Raspberry Piの不要なサービス・ハードの停止(trixie版)

WordPress専用のサーバとしてRaspberry Pi5、Raspberry Pi4、Raspberry Pi3を運営する上で、不要なサービス・ハードを停止して、サーバを軽くセキュリティ強度を上げます。

このページでは、Raspberry Pi OS Lite(64bit) trixie 2025-10-01版で説明しています。

インストールされる内容は、バージョン毎に変わっていくので確認しながら停止してください。

過去のbookworm版は、下記記事を参照ください。

WordPress専用のサーバとしてRaspberry Pi5、Raspberry Pi4、Raspberry Pi3を運営する上で、不要なサービス・ハードを停止して、サーバを軽くセキュリティ強度を上げます。このページでは、Raspberr　　　＞＞続く＞＞

インストール直後に起動しているサービスの確認
1. 全サービスの起動状態を確認
関係の無いサービスを無効化する
1. サービスの停止
2. サービスの非活性化
ラズベリーパイの設定ファイルで使わないハードを非活性にする

インストール直後に起動しているサービスの確認

全サービスの起動状態を確認

サービスの一覧は、

$ sudo systemctl list-units -t service
  UNIT                                                        LOAD   ACTIVE SUB     DESCRIPTION
  alsa-restore.service                                        loaded active exited  Save/Restore Sound Card State
  avahi-daemon.service                                        loaded active running Avahi mDNS/DNS-SD Stack
  bluetooth.service                                           loaded active running Bluetooth service
  cloud-config.service                                        loaded active exited  Cloud-init: Config Stage
  cloud-final.service                                         loaded active exited  Cloud-init: Final Stage
  cloud-init-local.service                                    loaded active exited  Cloud-init: Local Stage (pre-network)
● cloud-init-main.service                                     loaded failed failed  Cloud-init: Single Process
● cloud-init-network.service                                  loaded failed failed  Cloud-init: Network Stage
  console-setup.service                                       loaded active exited  Set console font and keymap
  cron.service                                                loaded active running Regular background program processing daemon
  dbus.service                                                loaded active running D-Bus System Message Bus
  getty@tty1.service                                          loaded active running Getty on tty1
  keyboard-setup.service                                      loaded active exited  Set the console keyboard layout
  kmod-static-nodes.service                                   loaded active exited  Create List of Static Device Nodes
  ModemManager.service                                        loaded active running Modem Manager
  NetworkManager-wait-online.service                          loaded active exited  Network Manager Wait Online
  NetworkManager.service                                      loaded active running Network Manager
  polkit.service                                              loaded active running Authorization Manager
  rpi-eeprom-update.service                                   loaded active exited  Check for Raspberry Pi EEPROM updates
  rpi-setup-loop@var-swap.service                             loaded active exited  rpi-setup-loop - set up file on loop device
  serial-getty@ttyAMA10.service                               loaded active running Serial Getty on ttyAMA10
  ssh.service                                                 loaded active running OpenBSD Secure Shell server
  systemd-binfmt.service                                      loaded active exited  Set Up Additional Binary Formats
  systemd-fsck@dev-disk-by\x2dpartuuid-4e6b1e6c\x2d01.service loaded active exited  File System Check on /dev/disk/by-partuuid/4e6b1e6c-01
  systemd-journal-flush.service                               loaded active exited  Flush Journal to Persistent Storage
  systemd-journald.service                                    loaded active running Journal Service
  systemd-logind.service                                      loaded active running User Login Management
  systemd-modules-load.service                                loaded active exited  Load Kernel Modules
  systemd-random-seed.service                                 loaded active exited  Load/Save OS Random Seed
  systemd-remount-fs.service                                  loaded active exited  Remount Root and Kernel File Systems
  systemd-sysctl.service                                      loaded active exited  Apply Kernel Variables
  systemd-timesyncd.service                                   loaded active running Network Time Synchronization
  systemd-tmpfiles-setup-dev-early.service                    loaded active exited  Create Static Device Nodes in /dev gracefully
  systemd-tmpfiles-setup-dev.service                          loaded active exited  Create Static Device Nodes in /dev
  systemd-tmpfiles-setup.service                              loaded active exited  Create System Files and Directories
  systemd-udev-load-credentials.service                       loaded active exited  Load udev Rules from Credentials
  systemd-udev-trigger.service                                loaded active exited  Coldplug All udev Devices
  systemd-udevd.service                                       loaded active running Rule-based Manager for Device Events and Files
  systemd-user-sessions.service                               loaded active exited  Permit User Sessions
  systemd-zram-setup@zram0.service                            loaded active exited  Create swap on /dev/zram0
  user-runtime-dir@1000.service                               loaded active exited  User Runtime Directory /run/user/1000
  user@1000.service                                           loaded active running User Manager for UID 1000
  wpa_supplicant.service                                      loaded active running WPA supplicant

