The Linux - Forbidden Services Policy makes it easy for IT admins to reduce risk to their environment by removing support for service types that are not required for normal operation. The policy applies to Linux systems running on x86 and x64 platforms.
To create a Linux Forbidden Services policy:
- Log in to the Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Policy Management.
- In the All tab, click (+).
- On the New Policy panel, select the Linux tab.
- Select Forbidden Services Policy from the list, then click configure.
- Under Settings, select the option to disable the respective service. No additional activation is required.
  - Disable xinetd – Disable the xinetd daemon, which listens for well-known services and dispatches the appropriate daemon to properly respond to service requests.
  - Disable Avahi – Disable Avahi, which allows automatic service discovery on the local network.
  - Disable CUPS – Disable the Common Unix Print System (CUPS), which allows printing to and receiving print jobs from local and network printers.
  - Disable DHCP – Disable Dynamic Host Configuration Protocol (DHCP), which is a service that allows machines to be dynamically assigned IP addresses.
  - Disable LDAP – Disable the Lightweight Directory Access Protocol (LDAP) if the system will not need to act as an LDAP server.
  - Disable NFS and RPC – Disable the Network File System (NFS) if the system will not need to export NFS shares or act as an NFS client.
  - Disable DNS – Disable the Domain Name System (DNS), which maps names to IP addresses for resources on the network, if the system will not need to act as the DNS server.
  - Disable FTP – Disable the File Transfer Protocol (FTP), which does not protect the confidentiality of data or authentication credentials when transferring files between networked machines.
  - Disable HTTP – Disable HTTP if there is no need to run the system as a web server.
  - Disable IMAP and POP3 server – Disable IMAP and POP3 server provisioning by the system.
  - Disable Samba – Disable Samba, which allows Linux systems to share file systems and directories with Windows desktops, if there is no need to mount directories and file systems to Windows systems.
  - Disable HTTP Proxy server – Disable HTTP Proxy if there is no need for a proxy server.
  - Disable SNMP server – Disable the Simple Network Management Protocol (SNMP) service, which does not require authentication to execute commands.
  - Disable rsync service – Disable the rsync service, which uses unencrypted protocols for communication to synchronize files between systems over network links.
  - Disable NIS server – Disable the Network Information Service (NIS) protocol used to distribute system configuration files.
- Click save.
- Next, apply the policy to a device or group of devices.
After a service is disabled using this policy, a form of the 403 Forbidden error appears to show the user that the service is not active and that the configured ports for the service will not respond to requests.
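To confirm on a device that the forbidden services are no longer enabled at boot, the `systemctl list-unit-files` output can be audited against the list of services the policy covers. The script below is an added example, not JumpCloud code; the systemd unit names and the function names are assumptions (typical Debian and RHEL names) and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag forbidden services that are still enabled at boot.
# Unit names are assumptions (typical Debian/RHEL names), not taken from the
# policy itself; adjust the list for your distribution.
FORBIDDEN_UNITS="xinetd avahi-daemon cups isc-dhcp-server dhcpd slapd
nfs-server rpcbind named bind9 vsftpd apache2 httpd dovecot smbd smb
squid snmpd rsync rsyncd ypserv"

# is_forbidden NAME -> exit 0 if NAME (unit without .service) is on the list.
is_forbidden() {
    for u in $FORBIDDEN_UNITS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# audit_unit_files: reads `systemctl list-unit-files` rows on stdin
# ("<unit> <state> [preset]") and prints one line per forbidden service
# whose state is enabled or enabled-runtime. Prints nothing when compliant.
audit_unit_files() {
    while read -r unit state rest; do
        case "$unit" in
            *.service) name=${unit%.service} ;;
            *) continue ;;
        esac
        is_forbidden "$name" || continue
        case "$state" in
            enabled|enabled-runtime) echo "VIOLATION $name $state" ;;
        esac
    done
}

# Constructed sample input, shaped like the output of:
#   systemctl list-unit-files --type=service --no-legend
SAMPLE_UNIT_FILES='cups.service enabled enabled
avahi-daemon.service masked enabled
ssh.service enabled enabled
snmpd.service enabled-runtime disabled
vsftpd.service disabled enabled
rpcbind.service static -'

# Offline demo; on a real host pipe the systemctl command above instead.
printf '%s\n' "$SAMPLE_UNIT_FILES" | audit_unit_files
```

Units in the `static` state are not flagged because they cannot be enabled directly, but they can still be started as a dependency of another unit, so review them separately.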