2 - Services

2.1 - Disable Unused Services

2.1.2 - 2.1.14, 2.1.16 - 2.1.17 - Uninstall Services

Uninstall Xwin, Avahi Server, CUPS, DHCP server, LDAP server, NFS, DNS server, FTP server, HTTP server, IMAP and POP3 server, Samba, HTTP Proxy Server, SNMP Server, rsync, and NIS Server.

systemctl stop avahi-daemon.service
systemctl stop avahi-daemon.socket
apt-get purge xserver-xorg* avahi-daemon cups isc-dhcp-server slapd nfs-kernel-server bind9 vsftpd apache2 dovecot-imapd dovecot-pop3d courier-imap cyrus-imap samba squid snmpd rsync nis

2.1.15 - Configure mail transfer agent to be local only

Make sure that the mail transfer agent is only listening on loopback addresses (127.0.0.1 or ::1).

Edit /etc/exim4/update-exim4.conf.conf to look like:

dc_eximconfig_configtype='local'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
dc_use_split_config-'false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

Then restart exim4 by running systemctl restart exim4.

2.2 Service Clients

2.2.1 - 2.2.6 - Disable Service Clients

Remove nis, rsh, talk, telnet, LDAP, and RPC.

apt purge nis rsh-client talk telnet idap-utils rpcbind

2.3 - Remove or mask nonessential services

List services that are listening on a port by running lsof -i -P -n | grep -v "(ESTABLISHED)"

(A complete list of open ports can be obtained by using ss, such as ss -ln.)

When a service is found, stop the service by running systemctl --now mask SERVICE_NAME and uninstall by running apt purge PACKAGE_NAME