Legend: LOAD   → Reflects whether the unit definition was properly loaded.
        ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
        SUB    → The low-level unit activation state, values depend on unit type.

43 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

削除対象のサービスを下記に一覧表にしました。

SoundCard
mDNS/DNS
Bluetooth
cloud-init
ModemManager
WiFi

UNIT	UNIT	削除対象
alsa-restore.service	alsa-restore.service	削除
avahi-daemon.service	avahi-daemon.service	削除
bluetooth.service	bluetooth.service	削除
cloud-config.service	cloud-config.service	削除
cloud-final.service	cloud-final.service	削除
cloud-init-local.service	cloud-init-local.service	削除
●cloud-init-main.service	●cloud-init-main.service	削除
●cloud-init-network.service	●cloud-init-network.service	削除
console-setup.service	console-setup.service
cron.service	cron.service
dbus.service	dbus.service
getty@tty1.service	getty@tty1.service
keyboard-setup.service	keyboard-setup.service
kmod-static-nodes.service	kmod-static-nodes.service
ModemManager.service	ModemManager.service	削除
NetworkManager-wait-online.service	NetworkManager-wait-online.service
NetworkManager.service	NetworkManager.service
polkit.service	polkit.service
rpi-eeprom-update.service	rpi-eeprom-update.service
rpi-setup-loop@var-swap.service	rpi-setup-loop@var-swap.service
serial-getty@ttyAMA10.service	serial-getty@ttyAMA10.service
ssh.service	ssh.service
systemd-binfmt.service	systemd-binfmt.service
systemd-fsck@dev-disk-by\ x2dpartuuid-4e6b1e6c\x2d01.service	systemd-fsck@dev-disk-by\ x2dpartuuid-4e6b1e6c\x2d01.service
systemd-journal-flush.service	systemd-journal-flush.service
systemd-journald.service	systemd-journald.service
systemd-logind.service	systemd-logind.service
systemd-modules-load.service	systemd-modules-load.service
systemd-random-seed.service	systemd-random-seed.service
systemd-remount-fs.service	systemd-remount-fs.service
systemd-sysctl.service	systemd-sysctl.service
systemd-timesyncd.service	systemd-timesyncd.service
systemd-tmpfiles-setup-dev-early.service	systemd-tmpfiles-setup-dev-early.service
systemd-tmpfiles-setup-dev.service	systemd-tmpfiles-setup-dev.service
systemd-tmpfiles-setup.service	systemd-tmpfiles-setup.service
systemd-udev-load-credentials.service	systemd-udev-load-credentials.service
systemd-udev-trigger.service	systemd-udev-trigger.service
systemd-udevd.service	systemd-udevd.service
systemd-user-sessions.service	systemd-user-sessions.service
systemd-zram-setup@zram0.service	systemd-zram-setup@zram0.service
user-runtime-dir@1000.service	user-runtime-dir@1000.service
user@1000.service	user@1000.service
wpa_supplicant.service	wpa_supplicant.service	削除

関係の無いサービスを無効化する

Raspberry Piを再起動してもサービスが始まらないよう無効にします。

サービスの停止

下記のコマンドでサービスを停止します。入力順も下記でお願いします。

$ sudo systemctl stop avahi-daemon.socket
$ sudo systemctl stop avahi-daemon.service
$ sudo systemctl stop bluetooth.service
$ sudo systemctl stop cloud-config.service
$ sudo systemctl stop cloud-final.service
$ sudo systemctl stop cloud-init-local.service
$ sudo systemctl stop cloud-init-main.service
$ sudo systemctl stop cloud-init-network.service
$ sudo systemctl stop ModemManager.service
$ sudo systemctl stop wpa_supplicant.service

