How to Disable Unnecessary Services to Improve Security in Debian 12 Bookworm

How to Disable Unnecessary Services to Improve Security in Debian 12 Bookworm
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  4 minute read  

Introduction

Debian 12 Bookworm is a robust and secure Linux distribution, but like any system, it benefits from proper security hardening. One effective way to enhance security is by disabling unnecessary services. Running unnecessary services increases the attack surface, consumes system resources, and can introduce vulnerabilities. In this guide, we’ll walk through how to identify, evaluate, and disable unneeded services on a Debian 12 system.

Why Disable Unnecessary Services?

Disabling unused services provides several benefits:

  1. Reduces Attack Surface – Fewer running services mean fewer potential vulnerabilities for attackers to exploit.
  2. Improves Performance – Eliminating unneeded background processes frees up system resources.
  3. Enhances Stability – Fewer active services result in fewer conflicts and crashes.
  4. Prevents Unauthorized Access – Closing unnecessary ports limits entry points for attackers.

Now, let’s go through the process step by step.

Step 1: Identify Running Services

To begin, list active services on your Debian 12 system.

Using systemctl

Run the following command to view active services:

systemctl list-units --type=service --state=running

For a complete list of installed services (both active and inactive):

systemctl list-unit-files --type=service

Using netstat to Identify Network Services

If you want to see which services are listening on network ports, use:

netstat -tulnp

Or, if netstat is not installed, use ss:

ss -tulnp

These commands help identify services that expose network access, which should be reviewed carefully.

Step 2: Evaluate the Necessity of Each Service

Ask yourself the following questions for each service:

  • Is this service required for system functionality?
  • Do I use this service regularly?
  • Does disabling this service break dependencies?
  • Is this service a known security risk?

Common services that may be unnecessary on a personal or non-server system include:

  • CUPS (Common Unix Printing System) – Needed only if printing is required.
  • Avahi-daemon – Used for local network service discovery, often unnecessary.
  • Bluetooth-related services – Only needed for Bluetooth devices.
  • RPCbind – Used for NFS and some remote services, unnecessary if not using these.
  • Exim/Postfix – Mail servers, unnecessary for non-mail servers.
  • Apache/Nginx – If you don’t run a web server, these can be disabled.
  • Samba/NFS – Required only if sharing files over a network.

Step 3: Disable Unnecessary Services

Once you’ve identified unnecessary services, disable them using systemctl.

Stopping a Service Temporarily

If you want to stop a service temporarily (until reboot):

sudo systemctl stop <service-name>

For example, to stop avahi-daemon:

sudo systemctl stop avahi-daemon

Disabling a Service Permanently

To prevent a service from starting at boot, disable it:

sudo systemctl disable <service-name>

For example:

sudo systemctl disable cups

To disable and stop the service immediately:

sudo systemctl disable --now <service-name>

Masking a Service (Preventing Manual Start)

If you want to ensure a service cannot be started manually or by another process:

sudo systemctl mask <service-name>

To unmask a service later:

sudo systemctl unmask <service-name>

Step 4: Verify Disabled Services

After disabling services, confirm they are not running:

systemctl status <service-name>

Alternatively, check all disabled services:

systemctl list-unit-files --type=service | grep disabled

To ensure a network service is no longer listening on a port, run:

ss -tulnp

Step 5: Remove Unnecessary Packages

Some services may still be installed even if disabled. To remove them completely:

sudo apt remove --purge <package-name>

For example:

sudo apt remove --purge cups avahi-daemon

After removing packages, clean up unnecessary dependencies:

sudo apt autoremove

Step 6: Secure Remaining Services

For essential services that must remain enabled, consider these security practices:

  • Restrict Access – Use firewall rules (iptables/nftables/ufw) to limit access.
  • Use Strong Authentication – Enable SSH key authentication and disable password login.
  • Apply Updates Regularly – Keep services updated to patch vulnerabilities.
  • Monitor Logs – Use journalctl and fail2ban for intrusion detection.

Conclusion

Hardening Debian 12 by disabling unnecessary services is a straightforward yet powerful way to improve security and performance. Regularly reviewing and adjusting your active services helps maintain a secure and optimized system. By following these steps, you can significantly reduce your attack surface while keeping your Debian installation lean and efficient.

Would you like help with any specific configurations or additional security recommendations?


< How to Set Up an Intrusion Detection System (IDS) in Debian 12 BookwormHow to Restrict Access to Sudo Commands in Debian 12 Bookworm >