Hello all,
I have been doing some searching for information about disabling services within a CentOS 5.5 install. I have found a few different opinions, and wanted to ask for some feedback.
First off, the system is running a LAMP stack to serve a web application. It will only be doing email to send occasional messages out (sent via the application only). It will not be receiving email for any users. It is an CentOS 5.5 (fully updated) install running under VMware (esx, I believe). We are not sharing directories via nfs or samba (either from or to this virtual machine).
From my research, the services that I am thinking of turning off are:
nfs (already off) nfslock portmap rpccgssd rpcidmapd rpcsvcgssd apcid apmd mdmpd mdmonitor
Is there any reason that I need to leave any of these services running? Are there others that I should disable as well?
Any feedback about this would be greatly appreciated. -- Doug
Registered Linux User #285548 (http://counter.li.org) ---------------------------------------- Never trust a computer you can't throw out a window. -- Steve Wozniak
Hello all,
I have been doing some searching for information about disabling services within a CentOS 5.5 install. I have found a few different opinions, and wanted to ask for some feedback.
No brainer.
First off, the system is running a LAMP stack to serve a web application. It will only be doing email to send occasional messages out (sent via the application only). It will not be receiving email for any users. It is an CentOS 5.5 (fully updated) install running under VMware (esx, I believe). We are not sharing directories via nfs or samba (either from or to this virtual machine).
From my research, the services that I am thinking of turning off are:
nfs (already off)
service nfs stop chkconfig nfs off
Same for others.
Oh, and if you don't really need it, turn *off* avahi-daemon, and the same for bluetooth, if you don't need it. Also, if you turn off the avahi-daemon, close the port opened in iptables (edit /etc/sysconfig/iptables and delete it, then restart iptables).
mark "in a *server* room? hardwired?"
Ski Dawg wrote:
From my research, the services that I am thinking of turning off are:
nfs (already off) nfslock portmap rpccgssd rpcidmapd rpcsvcgssd
all safe to shut off if you're not serving NFS, NIS, etc.
apci
power management. I believe you need acpid for things like screen saver.
apmd
apmd isn't even installed on my servers, probably only used on legacy pre-ACPI hardware.
mdmpd
multipath device monitoring, would be required if you have multipath disk IO, or ethernet, I believe.
mdmonitor
should be running if you use mdraid or any other device mapper kind of storage.
The following NSA document provides very good information on the secure configuration of Red Hat Enterprise Linux 5/CentOS 5.x:
Guide to the Secure Configuration of Red Hat Enterprise Linux 5 http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
It goes through almost all the services and gives you guidance on whether and how you should disable a service.
Mark, John, and Miguel,
Thank you for the information. I will take all of this into consideration with the rest of my research. I do appreciate your feedback and help.
www.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.1.pdf
contains very good paper how to harden centos/rhel installation.
-- Eero, RHCE
On Wed, Jun 16, 2010 at 5:06 PM, Ski Dawg centos@skidawg.org wrote:
Hello all,
I have been doing some searching for information about disabling services within a CentOS 5.5 install. I have found a few different opinions, and wanted to ask for some feedback.
First off, the system is running a LAMP stack to serve a web application. It will only be doing email to send occasional messages out (sent via the application only). It will not be receiving email for any users. It is an CentOS 5.5 (fully updated) install running under VMware (esx, I believe). We are not sharing directories via nfs or samba (either from or to this virtual machine).
From my research, the services that I am thinking of turning off are:
nfs (already off) nfslock portmap rpccgssd rpcidmapd rpcsvcgssd apcid apmd mdmpd mdmonitor
Is there any reason that I need to leave any of these services running? Are there others that I should disable as well?
Any feedback about this would be greatly appreciated.
Doug
Registered Linux User #285548 (http://counter.li.org)
Never trust a computer you can't throw out a window. -- Steve Wozniak _______________________________________________
For my VMware ESXi guests I always turn off the following
bluetooth hidd pcscd smartd
Ryan
-
Eero Volotinen -
John R Pierce -
m.roth@5-cent.us -
Miguel Medalha -
Ryan Wagoner -
Ski Dawg