LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 09-08-2010, 02:08 AM   #1
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Rep: Reputation: 36
How to block FTP and SMTP service?


Hi guys i would like to block FTP and SMTP service as a part of linux server hardening.

How would i do the same?
 
Old 09-08-2010, 02:12 AM   #2
jmc1987
Member
 
Registered: Sep 2009
Location: Oklahoma
Distribution: Debian, CentOS, windows 7
Posts: 872

Rep: Reputation: 112Reputation: 112
Firewall. Depending on your firewall settings may differ. Them you simply just open the ports you wish to allow example you may want to block port 21 ftp but allow http and https. You would open ports 80 and 443 for http and https and block 21 for ftp. Then if you wanted to be the onlyone to be able to access ftp you would add your ip to a white list.
 
Old 09-08-2010, 02:27 AM   #3
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Original Poster
Rep: Reputation: 36
Quote:
Originally Posted by jmc1987 View Post
Firewall. Depending on your firewall settings may differ. Them you simply just open the ports you wish to allow example you may want to block port 21 ftp but allow http and https. You would open ports 80 and 443 for http and https and block 21 for ftp. Then if you wanted to be the onlyone to be able to access ftp you would add your ip to a white list.
Thanks for the useful information.My machine detail is as below .

How would i make changes to firewall?
Code:
# lsb_release -a
LSB Version:    :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: EnterpriseEnterpriseServer
Description:    Enterprise Linux Enterprise Linux Server release 5.2 (Carthage)
Release:        5.2
Codename:       Carthage
Code:
# uname -a
Linux TomcatServer 2.6.18-92.el5 #1 SMP Fri May 23 22:17:30 EDT 2008 i686 i686 i386 GNU/Linux

Last edited by pinga123; 09-08-2010 at 03:45 AM.
 
Old 09-08-2010, 03:44 AM   #4
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Original Poster
Rep: Reputation: 36
I would also like to know if i can disable the service instead of blocking the port.

I m reffering to following link which explain how to disable the service.
http://www.governmentsecurity.org/fo...showtopic=1695
Quote:
1. To disable Telnet, you must edit the /etc/xinetd.d/telnet file. Open the Telnet file, using vi or an editor of your choice.
2. Comment out the service telnet line by adding a number sign (#) before service telnet: #service telnet
3. Write and quit the file.
I m not able to get telnet file under /etc/xinetd.d/

Last edited by pinga123; 09-08-2010 at 03:47 AM.
 
Old 09-08-2010, 03:55 AM   #5
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
Quote:
Originally Posted by pinga123 View Post
I would also like to know if i can disable the service instead of blocking the port.

I m reffering to following link which explain how to disable the service.
http://www.governmentsecurity.org/fo...showtopic=1695


I m not able to get telnet file under /etc/xinetd.d/
Transient services are managed by xinetd daemon and configuration of these services are located under /etc/xinetd.d/ directory.

in redhat/centos 4,5 telnet service name is krb5-telnet

Code:
[root@localhost xinetd.d]# ls | grep telnet
ekrb5-telnet
krb5-telnet
you can also use tcp wrappers to control service access.
tcp wrappers files are

Code:
/etc/hosts.allow
/etc/hosts.deny
HTH
 
Old 09-08-2010, 05:09 AM   #6
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Original Poster
Rep: Reputation: 36
Quote:
Transient services are managed by xinetd daemon and configuration of these services are located under /etc/xinetd.d/ directory.

in redhat/centos 4,5 telnet service name is krb5-telnet

Code:
[root@localhost xinetd.d]# ls | grep telnet
ekrb5-telnet
krb5-telnet
I think this service is disabled by default.
Code:
# cat krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
#              but can also use Kerberos 5 authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        log_on_failure  += USERID
        disable         = yes
}


you can also use tcp wrappers to control service access.
tcp wrappers files are

Code:
/etc/hosts.allow
/etc/hosts.deny
HTH[/QUOTE]

I have used tcp wrapper files to disable communication between server and other machines. I didnt know it can be used for blocking services as well.
 
Old 09-08-2010, 05:15 AM   #7
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
Quote:
I have used tcp wrapper files to disable communication between server and other machines. I didnt know it can be used for blocking services as well.
Tcp wrapper is used to allow or deny service.

If you want disable system V services stopping service is a best way to disable.
 
Old 09-08-2010, 07:27 AM   #8
suprstar
Member
 
Registered: Aug 2010
Location: Atlanta
Distribution: ubuntu, debian
Posts: 142
Blog Entries: 2

Rep: Reputation: 22
chkconfig vsftpd off
service vsftpd stop

chkconfig sendmail off
service sendmail stop

repeat for any services you want to shut off and STAY off.
 
Old 09-08-2010, 07:37 AM   #9
jmc1987
Member
 
Registered: Sep 2009
Location: Oklahoma
Distribution: Debian, CentOS, windows 7
Posts: 872

Rep: Reputation: 112Reputation: 112
Just to add to the above post you can ad the --levels option to set it to start to stop on specific runlevels

chkconfig --levels 235 vsftpd off

something like that
 
Old 09-09-2010, 02:06 AM   #10
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Original Poster
Rep: Reputation: 36
This is what i have done for disabling FTP and Telnet session.

