Whilst setting up this OpenBSD VPS I trimmed some unused services. Secure by default, but securer when not running. :)

check_quotas

There are disk quota checks at boot; however, I am not using quotas:

doas rcctl disable check_quotas
doas rcctl stop check_quotas

dhcpleased

The DHCP client daemon; this is not needed as I am using a static IP:

doas rcctl disable dhcpleased
doas rcctl stop dhcpleased

slaacd

IPv6 stateless autoconfiguration; disable if you are not using IPv6. I am not:

doas rcctl disable slaacd
doas rcctl stop slaacd

sndiod

Audio subsystem daemon; not needed on a VPS:

doas rcctl disable sndiod
doas rcctl stop sndiod

slowcgi

My website is static, so this is not needed:

doas rcctl disable slowcgi
doas rcctl stop slowcgi

You can double check yours with:

grep -R fastcgi /etc/httpd.conf /etc/httpd.conf.local 2>/dev/null

resolvd

Be careful here: this daemon manages your DNS resolver configuration. If you have switched to unbound and are resolving from the root DNS servers downwards, your /etc/resolv.conf should have only 127.0.0.1 as its resolver, and unbound should be running. If you're in this position, it is safe to disable and stop resolvd:

doas rcctl disable resolvd
doas rcctl stop resolvd
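
A pre-flight check for the two conditions above (127.0.0.1 as the only nameserver, unbound running), worth running before the disable; this is an added example, not part of the original post. The script name preflight.sh and the UNBOUND_CHECK override are hypothetical, and the match is deliberately strict: anything other than a literal 127.0.0.1 is reported.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check before
# disabling resolvd. UNBOUND_CHECK is a hypothetical override so the
# logic can be exercised off-box; it defaults to rcctl on OpenBSD.
: "${UNBOUND_CHECK:=rcctl check unbound}"

# foreign_nameservers FILE
# Print every nameserver in FILE that is not exactly 127.0.0.1.
# '#' and ';' start comments in resolv.conf(5), so strip them first.
foreign_nameservers() {
    awk '{ sub(/[#;].*/, "") }
         $1 == "nameserver" && $2 != "127.0.0.1" {
             print ($2 == "" ? "(empty)" : $2)
         }' "$1"
}

# count_nameservers FILE
# Print the number of active (uncommented) nameserver lines.
count_nameservers() {
    awk '{ sub(/[#;].*/, "") }
         $1 == "nameserver" { n++ }
         END { print n + 0 }' "$1"
}

# safe_to_disable_resolvd FILE
# Returns 0 only when FILE lists 127.0.0.1 as its sole resolver and
# unbound is running; otherwise says why on stderr and returns 1.
safe_to_disable_resolvd() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    if [ "$(count_nameservers "$file")" -eq 0 ]; then
        echo "no nameserver lines in $file" >&2; return 1
    fi
    foreign=$(foreign_nameservers "$file")
    if [ -n "$foreign" ]; then
        echo "non-local resolvers still configured:" $foreign >&2
        return 1
    fi
    if ! $UNBOUND_CHECK >/dev/null 2>&1; then
        echo "unbound is not running" >&2; return 1
    fi
    return 0
}

# Touch the live file only when asked to:  sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    safe_to_disable_resolvd /etc/resolv.conf
fi
```
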

Optional: If you want to set the file immutable flag on /etc/resolv.conf:

doas chflags schg /etc/resolv.conf

And verify that the flags column shows schg:

-rw-r--r--  1 root  wheel  schg 104 Mar 26 03:44 /etc/resolv.conf

This will mean you can’t accidentally (or conveniently) modify the file and end up overriding unbound; you will have to clear the flag first.