Apache Today [Your Apache News Source]
Your Daily Source for Apache News and Information  
Breaking News Preferences Contribute Triggers Link Us Search About
To internet.com

Apache HTTPD Links
The Apache Software Foundation
PHP Server Side Scripting
Apache Project
The Jakarta Project
Apache XML Project
The Apache FAQ
Apache-Perl Integration Project
Apache Module Registry
ApacheCon
Apache-Related Projects
The Java Apache Project

  internet.com

Internet News
Internet Investing
Internet Technology
Windows Internet Tech.
Linux/Open Source
Web Developer
ECommerce/Marketing
ISP Resources
ASP Resources
Wireless Internet
Downloads
Internet Resources
Internet Lists
International
EarthWeb
Career Resources

Search internet.com
Advertising Info
Corporate Info
Is your web server running unnecessary software?
Feb 20, 2001, 20 :45 UTC (8 Talkback[s]) (9049 reads) (Other stories by Jeremy C. Reed)

By Jeremy C. Reed

It is extremely simple and quick to install a BSD or Linux operating system with Apache and to start serving webpages. You can usually just boot from an installer CD, follow a few prompts and have a working system in less than an hour. And if your website is already designed and your domain name already points to your IP, a few minutes later your website can be up and running.

Because it is so easy to get started, people with no Unix or other relevant experience can moonlight as ISPs or host their own websites.

And since Apache and most Linux and BSD operating systems are so stable, you could probably just forget about the server and it'll still be running great a year later. (In fact, I have had past jobs where I know the actively-used servers are no longer maintained and continue to run great -- including one Debian Linux box with an uptime of 485 days and counting.) Of course, this is not a good idea and I'd never suggest that an administrator entirely ignore their servers.

Usually the default installations of popular Unix-like operating systems start up a bunch of useful, possibly useful and entirely unuseful programs all running in the background. (These are usually called daemons.) Or you may inherit a server that was installed and administered by someone else -- who may have installed other programs or never cleaned up the system.

You may find that your "web" server is running a print spooler, a mail server (which may be relaying spam), a console mouse handler, and a variety of other software. In fact, you may learn that your webserver -- which doesn't even have a video monitor anymore -- may be running a graphical windowing system.

Over time, your performance needs may change. And over time, more security exploits are found (and fixed). This article will quickly share some ideas on how beginning webserver administrators can improve server efficiency, ease management and, hopefully, improve security as well. It shares a few examples of processes that don't need to be running, required programs and some ideas for BSD and System V-type systems for disabling startup scripts. This article doesn't go into great detail, but will give the newbie administrator some basic ideas. Be sure to consult your operating system's documentation for further instructions.

What programs are running?

To find out what's currently running on your server, type "ps auxw" or "ps -ef". In the output, the right-most information will tell the names of the running processes. You may have a list of names like: sshd, init, kpiod, khubd, klogd, atd, crond, inetd, gpm, xfs, xdm, kflushd, kupdated, kpiod, kswapd, ippd, iprofd, portmap, syslogd, xinit, esd, sawmill, panel, gmc, grekllm, imwheel, xmms, mdrecoveryd, lockd, rpciod, rpc.statd, apmd, automount, lpd, papd, sendmail, afpd, pptpd, identd, randomd, numlock, autofs, keytable, named, snmpd, xinetd and X.

Hopefully, you don't have this many processes -- or maybe you have more. You may wonder "why does this matter?", "the memory and cpu usage is so low, so who cares?" or "if my distribution installed them by default, then it must be the best idea."

But in making your decision, you should think about how much time you have to dedicate to administering your server. Are you willing to test and verify each of these miscellaneous programs that are running? Will you actively follow security announcements or read about the software updates in regards to important security fixes? And will you be able to quickly pinpoint a future problem, if you have so many programs running?

Programs that you forget about, but are always running in the background may have security problems. For example, a malicious outsider may send requests to it to slow down your system. Or a program may have a hole, in which an intruder can exploit to compromise or logon to your system.

If your webserver is a dedicated for serving up webpages, then it needs to be cleaned up. In removing services, you have a few options, including disabling them from starting up, removing the executable files, or uninstalling the appropriate software packages.

What are all these programs?

