Running services you do not need on a Linux server is wasteful in terms of resources, but if one of those services has a security hole it is also a risk from a security standpoint: every listening daemon is attack surface that has to be patched and monitored, while a service that is not running cannot be exploited.
This post walks through the procedure for stopping unneeded services on CentOS 7.
Check which services are running
Check the currently running services with the systemctl command. With no further options it lists only loaded, active units; add --all to include inactive ones.
[root@cent77 ~]# systemctl --type service
UNIT LOAD ACTIVE SUB DESCRIPTION
abrt-ccpp.service loaded active exited Install ABRT coredump hook
abrt-oops.service loaded active running ABRT kernel log watcher
abrtd.service loaded active running ABRT Automated Bug Reporting Tool
atd.service loaded active running Job spooling tools
auditd.service loaded active running Security Auditing Service
chronyd.service loaded active running NTP client/server
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
firewalld.service loaded active running firewalld - dynamic firewall daemon
getty@tty1.service loaded active running Getty on tty1
kdump.service loaded active exited Crash recovery kernel arming
kmod-static-nodes.service loaded active exited Create list of required static device nodes for the current k
libstoragemgmt.service loaded active running libstoragemgmt plug-in server daemon
lvm2-lvmetad.service loaded active running LVM2 metadata daemon
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or
lvm2-pvscan@8:2.service loaded active exited LVM2 PV scan on device 8:2
mysqld.service loaded active running MySQL Server
network.service loaded active exited LSB: Bring up/down networking
NetworkManager-wait-online.service loaded active exited Network Manager Wait Online
NetworkManager.service loaded active running Network Manager
polkit.service loaded active running Authorization Manager
rhel-dmesg.service loaded active exited Dump dmesg to /var/log/dmesg
rhel-domainname.service loaded active exited Read and set NIS domainname from /etc/sysconfig/network
rhel-import-state.service loaded active exited Import network configuration from initramfs
rhel-readonly.service loaded active exited Configure read-only root support
rngd.service loaded active running Hardware RNG Entropy Gatherer Daemon
rpcbind.service loaded active running RPC bind service
rsyslog.service loaded active running System Logging Service
smartd.service loaded active running Self Monitoring and Reporting Technology (SMART) Daemon
sshd.service loaded active running OpenSSH server daemon
sysstat.service loaded active exited Resets System Activity Logs
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-random-seed.service loaded active exited Load/Save Random Seed
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-udev-settle.service loaded active exited udev Wait for Complete Device Initialization
systemd-udev-trigger.service loaded active exited udev Coldplug all Devices
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
systemd-vconsole-setup.service loaded active exited Setup Virtual Console
vdo.service loaded active exited VDO volume services
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
46 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
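Reading a listing like the one above by eye does not scale across many hosts. As an added example (not code from the original article), the script below compares the units a host is enabled to start against an allowlist and prints the rest as review candidates. It assumes the CentOS 7 systemctl output format of "UNIT FILE  STATE" from list-unit-files --no-legend; the ALLOWED list and the file name audit.sh are illustrative choices, not anything from the article.

```bash
#!/bin/bash
# Added example, not code from the original article: compare the units this
# host is enabled to start against an allowlist and print the unexpected ones.
# Assumes CentOS 7 systemctl, whose 'list-unit-files --no-legend' prints
# "UNIT-FILE  STATE" per line; ALLOWED below is an illustrative choice.

ALLOWED="auditd.service chronyd.service crond.service firewalld.service rsyslog.service sshd.service"

# unexpected_units ALLOWLIST: reads list-unit-files lines on stdin and prints
# every unit that is 'enabled' but not on the space-separated allowlist.
unexpected_units() {
    allow=" $1 "
    while read -r unit state _; do
        [ "$state" = "enabled" ] || continue      # static/disabled/masked units are not started at boot
        case "$allow" in
            *" $unit "*) ;;                        # expected on this host
            *) printf '%s\n' "$unit" ;;            # review candidate
        esac
    done
    return 0
}

# audit_host: the live version. Socket units are included because an enabled
# .socket unit will start its (even disabled) .service on the first connection.
audit_host() {
    systemctl list-unit-files --type=service,socket --no-legend | unexpected_units "$ALLOWED"
}

# Usage: ./audit.sh run   (prints nothing when everything enabled is on the list)
if [ "${1:-}" = "run" ]; then
    audit_host
fi
```

The list-unit-files view is deliberately used instead of the plain "systemctl --type service" listing: the former shows what will come back after a reboot, which is what matters for hardening. Pair the output with "ss -tlnp" to see which of the flagged units actually owns a listening port.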
Stop an unneeded service
"systemctl stop <service name>" stops a service. Note that stop on its own is not persistent: if the unit is still enabled it comes back at the next boot, which is why the disable step below follows it.
Here the VDO service is used as the example.
★Confirm it is running
[root@cent77 ~]# systemctl --type service |grep vdo
vdo.service loaded active exited VDO volume services
★Stop the service
[root@cent77 ~]# systemctl stop vdo.service
★Disable automatic start at boot
[root@cent77 ~]# systemctl disable vdo.service
Removed symlink /etc/systemd/system/multi-user.target.wants/vdo.service.
★Confirm it is stopped
[root@cent77 ~]# systemctl --type service |grep vdo
※If the command above prints nothing, the service is not running. Alternatively, check with the following:
[root@cent77 ~]# systemctl status vdo.service
* vdo.service - VDO volume services
Loaded: loaded (/usr/lib/systemd/system/vdo.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Mar 30 23:36:18 cent77 systemd[1]: Starting VDO volume services...
Mar 30 23:36:20 cent77 systemd[1]: Started VDO volume services.
Mar 31 08:19:18 cent77 systemd[1]: Stopping VDO volume services...
Mar 31 08:19:18 cent77 systemd[1]: Stopped VDO volume services.
Make an unneeded service impossible to start
"systemctl mask <service name>" forbids starting the service (systemctl start).
disable only turns off automatic start at boot; the service can still be started by hand, or pulled in by another unit that depends on it. mask replaces the unit with a symlink to /dev/null, so both manual starts and dependency-triggered starts fail. Two caveats: mask does not stop an instance that is already running (stop it first, as above), and root can undo it with systemctl unmask, so it protects against mistakes and unintended activation, not against an attacker who already has root.
[root@cent77 ~]# systemctl mask vdo.service
Created symlink from /etc/systemd/system/vdo.service to /dev/null.
[root@cent77 ~]# systemctl start vdo.service
Failed to start vdo.service: Unit is masked.
[root@cent77 ~]# systemctl status vdo.service
* vdo.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
Mar 30 23:36:18 cent77 systemd[1]: Starting VDO volume services...
Mar 30 23:36:20 cent77 systemd[1]: Started VDO volume services.
Mar 31 08:19:18 cent77 systemd[1]: Stopping VDO volume services...
Mar 31 08:19:18 cent77 systemd[1]: Stopped VDO volume services.
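The stop, disable and mask steps above are shown one command at a time. As an added example (not code from the original article), the function below runs the whole sequence for a unit, retires a companion socket unit of the same name if one exists (an enabled .socket would otherwise re-activate the service on the first connection), and then verifies the end state with is-enabled and is-active. It assumes CentOS 7 systemctl; the file name retire.sh and the cups.service example in the usage line are illustrative.

```bash
#!/bin/bash
# Added example, not code from the original article: the stop -> disable -> mask
# sequence as one function, plus two checks the article does not show.
# Assumes CentOS 7 systemctl; unit names are the caller's choice.

# verify_retired UNIT: true only if the unit is masked and not running.
verify_retired() {
    unit="$1"
    # Both commands exit non-zero in exactly the state we want (masked / inactive),
    # so their exit status is ignored and the printed state is compared instead.
    enabled=$(systemctl is-enabled "$unit" 2>/dev/null || true)
    active=$(systemctl is-active "$unit" 2>/dev/null || true)
    [ "$enabled" = "masked" ] && [ "$active" = "inactive" ]
}

# retire_unit UNIT: stop now, drop from boot, and forbid future starts.
retire_unit() {
    unit="$1"
    systemctl stop "$unit"    || return 1   # disable/mask alone leave a running instance up
    systemctl disable "$unit" || return 1   # no longer pulled in by multi-user.target
    systemctl mask "$unit"    || return 1   # /etc/systemd/system/UNIT -> /dev/null

    # A socket unit with the conventional matching name (e.g. cups.socket for
    # cups.service) would re-activate the service on demand, so retire it too.
    sock="${unit%.service}.socket"
    if systemctl list-unit-files --type=socket --no-legend | awk '{print $1}' | grep -qx "$sock"; then
        systemctl stop "$sock"    || return 1
        systemctl disable "$sock" || return 1
        systemctl mask "$sock"    || return 1
    fi

    verify_retired "$unit"
}

# Usage: ./retire.sh vdo.service cups.service
if [ "$#" -gt 0 ]; then
    for u in "$@"; do
        if retire_unit "$u"; then
            echo "retired: $u"
        else
            echo "FAILED: $u" >&2
            exit 1
        fi
    done
fi
```

The verification step is the part worth keeping even if the rest is typed by hand: "systemctl is-enabled" prints masked and "systemctl is-active" prints inactive for a unit that has been fully retired, and anything else means one of the three steps was skipped or undone.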
Services I stop as a rule
I have looked at many systems, and some of them were still running with the default service configuration.
As a rule, the following services are not used, so I stop them, partly for security reasons.
postfix.service | Mail server (MTA) software |
tuned.service   | Daemon that tunes the host dynamically |
vdo.service     | Data deduplication and compression software (Virtual Data Optimizer) |
Before stopping any of these, check that nothing on the host depends on it: postfix's default configuration on CentOS 7 listens only on localhost, so stopping it mainly affects local mail such as cron job output addressed to root; "tuned-adm active" shows which tuning profile you would be giving up; and vdo.service starts VDO volumes at boot, so it must stay if the host uses any.