サービスの非活性化

サーバの再起動でサービスが動き出さないよう非活性化します。

$ sudo systemctl disable avahi-daemon.socket
Removed '/etc/systemd/system/sockets.target.wants/avahi-daemon.socket'.
$ sudo systemctl disable avahi-daemon.service
Removed '/etc/systemd/system/dbus-org.freedesktop.Avahi.service'.
Removed '/etc/systemd/system/multi-user.target.wants/avahi-daemon.service'.
$ sudo systemctl disable bluetooth.service
Synchronizing state of bluetooth.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable bluetooth
Removed '/etc/systemd/system/dbus-org.bluez.service'.
Removed '/etc/systemd/system/bluetooth.target.wants/bluetooth.service'.
$ sudo systemctl disable cloud-config.service
Synchronizing state of cloud-config.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable cloud-config
Removed '/etc/systemd/system/cloud-init.target.wants/cloud-config.service'.
$ sudo systemctl disable cloud-final.service
Synchronizing state of cloud-final.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable cloud-final
Removed '/etc/systemd/system/cloud-init.target.wants/cloud-final.service'.
$ sudo systemctl disable cloud-init-local.service
Synchronizing state of cloud-init-local.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable cloud-init-local
Removed '/etc/systemd/system/cloud-init.target.wants/cloud-init-local.service'.
$ sudo systemctl disable cloud-init-main.service
Synchronizing state of cloud-init-main.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install disable cloud-init-main
Removed '/etc/systemd/system/cloud-init.target.wants/cloud-init-main.service'.
$ sudo systemctl disable cloud-init-network.service
Removed '/etc/systemd/system/cloud-init.target.wants/cloud-init-network.service'.
$ sudo systemctl disable ModemManager.service
Removed '/etc/systemd/system/multi-user.target.wants/ModemManager.service'.
Removed '/etc/systemd/system/dbus-org.freedesktop.ModemManager1.service'.
$ sudo systemctl disable wpa_supplicant.service
Removed '/etc/systemd/system/multi-user.target.wants/wpa_supplicant.service'.
Removed '/etc/systemd/system/dbus-fi.w1.wpa_supplicant1.service'.

ラズベリーパイの設定ファイルで使わないハードを非活性にする

Raspberry Pi には、PCでいうところのBIOSにあたる/boot/firmware/config.txtがあります。

通常raspi-configのコマンドで変更します。

この章では直接viで変更します。

soundの非活性化の為モジュールを確認

下記のコマンドでロードされているモジュールを確認します。

Raspberry Pi3、Raspberry Pi4の場合

$  cat /proc/asound/modules 
 0 snd_bcm2835
 1 vc4
 2 vc4

Raspberry Pi5の場合

$  cat /proc/asound/modules 
 0 vc4
 1 vc4

上記2行は、dtparam=audio=onと、dtoverlay=vc4-kms-v3dおよひmax_framebuffers=2をコメントする事でロードを回避できます。

ハード、ドライバの無効化

下記のコマンドで編集します。

$ sudo vi /boot/firmware/config.txt

下記ファイルで、使わない所に#を入れて無効化しています。

# For more options and information see
# http://rptl.io/configtxt
# Some settings may impact device functionality. See link above for details

# Uncomment some or all of these to enable the optional hardware interfaces
#dtparam=i2c_arm=on
#dtparam=i2s=on
#dtparam=spi=on

# Enable audio (loads snd_bcm2835)
#dtparam=audio=on               <==soundモジュールの停止の為コメント

# Additional overlays and parameters are documented
# /boot/firmware/overlays/README

# Automatically load overlays for detected cameras
#camera_auto_detect=1           <==CAMERAモジュールの停止の為コメント

# Automatically load overlays for detected DSI displays
#display_auto_detect=1

# Automatically load initramfs files, if found
auto_initramfs=1

# Enable DRM VC4 V3D driver
#dtoverlay=vc4-kms-v3d         <==soundモジュールもロードされるのでコメント
#max_framebuffers=2            <==上記非活性と併せてコメント

