LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices



Reply
 
Search this Thread
Old 12-01-2010, 08:50 AM   #1
WhisperiN
Member
 
Registered: Jun 2009
Location: Middle East
Distribution: Slackware 13.1, CentOS 5.5
Posts: 137

Rep: Reputation: 17
Services that should be ON/OFF on a Web Server [Need Help]


Hello Fellows,

I've searched for such topic, but I couldn't really find some good answer.

Thus, I aimed to start this topic to help my self and those who are wondering about the same thing.

Alright.. Here we go..

On a Dedicated Linux server, that is running as a Web Server, what are the services that should be kept OFF, and what are those that should be kept ON.

I tried my best to configure the best, but there are services that I don't really know about them.. are they important to be on, or should be OFF.

Here is the list:

Services ON:

Code:
[root@centos] chkconfig --list | grep 3:on
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
csf             0:off   1:off   2:on    3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
lfd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
lm_sensors      0:off   1:off   2:on    3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mcstrans        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
mysqld          0:off   1:off   2:off   3:on    4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
vsftpd          0:off   1:off   2:off   3:on    4:off   5:off   6:off
Those services in BOLD, I didn't really know what are they exactly for, and should they be kept on or not..!!

Services OFF:

Code:
[root@centos] chkconfig --list | grep 3:off
exim            0:off   1:off   2:off   3:off   4:off   5:off   6:off
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
mdmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
multipathd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netplugd        0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmptrapd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
tcsd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
Should any of those be ON ?!


Finally, I'd like to thank in advance any one who shares his info and experience on this topic


-- Regards..
 
Old 12-01-2010, 09:01 AM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
Here is some food for thought.
Quote:
Website administrators, on the other hand, should disable dynamic loading in their Apache module configurations.
http://news.techworld.com/security/1...e-than-feared/

However, doing that could disable features that you want to incorporate into your web site.
 
Old 12-03-2010, 06:25 AM   #3
WhisperiN
Member
 
Registered: Jun 2009
Location: Middle East
Distribution: Slackware 13.1, CentOS 5.5
Posts: 137

Original Poster
Rep: Reputation: 17
Thanks for you addition.

Any more thoughts ?!

...

Thanks ..
 
Old 12-03-2010, 06:59 AM   #4
prodev05
Member
 
Registered: Jul 2009
Location: Earth
Distribution: Unix & Linux Variants
Posts: 304

Rep: Reputation: 20
You are running a WEB Server which is having MySQL as its DB. Only the below service is required rest of them you can switch off. And few services like crond and gpm are OS specific which is not associated with the webserver, so its dependent on your choice. I have explained the used. you can decide whether you want it or not.

crond --> If you run any routine scripts to do some job, you need to switch on this service
gpm --> If you are going to use mouse in the text mode from the server, then you need gpm service
httpd --> Mandatory
mysqld --> Mandatory
network --> Mandatory
sshd --> If you want to connect the server from remote with secure connection. Then you need to run this service.
iptables --> If your machine is in public network, definitely you should switch on and configure this services.
exim --> Not required
ip6tables --> Not required
mdmpd --> Not required
multipathd --> Not required
netconsole --> Not required
netplugd --> Not required
ntpd --> Partially required if you WEB Server/DB depends on the time.
rdisc --> Not required
snmpd --> Not required
snmptrapd --> Not required
tcsd --> Not required

Rest of the services are not required. Running unwanted service/opened port would cause you system under attack/hacking.

After finishing the runlevel service customization, ensure all the switch off'ed service is not running. Issue the command " service --status-all" to verify.

reg
 
Old 12-03-2010, 09:52 AM   #5
Linfan100
LQ Newbie
 
Registered: Jul 2008
Posts: 4

Rep: Reputation: 0
While it's a good idea to disable any unnecessary services on a server of any type, it's also pretty much mandatory that the system should be sitting behind a firewall. I see that iptables is running on your system but it's still much better to operate the server behind a dedicated separate firewall, which I assume you're doing in this instance. If all your server will be doing is serving web pages, then port 80 tcp is all you'll need to have open on the Internet side. You might need to check to make sure if you're running MySQL that your system isn't also running PHPMyAdmin in the background - this is a commonly exploited 'back-door' which some hackers use to infiltrate systems. Also make sure directory browsing is disabled in your Apache config and it also might be an idea to set 'ServerSignature' to 'Off' and 'ServerTokens' to 'Prod' to prevent banner grabbing (a method hackers have of identifying the version of web server software you're running). As in most cases, it not just the extra services which can prove a security risk but the configuration of the web server itself that can open you up to attack.
 
  


Reply

Tags
security, services, webserver


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Mail server on Amazon Web services? Possible? linuxlover.chaitanya Linux - Newbie 9 03-12-2010 01:47 AM
web services jkeertir Linux - Newbie 2 08-27-2009 03:50 AM
LXer: Create Web services with Ruby on Rails and Action Web Service LXer Syndicated Linux News 0 11-05-2008 07:00 PM
Web services in PHP bahadur Programming 4 06-07-2006 08:34 AM
web hosting services shadz General 2 01-16-2005 11:01 AM


All times are GMT -5. The time now is 06:31 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration