Hi Frank.

Yes blocking the ports via the firewall would certainly work. Keep in mind though, that although the firewall on TurnKey servers is configured, it isn't enabled by default. If you are running on Amazon then it does have a pre-configured (and enabled) "Security Group" (Amazon's firewall).

But a better way to go would be to disable the relevant services (as you initially requested). In theory the command you would use to disable services (daemons in Linux speak) would depend on the TurnKey version &/or build type. v13.x appliances all used the old SysvInit system whereas v14.x use SystemD; except for LXC containers and Open Stack builds which still use SysvInit. I'll give both commands below.

However in practice most services use the legacy SysvInit format with a SystemD helper. This means that often the old commands still apply even on a SystemD server. So unfortunately as I don't know OTTOMH which ones apply, you'll need to do some trial and error. I recommend trying the SysvInit commands and reboot to check if they're running. If they are still running, try the SystemD command and recheck.

To disable services use the following commands:

SysvInit (try this first):

update-rc.d <service-name> disable

SystemD (if services still running on reboot after trying above):

systemctl disable <service-name>.service

You'll also need to know the service names:

git - git-daemon
bzr - bzr # provides the bzr repo access
      loggerhead # the bzr web frontend
hg  - # NONE - runs via Apache CGI script
svn - svnserve

Obviously you won't need the svn service name but I figured I'd include it for completeness... :)

Also, all of them are proxied via Apache so you'll also want to disable those configurations (again I included SVN for completeness; obviously you won't use that one; should be obvious which one it is!):

a2disconf git
a2disconf bzr
a2disconf hg
a2disconf websvn

Then restart Apache:

service apache2 restart