Masking a systemd service creates a hard block that prevents the unit from starting manually, through dependencies, or through install-time activation. Use it when a service must stay unavailable during maintenance, incident response, or a deliberate policy lockout.
The systemctl mask command places a unit-name symlink to /dev/null in systemd's writable unit path. That changes the unit's load state to masked, which is stronger than disable because systemd refuses all normal start requests instead of only removing boot-time install links.
Examples below use cron.service on Ubuntu Server 24.04; many Red Hat family systems use crond.service instead. Add --runtime when the mask should disappear after reboot, and omit --now when the service should keep running until a separate stop. Current upstream systemd documentation says masking works best for vendor units under /usr/lib/systemd/system, because locally created unit files already stored in /etc/systemd/system or /run/systemd/system can block the symlink operation. Use systemctl --user mask instead of the system manager command for per-user services.
$ systemctl is-enabled cron.service
enabled
Replace cron.service with the real unit name on the host, such as crond.service, ssh.service, or nginx.service. systemctl mask expects a unit name, not a unit file path.
$ sudo systemctl mask --now cron.service
Created symlink /etc/systemd/system/cron.service → /dev/null.
Drop --now when the service should stay running until a separate maintenance step stops it.
$ systemctl status --no-pager --full cron.service
○ cron.service
Loaded: masked (Reason: Unit cron.service is masked.)
Active: inactive (dead)
##### snipped #####
The Loaded: line proves the hard block is in place, and Active: inactive confirms that --now stopped the current service instance.
$ sudo systemctl start cron.service
Failed to start cron.service: Unit cron.service is masked.
Masking remote-access, network, storage, or boot-critical units can cut off management access or keep later targets from starting normally. Keep console or other out-of-band recovery available before masking anything critical.
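The mask can also be confirmed on disk, independent of systemctl output. The script below is an added example, not part of the original guide: it classifies a unit as persistently masked, runtime masked, held by a local unit file, or unmasked by checking for the /dev/null symlink. The function names, the result labels, and the constructed fixture tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a unit name by inspecting the unit directories,
# without asking systemd. Directory arguments let it run on a constructed tree.

# entry_state DIR UNIT -> masked | occupied | absent
entry_state() {
    path="$1/$2"
    if [ -L "$path" ] && [ "$(readlink "$path")" = "/dev/null" ]; then
        echo masked            # the symlink "systemctl mask" creates
    elif [ -e "$path" ] || [ -L "$path" ]; then
        echo occupied          # a unit file or other entry already holds the name
    else
        echo absent
    fi
}

# mask_report UNIT [ETC_DIR] [RUN_DIR] -> persistent | runtime | local-unit | unmasked
# "local-unit" flags the case where a locally created unit file sits where
# the mask symlink would go, so the mask operation can be blocked.
mask_report() {
    unit=$1
    etc_dir=${2:-/etc/systemd/system}
    run_dir=${3:-/run/systemd/system}
    case $(entry_state "$etc_dir" "$unit") in
        masked)   echo persistent; return ;;
        occupied) echo local-unit; return ;;
    esac
    case $(entry_state "$run_dir" "$unit") in
        masked)   echo runtime ;;      # mask created with --runtime
        occupied) echo local-unit ;;
        *)        echo unmasked ;;
    esac
}

# Constructed fixture: a throwaway tree with one unit in each state.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/run"
    ln -s /dev/null "$root/etc/cron.service"      # persistent mask
    ln -s /dev/null "$root/run/nginx.service"     # runtime mask
    printf '[Service]\nExecStart=/bin/true\n' > "$root/etc/local.service"
    echo "$root"
}

fx=$(make_fixture)
for u in cron.service nginx.service local.service ssh.service; do
    printf '%-15s %s\n' "$u" "$(mask_report "$u" "$fx/etc" "$fx/run")"
done
rm -rf "$fx"
```

Called with only a unit name, mask_report reads the real /etc/systemd/system and /run/systemd/system directories.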