WordPress専用のサーバとしてRaspberry Pi5、Raspberry Pi4、Raspberry Pi3を運営する上で、不要なサービス・ハードを停止して、サーバを軽くセキュリティ強度を上げます。
このページでは、Raspberry Pi OS Lite(64bit) bookworm 2024-10-20版で説明しています。
インストールされる内容は、バージョン毎に変わっていくので確認しながら停止してください。
インストール直後に起動しているサービスの確認
全サービスの起動状態を確認
raspberry pi os(bookworm)から、ログ管理のデフォルトがjournaldになりました。/etc/log/syslogにログが出力されないと、運用が面倒なので起動直後にrsyslogをインストールしています。
サービスの一覧は、
$ sudo systemctl list-units -t service
UNIT LOAD ACTIVE SUB DESCRIPTION
alsa-restore.service loaded active exited Save/Restore Sound Card State
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
bluetooth.service loaded active running Bluetooth service
console-setup.service loaded active exited Set console font and keymap
cron.service loaded active running Regular background program processing daemon
dbus.service loaded active running D-Bus System Message Bus
dphys-swapfile.service loaded active exited dphys-swapfile - set up, mount/unmount, and delete a swap file
fake-hwclock.service loaded active exited Restore / save the current clock
getty@tty1.service loaded active running Getty on tty1
getty@tty6.service loaded active running Getty on tty6
keyboard-setup.service loaded active exited Set the console keyboard layout
kmod-static-nodes.service loaded active exited Create List of Static Device Nodes
ModemManager.service loaded active running Modem Manager
NetworkManager-wait-online.service loaded active exited Network Manager Wait Online
NetworkManager.service loaded active running Network Manager
polkit.service loaded active running Authorization Manager
raspi-config.service loaded active exited LSB: Switch to ondemand cpu governor (unless shift key is pressed)
resize2fs_once.service loaded active exited LSB: Resize the root filesystem to fill partition
rpc-statd-notify.service loaded active exited Notify NFS peers of a restart
rpi-eeprom-update.service loaded active exited Check for Raspberry Pi EEPROM updates
serial-getty@ttyAMA10.service loaded active running Serial Getty on ttyAMA10
ssh.service loaded active running OpenBSD Secure Shell server
systemd-binfmt.service loaded active exited Set Up Additional Binary Formats
systemd-fsck@dev-disk-by\x2dpartuuid-764aa807\x2d01.service loaded active exited File System Check on /dev/disk/by-partuuid/764aa807-01
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running User Login Management
systemd-modules-load.service loaded active exited Load Kernel Modules
systemd-random-seed.service loaded active exited Load/Save Random Seed
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-sysusers.service loaded active exited Create System Users
systemd-timesyncd.service loaded active running Network Time Synchronization
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create System Files and Directories
systemd-udev-trigger.service loaded active exited Coldplug All udev Devices
systemd-udevd.service loaded active running Rule-based Manager for Device Events and Files
systemd-update-utmp.service loaded active exited Record System Boot/Shutdown in UTMP
systemd-user-sessions.service loaded active exited Permit User Sessions
triggerhappy.service loaded active running triggerhappy global hotkey daemon
user-runtime-dir@1000.service loaded active exited User Runtime Directory /run/user/1000
user@1000.service loaded active running User Manager for UID 1000
wpa_supplicant.service loaded active running WPA supplicant
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
43 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.削除対象のサービスを下記に一覧表にしました。
- mDNS/DNS
- Sound
- Bluetooth
- WiFi
- triggerhappy(キーボード ショートカット設定)
- ModemManager
| UNIT | SUB | DESCRIPTION | 削除対象 |
| alsa-restore.service | exited | Save/Restore Sound Card State | 削除 |
| avahi-daemon.service | running | Avahi mDNS/DNS-SD Stack | 削除 |
| bluetooth.service | running | Bluetooth service | 削除 |
| console-setup.service | exited | Set console font and keymap | |
| cron.service | running | Regular background program processing daemon | |
| dbus.service | running | D-Bus System Message Bus | |
| dphys-swapfile.service | exited | dphys-swapfile – set up, mount/unmount, and delete a swap file | |
| fake-hwclock.service | exited | Restore / save the current clock | |
| getty@tty1.service | running | Getty on tty1 | |
