7

I've recently installed a CentOS 5.3 machine which I'm locking down for server usage in a headless environment (no GUI will be used on the machine). The server will be used as a combined web- and database server.

I've disabled xfs and portmap since these will clearly not be needed on the machine.

Below is a chkconfig log which shows the services running on the machine.

Question: Beyond xfs and portmap - which of the services below would you consider disabling? Why?

```
chkconfig --list | grep 3:on

acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
mcstrans        0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
microcode_ctl   0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
readahead_early 0:off   1:off   2:on    3:on    4:on    5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off
```
knorv

5 Answers

5

The only things I'd be inclined to disable are yum-updatesd (since I'll run yum update manually when I need it, and probably scripted in cron), autofs, kudzu (since I assume your hardware is unlikely to change), and netfs (assuming you're not using NFS or the like). If performance is a big issue, it may be worth disabling auditd. Most of the others can be disabled, but in the interests of making admins' lives easier, I'd generally leave them running.

Cian
  • This is the best advice, when comparing the bunch. Referring to the provided services list, those are very reasonable recommendations. – J. M. Becker Aug 08 '12 at 17:04
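
An added example, not part of the original thread: a read-only review script that parses `chkconfig --list` output and prints the disable commands for the four candidates named in the answer above, but only if they are still enabled in the chosen runlevel. The function names and the sample listing are constructed for illustration (netfs is set to off in the sample to show a candidate being skipped).

```shell
#!/bin/sh
# Added example: review `chkconfig --list` output against the disable
# candidates named in the answer. Nothing is changed on the system; the
# script only prints commands an admin could run after reviewing them.

# Candidates taken from the answer: yum-updatesd, autofs, kudzu, netfs.
CANDIDATES="yum-updatesd autofs kudzu netfs"

# Constructed sample input: a subset of the listing in the question,
# with netfs switched off to show a candidate that needs no action.
sample_listing() {
cat <<'EOF'
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off
EOF
}

# Print the names of services enabled in runlevel $1 (listing on stdin).
enabled_in_runlevel() {
    awk -v rl="$1" '{ for (i = 2; i <= NF; i++) if ($i == rl ":on") print $1 }'
}

# Print the candidates that are still enabled in runlevel $1.
candidates_enabled() {
    enabled_in_runlevel "$1" | while read -r svc; do
        case " $CANDIDATES " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# Print one command line per candidate: disable at boot, then stop it now.
disable_plan() {
    candidates_enabled "$1" | while read -r svc; do
        echo "chkconfig $svc off && service $svc stop"
    done
}

# On a real host: chkconfig --list | disable_plan 3
sample_listing | disable_plan 3
```

Services outside the candidate list (crond, sshd and the rest) are never touched, which matches the answer's advice to leave most of them running.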
2

I'd disable all the services I don't normally use like anacron and netfs. If the server doesn't need firewall rules, iptables and ip6tables would be candidates to disable.

hdanniel
  • All? Really? (syslog, network, crond) iptables is your primary firewall... A bit draconian... ;-) – ForgeMan Aug 31 '09 at 00:48
  • Indeed, *anacron* is useless on a server. *crond* should be used on a server. – Cristian Ciupitu Aug 31 '09 at 00:55
  • `If the server doesn't need firewall` In predicate calculus, that statement is known as a "contradiction". When would you ever **not** need some kind of firewall, _especially_ on a server? Obviously, ingress filtering is a very important thing to have, but so is egress filtering (should your database user ever initiate connections to the outside world? No? Then log + block those connections. Same with webserver). And the fact that you don't normally manually interact with a service should by no means imply the service isn't vital to the system. Google what it's for, first, at a minimum. – Parthian Shot Jul 17 '14 at 19:45
2

Realistically, nothing on that list is likely to cause you performance problems, and if you turn it off, you're liable to try to enable something down the road and get bit because it was off. The general suggestion of "research them all and turn on only what you need" is a good one, but not exactly cost effective.

If you are concerned simply about performance and/or security, there are far more effective places to look.

easel
  • While I would agree with your assessment, "nothing on that list ...", I would not assume such is true across the board. As a 'Base' install is much larger than the absolute minimal core, with even Base unchecked, it's always important to look. For example base comes with services like 'Bluetooth', and 'Portmap', which if not required should ideally be disabled. – J. M. Becker Aug 08 '12 at 17:01
0

Maybe this article might be helpful for you - "Disable Unneeded Services at Boot Time" http://www.imminentweb.com/technologies/centos-disable-unneeded-services-boot-time

Binyamin
0

General suggestion would be to research each service and determine "exactly" what each service does (look into performance gains using hdparm, or what syslogd provides prior to disabling them). If a particular service proves to be useless in your particular setup, then disable it. Yet, use caution with the services you do decide to disable; several are important to day-to-day functionality. ;-)

ForgeMan