Hardening Debian - Minimum Service Running

Before connecting a Debian system to a network, ensure that only the services and daemons that are actually needed are running. Otherwise, the system is open to attack. This section guides you through reducing services and daemons to the minimum.

Identified Threats

Here is the list of identified threats.

(T-10) RPC Portmapper Installed Open For Access by Default

By default, RPC is installed as a dependency of other packages. It is not configured securely and is open to external access.

(T-11) inetd, xinetd, rlinetd, openbsd-inetd or similar Open for Access by Default

By default, many inetd services are already dealt with because they are not installed. However, if any of these services is installed, its access must be configured safely.

(T-12) Unused Daemons or Services Open to Intrusion

By default, many unattended daemon services are already dealt with because they are not installed. However, if any of these services is installed, its access must be configured safely.

Actions Required

These are the available countermeasures.

Uninstall Unused Daemon Services

The first step is to identify all unused daemon services and uninstall them whenever possible. This reduces the number of entry points to the lowest possible.

Disable Daemon Services

If it is absolutely necessary to keep a daemon service installed, disable the unused ones with the following command:

$ update-rc.d name stop XX 2 3 4 5 .

Block Daemon Services with a Firewall

If neither of the above is possible, the final option is to set up a local firewall (iptables, ufw, etc.) and block all ports. Then whitelist the necessary ports one at a time.
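
To decide which services still need one of the three actions above, list the listeners that are reachable from the network and compare them against an allowlist. The script below is an added example, not part of the original guide; it assumes the iproute2 ss tool, and the function names, the allowlist format and the sample input are constructed for illustration.

```shell
# Added example: report network-reachable listeners that are not on an allowlist.
# stdin: lines in the format printed by `ss -H -tuln` (iproute2).
# $1:    space-separated allowlist of "proto/port" entries, e.g. "tcp/22".
exposed_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        proto = $1; la = $5                        # field 5 is Local Address:Port
        port = la; sub(/.*:/, "", port)            # text after the last colon
        addr = la; sub(/:[^:]*$/, "", addr)        # text before the last colon
        sub(/%.*$/, "", addr)                      # drop interface suffix such as %lo
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not reachable externally
        key = proto "/" port
        if (!(key in ok)) print key, addr          # candidate to uninstall, disable or firewall
    }' | sort -u
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
# Port 111 is the RPC portmapper from T-10, bound to all interfaces.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      20         127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      100            [::1]:631          [::]:*
EOF
}

# Demo on the sample; on a live host run:  ss -H -tuln | exposed_listeners "tcp/22"
sample_ss_output | exposed_listeners "tcp/22"
```

Anything the function prints is a service that is listening on a non-loopback address without being on the allowlist; an empty result means every exposed listener is accounted for.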

That's all for minimizing running daemon services when hardening Debian.