CompTIA Linux+ XK0-006 (V8) Practice Question

The goal is to stop the Telnet listener right away and prevent any future activation. With systemd, masking a unit replaces its service file with a symbolic link to /dev/null. This makes it impossible for the unit to start manually, by dependency, or through socket activation. Adding --now stops the socket instantly. Disabling a unit only prevents automatic startup at boot; the service could still be started manually or by another unit, so it does not meet the audit requirement. Simply stopping the socket or changing the firewall leaves the service installed and potentially restartable. Removing the Telnet service from the firewall also does nothing to the running socket or to future local activations. Therefore, systemctl mask --now telnet.socket is the only single-command solution that both halts the insecure service and ensures it remains unavailable.