| getty@tty6.service | running | Getty on tty6 | |
| keyboard-setup.service | exited | Set the console keyboard layout | |
| kmod-static-nodes.service | exited | Create List of Static Device Nodes | |
| ModemManager.service | running | Modem Manager | 削除 |
| NetworkManager-wait-online.service | exited | Network Manager Wait Online | |
| NetworkManager.service | running | Network Manager | |
| polkit.service | running | Authorization Manager | |
| raspi-config.service | exited | LSB: Switch to ondemand cpu governor (unless shift key is pressed) | |
| resize2fs_once.service | exited | LSB: Resize the root filesystem to fill partition | |
| rpc-statd-notify.service | exited | Notify NFS peers of a restart | |
| rpi-eeprom-update.service | exited | Check for Raspberry Pi EEPROM updates | |
| serial-getty@ttyAMA10.service | running | Serial Getty on ttyAMA10 | |
| ssh.service | running | OpenBSD Secure Shell server | |
| systemd-binfmt.service | exited | Set Up Additional Binary Formats | |
| systemd-fsck@dev-disk-by\x2dpartuuid-764aa807\x2d01.service | exited | File System Check on /dev/disk/by-partuuid/764aa807-01 | |
| systemd-journal-flush.service | exited | Flush Journal to Persistent Storage | |
| systemd-journald.service | running | Journal Service | |
| systemd-logind.service | running | User Login Management | |
| systemd-modules-load.service | exited | Load Kernel Modules | |
| systemd-random-seed.service | exited | Load/Save Random Seed | |
| systemd-remount-fs.service | exited | Remount Root and Kernel File Systems | |
| systemd-sysctl.service | exited | Apply Kernel Variables | |
| systemd-sysusers.service | exited | Create System Users | |
| systemd-timesyncd.service | running | Network Time Synchronization | |
| systemd-tmpfiles-setup-dev.service | exited | Create Static Device Nodes in /dev | |
| systemd-tmpfiles-setup.service | exited | Create System Files and Directories | |
| systemd-udev-trigger.service | exited | Coldplug All udev Devices | |
| systemd-udevd.service | running | Rule-based Manager for Device Events and Files | |
| systemd-update-utmp.service | exited | Record System Boot/Shutdown in UTMP | |
| systemd-user-sessions.service | exited | Permit User Sessions | |
| triggerhappy.service | running | triggerhappy global hotkey daemon | 削除 |
| user-runtime-dir@1000.service | exited | User Runtime Directory /run/user/1000 | |
| user@1000.service | running | User Manager for UID 1000 | |
| wpa_supplicant.service | running | WPA supplicant | 削除 |
関係の無いサービスを無効化する
Raspberry Piを再起動してもサービスが始まらないよう無効にします。
サービスの停止
下記のコマンドでサービスを停止します。入力順も下記でお願いします。
$ sudo systemctl stop avahi-daemon.socket
$ sudo systemctl stop avahi-daemon.service
$ sudo systemctl stop bluetooth.service
$ sudo systemctl stop bthelper@hci0.service
$ sudo systemctl stop ModemManager.service
$ sudo systemctl stop hciuart.service
$ sudo systemctl stop triggerhappy.socket
$ sudo systemctl stop triggerhappy.service
$ sudo systemctl stop wpa_supplicant.serviceサービスの非活性化
サーバの再起動でサービスが動き出さないよう非活性化します。
$ sudo systemctl disable avahi-daemon.socket
Removed "/etc/systemd/system/sockets.target.wants/avahi-daemon.socket".
$ sudo systemctl disable avahi-daemon.service
Removed "/etc/systemd/system/multi-user.target.wants/avahi-daemon.service".
Removed "/etc/systemd/system/dbus-org.freedesktop.Avahi.service".
$ sudo systemctl disable bluetooth.service
Synchronizing state of bluetooth.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable bluetooth
Removed "/etc/systemd/system/bluetooth.target.wants/bluetooth.service".
Removed "/etc/systemd/system/dbus-org.bluez.service".
$ sudo systemctl disable bthelper@hci0.service
$ sudo systemctl disable ModemManager.service
Removed "/etc/systemd/system/multi-user.target.wants/ModemManager.service".
Removed "/etc/systemd/system/dbus-org.freedesktop.ModemManager1.service".
$ sudo systemctl disable hciuart.service
Removed /etc/systemd/system/dev-serial1.device.wants/hciuart.service.
$ sudo systemctl disable triggerhappy.service
Synchronizing state of triggerhappy.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable triggerhappy
Removed "/etc/systemd/system/multi-user.target.wants/triggerhappy.service".
$ sudo systemctl disable wpa_supplicant.service
Removed "/etc/systemd/system/multi-user.target.wants/wpa_supplicant.service".
