have xfs running. It is a good idea to have cron and syslog running as well. You'll need network running to have your network active (unless you are using dial up).

As far as I know, your computer will "run" without any of these daemons. The computer won't have a graphical desktop or network, but it will be running. By the same token, nearly all of these can be enabled with no problem.

I don't know of a GUI application to manage daemons. Use ntsysv or chkconfig. You'll have to use a terminal window, and you must be logged in as root.

chkconfig name

For example:

chkconfig acpid off

List available daemons:

chkconfig --list

  • acpid - off Advanced Configuration and Power Interface event daemon. Shutdown applications if the power fails.
  • aep1000 - off AEP1000/AEP2000 coprocessor driver.
  • anacron - off Cron-like, but doesn't assume that the machine is always on.
  • apmd - off Advanced Power Management. Only on for your UPS to shutdown your computer when the power fails.
  • atd - off Run jobs queued for later execution by "at".
  • autofs - off Auto mount CDs and other file system-like devices and media.
  • bcm5820 - off Hardware cryptographic accelerator support for the BCM5820 Cryptonet driver.
  • cpuspeed - on for laptops, off for desktop computers.
  • crond - on Runs regularly scheduled system tasks, e.g. a task that runs once a day.
  • cups - on Common Unix Printing System. Necessary if you want to print.
  • cups-config-daemon - off(?) Works with HAL to dynamically manage printer configuration. Might overwrite /etc/cups/cupsd.conf. See: http://www.cups.org/articles.php?L301
  • cxoffice - off Probably runs automatically if you have Crossover Office and run an installed Windows application.
  • dc_client - off Distributed session cache client proxy.
  • dc_server - off Distributed session cache server.
  • gpm - off unless you want mouse cut/paste on the non-graphical console.
  • haldaemon - on Auto-recognizes various kinds of hardware and mountable media.
  • httpd - off The Apache web server. Only on if you need a web server.
  • iptables - on The firewall.
  • irda - off Infrared wireless device daemon. For PDA, etc.
  • irqbalance - on If you have a multiprocessor system. Off on all single cpu machines.
  • isdn - off Only used if you have an ISDN network connection.
  • kudzu - off Detects and configures new and/or changed hardware on a system. Can be run manually if you need it.
  • lisa - off Scans your network to provide information about hosts on your network, perhaps including Windows shares. Some versions have security problems. Part of kdenetwork utilities.
  • lm_sensors - off Monitor system sensors such as CPU and motherboard temperature.
  • mDNSResponder - off Publishes and browses available network services via Zeroconf (aka "Rendezvous").
  • mdmonitor - off Part of the mdadm package to administer software RAID. See rpm -qi mdadm
  • mdmpd - off Monitor MD multipath devices, e.g. disks with more than one controller. Apparently only for RAID arrays.
  • messagebus - on Provides a communication bus for dbus. Programs talk to other programs. Probably leave enabled.
  • microcode_ctl - on for Intel CPUs, off for AMD processors. Only works on Intel CPUs (doesn't work with AMD). I'm not clear what the updated microcode does. You can find out your cpu info on Linux systems with this command: cat /proc/cpuinfo More info at: http://www.urbanmyth.org/microcode/
  • mysqld - off A crash prone, slow, non-standard SQL database server.
  • named - off A DNS server.
  • netdump - off Only for diagnosing kernel crashes.
  • netfs - off Automatically mounts and unmounts all Network File System (NFS), SMB/CIFS (Lan Manager/Windows), and NCP (NetWare) mount points. This is the only thing you need if you are an NFS client (e.g. not an NFS server), since netfs will run any other necessary daemons. Netfs may automatically handle everything necessary for the other (non-NFS) protocols, but I've only tested it with NFS. Disable this if you don't use NFS, Samba, or NetWare.
  • netplugd - off Automatic recognition of active/inactive network interfaces.
  • network - on if you have an Ethernet connection. Off for modem users.
  • nfs - off Network File System. Only on to allow other unix systems to share your hard drive (volume, file system). Not necessary if you are a client to a shared volume.
  • nfslock - off Provides NFS file locking functionality. Disable if you aren't using NFS. Required by nfs.
  • nifd - off Network interface monitor. Calls mDNSResponder if your IP address changes.
  • nscd - off Nscd provides caching for the passwd(5), group(5), and hosts(5) databases.
  • ntpd - off Network Time Protocol. Easier to put this in cron: /usr/sbin/ntpdate -s -u ntp1.virginia.edu
  • pcmcia - on for laptop users with PCMCIA cards. Off for desktop machines.
  • portmap - off Netfs will start portmap as necessary. Portmap is DARPA port to RPC program number mapper. Required if you are an nfs client or server (although netfs starts portmap for clients, so you don't need it explicitly enabled). If you're not using NFS or NIS, then you should disable portmap. Some (?) versions of portmap are highly insecure. You can run `rpcinfo -p $hostname` against your system to see what additional services it is providing. More info at: http://cert.uni-stuttgart.de/archive/suse/security/2003/04/msg00141.html
  • postgresql - off The most powerful, fastest, easiest to use SQL database. Robust and has excellent documentation.
  • psacct - off Daemon used by several utilities for monitoring process activities, including ac, lastcomm, accton, and sa.
  • readahead - off The readahead process preloads the buffer cache with files that might be paged in one 'page demand triggered' read at a time. This can speed things up on boxes with enough memory. Config file is: /etc/readahead.files
  • readahead_early - off See readahead. Config file is: /etc/readahead.early.files
  • rhnsd - off Queries the Red Hat Network for updates and information.
  • rpcgssd - off Part of the nfs-utils package. Required by nfs.
  • rpcidmapd - off Required if you are running an nfs server.
  • rpcsvcgssd - off Required by nfs.
  • saslauthd - off unless you are using plaintext SASL password authentication
  • sendmail - off Part of the mail server. Only on if your machine is a mail server.
  • sgi_fam - off FAM is a file monitoring daemon that detects when files have changed and then performs some action.
  • smartd - off SMART Disk Monitoring Daemon. Monitor hard drive and predict failure.
  • smb - off Samba Windows file sharing server.
  • snmpd - off Respond to SNMP request packets. Probably only on if another machine is monitoring the status of your machine.
  • snmptrapd - off Receive and log SNMP trap messages. SNMP is for monitoring system status.
  • spamassassin - off Mail filter to identify spam using text analysis. Only for mail servers(?)
  • squid - off Proxy caching server for web and ftp.
  • sshd - off SSH daemon. On if you want to ssh into your machine.
  • syslog - on Handles logging of system events. It is good to leave this turned on. Logs autorotate and will not fill your hard drive.
  • tux - off Apparently a web server.
  • vncserver - off Remote desktop sharing.
  • winbind - off Related to Samba.
  • xfs - on X Windows font server. Used by X windows to support a graphical desktop (including KDE and Gnome)
  • xinetd - on Super daemon (aka super server), launches network related daemons on demand.
  • ypbind - off Disabled unless you are using an NIS server, usually for password authentication
  • yppasswdd - off yppasswdd is the RPC server that lets users change their passwords when you are using NIS (a.k.a. YP).
  • ypserv - off ypserv is an implementation of the standard NIS/YP networking protocol.
  • ypxfrd - off ypxfrd should be started in addition to ypserv to accelerate transferring yp maps.
  • yum - off Yellow dog Updater, Modified. Updates software packages (rpm and/or apt packages). Some people run it nightly, some run it manually.

Xinetd services in this list are typically all off. Most are totally unnecessary and several have been (or are) security holes. For a few years, Red Hat and Fedora had ftp (or vsftp) as an xinetd service. However, now vsftp is its own service (see /etc/rc.d/init.d/).

  • chargen - generates characters
  • chargen-udp - udp version of chargen
  • cups-lpd
  • daytime - gives out the current system time
  • daytime-udp - udp version of daytime
  • echo - echo characters back to the client
  • echo-udp - udp version of echo
  • ktalk - KDE version of the talk server
  • rsync
  • time - RFC 868 time server.
  • time-udp - udp version of time
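
To check a machine against the recommendations above, this added example (not part of the original post) parses chkconfig --list output, including the xinetd section that a runlevel-only filter never sees, and reports everything enabled outside an allow-list. The ALLOW set and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# ALLOW: the desktop set named in the text above (crond is the init script
# for cron). This is an assumption; adjust it to the role of the host.
ALLOW="xfs crond network syslog cups haldaemon iptables messagebus"

# audit_services: reads `chkconfig --list` output on stdin and prints
#   "sysv NAME"   for init scripts on at runlevel 3 or 5 and not in ALLOW
#   "xinetd NAME" for any xinetd-launched service that is on
audit_services() {
    awk -v allow="$ALLOW" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^xinetd based services:/ { in_xinetd = 1; next }
        in_xinetd {
            # Lines in this section look like "chargen-udp:   off"
            if (NF == 2 && $2 == "on") { sub(/:$/, "", $1); print "xinetd " $1 }
            next
        }
        # SysV lines: a name followed by seven "N:on|off" runlevel fields
        NF >= 8 && /[35]:on/ { if (!($1 in ok)) print "sysv " $1 }
    ' | LC_ALL=C sort
}

# Constructed sample in the layout chkconfig prints (not real host data).
sample_listing() {
    cat <<'EOF'
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off

xinetd based services:
        chargen:        off
        echo-udp:       on
        rsync:          off
EOF
}

# On a real host: /sbin/chkconfig --list | audit_services
sample_listing | audit_services
```
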

For each service listed, the Service Configuration utility will display a short description about the service you have highlighted in the upper-right pane, and the current status and process ID (PID) of the service, if it is running.

The services that you can safely disable will depend upon the role of your system. For example, if you are planning to run a web server, you will not want to disable the httpd service. The list below is a good starting place. These services can be disabled for the role we have chosen, that of a home workstation:

  • aep1000 - load and unload AEP1000/AEP2000 coprocessor driver.

  • bcm5820 - Hardware cryptographic accelerator support - BCM5820 Cryptonet driver.

  • chargen - An xinetd internal service which generates characters.

  • chargen-udp - This is the udp version.

  • daytime - An internal xinetd service which gets the current system time.

  • daytime-udp - This is the udp version.

  • echo - An xinetd internal service which echoes characters back to clients.

  • echo-udp - This is the udp version.

  • httpd - Apache is a World Wide Web server. It is used to serve HTML files and CGI.

  • irda - Infrared data link (for PDAs and such)

  • ktalk - KDE version of the talk server.

  • lisa - Provides information about hosts on your network.

  • mysqld - MySQL database server.

  • named - named (BIND) is a Domain Name Server (DNS) that is used to resolve host names to IP addresses.

  • netplugd - netplugd is a daemon for managing non-static network interfaces.

  • nfs - This service provides NFS server functionality.

  • nfslock - This service provides NFS file locking functionality.

  • nscd - This is a daemon which handles passwd and group lookups for running programs and caches the results for the next query.

  • ntpd - ntpd is the NTPv4 daemon.

  • pcmcia - PCMCIA support is usually to support things like ethernet and modems in laptops.

  • rsync - allows remote file synchronization

  • saslauthd - saslauthd is a server process which handles plaintext authentication requests on behalf of the cyrus-sasl library.

  • sendmail - Sendmail is a Mail Transport Agent.

  • services - An internal xinetd service, listing active services.

  • sgi_fam - FAM is a file monitoring daemon.

  • smartd - Self Monitoring and Reporting Technology (SMART) Daemon.

  • snmpd - Simple Network Management Protocol (SNMP) Daemon.

  • snmptrapd - Simple Network Management Protocol (SNMP) Trap Daemon.

  • squid - Squid - Internet Object Cache.

  • time - An RFC 868 time server.

  • time-udp - This is the udp version.

  • tux - The TUX threaded kernel-based http server.

  • vncserver - Starts and stops vncserver. Used to provide remote X administration services.

  • winbind - Starts and stops the Samba winbind daemon.

  • ypbind - This is a daemon which runs on NIS/YP clients and binds them to a NIS domain.

  • yppasswdd - yppasswdd is the RPC server that lets users change their passwords in the presence of NIS (a.k.a. YP).

  • ypserv - ypserv is an implementation of the standard NIS/YP networking protocol.

  • ypxfrd - ypxfrd should be started in addition to ypserv to accelerate transferring yp maps.

  • yum - Enable daily run of yum, a program updater. (This will depend on your environment.)

Note

If you include yum in your list of services to disable here, then you will be disabling the automated updates you would have configured in earlier sections of this overview. Certain users may have specific reasons for not wanting to run automated updates every night. Most users will want to leave this enabled. If you are disabling it, you should know exactly why.

Once you have chosen the services that you want to disable for your application, you can do so by unchecking the check box next to the name of the service you are disabling. Once you have deselected all of the services you want to disable, be sure to click the Save button, so that your changes are committed. The process needs to be done for all 3 multi-user runlevels (3, 4, 5). The GUI utility defaults to runlevel 5, so you will have to manually select runlevels 3 and 4 to enable/disable services there. You may also want to check runlevel 2, as there are certain services that may be considered "critical" that will be started at that runlevel.

Important

Be sure to stop the service you are disabling, if it is running. This saves you from having to reboot your system, and it gives you an immediate indication of whether stopping that particular service inhibits any functionality you expect from the system.

Command Line: Service Configuration

Note:

The following commands will need to be run as root.

There are a number of ways to tackle service control from the command line. One of the simplest is to use chkconfig. The following command will show you all of the services that are enabled to run at runlevel 5:

sudo /sbin/chkconfig --list | awk '/5:on/ { print $1 }' | sort

If you are running in command line only mode (runlevel 3), theoretically, you could disable all of these services. However, this could cause problems if you were to ever run in GUI mode. So, focus on the ones that I have listed above in the GUI section. Take this list of services, and put it into a series of commands that can be run either from the command line directly, or in a script. The easiest way will be to put the list of services in a file, however you could list all of the services individually in the for loop. This might be the better option if you were running it directly from the command line.

To put the list of services in a file, issue the command above, and redirect the output to a file:

sudo /sbin/chkconfig --list | awk '/[35]:on/ { print $1 }' | sort >> serviceslist.txt

This will capture all of the services that are designated to start at either runlevel 3 or runlevel 5. Then, edit the serviceslist.txt file so that it contains only the services you want to disable. An example serviceslist.txt file might look like this:

acpid
anacron
apmd
autofs
cpuspeed
crond
cups
cups-config-daemon
gpm
haldaemon
httpd
iptables
irqbalance
kudzu
lm_sensors
mDNSResponder
messagebus
microcode_ctl
netfs
network
nfslock
nifd
portmap
readahead
readahead_early
rhnsd
rpcgssd
rpcidmapd
rpcsvcgssd
smartd
smb
vncserver
xfs
xinetd 

Once you've edited the serviceslist.txt file, put the following into a text file, and give it executable permissions:


#!/bin/sh
# Disable every service named in serviceslist.txt for runlevels 3 and 5
while read -r SERVICE; do
    /sbin/chkconfig --level 35 "$SERVICE" off
done < serviceslist.txt
 

Execute the script by issuing the following command:

./script.sh 

This will disable the services you have selected for runlevels 3 and 5, which are the multi-user runlevels: level 3 for command line only, and level 5 for X, or GUI, mode.
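
A more defensive variant of the loop above, as an added example that is not from the original page: it turns serviceslist.txt into a reviewable list of commands, refuses to touch services in a keep-list, rejects lines that are not plain service names, and also stops each service as the Important note advises. The KEEP set and the demo list are assumptions constructed for illustration.

```shell
#!/bin/sh
# KEEP: services the first list on this page marks "on" (an assumption;
# edit for your host). Names in it are never disabled, even if listed.
KEEP="crond iptables messagebus network syslog xfs"

# plan_disable FILE: print the commands for each service named in FILE.
# Blank lines and "#" comments are ignored; KEEP entries and anything that
# is not a plain init-script name are reported as comments and skipped,
# so a stray line cannot smuggle shell syntax into the output.
plan_disable() {
    while read -r svc || [ -n "$svc" ]; do
        svc=$(printf '%s' "$svc" | tr -d '\r')
        case "$svc" in
            ''|\#*) continue ;;
            *[!A-Za-z0-9_.-]*) echo "# skipped invalid name: $svc"; continue ;;
        esac
        case " $KEEP " in
            *" $svc "*) echo "# kept: $svc"; continue ;;
        esac
        echo "/sbin/chkconfig --level 35 $svc off"
        echo "/sbin/service $svc stop"
    done < "$1"
}

# Constructed list standing in for an edited serviceslist.txt.
demo_list() {
    printf '%s\n' '# home workstation' httpd iptables 'nfs; reboot' portmap ''
}

tmp=$(mktemp) && demo_list > "$tmp"
plan_disable "$tmp"    # review the output first, then pipe it to: sudo sh
rm -f "$tmp"
```
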
