Sunday, August 23, 2015

security - Which services to disable on a CentOS 5.8 web/database server?

I have just set up my CentOS 5.8 64 [final] server as a web server.

Specs: 2x E5620 Intel CPU, DDR3 RAM, Hardware Adaptec RAID 10, 4x SAS drives.

I have installed myself:

Nginx
PHP-FPM
MySQL [ourdelta.org version]
Sphinx
Vsftpd
Fail2ban
Citadel [ddos flood protection]
Munin
NTP
Htop
Iptraf

These are all things that I actively use to run my websites.

Now my question:

I found this article: http://www.vr.org/kb/1002/Optimize-and-disable-default-CentOS-services.html

It talks about a whole list of services that you can disable. This is the list they suggest:

chkconfig anacron off
chkconfig apmd off
chkconfig atd off
chkconfig autofs off
chkconfig cpuspeed off
chkconfig cups off
chkconfig cups-config-daemon off
chkconfig gpm off
chkconfig isdn off
chkconfig netfs off
chkconfig nfslock off
chkconfig openibd off
chkconfig pcmcia off
chkconfig portmap off
chkconfig rawdevices off
chkconfig readahead_early off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig smartd off
chkconfig xfs off
chkconfig ip6tables off
chkconfig avahi-daemon off
chkconfig firstboot off
chkconfig yum-updatesd off
chkconfig sendmail off
chkconfig mcstrans off
chkconfig pcscd off
chkconfig bluetooth off
chkconfig hidd off

Now, I do use sendmail and smartd, so those I will keep.

But most of the other processes I do not recognize. Is there anything I should be careful about disabling?

Answer

Be careful using other people's "lists", as you may disable things you actually need.

Some obvious problems I see with that list are:

  • anacron makes sure cron jobs missed due to downtime get run when the system comes back up.
  • smartd monitors the health of your disks and can be set up to email you if a disk is failing (though since you have a hardware RAID, you should use the vendor-provided tool instead).
  • ip6tables is the IPv6 firewall... Really? Somebody advised turning off the firewall?!? This really blows their credibility to hell.
  • yum-updatesd provides automatic updates. If you don't want this, turn it off, though it is useful in some scenarios.

I also have to agree with @aairey's advice to do a minimal install. In CentOS 5, this requires the use of a kickstart file; CentOS 6 has a special minimal installation CD.
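One way to put the answer's advice into practice, added here as an example and not part of the answer: before running any of the vendor's `chkconfig ... off` lines, compare them against what is actually enabled on the host and against a keep list, and only emit commands for services that exist, are enabled at the runlevel in use, and are not on the keep list. The `chkconfig --list` sample, its runlevel states and the short proposed list are constructed for the example, not taken from the asker's server.

```shell
#!/bin/sh
# Cross-check a vendor "disable these services" list against what is
# actually enabled, and a keep list, before running anything.
# Constructed sample of `chkconfig --list` output (CentOS 5 SysV format);
# on a real host it would come from: chkconfig --list
CHKCONFIG_SAMPLE='anacron    0:off 1:off 2:on  3:on  4:on  5:on  6:off
apmd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth  0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups       0:off 1:off 2:off 3:off 4:off 5:off 6:off
ip6tables  0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendmail   0:off 1:off 2:on  3:on  4:on  5:on  6:off
smartd     0:off 1:off 2:on  3:on  4:on  5:on  6:off'
# Services to keep: the answer's objections plus what the asker already uses.
KEEP_LIST='anacron smartd ip6tables sendmail'
# Subset of the vendor list from the question (constructed for the example).
PROPOSED_LIST='anacron apmd bluetooth cups hidd ip6tables sendmail smartd'

# in_list WORD "w1 w2 ..." -> true if WORD is one of the words.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# review_list RUNLEVEL, with chkconfig output on stdin. Prints one line per
# proposed service: "keep", "absent", "already-off" or "disable".
review_list() {
    rl="$1"; chk="$(cat)"
    for svc in $PROPOSED_LIST; do
        if in_list "$svc" "$KEEP_LIST"; then
            echo "keep $svc"
        elif ! printf '%s\n' "$chk" | awk -v s="$svc" '$1 == s { f = 1 } END { exit !f }'; then
            echo "absent $svc"
        elif printf '%s\n' "$chk" | awk -v s="$svc" -v rl="$rl" \
                '$1 == s { for (i = 2; i <= NF; i++) if ($i == rl ":on") f = 1 } END { exit !f }'; then
            echo "disable $svc"
        else
            echo "already-off $svc"
        fi
    done
}

# disable_commands: turn "disable X" lines into the commands to review.
# Nothing here executes chkconfig; the output is for a human to read first.
disable_commands() {
    awk '$1 == "disable" { print "chkconfig " $2 " off" }'
}

printf '%s\n' "$CHKCONFIG_SAMPLE" | review_list 3
printf '%s\n' "$CHKCONFIG_SAMPLE" | review_list 3 | disable_commands
```

On a real host, replace the sample with `chkconfig --list | review_list 3` (or `5` if the box boots to a graphical runlevel) and read the `keep` and `absent` lines as carefully as the `disable` ones.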