Request you to correct me if i m wrong.

Enable FTP Service:

To check FTP is running or not:
This can be done by loging into the server or any other machine connected to server.All you need to do is type a command called.
ftp
Example:
If 10.180.18.222 is my server's ip address.

Code:
# ftp 10.180.18.222
ftp: connect: Connection refused
ftp>
Above output shows that ftp is not enabled on my server.

To enable the ftp you need to edit gssftp file under
/etc/xinetd.d directory.

You should modify disable parameter to no.

Code:
# cat gssftp
# default: off
# description: The kerberized FTP server accepts FTP connections \
# that can be authenticated with Kerberos 5.
service ftp
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/ftpd
server_args = -l -a
log_on_failure += USERID
disable = no
}
Once you have modified the file you should restart xinetd
Code:
#/etc/rc.d/init.d/xinetd restart

To check if FTP is running or not:
Code:
# ftp 10.180.18.222
Connected to 10.180.18.222.
220 TomcatServer FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Unspecified GSS failure. Minor code may provide more information
GSSAPI error minor: No credentials cache found
GSSAPI error: initializing context
GSSAPI authentication failed
334 Using authentication type KERBEROS_V4; ADAT must follow
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (10.180.18.222:root):

Above output shows now you can able to use ftp.


Disable Telnet:

Telnet is a service using which we can remotely communicate with server.However ssh is more secure alternative to it.Therefore we should disable this service by default.

Here is what you need to do if you are using redhat/centos 4,5.

This service is usually named as krb5-telnet.
You just need to edit file under /etc/xinetd.d/krb5-telnet.
Following is the content of file where telnet is disabled .
Code:
# cat /etc/xinetd.d/krb5-telnet
# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
# but can also use Kerberos 5 authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
log_on_failure += USERID
disable = yes
}
Just restart xinetd service.
Code:
#/etc/rc.d/init.d/xinetd restart
Telnet should be disabled now.
 
Old 09-09-2010, 02:08 AM   #11
pinga123
Member
 
Registered: Sep 2009
Posts: 684
Blog Entries: 2

Original Poster
Rep: Reputation: 36
Now i m confused which method to follow.
Tcp wrapper files
Chkconig method
or
/etc/xinit.d .
Please suggest.
 
Old 09-09-2010, 02:12 AM   #12
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910
Go with the chkconfig method. Easier maintenance in the long run.
 
Old 09-09-2010, 02:13 AM   #13
14moose
Member
 
Registered: May 2010
Posts: 83

Rep: Reputation: Disabled
Firewall - your first line of defense. Do it.

Disable any unused services - your second line of defense. Do it, too.

Vigilence - keep an eye on your logs, keep up-to-date with patches. Perhaps install an IDS (Intrusion Detection Software) and periodically run "nmap" (verify the ports you *think* you closed are in *fact* closed).

Security is an ongoing process.

IMHO ..
 
0 members found this post helpful.
Old 09-09-2010, 03:43 AM   #14
sem007
Member
 
Registered: Nov 2006
Distribution: RHEL, CentOS, Debian Lenny, Ubuntu
Posts: 638

Rep: Reputation: 111Reputation: 111
Quote:
Originally Posted by pinga123 View Post
Now i m confused which method to follow.
Tcp wrapper files
Chkconig method
or
/etc/xinit.d .
Please suggest.
If your service is running and you want to deny/allow particular ip or subnet then Tcp Wrapper files or iptables (Firewall) is used.

chkconfig command used to start or stop service at boot time.

Transient services scripts (/etc/xinetd.d/*) are used to enable/disable services. (you can also set some advance parameters like only_from, max connections per ip)

It depends you what method you have to follow.

HTH
 
Old 09-09-2010, 08:16 AM   #15
suprstar
Member
 
Registered: Aug 2010
Location: Atlanta
Distribution: ubuntu, debian
Posts: 142
Blog Entries: 2

Rep: Reputation: 22
Quote:
Originally Posted by suprstar View Post
chkconfig vsftpd off
service vsftpd stop

chkconfig sendmail off
service sendmail stop

repeat for any services you want to shut off and STAY off.
Do this if you don't want the service running at all, for anyone, ever. That's what you said you wanted, and that's the safest thing of all anyway - if there's nothing to connect to, then it doesn't matter if you block the port, limit subnets, ip's, connections, etc..

chkconfig sendmail off

sets your server so that the service doesn't start at boot.

service sendmail stop

kills the service if it's running right now. That's the answer. All the rest of this talk about xinetd, hosts.[allow|deny], firewalls, tcp wrappers, etc. is about configuring and controlling access to a running service.
 
0 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Binding SMTP service into IP tables, and redirecting SMTP to port 366 bamquest6 Linux - Software 1 09-24-2008 03:48 AM
Block a Particular User through FTP service karthi Linux - Security 1 11-07-2005 04:57 PM
Block a Particular User through FTP service karthi Linux - Security 1 11-07-2005 03:23 PM
How can block my SMTP Traffic? krishnakishore Linux - Networking 3 06-19-2004 08:49 AM
how to block an ip from using SMTP woho Linux - Networking 4 03-05-2004 11:48 AM


All times are GMT -5. The time now is 06:20 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration