Linux servers typically ship with a firewall that remains inactive until manually configured. This is one of the most common answers to the question of what is normally disabled by default on most Linux servers, and it often surprises new administrators. Beyond firewalls, several other critical services and features are left turned off to maintain security and performance out of the box.
Understanding these defaults helps you harden your server from the start. It also prevents common mistakes like leaving unnecessary services exposed to the internet. Let’s walk through the key components that are disabled by default on most Linux distributions.
What Is Normally Disabled By Default On Most Linux Servers
When you first install a Linux server, the operating system prioritizes security over convenience. Many features that could be useful are intentionally left off. This reduces the attack surface and keeps resource usage low until you explicitly need those services.
The most prominent example is the firewall. While Linux includes powerful firewall tools like iptables, nftables, or firewalld, they are almost never active after a fresh install. You must enable and configure them manually. This is a deliberate design choice to avoid locking out administrators who might not have physical access to the server.
Firewall Services And Rules
On most distributions, the firewall service is installed but not running. For instance, on Ubuntu Server, ufw (uncomplicated firewall) is present but inactive. On CentOS or RHEL, firewalld is installed but disabled by default. You need to start it and define rules to allow traffic on specific ports.
- ufw on Ubuntu: inactive until you run sudo ufw enable
- firewalld on RHEL/CentOS: stopped and disabled at boot
- iptables rules: empty policy allowing all traffic
- nftables: often not loaded into the kernel
This default leaves your server wide open to the network. If you connect it directly to the internet without enabling a firewall, attackers can probe every open port. Always enable and configure your firewall as one of the first steps after installation.
Root Login Over SSH
Another critical default is that root login via SSH is often disabled. Most modern Linux distributions ship with SSH configured to deny direct root access. This forces you to log in as a regular user and then use sudo or su to gain root privileges.
This is a security best practice. It prevents automated attacks from trying to brute-force the root password. It also creates an audit trail because each command executed with sudo is logged with the user’s identity.
Why Root SSH Is Disabled
Allowing root SSH login gives attackers a single target. If they guess the root password, they have full control. By disabling it, you add an extra layer of protection. Even if a regular user account is compromised, the attacker still needs to escalate privileges.
SELinux Or AppArmor
Mandatory access control systems like SELinux (on RHEL-based distros) or AppArmor (on Ubuntu) are often installed but set to a permissive or disabled mode. On some distributions, they are fully enabled by default, but many server administrators find them restrictive and turn them off.
However, the default state varies. For example, CentOS 7 and 8 have SELinux enabled and enforcing out of the box. Ubuntu Server has AppArmor enabled but with minimal profiles. Some lightweight distributions like Alpine Linux have no mandatory access control at all.
If you are running a production server, keeping SELinux or AppArmor enabled adds significant security. It confines processes to minimal privileges, limiting damage from a compromised application.
Network Services And Daemons
Many network services that were once started by default are now disabled. This shift reflects the growing emphasis on security. A minimal installation means fewer ports are open and fewer processes are consuming memory.
Web Servers Like Apache Or Nginx
No Linux distribution installs a web server by default. You must manually install Apache, Nginx, or another HTTP server. This prevents unnecessary exposure of HTTP ports. It also saves disk space and memory.
Database Servers
Similarly, MySQL, MariaDB, or PostgreSQL are not installed or running after a fresh OS install. Database servers are resource-intensive and represent a high-value target. Leaving them disabled by default reduces risk.
Mail Transfer Agents
Older Linux distributions often included a mail server like Sendmail or Postfix. Modern minimal installations skip this. If you need email functionality, you install and configure it separately. This avoids having an open SMTP port that could be abused for spam relaying.
FTP Servers
FTP services like vsftpd or ProFTPD are not enabled. FTP is an insecure protocol because it transmits credentials in plain text. Many administrators now use SFTP or SCP instead. Disabling FTP by default encourages better security practices.
Print Services
CUPS (Common Unix Printing System) is often installed but not started. On a server, printing is rarely needed. Disabling it saves resources and eliminates a potential attack vector through printer protocols.
System Services And Features
Beyond network services, several system-level features are disabled by default. These include graphical interfaces, unnecessary kernel modules, and debugging tools.
Graphical User Interface
Most Linux servers do not include a desktop environment. They run in text mode (runlevel 3 or multi-user.target). This reduces memory usage and eliminates the security risks associated with X11 or Wayland. You interact with the server entirely through the command line.
IPv6
On some distributions, IPv6 is disabled by default. This is less common now, but older versions of CentOS or Debian had IPv6 turned off in kernel parameters. Even if enabled, the firewall rules often do not cover IPv6 traffic, leaving a gap.
You should check whether IPv6 is active on your server. If you do not need it, disabling it reduces complexity. If you do use it, ensure your firewall applies equally to IPv6 addresses.
Core Dumps
Automatic core dump generation is often disabled. Core dumps are memory snapshots taken when a program crashes. They are useful for debugging but can consume significant disk space. On production servers, they are typically turned off to prevent filling up the root filesystem.
Unused Kernel Modules
Many kernel modules for hardware you do not have are not loaded. This includes drivers for uncommon network cards, sound devices, or USB gadgets. Loading only necessary modules reduces the attack surface and improves boot time.
Audit Daemon
The auditd service, which logs security-relevant events, is often disabled by default. While useful for compliance, it generates large log files. Administrators enable it only when required by security policies.
User Accounts And Access Controls
Default user configurations also reflect a security-first approach. Several accounts and access methods are disabled out of the box.
Guest Or Anonymous Accounts
No guest accounts are created. Every user must be explicitly added by an administrator. This prevents anonymous access to system resources.
Password Aging Policies
Password expiration is usually not enforced by default. Users can keep the same password indefinitely. While this is not ideal for security, it avoids locking out administrators who forget to change passwords. You should implement password aging policies manually.
Root Password
On some distributions like Ubuntu, the root account has no password set. You cannot log in as root directly. Instead, you use sudo with your user account. This is another layer of protection against brute-force attacks.
Logging And Monitoring
While basic logging is always active, advanced monitoring features are often disabled. This includes detailed audit logs, performance monitoring, and intrusion detection.
System Activity Reporter
Tools like sar (System Activity Reporter) from the sysstat package are not installed or enabled. They collect CPU, memory, disk, and network statistics over time. You need to install and configure sysstat separately if you want historical performance data.
Intrusion Detection Systems
No Linux distribution ships with an active intrusion detection system like Snort or OSSEC. These are third-party tools that require manual installation and tuning. The default assumption is that the administrator will add security layers as needed.
Log Rotation
Log rotation via logrotate is usually configured but not aggressive. Logs may grow large before being rotated. You should review the logrotate configuration to ensure logs do not consume all available disk space.
Package Management And Updates
Automatic updates are almost always disabled. Linux distributions leave it to the administrator to decide when and how to apply patches. This prevents unexpected reboots or service interruptions.
Unattended Upgrades
On Debian-based systems, the unattended-upgrades package is not installed by default. You must install it and configure it to automatically apply security updates. On RHEL-based systems, the dnf-automatic package serves a similar role but is not active.
Repositories
Third-party repositories are not enabled. Only the official distribution repositories are configured. This reduces the risk of installing untrusted software. You must manually add repositories like EPEL or Docker’s repository if needed.
Security Enhancements
Several security features that could be useful are disabled by default. This is often because they can cause compatibility issues with legacy software.
Address Space Layout Randomization
ASLR is enabled by default on modern kernels. However, some older distributions had it disabled. You can check with cat /proc/sys/kernel/randomize_va_space. A value of 2 indicates full randomization.
Exec-Shield
On older kernels, Exec-Shield (a protection against buffer overflow attacks) was sometimes disabled. Current kernels have this built into the architecture and it is always active.
TCP SYN Cookies
SYN cookies, which protect against SYN flood attacks, are usually enabled. But the threshold for activation may be high. You can lower it by adjusting kernel parameters in /etc/sysctl.conf.
FAQ: What Is Normally Disabled By Default On Most Linux Servers
1. Is The Firewall Always Disabled On Linux Servers?
Yes, on most distributions, the firewall service is installed but not running after a fresh install. You must enable it manually. This is the primary answer to “what is normally disabled by default on most Linux servers”.
2. Why Is Root Login Over SSH Disabled By Default?
Disabling root SSH login prevents direct brute-force attacks on the root account. It forces administrators to use regular user accounts with sudo, which provides better auditing and security.
3. Are Web Servers Like Apache Installed By Default?
No. Web servers are not installed or enabled by default on any major Linux distribution. You must install them manually to reduce the attack surface and resource usage.
4. Is IPv6 Enabled Or Disabled By Default?
It varies. Most modern distributions enable IPv6 by default, but some older ones disable it. Even when enabled, firewall rules often do not cover IPv6, so you should check and configure it separately.
5. What About Automatic Security Updates?
Automatic updates are disabled by default. You must configure tools like unattended-upgrades or dnf-automatic to apply patches automatically. This prevents unexpected service disruptions.
Practical Steps To Secure Your Linux Server
Now that you know what is disabled by default, you can take action. Here is a checklist to harden your server immediately after installation.
- Enable and configure your firewall. Allow only necessary ports like 22 (SSH), 80 (HTTP), and 443 (HTTPS).
- Ensure root SSH login is disabled. If it is enabled, change it in /etc/ssh/sshd_config.
- Install and enable SELinux or AppArmor if not already active.
- Disable IPv6 if you do not need it, or add firewall rules for it.
- Set up automatic security updates for critical patches.
- Review and disable any unnecessary services using systemctl list-units --type=service.
- Configure log rotation to prevent disk full issues.
- Implement strong password policies and consider SSH key-based authentication.
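The following read-only audit script is an added example, not part of the original article. It checks several checklist items (root SSH login, firewall state, IPv6) plus the ASLR and SYN cookie settings discussed earlier. The function names, the --run switch and the ufw.conf location /etc/ufw/ufw.conf are this example's assumptions, and an unset PermitRootLogin is treated as upstream OpenSSH's default, prohibit-password.

```sh
#!/bin/sh
# Added example: read-only audit of defaults named in the checklist above.
# Config paths are arguments so each check also runs on a copy of the file.

# Global PermitRootLogin value. sshd uses the first occurrence of a keyword
# and matches keywords case-insensitively. Match blocks and Include files are
# not followed; on a live host `sshd -T` prints the effective settings.
# Assumption: an unset keyword falls back to upstream OpenSSH's default.
sshd_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "prohibit-password" }' "$1"
}

# check_value FILE WANT LABEL: compare a one-line /proc/sys file with WANT.
check_value() {
    got=$(cat "$1" 2>/dev/null) || got="unreadable"
    if [ "$got" = "$2" ]; then echo "ok    $3"; return 0; fi
    echo "FAIL  $3 (got $got, want $2)"; return 1
}

# firewall_active UFW_CONF: ufw keeps its on/off switch in ufw.conf, and
# ufw.service can report active while the firewall is off, so read the file.
firewall_active() {
    grep -qi '^ENABLED=yes' "$1" 2>/dev/null && return 0
    for unit in firewalld nftables; do
        systemctl is-active --quiet "$unit" 2>/dev/null && return 0
    done
    return 1
}

audit_host() {
    rc=0
    val=$(sshd_root_login /etc/ssh/sshd_config)
    if [ "$val" = "no" ]; then echo "ok    PermitRootLogin no"
    else echo "FAIL  PermitRootLogin is '$val'"; rc=1; fi
    check_value /proc/sys/kernel/randomize_va_space 2 "ASLR full randomization" || rc=1
    check_value /proc/sys/net/ipv4/tcp_syncookies 1 "TCP SYN cookies" || rc=1
    if firewall_active /etc/ufw/ufw.conf; then echo "ok    firewall running"
    else echo "FAIL  no firewall running"; rc=1; fi
    # IPv6 being on is not a failure, but the firewall must then cover it.
    check_value /proc/sys/net/ipv6/conf/all/disable_ipv6 1 "IPv6 disabled" >/dev/null ||
        echo "note  IPv6 active: confirm the firewall rules cover IPv6"
    return "$rc"
}

# Touch the live host only when asked: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_host; fi
```

Run it as sh audit.sh --run; a non-zero exit status means at least one check failed.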
By following these steps, you turn a server with insecure defaults into a hardened production machine. Remember that the defaults are not meant to be permanent. They are a starting point for you to build upon.
Understanding “what is normally disabled by default on most Linux servers” gives you a roadmap for security. Each disabled feature is an opportunity to make an informed decision. Enable only what you need, and keep everything else turned off.
This approach minimizes risk and keeps your server running lean. It also aligns with the principle of least privilege, where every component has only the permissions necessary to function. Start with a minimal base, then add services deliberately.
Your Linux server is a powerful tool. By knowing its default state, you can take full control and ensure it remains secure from day one. The defaults are your friend—they protect you until you are ready to take over.