LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 06-27-2014, 01:13 AM   #1
unclesamcrazy
Member
 
Registered: May 2013
Posts: 188

Rep: Reputation: 1
Prevent nmap from showing open/closed ports of my server


I have a Linux server, and it can be accessed by IP both inside and outside the LAN.
If anyone installs nmap or a similar program, they can see the open/closed ports of my server.
Is there any setting so that no one is able to see my server's ports under any condition?

Lots of things are installed on it, like Openfire, Webmin, FTP, SSH, a mail server (SMTP), SVN, Apache, MySQL, etc.
It shows them like an open book; anyone can learn the list of installed programs through the ports and try to break them.

Please help.
 
Old 06-27-2014, 01:22 AM   #2
pan64
LQ Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 8,133

Rep: Reputation: 2272
That makes no sense to me. If you want to use those apps, you need to open those ports... On the other hand, you can use a firewall to restrict access to that box (blocked IPs will not see anything; allowed IPs will see what was allowed to them).
 
Old 06-27-2014, 05:06 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by unclesamcrazy View Post
Lots of things are installed on it like openfire, webmin, ftp, ssh, mailserver(smtp), svn, apache, mysql etc
It shows them like an open book, anyone can know list of installed programs through ports and try to break them.
Learn that scans will happen and, since you do not control remote end points, you cannot prevent them from happening. Having a router in front of the machine may restrict access using isolation (DMZ) and limit access by carefully choosing the ports to be forwarded (also see reverse proxy).

So. What you should do first is harden your machine according to your Linux distribution's (security) documentation. That step should include anything from using separate unprivileged user accounts, strong passwords, no root access but pubkey-only SSH access via unprivileged users, setting up regular auditing and reporting, etc., and testing your setup from remote, to make the machine more resilient. This step should never be skipped for networked machines.

Building on top of that, next determine which services need to be exposed (publicly for all, limited access, or not at all) and then set access restrictions accordingly. For example, you should not expose certain services until they're actually used from remote, like MySQL (make it use a UNIX socket), and there is no valid reason (at all) to expose certain services like Webmin's and Openfire's web-based administration panels publicly (firewall IP address range whitelisting, .htaccess).

Also be aware a web server may provide multiple points of entry due to what services it provides: statistics, shopping carts, photo galleries, bulletin boards, web logs, any (third party!) themes and plug-ins all should be secured according to 0) system, 1) web server and 2) product documentation, next to general recommendations or best practices.

If you need to provide certain services to the world, then see if you can get away with providing only the SSL-ized version (IMAPS, HTTPS, FTPS) or providing access via an SSH tunnel. Make them use rate limiting, and have fail2ban or an equivalent and Logwatch watch logs for anomalies and attacks.


If and when you have done all of that, then you can concentrate on probes and scans that successfully penetrated your setup. Not the other way around; that's simply not an effective admin approach.
 
3 members found this post helpful.
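As an added example (not part of unSpawn's post), a small audit in the spirit of "determine which services need to be exposed": it parses `ss -ltnH` output, constructed here, and flags the thread's administrative services (MySQL, Webmin, Openfire) when they listen on every interface. The port-to-service map and the sample addresses are assumptions.

```python
"""Listening-socket exposure audit (added example, not from the thread).
Parses `ss -ltnH` output, constructed below, and flags the administrative
services named in the thread when they listen on every interface."""
import ipaddress

# Ports that should stay local or LAN-only per unSpawn's advice (constructed).
ADMIN_ONLY = {3306: "mysql", 10000: "webmin", 9090: "openfire-admin"}

# Constructed `ss -ltnH` output: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 128 192.168.1.10:10000 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
"""

def parse_listeners(ss_output):
    """Return (bind_address, port) pairs from `ss -ltnH` lines."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host, _, port = fields[3].rpartition(":")
        listeners.append((host.strip("[]"), int(port)))
    return listeners

def classify(bind_addr):
    """Where a listener is reachable from, judged by its bind address only."""
    if bind_addr in ("", "*"):
        return "all-interfaces"
    addr = ipaddress.ip_address(bind_addr)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific-interface"      # still needs a firewall rule for source IPs

def find_exposed_admin_ports(ss_output):
    """Admin-only ports bound to every interface, i.e. visible to any scan."""
    findings = []
    for host, port in parse_listeners(ss_output):
        if port in ADMIN_ONLY and classify(host) == "all-interfaces":
            findings.append((port, ADMIN_ONLY[port], host))
    return findings
```

Binding a service to one LAN address narrows what answers a scan from outside, but it is not a substitute for the firewall whitelisting unSpawn describes: anything on that segment can still reach it.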
Old 06-27-2014, 09:30 AM   #4
mddnix
Member
 
Registered: Mar 2013
Location: Bangalore, India
Distribution: Redhat, Arch, Ubuntu
Posts: 512

Rep: Reputation: 139
Install psad.
 
Old 06-27-2014, 10:31 AM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 17,952

Rep: Reputation: 3693
Quote:
Originally Posted by mddesai View Post
Install psad.
How would that prevent someone from doing a port-scan?
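As an added example, not from the thread and not psad's own code, this is the kind of work psad does and the answer to TB0ne's question: it reads the kernel's iptables LOG records (constructed sample lines below) and reports a source that probed many distinct ports within a short window. It detects and reports scans after the firewall has already dropped the packets; it does not prevent them.

```python
"""psad-style scan detection over iptables LOG lines (added example).
Log lines are constructed in the format a `-j LOG --log-prefix "DROP: "`
rule produces; nothing here is psad's own code."""
import re
from collections import defaultdict
from datetime import datetime

KV_RE = re.compile(r"(SRC|DPT)=(\S+)")
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")

# Constructed: one source probes six ports in three seconds, another source
# makes a single connection attempt half a minute later.
SAMPLE_LOG = """\
Jun 27 01:13:01 srv kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jun 27 01:13:01 srv kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=25 SYN
Jun 27 01:13:02 srv kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=3306 SYN
Jun 27 01:13:02 srv kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=10000 SYN
Jun 27 01:13:03 srv kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=9090 SYN
Jun 27 01:13:03 srv kernel: DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=21 SYN
Jun 27 01:13:40 srv kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=8080 SYN
"""

def parse_log_line(line):
    """Return (timestamp, src, dpt) for one kernel LOG line, else None."""
    ts_match = TS_RE.match(line)
    fields = dict(KV_RE.findall(line))
    if not ts_match or "SRC" not in fields or "DPT" not in fields:
        return None
    # Syslog timestamps carry no year; deltas within one file are still valid.
    ts = datetime.strptime(ts_match.group(1), "%b %d %H:%M:%S")
    return ts, fields["SRC"], int(fields["DPT"])

def detect_scans(log_text, min_ports=5, window_seconds=60):
    """Sources that hit >= min_ports distinct ports within the window -> ports."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    scanners = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):        # slide the window
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners
```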
 
Old 06-27-2014, 01:41 PM   #6
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 16,825

Rep: Reputation: 2408
iptables normally is set for "stealth",
so no response is the norm, not (open / closed).
 
Old 06-30-2014, 12:42 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3531
Quote:
Originally Posted by John VV View Post
iptables normally is set for "stealth"
No, it isn't and it normally shouldn't even be.
 
Old 07-01-2014, 08:10 PM   #8
JeremyBoden
Member
 
Registered: Nov 2011
Posts: 939

Rep: Reputation: 174
For example:
Code:
jeremy@hector:~$ nmap -v -A www.linuxquestions.org

Starting Nmap 6.40 ( http://nmap.org ) at 2014-07-02 01:04 BST
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 01:04
Scanning www.linuxquestions.org (75.126.162.205) [2 ports]
Completed Ping Scan at 01:04, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:04
Completed Parallel DNS resolution of 1 host. at 01:04, 0.01s elapsed
Initiating Connect Scan at 01:04
Scanning www.linuxquestions.org (75.126.162.205) [1000 ports]
Discovered open port 80/tcp on 75.126.162.205
Discovered open port 443/tcp on 75.126.162.205
Completed Connect Scan at 01:04, 8.87s elapsed (1000 total ports)
Initiating Service scan at 01:04
Scanning 2 services on www.linuxquestions.org (75.126.162.205)
Completed Service scan at 01:04, 6.43s elapsed (2 services on 1 host)
NSE: Script scanning 75.126.162.205.
Initiating NSE at 01:04
Completed NSE at 01:05, 22.89s elapsed
Nmap scan report for www.linuxquestions.org (75.126.162.205)
Host is up (0.15s latency).
Not shown: 988 filtered ports
PORT     STATE  SERVICE            VERSION
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   open   http               nginx
|_http-favicon: Unknown favicon MD5: 156AE67BD1AC56523C1F096815917C35
|_http-methods: No Allow or Public header in OPTIONS response (status code 403)
| http-robots.txt: 31 disallowed entries (15 shown)
| /questions/attachment.php /questions/avatar.php 
| /questions/editpost.php /questions/member.php /questions/memberlist.php 
| /questions/misc.php /questions/moderator.php /questions/newreply.php 
| /questions/newthread.php /questions/online.php /questions/postings.php 
| /questions/printthread.php /questions/private.php /questions/private2.php 
|_/questions/report.php
|_http-title: HTTP Error 403
110/tcp  closed pop3
143/tcp  closed imap
443/tcp  open   http               nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=www.linuxquestions.org
| Issuer: commonName=GeoTrust DV SSL CA/organizationName=GeoTrust Inc./countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2012-06-23T18:25:28+00:00
| Not valid after:  2014-08-26T13:05:52+00:00
| MD5:   fcaa 0b27 af2c 5c5a c330 fe51 89cd 144a
|_SHA-1: c38a 6737 f2b6 b65c 5322 0444 71b1 877d bec6 04c2
|_ssl-date: 2014-07-02T00:04:52+00:00; -1s from local time.
2323/tcp closed 3d-nfsd
4662/tcp closed edonkey
6346/tcp closed gnutella
6699/tcp closed napster
6881/tcp closed bittorrent-tracker
7778/tcp closed interwise

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.93 seconds
jeremy@hector:~$
 
  

