1

When setting a system up as a server with Ubuntu 10.4LTS, what packages are unnecessary and could be removed (to help harden the system)?

For example, I'm confident the gcc package can (and should) be removed. What other packages in the default installation are unnecessary to running the server?

Thank you for reading.

Brian

Zoredache
Brian M. Hunt
  • GCC is not part of the base server install at all. Perhaps you installed something that depends on it? – Shtééf Jun 22 '10 at 16:36
  • I'd leave `cowsay` and `fortune` untouched :) (and you don't need gcc to run aforementioned two, -- unless you don't need to compile new farm animals from source) – takeshin Jun 22 '10 at 17:28

4 Answers

3
  1. Use Ubuntu Server 10.04 LTS
  2. `sudo apt-get autoremove`
  3. Take a look at "The perfect server, Ubuntu Lucid"; the only package recommended here to remove is apparmor.

For the server the most obvious one to remove is X (and all the apps using windows).

The last one you don't want to remove is the kernel ;)

The rest is up to your needs.

```
dpkg -l
```

takeshin
  • 3
    If hardening is the goal then I don't think I would follow the recommendation in that setup to remove apparmor. Security frameworks like apparmor and SELinux can be a pain until they are properly configured but are there for a reason. Ideally you should learn to leverage these frameworks and configure them properly with the goal of running all public-facing services with it on enforce mode. Until you get to that point it's simple enough to disable apparmor on a per-service basis. – 3dinfluence Jun 22 '10 at 17:38
  • Also Ubuntu Server doesn't come with X by default. – 3dinfluence Jun 22 '10 at 17:39
  • And that's why I advised Ubuntu Server in the first place. The OP hasn't specified which one he uses, nor which packages he has installed. – takeshin Jun 22 '10 at 17:46
2

The base install is pretty slim. I don't think there is really anything that you can remove without causing difficulty for yourself in the future.

Without us knowing exactly what you are using the server for it is nearly impossible to make any meaningful recommendation.

Zoredache
  • Thanks for the response. You can presume that I am compiling everything for the server's functionality manually (i.e. not using any Ubuntu packages). Sorry - this should have been in the question. – Brian M. Hunt Jun 22 '10 at 20:18
  • You are compiling everything on your own? – Zoredache Jun 22 '10 at 23:18
  • Depends on what you mean by 'everything'. The server will need to run Nginx and Python, and Python comes with the base install. The only thing left to compile is Nginx. Hope that helps clarify. – Brian M. Hunt Jun 23 '10 at 15:40
1

You can certainly remove gcc. In general, if you find some package you don't want, you can just remove it with

```
sudo aptitude remove packagename
```

then if it turns out the package has some dependency that you want, just answer 'n' when it asks whether to proceed.

That being said, IMHO removing the compiler gives a false sense of security. If a skilled attacker gets shell access, you've already lost most of the battle anyway. Secondly, not having a compiler available maybe made sense when servers were running on architectures not generally available in PCs, were running some proprietary Unix variant etc. Nowadays an x86 PC with Ubuntu isn't exactly hard or expensive for an attacker to get his hands on, so if the compiler isn't available he can just copy over whatever binaries he wants.

janneb
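
An added example, not part of any answer on this page: a shell script for the audit the answers above do by hand (`dpkg -l`, removing gcc and X, keeping apparmor). The watchlist pattern, the function names and the sample package list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a package list for hardening candidates (added example).
# On a real host, produce the input with:
#   dpkg-query -W -f='${Package}\t${Status}\n'

# Constructed sample input (package<TAB>status), not from a real system.
SAMPLE=$(printf '%s\t%s\n' \
  gcc-4.4-base 'install ok installed' \
  gcc-4.4      'install ok installed' \
  make         'install ok installed' \
  xserver-xorg 'install ok installed' \
  nginx        'deinstall ok config-files' \
  python2.6    'install ok installed' \
  apparmor     'install ok installed')

# Print fully installed packages matching the build-toolchain / X11
# watchlist (an assumed list, adjust to your needs). gcc-*-base is
# skipped: libgcc1 depends on it, so it is not a removable compiler.
removal_candidates() {
  awk -F '\t' '$2 == "install ok installed" &&
    $1 !~ /-base$/ &&
    $1 ~ /^(gcc|g\+\+|cpp|make|build-essential|xserver-xorg|x11-common)(-.*)?$/ { print $1 }'
}

# Exit 0 only if apparmor is fully installed.
apparmor_present() {
  awk -F '\t' '$1 == "apparmor" && $2 == "install ok installed" { found = 1 }
    END { exit !found }'
}

# Read the package list on stdin and print a short report.
audit() {
  input=$(cat)
  echo "Candidates to review for removal:"
  printf '%s\n' "$input" | removal_candidates | sed 's/^/  /'
  if printf '%s\n' "$input" | apparmor_present; then
    echo "apparmor: installed"
  else
    echo "apparmor: MISSING (keep it installed when hardening)"
  fi
}

printf '%s\n' "$SAMPLE" | audit
```

Before removing a flagged package, `apt-get -s remove <package>` simulates the removal and lists what else would go with it.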
-3

I don't think you can remove gcc because it is part of kernel Ubuntu

Rajat
  • 4
    No, gcc (a C compiler) is most certainly not part of the kernel. – janneb Jun 22 '10 at 16:25
  • 1
    It's needed to compile, but not to run. In fact, most of my server installs don't have gcc, nor make at all. – Andor Jun 22 '10 at 16:36
  • Isn't it just a not-native-English-speaker-typo? And Rajat wanted to say that gcc is not provided with *core*, default install, as Andor and the others have pointed out. – takeshin Jun 22 '10 at 17:52