💾 Archived View for envs.net › ~neovoid › notes › closeports.md captured on 2023-07-22 at 17:40:20.

View Raw

More Information

-=-=-=-=-=-=-

# Disable Unused Network Services as Security Vulnerabilities & Risks

In 6 steps, in the general case, disable rogue services or services that are active yet unused and the associated LISTENING ports are often a security risk! Note you can substitute "cups" service removal for most other systemd Linux services, for example ssh on vulnerable port 22. Even previously harmless dbus.service has been weaponized by data mining criminals grabbing users data.

I use the extra simple Linux firewall ufw, but advanced users can use SeLinux port and service security filters. You are advised to see the link Ports Risks List.

Cups and cupsd ports like 631 (and others) are associated with security risks. You can detect active Linux network connected services with netstat.

## 1) Detect the rogue or not needed services and their risky ports

$ sudo netstat -utpln # Activity PID/Service

tcp 127.0.0.1:631 LISTEN 9132/cupsd


If you do not know what each service in the list is eg cupsd, look it up to see if it is needed. Port 631 is linked to a vulnerability.

## 2) Firewall Block High Risk Linux Ports and Services

Sure advanced users apply selinux rules, but simple firewalls do a great job.

$ sudo apt install ufw # and **dnf** applies to Red-Hat/Fedora/Centos

$ sudo ufw enable # ... Activate the ufw firewall.

$ sudo ufw deny 631 # ... block port using the ufw firewall.

$ sudo ufw status numbered # Show your ufw firewall rules.

$ sudo ufw reload # Reload the above rules that were changed.

Sadly printers are known for their deliberate ink ordering greedy embedded malware as well as hacker malware. Office and home devices that do not need to use a service (like printers) should have this 'deny' applied.

Selinux users can fine tune the risks, but still be able to use cupsd for printing (or indeed suppress all the _cups types). Follow this guide for cups with selinux.

## 3) Expose the Linux Service Sub-services to be Disabled

$ systemctl --reverse list-dependencies cups.* # Notice the .* is important.

cups.service

● └─cups-browsed.service

cups.socket

● ├─cups.service

● └─sockets.target

● └─basic.target

● └─multi-user.target

● └─graphical.target

cups.path

● ├─cups.service

● └─multi-user.target

● └─graphical.target

## 4) Disable the service you exposed after stopping it first

$ sudo systemctl stop cups cups.service cups.socket cups.path # 'stop' is NOT enduring!

$ systemctl --reverse list-dependencies cups.* # What else hangs onto the service?

$ sudo systemctl disable cups cups.service cups.socket cups.path # long term setting.


So by now the roach is "inactive, (dead)", right?
WRONG it has service buddies that cause it to go "active (running)" hours later when you are not looking! Its legs are still twitching and it will get up and run, so you have more killing to do! Normally systemd starts services and they run automatically, you can manually override them by >> appending the word manual once only.

$ sudo echo "manual" >> /etc/init/cups.override

$ sudo echo "manual" >> /etc/init/cups-browsed.override

## 5) Remove Rogue Malware Linux Service Packages

You will be shocked to find that cups even when set to "disable" in step 4 has other baddie services that automatically revive it especially on a HP Server with stock Debian installed. In this case "cups" has many hanging on services that can be removed. Note apt or apt-get applies to Debian/Mint/Ubuntu and dnf is for Fedora/Red-Hat/Centos.

$ dpkg -l | grep -i "cups\|print\|hp" # Shockingly lots.

$ sudo apt remove --auto-remove cups # then repeat: dpkg -l as above

OR purge the service package WITH all its config files:-

$ sudo apt-get purge --auto-remove cups

If you purge, you also lose that services non-default settings. Settings that indeed may have been hacked. Do so with caution. The advantage is that if your config was hacked then that hack is also 'purged'.

6) Test for More Rogue Linux Services after Reboot

"cups" is an example service, please look for others using the information below.

$ sudo shutdown -r now # just reboot

$ systemctl --reverse list-dependencies cups.* # Not there?

$ sudo netstat -utpln # No sign of rogue service?

$ sudo ps aux | grep -i "cups" # Nothing there running?

$ dpkg -l | grep -i "cups" # Is the service running removed?

$ sudo systemctl status cups # should say "inactive (dead)"

Or not be present in any way.

$ pstree # cups gone, but there is so much that can be removed.

$ systemctl list-units --type=service --state=running

$ systemctl --type=service --state=running


Desperado removal of services: systemd uses /etc/systemd/system/<service_name>, /etc/systemd/system/<some_directory>/<service_name> and /etc/init.d/<service_name> to set them going. Moving those files and links away from their directories is bruit force, but works.
# close ports manually
## Look for open ports

``sudo ss -tulnp | grep LISTEN``

## Close Port
``sudo sv disable sshd``