So how do I know where to get started? What are all these programs? Over the past few years, I have logged on to a variety of different Unix-type boxes -- and I have encountered a huge variety of different running processes. I have to admit that I don't know what they all are or what they are needed for. So you may find it simpler to first decide on what is needed. Make a list of the programs running and start checking whether they are needed or not. This may take a little research. Some administrators are cavalier (or brave or lucky) and simply disable any unknown process.

You know you need apache or httpd. Plus you'll need init -- which is also called the "parent of all processes". init normally begins the system's multi-user operation. Also, init starts getty (or mingetty for example) for user logins. In addition, your particular kernel may start a variety of special system processes or threads. These are often shown in parentheses or brackets in the ps listing. This article will ignore these special processes -- so we won't try to find a way to disable them.

The next two important processes are cron and syslogd. cron is used to run scheduled jobs. For example, cron can be configured via crontab (or /etc/crontab) to start a variety of important system tasks, such as nightly security checks, generating website analysis reports, rotating old log files (so they don't become to large and unmanageable) and doing backups. cron is useful for executing programs to complete a task instead of having the particular program always running.

syslogd is daemon that listens for logging messages and usually logs this information to certain files (under /var/log/). Usually, Apache is configured to do its own logging, but syslogd is important for recording other system information, such as attempted logins, email activity and a wide variety of other information. The syslog daemon on your system may have another name, such as nsyslogd or syslogd-ng. Your system may also need to be running klogd, which is another logging daemon for kernel messages.

In addition, you'll need a way to login to the system. You already have getty running, but most likely it is configured for local console access. I'd suggest running sshd (running as a stand-alone daemon or invoked by a separate program). sshd is also useful for transferring files.

The rest of the constantly running programs are usually not needed. Some examples of some often-installed and running programs include inetd, atd, gpm (or moused), apmd, lpd, sendmail and portmap.

inetd -- often called the "super-server" -- listens for network connections and then starts the appropriate corresponding program as configured. There are a few similar programs that are often used as alternatives, such as xinetd and tcpserver. inetd is often used to listen for FTP, telnet and POP3 connections. By default, all three of these are insecure and are not needed for a dedicated webserver. (In addition, inetd can be used to provide simple services like time and echo.) inetd is usually not required -- and it is interesting to note that many operating systems include the inetd configuration file with nothing enabled (everything commented out). If you must use inetd (or similar program), be sure to disable everything that is not needed.

inetd is often also used to start identd. Or identd may run as a stand-alone service. Basically, identd (note this is identd not inetd) is used to return information (usually the username) of the user running the process that has a TCP/IP connection. Some believe that is needed to track down abuse, spam or to make better authentication; but, by default, identd is not secure, so its reporting may not be entirely reliable. Usually identd is considered to be not needed and I have successfully administrated a variety of webservers without any ident service.

atd is similar to cron, because it is also used to run scheduled jobs. Unless you specifically use the "at" capabilities, you don't need atd -- use cron instead.

gpm (or moused) is a program that allows you to use your mouse to cut and paste text on your console screen. This may be a handy feature, but is it really needed on a webserver? How often are you going to be sitting at the console and needing to use a mouse?

apmd is a daemon for use with an Advanced Power Management (APM) BIOS Interface-based system. If you're interested in your server going into standby or suspend modes or you need to monitor the battery usage, then use apmd. As you can tell, apmd is for laptops and or environment-friendly (or "green") machines; apmd is not needed for an always running webserver.

lpd is the line printer daemon -- basically it is for handling printer by managing spools (or queues). If you don't need a constantly, readily available printer for your webserver, then lpd shouldn't be running. If you do need to print out something, simply copy it to another computer or temporarily turn on lpd (make sure it is configured so outside computers can't access it).

Sendmail is a MTA -- a mail transfer agent. Some other popular MTAs include Exim, qmail and postfix. These MTAs can be used as a mail server to listen for incoming email and/or to relay email to another server. If your server is not providing email services -- or in other words, is not a mail server, then sendmail doesn't need to be always running. If improperly configured, sendmail can be abused; for example, spammers may be able to relay mail through your system. (Some admins run the MTA via inetd -- so another good reason to disable inetd.)

