Tuning a "lean mixture" of services


What services you got??

Unix users often don't even know. We're talking about a) programs that are installed on your machine, whether they run or not, and b) programs that start, always and automatically, as part of the boot process. From a security point of view, it's desirable to minimize both to the fewest programs you actually need. That may mean taking an inventory of those your system has, deciding which ones you don't really need, and getting rid of them (either uninstalling them, or turning them off so they don't run automatically).

Installed services

Users who install linux themselves may allow their distribution's installer program (e.g., Fedora's Anaconda) to choose what programs to install. Most installers offer a "workstation or server" choice. Then the installer, not you, defines and installs the set of programs that it thinks fit the chosen role. Or, it may offer you "minimal" or "everything" options. Again, you don't select individual programs.

So what programs actually are installed on your machine? Well, programs land on your machine by either of 2 routes: from source code which you compile or by preconstructed package (tarball vs rpm in Fedora). The rpm programs are centrally recorded when installed, so at any time you can easily check what's been installed. The tarballs are not, so you can't. Find out what rpm-based packages (each contains a "program") have been installed:

rpm  -qa

What are all these programs? Can we figure out which ones we need? Choose any one of them and let rpm tell you what it is. For example:

rpm  -qi  firefox

You could generate this information for all the programs with something like:

for  item  in  $(rpm  -qa); do  rpm  -qi  $item;  echo;  done

This is time-consuming; let it go at least until its output starts to appear on the screen. You can interrupt it with a ctrl-z keystroke.

If you decide you really don't want one of these programs on your machine, you could remove it:

rpm  -e  mtx

A better strategy than retroactively removing packages you never wanted is not to install them in the first place. Keep this in mind the next time you install a linux system that demands security. The security connection is that if an intruder gains full control of your machine, he gains control of everything on it. Compilers and editors on the machine will help him build his own programs in place on your machine, usable to subvert it. File transfer clients and servers can help move his files onto your machine, or yours to his for leisurely analysis.

Auto-run services

Of greater interest and importance is the number of programs auto-launched at startup, especially those which are network services. Network service programs are designed to conduct interaction with outsiders. That's part of their job. They are often part of a security attack. Run them as you need them. But those you don't actually need shouldn't run so shouldn't be started.

How do we know what programs are auto-started on boot? There are those that start through the System V initialization mechanism, triggered by a dedicated startup script in /etc/rc.d/init.d. And another group, usually fewer, all started through a single program for that purpose, xinetd. The System V mechanism determines which programs to auto-run by keeping a directory of symbolic links (shortcuts) that all begin with either "K" or "S" and refer to individual programs or services. At boot time, it starts the programs whose shortcuts begin with "S". Checking your startup configuration this way works, but it's a little complicated and there's a command line utility named chkconfig that does the same thing.

chkconfig  --list  |  less

The output contains a lot of lines like:

dhcpd  0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd    0:off   1:off   2:off   3:on   4:off   5:off   6:off
xinetd   0:off   1:off   2:off   3:on   4:on   5:on   6:off

Then there's a section toward the bottom entitled "xinetd based services" followed by entries like:

rsh: off
rsync: off
swat: on
talk: off
telnet: on

If you determine the runlevel number to which your computer boots up (usually 3 or 5, and controlled in the file /etc/inittab's "initdefault" line), you can see for each program whether it will be auto-started. For runlevel 3 in the above example, httpd and xinetd will be started but dhcpd will not; in runlevel 5 xinetd will be started, but not httpd nor dhcpd. Then further, if xinetd starts, it in turn will start the other services listed in its section of chkconfig's output.
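The runlevel logic just described, worked through as an added example (not part of the original page): a small shell script that reads chkconfig-style output and an inittab-style "initdefault" line from constructed samples, and prints the services that would actually be auto-started at the boot runlevel, including the xinetd-based ones when xinetd itself is on at that runlevel. The sample text and the function names (boot_runlevel, auto_started, effective_services) are assumptions made for the example; on a real System V box you would feed the functions the live commands shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original page: decide which services will be
# auto-started at boot from chkconfig-style output plus the inittab initdefault.

# Constructed sample of "chkconfig --list" output (real chkconfig uses tabs;
# awk's default field splitting handles tabs or spaces alike).
SAMPLE_CHKCONFIG=$(cat <<'EOF'
dhcpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
httpd           0:off   1:off   2:off   3:on    4:off   5:off   6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

xinetd based services:
        rsh:    off
        rsync:  off
        swat:   on
        talk:   off
        telnet: on
EOF
)

# Constructed sample of the relevant /etc/inittab line.
SAMPLE_INITTAB='id:3:initdefault:'

# boot_runlevel: print the runlevel named on the initdefault line of the
# inittab-style text read from stdin (live use: boot_runlevel < /etc/inittab).
boot_runlevel() {
    awk -F: '$3 == "initdefault" { print $2; exit }'
}

# auto_started: given a runlevel as $1 and chkconfig-style text on stdin, print
# the services that start at that runlevel. xinetd-based services marked "on"
# are printed only if xinetd itself is on at that runlevel, since xinetd is
# what launches them (live use: chkconfig --list | auto_started 3).
auto_started() {
    awk -v rl="$1" '
        /^xinetd based services/ { in_xinetd = 1; next }
        in_xinetd {
            # lines like "telnet: on"; strip the trailing colon from the name
            sub(/:$/, "", $1)
            if ($2 == "on") xsvc[++n] = $1
            next
        }
        NF > 1 && $2 ~ /^[0-6]:/ {
            # lines like "httpd 0:off 1:off ... 6:off"
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == rl && kv[2] == "on") {
                    print $1
                    if ($1 == "xinetd") xinetd_on = 1
                }
            }
        }
        END {
            if (xinetd_on) for (i = 1; i <= n; i++) print xsvc[i]
        }
    '
}

# effective_services: combine both steps over the constructed samples.
effective_services() {
    _rl=$(printf '%s\n' "$SAMPLE_INITTAB" | boot_runlevel)
    printf '%s\n' "$SAMPLE_CHKCONFIG" | auto_started "$_rl"
}

# Stand-alone run: for the sample, runlevel 3 yields httpd, xinetd, swat, telnet.
effective_services
```

The point of the two-stage parse is the one the text makes: a line like "telnet: on" does not by itself mean telnet will be reachable; it is reachable only if xinetd is started in the runlevel you actually boot into, so the script reads the main section first and only then decides whether the xinetd section counts.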

If you chose the "install everything" option when installing Fedora, you'll see quite a few services that run upon startup. So many that probably you don't even know what most of them are. rpm can help here. First get a filtered list of all the services that start in your runlevel (3, I assume):

chkconfig  --list  |  grep  3:on

Now reduce that down to just the names by cutting out the first field:

chkconfig  --list  |  grep  3:on  |  cut  -f  1

Hand this list of programs off to rpm, which will then tell us about them. You might very well put this in a script. On the other hand, it's possible to squeeze it all into a loop on the command line. Press the enter key between info displays:

for item in $(chkconfig --list | grep 3:on | cut -f 1); do rpm -qif /etc/rc.d/init.d/$item; read; clear; done

Going through them all will be time-consuming, however you now have a concrete basis for judging which startups you can eliminate to make your system more spare and secure. (Interrupt with ctrl-C whenever you wish.) You could extend this into an interactive script to turn off those services you designate as you move through the list:

#!/bin/bash
# Walk the services that auto-start in $RUNLEVELS and offer to turn each off.
# Run as root: chkconfig needs to rewrite the S/K links in /etc/rc.d.
RUNLEVELS=3

for ITEM in $(chkconfig --list | grep "$RUNLEVELS:on" | cut -f 1)
do
  # Describe the package that owns this service's startup script.
  rpm -qif "/etc/rc.d/init.d/$ITEM"
  echo -ne "\nTurn auto-run off? (\"y\" to turn off): "; read CHOICE
  if [ "$CHOICE" = "y" ]; then
    chkconfig --level "$RUNLEVELS" "$ITEM" off
  fi
  clear
done

Identify some startup scripts which, from the description, you think are dispensable or undesirable and turn them off. For example, an action specific to Hewlett Packard printers or ISDN would be dispensable if you don't have an HP printer or ISDN.