In 6 steps, for the general case, disable rogue services or services that are active yet unused; their associated LISTENING ports are often a security risk!

NOTE

You can substitute “cups” in this service removal for most other systemd Linux services, for example ssh on vulnerable port 22. Even the previously harmless dbus.service has been weaponized by data-mining criminals grabbing users' data.

I use the extra simple Linux firewall ufw, but advanced users can use SELinux port and service security filters. You are advised to see the link Ports Risks List.

CUPS and the cupsd ports like 631 (and others) are associated with security risks. You can detect active network-connected Linux services with netstat.

1) Detect the rogue or not needed services and their risky ports

netstat -utpln              #Activity     PID/Service
tcp   127.0.0.1:631           LISTEN      9132/cupsd

If you do not know what a service in the list is, e.g. cupsd, look it up to see if it is needed. Port 631 is linked to a vulnerability.

2) Firewall Block High Risk Linux Ports and Services

Sure, advanced users apply SELinux rules, but simple firewalls do a great job.

apt install ufw         # dnf applies to Red-Hat/Fedora/CentOS.
ufw enable              # Activate the ufw firewall.
ufw deny 631            # Block the port using the ufw firewall.
ufw status numbered     # Show your ufw firewall rules.
ufw reload              # Reload the above rules that were changed.

Sadly, printers are known for their deliberately greedy ink-ordering embedded malware as well as hacker malware. Office and home devices that do not need to use a service (like printers) should have this ‘deny’ applied.

SELinux users can fine-tune the risks but still be able to use cupsd for printing (or indeed suppress all the _cups types). Follow this guide for cups with SELinux.
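Tying steps 1 and 2 together, here is an added example (not part of the original guide): a small shell script that parses netstat -utpln output, separates loopback-only listeners from network-exposed ones, and emits ufw deny rules for the exposed ports. The netstat sample is constructed, and the allow list of ports to keep reachable (just 22 here) is an assumption.

```shell
#!/bin/sh
# Constructed sample of `netstat -utpln` output (not captured from a real host).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      9132/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      811/sshd
tcp6       0      0 :::631                  :::*                    LISTEN      9132/cupsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           702/avahi-daemon
udp        0      0 127.0.0.1:323           0.0.0.0:*                           640/chronyd'

# classify_listeners: reads netstat -utpln text on stdin and prints one line per
# socket as "<local|exposed> <proto> <port> <program>". A socket bound to a loopback
# address is unreachable from the network, and ufw does not filter loopback traffic,
# so a firewall rule changes nothing for it; only the "exposed" rows need a rule.
classify_listeners() {
  awk '
    /^(tcp|udp)/ {
      addr = $4; sub(/:[0-9]+$/, "", addr)      # strip the trailing ":port"
      port = $4; sub(/^.*:/, "", port)          # keep only the port number
      prog = $NF; sub(/^[0-9]+\//, "", prog)    # "9132/cupsd" -> "cupsd"
      if (prog == "-") prog = "unknown(run-as-root)"
      scope = (addr == "127.0.0.1" || addr == "::1") ? "local" : "exposed"
      print scope, substr($1, 1, 3), port, prog  # tcp6/udp6 collapse to tcp/udp
    }'
}

# ufw_rules_for_exposed ALLOWED_PORTS: prints one "ufw deny PORT/PROTO" line for each
# exposed port that is not in the space-separated allow list (deduplicated per proto/port).
ufw_rules_for_exposed() {
  allow="$1"
  classify_listeners | awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
    $1 == "exposed" && !($3 in keep) && !seen[$2 $3]++ { print "ufw deny " $3 "/" $2 "   # " $4 }'
}

# On a real host replace the sample with:  netstat -utpln | classify_listeners
printf '%s\n' "$SAMPLE" | classify_listeners
printf '%s\n' "$SAMPLE" | ufw_rules_for_exposed "22"
```

Note that the 127.0.0.1:631 listener from step 1 is loopback-only, so ufw deny 631 alone does not change its reachability; stopping and disabling the unit (steps 3 to 5) is what removes it.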

3) Expose the Linux Service Sub-services to be Disabled

systemctl --reverse list-dependencies cups.*  # Notice the .* is important.
cups.service
 └─cups-browsed.service
 
cups.socket
 ├─cups.service
 └─sockets.target
   └─basic.target
     └─multi-user.target
       └─graphical.target
 
cups.path
 ├─cups.service
 └─multi-user.target
   └─graphical.target

4) Disable the service you exposed after stopping it first

systemctl stop cups cups.service cups.socket cups.path       # 'stop' is NOT enduring!
systemctl --reverse list-dependencies cups.*                 # What else hangs onto the service?
systemctl disable cups cups.service cups.socket cups.path    # Long-term setting.

So by now the roach is “inactive, (dead)”, right?

WRONG! It has service buddies that cause it to go “active (running)” hours later when you are not looking. Its legs are still twitching and it will get up and run, so you have more killing to do! Normally systemd starts services and they run automatically; you can manually override them by appending (>>) the word manual, once only.

echo "manual" >> /etc/init/cups.override           # Append once only, as root; /etc/init/*.override is the Upstart override format.
echo "manual" >> /etc/init/cups-browsed.override

5) Remove Rogue Malware Linux Service Packages

You will be shocked to find that cups, even when set to “disable” in step 4, has other baddie services that automatically revive it, especially on an HP server with stock Debian installed.

In this case “cups” has many hanger-on services that can be removed.

NOTE

apt or apt-get applies to Debian/Mint/Ubuntu and dnf is for Fedora/Red-Hat/Centos.

dpkg -l | grep -i "cups\|print\|hp"   # Shockingly lots.
sudo apt remove --auto-remove cups
# Then repeat the dpkg -l check as above, OR purge the service package WITH all its config files:
apt-get purge --auto-remove cups

If you purge, you also lose that service's non-default settings, settings that indeed may have been hacked. Do so with caution. The advantage is that if your config was hacked then that hack is also ‘purged’.

6) Test for More Rogue Linux Services after Reboot

“cups” is an example service, please look for others using the information below.

shutdown -r now  # Just reboot, then run the checks below.
systemctl --reverse list-dependencies cups.*  # Not there?
netstat -utpln  # No sign of the rogue service?
ps aux | grep -i "cups"  # Nothing running there?
dpkg -l | grep -i "cups"  # Is the service's package removed?
systemctl status cups  # Should say "inactive (dead)", or not be present in any way.
pstree  # cups gone, but there is so much more that can be removed.
systemctl list-units --type=service --state=running
systemctl --type=service --state=running  # Same listing; list-units is the default verb.

Desperado removal of services: systemd uses /etc/systemd/system/<service_name>, /etc/systemd/system/<some_directory>/<service_name> and /etc/init.d/<service_name> to set them going. Moving those files and links away from their directories is brute force, but it works.

Close ports manually

Step 1: Look for open ports

ss -tulnp | grep LISTEN

Step 2: Close ’em!

sv disable sshd  # sv is the runit service manager; on systemd hosts the equivalent is: systemctl disable --now sshd