Old 03-03-2003, 03:54 PM   #16
jstu
Member
 
Registered: Jan 2002
Distribution: slackware
Posts: 193

Rep: Reputation: 30

You learn something every day.
Thanks for your explanation.
 
Old 03-03-2003, 05:29 PM   #17
Tezdread
Member
 
Registered: Aug 2002
Location: England
Distribution: SuSE 8.1
Posts: 84

Original Poster
Rep: Reputation: 15
OK, when I type netstat -anp I get over 15 pages of information, which I guess is services running, but I don't know what I'm looking for?

This is the first part

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 761/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1043/X
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 898/sendmail: accep
tcp 0 0 :::22 :::* LISTEN 811/sshd
tcp 0 20 192.168.1.100:22 192.168.1.102:2975 ESTABLISHED 17051/sshd
udp 65212 0 0.0.0.0:68 0.0.0.0:* 522/dhcpcd
udp 0 0 0.0.0.0:111 0.0.0.0:* 761/portmap

Then there are a lot of other lines like this

unix 3 [ ] STREAM CONNECTED 29022 10225/kdeinit: dcop /tmp/.ICE-unix/dcop10225-1046557896

I carried out the command via ssh over my lan if that makes any difference.

What should I be looking for?
 
Old 03-03-2003, 08:48 PM   #18
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
Try "netstat -pant" to get only tcp services.

If you need to know what udp services are running use "netstat -pan |grep udp"
 
Old 03-04-2003, 01:03 AM   #19
Tezdread
Member
 
Registered: Aug 2002
Location: England
Distribution: SuSE 8.1
Posts: 84

Original Poster
Rep: Reputation: 15
thank you, this is the info I got

Pluto:~ # netstat -pant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 761/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1043/X
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 898/sendmail: accep
tcp 0 0 :::22 :::* LISTEN 811/sshd
tcp 0 0 192.168.1.100:22 192.168.1.102:4497 ESTABLISHED 18250/sshd
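
What to look for in that listing, as an added example that is not part of the original posts: TCP sockets in LISTEN state bound to something other than loopback are the ones other hosts can reach. The function names are made up for this example, and the sample input is the listing posted above.

```shell
#!/bin/sh
# Added example: list TCP listeners that are reachable from other hosts.
# Input: `netstat -pant` output on stdin. Output: "<port> <program> <bind address>".
exposed_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        # The port is whatever follows the last colon (handles ":::22" too).
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # Loopback-only sockets cannot be reached from the network.
        if (host ~ /^127\./ || host == "::1") next
        prog = $7
        sub(/^[0-9]+\//, "", prog)   # drop the "PID/" prefix
        print port, prog, host
    }'
}

# Sample input: the listing from the post above.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 761/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1043/X
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 898/sendmail: accep
tcp 0 0 :::22 :::* LISTEN 811/sshd
tcp 0 0 192.168.1.100:22 192.168.1.102:4497 ESTABLISHED 18250/sshd
EOF
}

sample_netstat | exposed_listeners
```

On a live machine the same function reads `netstat -pant | exposed_listeners`; sendmail does not appear in the result because it is bound to 127.0.0.1 only.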
 
Old 03-04-2003, 02:02 AM   #20
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
I've gathered from the rest of the thread that your machine is directly exposed to the net?
Shut off portmap (port 111).
When you start X, start it with the no listen tcp flag like so:
startx -- -nolisten tcp
That will close port 6000.

you can leave ssh open like this:

$IPTABLES -A INPUT -p tcp --sport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -f -j ACCEPT
$IPTABLES -A OUTPUT -o $IFACE -p tcp --sport 22 -m state --state NEW,ESTABLISHED -f -j ACCEPT


But there's probably a better way to do it, I'm not an iptables guru.

What I'm currently doing on my firewall is running an sshd on a non-standard port from init. Because it's on a non-standard port you don't get hit with version number scans so much when an ssh vulnerability is found. Running from init, it'll be the last thing killed if the machine gets in trouble.
This is probably excessively paranoid though.
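
A small lint over the four rules in the post above, as an added example that is not part of the original post. It flags two patterns: an INPUT ACCEPT that keys only on the remote source port, and `-f` combined with a port match. The function names and finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: lint iptables rule lines (one rule per line on stdin).
# Prints "<line number> <finding>" for two patterns that are easy to miss.
lint_rules() {
    awk '
    # INPUT ACCEPT keyed only on the source port: the remote end chooses
    # its own source port, so this admits traffic to any local port.
    / -A INPUT / && / -j ACCEPT/ && / --sport / && !/ --dport / && !/ --state / {
        print NR, "sport-only-accept"
    }
    # -f selects second and further fragments, which carry no TCP header,
    # so a rule that also names a port never matches anything.
    / -f / && (/ --sport / || / --dport /) {
        print NR, "fragment-with-port"
    }'
}

# The four rules exactly as posted above ($IPTABLES and $IFACE left unexpanded).
posted_rules() {
cat <<'EOF'
$IPTABLES -A INPUT -p tcp --sport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $IFACE -p tcp --dport 22 -m state --state NEW,ESTABLISHED -f -j ACCEPT
$IPTABLES -A OUTPUT -o $IFACE -p tcp --sport 22 -m state --state NEW,ESTABLISHED -f -j ACCEPT
EOF
}

posted_rules | lint_rules
```

Removing rule 1 and dropping `-f` from rules 3 and 4 clears all three findings while still admitting inbound SSH on port 22.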
 
Old 03-04-2003, 06:44 AM   #21
Artimus
Member
 
Registered: Feb 2003
Location: Wisconsin
Distribution: Slackware
Posts: 188

Rep: Reputation: 30
Those guys made a typo, I believe. Shouldn't it be:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

dport needs -- instead of just -
 
Old 03-04-2003, 02:40 PM   #22
Tezdread
Member
 
Registered: Aug 2002
Location: England
Distribution: SuSE 8.1
Posts: 84

Original Poster
Rep: Reputation: 15
Nice one that got it sorted Artimus!

m0rl0ck, I haven't had a chance to try what you suggested yet, could you explain a little more about what you've written?

If I'm right in thinking that startx is for the Linux GUI then I don't start X in a way that I can type it, or at least I don't think so. When I power up, SuSE runs through what it needs to do, I then have a login screen. On this there is an option to choose what I want to go into. KDE is default and I have GNOME and a few others so I just leave it on KDE, enter username and password and that's it.

The only time that I have used a similar command it was startkde when I logged in through VNC over my network. I had to enter this command to get KDE up but could I have used startx instead?
 
Old 03-04-2003, 11:33 PM   #23
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
Quote:
If I'm right in thinking that startx is for the linux GUI then I don't start x in a way that I can type it,
I'm not sure how you would pass that flag to X in runlevel 5. On my Mandrake 9 install the process starts from /etc/rc5.d/S30dm, which apparently calls /etc/X11/prefdm. I don't know where the trail leads from there.

I also wanted to mention that if you don't really need sendmail you can close port 25 by shutting it down. If you do need to run it, check to see if your vendor has an update; a recent hole was discovered. Also you might want to read up on sendmail security to make sure you don't accidentally have an open relay going.

To shut down portmap: "/etc/init.d/portmap stop". Use ntsysv, chkconfig or tksysv, whatever comes with SuSE, to prevent it from starting.

To run an ssh daemon from init, copy your ssh dir (probably /etc/ssh) to another location (mine is /etc/sshA), edit the sshd startup file to your liking (custom port, interface, etc.) and put this in your /etc/inittab (assuming that your new dir is /etc/sshA):

#Emergency sshd
ss:12345:respawn:/usr/sbin/sshd -D -f /etc/sshA/sshd_config

I run this only on the outside interface and run it from init because, if the kernel starts running out of memory when the machine is in trouble, init is the last thing to be killed.
 
Old 03-05-2003, 04:28 PM   #24
Tezdread
Member
 
Registered: Aug 2002
Location: England
Distribution: SuSE 8.1
Posts: 84

Original Poster
Rep: Reputation: 15
Nice one m0rl0ck, some of what you wrote is a bit over my head though


I tried stopping portmap the way you said and it doesn't seem to work on this distro?

I went to /etc/init.d/ and typed portmap stop and nothing happened. I typed netstat -pant and saw that portmap was still LISTENING. When I typed portmap --help I got the following options

usage: portmap [-dv]
-d: debugging mode
-v: verbose logging

I don't think I need sendmail so that will be cool to disable. My Windows comps use my cable provider's SMTP server to send mail and for now it works and that's cool.

What are the benefits of running the ssh daemon from init? At the moment ssh runs at startup automatically as part of the boot.
 
Old 03-05-2003, 04:40 PM   #25
Tezdread
Member
 
Registered: Aug 2002
Location: England
Distribution: SuSE 8.1
Posts: 84

Original Poster
Rep: Reputation: 15
I stopped the sendmail service. I've installed webmin and did it through there. It's a useful bit of kit but I still don't know how to do it from the prompt
 
Old 03-07-2003, 07:38 PM   #26
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
To shut down portmap: "/etc/init.d/portmap stop", but if you want to shut it down from the directory it's actually in you'll have to use "./portmap stop" because the current dir is not in your path. (Do not put the current dir in your path.)

Running an sshd from init has a couple of benefits:
If it's killed it'll be restarted automatically.
If the machine is in trouble for some reason and the kernel has to start killing processes to keep it functioning, init (process 1) will be the last to go.

If you're going to do this, when you copy the /etc/ssh dir copy it with "cp -rp"; that will copy recursively and preserve file permissions.
 
Old 03-12-2003, 03:01 AM   #27
xwings
LQ Newbie
 
Registered: Mar 2003
Distribution: Slackware
Posts: 10

Rep: Reputation: 0
There is something with Red Hat 8;
I don't know about other versions.
There is a file that stores all the configuration for RH 8's iptables:
/etc/sysconfig/iptables
The file will ask you not to change it,
but change it according to the port and all the things.
 