Product SiteDocumentation Site

3.5. Run the minimum number of services required

Services are programs such as ftp servers and web servers. Since they have to be listening for incoming connections that request the service, external computers can connect to yours. Services are sometimes vulnerable (i.e. can be compromised under a given attack) and hence present a security risk.
You should not install services which are not needed on your machine. Every installed service might introduce new, perhaps not obvious (or known), security holes on your computer.
As you may already know, when you install a given service the default behavior is to activate it. In a default Debian installation, with no services installed, the number of running services is quite low and the number of network-oriented services is even lower. In a default Debian 3.1 standard installation you will end up with OpenSSH, Exim (depending on how you configured it) and the RPC portmapper available as network services[4]. If you did not go through a standard installation but selected an expert installation you can end up with no active network services. The RPC portmapper is installed by default because it is needed for many services, for example NFS, to run on a given system. However, it can be easily removed, see Section 5.13, “Securing RPC services” for more information on how to secure or disable RPC services.
When you install a new network-related service (daemon) in your Debian GNU/Linux system it can be enabled in two ways: through the inetd superdaemon (i.e. a line will be added to /etc/inetd.conf) or through a standalone program that binds itself to your network interfaces. Standalone programs are controlled through the /etc/init.d files, which are called at boot time through the SysV mechanism (or an alternative one) by using symlinks in /etc/rc?.d/* (for more information on how this is done read /usr/share/doc/sysvinit/README.runlevels.gz).
If you want to keep some services but use them rarely, use the update-* commands, e.g. update-inetd and update-rc.d to remove them from the startup process. For more information on how to disable network services read Section 3.5.1, “Disabling daemon services”. If you want to change the default behaviour of starting up services on installation of their associated packages[5] use policy-rc.d, please read /usr/share/doc/sysv-rc/README.policy-rc.d.gz for more information.
invoke-rc.d support is mandatory in Debian, which means that for Debian 4.0 etch and later releases you can write a policy-rc.d file that forbids starting new daemons before you configure them. Although no such scripts are packaged yet, they are quite simple to write. See policyrcd-script-zg2.

3.5.1. Disabling daemon services

Disabling a daemon service is quite simple. You either remove the package providing the program for that service or you remove or rename the startup links under /etc/rc${runlevel}.d/. If you rename them make sure they do not begin with 'S' so that they don't get started by /etc/init.d/rc. Do not remove all the available links or the package management system will regenerate them on package upgrades, make sure you leave at least one link (typically a 'K', i.e. kill, link). For more information read http://www.debian.org/doc/manuals/reference/ch-system.en.html#s-custombootscripts section of the Debian Reference (Chapter 2 - Debian fundamentals).
You can remove these links manually or using update-rc.d (see update-rc.d(8)). For example, you can disable a service from executing in the multi-user runlevels by doing:
  # update-rc.d name stop XX 2 3 4 5 .
Where XX is a number that determines when the stop action for that service will be executed. Please note that, if you are not using file-rc, update-rc.d -f service remove will not work properly, since all links are removed, upon re-installation or upgrade of the package these links will be re-generated (probably not what you wanted). If you think this is not intuitive you are probably right (see http://bugs.debian.org/67095). From the manpage:
  If any files /etc/rcrunlevel.d/[SK]??name already exist then
  update-rc.d does nothing.  This is so that the system administrator 
  can rearrange the  links,  provided that  they  leave  at  least one
  link remaining, without having their configuration overwritten.
If you are using file-rc all the information regarding services bootup is handled by a common configuration file and is maintained even if packages are removed from the system.
You can use the TUI (Text User Interface) provided by sysv-rc-conf to do all these changes easily (sysv-rc-conf works both for file-rc and normal System V runlevels). You will also find similar GUIs for desktop systems. You can also use the command line interface of sysv-rc-conf:
  # sysv-rc-conf foobar off
The advantage of using this utility is that the rc.d links are returned to the status they had before the 'off' call if you re-enable the service with:
  # sysv-rc-conf foobar on
Other (less recommended) methods of disabling services are:
  • Removing the /etc/init.d/service_name script and removing the startup links using:
      # update-rc.d name remove
    
  • Move the script file (/etc/init.d/service_name) to another name (for example /etc/init.d/OFF.service_name). This will leave dangling symlinks under /etc/rc${runlevel}.d/ and will generate error messages when booting up the system.
  • Remove the execute permission from the /etc/init.d/service_name file. That will also generate error messages when booting.
  • Edit the /etc/init.d/service_name script to have it stop immediately once it is executed (by adding an exit 0 line at the beginning or commenting out the start-stop-daemon part in it). If you do this, you will not be able to use the script to startup the service manually later on.
Nevertheless, the files under /etc/init.d are configuration files and should not get overwritten due to package upgrades if you have made local changes to them.
Unlike other (UNIX) operating systems, services in Debian cannot be disabled by modifying files in /etc/default/service_name.
FIXME: Add more information on handling daemons using file-rc.

3.5.2. Disabling inetd or its services

You should check if you really need the inetd daemon nowadays. Inetd was always a way to compensate for kernel deficiencies, but those have been taken care of in modern Linux kernels. Denial of Service possibilities exist against inetd (which can increase the machine's load tremendously), and many people always preferred using stand-alone daemons instead of calling services via inetd. If you still want to run some kind of inetd service, then at least switch to a more configurable Inet daemon like xinetd, rlinetd or openbsd-inetd.
You should stop all unneeded Inetd services on your system, like echo, chargen, discard, daytime, time, talk, ntalk and r-services (rsh, rlogin and rcp) which are considered HIGHLY insecure (use ssh instead).
You can disable services by editing /etc/inetd.conf directly, but Debian provides a better alternative: update-inetd (which comments the services in a way that it can easily be turned on again). You could remove the telnet daemon by executing this commands to change the config file and to restart the daemon (in this case the telnet service is disabled):
  /usr/sbin/update-inetd --disable telnet
If you do want services listening, but do not want to have them listen on all IP addresses of your host, you might want to use an undocumented feature on inetd (replace service name with service@ip syntax) or use an alternative inetd daemon like xinetd.


[4] The footprint in Debian 3.0 and earlier releases wasn't as tight, since some inetd services were enabled by default. Also standard installations of Debian 2.2 installed the NFS server as well as the telnet server.
[5] This is desirable if you are setting up a development chroot, for example.