Remove Extraneous RedHat Services to Help Secure Servers

One of the principles of server security is to run only those services and daemons that are absolutely necessary, and no more. A good, hardened server shouldn’t be having extraneous conversations with other machines.

While this is by no means a comprehensive list, here are some extraneous services that may be running on your server after a fresh CentOS or RedHat install. Obviously, you should look at your server’s purpose and skip those that are needed for your particular machine.

Detecting Running Services

There are various commands that will show what’s listening on what port. I personally like

# lsof -i

Disabling Daemons

If one can’t just remove a daemon, one may disable it.

  1. Stop the daemon.
    # service daemon_name stop
  2. Disable the daemon from running automatically.
    # chkconfig --level 0123456 daemon_name off

Daemons to Consider Removing

My servers aren't doing Zeroconf to talk to new machines that appear on the network. If it says, "Bonjour", my server isn't listening. Avahi is embedded pretty deeply in the system, so you'll probably not be able to remove the avahi package without neutering your server.

For some reason the printer subsystem CUPS is embedded pretty deeply in the system, and you may not be able to remove it without erasing administrative tools that you might want to keep.

For some reason the LSB RPM depends on Exim, so again I simply disable Exim. Cron jobs can still send e-mail without Exim running. If you don't care about LSB compliance, you can sudo yum erase exim.
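
The stop-and-disable steps applied to the three daemons above, as an added example that is not part of the original post. It audits `chkconfig --list` output and prints the commands for any listed daemon still enabled in some runlevel. The init-script names `avahi-daemon`, `cups` and `exim` are assumptions to confirm on your own system, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: audit `chkconfig --list` output for daemons that should be off.
# Init-script names below are assumptions; confirm them with `chkconfig --list`.
UNWANTED="avahi-daemon cups exim"

# Constructed sample of `chkconfig --list` output, so the script runs offline.
sample_chkconfig() {
cat <<'EOF'
avahi-daemon    0:off 1:off 2:off 3:on  4:on  5:on  6:off
cups            0:off 1:off 2:off 3:off 4:off 5:off 6:off
exim            0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
EOF
}

# Read `chkconfig --list` output on stdin; print each unwanted service that is
# still "on" in any runlevel, followed by those runlevels (e.g. "exim 2345").
still_enabled() {
    awk -v unwanted="$UNWANTED" '
        BEGIN { n = split(unwanted, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) {
            levels = ""
            for (f = 2; f <= NF; f++) {
                split($f, kv, ":")
                if (kv[2] == "on") levels = levels kv[1]
            }
            if (levels != "") print $1, levels
        }'
}

# Turn the audit into the stop/disable commands from the steps above.
# The commands are printed for review, not executed.
remediation() {
    still_enabled | while read -r name levels; do
        echo "service $name stop"
        echo "chkconfig --level 0123456 $name off"
    done
}

# Demo on the constructed sample; on a real server: chkconfig --list | remediation
sample_chkconfig | remediation
```

Services that are already off in every runlevel (cups in the sample) and services outside the list (sshd) produce no output.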

There are others. Please suggest more!