Removed "/etc/systemd/system/dbus-fi.w1.wpa_supplicant1.service".すっきりです。
ラズベリーパイの設定ファイルで使わないハードを非活性にする
Raspberry Pi には、PCでいうところのBIOSにあたる/boot/firmware/config.txtがあります。
通常raspi-configのコマンドで変更します。
この章では直接viで変更します。
soundの非活性化の為モジュールを確認
下記のコマンドでロードされているモジュールを確認します。
Raspberry Pi3、Raspberry Pi4の場合
$ cat /proc/asound/modules
0 snd_bcm2835
1 vc4Raspberry Pi5の場合
$ cat /proc/asound/modules
0 vc4
1 vc4上記2行は、dtparam=audio=onと、dtoverlay=vc4-kms-v3dおよひmax_framebuffers=2をコメントする事でロードを回避できます。
ハード、ドライバの無効化
下記のコマンドで編集します。
$ sudo vi /boot/firmware/config.txt下記ファイルで、使わない所に#を入れて無効化しています。
# For more options and information see
# http://rptl.io/configtxt
# Some settings may impact device functionality. See link above for details
# Uncomment some or all of these to enable the optional hardware interfaces
#dtparam=i2c_arm=on
#dtparam=i2s=on
#dtparam=spi=on
# Enable audio (loads snd_bcm2835)
#dtparam=audio=on <==soundモジュールの停止の為コメント
# Additional overlays and parameters are documented
# /boot/firmware/overlays/README
# Automatically load overlays for detected cameras
#camera_auto_detect=1 <==CAMERAモジュールの停止の為コメント
# Automatically load overlays for detected DSI displays
display_auto_detect=1
# Automatically load initramfs files, if found
auto_initramfs=1
# Enable DRM VC4 V3D driver
#dtoverlay=vc4-kms-v3d <==soundモジュールもロードされるのでコメント
#max_framebuffers=2 <==上記非活性と併せてコメント
# Don't have the firmware create an initial video= setting in cmdline.txt.
# Use the kernel's default instead.
disable_fw_kms_setup=1
# Run in 64-bit mode
arm_64bit=1
# Disable compensation for displays with overscan
#disable_overscan=1 <==液晶表示の為コメント
# Run as fast as firmware / board allows
arm_boost=1
[cm4]
# Enable host mode on the 2711 built-in XHCI USB controller.
# This line should be removed if the legacy DWC2 controller is required
# (e.g. for USB device mode) or if USB support is not required.
otg_mode=1
[all]
dtoverlay=disable-bt <==bluetooth非活性の為追加
dtoverlay=disable-wifi <==wifi非活性の為追加終われば保存してください。
ここでreboot
$ sudo reboot色々手を打った後のサービスの一覧です。
$ sudo systemctl list-units -t service
UNIT LOAD ACTIVE SUB DESCRIPTION
console-setup.service loaded active exited Set console font and keymap
cron.service loaded active running Regular background program processing daemon
dbus.service loaded active running D-Bus System Message Bus
dphys-swapfile.service loaded active exited dphys-swapfile - set up, mount/unmount, and delete a swap file
fake-hwclock.service loaded active exited Restore / save the current clock
getty@tty1.service loaded active running Getty on tty1
keyboard-setup.service loaded active exited Set the console keyboard layout
kmod-static-nodes.service loaded active exited Create List of Static Device Nodes
NetworkManager-wait-online.service loaded active exited Network Manager Wait Online
NetworkManager.service loaded active running Network Manager
raspi-config.service loaded active exited LSB: Switch to ondemand cpu governor (unless shift key is pressed)
rpc-statd-notify.service loaded active exited Notify NFS peers of a restart
rpi-eeprom-update.service loaded active exited Check for Raspberry Pi EEPROM updates
serial-getty@ttyAMA10.service loaded active running Serial Getty on ttyAMA10
ssh.service loaded active running OpenBSD Secure Shell server
systemd-binfmt.service loaded active exited Set Up Additional Binary Formats
systemd-fsck@dev-disk-by\x2dpartuuid-764aa807\x2d01.service loaded active exited File System Check on /dev/disk/by-partuuid/764aa807-01
systemd-fsckd.service loaded active running File System Check Daemon to report status
systemd-hostnamed.service loaded active running Hostname Service
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running User Login Management
systemd-modules-load.service loaded active exited Load Kernel Modules
systemd-random-seed.service loaded active exited Load/Save Random Seed
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-sysusers.service loaded active exited Create System Users
systemd-timesyncd.service loaded active running Network Time Synchronization
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create System Files and Directories
systemd-udev-trigger.service loaded active exited Coldplug All udev Devices
systemd-udevd.service loaded active running Rule-based Manager for Device Events and Files
systemd-update-utmp.service loaded active exited Record System Boot/Shutdown in UTMP
systemd-user-sessions.service loaded active exited Permit User Sessions
user-runtime-dir@1000.service loaded active exited User Runtime Directory /run/user/1000
user@1000.service loaded active running User Manager for UID 1000
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
36 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.狙ったサービスは停止できました。
$ cat /proc/asound/modules サウンド関係のモジュールもありません。
ご苦労様でした。
