As part of security best practices, it is recommended to disable all services that are not required for normal operation, so that vulnerabilities in those services cannot be exploited on Red Hat Enterprise Linux (RHEL) or CentOS Linux.
The following services should be audited and, where not needed, disabled or removed to reduce the number of possible threats.
1. Internet Service Daemon (inetd) / eXtended Internet Daemon (xinetd)
- a super-server daemon that provides Internet services. xinetd replaced the original inetd; it listens on the ports of well-known services and starts the matching service on demand.
Command to check if xinetd is installed or not:
rpm -q xinetd
Recommendation: Remove the package(s) to reduce the attack surface
dnf remove xinetd
2. X Window System
- provides the Graphical User Interface (GUI) that lets users log in graphically and interact with a mouse and keyboard.
Command to check if the X Window System is installed or not:
rpm -qa 'xorg-x11*'
Recommendation: Remove the package(s) to reduce the attack surface
yum remove 'xorg-x11*'
dnf remove 'xorg-x11*'
3. Common Unix Printing System (CUPS)
- enables a system to function as a print server
Command to check if CUPS is installed or not:
rpm -qa cups
Recommendation: Remove the package(s) if the system does not act as a print server, to reduce the attack surface
systemctl disable cups
yum remove cups
dnf remove cups
4. Avahi Server
- facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. It is a free zeroconf implementation that allows programs to discover and publish services or hosts on a local network with no specific configuration.
Command to check if the Avahi server is installed or not (the RHEL/CentOS package is avahi; avahi-daemon is the service unit):
rpm -qa avahi
Recommendation: Remove the package(s)
systemctl disable avahi-daemon
yum remove avahi
dnf remove avahi
5. Lightweight Directory Access Protocol (LDAP) Server
- an open, cross-platform protocol used for directory services and authentication.
Command to check if the LDAP server is installed or not (the RHEL/CentOS package is openldap-servers; slapd is the service unit):
rpm -qa openldap-servers
Recommendation: Remove the package if the system is not acting as the LDAP server, to reduce the attack surface.
systemctl disable slapd
yum remove openldap-servers
dnf remove openldap-servers
6. Network File System (NFS)
- a distributed file system protocol that enables users to access remote files and data, retrieving them from multiple directories and disks across a shared network.
Command to check if NFS is installed or not:
rpm -qa nfs-utils
Recommendation: Remove the package if the system is not acting as the NFS server, to reduce the attack surface. There are a few ways to do this (systemctl on systemd-based releases, chkconfig on older SysV-init releases):
systemctl disable nfs-server
systemctl disable rpcbind
chkconfig portmap off
chkconfig nfs off
dnf remove nfs-utils
yum remove nfs-utils
7. File Transfer Protocol (FTP) Server
- a network protocol for transferring files between computers.
Command to check if the FTP server is installed or not (the default FTP server package is vsftpd):
rpm -qa vsftpd
Recommendation: Remove the package if the system is not acting as the FTP server, to reduce the attack surface.
systemctl disable vsftpd
dnf remove vsftpd
yum remove vsftpd
8. Samba Server
- allows system administrators to share file systems and directories with Windows desktops via the Server Message Block (SMB) protocol.
Command to check if Samba is installed or not:
rpm -qa samba
Recommendation: Remove the package if the system is not acting as the Samba (SMB) file server, to reduce the attack surface.
systemctl disable smb nmb
yum remove samba
dnf remove samba
9. Network Information Service (NIS)
- a client-server directory service protocol used for distributing system configuration files. It was formerly known as Yellow Pages (YP).
Command to check if NIS is installed or not:
rpm -qa ypserv
Recommendation: Remove the package, as NIS is an insecure system that has been vulnerable to attacks such as denial of service and buffer overflows, and has weak authentication for querying NIS maps.
systemctl disable ypserv
yum remove ypserv
dnf remove ypserv
10. HTTP Proxy Server
- a server application that acts as an intermediary for clients' requests for resources from other servers. It can cache data to speed up common HTTP requests. The standard proxy server in many distributions is Squid.
Command to check if Squid is installed or not:
rpm -qa squid
Recommendation: Remove the package if the server does not act as the HTTP proxy server, to reduce the attack surface
systemctl disable squid
yum remove squid
dnf remove squid
11. SNMP Server
- SNMP is a network-management protocol used to monitor network devices and collect statistics and performance data.
Command to check if the SNMP server is installed or not (the RHEL/CentOS package is net-snmp; snmpd is the service unit):
rpm -qa net-snmp
Recommendation: Remove the package if the server does not act as the SNMP server. The SNMP client tools can be kept.
systemctl disable snmpd
yum remove net-snmp
dnf remove net-snmp
12. DHCP Server
- a network server that dynamically assigns IP addresses and other network parameters to client devices
Command to check if the DHCP server is installed or not (the package is dhcp on RHEL/CentOS 7 and dhcp-server on 8 and later; dhcpd is the service unit):
rpm -qa dhcp dhcp-server
Recommendation: Remove the package if the server does not act as the DHCP server, to reduce the attack surface
systemctl disable dhcpd
yum remove dhcp
dnf remove dhcp-server
13. Domain Name System (DNS) Server
- DNS translates domain names to IP addresses for computers, services and other network resources. The most common DNS server on Linux is BIND.
Command to check if the BIND server is installed or not (the package is bind; named is the service unit):
rpm -qa bind
Recommendation: Remove the package if the server does not act as the DNS server, to reduce the attack surface
systemctl disable named
dnf remove bind
yum remove bind
14. HTTP or Web Server
- a system that uses the Hypertext Transfer Protocol (HTTP) to respond to requests from clients over the World Wide Web. There are several web servers (refer to Top 5 Open-Source Web Servers on Linux) that can run on Linux and need to be audited.
Command to check if the Apache server is installed or not:
rpm -qa httpd
Recommendation: Remove the package if the server does not act as the web server, to reduce the attack surface
systemctl disable httpd
yum remove httpd
dnf remove httpd
15. IMAP & POP3 Server
- Internet Message Access Protocol (IMAP) is an email protocol for retrieving and managing email on the receiving server. It stores messages on the server and synchronizes them across multiple devices. On RHEL/CentOS both IMAP and POP3 are typically served by Dovecot.
Command to check if the IMAP server is installed or not:
rpm -qa dovecot
Recommendation: Remove the package if the server does not act as the IMAP server, to reduce the attack surface
systemctl disable dovecot
yum remove dovecot
dnf remove dovecot
Post Office Protocol (POP3) Server
- the 3 denotes the latest version of the protocol. It is an email protocol for retrieving and managing email from the receiving server, but unlike IMAP it downloads email from the server to a single computer and then deletes it from the server.
Command to check if the POP3 server is installed or not:
rpm -qa dovecot
Recommendation: Remove the package if the server does not act as the POP3 server, to reduce the attack surface
systemctl disable dovecot
yum remove dovecot
dnf remove dovecot
Honorable Mention:
Rsync Service
- used to synchronize files between systems, locally or over network links.
Command to check if the rsync daemon is installed or not (the package is rsync on RHEL/CentOS 7 and rsync-daemon on 8 and later; rsyncd is the service unit):
rpm -qa rsync rsync-daemon
Recommendation: Remove the package if rsync is not being used, since the rsync daemon protocol is unencrypted, to reduce the attack surface.
systemctl disable rsyncd
dnf remove rsync-daemon
yum remove rsync
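The checks above are all the same two questions asked once per service: is the package installed, and is its unit enabled? The script below, an added example that is not part of the original post, asks both for the whole list in one pass and then prints the matching disable/remove commands as a plan for review rather than running them. The package and unit names (for example nfs-server, smb, net-snmp, dhcp-server, bind, rsync-daemon) are assumed from RHEL/CentOS 8 packaging; adjust them for other releases. RPM_QUERY and SYSTEMCTL are assumed override hooks so the logic can be exercised with stub commands on a machine without rpm.

```shell
#!/bin/sh
# Audit of the services discussed above (added example, not the post's own code).
# Reports installed/enabled state per service and prints a remediation plan.

# "package:unit" pairs; an empty unit means the package has no service unit.
# Names are assumed from RHEL/CentOS 8 packaging.
SERVICES="xinetd:xinetd xorg-x11-server-Xorg: cups:cups avahi:avahi-daemon \
openldap-servers:slapd nfs-utils:nfs-server vsftpd:vsftpd samba:smb ypserv:ypserv \
squid:squid net-snmp:snmpd dhcp-server:dhcpd bind:named httpd:httpd dovecot:dovecot \
rsync-daemon:rsyncd"

is_installed() {
    # rpm -q exits 0 only when the package is installed.
    # RPM_QUERY (assumed hook) lets a stub stand in for rpm during testing.
    ${RPM_QUERY:-rpm} -q "$1" >/dev/null 2>&1
}

is_enabled() {
    # systemctl is-enabled exits 0 for an enabled unit.
    # SYSTEMCTL (assumed hook) lets a stub stand in for systemctl during testing.
    ${SYSTEMCTL:-systemctl} is-enabled "$1" >/dev/null 2>&1
}

# Print one line per service: "<package> installed=yes|no enabled=yes|no|n/a".
audit_services() {
    for entry in $SERVICES; do
        pkg=${entry%%:*}
        unit=${entry#*:}
        if is_installed "$pkg"; then inst=yes; else inst=no; fi
        if [ -z "$unit" ]; then
            en=n/a
        elif is_enabled "$unit"; then
            en=yes
        else
            en=no
        fi
        printf '%-22s installed=%-3s enabled=%s\n' "$pkg" "$inst" "$en"
    done
}

# Number of listed packages that are installed on this host.
count_installed() {
    audit_services | awk '/installed=yes/ { n++ } END { print n + 0 }'
}

# Remediation plan for installed packages: disable and stop the unit, then remove
# the package. Printed rather than executed so an administrator can review it.
plan_removal() {
    for entry in $SERVICES; do
        pkg=${entry%%:*}
        unit=${entry#*:}
        is_installed "$pkg" || continue
        [ -n "$unit" ] && echo "systemctl disable --now $unit"
        echo "dnf remove $pkg"
    done
}

audit_services
echo "installed: $(count_installed)"
plan_removal
```

The plan uses `systemctl disable --now` because `systemctl disable` alone only stops the unit from starting at boot and leaves a running instance up; `--now` stops it as well. Where a service must never be pulled in as a dependency of another unit, `systemctl mask` is the stronger option.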