LinuxQuestions.org


WhisperiN 12-01-2010 08:50 AM

Services that should be ON/OFF on a Web Server [Need Help]
 
Hello Fellows,

I've searched for such a topic, but I couldn't really find a good answer.

Thus, I aimed to start this topic to help myself and those who are wondering about the same thing.

Alright.. Here we go..

On a dedicated Linux server that is running as a web server, what are the services that should be kept OFF, and what are those that should be kept ON?

I tried my best to configure it well, but there are services that I don't really know about: are they important to keep ON, or should they be OFF?

Here is the list:

Services ON:

Code:

[root@centos] chkconfig --list | grep 3:on
crond          0:off  1:off  2:on    3:on    4:on    5:on    6:off
csf            0:off  1:off  2:on    3:on    4:on    5:on    6:off
gpm            0:off  1:off  2:on    3:on    4:on    5:on    6:off
haldaemon      0:off  1:off  2:off  3:on    4:on    5:on    6:off
httpd          0:off  1:off  2:off  3:on    4:off  5:off  6:off
iptables        0:off  1:off  2:on    3:on    4:on    5:on    6:off
kudzu          0:off  1:off  2:off  3:on    4:on    5:on    6:off
lfd            0:off  1:off  2:on    3:on    4:on    5:on    6:off
lm_sensors      0:off  1:off  2:on    3:on    4:on    5:on    6:off
lvm2-monitor    0:off  1:on    2:on    3:on    4:on    5:on    6:off
mcstrans        0:off  1:off  2:on    3:on    4:on    5:on    6:off
mdmonitor      0:off  1:off  2:on    3:on    4:on    5:on    6:off
messagebus      0:off  1:off  2:off  3:on    4:on    5:on    6:off
mysqld          0:off  1:off  2:off  3:on    4:off  5:off  6:off
netfs          0:off  1:off  2:off  3:on    4:on    5:on    6:off
network        0:off  1:off  2:on    3:on    4:on    5:on    6:off
rawdevices      0:off  1:off  2:off  3:on    4:on    5:on    6:off
restorecond    0:off  1:off  2:on    3:on    4:on    5:on    6:off
sshd            0:off  1:off  2:on    3:on    4:on    5:on    6:off
syslog          0:off  1:off  2:on    3:on    4:on    5:on    6:off
vsftpd          0:off  1:off  2:off  3:on    4:off  5:off  6:off

Those services in BOLD, I didn't really know what exactly they are for, and whether they should be kept on or not..!!

Services OFF:

Code:

[root@centos] chkconfig --list | grep 3:off
exim            0:off  1:off  2:off  3:off  4:off  5:off  6:off
ip6tables      0:off  1:off  2:off  3:off  4:off  5:off  6:off
mdmpd          0:off  1:off  2:off  3:off  4:off  5:off  6:off
multipathd      0:off  1:off  2:off  3:off  4:off  5:off  6:off
netconsole      0:off  1:off  2:off  3:off  4:off  5:off  6:off
netplugd        0:off  1:off  2:off  3:off  4:off  5:off  6:off
ntpd            0:off  1:off  2:off  3:off  4:off  5:off  6:off
rdisc          0:off  1:off  2:off  3:off  4:off  5:off  6:off
snmpd          0:off  1:off  2:off  3:off  4:off  5:off  6:off
snmptrapd      0:off  1:off  2:off  3:off  4:off  5:off  6:off
tcsd            0:off  1:off  2:off  3:off  4:off  5:off  6:off

Should any of those be ON ?!


Finally, I'd like to thank in advance anyone who shares his info and experience on this topic :)


-- Regards.. :)

stress_junkie 12-01-2010 09:01 AM

Here is some food for thought.
Quote:

Website administrators, on the other hand, should disable dynamic loading in their Apache module configurations.
http://news.techworld.com/security/1...e-than-feared/

However, doing that could disable features that you want to incorporate into your web site.

WhisperiN 12-03-2010 06:25 AM

Thanks for your addition.

Any more thoughts ?!

...

Thanks .. :)

prodev05 12-03-2010 06:59 AM

You are running a web server which has MySQL as its DB. Only the services below are required; the rest of them you can switch off. A few services like crond and gpm are OS-specific and not associated with the web server, so they depend on your choice. I have explained their use. You can decide whether you want them or not.

crond --> If you run any routine scripts to do some job, you need to switch on this service
gpm --> If you are going to use mouse in the text mode from the server, then you need gpm service
httpd --> Mandatory
mysqld --> Mandatory
network --> Mandatory
sshd --> If you want to connect to the server remotely over a secure connection, then you need to run this service.
iptables --> If your machine is on a public network, you should definitely switch on and configure this service.
exim --> Not required
ip6tables --> Not required
mdmpd --> Not required
multipathd --> Not required
netconsole --> Not required
netplugd --> Not required
ntpd --> Partially required if your web server/DB depends on the time.
rdisc --> Not required
snmpd --> Not required
snmptrapd --> Not required
tcsd --> Not required

The rest of the services are not required. Running unwanted services/open ports would put your system under attack/hacking.

After finishing the runlevel service customization, ensure that none of the switched-off services are running. Issue the command "service --status-all" to verify.

reg
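
The review described in the reply above can be scripted. This is an added example, not part of the original thread: it reads `chkconfig --list` output and prints every service enabled in a runlevel that is not on an allowlist. The function names and the allowlist (the services the reply marks as mandatory or conditionally needed) are assumptions to adjust per host.

```shell
#!/bin/sh
# Added example (not from the thread): flag services that are enabled in a
# runlevel but are not on an explicit allowlist.

# Hypothetical allowlist taken from the reply above; adjust it for your host.
ALLOWED="crond httpd iptables mysqld network sshd"

unexpected_services() {
    # $1 = runlevel to check (default 3)
    # $2 = space-separated allowlist (default $ALLOWED)
    # stdin = output of `chkconfig --list`
    awk -v rl="${1:-3}" -v allow="${2:-$ALLOWED}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            # Fields 2..NF look like "3:on"; report the service name once.
            for (i = 2; i <= NF; i++)
                if ($i == (rl ":on") && !($1 in ok)) { print $1; break }
        }'
}

# Constructed sample in the format shown in the first post.
sample_chkconfig() {
    cat <<'EOF'
crond          0:off  1:off  2:on   3:on   4:on   5:on   6:off
exim           0:off  1:off  2:off  3:off  4:off  5:off  6:off
gpm            0:off  1:off  2:on   3:on   4:on   5:on   6:off
httpd          0:off  1:off  2:off  3:on   4:off  5:off  6:off
kudzu          0:off  1:off  2:off  3:on   4:on   5:on   6:off
sshd           0:off  1:off  2:on   3:on   4:on   5:on   6:off
EOF
}

# On a live host: chkconfig --list | unexpected_services 3
sample_chkconfig | unexpected_services 3
```

`chkconfig <name> off` only changes what starts at boot, so a flagged service that is already running also needs `service <name> stop`.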

Linfan100 12-03-2010 09:52 AM

While it's a good idea to disable any unnecessary services on a server of any type, it's also pretty much mandatory that the system should be sitting behind a firewall. I see that iptables is running on your system, but it's still much better to operate the server behind a dedicated separate firewall, which I assume you're doing in this instance. If all your server will be doing is serving web pages, then port 80 tcp is all you'll need to have open on the Internet side. If you're running MySQL, you might need to check that your system isn't also running PHPMyAdmin in the background - this is a commonly exploited 'back-door' which some hackers use to infiltrate systems. Also make sure directory browsing is disabled in your Apache config, and it also might be an idea to set 'ServerSignature' to 'Off' and 'ServerTokens' to 'Prod' to prevent banner grabbing (a method hackers have of identifying the version of web server software you're running). As in most cases, it's not just the extra services which can prove a security risk but the configuration of the web server itself that can open you up to attack.
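
A check for the three Apache settings named in the post above, as an added example that is not part of the original thread. The function names and both sample configurations are constructed for illustration; on a real host, pass the path of your own httpd.conf as the argument.

```shell
#!/bin/sh
# Added example (not from the thread): report Apache settings that allow
# banner grabbing or directory browsing.

audit_httpd_conf() {
    # $1 = path to an Apache config file (reads stdin when omitted).
    # Prints one finding per line; no output means nothing was flagged.
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { d = tolower($1) }                      # directive names are case-insensitive
        d == "servertokens"    { tokens = tolower($2) }
        d == "serversignature" { sig = tolower($2) }
        d == "options" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                # "All" includes Indexes; "-Indexes" is the safe form.
                if (o == "indexes" || o == "+indexes" || o == "all")
                    print "line " NR ": directory listing enabled by " $i
            }
        }
        END {
            # Apache defaults: ServerTokens Full, ServerSignature Off.
            if (tokens != "prod" && tokens != "productonly")
                print "ServerTokens is " (tokens == "" ? "unset (default Full)" : tokens) ", expected Prod"
            if (sig != "" && sig != "off")
                print "ServerSignature is " sig ", expected Off"
        }' "${1:--}"
}

# Constructed sample: the weak settings the post warns about.
weak_conf() {
    cat <<'EOF'
ServerTokens OS
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF
}

# Constructed sample: the same file with the post's advice applied.
hardened_conf() {
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options FollowSymLinks
</Directory>
EOF
}

weak_conf | audit_httpd_conf
```

The check reads a single file and keeps the last value it sees for each directive, so included files and per-directory overrides need to be audited separately.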