Do not remove the MTA -- your system will still need it to send out email. (But you should consider configuring it, so it can't listen to to the network.) Also, some admins believe that sendmail needs to be always running to manage the queue. Unless, you have some huge amount of email activity, use cron to have sendmail process its queue a few times a day. (This doesn't mean that it will only send mail a few times a day. sendmail will try to send the email when first invoked -- it will only queue it if it had a problem.)

portmap (or rpc.portmap) is a server that converts RPC program numbers to DARPA protocol port numbers. Huh? Basically, portmap is used to help with RPC-type services like NFS (Network File System). (rpcbind is similar to portmap). So, unless you use NFS, you probably don't need portmap running. You may have other processes running that provide RPC or NFS services (such as nfsd, rpc.mountd, rpc.nfsd, rpc.statd and rpc.lockd). Again if you don't use them, then they can be disabled.

Of course, there are numerous other programs that may be running. Some other examples of programs that aren't needed (and probably should be stopped) include xfs, fvwm, xinit and X.

If you use remote management tools (like webmin or Comanche), you may need to keep inetd or other daemons running to be able to use them. Be sure to also read the tool's documentation.

Use your manual pages, system documentation and search engines (like Google's Usenet Search) to learn more about any other daemons and to help you make a decision.

Disabling from starting up at boot time

The two common ways for programs to get started at boot time are via /etc/rc or the System V-type startup scripts. Usually, if you are running a BSD system it will begin with /etc/rc and most Linux-type systems use the scripts under /etc/init.d/ (or /etc/rc.d/init.d or some other similarly named directory). Or your system may start up programs using both: via /etc/rc and a variety of System V style rc scripts. (Also, some people may decide to start up programs with init as configured in /etc/inittab; but we will not discuss this method in this article.)

For example, on a Linux system, cron might be started via a /etc/init.d/cron script, Apache started by /etc/init.d/httpd, syslogd by /etc/init.d/syslogd and sshd started via a /etc/init.d/sshd script.

Basically, these System V scripts are ran via symlinks from a specific rc.d directory for the current System V runlevel. Linux systems have different tools for configuring which rc.d scripts are ran. Or you can configure it manually. There should be one directory that has all the actual startup scripts (for example, it may be at /etc/init.d/ or /etc/rc.d/rc.d). Then a few other directories for each runlevel (for example, they may be named like /etc/rc2.d or /etc/rc.d/rc2.d). The files in these directories are usually symlinks to the real scripts. The standard runlevels are usually 2, 3, 4 or 5. You may be able to find out your default runlevel on a Linux box by searching for "initdefault" in the /etc/inittab file.

To manually disable a startup script, simply delete the appropriate symlink. (Ignore the "S" or "K" and the number at the beginning of the symlink name.) Some tools for managing this include: update-rc.d and chkconfig. (Plus there are a few GUI equivalents.) For example, you can run "chkconfig --list" to view the current System V style init script settings. You can remove the lpd startup links with update-rc.d by doing "/usr/sbin/update-rc.d -f lpd remove". For futher information, (if these commands exist on your system) read the manual pages.

It is a lot simpler with just the plain /etc/rc script. Instead of having a variety of scripts to start numerous different programs, the programs are simply all just started via one script. Sometimes /etc/rc may call an additional script, /etc/rc.local, which may start other tasks. (And some systems that use /etc/rc may also use the /etc/rc.d/, System V-style scripts.) To disable a daemon at startup, simply comment out the lines that start it up in the /etc/rc script.

Some BSD systems may have a configuration file, like /etc/rc.conf which can be used instead of editing the /etc/rc file. For example, if it says "inetd=YES" and you want to disable it from starting when the system boots up, then simply change it to "inetd=NO".

Uninstalling unneeded software

You may also find your system easier to manage if you actually remove the unneeded or unused software. If your system is installed using software packages (i.e. BSD ports/packages collection, RPMs or Debian dpkg format), it would be a good idea to simply uninstall any unneeded packages. For example, on systems that use the .deb packaging format, you can uninstall gpm with "dpkg --remove gpm".

It is a lot harder to manually remove individual software. For example, you probably don't need any X servers or X clients, so you could remove them, for example, from /usr/X11R6/bin/. Some perfectionists strip their systems entirely clean removing every tool, configuration or program that is not needed. I don't believe you need to go this extreme.

It may take a while to figure out which software you don't need and then to make sure they aren't started at boot time. But even after you've configured them to not start, they may still be currently running. You may be able to stop them by running the appropriate System V-type script by using the "stop" command-line argument. (Note that you didn't previously remove these scripts; you just removed the symlinks.) For example, to stop sendmail, you can try: "/etc/rc.d/rc.d/sendmail stop". Of course, you can always use ps to find the PIDs and then use kill to stop them. (Or your system may have a killall command where you can use the process name as the argument.)

