Every open port and running service is a potential entry point. The most fundamental hardening step is identifying and disabling all non-essential services, eliminating legacy vulnerabilities and reducing the noise for monitoring tools.
Administrators often install packages that silently enable background daemons (e.g., Avahi, RPCbind, CUPS). Regular auditing of listening ports against an approved baseline is required to catch shadow IT and misconfigurations.
💡 Pro-tip: Use `ss -tulpn` instead of `netstat`. It is faster, more accurate, and directly maps the listening port to the specific process ID (PID) and executable.
This output confirms only SSH (port 22) is listening. If you see port 111 (RPCbind) or 631 (CUPS) on a headless server, it must be disabled immediately.
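One way to check listeners against an approved baseline, as an added example that is not part of the original page. The function names, the `proto/port` baseline format and the sample `ss -tulpn` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -tulpn` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=612,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      4096   0.0.0.0:111        0.0.0.0:*         users:(("rpcbind",pid=612,fd=4))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=701,fd=7))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=845,fd=4))
EOF
}

# audit_listeners BASELINE   (hypothetical helper, not a standard tool)
# Reads `ss -tulpn` output on stdin and prints one "proto/port process" line
# for every listener whose proto/port is not in BASELINE (space-separated).
audit_listeners() {
    awk -v baseline="$1" '
        BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        NF < 5 || $1 == "Netid" { next }        # skip blank lines and the header row
        {
            port = $5; sub(/.*:/, "", port)     # text after the last colon (handles [::]:22)
            key = $1 "/" port
            # The Process column is empty for sockets the caller cannot
            # inspect, so run ss as root to get names for every listener.
            proc = "unknown"
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            if (!(key in ok) && !seen[key " " proc]++)
                print key, proc                 # report each offender once
        }'
}

# Approved baseline for a headless server: SSH only.
# On a live host: ss -tulpn | audit_listeners "tcp/22"
findings=$(sample_ss_output | audit_listeners "tcp/22")
if [ -n "$findings" ]; then
    printf 'Listeners outside the baseline:\n%s\n' "$findings"
fi
```

The baseline is keyed on protocol and port, so RPCbind on `udp/111` is reported separately from `tcp/111`, and a listener bound only to `127.0.0.1` (CUPS in the sample) is still flagged.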
Simply stopping a service isn't enough; it will restart on reboot. You must stop, disable, and ideally mask the service to prevent any other process from accidentally starting it.
⚠️ Never disable services without understanding their dependencies. Disabling `systemd-resolved` or `dbus` can render a Linux host completely unmanageable and break package management.
| Service | Risk | Action |
|---|---|---|
| Telnet | Cleartext creds | Disable / Use SSH |
| RPCbind | NFS exploitation | Disable if not NFS server |
| CUPS | Print spooler exploits | Disable on servers |