Disabling Unused Services to Reduce Attack Surface

Disabling Unused Services to Reduce Attack Surface

Every running service is a potential entry point for attackers. Disable anything you don't need.

List All Running Services

systemctl list-units --type=service --state=running

Check What Is Listening on the Network

ss -tulpn

Look for services listening on 0.0.0.0 (all interfaces) that should only be accessible locally.

Common Services to Evaluate

  • avahi-daemon: mDNS — rarely needed on a server. Disable: systemctl disable avahi-daemon
  • cups: Printing — not needed on a server. apt purge cups -y
  • rpcbind: NFS RPC — disable if not using NFS. systemctl disable rpcbind
  • snapd: Snap package manager — remove if not using snaps. apt purge snapd -y
  • bluetooth: systemctl disable bluetooth

Restrict MySQL to Localhost

Edit /etc/mysql/mariadb.conf.d/50-server.cnf:

bind-address = 127.0.0.1

This prevents MySQL from listening on the public network.

Restrict Redis to Localhost

Edit /etc/redis/redis.conf:

bind 127.0.0.1

Remove Unused Packages

apt purge telnet rsh-client rsh-server ftp -y
apt autoremove -y

Audit After Changes

ss -tulpn   # Verify open ports reduced
ufw status  # Confirm firewall rules still make sense
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Securing SSH Access

Securing SSH Access SSH is the main entry point to your server. Hardening it is one of the most...

Setting Up a Firewall with UFW

Setting Up a Firewall with UFW UFW (Uncomplicated Firewall) makes managing firewall rules...

Installing Fail2Ban to Prevent Brute Force Attacks

Installing Fail2Ban Fail2Ban monitors your log files and automatically bans IP addresses that...

Setting Up Let's Encrypt SSL Certificates

Setting Up Let's Encrypt SSL Certificates Let's Encrypt provides free, trusted SSL certificates....

Scanning for Rootkits with rkhunter and chkrootkit

Scanning for Rootkits Rootkits are malware that hide from standard detection tools. Two widely...