It is a good idea to test your system after you've made major changes to make sure the correct programs start at boot time -- and the other programs aren't started. You could test it by rebooting, or stopping everything and then running the appropriate rc script that starts everything again, or by using init to change between modes (or runlevels).

(I am curious about what other superfluous services are installed by default. And, I am interested in examples of compromised security due to unneeded services installed by default. Also, have you noticed any dramatic performance changes since uninstalling unneeded services? Share your comments below.)

  Current Newswire:
Great Bridge PostgreSQL 7.1 package announced

ApacheCon Dublin sessions listed

Apache Week issue 253 is out

ServerWatch: June 2001 Security Space Survey Results

zez.org: Security flaws in PHP

SECURITY: Bugtraq: Java servlet cross-site scripting vulnerability

mnoGoSearch 3.1.17 released

The June Netcraft Results are Out: Apache Gains Slightly in Market Share

GroupIT site-content engine previewed

Lineo Availix Vertical Clustering 1.0 Ships

 Talkback(s) Name  Date
  Great Aritcle!
Love the article... Nice to see more mention of BSD type systems.. ;)

You rock!   
  Feb 21, 2001, 01:55:47
  I shutdown processes all the time...
Especially after a fresh install for a server.

One of the things that kind of burns me about most Linux distros is the amount of attention needed to scan through every single package before it is installed. This tends to shy away some *nix newbies I have noticed.

Look at what you are running and then check with you distro's security updates and erratas. This will give you quick information about certain unknown processes that you may be running and whether or not you need to update them or shut them down / remove from rc.d/... .

Since this is dealing with webservers, you should probably touch on ftp servers such as wu-ftpd (security exploit waiting to happen) and proftpd (my personal fav); bringing to attention like making sure that they are updated and blah, blah, blah.

Updating Apache would be nice :)   
  Feb 21, 2001, 23:22:26
  Good one!
Thanks! I never knew what portmap was for... thanks for the good article!   
  Feb 22, 2001, 21:53:25
  Congratulations
Congratulations Jeremy C. Reed, this article is great, it's nice to see someone talking about BSD systems with a simple language, as you did on this article.   
  Feb 23, 2001, 20:34:53
  Nice article man
nice and very easy for us newbies,i didn't know what portmap was either hehe
and nice for mentioning BSD,it's very rare..

and uh the guy that said that scanning through the packages scare newbies of,this hasn't scared me in any way,what has scared me was all compiling thing since im used to already compiled bin's,but oh well,i managed to get over my fear and install openbsd :)   
  Feb 28, 2001, 22:06:59
  Apache Server for a home
Hej, I am a relative newbie to the whole PC,Server scenario although I am an IT professional coming from the roots of MVS & TSO (not similar?!).
I am wondering if there's a feint possibility that I could set up a server in my new home to serve tha family's rapidly growing IT demands... 3 IBM ThinkPads and a base PC with a printer and scanner. I'd like to set up a server to do the connections and have docking stations for the TPs, (THEN hopefully start playing Perl & XML). Is there a good guide that'll show me how to do this? It'd have to be at "Dummies guide..." or "Complete Idiots..." level though, preferably with pictures!
thanks in advance...
/Steve   
  Mar 1, 2001, 16:24:51
  Great help for new BSD users..
Excellent article, great for new *BSD users especially! :)   
  Mar 18, 2001, 20:36:33
  Yes, it's great !
Yes, I've waited it so long time. I learned many and many from your article!

thanks.   
  Mar 28, 2001, 17:49:45
Enter your comments below.
Your Name: Your Email Address:


Subject: CC: [will also send this talkback to an E-Mail address]
Comments:

See our talkback-policy for or guidelines on talkback content.

About Triggers Newsletters Media Kit Security Triggers Login


All times are recorded in UTC.
Linux is a trademark of Linus Torvalds.
Powered by Linux 2.2.12, Apache 1.3.9. and PHP 3.14
Copyright INT Media Group, Incorporated All Rights Reserved.
Legal Notices,  Licensing, Reprints, & Permissions,  Privacy Policy.
http://www.internet.com/