Securing a Linux desktop part 1: removing unwanted services

by admin

Rationale


There are several approaches to securing a software platform such as a desktop computer. I like to follow this sequence when I try to get better security in place:


  1. reduce the attack surface

  2. have more than one mitigation in place against a certain attack

  3. patch and upgrade

  4. try to add defenses when new types of threats arise


Reduce the attack surface


This is actually a very simple principle: if your desktop does not use wireless connections, then it cannot be attacked over a wireless network. In practice it becomes a little more difficult, because there are many programs you want or need on your desktop, and each of them is a possible target for an attacker. On a Linux system a lot of services run in the background (the same goes for Windows and Mac OS), and some of these you do not really need. By removing them you reduce the number of potential targets.


Some of these services are started when you boot your computer. It is possible that you need one of them, but not all the time (e.g. a wireless network connection is only needed when you do not have access to a network cable). Such services will not be removed, but they can be stopped and started manually when they are needed. This reduces the window of time an attacker has to attack them.


Additional benefits


By removing services from your system you gain some benefits other than a smaller attack surface, such as a faster boot time and a slightly faster machine. Every service that gets removed no longer needs to be started at boot, and while your desktop is running it no longer uses CPU and RAM. On a modern machine the gain might not be noticeable, though.


Prerequisites


Since I'm going to fiddle with the services and daemons running on my system, I run the risk of ruining it, certainly since I do not know what each and every running service does. By installing the same setup my desktop has in a virtual machine I can safely play with the services without much risk. It is important to have the same software packages installed in the virtual environment, since some packages make use of services or run services of their own.


Getting the list of services started at boot time


In Linux this is quite easy: open a terminal and type 'systemd-analyze' to see how long your system needed to boot. The same command with the parameter 'blame' gives you a list of all services started and their start-up times. Since we are not interested in reducing boot time (that is just a nice side effect of increasing our security), I ordered the list alphabetically.
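As an added example (not from the original post), the following POSIX shell functions take the output of 'systemd-analyze blame', convert each start-up time to whole milliseconds and print the units sorted by name, so the list can be saved before a change and compared after the reboot. The blame lines embedded in SAMPLE_BLAME are constructed for the example, not taken from the author's machine.

```shell
#!/bin/sh
# Constructed sample of 'systemd-analyze blame' output (not real data).
SAMPLE_BLAME='  2.310s udev-settle.service
  1.024s NetworkManager.service
   612ms abrt-ccpp.service
   480ms avahi-daemon.service
 1min 2.5s fedora-wait-storage.service
   133ms dbus.service'

# to_ms: convert a blame duration such as "2.310s", "612ms" or "1min 2.5s"
# (passed as separate arguments) to whole milliseconds.
to_ms() {
    echo "$*" | awk '{
        ms = 0
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t ~ /min$/)     { sub(/min$/, "", t); ms += t * 60000 }
            else if (t ~ /ms$/) { sub(/ms$/, "", t);  ms += t }
            else if (t ~ /us$/) { sub(/us$/, "", t);  ms += t / 1000 }
            else if (t ~ /s$/)  { sub(/s$/, "", t);   ms += t * 1000 }
        }
        printf "%d\n", ms + 0.5
    }'
}

# sort_blame: read blame output on stdin and print "unit<TAB>milliseconds",
# one per line, sorted by unit name (case folded) instead of by time.
sort_blame() {
    while read -r line; do
        [ -z "$line" ] && continue
        unit=${line##* }          # the last field is the unit name
        dur=${line% "$unit"}      # everything before it is the duration
        printf '%s\t%s\n' "$unit" "$(to_ms $dur)"
    done | LC_ALL=C sort -f
}

# Usage on a real system:  systemd-analyze blame | sort_blame > boot-before.txt
```

Saving one listing before the change and one after the reboot lets you diff the two files instead of eyeballing the blame output, which makes the "check that the service is really gone" step of the procedure mechanical.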


Removal procedure


Now we need to decide which services we are going to remove. In order to make this decision we need to determine exactly what each service does and why it would be needed on our system.


The procedure goes as follows:

  1. get the first service from the list

  2. find out what the service does

  3. do you need this service at all?

  4. do you need it started at boot time or can you start it when actually needed?

  5. if the service is removed or changed to start manually, reboot and check that everything still works

  6. check the service off the list and go back to step 1


To find out what a service does you can simply search the internet or use the command 'systemctl status service', where service is the name of the service (including the .service suffix).


I'll illustrate this with an example: the first service in my list is abrt-ccpp.service. According to the internet it is part of the Automated Bug Reporting Tool. I do not need this service; if I find a bug in Fedora I can always report it manually. This service can be removed.


Removing this service is easy: in a terminal use the command 'sudo chkconfig abrt-ccpp off'. Note that you have to drop the '.service' suffix or the command will fail.


In the case of the abrt-ccpp service my research also showed that there are two other services related to the automated bug reporting tool (abrt-oops and abrtd), so I cheated the procedure a bit and removed them in the same iteration.


After rebooting I checked systemd-analyze and my boot time was one second faster than before. I also checked the blame list to make sure the services were actually gone from the boot sequence. I then made a quick check to see if all my programs were still working.


My list of services


After going through this procedure until all services were checked I ended up with the list shown at the bottom of this article. I added a column describing the purpose of each service as well as the result of the investigation into whether I needed it or not.

 

A special note on the ip6tables service: by removing this service I removed the firewall from all IPv6 connections on my system. The reason I did this is that I completely disabled the IPv6 stack on my system; I do not need IPv6 at my workplace nor at home. Since IPv6 differs so much from IPv4, and since I'm not an expert in IPv6 security, I opted not to use it at all. This is a good practice should you ever visit a conference or use free wifi in public places.

A good article on removing IPv6 from your system and some of the security concerns can be found here.


There were some services I disabled by linking their unit files to /dev/null, using the following commands:

ln -s /dev/null /etc/systemd/system/udev-settle.service

ln -s /dev/null /etc/systemd/system/fedora-wait-storage.service

ln -s /dev/null /etc/systemd/system/fedora-storage-init.service

ln -s /dev/null /etc/systemd/system/fedora-storage-init-late.service
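To tie the removal procedure and the commands above together, here is an added example (my own, not the author's) that reads a services list in the 'name | purpose | result' shape used at the bottom of this article and prints, without running them, the systemctl commands that implement each result: 'removed' becomes disable plus mask (systemctl mask creates the same /etc/systemd/system/<unit> -> /dev/null symlink that the ln -s commands above create by hand), 'start when needed' becomes disable only, so the unit stays available for manual starting, and 'start at boot' needs no action. A second function checks a post-reboot blame list for removed units that still start. The four-row SERVICES_LIST is a constructed sample, not the author's full table.

```shell
#!/bin/sh
# Constructed sample in the "name | purpose | result" shape of the article's list
# (four rows only, not the author's full table).
SERVICES_LIST='abrt-ccpp | Automated Bug Reporting Tool | removed
cups | Network printing services | start when needed
dbus | Software communication protocol | start at boot
udev-settle | I do not use RAID or LVM | removed'

# plan_actions: read the list on stdin and print one systemctl command per line.
# Nothing is executed here; the output is a plan to review before running it as root.
#   removed           -> disable, then mask (mask links the unit to /dev/null,
#                        exactly what the manual ln -s /dev/null commands do)
#   start when needed -> disable only, so the unit can still be started by hand
#   start at boot     -> no action
plan_actions() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF >= 3 {
            unit = trim($1); result = trim($NF)
            if (result == "removed") {
                printf "systemctl disable %s.service\n", unit
                printf "systemctl mask %s.service\n", unit
            } else if (result == "start when needed") {
                printf "systemctl disable %s.service\n", unit
            } else if (result != "start at boot") {
                printf "echo \"unknown result for %s: %s\" >&2\n", unit, result
            }
        }'
}

# removed_units: read the list on stdin and print the unit names marked "removed"
# with their .service suffix, as they appear in systemd-analyze blame.
removed_units() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF >= 3 && trim($NF) == "removed" { print trim($1) ".service" }'
}

# verify_removed: $1 = services list, $2 = unit names from a post-reboot
# "systemd-analyze blame" (one per line). Prints every unit marked removed that
# still appears in the boot sequence; returns 1 if any is left, 0 otherwise.
verify_removed() {
    leftovers=$(printf '%s\n' "$1" | removed_units | while read -r u; do
        if printf '%s\n' "$2" | grep -qxF "$u"; then
            printf '%s\n' "$u"
        fi
    done)
    [ -z "$leftovers" ] && return 0
    printf '%s\n' "$leftovers"
    return 1
}

# Usage on the virtual machine first, then on the real desktop:
#   printf '%s\n' "$SERVICES_LIST" | plan_actions > plan.sh   # read plan.sh before running it
#   sudo sh plan.sh && sudo reboot
#   verify_removed "$SERVICES_LIST" "$(systemd-analyze blame | awk '{print $NF}')"
```

Keeping the decision table as the single input means the plan, the verification and the documentation of why each service was removed all come from the same file, which is what makes the procedure repeatable on the next machine.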

 

Some final thoughts

 

I have removed no fewer than 21 services from my boot sequence and made my machine a little bit more secure. It was not without risks: removing services can crash your machine if you are not careful, but it is certainly worth the effort.

 

Services list

 


Name | Purpose | Result
abrt-ccpp | Automated Bug Reporting Tool | removed
abrt-oops | Automated Bug Reporting Tool | removed
abrtd | Automated Bug Reporting Tool | removed
accounts-daemon | Accounts service | start at boot
auditd | Logs to a separate log file; if removed, logs go to syslog | removed
avahi-daemon | mDNS/DNS-SD daemon implementing Apple's ZeroConf architecture | removed
boot.mount | Mounts /boot and is needed | start at boot
console-kit-daemon | Console manager | start at boot
console-kit-log-system-start | Console manager startup logging | start at boot
cpuspeed | Throttles your CPU runtime frequency to save power | start at boot
cups | Network printing services | start when needed
dbus | Software communication protocol | start at boot
fedora-autoswap | Enables swap partitions | start at boot
fedora-readonly | Configures read-only root support | start at boot
fedora-storage-init-late | I don't use RAID or LVM so I do not need this | removed
fedora-storage-init | I don't use RAID or LVM so I do not need this | removed
fedora-sysinit-hack | | start at boot
fedora-sysinit-unhack | | start at boot
fedora-wait-storage | I don't use RAID or LVM so I do not need this | removed
hwclock-load | System clock UTC offset | start at boot
ip6tables | Firewall | removed
iptables | Firewall | start at boot
irqbalance | Needed for multicore CPUs | start at boot
iscsi | I don't have iSCSI | removed
iscsid | I don't have iSCSI | removed
livesys-late | Live CD leftover | removed
livesys | Live CD leftover | removed
lldpad | Needed for Fibre Channel over Ethernet, which I don't have | removed
lvm2-monitor | I don't use RAID or LVM so I do not need this | removed
mcelog | Logs machine check, memory and CPU hardware errors | start at boot
mdmonitor | Software RAID | removed
media.mount | | start at boot
netfs | Mounts network file systems; I need this but others might not | start at boot
NetworkManager | Networking | start at boot
portreserve | I only had cups in here and since I removed that I can remove this | removed
rc-local | Needed in the boot and shutdown processes | start at boot
remount-rootfs | | start at boot
rsyslog | System logging | start at boot
rtkit-daemon | Realtime Policy and Watchdog Daemon | start at boot
sandbox | Used by SELinux | start at boot
sendmail | I use Thunderbird so I do not need this | removed
smolt | Monthly information sent to Fedora to assist developers | removed
systemd-readahead-collect | Faster boot | start at boot
systemd-remount-api-vfs | | start at boot
systemd-sysctl | | start at boot
systemd-tmpfiles-setup | Prepares /tmp | start at boot
systemd-user-sessions | | start at boot
systemd-vconsole-setup | | start at boot
udev-settle | I don't use RAID or LVM so I do not need this | removed
udev-trigger | Device management | start at boot
udev | Device management | start at boot

