Remove Unused Network-Facing Services
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Most Linux distributions install with running network services which listen for incoming connections from the internet, the loopback interface, or a combination of both. Network-facing services which are not needed should be removed from the system to reduce the attack surface of both running processes and installed packages.
Determine Running Services
To see your Linode’s running network services:
sudo ss -atpu
The following is an example of the output given by ss
, and shows that the SSH daemon (sshd) is listening and connected. Note that because distributions run different services by default, your output will differ.
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=3675,fd=3))
tcp ESTAB 0 208 203.0.113.1:ssh 198.51.100.2:54820 users:(("sshd",pid=3698,fd=3))
tcp LISTEN 0 128 :::ssh :::* users:(("sshd",pid=3675,fd=4))
TCP
See the Peer Address:Port column of the ss
readout. The process sshd
is listening on *:*
, which translates into any incoming IPv4 address to any port, and over any network interface. The next line shows an established SSH connection from IP address 198.51.100.2 via ephemeral port 54820. The last line, :::*
denotes the sshd
process listening for any incoming SSH connections over IPv6 to any port, and again over any network interface.
UDP
UDP sockets are stateless, meaning they are either open or closed and every process’s connection is independent of those which occurred before and after. This is in contrast to TCP connection states such as LISTEN, ESTABLISHED and CLOSE_WAIT. The ss
output above shows no UDP connections.
Determine Which Services to Remove
A basic TCP and UDP nmap scan of your Linode without a firewall enabled would show SSH and possibly other services listening for incoming connections. By configuring a firewall you can filter those ports to your requirements. Ideally, the unused services should be disabled.
You will likely be administering your server primarily through an SSH connection, so that service needs to stay. As mentioned above,
RSA keys and
Fail2Ban can help protect SSH. System services like chronyd
, systemd-resolved
, and dnsmasq
are usually listening on localhost and only occasionally contacting the outside world. Services like this are part of your operating system and will cause problems if removed and not properly substituted.
However, some services are unnecessary and should be removed unless you have a specific need for them. Some examples could be Exim, Apache and RPC.
NoteIf you are using the Apache web server as part of your configuration, it is recommended in most cases to disableDirectory Listing
as this setting is enabled by default and can pose a security risk. For more information, see Apache’s Documentation.
Uninstall the Listening Services
How to remove the offending packages will differ depending on your distribution’s package manager.
CentOS
sudo yum remove package_name
Debian / Ubuntu
sudo apt purge package_name
Fedora
sudo dnf remove package_name
Run ss -atup
again to verify that the unwanted services are no longer running.
This page was originally published on