S 5.72 Deactivation of unnecessary network services
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
In order to disable all unnecessary network services on a Unix system, the following procedure must be applied:
There are two ways of starting network services on a Unix system: on demand via the inetd super-server, which is configured in the /etc/inetd.conf file, and at boot time via the start-up scripts located in /etc/rc.d/init.d and/or /etc/init.d. To disable an unnecessary service in /etc/inetd.conf, the respective line must be commented out with #; the change only takes effect once inetd has re-read its configuration file, which is triggered by sending it a SIGHUP (kill -HUP with the process ID of inetd) or by restarting it. In default installations, more services are normally configured than required, and these regularly include services that constitute a threat. Therefore, the number of enabled services should be kept as low as possible, i.e. only the services absolutely required on the respective system should be enabled (see also S 4.95 Minimal operating system and S 4.97 One service per server).
The services initiated by the start-up scripts are referenced via symbolic links from the subdirectories /etc/rcX.d or /etc/rc.d/rcX.d, where X is the run level in which the start-up script is invoked; links whose names begin with S start the service when that run level is entered. To disable an unnecessary service, its S link should be moved to a subdirectory rather than deleted, so that it can be restored if the service is required later. This must be done in every run level directory that contains an S link for the service. This may look as follows, for example:
cd /etc/rc3.d; mkdir .s; mv S85sendmail .s/
Which services are currently accepting connections can be verified with the netstat -a command (netstat -an suppresses name resolution and shows port numbers). After the changes, only the sockets of the required services should appear in the LISTEN state. Note that services started by inetd are shown as listening even though the server program itself is not running, because inetd holds the socket on their behalf; such entries therefore indicate that the corresponding line in /etc/inetd.conf is still active.
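The following script is an added example and not part of the original safeguard text. It applies the procedure described above (commenting out inetd.conf entries, moving unneeded S links aside, listing what remains) to a constructed copy of inetd.conf and rc3.d under a scratch directory, so it can be run without touching a live /etc. The scratch directory WORK, the sample file contents and the service names in the allow-lists are assumptions of the example; the functions harden_inetd and harden_rc act on whatever INETD_CONF and RC_DIR name. Both functions work as allow-lists: everything that is not explicitly required is disabled, which matches the principle of the safeguard.

```sh
#!/bin/sh
# Added example, not part of the original safeguard text.
# WORK, INETD_CONF, RC_DIR and the sample data below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
INETD_CONF="$WORK/inetd.conf"
RC_DIR="$WORK/rc3.d"

# Build constructed sample data resembling a default installation.
make_sample() {
    mkdir -p "$RC_DIR" "$WORK/init.d"
    cat > "$INETD_CONF" <<'EOF'
# <service> <socket> <proto> <wait/nowait> <user> <server> <args>
ftp      stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd -l
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger   stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
daytime  stream  tcp  nowait  root    internal
EOF
    for svc in network portmap sendmail; do
        printf '#!/bin/sh\n# constructed placeholder init script\n' > "$WORK/init.d/$svc"
    done
    ln -sf ../init.d/network  "$RC_DIR/S10network"
    ln -sf ../init.d/portmap  "$RC_DIR/S11portmap"
    ln -sf ../init.d/sendmail "$RC_DIR/S85sendmail"
}

# Print the service names of all active (uncommented) inetd.conf entries.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$INETD_CONF"
}

# Print the service names behind the S links of the run-level directory.
rc_enabled() {
    for link in "$RC_DIR"/S*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # glob matched nothing
        basename "$link" | sed 's/^S[0-9][0-9]//'
    done
}

# Comment out every inetd.conf entry whose service is not in the
# space-separated allow-list. Lines that are already comments are left
# untouched, so the function can be re-run without double-commenting.
harden_inetd() {
    awk -v allow=" $1 " '
        /^[ \t]*#/ || NF < 6          { print; next }   # comments, blank lines
        index(allow, " " $1 " ") > 0  { print; next }   # required service
        { print "#" $0 }                                # disable the rest
    ' "$INETD_CONF" > "$INETD_CONF.tmp" && mv "$INETD_CONF.tmp" "$INETD_CONF"
}

# Move every S link not in the allow-list into the hidden subdirectory .s,
# as in the mv example above, so that it can be put back if needed.
harden_rc() {
    allow=" $1 "
    mkdir -p "$RC_DIR/.s"
    for link in "$RC_DIR"/S*; do
        [ -L "$link" ] || [ -e "$link" ] || continue
        name=$(basename "$link" | sed 's/^S[0-9][0-9]//')
        case "$allow" in
            *" $name "*) ;;                     # required: keep the link
            *) mv "$link" "$RC_DIR/.s/" ;;      # not required: park it
        esac
    done
}

make_sample
echo "before: inetd=[$(inetd_enabled | tr '\n' ' ')] rc=[$(rc_enabled | tr '\n' ' ')]"
harden_inetd "ftp daytime"
harden_rc "network"
echo "after:  inetd=[$(inetd_enabled | tr '\n' ' ')] rc=[$(rc_enabled | tr '\n' ' ')]"
# On a live system inetd must then re-read its file: kill -HUP <pid of inetd>
```

On a real system, harden_rc has to be run once per run level directory (rc2.d, rc3.d, ...) that contains S links, and inetd must be sent a SIGHUP after harden_inetd so that the commented-out entries are actually dropped; the netstat check described above then confirms that no socket of a disabled service is still in the LISTEN state.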
Review questions:
- Have only the network services absolutely required on the system been enabled, both in /etc/inetd.conf and in the run level directories?
- Has it been verified with netstat after the changes that no socket of a disabled service is still in the LISTEN state?