# Don't have the firmware create an initial video= setting in cmdline.txt.
# Use the kernel's default instead.
disable_fw_kms_setup=1

# Run in 64-bit mode
arm_64bit=1

# Disable compensation for displays with overscan
disable_overscan=1

# Run as fast as firmware / board allows
arm_boost=1

[cm4]
# Enable host mode on the 2711 built-in XHCI USB controller.
# This line should be removed if the legacy DWC2 controller is required
# (e.g. for USB device mode) or if USB support is not required.
otg_mode=1

[cm5]
dtoverlay=dwc2,dr_mode=host

[all]
dtoverlay=disable-bt                 <==bluetooth非活性の為追加
dtoverlay=disable-wifi                 <==wifi非活性の為追加

終われば保存してください。

ここでreboot

$ sudo reboot

色々手を打った後のサービスの一覧です。

  UNIT                                                        LOAD   ACTIVE SUB     DESCRIPTION
  console-setup.service                                       loaded active exited  Set console font and keymap
  cron.service                                                loaded active running Regular background program processing daemon
  dbus.service                                                loaded active running D-Bus System Message Bus
  getty@tty1.service                                          loaded active running Getty on tty1
  keyboard-setup.service                                      loaded active exited  Set the console keyboard layout
  kmod-static-nodes.service                                   loaded active exited  Create List of Static Device Nodes
  NetworkManager.service                                      loaded active running Network Manager
  rpi-eeprom-update.service                                   loaded active exited  Check for Raspberry Pi EEPROM updates
  rpi-setup-loop@var-swap.service                             loaded active exited  rpi-setup-loop - set up file on loop device
  serial-getty@ttyAMA10.service                               loaded active running Serial Getty on ttyAMA10
  ssh.service                                                 loaded active running OpenBSD Secure Shell server
  systemd-binfmt.service                                      loaded active exited  Set Up Additional Binary Formats
  systemd-fsck-root.service                                   loaded active exited  File System Check on Root Device
  systemd-fsck@dev-disk-by\x2dpartuuid-4e6b1e6c\x2d01.service loaded active exited  File System Check on /dev/disk/by-partuuid/4e6b1e6c-01
  systemd-journal-flush.service                               loaded active exited  Flush Journal to Persistent Storage
  systemd-journald.service                                    loaded active running Journal Service
  systemd-logind.service                                      loaded active running User Login Management
  systemd-modules-load.service                                loaded active exited  Load Kernel Modules
  systemd-random-seed.service                                 loaded active exited  Load/Save OS Random Seed
  systemd-remount-fs.service                                  loaded active exited  Remount Root and Kernel File Systems
  systemd-sysctl.service                                      loaded active exited  Apply Kernel Variables
  systemd-timesyncd.service                                   loaded active running Network Time Synchronization
  systemd-tmpfiles-setup-dev-early.service                    loaded active exited  Create Static Device Nodes in /dev gracefully
  systemd-tmpfiles-setup-dev.service                          loaded active exited  Create Static Device Nodes in /dev
  systemd-tmpfiles-setup.service                              loaded active exited  Create System Files and Directories
  systemd-udev-load-credentials.service                       loaded active exited  Load udev Rules from Credentials
  systemd-udev-trigger.service                                loaded active exited  Coldplug All udev Devices
  systemd-udevd.service                                       loaded active running Rule-based Manager for Device Events and Files
  systemd-user-sessions.service                               loaded active exited  Permit User Sessions
  systemd-zram-setup@zram0.service                            loaded active exited  Create swap on /dev/zram0
  user-runtime-dir@1000.service                               loaded active exited  User Runtime Directory /run/user/1000
  user@1000.service                                           loaded active running User Manager for UID 1000

Legend: LOAD   → Reflects whether the unit definition was properly loaded.
        ACTIVE → The high-level unit activation state, i.e. generalization of SUB.
        SUB    → The low-level unit activation state, values depend on unit type.

32 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

狙ったサービスは停止できました。

$  cat /proc/asound/modules

サウンド関係のモジュールもありません。

ご苦労様でした。