Introduction to Service Auditing

Author(s): Matthias Lee (ml2322)


Last Updated: 7-17-2025


Details

Recommended Prerequisites: None! This is an introductory article.

What is a service?

A service is a background process managed by the init system, usually systemd. Services not only provide necessary functions for the system, like NetworkManager or auditd, but can also host servers like Apache, Nginx, SSH, and more.

Why is this important?

Auditing services is important, as unwanted services may be providing remote access or sensitive data to malicious actors. Even things like SSH or Apache should be removed if not necessary, as they increase the attack surface, and can be configured to grant remote access or exfiltrate data. While this is the most common way services are abused, services can also be created to run malicious code and take advantage of running in the background, and potentially with elevated privileges.

How to audit services

There are several ways to check for malicious services, each with different benefits and drawbacks.

nmap

nmap (Network Mapper) is a tool to scan a host and see what ports are open. You can also run it against your own machine (localhost) to see what ports are open locally. This is by far the easiest way to check whether an unauthorized port is open, which indicates that an unwanted service is present.

Nmap doesn't come preinstalled, so you will have to install it with apt:

user@system:~$ sudo apt install nmap

Once nmap is installed, you can run it on yourself to check for open ports:

user@system:~$ nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-17 10:23 PDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

Here, we see that ports 22, 80, 139, 445, and 631 are open. 139 and 445 are used for NetBIOS discovery and are managed by the nmbd service. This isn't inherently malicious and is standard on many systems, but you may want to disable it for extra security. Ports 22 and 80, on the other hand, are used for SSH and HTTP respectively. You can disable services with systemctl, but outright removing the packages is better.

user@system:~$ sudo systemctl disable ssh
user@system:~$ sudo systemctl disable apache2
user@system:~$ sudo systemctl disable nginx
user@system:~$ sudo apt purge openssh-server
user@system:~$ sudo apt purge apache2
user@system:~$ sudo apt purge nginx-common

If you don't know the specific service running on a port, remove or disable all servers that could be running on that port.
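As an added example (this is not code from the original article), here is a small POSIX shell script that covers the two gaps above: it lists TCP listeners from ss -tlnp, flags every port that is not on an allowlist, and maps a listening process back to the systemd unit that owns it by reading /proc/<pid>/cgroup. An nmap localhost scan only probes the loopback address and, by default, the 1000 most common TCP ports, so a listener bound to another interface or sitting on a nonstandard port can go unseen; ss shows every TCP listener together with the owning process when run as root, which answers the "which service is on this port?" question directly instead of guessing. The embedded ss output, the port 8081 python3 entry and the example-listener.service cgroup line are all constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example: audit TCP listeners with ss(8) and map each one back to its
# process and systemd unit. All sample data below is constructed.

# Constructed sample of `ss -tlnp` output (what you would see as root).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("apache2",pid=1203,fd=4),("apache2",pid=1204,fd=4))
LISTEN 0      128        127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=701,fd=7))
LISTEN 0      5            0.0.0.0:8081      0.0.0.0:*     users:(("python3",pid=2417,fd=3))
LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))'

# Constructed stand-in for /proc/2417/cgroup (cgroup v2 layout).
SAMPLE_CGROUP='0::/system.slice/example-listener.service'

# audit_listeners "<space-separated allowed ports>" < ss-output
# Prints "port process" for every listening port not on the allowlist.
# A port is reported once even if it listens on both IPv4 and IPv6.
audit_listeners() {
    awk -v allow=" $1 " '
        NR == 1 { next }                          # skip the column header
        {
            n = split($4, a, ":"); port = a[n]    # "Local Address:Port" -> port
            proc = "unknown (rerun as root to see the process)"
            if (match($0, /"[^"]+"/))             # first quoted name in users:(...)
                proc = substr($0, RSTART + 1, RLENGTH - 2)
            if (index(allow, " " port " ") == 0 && !seen[port]++)
                print port, proc
        }'
}

# unit_from_cgroup < /proc/<pid>/cgroup
# Prints the systemd unit owning a process; works for cgroup v1 and v2 lines.
unit_from_cgroup() {
    awk -F/ '/\.service$/ { print $NF; exit }'
}

# Run the audit over the constructed sample, allowing only CUPS (631).
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners "631"
}

# Live use on a real host:
#   sudo ss -tlnp | audit_listeners "631"
#   unit_from_cgroup < /proc/<pid>/cgroup      # pid from the ss output
#   systemctl status <unit>; sudo systemctl disable --now <unit>

audit_sample
printf '%s\n' "$SAMPLE_CGROUP" | unit_from_cgroup
```

Running it on the sample reports 22 sshd, 80 apache2 and 8081 python3 as unexpected listeners and resolves the constructed cgroup line to example-listener.service. Note that systemctl disable on its own only stops the unit from starting at boot; disable --now also stops the running instance, and purging the package (as shown above) removes it entirely.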