Is it a bad idea to stop unnecessary services running?

I have a Debian dedicated server. I'm trying to secure it and one way I thought would be good is to shut down services I don't need, like FTP for example.

I am suggesting to run something like this on deployment:

service ntp stop
update-rc.d -f ntp remove
service vsftpd stop
update-rc.d -f vsftpd remove
service xinetd stop
update-rc.d -f xinetd remove

I am new to this. Is it generally regarded as poor security to do this, and lock down the services with iptables, or is removing the service completely advisable and ultimately more secure?


Solution 1:

In general it is not a bad idea. I would even consider it recommendable. Why use resources for services not needed, anyway? The only reason to have some of these services might be some kind of dependency issue.

I wouldn't use update-rc.d though but sudo apt-get remove application. That way you can have a picture of the dependencies and could stop the process if it'll also remove something that you actually need.

All the dependencies are not visible to the package system, though. You could for example have a content management system that uses FTP for file uploads instead of direct file writing. In these kinds of situations you could only bind the software to localhost interface.

NTP on the other hand increases security and you should have it updating the server's clock. If you don't need to use NTP as a server, you could configure ntpd not to provide that service to others.
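
To check the result of removing services or binding them to localhost, as discussed above, the following added example (not part of the original answer) filters `ss` output down to the sockets still reachable from other hosts. The function names and the sample lines are constructed for illustration, and the parser assumes the column layout of `ss -H -tulnp`.

```shell
#!/bin/sh
# Added example: report listening sockets that are NOT bound to loopback.

# Constructed sample in the column layout of `ss -H -tulnp`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
sample_ss_output() {
    cat <<'EOF'
tcp LISTEN 0 32  0.0.0.0:21     0.0.0.0:* users:(("vsftpd",pid=612,fd=3))
udp UNCONN 0 0   0.0.0.0:123    0.0.0.0:* users:(("ntpd",pid=540,fd=16))
udp UNCONN 0 0   127.0.0.1:123  0.0.0.0:* users:(("ntpd",pid=540,fd=17))
tcp LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=700,fd=21))
tcp LISTEN 0 128 [::]:22        [::]:*    users:(("sshd",pid=480,fd=4))
tcp LISTEN 0 100 [::1]:25       [::]:*    users:(("master",pid=810,fd=14))
EOF
}

# Reads ss lines on stdin and prints "proto address port process" for each
# socket whose local address is something other than loopback.
exposed_listeners() {
    awk '
    {
        addr = $5; sub(/:[^:]*$/, "", addr)   # strip the trailing ":port"
        port = $5; sub(/^.*:/, "", port)      # keep only the port
        # Skip IPv4 loopback, IPv6 loopback and IPv4-mapped loopback.
        if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./)
            next
        # The process column is only present when ss can see the owner
        # (normally requires root); fall back to "-" otherwise.
        name = "-"
        if ($7 != "" && split($7, q, "\"") >= 2)
            name = q[2]
        print $1, addr, port, name
    }'
}

# Demonstration on the constructed sample. On a real host, run as root:
#   ss -H -tulnp | exposed_listeners
sample_ss_output | exposed_listeners
```

Anything this prints after the cleanup is still listening on a non-loopback address and needs to be either intended, rebound to localhost, or removed.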