Is your web server running unnecessary software?

Tuesday Feb 20th 2001 by Jeremy Reed

It is extremely simple and quick to install a BSD or Linux operating system with Apache and to start serving webpages. You can usually just boot from an installer CD, follow a few prompts and have a working system in less than an hour. And if your website is already designed and your domain name already points to your IP, a few minutes later your website can be up and running.

Because it is so easy to get started, people with no Unix or other relevant experience can moonlight as ISPs or host their own websites.

And since Apache and most Linux and BSD operating systems are so stable, you could probably just forget about the server and it'll still be running great a year later. (In fact, I have had past jobs where I know the actively-used servers are no longer maintained and continue to run great -- including one Debian Linux box with an uptime of 485 days and counting.) Of course, this is not a good idea and I'd never suggest that an administrator entirely ignore their servers.

Usually the default installations of popular Unix-like operating systems start up a bunch of useful, possibly useful and entirely unuseful programs all running in the background. (These are usually called daemons.) Or you may inherit a server that was installed and administered by someone else -- who may have installed other programs or never cleaned up the system.

You may find that your "web" server is running a print spooler, a mail server (which may be relaying spam), a console mouse handler, and a variety of other software. In fact, you may learn that your webserver -- which doesn't even have a video monitor anymore -- may be running a graphical windowing system.

Over time, your performance needs may change. And over time, more security exploits are found (and fixed). This article will quickly share some ideas on how beginning webserver administrators can improve server efficiency, ease management and, hopefully, improve security as well. It shares a few examples of processes that don't need to be running, required programs and some ideas for BSD and System V-type systems for disabling startup scripts. This article doesn't go into great detail, but will give the newbie administrator some basic ideas. Be sure to consult your operating system's documentation for further instructions.

What programs are running?

To find out what's currently running on your server, type "ps auxw" or "ps -ef". In the output, the right-most information will tell the names of the running processes. You may have a list of names like: sshd, init, kpiod, khubd, klogd, atd, crond, inetd, gpm, xfs, xdm, kflushd, kupdated, kpiod, kswapd, ippd, iprofd, portmap, syslogd, xinit, esd, sawmill, panel, gmc, grekllm, imwheel, xmms, mdrecoveryd, lockd, rpciod, rpc.statd, apmd, automount, lpd, papd, sendmail, afpd, pptpd, identd, randomd, numlock, autofs, keytable, named, snmpd, xinetd and X.

Hopefully, you don't have this many processes -- or maybe you have more. You may wonder "why does this matter?", "the memory and cpu usage is so low, so who cares?" or "if my distribution installed them by default, then it must be the best idea."

But in making your decision, you should think about how much time you have to dedicate to administering your server. Are you willing to test and verify each of these miscellaneous programs that are running? Will you actively follow security announcements or read about the software updates in regards to important security fixes? And will you be able to quickly pinpoint a future problem, if you have so many programs running?

Programs that you forget about, but that are always running in the background, may have security problems. For example, a malicious outsider may send requests to one of them to slow down your system. Or a program may have a hole which an intruder can exploit to compromise or log on to your system.

If your webserver is dedicated to serving up webpages, then it needs to be cleaned up. In removing services, you have a few options, including disabling them from starting up, removing the executable files, or uninstalling the appropriate software packages.

What are all these programs?

So how do I know where to get started? What are all these programs? Over the past few years, I have logged on to a variety of different Unix-type boxes -- and I have encountered a huge variety of different running processes. I have to admit that I don't know what they all are or what they are needed for. So you may find it simpler to first decide on what is needed. Make a list of the programs running and start checking whether they are needed or not. This may take a little research. Some administrators are cavalier (or brave or lucky) and simply disable any unknown process.

You know you need apache or httpd. Plus you'll need init -- which is also called the "parent of all processes". init normally begins the system's multi-user operation. Also, init starts getty (or mingetty for example) for user logins. In addition, your particular kernel may start a variety of special system processes or threads. These are often shown in parentheses or brackets in the ps listing. This article will ignore these special processes -- so we won't try to find a way to disable them.

The next two important processes are cron and syslogd. cron is used to run scheduled jobs. For example, cron can be configured via crontab (or /etc/crontab) to start a variety of important system tasks, such as nightly security checks, generating website analysis reports, rotating old log files (so they don't become too large and unmanageable) and doing backups. cron is useful for executing programs to complete a task instead of having the particular program always running.

syslogd is a daemon that listens for logging messages and usually logs this information to certain files (under /var/log/). Usually, Apache is configured to do its own logging, but syslogd is important for recording other system information, such as attempted logins, email activity and a wide variety of other information. The syslog daemon on your system may have another name, such as nsyslogd or syslog-ng. Your system may also need to be running klogd, which is another logging daemon for kernel messages.

In addition, you'll need a way to login to the system. You already have getty running, but most likely it is configured for local console access. I'd suggest running sshd (running as a stand-alone daemon or invoked by a separate program). sshd is also useful for transferring files.
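As an added example (not from the original article), the following script turns the list of required daemons above into an allowlist and compares it against "ps auxw" output, printing every other process name for review. The allowlist and the sample ps listing are constructed here; adjust the allowlist to your own system.

```shell
#!/bin/sh
# Added example: report processes that are not on the short list of daemons a
# dedicated web server needs (init, cron, syslogd/klogd, getty, sshd, httpd).
# ALLOWED is an assumed starting point, not an authoritative list.
ALLOWED="init cron crond syslogd klogd sshd httpd apache getty mingetty"

# Read "ps auxw"-style output on stdin and print each unexpected process name
# once, sorted. Kernel threads shown as [name] or (name) are ignored, as the
# article suggests, and the path and arguments are stripped from the command.
# Usage on a real host: ps auxw | unexpected_processes
unexpected_processes() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }     # skip the ps header line
        {
            cmd = $11                          # COMMAND column of "ps auxw"
            if (cmd == "") next
            c = substr(cmd, 1, 1)
            if (c == "[" || c == "(") next     # kernel threads: [kswapd], (pagedaemon)
            sub(/.*\//, "", cmd)               # /usr/sbin/sshd -> sshd
            sub(/:$/, "", cmd)                 # "sendmail: accepting connections"
            if (!(cmd in ok) && !seen[cmd]++) print cmd
        }' | sort
}

# Constructed sample of "ps auxw" output for demonstration (not a real host).
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1100 460 ? S Feb18 0:04 init
root 2 0.0 0.0 0 0 ? SW Feb18 0:00 [kflushd]
root 120 0.0 0.3 2100 900 ? S Feb18 0:00 /usr/sbin/sshd
root 130 0.0 0.2 1300 500 ? S Feb18 0:00 /usr/sbin/inetd
root 140 0.0 0.5 4100 1800 ? S Feb18 0:01 sendmail: accepting connections
daemon 150 0.0 0.2 1300 500 ? S Feb18 0:00 /usr/sbin/atd
root 160 0.0 0.2 1300 500 ? S Feb18 0:00 /usr/sbin/cron
root 170 0.0 0.1 1200 400 ? S Feb18 0:00 gpm -t ps/2
root 180 0.0 0.3 2000 800 ? S Feb18 0:00 syslogd -m 0
www 190 0.0 1.0 8000 3000 ? S Feb18 0:02 /usr/sbin/httpd
root 200 0.0 0.2 1500 600 ? S Feb18 0:00 portmap'

# Run against the sample; swap in "ps auxw |" on a live system.
printf '%s\n' "$SAMPLE_PS" | unexpected_processes
```

On the sample listing this prints atd, gpm, inetd, portmap and sendmail, which are exactly the daemons the next paragraphs discuss.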

The rest of the constantly running programs are usually not needed. Some examples of some often-installed and running programs include inetd, atd, gpm (or moused), apmd, lpd, sendmail and portmap.

inetd -- often called the "super-server" -- listens for network connections and then starts the appropriate corresponding program as configured. There are a few similar programs that are often used as alternatives, such as xinetd and tcpserver. inetd is often used to listen for FTP, telnet and POP3 connections. By default, all three of these are insecure and are not needed for a dedicated webserver. (In addition, inetd can be used to provide simple services like time and echo.) inetd is usually not required -- and it is interesting to note that many operating systems include the inetd configuration file with nothing enabled (everything commented out). If you must use inetd (or similar program), be sure to disable everything that is not needed.

inetd is often also used to start identd. Or identd may run as a stand-alone service. Basically, identd (note this is identd, not inetd) is used to return information (usually the username) about the user running the process that owns a TCP/IP connection. Some believe that it is needed to track down abuse or spam, or to make authentication better; but, by default, identd is not secure, so its reporting may not be entirely reliable. Usually identd is considered to be not needed, and I have successfully administered a variety of webservers without any ident service.

atd is similar to cron, because it is also used to run scheduled jobs. Unless you specifically use the "at" capabilities, you don't need atd -- use cron instead.

gpm (or moused) is a program that allows you to use your mouse to cut and paste text on your console screen. This may be a handy feature, but is it really needed on a webserver? How often are you going to be sitting at the console and needing to use a mouse?

apmd is a daemon for use with an Advanced Power Management (APM) BIOS Interface-based system. If you're interested in your server going into standby or suspend modes, or you need to monitor the battery usage, then use apmd. As you can tell, apmd is for laptops and/or environment-friendly (or "green") machines; apmd is not needed for an always-running webserver.

lpd is the line printer daemon -- basically it handles printing by managing spools (or queues). If you don't need a constantly, readily available printer for your webserver, then lpd shouldn't be running. If you do need to print out something, simply copy it to another computer or temporarily turn on lpd (make sure it is configured so outside computers can't access it).

Sendmail is an MTA -- a mail transfer agent. Some other popular MTAs include Exim, qmail and postfix. These MTAs can be used as a mail server to listen for incoming email and/or to relay email to another server. If your server is not providing email services -- or in other words, is not a mail server -- then sendmail doesn't need to be always running. If improperly configured, sendmail can be abused; for example, spammers may be able to relay mail through your system. (Some admins run the MTA via inetd -- so another good reason to disable inetd.)

Do not remove the MTA -- your system will still need it to send out email. (But you should consider configuring it so it doesn't listen on the network.) Also, some admins believe that sendmail needs to be always running to manage the queue. Unless you have some huge amount of email activity, use cron to have sendmail process its queue a few times a day. (This doesn't mean that it will only send mail a few times a day. sendmail will try to send the email when first invoked -- it will only queue it if it had a problem.)

portmap (or rpc.portmap) is a server that converts RPC program numbers to DARPA protocol port numbers. Huh? Basically, portmap is used to help with RPC-type services like NFS (Network File System). (rpcbind is similar to portmap.) So, unless you use NFS, you probably don't need portmap running. You may have other processes running that provide RPC or NFS services (such as nfsd, rpc.mountd, rpc.nfsd, rpc.statd and rpc.lockd). Again, if you don't use them, then they can be disabled.

Of course, there are numerous other programs that may be running. Some other examples of programs that aren't needed (and probably should be stopped) include xfs, fvwm, xinit and X.

If you use remote management tools (like webmin or Comanche), you may need to keep inetd or other daemons running to be able to use them. Be sure to also read the tool's documentation.

Use your manual pages, system documentation and search engines (like Google's Usenet Search) to learn more about any other daemons and to help you make a decision.

Disabling from starting up at boot time

The two common ways for programs to get started at boot time are via /etc/rc or the System V-type startup scripts. Usually, if you are running a BSD system it will begin with /etc/rc and most Linux-type systems use the scripts under /etc/init.d/ (or /etc/rc.d/init.d or some other similarly named directory). Or your system may start up programs using both: via /etc/rc and a variety of System V style rc scripts. (Also, some people may decide to start up programs with init as configured in /etc/inittab; but we will not discuss this method in this article.)

For example, on a Linux system, cron might be started via a /etc/init.d/cron script, Apache started by /etc/init.d/httpd, syslogd by /etc/init.d/syslogd and sshd started via a /etc/init.d/sshd script.

Basically, these System V scripts are run via symlinks from a specific rc.d directory for the current System V runlevel. Linux systems have different tools for configuring which rc.d scripts are run. Or you can configure it manually. There should be one directory that has all the actual startup scripts (for example, it may be at /etc/init.d/ or /etc/rc.d/rc.d). Then there are a few other directories, one for each runlevel (for example, they may be named like /etc/rc2.d or /etc/rc.d/rc2.d). The files in these directories are usually symlinks to the real scripts. The standard runlevels are usually 2, 3, 4 or 5. You may be able to find out your default runlevel on a Linux box by searching for "initdefault" in the /etc/inittab file.

To manually disable a startup script, simply delete the appropriate symlink. (Ignore the "S" or "K" and the number at the beginning of the symlink name.) Some tools for managing this include update-rc.d and chkconfig. (Plus there are a few GUI equivalents.) For example, you can run "chkconfig --list" to view the current System V style init script settings. You can remove the lpd startup links with update-rc.d by doing "/usr/sbin/update-rc.d -f lpd remove". For further information (if these commands exist on your system), read the manual pages.

It is a lot simpler with just the plain /etc/rc script. Instead of having a variety of scripts to start numerous different programs, the programs are simply all just started via one script. Sometimes /etc/rc may call an additional script, /etc/rc.local, which may start other tasks. (And some systems that use /etc/rc may also use the /etc/rc.d/, System V-style scripts.) To disable a daemon at startup, simply comment out the lines that start it up in the /etc/rc script.

Some BSD systems may have a configuration file, like /etc/rc.conf which can be used instead of editing the /etc/rc file. For example, if it says "inetd=YES" and you want to disable it from starting when the system boots up, then simply change it to "inetd=NO".
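As an added example (not from the original article), here are small shell helpers for both startup styles just described: one finds and removes the rc?.d symlinks for a System V service (leaving the real script in init.d so "stop" still works), and one flips a "name=YES" line to "name=NO" in a BSD-style rc.conf. The directory layout and rc.conf used at the end are constructed in a temporary directory, not taken from a real system.

```shell
#!/bin/sh
# Added example: disable a service for both startup styles discussed above.

# List the rc[0-6S].d symlinks for a System V init script.
# Usage: sysv_links /etc lpd
sysv_links() {
    base=$1; svc=$2
    for link in "$base"/rc[0-6S].d/[SK][0-9][0-9]"$svc"; do
        [ -L "$link" ] && echo "$link"
    done
}

# Remove those symlinks, which is what "update-rc.d -f SERVICE remove" does.
# The script itself stays in init.d, so "init.d/SERVICE stop" still works.
sysv_disable() {
    sysv_links "$1" "$2" | while read -r link; do rm -f "$link"; done
}

# In a BSD-style rc.conf, set KEY=VALUE, replacing an existing KEY= line or
# appending one. Other lines and comments are left untouched. KEY is assumed
# to be a plain daemon name (no regex metacharacters).
# Usage: rc_conf_set /etc/rc.conf inetd NO
rc_conf_set() {
    file=$1; key=$2; value=$3
    if grep -q "^$key=" "$file"; then
        sed "s/^$key=.*/$key=$value/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        echo "$key=$value" >> "$file"
    fi
}

# Constructed demonstration layout (a throwaway directory, not /etc).
demo=$(mktemp -d)
mkdir -p "$demo/init.d" "$demo/rc0.d" "$demo/rc2.d" "$demo/rc3.d"
printf '#!/bin/sh\necho "lpd $1"\n' > "$demo/init.d/lpd"
ln -s ../init.d/lpd "$demo/rc2.d/S20lpd"
ln -s ../init.d/lpd "$demo/rc3.d/S20lpd"
ln -s ../init.d/lpd "$demo/rc0.d/K80lpd"
printf 'sshd=YES\ninetd=YES\n' > "$demo/rc.conf"

echo "links before:"; sysv_links "$demo" lpd
sysv_disable "$demo" lpd
echo "links after:";  sysv_links "$demo" lpd
rc_conf_set "$demo/rc.conf" inetd NO
cat "$demo/rc.conf"
```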

Uninstalling unneeded software

You may also find your system easier to manage if you actually remove the unneeded or unused software. If your system is installed using software packages (e.g. the BSD ports/packages collection, RPMs or Debian dpkg format), it would be a good idea to simply uninstall any unneeded packages. For example, on systems that use the .deb packaging format, you can uninstall gpm with "dpkg --remove gpm".

It is a lot harder to manually remove individual software. For example, you probably don't need any X servers or X clients, so you could remove them, for example, from /usr/X11R6/bin/. Some perfectionists strip their systems entirely clean removing every tool, configuration or program that is not needed. I don't believe you need to go this extreme.

It may take a while to figure out which software you don't need and then to make sure they aren't started at boot time. But even after you've configured them to not start, they may still be currently running. You may be able to stop them by running the appropriate System V-type script by using the "stop" command-line argument. (Note that you didn't previously remove these scripts; you just removed the symlinks.) For example, to stop sendmail, you can try: "/etc/rc.d/rc.d/sendmail stop". Of course, you can always use ps to find the PIDs and then use kill to stop them. (Or your system may have a killall command where you can use the process name as the argument.)

It is a good idea to test your system after you've made major changes to make sure the correct programs start at boot time -- and the other programs aren't started. You could test it by rebooting, or stopping everything and then running the appropriate rc script that starts everything again, or by using init to change between modes (or runlevels).

(I am curious about what other superfluous services are installed by default. And, I am interested in examples of compromised security due to unneeded services installed by default. Also, have you noticed any dramatic performance changes since uninstalling unneeded services? Share your comments below.)

Copyright 2017 © QuinStreet Inc. All Rights Reserved